Correct typos in accounting manpages.

Signed-off-by: Tom Eastep <teastep@shorewall.net>
Fix TOS(tos/mask) in tcrules.
2012-03-14 15:34:19 -07:00 · 2012-03-14 15:34:11 -07:00 · 2012-03-14 10:57:41 -07:00 · 2012-03-13 19:54:58 -07:00 · 2012-03-13 17:58:18 -07:00 · 2012-03-13 13:27:20 -07:00
248 changed files with 12303 additions and 16040 deletions
--- a/Shorewall-core/COPYING
+++ b/Shorewall-core/COPYING
@@ -0,0 +1,341 @@
+		    GNU GENERAL PUBLIC LICENSE
+		       Version 2, June 1991
+
+ Copyright (C) 1989, 1991 Free Software Foundation, Inc.
+                          51 Franklin Street, Fifth Floor,
+			  Boston, MA 02110-1301 USA
+ Everyone is permitted to copy and distribute verbatim copies
+ of this license document, but changing it is not allowed.
+
+			    Preamble
+
+  The licenses for most software are designed to take away your
+freedom to share and change it.  By contrast, the GNU General Public
+License is intended to guarantee your freedom to share and change free
+software--to make sure the software is free for all its users.  This
+General Public License applies to most of the Free Software
+Foundation's software and to any other program whose authors commit to
+using it.  (Some other Free Software Foundation software is covered by
+the GNU Library General Public License instead.)  You can apply it to
+your programs, too.
+
+  When we speak of free software, we are referring to freedom, not
+price.  Our General Public Licenses are designed to make sure that you
+have the freedom to distribute copies of free software (and charge for
+this service if you wish), that you receive source code or can get it
+if you want it, that you can change the software or use pieces of it
+in new free programs; and that you know you can do these things.
+
+  To protect your rights, we need to make restrictions that forbid
+anyone to deny you these rights or to ask you to surrender the rights.
+These restrictions translate to certain responsibilities for you if you
+distribute copies of the software, or if you modify it.
+
+  For example, if you distribute copies of such a program, whether
+gratis or for a fee, you must give the recipients all the rights that
+you have.  You must make sure that they, too, receive or can get the
+source code.  And you must show them these terms so they know their
+rights.
+
+  We protect your rights with two steps: (1) copyright the software, and
+(2) offer you this license which gives you legal permission to copy,
+distribute and/or modify the software.
+
+  Also, for each author's protection and ours, we want to make certain
+that everyone understands that there is no warranty for this free
+software.  If the software is modified by someone else and passed on, we
+want its recipients to know that what they have is not the original, so
+that any problems introduced by others will not reflect on the original
+authors' reputations.
+
+  Finally, any free program is threatened constantly by software
+patents.  We wish to avoid the danger that redistributors of a free
+program will individually obtain patent licenses, in effect making the
+program proprietary.  To prevent this, we have made it clear that any
+patent must be licensed for everyone's free use or not licensed at all.
+
+  The precise terms and conditions for copying, distribution and
+modification follow.
+
+		    GNU GENERAL PUBLIC LICENSE
+   TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
+
+  0. This License applies to any program or other work which contains
+a notice placed by the copyright holder saying it may be distributed
+under the terms of this General Public License.  The "Program", below,
+refers to any such program or work, and a "work based on the Program"
+means either the Program or any derivative work under copyright law:
+that is to say, a work containing the Program or a portion of it,
+either verbatim or with modifications and/or translated into another
+language.  (Hereinafter, translation is included without limitation in
+the term "modification".)  Each licensee is addressed as "you".
+
+Activities other than copying, distribution and modification are not
+covered by this License; they are outside its scope.  The act of
+running the Program is not restricted, and the output from the Program
+is covered only if its contents constitute a work based on the
+Program (independent of having been made by running the Program).
+Whether that is true depends on what the Program does.
+
+  1. You may copy and distribute verbatim copies of the Program's
+source code as you receive it, in any medium, provided that you
+conspicuously and appropriately publish on each copy an appropriate
+copyright notice and disclaimer of warranty; keep intact all the
+notices that refer to this License and to the absence of any warranty;
+and give any other recipients of the Program a copy of this License
+along with the Program.
+
+You may charge a fee for the physical act of transferring a copy, and
+you may at your option offer warranty protection in exchange for a fee.
+
+  2. You may modify your copy or copies of the Program or any portion
+of it, thus forming a work based on the Program, and copy and
+distribute such modifications or work under the terms of Section 1
+above, provided that you also meet all of these conditions:
+
+    a) You must cause the modified files to carry prominent notices
+    stating that you changed the files and the date of any change.
+
+    b) You must cause any work that you distribute or publish, that in
+    whole or in part contains or is derived from the Program or any
+    part thereof, to be licensed as a whole at no charge to all third
+    parties under the terms of this License.
+
+    c) If the modified program normally reads commands interactively
+    when run, you must cause it, when started running for such
+    interactive use in the most ordinary way, to print or display an
+    announcement including an appropriate copyright notice and a
+    notice that there is no warranty (or else, saying that you provide
+    a warranty) and that users may redistribute the program under
+    these conditions, and telling the user how to view a copy of this
+    License.  (Exception: if the Program itself is interactive but
+    does not normally print such an announcement, your work based on
+    the Program is not required to print an announcement.)
+
+These requirements apply to the modified work as a whole.  If
+identifiable sections of that work are not derived from the Program,
+and can be reasonably considered independent and separate works in
+themselves, then this License, and its terms, do not apply to those
+sections when you distribute them as separate works.  But when you
+distribute the same sections as part of a whole which is a work based
+on the Program, the distribution of the whole must be on the terms of
+this License, whose permissions for other licensees extend to the
+entire whole, and thus to each and every part regardless of who wrote it.
+
+Thus, it is not the intent of this section to claim rights or contest
+your rights to work written entirely by you; rather, the intent is to
+exercise the right to control the distribution of derivative or
+collective works based on the Program.
+
+In addition, mere aggregation of another work not based on the Program
+with the Program (or with a work based on the Program) on a volume of
+a storage or distribution medium does not bring the other work under
+the scope of this License.
+
+  3. You may copy and distribute the Program (or a work based on it,
+under Section 2) in object code or executable form under the terms of
+Sections 1 and 2 above provided that you also do one of the following:
+
+    a) Accompany it with the complete corresponding machine-readable
+    source code, which must be distributed under the terms of Sections
+    1 and 2 above on a medium customarily used for software interchange; or,
+
+    b) Accompany it with a written offer, valid for at least three
+    years, to give any third party, for a charge no more than your
+    cost of physically performing source distribution, a complete
+    machine-readable copy of the corresponding source code, to be
+    distributed under the terms of Sections 1 and 2 above on a medium
+    customarily used for software interchange; or,
+
+    c) Accompany it with the information you received as to the offer
+    to distribute corresponding source code.  (This alternative is
+    allowed only for noncommercial distribution and only if you
+    received the program in object code or executable form with such
+    an offer, in accord with Subsection b above.)
+
+The source code for a work means the preferred form of the work for
+making modifications to it.  For an executable work, complete source
+code means all the source code for all modules it contains, plus any
+associated interface definition files, plus the scripts used to
+control compilation and installation of the executable.  However, as a
+special exception, the source code distributed need not include
+anything that is normally distributed (in either source or binary
+form) with the major components (compiler, kernel, and so on) of the
+operating system on which the executable runs, unless that component
+itself accompanies the executable.
+
+If distribution of executable or object code is made by offering
+access to copy from a designated place, then offering equivalent
+access to copy the source code from the same place counts as
+distribution of the source code, even though third parties are not
+compelled to copy the source along with the object code.
+
+  4. You may not copy, modify, sublicense, or distribute the Program
+except as expressly provided under this License.  Any attempt
+otherwise to copy, modify, sublicense or distribute the Program is
+void, and will automatically terminate your rights under this License.
+However, parties who have received copies, or rights, from you under
+this License will not have their licenses terminated so long as such
+parties remain in full compliance.
+
+  5. You are not required to accept this License, since you have not
+signed it.  However, nothing else grants you permission to modify or
+distribute the Program or its derivative works.  These actions are
+prohibited by law if you do not accept this License.  Therefore, by
+modifying or distributing the Program (or any work based on the
+Program), you indicate your acceptance of this License to do so, and
+all its terms and conditions for copying, distributing or modifying
+the Program or works based on it.
+
+  6. Each time you redistribute the Program (or any work based on the
+Program), the recipient automatically receives a license from the
+original licensor to copy, distribute or modify the Program subject to
+these terms and conditions.  You may not impose any further
+restrictions on the recipients' exercise of the rights granted herein.
+You are not responsible for enforcing compliance by third parties to
+this License.
+
+  7. If, as a consequence of a court judgment or allegation of patent
+infringement or for any other reason (not limited to patent issues),
+conditions are imposed on you (whether by court order, agreement or
+otherwise) that contradict the conditions of this License, they do not
+excuse you from the conditions of this License.  If you cannot
+distribute so as to satisfy simultaneously your obligations under this
+License and any other pertinent obligations, then as a consequence you
+may not distribute the Program at all.  For example, if a patent
+license would not permit royalty-free redistribution of the Program by
+all those who receive copies directly or indirectly through you, then
+the only way you could satisfy both it and this License would be to
+refrain entirely from distribution of the Program.
+
+If any portion of this section is held invalid or unenforceable under
+any particular circumstance, the balance of the section is intended to
+apply and the section as a whole is intended to apply in other
+circumstances.
+
+It is not the purpose of this section to induce you to infringe any
+patents or other property right claims or to contest validity of any
+such claims; this section has the sole purpose of protecting the
+integrity of the free software distribution system, which is
+implemented by public license practices.  Many people have made
+generous contributions to the wide range of software distributed
+through that system in reliance on consistent application of that
+system; it is up to the author/donor to decide if he or she is willing
+to distribute software through any other system and a licensee cannot
+impose that choice.
+
+This section is intended to make thoroughly clear what is believed to
+be a consequence of the rest of this License.
+
+  8. If the distribution and/or use of the Program is restricted in
+certain countries either by patents or by copyrighted interfaces, the
+original copyright holder who places the Program under this License
+may add an explicit geographical distribution limitation excluding
+those countries, so that distribution is permitted only in or among
+countries not thus excluded.  In such case, this License incorporates
+the limitation as if written in the body of this License.
+
+  9. The Free Software Foundation may publish revised and/or new versions
+of the General Public License from time to time.  Such new versions will
+be similar in spirit to the present version, but may differ in detail to
+address new problems or concerns.
+
+Each version is given a distinguishing version number.  If the Program
+specifies a version number of this License which applies to it and "any
+later version", you have the option of following the terms and conditions
+either of that version or of any later version published by the Free
+Software Foundation.  If the Program does not specify a version number of
+this License, you may choose any version ever published by the Free Software
+Foundation.
+
+  10. If you wish to incorporate parts of the Program into other free
+programs whose distribution conditions are different, write to the author
+to ask for permission.  For software which is copyrighted by the Free
+Software Foundation, write to the Free Software Foundation; we sometimes
+make exceptions for this.  Our decision will be guided by the two goals
+of preserving the free status of all derivatives of our free software and
+of promoting the sharing and reuse of software generally.
+
+			    NO WARRANTY
+
+  11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY
+FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW.  EXCEPT WHEN
+OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES
+PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED
+OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.  THE ENTIRE RISK AS
+TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU.  SHOULD THE
+PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING,
+REPAIR OR CORRECTION.
+
+  12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
+WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR
+REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES,
+INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING
+OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED
+TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY
+YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER
+PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE
+POSSIBILITY OF SUCH DAMAGES.
+
+		     END OF TERMS AND CONDITIONS
+
+	    How to Apply These Terms to Your New Programs
+
+  If you develop a new program, and you want it to be of the greatest
+possible use to the public, the best way to achieve this is to make it
+free software which everyone can redistribute and change under these terms.
+
+  To do so, attach the following notices to the program.  It is safest
+to attach them to the start of each source file to most effectively
+convey the exclusion of warranty; and each file should have at least
+the "copyright" line and a pointer to where the full notice is found.
+
+    <one line to give the program's name and a brief idea of what it does.>
+    Copyright (C) 19yy  <name of author>
+
+    This program is free software; you can redistribute it and/or modify
+    it under the terms of the GNU General Public License as published by
+    the Free Software Foundation; either version 2 of the License, or
+    (at your option) any later version.
+
+    This program is distributed in the hope that it will be useful,
+    but WITHOUT ANY WARRANTY; without even the implied warranty of
+    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+    GNU General Public License for more details.
+
+    You should have received a copy of the GNU General Public License
+    along with this program; if not, write to the Free Software
+    Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
+
+
+Also add information on how to contact you by electronic and paper mail.
+
+If the program is interactive, make it output a short notice like this
+when it starts in an interactive mode:
+
+    Gnomovision version 69, Copyright (C) 19yy name of author
+    Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
+    This is free software, and you are welcome to redistribute it
+    under certain conditions; type `show c' for details.
+
+The hypothetical commands `show w' and `show c' should show the appropriate
+parts of the General Public License.  Of course, the commands you use may
+be called something other than `show w' and `show c'; they could even be
+mouse-clicks or menu items--whatever suits your program.
+
+You should also get your employer (if you work as a programmer) or your
+school, if any, to sign a "copyright disclaimer" for the program, if
+necessary.  Here is a sample; alter the names:
+
+  Yoyodyne, Inc., hereby disclaims all copyright interest in the program
+  `Gnomovision' (which makes passes at compilers) written by James Hacker.
+
+  <signature of Ty Coon>, 1 April 1989
+  Ty Coon, President of Vice
+
+This General Public License does not permit incorporating your program into
+proprietary programs.  If your program is a subroutine library, you may
+consider it more useful to permit linking proprietary applications with the
+library.  If this is what you want to do, use the GNU Library General
+Public License instead of this License.
--- a/Shorewall-core/INSTALL
+++ b/Shorewall-core/INSTALL
@@ -0,0 +1,24 @@
+Shoreline Firewall (Shorewall) Version 4
+-----         ----
+
+-----------------------------------------------------------------------------
+
+     This program is free software; you can redistribute it and/or modify
+     it under the terms of Version 2 of the GNU General Public License
+     as published by the Free Software Foundation.
+
+     This program is distributed in the hope that it will be useful,
+     but WITHOUT ANY WARRANTY; without even the implied warranty of
+     MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+     GNU General Public License for more details.
+
+     You should have received a copy of the GNU General Public License
+     along with this program; if not, write to the Free Software
+     Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+
+---------------------------------------------------------------------------
+
+Please see http://www.shorewall.net/Install.htm for installation
+instructions.
+
+
--- a/Shorewall-core/install.sh
+++ b/Shorewall-core/install.sh
@@ -0,0 +1,301 @@
+#!/bin/sh
+#
+# Script to install Shoreline Firewall Core Modules
+#
+#     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
+#
+#     (c) 2000-2011 - Tom Eastep (teastep@shorewall.net)
+#
+#       Shorewall documentation is available at http://shorewall.net
+#
+#       This program is free software; you can redistribute it and/or modify
+#       it under the terms of Version 2 of the GNU General Public License
+#       as published by the Free Software Foundation.
+#
+#       This program is distributed in the hope that it will be useful,
+#       but WITHOUT ANY WARRANTY; without even the implied warranty of
+#       MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+#       GNU General Public License for more details.
+#
+#       You should have received a copy of the GNU General Public License
+#       along with this program; if not, write to the Free Software
+#       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+
+VERSION=xxx #The Build script inserts the actual version
+
+usage() # $1 = exit status
+{
+    ME=$(basename $0)
+    echo "usage: $ME"
+    echo "       $ME -v"
+    echo "       $ME -h"
+    exit $1
+}
+
+split() {
+    local ifs
+    ifs=$IFS
+    IFS=:
+    set -- $1
+    echo $*
+    IFS=$ifs
+}
+
+qt()
+{
+    "$@" >/dev/null 2>&1
+}
+
+mywhich() {
+    local dir
+
+    for dir in $(split $PATH); do
+	if [ -x $dir/$1 ]; then
+	    echo $dir/$1
+	    return 0
+	fi
+    done
+
+    return 2
+}
+
+run_install()
+{
+    if ! install $*; then
+	echo
+	echo "ERROR: Failed to install $*" >&2
+	exit 1
+    fi
+}
+
+cant_autostart()
+{
+    echo
+    echo  "WARNING: Unable to configure shorewall to start automatically at boot" >&2
+}
+
+delete_file() # $1 = file to delete
+{
+    rm -f $1
+}
+
+install_file() # $1 = source $2 = target $3 = mode
+{
+    run_install $T $OWNERSHIP -m $3 $1 ${2}
+}
+
+cd "$(dirname $0)"
+
+#
+# Load packager's settings if any
+#
+[ -f ../shorewall-pkg.config ] && . ../shorewall-pkg.config
+
+[ -n "$DESTDIR" ] || DESTDIR="$PREFIX"
+
+#
+# Parse the run line
+#
+# ARGS is "yes" if we've already parsed an argument
+#
+T="-T"
+
+[ -n "${LIBEXEC:=/usr/share}" ]
+[ -n "${PERLLIB:=/usr/share/shorewall}" ]
+
+case "$LIBEXEC" in
+    /*)
+	;;
+    *)
+	echo "The LIBEXEC setting must be an absolute path name" >&2
+	exit 1
+	;;
+esac
+
+case "$PERLLIB" in
+    /*)
+	;;
+    *)
+	echo "The PERLLIB setting must be an absolute path name" >&2
+	exit 1
+	;;
+esac
+
+INSTALLD='-D'
+
+if [ -z "$BUILD" ]; then
+    case $(uname) in
+	cygwin*)
+	    BUILD=cygwin
+	    ;;
+	Darwin)
+	    BUILD=apple
+	    ;;
+	*)
+	    if [ -f /etc/debian_version ]; then
+		BUILD=debian
+	    elif [ -f /etc/redhat-release ]; then
+		BUILD=redhat
+	    elif [ -f /etc/slackware-version ] ; then
+		BUILD=slackware
+	    elif [ -f /etc/SuSE-release ]; then
+		BUILD=suse
+	    elif [ -f /etc/arch-release ] ; then
+		BUILD=archlinux
+	    else
+		BUILD=linux
+	    fi
+	    ;;
+    esac
+fi
+
+case $BUILD in
+    cygwin*)
+	if [ -z "$DESTDIR" ]; then
+	    DEST=
+	    INIT=
+	fi
+
+	OWNER=$(id -un)
+	GROUP=$(id -gn)
+	;;
+    apple)
+	if [ -z "$DESTDIR" ]; then
+	    DEST=
+	    INIT=
+	    SPARSE=Yes
+	fi
+
+	[ -z "$OWNER" ] && OWNER=root
+	[ -z "$GROUP" ] && GROUP=wheel
+	INSTALLD=
+	T=
+	;;
+    *)
+	[ -z "$OWNER" ] && OWNER=root
+	[ -z "$GROUP" ] && GROUP=root
+	;;
+esac
+
+OWNERSHIP="-o $OWNER -g $GROUP"
+
+finished=0
+
+while [ $finished -eq 0 ]; do
+    option=$1
+
+    case "$option" in
+	-*)
+	    option=${option#-}
+	    
+	    while [ -n "$option" ]; do
+		case $option in
+		    h)
+			usage 0
+			;;
+		    v)
+			echo "Shorewall Firewall Installer Version $VERSION"
+			exit 0
+			;;
+		    *)
+			usage 1
+			;;
+		esac
+	    done
+
+	    shift
+	    ;;
+	*)
+	    [ -n "$option" ] && usage 1
+	    finished=1
+	    ;;
+    esac
+done
+
+PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
+
+#
+# Determine where to install the firewall script
+#
+
+[ -n "$HOST" ] || HOST=$BUILD
+
+case "$HOST" in
+    cygwin)
+	echo "Installing Cygwin-specific configuration..."
+	;;
+    apple)
+	echo "Installing Mac-specific configuration...";
+	;;
+    debian|redhat|slackware|archlinux|linux|suse)
+	;;
+    *)
+	echo "ERROR: Unknown HOST \"$HOST\"" >&2
+	exit 1;
+	;;
+esac
+
+if [ -n "$DESTDIR" ]; then
+    if [ $BUILD != cygwin ]; then
+	if [ `id -u` != 0 ] ; then
+	    echo "Not setting file owner/group permissions, not running as root."
+	    OWNERSHIP=""
+	fi
+    fi
+fi
+
+#
+# Change to the directory containing this script
+#
+cd "$(dirname $0)"
+
+echo "Installing Shorewall Core Version $VERSION"
+
+#
+# Create /usr/share/shorewall
+#
+mkdir -p ${DESTDIR}${LIBEXEC}/shorewall
+chmod 755 ${DESTDIR}${LIBEXEC}/shorewall
+
+if [ $LIBEXEC != /usr/shorewall/ ]; then
+    mkdir -p ${DESTDIR}/usr/share/shorewall
+    chmod 755 ${DESTDIR}/usr/share/shorewall
+fi
+#
+# Install wait4ifup
+#
+install_file wait4ifup ${DESTDIR}${LIBEXEC}/shorewall/wait4ifup 0755
+
+echo
+echo "wait4ifup installed in ${DESTDIR}${LIBEXEC}/shorewall/wait4ifup"
+
+#
+# Install the libraries
+#
+for f in lib.* ; do
+    install_file $f ${DESTDIR}/usr/share/shorewall/$f 0644
+    echo "Library ${f#*.} file installed as ${DESTDIR}/usr/share/shorewall/$f"
+done
+
+if [ $BUILD != apple ]; then
+    eval sed -i \'s\|g_libexec=.\*\|g_libexec=$LIBEXEC\|\' ${DESTDIR}/usr/share/shorewall/lib.cli
+    eval sed -i \'s\|g_perllib=.\*\|g_perllib=$PERLLIB\|\' ${DESTDIR}/usr/share/shorewall/lib.cli
+else
+    eval sed -i \'\' -e \'s\|g_libexec=.\*\|g_libexec=$LIBEXEC\|\' ${DESTDIR}/usr/share/shorewall/lib.cli
+    eval sed -i \'\' -e \'s\|g_perllib=.\*\|g_perllib=$PERLLIB\|\' ${DESTDIR}/usr/share/shorewall/lib.cli
+fi
+
+#
+# Symbolically link 'functions' to lib.base
+#
+ln -sf lib.base ${DESTDIR}/usr/share/shorewall/functions
+#
+# Create the version file
+#
+echo "$VERSION" > ${DESTDIR}/usr/share/shorewall/coreversion
+chmod 644 ${DESTDIR}/usr/share/shorewall/coreversion
+#
+#  Report Success
+#
+echo "Shorewall Core Version $VERSION Installed"
--- a/Shorewall-core/lib.base
+++ b/Shorewall-core/lib.base
@@ -1,9 +1,9 @@
 #
-# Shorewall 4.4 -- /usr/share/shorewall/lib.base
+# Shorewall 4.5 -- /usr/share/shorewall/lib.base
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 1999,2000,2001,2002,2003,2004,2005,2006,2007 - Tom Eastep (teastep@shorewall.net)
+#     (c) 1999-2012 - Tom Eastep (teastep@shorewall.net)
 #
 #	Complete documentation is available at http://shorewall.net
 #
@@ -23,16 +23,53 @@
 # This library contains the code common to all Shorewall components.
 #
 # - It is loaded by /sbin/shorewall.
-# - It is released as part of Shorewall Lite where it is used by /sbin/shorewall-lite
-#   and /usr/share/shorewall-lite/shorecap.
+# - It is released as part of Shorewall[6] Lite where it is used by /sbin/shorewall[6]-lite
+#   and /usr/share/shorewall[6]-lite/shorecap.
 #

-SHOREWALL_LIBVERSION=40407
-SHOREWALL_CAPVERSION=40426
+SHOREWALL_LIBVERSION=40500
+SHOREWALL_CAPVERSION=40501

-[ -n "${VARDIR:=/var/lib/shorewall}" ]
-[ -n "${SHAREDIR:=/usr/share/shorewall}" ]
-[ -n "${CONFDIR:=/etc/shorewall}" ]
+[ -n "${g_program:=shorewall}" ]
+
+case $g_program in
+    shorewall)
+	SHAREDIR=/usr/share/shorewall
+	CONFDIR=/etc/shorewall
+	g_product="Shorewall"
+	g_family=4
+	g_tool=
+	g_basedir=/usr/share/shorewall
+	g_lite=
+	;;
+    shorewall6)
+	SHAREDIR=/usr/share/shorewall6
+	CONFDIR=/etc/shorewall6
+	g_product="Shorewall6"
+	g_family=6
+	g_tool=
+	g_basedir=/usr/share/shorewall
+	g_lite=
+	;;
+    shorewall-lite)
+	SHAREDIR=/usr/share/shorewall-lite
+	CONFDIR=/etc/shorewall-lite
+	g_product="Shorewall Lite"
+	g_family=4
+	g_tool=iptables
+	g_basedir=/usr/share/shorewall-lite
+	g_lite=Yes
+	;;
+    shorewall6-lite)
+	SHAREDIR=/usr/share/shorewall6-lite
+	CONFDIR=/etc/shorewall6-lite
+	g_product="Shorewall6 Lite"
+	g_family=6
+	g_tool=ip6tables
+	g_basedir=/usr/share/shorewall6-lite
+	g_lite=Yes
+	;;
+esac

 #
 # Conditionally produce message
@@ -149,33 +186,7 @@ mutex_off()
    rm -f ${LOCKFILE:=${VARDIR}/lock}
 }

-#
-# Find the interface with the passed MAC address
-#
-
-find_interface_by_mac() {
-    local mac
-    mac=$1
-    local first
-    local second
-    local rest
-    local dev
-
-    $IP link list | while read first second rest; do
-	case $first in
-	    *:)
-                dev=$second
-		;;
-	    *)
-	        if [ "$second" = $mac ]; then
-		    echo ${dev%:}
-		    return
-		fi
-	esac
-    done
-}
-
-[ -z "$LEFTSHIFT" ] && . ${SHAREDIR}/lib.common
+[ -z "$LEFTSHIFT" ] && . /usr/share/shorewall/lib.common

 #
 # Validate an IP address
@@ -339,8 +350,8 @@ ensure_config_path() {
 	. $F
    fi

-    if [ -n "$SHOREWALL_DIR" ]; then
-	[ "${CONFIG_PATH%%:*}" = "$SHOREWALL_DIR" ] || CONFIG_PATH=$SHOREWALL_DIR:$CONFIG_PATH
+    if [ -n "$g_shorewalldir" ]; then
+	[ "${CONFIG_PATH%%:*}" = "$g_shorewalldir" ] || CONFIG_PATH=$g_shorewalldir:$CONFIG_PATH
    fi
 }

@@ -378,9 +389,8 @@ resolve_file() # $1 = file name
    esac
 }

-# Function to truncate a string -- It uses 'cut -b -<n>'
-# rather than ${v:first:last} because light-weight shells like ash and
-# dash do not support that form of expansion.
+#
+# Determine how to do "echo -e"
 #

 find_echo() {
--- a/Shorewall-core/lib.cli
+++ b/Shorewall-core/lib.cli
--- a/Shorewall-core/lib.common
+++ b/Shorewall-core/lib.common
@@ -1,9 +1,9 @@
 #
-# Shorewall 4.4 -- /usr/share/shorewall/lib.common.
+# Shorewall 4.5 -- /usr/share/shorewall/lib.common.
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2010 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2010-2012 - Tom Eastep (teastep@shorewall.net)
 #
 #	Complete documentation is available at http://shorewall.net
 #
@@ -24,6 +24,50 @@
 # generated firewall scripts. To avoid versioning issues, it is copied into generated
 # scripts rather than loaded at run-time.
 #
+#########################################################################################
+#
+# Issue a message and stop
+#
+startup_error() # $* = Error Message
+{
+    echo "   ERROR: $@: Firewall state not changed" >&2
+
+    if [ $LOG_VERBOSITY -ge 0 ]; then
+        timestamp="$(date +'%_b %d %T') "
+        echo "${timestamp}  ERROR: $@" >> $STARTUP_LOG
+    fi
+
+    case $COMMAND in
+        start)
+	    logger -p kern.err "ERROR:$g_product start failed:Firewall state not changed"
+	    ;;
+	restart)
+	    logger -p kern.err "ERROR:$g_product restart failed:Firewall state not changed"
+	    ;;
+	restore)
+	    logger -p kern.err "ERROR:$g_product restore failed:Firewall state not changed"
+	    ;;
+    esac
+
+    if [ $LOG_VERBOSITY -ge 0 ]; then
+        timestamp="$(date +'%_b %d %T') "
+
+	case $COMMAND in
+	    start)
+		echo "${timestamp}  ERROR:$g_product start failed:Firewall state not changed" >> $STARTUP_LOG
+		;;
+	    restart)
+		echo "${timestamp}  ERROR:$g_product restart failed:Firewall state not changed" >> $STARTUP_LOG
+		;;
+	    restore)
+		echo "${timestamp}  ERROR:$g_product restore failed:Firewall state not changed" >> $STARTUP_LOG
+		;;
+	esac
+    fi
+
+    kill $$
+    exit 2
+}

 #
 # Get the Shorewall version of the passed script
@@ -38,7 +82,7 @@ get_script_version() { # $1 = script
    verbosity="$VERBOSITY"
    VERBOSITY=0

-    temp=$( $SHOREWALL_SHELL $1 version | sed 's/-.*//' )
+    temp=$( $SHOREWALL_SHELL $1 version | tail -n 1 | sed 's/-.*//' )

    if [ $? -ne 0 ]; then
 	version=0
@@ -88,13 +132,15 @@ run_it() {
 	export TIMESTAMP=$g_timestamp
 	export RECOVERING=$g_recovering

-	if [ "$g_product" != Shorewall ]; then
-	    #
-	    # Shorewall Lite
-	    #
-	    export LOGFORMAT
-	    export IPTABLES
-	fi
+	case "$g_program" in
+	    *-lite)
+		#
+		# Shorewall Lite
+		#
+		export LOGFORMAT
+		export IPTABLES
+		;;
+	esac
    else
 	#
 	# 4.4.8 or later -- no additional exports required
@@ -127,6 +173,30 @@ error_message() # $* = Error Message
   echo "   $@" >&2
 }

+#
+# Undo the effect of 'split()'
+#
+join()
+{
+    local f
+    local o
+    o=
+
+    for f in $* ; do
+        o="${o:+$o:}$f"
+    done
+
+    echo $o
+}
+
+#
+# Return the number of elements in a list
+#
+list_count() # $* = list
+{
+    return $#
+}
+
 #
 # Split a colon-separated list into a space-separated list
 #
@@ -184,12 +254,20 @@ qt1()
 }

 #
-# Determine if Shorewall is "running"
+# Determine if Shorewall[6] is "running"
 #
+product_is_started() {
+    qt1 $g_tool -L shorewall -n
+}
+
 shorewall_is_started() {
    qt1 $IPTABLES -L shorewall -n
 }

+shorewall6_is_started() {
+    qt1 $IP6TABLES -L shorewall -n
+}
+
 #
 # Echos the fully-qualified name of the calling shell program
 #
@@ -294,7 +372,7 @@ reload_kernel_modules() {

    [ -z "$MODULESDIR" ] && \
 	uname=$(uname -r) && \
-	MODULESDIR=/lib/modules/$uname/kernel/net/ipv4/netfilter:/lib/modules/$uname/kernel/net/netfilter:/lib/modules/$uname/kernel/net/sched:/lib/modules/$uname/extra:/lib/modules/$uname/extra/ipset
+	MODULESDIR=/lib/modules/$uname/kernel/net/ipv${g_family}/netfilter:/lib/modules/$uname/kernel/net/netfilter:/lib/modules/$uname/kernel/net/sched:/lib/modules/$uname/extra:/lib/modules/$uname/extra/ipset

    [ -d /sys/module/ ] || MODULES=$(lsmod | cut -d ' ' -f1)

@@ -333,7 +411,7 @@ load_kernel_modules() # $1 = Yes, if we are to save moduleinfo in $VARDIR

    [ -z "$MODULESDIR" ] && \
 	uname=$(uname -r) && \
-	MODULESDIR=/lib/modules/$uname/kernel/net/ipv4/netfilter:/lib/modules/$uname/kernel/net/netfilter:/lib/modules/$uname/kernel/net/sched:/lib/modules/$uname/extra:/lib/modules/$uname/extra/ipset
+	MODULESDIR=/lib/modules/$uname/kernel/net/ipv${g_family}/netfilter:/lib/modules/$uname/kernel/net/netfilter:/lib/modules/$uname/kernel/net/sched:/lib/modules/$uname/extra:/lib/modules/$uname/extra/ipset

    for directory in $(split $MODULESDIR); do
 	[ -d $directory ] && moduledirectories="$moduledirectories $directory"
@@ -465,38 +543,100 @@ in_network() # $1 = IP address, $2 = CIDR network
    test $(( $(decodeaddr $1) & $netmask)) = $(( $(decodeaddr ${2%/*}) & $netmask ))
 }

+#
+# Query NetFilter about the existence of a filter chain
+#
+chain_exists() # $1 = chain name
+{
+    qt1 $g_tool -L $1 -n
+}
+
+#
+# Find the interface with the passed MAC address
+#
+
+find_interface_by_mac() {
+    local mac
+    mac=$1
+    local first
+    local second
+    local rest
+    local dev
+
+    $IP link list | while read first second rest; do
+	case $first in
+	    *:)
+                dev=$second
+		;;
+	    *)
+	        if [ "$second" = $mac ]; then
+		    echo ${dev%:}
+		    return
+		fi
+	esac
+    done
+}
+
 #
 # Find interface address--returns the first IP address assigned to the passed
 # device
 #
 find_first_interface_address() # $1 = interface
 {
-    #
-    # get the line of output containing the first IP address
-    #
-    addr=$(${IP:-ip} -f inet addr show $1 2> /dev/null | grep 'inet .* global' | head -n1)
-    #
-    # If there wasn't one, bail out now
-    #
-    [ -n "$addr" ] || startup_error "Can't determine the IP address of $1"
-    #
-    # Strip off the trailing VLSM mask (or the peer IP in case of a P-t-P link)
-    # along with everything else on the line
-    #
-    echo $addr | sed 's/\s*inet //;s/\/.*//;s/ peer.*//'
+    if [ $g_family -eq 4 ]; then
+	#
+	# get the line of output containing the first IP address
+	#
+	addr=$(${IP:-ip} -f inet addr show $1 2> /dev/null | grep 'inet .* global' | head -n1)
+	#
+	# If there wasn't one, bail out now
+	#
+	[ -n "$addr" ] || startup_error "Can't determine the IP address of $1"
+	#
+	# Strip off the trailing VLSM mask (or the peer IP in case of a P-t-P link)	
+	# along with everything else on the line
+	#
+	echo $addr | sed 's/\s*inet //;s/\/.*//;s/ peer.*//'
+    else
+	#
+	# get the line of output containing the first IP address
+	#
+	addr=$(${IP:-ip} -f inet6 addr show dev $1 2> /dev/null | fgrep 'inet6 ' | fgrep -v 'scope link' | head -n1)
+	#
+	# If there wasn't one, bail out now
+	#
+	[ -n "$addr" ] || startup_error "Can't determine the IPv6 address of $1"
+	#
+	# Strip off the trailing VLSM mask (or the peer IP in case of a P-t-P link)
+	# along with everything else on the line
+	#
+	echo $addr | sed 's/\s*inet6 //;s/\/.*//;s/ peer.*//'
+    fi
 }

 find_first_interface_address_if_any() # $1 = interface
 {
-    #
-    # get the line of output containing the first IP address
-    #
-    addr=$(${IP:-ip} -f inet addr show $1 2> /dev/null | grep 'inet .* global' | head -n1)
-    #
-    # Strip off the trailing VLSM mask (or the peer IP in case of a P-t-P link)
-    # along with everything else on the line
-    #
-    [ -n "$addr" ] && echo $addr | sed 's/\s*inet //;s/\/.*//;s/ peer.*//' || echo 0.0.0.0
+    if [ $g_family -eq 4 ]; then
+	#
+	# get the line of output containing the first IP address
+	#
+	addr=$(${IP:-ip} -f inet addr show $1 2> /dev/null | grep 'inet .* global' | head -n1)
+	#
+	# Strip off the trailing VLSM mask (or the peer IP in case of a P-t-P link)
+	# along with everything else on the line
+	#
+	[ -n "$addr" ] && echo $addr | sed 's/\s*inet //;s/\/.*//;s/ peer.*//' || echo 0.0.0.0
+    else
+	#
+	# get the line of output containing the first IP address
+	#
+	addr=$(${IP:-ip} -f inet6 addr show dev $1 2> /dev/null | fgrep 'inet6 ' | fgrep -v 'scope link' | head -n1)
+	#
+	# Strip off the trailing VLSM mask (or the peer IP in case of a P-t-P link)
+	# along with everything else on the line
+	#
+	[ -n "$addr" ] && echo $addr | sed 's/\s*inet6 //;s/\/.*//;s/ peer.*//' || echo ::
+    fi
 }

 #
@@ -515,14 +655,6 @@ mywhich() {
    return 2
 }

-#
-# Query NetFilter about the existence of a filter chain
-#
-chain_exists() # $1 = chain name
-{
-    qt1 $IPTABLES -L $1 -n
-}
-
 #
 # Find a File -- For relative file name, look in each ${CONFIG_PATH} then ${CONFDIR}
 #
@@ -552,7 +684,7 @@ find_file()
 #
 # Set the Shorewall state
 #
-set_state () # $1 = state $2
+set_state () # $1 = state
 {
    if [ $# -gt 1 ]; then
 	echo "$1 ($(date)) from $2" > ${VARDIR}/state
--- a/Shorewall-core/uninstall.sh
+++ b/Shorewall-core/uninstall.sh
@@ -0,0 +1,84 @@
+#!/bin/sh
+#
+# Script to back uninstall Shoreline Firewall
+#
+#     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
+#
+#     (c) 2000-2011 - Tom Eastep (teastep@shorewall.net)
+#
+#       Shorewall documentation is available at http://www.shorewall.net
+#
+#       This program is free software; you can redistribute it and/or modify
+#       it under the terms of Version 2 of the GNU General Public License
+#       as published by the Free Software Foundation.
+#
+#       This program is distributed in the hope that it will be useful,
+#       but WITHOUT ANY WARRANTY; without even the implied warranty of
+#       MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+#       GNU General Public License for more details.
+#
+#       You should have received a copy of the GNU General Public License
+#       along with this program; if not, write to the Free Software
+#       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+#    Usage:
+#
+#       You may only use this script to uninstall the version
+#       shown below. Simply run this script to remove Shorewall Firewall
+
+VERSION=xxx #The Build script inserts the actual version
+
+usage() # $1 = exit status
+{
+    ME=$(basename $0)
+    echo "usage: $ME"
+    exit $1
+}
+
+qt()
+{
+    "$@" >/dev/null 2>&1
+}
+
+restore_file() # $1 = file to restore
+{
+    if [ -f ${1}-shorewall.bkout ]; then
+	if (mv -f ${1}-shorewall.bkout $1); then
+	    echo
+	    echo "$1 restored"
+        else
+	    exit 1
+        fi
+    fi
+}
+
+remove_file() # $1 = file to restore
+{
+    if [ -f $1 -o -L $1 ] ; then
+	rm -f $1
+	echo "$1 Removed"
+    fi
+}
+
+if [ -f /usr/share/shorewall/coreversion ]; then
+    INSTALLED_VERSION="$(cat /usr/share/shorewall/coreversion)"
+    if [ "$INSTALLED_VERSION" != "$VERSION" ]; then
+	echo "WARNING: Shorewall Core Version $INSTALLED_VERSION is installed"
+	echo "         and this is the $VERSION uninstaller."
+	VERSION="$INSTALLED_VERSION"
+    fi
+else
+    echo "WARNING: Shorewall Core Version $VERSION is not installed"
+    VERSION=""
+fi
+
+[ -n "${LIBEXEC:=/usr/share}" ]
+[ -n "${PERLLIB:=/usr/share/shorewall}" ]
+
+echo "Uninstalling Shorewall Core $VERSION"
+
+rm -rf /usr/share/shorewall
+
+echo "Shorewall Core Uninstalled"
+
+
--- a/Shorewall-core/wait4ifup
+++ b/Shorewall-core/wait4ifup
--- a/Shorewall-init/install.sh
+++ b/Shorewall-init/install.sh
@@ -86,21 +86,14 @@ install_file() # $1 = source $2 = target $3 = mode
    run_install $T $OWNERSHIP -m $3 $1 ${2}
 }

-[ -n "$DESTDIR" ] || DESTDIR="$PREFIX"
+cd "$(dirname $0)"

-# DEST is the SysVInit script directory
-# INIT is the name of the script in the $DEST directory
-# ARGS is "yes" if we've already parsed an argument
 #
-ARGS=""
+# Load packager's settings if any
+#
+[ -f ../shorewall-pkg.config ] && . ../shorewall-pkg.config

-if [ -z "$DEST" ] ; then
-	DEST="/etc/init.d"
-fi
-
-if [ -z "$INIT" ] ; then
-	INIT="shorewall-init"
-fi
+[ -n "$DESTDIR" ] || DESTDIR="$PREFIX"

 while [ $# -gt 0 ] ; do
    case "$1" in
@@ -116,7 +109,6 @@ while [ $# -gt 0 ] ; do
 	    ;;
    esac
    shift
-    ARGS="yes"
 done

 PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
@@ -127,75 +119,112 @@ case "$LIBEXEC" in
    /*)
 	;;
    *)
-	LIBEXEC=/usr/${LIBEXEC}
+	echo "The LIBEXEC setting must be an absolute path name" >&2
+	exit 1
 	;;
 esac

-#
-# Determine where to install the firewall script
-#
+INITFILE="shorewall-init"

-case $(uname) in
-    Darwin)
-	[ -z "$OWNER" ] && OWNER=root
-	[ -z "$GROUP" ] && GROUP=wheel
+if [ -z "$BUILD" ]; then
+    case $(uname) in
+	cygwin*)
+	    BUILD=cygwin
+	    ;;
+	Darwin)
+	    BUILD=apple
+	    ;;
+	*)
+	    if [ -f /etc/debian_version ]; then
+		BUILD=debian
+	    elif [ -f /etc/redhat-release ]; then
+		BUILD=redhat
+	    elif [ -f /etc/SuSE-release ]; then
+		BUILD=suse
+	    elif [ -f /etc/slackware-version ] ; then
+		BUILD=slackware
+	    elif [ -f /etc/arch-release ] ; then
+		BUILD=archlinux
+	    else
+		BUILD=linux
+	    fi
+	    ;;
+    esac
+fi
+
+[ -n "$OWNER" ] || OWNER=$(id -un)
+[ -n "$GROUP" ] || GROUP=$(id -gn)
+
+case $BUILD in
+    apple)
 	T=
-	;;	
+	;;
+    debian|redhat|suse|slackware|archlinux)
+	;;
    *)
-	[ -z "$OWNER" ] && OWNER=root
-	[ -z "$GROUP" ] && GROUP=root
+	[ -n "$BUILD" ] && echo "ERROR: Unknown BUILD environment ($BUILD)" >&2 || echo "ERROR: Unknown BUILD environment"
+	exit 1
 	;;
 esac

 OWNERSHIP="-o $OWNER -g $GROUP"

+[ -n "$HOST" ] || HOST=$BUILD
+
+case "$HOST" in
+    debian)
+	echo "Installing Debian-specific configuration..."
+	SPARSE=yes
+	;;
+    redhat|redhat)
+	echo "Installing Redhat/Fedora-specific configuration..."
+	[ -n "$INITDIR" ] || INITDIR=/etc/rc.d/init.d
+	;;
+    slackware)
+	echo "Shorewall-init is currently not supported on Slackware" >&2
+	exit 1
+	;;
+    archlinux)
+	echo "Shorewall-init is currently not supported on Arch Linux" >&2
+	exit 1
+	;;
+    suse|suse)
+	echo "Installing SuSE-specific configuration..."
+	;;
+    linux)
+	echo "ERROR: Shorewall-init is not supported on this system" >&2
+	;;
+    *)
+	echo "ERROR: Unsupported HOST distribution: \"$HOST\"" >&2
+	exit 1;
+	;;
+esac
+
+[ -z "$TARGET" ] && TARGET=$HOST
+
+if [ -z "$INITDIR" -a -n "$INITFILE" ] ; then
+    INITDIR="/etc/init.d"
+fi
+
 if [ -n "$DESTDIR" ]; then
    if [ `id -u` != 0 ] ; then
 	echo "Not setting file owner/group permissions, not running as root."
 	OWNERSHIP=""
    fi
    
-    install -d $OWNERSHIP -m 755 ${DESTDIR}${DEST}
-elif [ -f /etc/debian_version ]; then
-    DEBIAN=yes
-elif [ -f /etc/SuSE-release ]; then
-    SUSE=Yes
-elif [ -f /etc/redhat-release ]; then
-    FEDORA=Yes
-elif [ -f /etc/slackware-version ] ; then
-    echo "Shorewall-init is currently not supported on Slackware" >&2
-    exit 1
-#   DEST="/etc/rc.d"
-#   INIT="rc.firewall"
-elif [ -f /etc/arch-release ] ; then
-    echo "Shorewall-init is currently not supported on Arch Linux" >&2
-    exit 1
-#   DEST="/etc/rc.d"
-#   INIT="shorewall-init"
-#   ARCHLINUX=yes
-elif [ -d /etc/sysconfig/network-scripts/ ]; then
-    #
-    # Assume RedHat-based
-    #
-    REDHAT=Yes
-else
-    echo "Unknown distribution: Shorewall-init support is not available" >&2
-    exit 1
+    install -d $OWNERSHIP -m 755 ${DESTDIR}${INITDIR}
 fi

 if [ -z "$DESTDIR" ]; then
-    if [ -f /lib/systemd/system ]; then
+    if [ -d /lib/systemd/system ]; then
 	SYSTEMD=Yes
+	INITFILE=
    fi
 elif [ -n "$SYSTEMD" ]; then
    mkdir -p ${DESTDIR}/lib/systemd/system
+    INITFILE=
 fi

-#
-# Change to the directory containing this script
-#
-cd "$(dirname $0)"
-
 echo "Installing Shorewall Init Version $VERSION"

 #
@@ -207,27 +236,36 @@ else
    first_install="Yes"
 fi

-#
-# Install the Init Script
-#
-if [ -n "$DEBIAN" ]; then
-    install_file init.debian.sh ${DESTDIR}/etc/init.d/shorewall-init 0544
-elif [ -n "$FEDORA" ]; then
-    install_file init.debian.sh ${DESTDIR}/etc/init.d/shorewall-init 0544
-#elif [ -n "$ARCHLINUX" ]; then
-#    install_file init.archlinux.sh ${DESTDIR}${DEST}/$INIT 0544
-else
-    install_file init.sh ${DESTDIR}${DEST}/$INIT 0544
+if [ -n "$INITFILE" ]; then
+    #
+    # Install the Init Script
+    #
+    case $TARGET in
+	debian)
+	    install_file init.debian.sh ${DESTDIR}${INITDIR}/${INITFILE} 0544
+	    ;;
+	redhat)
+	    install_file init.fedora.sh ${DESTDIR}${INITDIR}/${INITFILE} 0544
+	    ;;
+	*)
+	    install_file init.sh ${DESTDIR}${INITDIR}/${INITFILE} 0544
+	    ;;
+    esac
+
+    echo  "Shorewall-init script installed in ${DESTDIR}${INITDIR}/${INITFILE}"
 fi
-
-echo  "Shorewall Init script installed in ${DESTDIR}${DEST}/$INIT"
-
 #
 # Install the .service file
 #
 if [ -n "$SYSTEMD" ]; then
    run_install $OWNERSHIP -m 600 shorewall-init.service ${DESTDIR}/lib/systemd/system/shorewall-init.service
    echo "Service file installed as ${DESTDIR}/lib/systemd/system/shorewall-init.service"
+    if [ -n "$DESTDIR" ]; then
+	mkdir -p ${DESTDIR}/sbin/
+        chmod 755 ${DESTDIR}/sbin
+    fi
+    run_install $OWNERSHIP -m 700 shorewall-init ${DESTDIR}/sbin/shorewall-init
+    echo "CLI installed as ${DESTDIR}/sbin/shorewall-init"
 fi

 #
@@ -247,10 +285,10 @@ chmod 644 ${DESTDIR}/usr/share/shorewall-init/version
 #
 if [ -z "$DESTDIR" ]; then
    rm -f /usr/share/shorewall-init/init
-    ln -s ${DEST}/${INIT} /usr/share/shorewall-init/init
+    ln -s ${INITDIR}/${INITFILE} /usr/share/shorewall-init/init
 fi

-if [ -n "$DEBIAN" ]; then
+if [ $HOST = debian ]; then
    if [ -n "${DESTDIR}" ]; then
 	mkdir -p ${DESTDIR}/etc/network/if-up.d/
 	mkdir -p ${DESTDIR}/etc/network/if-post-down.d/
@@ -268,7 +306,7 @@ else
 	mkdir -p ${DESTDIR}/etc/sysconfig

 	if [ -z "$RPM" ]; then
-	    if [ -n "$SUSE" ]; then
+	    if [ $HOST = suse ]; then
 		mkdir -p ${DESTDIR}/etc/sysconfig/network/if-up.d
 		mkdir -p ${DESTDIR}/etc/sysconfig/network/if-down.d
 	    else
@@ -294,24 +332,30 @@ if [ -d ${DESTDIR}/etc/NetworkManager ]; then
    install_file ifupdown.sh ${DESTDIR}/etc/NetworkManager/dispatcher.d/01-shorewall 0544
 fi

-if [ -n "$DEBIAN" ]; then
-    install_file ifupdown.sh ${DESTDIR}/etc/network/if-up.d/shorewall 0544
-    install_file ifupdown.sh ${DESTDIR}/etc/network/if-post-down.d/shorewall 0544
-elif [ -n "$SUSE" ]; then
-    install_file ifupdown.sh ${DESTDIR}/etc/sysconfig/network/if-up.d/shorewall 0544
-    install_file ifupdown.sh ${DESTDIR}/etc/sysconfig/network/if-down.d/shorewall 0544
-elif [ -n "$REDHAT" ]; then
-    if [ -f ${DESTDIR}/sbin/ifup-local -o -f ${DESTDIR}/sbin/ifdown-local ]; then
-	echo "WARNING: /sbin/ifup-local and/or /sbin/ifdown-local already exist; up/down events will not be handled"
-    else
-	install_file ifupdown.sh ${DESTDIR}/sbin/ifup-local 0544
-	install_file ifupdown.sh ${DESTDIR}/sbin/ifdown-local 0544
-    fi
-fi
+case $HOST in
+    debian)
+	install_file ifupdown.sh ${DESTDIR}/etc/network/if-up.d/shorewall 0544
+	install_file ifupdown.sh ${DESTDIR}/etc/network/if-post-down.d/shorewall 0544
+	;;
+    suse)
+	if [ -z "$RPM" ]; then
+	    install_file ifupdown.sh ${DESTDIR}/etc/sysconfig/network/if-up.d/shorewall 0544
+	    install_file ifupdown.sh ${DESTDIR}/etc/sysconfig/network/if-down.d/shorewall 0544
+	fi
+	;;
+    redhat)
+	if [ -f ${DESTDIR}/sbin/ifup-local -o -f ${DESTDIR}/sbin/ifdown-local ]; then
+	    echo "WARNING: /sbin/ifup-local and/or /sbin/ifdown-local already exist; up/down events will not be handled"
+	elif [ -z "$DESTDIR" ]; then
+	    install_file ifupdown.sh ${DESTDIR}/sbin/ifup-local 0544
+	    install_file ifupdown.sh ${DESTDIR}/sbin/ifdown-local 0544
+	fi
+	;;
+esac

 if [ -z "$DESTDIR" ]; then
    if [ -n "$first_install" ]; then
-	if [ -n "$DEBIAN" ]; then
+	if [ $HOST = debian ]; then
 	    
 	    update-rc.d shorewall-init defaults

@@ -340,7 +384,7 @@ if [ -z "$DESTDIR" ]; then
 		else
 		    cant_autostart
 		fi
-	    elif [ "$INIT" != rc.firewall ]; then #Slackware starts this automatically
+	    else
 		cant_autostart
 	    fi

@@ -348,7 +392,7 @@ if [ -z "$DESTDIR" ]; then
    fi
 else
    if [ -n "$first_install" ]; then
-	if [ -n "$DEBIAN" ]; then
+	if [ $HOST = debian ]; then
 	    if [ -n "${DESTDIR}" ]; then
 		mkdir -p ${DESTDIR}/etc/rcS.d
 	    fi
@@ -360,31 +404,33 @@ else
 fi

 if [ -f ${DESTDIR}/etc/ppp ]; then
-    if [ -n "$DEBIAN" ] -o -n "$SUSE" ]; then
-	for directory in ip-up.d ip-down.d ipv6-up.d ipv6-down.d; do
-	    mkdir -p ${DESTDIR}/etc/ppp/$directory #SuSE doesn't create the IPv6 directories
-	    cp -fp ${DESTDIR}${LIBEXEC}/shorewall-init/ifupdown ${DESTDIR}/etc/ppp/$directory/shorewall
-	done
-    elif [ -n "$REDHAT" ]; then
-	#
-	# Must use the dreaded ip_xxx.local file
-	#
-	for file in ip-up.local ip-down.local; do
-	    FILE=${DESTDIR}/etc/ppp/$file
-	    if [ -f $FILE ]; then
-		if fgrep -q Shorewall-based $FILE ; then
-		    cp -fp ${DESTDIR}${LIBEXEC}/shorewall-init/ifupdown $FILE
+    case $HOST in
+	debian|suse)
+	    for directory in ip-up.d ip-down.d ipv6-up.d ipv6-down.d; do
+		mkdir -p ${DESTDIR}/etc/ppp/$directory #SuSE doesn't create the IPv6 directories
+		cp -fp ${DESTDIR}${LIBEXEC}/shorewall-init/ifupdown ${DESTDIR}/etc/ppp/$directory/shorewall
+	    done
+	    ;;
+	redhat)
+	    #
+	    # Must use the dreaded ip_xxx.local file
+	    #
+	    for file in ip-up.local ip-down.local; do
+		FILE=${DESTDIR}/etc/ppp/$file
+		if [ -f $FILE ]; then
+		    if fgrep -q Shorewall-based $FILE ; then
+			cp -fp ${DESTDIR}${LIBEXEC}/shorewall-init/ifupdown $FILE
+		    else
+			echo "$FILE already exists -- ppp devices will not be handled"
+			break
+		    fi
 		else
-		    echo "$FILE already exists -- ppp devices will not be handled"
-		    break
+		    cp -fp ${DESTDIR}${LIBEXEC}/shorewall-init/ifupdown $FILE
 		fi
-	    else
-		cp -fp ${DESTDIR}${LIBEXEC}/shorewall-init/ifupdown $FILE
-	    fi
-	done
-    fi
+	    done
+	    ;;
+    esac
 fi
-
 #
 #  Report Success
 #
--- a/Shorewall-init/shorewall-init
+++ b/Shorewall-init/shorewall-init
@@ -0,0 +1,97 @@
+#! /bin/bash
+#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V4.5
+#
+#     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
+#
+#     (c) 2012 - Tom Eastep (teastep@shorewall.net)
+#
+#       On most distributions, this file should be called /etc/init.d/shorewall.
+#
+#       Complete documentation is available at http://shorewall.net
+#
+#       This program is free software; you can redistribute it and/or modify
+#       it under the terms of Version 2 of the GNU General Public License
+#       as published by the Free Software Foundation.
+#
+#       This program is distributed in the hope that it will be useful,
+#       but WITHOUT ANY WARRANTY; without even the implied warranty of
+#       MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+#       GNU General Public License for more details.
+#
+#       You should have received a copy of the GNU General Public License
+#       along with this program; if not, write to the Free Software
+#       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+#########################################################################################
+# check if shorewall-init is configured or not
+if [ -f "/etc/sysconfig/shorewall-init" ]; then
+    . /etc/sysconfig/shorewall-init
+    if [ -z "$PRODUCTS" ]; then
+        echo "ERROR: No products configured" >&2
+	exit 1
+    fi
+else
+    echo "ERROR: /etc/sysconfig/shorewall-init not found" >&2
+    exit 1
+fi
+
+# Initialize the firewall
+shorewall_start () {
+  local PRODUCT
+  local VARDIR
+
+  echo -n "Initializing \"Shorewall-based firewalls\": "
+  for PRODUCT in $PRODUCTS; do
+      VARDIR=/var/lib/$PRODUCT
+      [ -f /etc/$PRODUCT/vardir ] && . /etc/$PRODUCT/vardir 
+      if [ -x ${VARDIR}/firewall ]; then
+	  if ! /sbin/$PRODUCT status > /dev/null 2>&1; then
+	      ${VARDIR}/firewall stop || exit 1
+	  fi
+      fi
+  done
+
+  if [ -n "$SAVE_IPSETS" -a -f "$SAVE_IPSETS" ]; then
+      ipset -R < "$SAVE_IPSETS"
+  fi
+
+  return 0
+}
+
+# Clear the firewall
+shorewall_stop () {
+  local PRODUCT
+  local VARDIR
+
+  echo -n "Clearing \"Shorewall-based firewalls\": "
+  for PRODUCT in $PRODUCTS; do
+      VARDIR=/var/lib/$PRODUCT
+      [ -f /etc/$PRODUCT/vardir ] && . /etc/$PRODUCT/vardir 
+      if [ -x ${VARDIR}/firewall ]; then
+	  ${VARDIR}/firewall clear || exit 1
+      fi
+  done
+
+  if [ -n "$SAVE_IPSETS" ]; then
+      mkdir -p $(dirname "$SAVE_IPSETS")
+      if ipset -S > "${SAVE_IPSETS}.tmp"; then
+	  grep -qE -- '^(-N|create )' "${SAVE_IPSETS}.tmp" && mv -f "${SAVE_IPSETS}.tmp" "$SAVE_IPSETS"
+      fi
+  fi
+
+  return 0
+}
+
+case "$1" in
+  start)
+     shorewall_start
+     ;;
+  stop)
+     shorewall_stop
+     ;;
+  *)
+     echo "Usage: $0 {start|stop}"
+     exit 1
+esac
+
+exit 0
--- a/Shorewall-lite/Makefile
+++ b/Shorewall-lite/Makefile
@@ -12,7 +12,7 @@ $(VARDIR)/${RESTOREFILE}: $(VARDIR)/firewall
 	then \
 	    /sbin/shorewall-lite -q save >/dev/null; \
 	else \
-	    /sbin/shorewall-lite -q restart 2>&1 | tail >&2; \
+	    /sbin/shorewall-lite -q restart 2>&1 | tail >&2; exit 1; \
 	fi

 # EOF
--- a/Shorewall-lite/default.debian
+++ b/Shorewall-lite/default.debian
@@ -18,9 +18,18 @@ startup=0
 #
 # Startup options
 #
-
 OPTIONS=""

+#
+# Start options
+#
+STARTOPTIONS=""
+
+#
+# Restart options
+#
+RESTARTOPTIONS=""
+
 #
 # Init Log -- if /dev/null, use the STARTUP_LOG defined in shorewall.conf
 #
@@ -30,7 +39,6 @@ INITLOG=/dev/null
 # Set this to 1 to cause '/etc/init.d/shorewall-lite stop' to place the firewall in
 # a safe state rather than to open it
 #
-
 SAFESTOP=0

 # EOF
--- a/Shorewall-lite/init.debian.sh
+++ b/Shorewall-lite/init.debian.sh
@@ -80,7 +80,7 @@ fi
 # start the firewall
 shorewall_start () {
  echo -n "Starting \"Shorewall firewall\": "
-  $SRWL $SRWL_OPTS start >> $INITLOG 2>&1 && echo "done." || echo_notdone
+  $SRWL $SRWL_OPTS start $STARTOPTIONS >> $INITLOG 2>&1 && echo "done." || echo_notdone
  return 0
 }

@@ -98,7 +98,7 @@ shorewall_stop () {
 # restart the firewall
 shorewall_restart () {
  echo -n "Restarting \"Shorewall firewall\": "
-  $SRWL $SRWL_OPTS restart >> $INITLOG 2>&1 && echo "done." || echo_notdone
+  $SRWL $SRWL_OPTS restart $RESTARTOPTIONS >> $INITLOG 2>&1 && echo "done." || echo_notdone
  return 0
 }

--- a/Shorewall-lite/init.sh
+++ b/Shorewall-lite/init.sh
@@ -76,14 +76,13 @@ command="$1"

 case "$command" in
    start)
-	exec /sbin/shorewall-lite $OPTIONS $@
+	exec /sbin/shorewall-lite $OPTIONS start $STARTOPTIONS
 	;;
-    stop|restart|status)
-	exec /sbin/shorewall-lite $@
+    restart|reload)
+	exec /sbin/shorewall-lite $OPTIONS restart $RESTARTOPTIONS
 	;;
-    reload)
-	shift
-	exec /sbin/shorewall-lite restart $@
+    status|stop)
+	exec /sbin/shorewall-lite $OPTIONS $command $@
 	;;
    *)
 	usage
--- a/Shorewall-lite/install.sh
+++ b/Shorewall-lite/install.sh
@@ -72,7 +72,7 @@ run_install()
 cant_autostart()
 {
    echo
-    echo  "WARNING: Unable to configure shorewall to start automatically at boot" >&2
+    echo  "WARNING: Unable to configure $Product to start automatically at boot" >&2
 }

 delete_file() # $1 = file to delete
@@ -85,32 +85,36 @@ install_file() # $1 = source $2 = target $3 = mode
    run_install $T $OWNERSHIP -m $3 $1 ${2}
 }

+#
+# Change to the directory containing this script
+#
+cd "$(dirname $0)"
+
+#
+# Load packager's settings if any
+#
+[ -f ../shorewall-pkg.config ] && . ../shorewall-pkg.config
+
+if [ -f shorewall-lite ]; then
+    PRODUCT=shorewall-lite
+    Product="Shorewall Lite"
+else
+    PRODUCT=shorewall6-lite
+    Product="Shorewall6 Lite"
+fi
+
 [ -n "$DESTDIR" ] || DESTDIR="$PREFIX"

 #
 # Parse the run line
 #
-# DEST is the SysVInit script directory
-# INIT is the name of the script in the $DEST directory
-# ARGS is "yes" if we've already parsed an argument
-#
-ARGS=""
-
-if [ -z "$DEST" ] ; then
-	DEST="/etc/init.d"
-fi
-
-if [ -z "$INIT" ] ; then
-	INIT="shorewall-lite"
-fi
-
 while [ $# -gt 0 ] ; do
    case "$1" in
 	-h|help|?)
 	    usage 0
 	    ;;
        -v)
-	    echo "Shorewall Lite Firewall Installer Version $VERSION"
+	    echo "$Product Firewall Installer Version $VERSION"
 	    exit 0
 	    ;;
 	*)
@@ -118,7 +122,6 @@ while [ $# -gt 0 ] ; do
 	    ;;
    esac
    shift
-    ARGS="yes"
 done

 PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
@@ -129,31 +132,56 @@ case "$LIBEXEC" in
    /*)
 	;;
    *)
-	LIBEXEC=/usr/${LIBEXEC}
+	echo "The LIBEXEC setting must be an absolute path name" >&2
+	exit 1
 	;;
 esac

 #
 # Determine where to install the firewall script
 #
-CYGWIN=
+cygwin=
 INSTALLD='-D'
+INITFILE=$PRODUCT
 T='-T'

-case $(uname) in
-    CYGWIN*)
-	if [ -z "$DESTDIR" ]; then
-	    DEST=
-	    INIT=
-	fi
+if [ -z "$BUILD" ]; then
+    case $(uname) in
+	cygwin*)
+	    BUILD=cygwin
+	    ;;
+	Darwin)
+	    BUILD=apple
+	    ;;
+	*)
+	    if [ -f /etc/debian_version ]; then
+		BUILD=debian
+	    elif [ -f /etc/redhat-release ]; then
+		BUILD=redhat
+	    elif [ -f /etc/SuSE-release ]; then
+		BUILD=suse
+	    elif [ -f /etc/slackware-version ] ; then
+		BUILD=slackware
+	    elif [ -f /etc/arch-release ] ; then
+		BUILD=archlinux
+	    else
+		BUILD=linux
+	    fi
+	    ;;
+    esac
+fi

+case $BUILD in
+    cygwin*)
 	OWNER=$(id -un)
 	GROUP=$(id -gn)
 	;;
-    Darwin)
+    apple)
+	[ -z "$OWNER" ] && OWNER=root
+	[ -z "$GROUP" ] && GROUP=wheel
 	INSTALLD=
 	T=
-	;;	   
+	;;
    *)
 	[ -z "$OWNER" ] && OWNER=root
 	[ -z "$GROUP" ] && GROUP=root
@@ -162,6 +190,45 @@ esac

 OWNERSHIP="-o $OWNER -g $GROUP"

+[ -n "$HOST" ] || HOST=$BUILD
+
+case "$HOST" in
+    cygwin)
+	echo "$PRODUCT is not supported on Cygwin" >&2
+	exit 1
+	;;
+    apple)
+	echo "$PRODUCT is not supported on OS X" >&2
+	exit 1
+	;;
+    debian)
+	echo "Installing Debian-specific configuration..."
+	SPARSE=yes
+	;;
+    redhat)
+	echo "Installing Redhat/Fedora-specific configuration..."
+	[ -n "$INITDIR" ]  || INITDIR=/etc/rc.d/init.d
+	;;
+    slackware)
+	echo "Installing Slackware-specific configuration..."
+	[ -n "$INITDIR" ]  || INITDIR="/etc/rc.d"
+	[ -n "$INITFILE" ] || INITFILE="rc.firewall"
+	[ -n "$MANDIR=" ]  || MANDIR=/usr/man
+	;;
+    archlinux)
+	echo "Installing ArchLinux-specific configuration..."
+	[ -n "$INITDIR" ]  || INITDIR="/etc/rc.d"
+	;;
+    linux|suse)
+	;;
+    *)
+	echo "ERROR: Unknown HOST \"$HOST\"" >&2
+	exit 1;
+	;;
+esac
+
+[ -z "$INITDIR" ] && INITDIR="/etc/init.d"
+
 if [ -n "$DESTDIR" ]; then
    if [ `id -u` != 0 ] ; then
 	echo "Not setting file owner/group permissions, not running as root."
@@ -169,179 +236,167 @@ if [ -n "$DESTDIR" ]; then
    fi
    
    install -d $OWNERSHIP -m 755 ${DESTDIR}/sbin
-    install -d $OWNERSHIP -m 755 ${DESTDIR}${DEST}
-elif [ -d /etc/apt -a -e /usr/bin/dpkg ]; then
-    DEBIAN=yes
-elif [ -f /etc/redhat-release ]; then
-    FEDORA=yes
-elif [ -f /etc/slackware-version ] ; then
-    DEST="/etc/rc.d"
-    INIT="rc.firewall"
-elif [ -f /etc/arch-release ] ; then
-      DEST="/etc/rc.d"
-      INIT="shorewall-lite"
-      ARCHLINUX=yes
-fi
+    install -d $OWNERSHIP -m 755 ${DESTDIR}${DESTFILE}
+
+    if [ -n "$SYSTEMD" ]; then
+	mkdir -p ${DESTDIR}/lib/systemd/system
+	INITFILE=
+    fi
+else
+    if [ ! -f /usr/share/shorewall/coreversion ]; then
+	echo "$PRODUCT $VERSION requires Shorewall Core which does not appear to be installed" >&2
+	exit 1
+    fi

-if [ -z "$DESTDIR" ]; then
    if [ -f /lib/systemd/system ]; then
 	SYSTEMD=Yes
+	INITFILE=
    fi
-elif [ -n "$SYSTEMD" ]; then
-    mkdir -p ${DESTDIR}/lib/systemd/system
 fi

-#
-# Change to the directory containing this script
-#
-cd "$(dirname $0)"
-
-echo "Installing Shorewall Lite Version $VERSION"
+echo "Installing $Product Version $VERSION"

 #
-# Check for /etc/shorewall-lite
+# Check for /etc/$PRODUCT
 #
-if [ -z "$DESTDIR" -a -d /etc/shorewall-lite ]; then
-    [ -f /etc/shorewall-lite/shorewall.conf ] && \
-	mv -f /etc/shorewall-lite/shorewall.conf /etc/shorewall-lite/shorewall-lite.conf
+if [ -z "$DESTDIR" -a -d /etc/$PRODUCT ]; then
+    if [ ! -f /usr/share/shorewall/coreversion ]; then
+	echo "$PRODUCT $VERSION requires Shorewall Core which does not appear to be installed" >&2
+	exit 1
+    fi
+
+    [ -f /etc/$PRODUCT/shorewall.conf ] && \
+	mv -f /etc/$PRODUCT/shorewall.conf /etc/$PRODUCT/$PRODUCT.conf
 else
-    rm -rf ${DESTDIR}/etc/shorewall-lite
-    rm -rf ${DESTDIR}/usr/share/shorewall-lite
-    rm -rf ${DESTDIR}/var/lib/shorewall-lite
-    [ "$LIBEXEC" = share ] || rm -rf /usr/share/shorewall-lite/shorecap /usr/share/shorecap
+    rm -rf ${DESTDIR}/etc/$PRODUCT
+    rm -rf ${DESTDIR}/usr/share/$PRODUCT
+    rm -rf ${DESTDIR}/var/lib/$PRODUCT
+    [ "$LIBEXEC" = /usr/share ] || rm -rf ${DESTDIR}/usr/share/$PRODUCT/wait4ifup ${DESTDIR}/usr/share/$PRODUCT/shorecap
 fi

 #
-# Check for /sbin/shorewall-lite
+# Check for /sbin/$PRODUCT
 #
-if [ -f ${DESTDIR}/sbin/shorewall-lite ]; then
+if [ -f ${DESTDIR}/sbin/$PRODUCT ]; then
    first_install=""
 else
    first_install="Yes"
 fi

-delete_file ${DESTDIR}/usr/share/shorewall-lite/xmodules
+delete_file ${DESTDIR}/usr/share/$PRODUCT/xmodules

-install_file shorewall-lite ${DESTDIR}/sbin/shorewall-lite 0544
+install_file $PRODUCT ${DESTDIR}/sbin/$PRODUCT 0544

-eval sed -i \'``s\|g_libexec=.\*\|g_libexec=$LIBEXEC\|\' ${DESTDIR}/sbin/shorewall-lite
-
-echo "Shorewall Lite control program installed in ${DESTDIR}/sbin/shorewall-lite"
+echo "$Product control program installed in ${DESTDIR}/sbin/$PRODUCT"

 #
-# Install the Firewall Script
+# Create /etc/$PRODUCT, /usr/share/$PRODUCT and /var/lib/$PRODUCT if needed
 #
-if [ -n "$DEBIAN" ]; then
-    install_file init.debian.sh ${DESTDIR}/etc/init.d/shorewall-lite 0544
-elif [ -n "$FEDORA" ]; then
-    install_file init.fedora.sh ${DESTDIR}/etc/init.d/shorewall-lite 0544
-elif [ -n "$ARCHLINUX" ]; then
-    install_file init.archlinux.sh ${DESTDIR}/${DEST}/$INIT 0544
-else
-    install_file init.sh ${DESTDIR}/${DEST}/$INIT 0544
-fi
+mkdir -p ${DESTDIR}/etc/$PRODUCT
+mkdir -p ${DESTDIR}/usr/share/$PRODUCT
+mkdir -p ${DESTDIR}${LIBEXEC}/$PRODUCT
+mkdir -p ${DESTDIR}/var/lib/$PRODUCT

-echo  "Shorewall Lite script installed in ${DESTDIR}${DEST}/$INIT"
-
-#
-# Create /etc/shorewall-lite, /usr/share/shorewall-lite and /var/lib/shorewall-lite if needed
-#
-mkdir -p ${DESTDIR}/etc/shorewall-lite
-mkdir -p ${DESTDIR}/usr/share/shorewall-lite
-mkdir -p ${DESTDIR}${LIBEXEC}/shorewall-lite
-mkdir -p ${DESTDIR}/var/lib/shorewall-lite
-
-chmod 755 ${DESTDIR}/etc/shorewall-lite
-chmod 755 ${DESTDIR}/usr/share/shorewall-lite
+chmod 755 ${DESTDIR}/etc/$PRODUCT
+chmod 755 ${DESTDIR}/usr/share/$PRODUCT

 if [ -n "$DESTDIR" ]; then
    mkdir -p ${DESTDIR}/etc/logrotate.d
    chmod 755 ${DESTDIR}/etc/logrotate.d
+    mkdir -p ${DESTDIR}${INITDIR}
+    chmod 755 ${DESTDIR}${INITDIR}
 fi

+if [ -n "$INITFILE" ]; then
+    case $TARGET in
+	debian)
+	    install_file init.debian.sh ${DESTDIR}${INITDIR}/${INITFILE} 0544
+	    ;;
+	redhat)
+	    install_file init.fedora.sh ${DESTDIR}${INITDIR}/${INITFILE} 0544
+	    ;;
+	archlinux)
+	    install_file init.archlinux.sh ${DESTDIR}${INITDIR}/${INITFILE} 0544
+	    ;;
+	*)
+	    install_file init.sh ${DESTDIR}${INITDIR}/${INITFILE} 0544
+	    ;;
+    esac
+
+    echo  "$Product init script installed in ${DESTDIR}${INITDIR}/${INITFILE}"
+fi
 #
 # Install the .service file
 #
 if [ -n "$SYSTEMD" ]; then
-    run_install $OWNERSHIP -m 600 shorewall-lite.service ${DESTDIR}/lib/systemd/system/shorewall-lite.service
-    echo "Service file installed as ${DESTDIR}/lib/systemd/system/shorewall-lite.service"
+    run_install $OWNERSHIP -m 600 $PRODUCT.service ${DESTDIR}/lib/systemd/system/$PRODUCT.service
+    echo "Service file installed as ${DESTDIR}/lib/systemd/system/$PRODUCT.service"
 fi

 #
 # Install the config file
 #
-if [ ! -f ${DESTDIR}/etc/shorewall-lite/shorewall-lite.conf ]; then
-   run_install $OWNERSHIP -m 0744 shorewall-lite.conf ${DESTDIR}/etc/shorewall-lite
-   echo "Config file installed as ${DESTDIR}/etc/shorewall-lite/shorewall-lite.conf"
+if [ ! -f ${DESTDIR}/etc/$PRODUCT/$PRODUCT.conf ]; then
+   install_file $PRODUCT.conf ${DESTDIR}/etc/$PRODUCT/$PRODUCT.conf 0744
+   echo "Config file installed as ${DESTDIR}/etc/$PRODUCT/$PRODUCT.conf"
 fi

-if [ -n "$ARCHLINUX" ] ; then
-   sed -e 's!LOGFILE=/var/log/messages!LOGFILE=/var/log/messages.log!' -i ${DESTDIR}/etc/shorewall-lite/shorewall.conf
+if [ $HOST = archlinux ] ; then
+   sed -e 's!LOGFILE=/var/log/messages!LOGFILE=/var/log/messages.log!' -i ${DESTDIR}/etc/$PRODUCT/$PRODUCT.conf
 fi

 #
 # Install the  Makefile
 #
-run_install $OWNERSHIP -m 0600 Makefile ${DESTDIR}/etc/shorewall-lite
-echo "Makefile installed as ${DESTDIR}/etc/shorewall-lite/Makefile"
+run_install $OWNERSHIP -m 0600 Makefile ${DESTDIR}/etc/$PRODUCT
+echo "Makefile installed as ${DESTDIR}/etc/$PRODUCT/Makefile"

 #
 # Install the default config path file
 #
-install_file configpath ${DESTDIR}/usr/share/shorewall-lite/configpath 0644
-echo "Default config path file installed as ${DESTDIR}/usr/share/shorewall-lite/configpath"
+install_file configpath ${DESTDIR}/usr/share/$PRODUCT/configpath 0644
+echo "Default config path file installed as ${DESTDIR}/usr/share/$PRODUCT/configpath"

 #
 # Install the libraries
 #
 for f in lib.* ; do
    if [ -f $f ]; then
-	install_file $f ${DESTDIR}/usr/share/shorewall-lite/$f 0644
-	echo "Library ${f#*.} file installed as ${DESTDIR}/usr/share/shorewall-lite/$f"
+	install_file $f ${DESTDIR}/usr/share/$PRODUCT/$f 0644
+	echo "Library ${f#*.} file installed as ${DESTDIR}/usr/share/$PRODUCT/$f"
    fi
 done

-ln -sf lib.base ${DESTDIR}/usr/share/shorewall-lite/functions
+ln -sf lib.base ${DESTDIR}/usr/share/$PRODUCT/functions

-echo "Common functions linked through ${DESTDIR}/usr/share/shorewall-lite/functions"
+echo "Common functions linked through ${DESTDIR}/usr/share/$PRODUCT/functions"

 #
 # Install Shorecap
 #

-install_file shorecap ${DESTDIR}${LIBEXEC}/shorewall-lite/shorecap 0755
+install_file shorecap ${DESTDIR}${LIBEXEC}/$PRODUCT/shorecap 0755

 echo
-echo "Capability file builder installed in ${DESTDIR}${LIBEXEC}/shorewall-lite/shorecap"
-
-#
-# Install wait4ifup
-#
-
-if [ -f wait4ifup ]; then
-    install_file wait4ifup ${DESTDIR}${LIBEXEC}/shorewall-lite/wait4ifup 0755
-
-    echo
-    echo "wait4ifup installed in ${DESTDIR}${LIBEXEC}/shorewall-lite/wait4ifup"
-fi
+echo "Capability file builder installed in ${DESTDIR}${LIBEXEC}/$PRODUCT/shorecap"

 #
 # Install the Modules files
 #

 if [ -f modules ]; then
-    run_install $OWNERSHIP -m 0600 modules ${DESTDIR}/usr/share/shorewall-lite
-    echo "Modules file installed as ${DESTDIR}/usr/share/shorewall-lite/modules"
+    run_install $OWNERSHIP -m 0600 modules ${DESTDIR}/usr/share/$PRODUCT
+    echo "Modules file installed as ${DESTDIR}/usr/share/$PRODUCT/modules"
 fi

 if [ -f helpers ]; then
-    run_install $OWNERSHIP -m 0600 helpers ${DESTDIR}/usr/share/shorewall-lite
-    echo "Helper modules file installed as ${DESTDIR}/usr/share/shorewall-lite/helpers"
+    run_install $OWNERSHIP -m 0600 helpers ${DESTDIR}/usr/share/$PRODUCT
+    echo "Helper modules file installed as ${DESTDIR}/usr/share/$PRODUCT/helpers"
 fi

 for f in modules.*; do
-    run_install $OWNERSHIP -m 0644 $f ${DESTDIR}/usr/share/shorewall-lite/$f
-    echo "Module file $f installed as ${DESTDIR}/usr/share/shorewall-lite/$f"
+    run_install $OWNERSHIP -m 0644 $f ${DESTDIR}/usr/share/$PRODUCT/$f
+    echo "Module file $f installed as ${DESTDIR}/usr/share/$PRODUCT/$f"
 done

 #
@@ -371,66 +426,69 @@ if [ -d manpages ]; then
 fi

 if [ -d ${DESTDIR}/etc/logrotate.d ]; then
-    run_install $OWNERSHIP -m 0644 logrotate ${DESTDIR}/etc/logrotate.d/shorewall-lite
-    echo "Logrotate file installed as ${DESTDIR}/etc/logrotate.d/shorewall-lite"
+    run_install $OWNERSHIP -m 0644 logrotate ${DESTDIR}/etc/logrotate.d/$PRODUCT
+    echo "Logrotate file installed as ${DESTDIR}/etc/logrotate.d/$PRODUCT"
 fi

-
 #
 # Create the version file
 #
-echo "$VERSION" > ${DESTDIR}/usr/share/shorewall-lite/version
-chmod 644 ${DESTDIR}/usr/share/shorewall-lite/version
+echo "$VERSION" > ${DESTDIR}/usr/share/$PRODUCT/version
+chmod 644 ${DESTDIR}/usr/share/$PRODUCT/version
 #
 # Remove and create the symbolic link to the init script
 #

 if [ -z "$DESTDIR" ]; then
-    rm -f /usr/share/shorewall-lite/init
-    ln -s ${DEST}/${INIT} /usr/share/shorewall-lite/init
+    rm -f /usr/share/$PRODUCT/init
+    ln -s ${INITDIR}/${INITFILE} /usr/share/$PRODUCT/init
 fi

+delete_file ${DESTDIR}/usr/share/$PRODUCT/lib.common
+delete_file ${DESTDIR}/usr/share/$PRODUCT/lib.cli
+delete_file ${DESTDIR}/usr/share/$PRODUCT/wait4ifup
+
 if [ -z "$DESTDIR" ]; then
-    touch /var/log/shorewall-lite-init.log
+    touch /var/log/$PRODUCT-init.log

    if [ -n "$first_install" ]; then
-	if [ -n "$DEBIAN" ]; then
-	    run_install $OWNERSHIP -m 0644 default.debian /etc/default/shorewall-lite
+	if [ $HOST = debian ]; then
+	    run_install $OWNERSHIP -m 0644 default.debian /etc/default/$PRODUCT

-	    update-rc.d shorewall-lite defaults
+	    update-rc.d $PRODUCT defaults

 	    if [ -x /sbin/insserv ]; then
-		insserv /etc/init.d/shorewall-lite
+		insserv /etc/init.d/$PRODUCT
 	    else
-		ln -s ../init.d/shorewall-lite /etc/rcS.d/S40shorewall-lite
+		ln -s ../init.d/$PRODUCT /etc/rcS.d/S40$PRODUCT
 	    fi

-	    echo "Shorewall Lite will start automatically at boot"
+	    echo "$Product will start automatically at boot"
 	else
 	    if [ -n "$SYSTEMD" ]; then
-		if systemctl enable shorewall-lite; then
-		    echo "Shorewall Lite will start automatically at boot"
+		if systemctl enable $PRODUCT; then
+		    echo "$Product will start automatically at boot"
 		fi
 	    elif [ -x /sbin/insserv -o -x /usr/sbin/insserv ]; then
-		if insserv /etc/init.d/shorewall-lite ; then
-		    echo "Shorewall Lite will start automatically at boot"
+		if insserv /etc/init.d/$PRODUCT ; then
+		    echo "$Product will start automatically at boot"
 		else
 		    cant_autostart
 		fi
 	    elif [ -x /sbin/chkconfig -o -x /usr/sbin/chkconfig ]; then
-		if chkconfig --add shorewall-lite ; then
-		    echo "Shorewall Lite will start automatically in run levels as follows:"
-		    chkconfig --list shorewall-lite
+		if chkconfig --add $PRODUCT ; then
+		    echo "$Product will start automatically in run levels as follows:"
+		    chkconfig --list $PRODUCT
 		else
 		    cant_autostart
 		fi
 	    elif [ -x /sbin/rc-update ]; then
-		if rc-update add shorewall-lite default; then
-		    echo "Shorewall Lite will start automatically at boot"
+		if rc-update add $PRODUCT default; then
+		    echo "$Product will start automatically at boot"
 		else
 		    cant_autostart
 		fi
-	    elif [ "$INIT" != rc.firewall ]; then #Slackware starts this automatically
+	    elif [ "$INITFILE" != rc.firewall ]; then #Slackware starts this automatically
 		cant_autostart
 	    fi
 	fi
@@ -440,4 +498,4 @@ fi
 #
 #  Report Success
 #
-echo "shorewall Lite Version $VERSION Installed"
+echo "$Product Version $VERSION Installed"
--- a/Shorewall-lite/lib.base
+++ b/Shorewall-lite/lib.base
@@ -0,0 +1,34 @@
+#
+# Shorewall 4.4 -- /usr/share/shorewall-lite/lib.base
+#
+#     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
+#
+#     (c) 2011 - Tom Eastep (teastep@shorewall.net)
+#
+#	Complete documentation is available at http://shorewall.net
+#
+#	This program is free software; you can redisribute it and/or modify
+#	it under the terms of Version 2 of the GNU General Public License
+#	as published by the Free Software Foundation.
+#
+#	This program is distributed in the hope that it will be useful,
+#	but WITHOUT ANY WARRANTY; without even the implied warranty of
+#	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+#	GNU General Public License for more details.
+#
+#	You should have received a copy of the GNU General Public License
+#	along with this program; if not, write to the Free Software
+#	Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# This library contains the code common to all Shorewall components.
+
+g_program=shorewall-lite
+g_family=4
+g_basedir=/usr/share/shorewall
+
+[ -n "${VARDIR:=/var/lib/$g_program}" ]
+[ -n "${SHAREDIR:=/usr/share/$g_program}" ]
+[ -n "${CONFDIR:=/etc/$g_program}" ]
+
+. /usr/share/shorewall/lib.base
+
--- a/Shorewall-lite/manpages/shorewall-lite-vardir.xml
+++ b/Shorewall-lite/manpages/shorewall-lite-vardir.xml
--- a/Shorewall-lite/manpages/shorewall-lite.conf.xml
+++ b/Shorewall-lite/manpages/shorewall-lite.conf.xml
--- a/Shorewall-lite/manpages/shorewall-lite.xml
+++ b/Shorewall-lite/manpages/shorewall-lite.xml
@@ -11,11 +11,27 @@
  <refnamediv>
    <refname>shorewall-lite</refname>

-    <refpurpose>Administration tool for Shoreline Firewall Lite
-    (Shorewall-lite)</refpurpose>
+    <refpurpose>Administration tool for Shoreline Firewall Lite (Shorewall
+    Lite)</refpurpose>
  </refnamediv>

  <refsynopsisdiv>
+    <cmdsynopsis>
+      <command>shorewall-lite</command>
+
+      <arg
+      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
+
+      <arg rep="norepeat">-<replaceable>options</replaceable></arg>
+
+      <arg choice="plain"><option>add</option></arg>
+
+      <arg choice="plain"
+      rep="repeat"><replaceable>interface</replaceable>[:<replaceable>host-list</replaceable>]</arg>
+
+      <arg choice="plain"><replaceable>zone</replaceable></arg>
+    </cmdsynopsis>
+
    <cmdsynopsis>
      <command>shorewall-lite</command>

@@ -37,11 +53,28 @@

      <arg>-<replaceable>options</replaceable></arg>

-      <arg choice="plain"><option>clear</option></arg>
+      <arg
+      choice="plain"><option>clear</option><arg><option>-f</option></arg></arg>
    </cmdsynopsis>

    <cmdsynopsis>
-      <command>shorewall</command>
+      <command>shorewall-lite</command>
+
+      <arg
+      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
+
+      <arg rep="norepeat">-<replaceable>options</replaceable></arg>
+
+      <arg choice="plain"><option>delete</option></arg>
+
+      <arg choice="plain"
+      rep="repeat"><replaceable>interface</replaceable>[:<replaceable>host-list</replaceable>]</arg>
+
+      <arg choice="plain"><replaceable>zone</replaceable></arg>
+    </cmdsynopsis>
+
+    <cmdsynopsis>
+      <command>shorewall-lite</command>

      <arg
      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
@@ -50,7 +83,8 @@

      <arg choice="plain"><option>disable</option></arg>

-      <arg choice="plain"><replaceable>interface</replaceable></arg>
+      <arg choice="plain">{ <replaceable>interface</replaceable> |
+      <replaceable>provider</replaceable> }</arg>
    </cmdsynopsis>

    <cmdsynopsis>
@@ -63,8 +97,7 @@

      <arg choice="plain"><option>drop</option></arg>

-      <arg choice="plain">{ <replaceable>interface</replaceable> |
-      <replaceable>provider</replaceable> }</arg>
+      <arg choice="plain"><replaceable>address</replaceable></arg>
    </cmdsynopsis>

    <cmdsynopsis>
@@ -78,11 +111,13 @@

      <arg><option>-x</option></arg>

+      <arg><option>-l</option></arg>
+
      <arg><option>-m</option></arg>
    </cmdsynopsis>

    <cmdsynopsis>
-      <command>shorewall</command>
+      <command>shorewall-lite</command>

      <arg
      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
@@ -98,7 +133,8 @@
    <cmdsynopsis>
      <command>shorewall-lite</command>

-      <arg choice="opt"><option>trace</option>|<option>debug</option></arg>
+      <arg
+      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>

      <arg>-<replaceable>options</replaceable></arg>

@@ -124,7 +160,8 @@

      <arg>-<replaceable>options</replaceable></arg>

-      <arg choice="plain"><option>hits</option></arg>
+      <arg
+      choice="plain"><option>hits</option><arg><option>-t</option></arg></arg>
    </cmdsynopsis>

    <cmdsynopsis>
@@ -158,6 +195,19 @@
      choice="plain"><replaceable>address1</replaceable><option>-</option><replaceable>address2</replaceable></arg>
    </cmdsynopsis>

+    <cmdsynopsis>
+      <command>shorewall-lite</command>
+
+      <arg choice="opt"><option>trace</option>|<option>debug</option></arg>
+
+      <arg>-<replaceable>options</replaceable></arg>
+
+      <arg choice="plain"><option>iptrace</option></arg>
+
+      <arg choice="plain"><replaceable>iptables match
+      expression</replaceable></arg>
+    </cmdsynopsis>
+
    <cmdsynopsis>
      <command>shorewall-lite</command>

@@ -198,6 +248,19 @@
      <arg choice="plain"><replaceable>address</replaceable></arg>
    </cmdsynopsis>

+    <cmdsynopsis>
+      <command>shorewall-lite</command>
+
+      <arg choice="opt"><option>trace</option>|<option>debug</option></arg>
+
+      <arg>-<replaceable>options</replaceable></arg>
+
+      <arg choice="plain"><option>noiptrace</option></arg>
+
+      <arg choice="plain"><replaceable>iptables match
+      expression</replaceable></arg>
+    </cmdsynopsis>
+
    <cmdsynopsis>
      <command>shorewall-lite</command>

@@ -219,8 +282,24 @@

      <arg>-<replaceable>options</replaceable></arg>

+      <arg choice="plain"><option>reset</option></arg>
+    </cmdsynopsis>
+
+    <cmdsynopsis>
+      <command>shorewall-lite</command>
+
      <arg
-      choice="plain"><option>restart</option><arg><option>-n</option></arg><arg><option>-p</option></arg></arg>
+      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
+
+      <arg>-<replaceable>options</replaceable></arg>
+
+      <arg choice="plain"><option>restart</option></arg>
+
+      <arg><option>-n</option></arg>
+
+      <arg><option>-p</option></arg>
+
+      <arg><replaceable>directory</replaceable></arg>
    </cmdsynopsis>

    <cmdsynopsis>
@@ -260,8 +339,10 @@

      <arg><option>-x</option></arg>

+      <arg><option>-l</option></arg>
+
      <arg><option>-t</option>
-      {<option>filter</option>|<option>mangle</option>|<option>nat</option>|<option>raw</option>}</arg>
+      {<option>filter</option>|<option>mangle</option>|<option>nat</option>|<option>raw|rawpost</option>}</arg>

      <arg><arg><option>chain</option></arg><arg choice="plain"
      rep="repeat"><replaceable>chain</replaceable></arg></arg>
@@ -291,7 +372,7 @@
      <arg choice="plain"><option>show</option></arg>

      <arg
-      choice="req"><option>actions|classifiers|connections|config|zones</option></arg>
+      choice="req"><option>classifiers|connections|config|filters|ip|ipa|zones|policies|marks</option></arg>
    </cmdsynopsis>

    <cmdsynopsis>
@@ -305,7 +386,7 @@

      <arg><option>-x</option></arg>

-      <arg choice="req"><option>mangle|nat</option></arg>
+      <arg choice="req"><option>mangle|nat|routing|raw|rawpost</option></arg>
    </cmdsynopsis>

    <cmdsynopsis>
@@ -346,7 +427,7 @@

      <arg><option>-n</option></arg>

-      <arg><option>-f</option><arg><option>-p</option></arg></arg>
+      <arg><option>-p</option></arg>
    </cmdsynopsis>

    <cmdsynopsis>
@@ -377,7 +458,8 @@

      <arg>-<replaceable>options</replaceable></arg>

-      <arg choice="plain"><option>version</option></arg>
+      <arg
+      choice="plain"><option>version</option><arg><option>-a</option></arg></arg>
    </cmdsynopsis>
  </refsynopsisdiv>

@@ -385,7 +467,7 @@
    <title>Description</title>

    <para>The shorewall-lite utility is used to control the Shoreline Firewall
-    (Shorewall) Lite.</para>
+    Lite (Shorewall Lite).</para>
  </refsect1>

  <refsect1>
@@ -393,12 +475,12 @@

    <para>The <option>trace</option> and <option>debug</option> options are
    used for debugging. See <ulink
-    url="http://www.shorewall.net/starting_and_stopping.htm#Trace">http://www.shorewall.net/starting_and_stopping.htm#Trace</ulink>.</para>
+    url="http://www.shorewall.net/starting_and_stopping_shorewall.htm#Trace">http://www.shorewall.net/starting_and_stopping_shorewall.htm#Trace</ulink>.</para>

    <para>The nolock <option>option</option> prevents the command from
-    attempting to acquire the Shorewall Lite lockfile. It is useful if you
-    need to include <command>shorewall-lite</command> commands in the
-    <filename>started</filename> extension script.</para>
+    attempting to acquire the Shorewall-lite lockfile. It is useful if you
+    need to include <command>shorewall</command> commands in
+    <filename>/etc/shorewall/started</filename>.</para>

    <para>The <emphasis>options</emphasis> control the amount of output that
    the command produces. They consist of a sequence of the letters <emphasis
@@ -435,15 +517,17 @@
          defined in the <ulink
          url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5)
          file. A <emphasis>host-list</emphasis> is comma-separated list whose
-          elements are a host or network address.<caution>
-              <para>The <command>add</command> command is not very robust. If
-              there are errors in the <replaceable>host-list</replaceable>,
-              you may see a large number of error messages yet a subsequent
-              <command>shorewall show zones</command> command will indicate
-              that all hosts were added. If this happens, replace
-              <command>add</command> by <command>delete</command> and run the
-              same command again. Then enter the correct command.</para>
-            </caution></para>
+          elements are host or network addresses.</para>
+
+          <caution>
+            <para>The <command>add</command> command is not very robust. If
+            there are errors in the <replaceable>host-list</replaceable>, you
+            may see a large number of error messages yet a subsequent
+            <command>shorewall-lite show zones</command> command will indicate
+            that all hosts were added. If this happens, replace
+            <command>add</command> by <command>delete</command> and run the
+            same command again. Then enter the correct command.</para>
+          </caution>
        </listitem>
      </varlistentry>

@@ -463,10 +547,16 @@
        <term><emphasis role="bold">clear</emphasis></term>

        <listitem>
-          <para>Clear will remove all rules and chains installed by Shorewall
-          Lite. The firewall is then wide open and unprotected. Existing
-          connections are untouched. Clear is often used to see if the
-          firewall is causing connection problems.</para>
+          <para>Clear will remove all rules and chains installed by
+          Shorewall-lite. The firewall is then wide open and unprotected.
+          Existing connections are untouched. Clear is often used to see if
+          the firewall is causing connection problems.</para>
+
+          <para>If <option>-f</option> is given, the command will be processed
+          by the compiled script that executed the last successful <emphasis
+          role="bold">start</emphasis>, <emphasis
+          role="bold">restart</emphasis> or <emphasis
+          role="bold">refresh</emphasis> command if that script exists.</para>
        </listitem>
      </varlistentry>

@@ -516,8 +606,11 @@
          <para>The <emphasis role="bold">-x</emphasis> option causes actual
          packet and byte counts to be displayed. Without that option, these
          counts are abbreviated. The <emphasis role="bold">-m</emphasis>
-          option causes any MAC addresses included in Shorewall Lite log
+          option causes any MAC addresses included in Shorewall-lite log
          messages to be displayed.</para>
+
+          <para>The <emphasis role="bold">-l</emphasis> option causes the rule
+          number for each Netfilter rule to be displayed.</para>
        </listitem>
      </varlistentry>

@@ -541,7 +634,7 @@
          and /var/lib/shorewall-lite/save. If no
          <emphasis>filename</emphasis> is given then the file specified by
          RESTOREFILE in <ulink
-          url="shorewall-lite.conf.html">shorewall-lite.conf</ulink>(5) is
+          url="shorewall.conf.html">shorewall.conf</ulink>(5) is
          assumed.</para>
        </listitem>
      </varlistentry>
@@ -558,8 +651,9 @@
        <term><emphasis role="bold">hits</emphasis></term>

        <listitem>
-          <para>Generates several reports from Shorewall Lite log messages in
-          the current log file.</para>
+          <para>Generates several reports from Shorewall-lite log messages in
+          the current log file. If the <option>-t</option> option is included,
+          the reports are restricted to log messages generated today.</para>
        </listitem>
      </varlistentry>

@@ -582,12 +676,33 @@
        </listitem>
      </varlistentry>

+      <varlistentry>
+        <term><emphasis role="bold">iptrace</emphasis></term>
+
+        <listitem>
+          <para>This is a low-level debugging command that causes iptables
+          TRACE log records to be created. See iptables(8) for details.</para>
+
+          <para>The <replaceable>iptables match expression</replaceable> must
+          be one or more matches that may appear in both the raw table OUTPUT
+          and raw table PREROUTING chains.</para>
+
+          <para>The trace records are written to the kernel's log buffer with
+          faciility = kernel and priority = warning, and they are routed from
+          there by your logging daemon (syslogd, rsyslog, syslog-ng, ...) --
+          Shorewall-lite has no control over where the messages go; consult
+          your logging daemon's documentation.</para>
+        </listitem>
+      </varlistentry>
+
      <varlistentry>
        <term><emphasis role="bold">logdrop</emphasis></term>

        <listitem>
          <para>Causes traffic from the listed <emphasis>address</emphasis>es
-          to be logged then discarded.</para>
+          to be logged then discarded. Logging occurs at the log level
+          specified by the BLACKLIST_LOGLEVEL setting in <ulink
+          url="shorewall.conf.html">shorewall.conf</ulink> (5).</para>
        </listitem>
      </varlistentry>

@@ -595,9 +710,9 @@
        <term><emphasis role="bold">logwatch</emphasis></term>

        <listitem>
-          <para>Monitors the log file specified by theLOGFILE option in <ulink
-          url="shorewall-lite.conf.html">shorewall-lite.conf</ulink>(5) and
-          produces an audible alarm when new Shorewall Lite messages are
+          <para>Monitors the log file specified by the LOGFILE option in
+          <ulink url="shorewall.conf.html">shorewall.conf</ulink>(5) and
+          produces an audible alarm when new Shorewall-lite messages are
          logged. The <emphasis role="bold">-m</emphasis> option causes the
          MAC address of each packet source to be displayed if that
          information is available. The
@@ -615,7 +730,22 @@

        <listitem>
          <para>Causes traffic from the listed <emphasis>address</emphasis>es
-          to be logged then rejected.</para>
+          to be logged then rejected. Logging occurs at the log level
+          specified by the BLACKLIST_LOGLEVEL setting in <ulink
+          url="shorewall.conf.html">shorewall.conf</ulink> (5).</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><emphasis role="bold">noiptrace</emphasis></term>
+
+        <listitem>
+          <para>This is a low-level debugging command that cancels a trace
+          started by a preceding <command>iptrace</command> command.</para>
+
+          <para>The <replaceable>iptables match expression</replaceable> must
+          be one given in the <command>iptrace</command> command being
+          cancelled.</para>
        </listitem>
      </varlistentry>

@@ -633,10 +763,10 @@

        <listitem>
          <para>Restart is similar to <emphasis role="bold">shorewall-lite
-          start</emphasis> but assumes that the firewall is already started.
-          Existing connections are maintained.</para>
+          start</emphasis> except that it assumes that the firewall is already
+          started. Existing connections are maintained.</para>

-          <para>The <option>-n</option> option causes Shorewall to avoid
+          <para>The <option>-n</option> option causes Shorewall-lite to avoid
          updating the routing table(s).</para>

          <para>The <option>-p</option> option causes the connection tracking
@@ -649,14 +779,14 @@
        <term><emphasis role="bold">restore</emphasis></term>

        <listitem>
-          <para>Restore Shorewall Lite to a state saved using the <emphasis
+          <para>Restore Shorewall-lite to a state saved using the <emphasis
          role="bold">shorewall-lite save</emphasis> command. Existing
          connections are maintained. The <emphasis>filename</emphasis> names
          a restore file in /var/lib/shorewall-lite created using <emphasis
          role="bold">shorewall-lite save</emphasis>; if no
-          <emphasis>filename</emphasis> is given then Shorewall Lite will be
+          <emphasis>filename</emphasis> is given then Shorewall-lite will be
          restored from the file specified by the RESTOREFILE option in <ulink
-          url="shorewall-lite.conf.html">shorewall-lite.conf</ulink>(5).</para>
+          url="shorewall.conf.html">shorewall.conf</ulink>(5).</para>
        </listitem>
      </varlistentry>

@@ -667,11 +797,10 @@
          <para>The dynamic blacklist is stored in
          /var/lib/shorewall-lite/save. The state of the firewall is stored in
          /var/lib/shorewall-lite/<emphasis>filename</emphasis> for use by the
-          <emphasis role="bold">shorewall-lite restore</emphasis> and
-          <emphasis role="bold">shorewall-lite -f start</emphasis> commands.
-          If <emphasis>filename</emphasis> is not given then the state is
-          saved in the file specified by the RESTOREFILE option in <ulink
-          url="shorewall-lite.conf.html">shorewall-lite.conf</ulink>(5).</para>
+          <emphasis role="bold">shorewall-lite restore</emphasis>. If
+          <emphasis>filename</emphasis> is not given then the state is saved
+          in the file specified by the RESTOREFILE option in <ulink
+          url="shorewall.conf.html">shorewall.conf</ulink>(5).</para>
        </listitem>
      </varlistentry>

@@ -683,15 +812,6 @@
          arguments:</para>

          <variablelist>
-            <varlistentry>
-              <term><emphasis role="bold">actions</emphasis></term>
-
-              <listitem>
-                <para>Produces a report about the available actions (built-in,
-                standard and user-defined).</para>
-              </listitem>
-            </varlistentry>
-
            <varlistentry>
              <term><emphasis role="bold">capabilities</emphasis></term>

@@ -704,8 +824,8 @@
            </varlistentry>

            <varlistentry>
-              <term>[ [ <option>chain</option> ] <emphasis>chain</emphasis>
-              ... ]</term>
+              <term>[ [ <option>chain</option> ] <emphasis>chain</emphasis>...
+              ]</term>

              <listitem>
                <para>The rules in each <emphasis>chain</emphasis> are
@@ -721,20 +841,25 @@
                Netfilter table to display. The default is <emphasis
                role="bold">filter</emphasis>.</para>

+                <para>The <emphasis role="bold">-l</emphasis> option causes
+                the rule number for each Netfilter rule to be
+                displayed.</para>
+
                <para>If the <emphasis role="bold">t</emphasis> option and the
                <option>chain</option> keyword are both omitted and any of the
                listed <replaceable>chain</replaceable>s do not exist, a usage
-                message will be displayed.</para>
+                message is displayed.</para>
              </listitem>
            </varlistentry>

            <varlistentry>
-              <term><emphasis role="bold">classifiers</emphasis></term>
+              <term><emphasis
+              role="bold">classifiers|filters</emphasis></term>

              <listitem>
                <para>Displays information about the packet classifiers
-                defined on the system 10-080213-8397as a result of traffic
-                shaping configuration.</para>
+                defined on the system as a result of traffic shaping
+                configuration.</para>
              </listitem>
            </varlistentry>

@@ -756,15 +881,44 @@
            </varlistentry>

            <varlistentry>
-              <term><emphasis role="bold">mangle</emphasis></term>
+              <term><emphasis role="bold">ip</emphasis></term>

              <listitem>
-                <para>Displays the Netfilter mangle table using the command
-                <emphasis role="bold">iptables -t mangle -L -n
-                -v</emphasis>.The <emphasis role="bold">-x</emphasis> option
-                is passed directly through to iptables and causes actual
-                packet and byte counts to be displayed. Without this option,
-                those counts are abbreviated.</para>
+                <para>Displays the system's IPv4 configuration.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis role="bold">ipa</emphasis></term>
+
+              <listitem>
+                <para>Added in Shorewall 4.4.17. Displays the per-IP
+                accounting counters (<ulink
+                url="manpages/shorewall-accounting.html">shorewall-accounting</ulink>
+                (5)).</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis role="bold">log</emphasis></term>
+
+              <listitem>
+                <para>Displays the last 20 Shorewall-lite messages from the
+                log file specified by the LOGFILE option in <ulink
+                url="shorewall.conf.html">shorewall.conf</ulink>(5). The
+                <emphasis role="bold">-m</emphasis> option causes the MAC
+                address of each packet source to be displayed if that
+                information is available.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis role="bold">marks</emphasis></term>
+
+              <listitem>
+                <para>Added in Shorewall 4.4.26. Displays the various fields
+                in packet marks giving the min and max value (in both decimal
+                and hex) and the applicable mask (in hex).</para>
              </listitem>
            </varlistentry>

@@ -781,6 +935,39 @@
              </listitem>
            </varlistentry>

+            <varlistentry>
+              <term><emphasis role="bold">policies</emphasis></term>
+
+              <listitem>
+                <para>Added in Shorewall 4.4.4. Displays the applicable policy
+                between each pair of zones. Note that implicit intrazone
+                ACCEPT policies are not displayed for zones associated with a
+                single network where that network doesn't specify
+                <option>routeback</option>.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis role="bold">routing</emphasis></term>
+
+              <listitem>
+                <para>Displays the system's IPv4 routing configuration.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis role="bold">raw</emphasis></term>
+
+              <listitem>
+                <para>Displays the Netfilter raw table using the command
+                <emphasis role="bold">iptables -t raw -L -n -v</emphasis>.The
+                <emphasis role="bold">-x</emphasis> option is passed directly
+                through to iptables and causes actual packet and byte counts
+                to be displayed. Without this option, those counts are
+                abbreviated.</para>
+              </listitem>
+            </varlistentry>
+
            <varlistentry>
              <term><emphasis role="bold">tc</emphasis></term>

@@ -794,8 +981,8 @@
              <term><emphasis role="bold">zones</emphasis></term>

              <listitem>
-                <para>Displays the current composition of the Shorewall Lite
-                zones on the system.</para>
+                <para>Displays the current composition of the Shorewall zones
+                on the system.</para>
              </listitem>
            </varlistentry>
          </variablelist>
@@ -806,17 +993,10 @@
        <term><emphasis role="bold">start</emphasis></term>

        <listitem>
-          <para>Start shorewall Lite. Existing connections through
+          <para>Start Shorewall Lite. Existing connections through
          shorewall-lite managed interfaces are untouched. New connections
          will be allowed only if they are allowed by the firewall rules or
-          policies. If <emphasis role="bold">-f</emphasis> is specified, the
-          saved configuration specified by the RESTOREFILE option in <ulink
-          url="shorewall-lite.conf.html">shorewall-lite.conf</ulink>(5) will
-          be restored if that saved configuration exists and has been modified
-          more recently than the files in /etc/shorewall.</para>
-
-          <para>The <option>-n</option> option causes Shorewall to avoid
-          updating the routing table(s).</para>
+          policies.</para>

          <para>The <option>-p</option> option causes the connection tracking
          table to be flushed; the <command>conntrack</command> utility must
@@ -831,11 +1011,18 @@
          <para>Stops the firewall. All existing connections, except those
          listed in <ulink
          url="shorewall-routestopped.html">shorewall-routestopped</ulink>(5)
-          or permitted by the ADMINISABSENTMINDED option in shorewall.conf(5),
-          are taken down. The only new traffic permitted through the firewall
-          is from systems listed in <ulink
+          or permitted by the ADMINISABSENTMINDED option in <ulink
+          url="shorewall.conf.html">shorewall.conf</ulink>(5), are taken down.
+          The only new traffic permitted through the firewall is from systems
+          listed in <ulink
          url="shorewall-routestopped.html">shorewall-routestopped</ulink>(5)
          or by ADMINISABSENTMINDED.</para>
+
+          <para>If <option>-f</option> is given, the command will be processed
+          by the compiled script that executed the last successful <emphasis
+          role="bold">start</emphasis>, <emphasis
+          role="bold">restart</emphasis> or <emphasis
+          role="bold">refresh</emphasis> command if that script exists.</para>
        </listitem>
      </varlistentry>

@@ -852,7 +1039,9 @@
        <term><emphasis role="bold">version</emphasis></term>

        <listitem>
-          <para>Displays Shorewall-lite's version.</para>
+          <para>Displays Shorewall's version. The <option>-a</option> option
+          is included for compatibility with earlier Shorewall releases and is
+          ignored.</para>
        </listitem>
      </varlistentry>
    </variablelist>
@@ -871,13 +1060,13 @@
    url="http://www.shorewall.net/starting_and_stopping_shorewall.htm">http://www.shorewall.net/starting_and_stopping_shorewall.htm</ulink></para>

    <para>shorewall-accounting(5), shorewall-actions(5),
-    shorewall-blacklist(5), shorewall-hosts(5), shorewall-interfaces(5),
-    shorewall-ipsec(5), shorewall-maclist(5), shorewall-masq(5),
+    shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5),
+    shorewall-ipsets(5), shorewall-maclist(5), shorewall-masq(5),
    shorewall-nat(5), shorewall-netmap(5), shorewall-params(5),
    shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5),
-    shorewall-route_rules(5), shorewall-routestopped(5), shorewall-rules(5),
-    shorewall.conf(5), shorewall-tcclasses(5), shorewall-tcdevices(5),
-    shorewall-tcrules(5), shorewall-tos(5), shorewall-tunnels(5),
-    shorewall-zones(5)</para>
+    shorewall-rtrules(5), shorewall-routestopped(5), shorewall-rules(5),
+    shorewall.conf(5), shorewall-secmarks(5), shorewall-tcclasses(5),
+    shorewall-tcdevices(5), shorewall-tcrules(5), shorewall-tos(5),
+    shorewall-tunnels(5), shorewall-zones(5)</para>
  </refsect1>
 </refentry>
--- a/Shorewall-lite/shorecap
+++ b/Shorewall-lite/shorecap
@@ -48,10 +48,14 @@
 SHAREDIR=/usr/share/shorewall-lite
 VARDIR=/var/lib/shorewall-lite
 CONFDIR=/etc/shorewall-lite
+g_program=shorewall-lite
 g_product="Shorewall Lite"
+g_family=4
+g_base=shorewall
+g_basedir=/usr/share/shorewall-lite

 . /usr/share/shorewall-lite/lib.base
-. /usr/share/shorewall-lite/lib.cli
+. /usr/share/shorewall/lib.cli
 . /usr/share/shorewall-lite/configpath

 [ -n "$PATH" ] || PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
@@ -60,6 +64,8 @@ SHOREWALL_VERSION=$(cat /usr/share/shorewall-lite/version)

 [ -n "$IPTABLES" ] || IPTABLES=$(mywhich iptables)

+g_tool=$IPTABLES
+
 VERBOSITY=0
 load_kernel_modules No
 determine_capabilities
--- a/Shorewall-lite/shorewall-lite
+++ b/Shorewall-lite/shorewall-lite
@@ -1,14 +1,13 @@
 #!/bin/sh
 #
-#     Shorewall Lite Packet Filtering Firewall Control Program - V4.4
+#     Shorewall Lite Packet Filtering Firewall Control Program - V4.5
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2006,2007,2008,2009,2010,2011 - Tom Eastep (teastep@shorewall.net)
+#     (c) 1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010,2011 - 
+#         Tom Eastep (teastep@shorewall.net)
 #
-#	This file should be placed in /sbin/shorewall-lite.
-#
-#	Shorewall documentation is available at http://shorewall.net
+#	Shorewall documentation is available at http://www.shorewall.net
 #
 #	This program is free software; you can redistribute it and/or modify
 #	it under the terms of Version 2 of the GNU General Public License
@@ -23,868 +22,11 @@
 #	along with this program; if not, write to the Free Software
 #	Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
-#     If an error occurs while starting or restarting the firewall, the
-#     firewall is automatically stopped.
+#       For a list of supported commands, type 'shorewall help' or 'shorewall6 help'
 #
-#     Commands are:
-#
-#     shorewall-lite dump                          Dumps all Shorewall-related information
-#                                                  for problem analysis
-#     shorewall-lite start 			   Starts the firewall
-#     shorewall-lite restart			   Restarts the firewall
-#     shorewall-lite stop			   Stops the firewall
-#     shorewall-lite status			   Displays firewall status
-#     shorewall-lite reset			   Resets iptables packet and
-#						   byte counts
-#     shorewall-lite clear			   Open the floodgates by
-#						   removing all iptables rules
-#						   and setting the three permanent
-#						   chain policies to ACCEPT
-#     shorewall-lite show <chain> [ <chain> ... ]  Display the rules in each <chain> listed
-#     shorewall-lite show log			   Print the last 20 log messages
-#     shorewall-lite show connections		   Show the kernel's connection
-#						   tracking table
-#     shorewall-lite show nat			   Display the rules in the nat table
-#     shorewall-lite show {mangle|tos}		   Display the rules in the mangle table
-#     shorewall-lite show tc			   Display traffic control info
-#     shorewall-lite show classifiers		   Display classifiers
-#     shorewall-lite show capabilities             Display iptables/kernel capabilities
-#     shorewall-lite show vardir                   Display VARDIR setting
-#     shorewall-lite version			   Display the installed version id
-#     shorewall-lite logwatch [ refresh-interval ] Monitor the local log for Shorewall
-#						   messages.
-#     shorewall-lite drop <address> ...		   Temporarily drop all packets from the
-#						   listed address(es)
-#     shorewall-lite reject <address> ...	   Temporarily reject all packets from the
-#						   listed address(es)
-#     shorewall-lite allow <address> ...	   Reenable address(es) previously
-#						   disabled with "drop" or "reject"
-#     shorewall-lite save [ <file> ]		   Save the list of "rejected" and
-#						   "dropped" addresses so that it will
-#						   be automatically reinstated the
-#						   next time that Shorewall starts.
-#                                                  Save the current state so that 'shorewall
-#                                                  restore' can be used.
-#
-#     shorewall-lite forget [ <file> ]             Discard the data saved by 'shorewall save'
-#
-#     shorewall-lite restore [ <file> ]            Restore the state of the firewall from
-#                                                  previously saved information.
-#
-#     shorewall-lite ipaddr { <address>/<cidr> | <address> <netmask> }
-#
-#                                                  Displays information about the network
-#                                                  defined by the argument[s]
-#
-#     shorewall-lite iprange <address>-<address>   Decomposes a range of IP addresses into
-#                                                  a list of network/host addresses.
-#
-#     shorewall-lite ipdecimal { <address> | <integer> }
-#
-#                                                  Displays the decimal equivalent of an IP
-#                                                  address and vice versa.
+################################################################################################
+g_program=shorewall-lite

-#
-# Set the configuration variables from shorewall-lite.conf
-#
-get_config() {
+. /usr/share/shorewall/lib.cli

-    [ -n "$PATH" ] || PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
-
-    [ -z "$LOGFILE" ] && LOGFILE=/var/log/messages
-
-    if ( ps ax 2> /dev/null | grep -v grep |  qt grep 'syslogd.*-C' ) ; then
-	g_logread="logread | tac"
-    elif [ -r $LOGFILE ]; then
-	g_logread="tac $LOGFILE"
-    else
-	echo "LOGFILE ($LOGFILE) does not exist!" >&2
-	exit 2
-    fi
-    #
-    # See if we have a real version of "tail" -- use separate redirection so
-    # that ash (aka /bin/sh on LRP) doesn't crap
-    #
-    if ( tail -n5 /dev/null > /dev/null 2> /dev/null ) ; then
-	realtail="Yes"
-    else
-	realtail=""
-    fi
-
-    [ -n "$FW" ] || FW=fw
-
-    if [ -n "$IPTABLES" ]; then
-	if [ ! -x "$IPTABLES" ]; then
-	    echo "   ERROR: The program specified in IPTABLES does not exist or is not executable" >&2
-	    exit 2
-	fi
-    else
-	IPTABLES=$(mywhich iptables 2> /dev/null)
-	if [ -z "$IPTABLES" ] ; then
-	    echo "   ERROR: Can't find iptables executable" >&2
-	    exit 2
-	fi
-    fi
-
-    if [ -n "$SHOREWALL_SHELL" ]; then
-	if [ ! -x "$SHOREWALL_SHELL" ]; then
-	    echo "   WARNING: The program specified in SHOREWALL_SHELL does not exist or is not executable; falling back to /bin/sh" >&2
-	    SHOREWALL_SHELL=/bin/sh
-	fi
-    fi
-
-    [ -n "$RESTOREFILE" ] || RESTOREFILE=restore
-
-    validate_restorefile RESTOREFILE
-
-    [ -n "${VERBOSITY:=2}" ]
-
-    [ -n "$g_use_verbosity" ] && VERBOSITY=$g_use_verbosity || VERBOSITY=$(($g_verbose_offset + $VERBOSITY))
-
-    if [ $VERBOSITY -lt -1 ]; then
-	VERBOSITY=-1
-    elif [ $VERBOSITY -gt 2 ]; then
-	VERBOSITY=2
-    fi
-
-    g_hostname=$(hostname 2> /dev/null)
-
-    IP=$(mywhich ip 2> /dev/null)
-    if [ -z "$IP" ] ; then
-	echo "   ERROR: Can't find ip executable" >&2
-	exit 2
-    fi
-
-    IPSET=ipset
-    TC=tc
-
-}
-
-#
-# Verify that we have a compiled firewall script
-#
-verify_firewall_script() {
-    if [ ! -f $g_firewall ]; then
-	echo "   ERROR: Shorewall Lite is not properly installed" >&2
-	if [ -L $g_firewall ]; then
-	    echo "          $g_firewall is a symbolic link to a" >&2
-	    echo "          non-existant file" >&2
-	else
-	    echo "          The file $g_firewall does not exist" >&2
-	fi
-	
-	exit 2
-    fi
-}
-
-#
-# Fatal error
-#
-startup_error() {
-    echo "   ERROR: $@" >&2
-    kill $$
-    exit 1
-}
-
-#
-# Start Command Executor
-#
-start_command() {
-    local finished
-    finished=0
-
-    do_it() {
-	local rc
-	rc=0
-	[ -n "$nolock" ] || mutex_on
-
-	if [ -x ${LITEDIR}/firewall ]; then
-	    run_it ${LITEDIR}/firewall $debugging start
-	    rc=$?
-	else
-	    error_message "${LITEDIR}/firewall is missing or is not executable"
-	    logger -p kern.err "ERROR:Shorewall Lite start failed"
-	    rc=2
-	fi
-
-	[ -n "$nolock" ] || mutex_off
-	exit $rc
-    }
-
-    verify_firewall_script
-
-    if shorewall_is_started; then
-	error_message "Shorewall is already running"
-	exit 0
-    fi
-
-    while [ $finished -eq 0 -a $# -gt 0 ]; do
-	option=$1
-	case $option in
-	    -*)
-		option=${option#-}
-
-		while [ -n "$option" ]; do
-		    case $option in
-			-)
-			    finished=1
-			    option=
-			    ;;
-			f*)
-			    g_fast=Yes
-			    option=${option#f}
-			    ;;
-			p*)
-			    [ -n "$(which conntrack)" ] || fatal_error "The '-p' option requires the conntrack utility which does not appear to be installed on this system"
-			    g_purge=Yes
-			    option=${option%p}
-			    ;;
-			*)
-			    usage 1
-			    ;;
-		    esac
-		done
-		shift
-		;;
-	    *)
-		finished=1
-		;;
-	esac
-    done
-
-    case $# in
-	0)
-	    ;;
-	*)
-	    usage 1
-	    ;;
-    esac
-
-    if [ -n "$g_fast" ]; then
-	if qt mywhich make; then
-	    export RESTOREFILE
-	    make -qf ${CONFDIR}/Makefile || g_fast=
-	fi
-
-	if [ -n "$g_fast" ]; then
-
-	    g_restorepath=${VARDIR}/$RESTOREFILE
-
-	    if [ -x $g_restorepath ]; then
-		echo Restoring Shorewall Lite...
-		run_it $g_restorepath restore
-		date > ${VARDIR}/restarted
-		progress_message3 Shorewall Lite restored from $g_restorepath
-	    else
-		do_it
-	    fi
-	else
-	    do_it
-	fi
-    else
-	do_it
-    fi
-}
-
-#
-# Restart Command Executor
-#
-restart_command() {
-    local finished
-    finished=0
-    local rc
-    rc=0
-
-    verify_firewall_script
-
-    while [ $finished -eq 0 -a $# -gt 0 ]; do
-	option=$1
-	case $option in
-	    -*)
-		option=${option#-}
-
-		while [ -n "$option" ]; do
-		    case $option in
-			-)
-			    finished=1
-			    option=
-			    ;;
-			n*)
-			    g_noroutes=Yes
-			    option=${option#n}
-			    ;;
-			p*)
-			    [ -n "$(which conntrack)" ] || fatal_error "The '-p' option requires the conntrack utility which does not appear to be installed on this system"
-			    g_purge=Yes
-			    option=${option%p}
-			    ;;
-			*)
-			    usage 1
-			    ;;
-		    esac
-		done
-		shift
-		;;
-	    *)
-		finished=1
-		;;
-	esac
-    done
-
-    case $# in
-	0)
-	    ;;
-	*)
-	    usage 1
-	    ;;
-    esac
-
-    [ -n "$nolock" ] || mutex_on
-
-    if [ -x ${LITEDIR}/firewall ]; then
-	run_it ${LITEDIR}/firewall $debugging restart
-	rc=$?
-    else
-	error_message "${LITEDIR}/firewall is missing or is not executable"
-	logger -p kern.err "ERROR:Shorewall Lite restart failed"
-	rc=2
-    fi
-
-    [ -n "$nolock" ] || mutex_off
-    return $rc
-}
-
-#
-# Give Usage Information
-#
-usage() # $1 = exit status
-{
-    echo "Usage: $(basename $0) [debug|trace] [nolock] [ -q ] [ -v[-1|{0-2}] ] [ -t ] <command>"
-    echo "where <command> is one of:"
-    echo "   add <interface>[:<host-list>] ... <zone>"
-    echo "   allow <address> ..."
-    echo "   clear"
-    echo "   delete <interface>[:<host-list>] ... <zone>"
-    echo "   disable <interface>"
-    echo "   drop <address> ..."
-    echo "   dump [ -x ]"
-    echo "   enable <interface>"
-    echo "   forget [ <file name> ]"
-    echo "   help"
-    echo "   ipcalc { <address>/<vlsm> | <address> <netmask> }"
-    echo "   ipdecimal { <address> | <integer> }"
-    echo "   iprange <address>-<address>"
-    echo "   logdrop <address> ..."
-    echo "   logreject <address> ..."
-    echo "   logwatch [<refresh interval>]"
-    echo "   reject <address> ..."
-    echo "   reset [ <chain> ... ]"
-    echo "   restart [ -n ] [ -p ] [ -f ] [ <directory> ]"
-    echo "   restore [ -n ] [ <file name> ]"
-    echo "   save [ <file name> ]"
-    echo "   show [ -x ] [ -t {filter|mangle|nat} ] [ {chain [<chain> [ <chain> ... ]"
-    echo "   show [ -f ] capabilities"
-    echo "   show classifiers"
-    echo "   show config"
-    echo "   show connections"
-    echo "   show filters"
-    echo "   show ip"
-    echo "   show [ -m ] log [<regex>]"
-    echo "   show [ -x ] mangle|nat|raw|routing"
-    echo "   show policies"
-    echo "   show tc [ device ]"
-    echo "   show vardir"
-    echo "   show zones"
-    echo "   start [ -f ] [ -p ] [ <directory> ]"
-    echo "   stop"
-    echo "   status"
-    echo "   version [ -a ]"
-    echo
-    exit $1
-}
-
-version_command() {
-    local finished
-    finished=0
-    local all
-    all=
-    local product
-
-    while [ $finished -eq 0 -a $# -gt 0 ]; do
-	option=$1
-	case $option in
-	    -*)
-		option=${option#-}
-
-		while [ -n "$option" ]; do
-		    case $option in
-			-)
-			    finished=1
-			    option=
-			    ;;
-			a*)
-			    all=Yes
-			    option=${option#a}
-			    ;;
-			*)
-			    usage 1
-			    ;;
-		    esac
-		done
-		shift
-		;;
-	    *)
-		finished=1
-		;;
-	esac
-    done
-
-    [ $# -gt 0 ] && usage 1
-
-    echo $SHOREWALL_VERSION
-    
-    if [ -n "$all" ]; then
-	for product in shorewall shorewall6 shorewall6-lite shorewall-init; do
-	    if [ -f /usr/share/$product/version ]; then
-		echo "$product: $(cat /usr/share/$product/version)"
-	    fi
-	done
-    fi
-}
-
-#
-# Execution begins here
-#
-debugging=
-
-if [ $# -gt 0 ] && [ "$1" = "debug" -o "$1" = "trace" ]; then
-    debugging=$1
-    shift
-fi
-
-nolock=
-
-if [ $# -gt 0 ] && [ "$1" = "nolock" ]; then
-    nolock=nolock
-    shift
-fi
-
-g_ipt_options="-nv"
-g_fast=
-g_verbose_offset=0
-g_use_verbosity=
-g_noroutes=
-g_timestamp=
-g_recovering=
-g_logread=
-
-#
-# Make sure that these variables are cleared
-#
-VERBOSE=
-VERBOSITY=
-
-finished=0
-
-while [ $finished -eq 0 ]; do
-    [ $# -eq 0 ] && usage 1
-    option=$1
-    case $option in
-	-)
-	    finished=1
-	    ;;
-	-*)
-	    option=${option#-}
-
-	    [ -z "$option" ] && usage 1
-
-	    while [ -n "$option" ]; do
-		case $option in
-		    x*)
-			g_ipt_options="-xnv"
-			option=${option#x}
-			;;
-		    q*)
-			g_verbose_offset=$(($g_verbose_offset - 1 ))
-			option=${option#q}
-			;;
-		    f*)
-			g_fast=Yes
-			option=${option#f}
-			;;
-		    v*)
-			option=${option#v}
-			case $option in 
-			    -1*)
-				g_use_verbosity=-1
-				option=${option#-1}
-				;;
-			    0*)
-				g_use_verbosity=0
-				option=${option#0}
-				;;
-			    1*)
-				g_use_verbosity=1
-				option=${option#1}
-				;;
-			    2*)
-				g_use_verbosity=2
-				option=${option#2}
-				;;
-			    *)
-				g_verbose_offset=$(($g_verbose_offset + 1 ))
-				g_use_verbosity=
-				;;
-			esac
-			;;
-		    n*)
-			g_noroutes=Yes
-			option=${option#n}
-			;;
-		    t*)
-			g_timestamp=Yes
-			option=${option#t}
-			;;
-		    -)
-			finished=1
-			option=
-			;;
-		    *)
-			usage 1
-			;;
-		esac
-	    done
-	    shift
-	    ;;
-	*)
-	    finished=1
-            ;;
-    esac
-done
-
-if [ $# -eq 0 ]; then
-    usage 1
-fi
-
-PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
-MUTEX_TIMEOUT=
-
-SHAREDIR=/usr/share/shorewall-lite
-CONFDIR=/etc/shorewall-lite
-g_product="Shorewall Lite"
-g_libexec=share
-
-[ -f ${CONFDIR}/vardir ] && . ${CONFDIR}/vardir ]
-
-[ -n "${VARDIR:=/var/lib/shorewall-lite}" ]
-
-[ -d $VARDIR ] || mkdir -p $VARDIR || fatal_error "Unable to create $VARDIR"
-
-version_file=$SHAREDIR/version
-
-for library in base cli; do
-    . ${SHAREDIR}/lib.$library
-done
-
-ensure_config_path
-
-config=$(find_file shorewall-lite.conf)
-
-if [ -f $config ]; then
-    if [ -r $config ]; then
-	. $config
-    else
-	echo "Cannot read $config! (Hint: Are you root?)" >&2
-	exit 1
-    fi
-else
-    echo "$config does not exist!" >&2
-    exit 2
-fi
-
-ensure_config_path
-
-LITEDIR=${VARDIR}
-
-[ -f ${LITEDIR}/firewall.conf ] && . ${LITEDIR}/firewall.conf
-
-get_config
-
-g_firewall=$LITEDIR/firewall
-
-if [ -f $version_file ]; then
-    SHOREWALL_VERSION=$(cat $version_file)
-else
-    echo "   ERROR: Shorewall Lite is not properly installed" >&2
-    echo "          The file $version_file does not exist" >&2
-    exit 1
-fi
-
-banner="Shorewall Lite $SHOREWALL_VERSION Status at $g_hostname -"
-
-case $(echo -e) in
-    -e*)
-	RING_BELL="echo \a"
-	ECHO_E="echo"
-	;;
-    *)
-	RING_BELL="echo -e \a"
-	ECHO_E="echo -e"
-	;;
-esac
-
-case $(echo -n "Testing") in
-    -n*)
-	ECHO_N=
-	;;
-    *)
-	ECHO_N=-n
-	;;
-esac
-
-COMMAND=$1
-
-case "$COMMAND" in
-    start)
-	shift
-	start_command $@
-	;;
-    stop|reset|clear)
-	[ $# -ne 1 ] && usage 1
-	verify_firewall_script
-	[ -n "$nolock" ] || mutex_on
-	run_it $g_firewall $debugging $COMMAND
-	[ -n "$nolock" ] || mutex_off
-	;;
-    restart)
-	shift
-	restart_command
-	;;
-    show|list)
-    	shift
-    	show_command $@
-	;;
-    status)
-	[ $# -eq 1 ] || usage 1
-	[ "$(id -u)" != 0 ] && fatal_error "The status command may only be run by root"
-	echo "Shorewall Lite $SHOREWALL_VERSION Status at $g_hostname - $(date)"
-	echo
-	if shorewall_is_started ; then
-	    echo "Shorewall Lite is running"
-	    status=0
-	else
-	    echo "Shorewall Lite is stopped"
-	    status=4
-	fi
-
-	if [ -f ${VARDIR}/state ]; then
-	    state="$(cat ${VARDIR}/state)"
-	    case $state in
-		Stopped*|Closed*|Clear*)
-		    status=3
-		    ;;
-	    esac
-	else
-	    state=Unknown
-	fi
-	echo "State:$state"
-	echo
-	exit $status
-	;;
-    dump)
-    	shift
-    	dump_command $@
-	;;
-    hits)
-	[ -n "$debugging" ] && set -x
-	shift
-	hits_command $@
-	;;
-    version)
-	shift
-	version_command $@
-	;;
-    logwatch)
-	logwatch_command $@
-	;;
-    drop)
-	[ -n "$debugging" ] && set -x
-	[ $# -eq 1 ] && usage 1
-	if shorewall_is_started ; then
-	    [ -n "$nolock" ] || mutex_on
-	    block DROP Dropped $*
-	    [ -n "$nolock" ] || mutex_off
-	else
-	    error_message "ERROR: Shorewall Lite is not started"
-	    exit 2
-	fi
-	;;
-    logdrop)
-	[ -n "$debugging" ] && set -x
-	[ $# -eq 1 ] && usage 1
-	if shorewall_is_started ; then
-	    [ -n "$nolock" ] || mutex_on
-	    block logdrop Dropped $*
-	    [ -n "$nolock" ] || mutex_off
-	else
-	    error_message "ERROR: Shorewall Lite is not started"
-	    exit 2
-	fi
-	;;
-    reject|logreject)
-	[ -n "$debugging" ] && set -x
-	[ $# -eq 1 ] && usage 1
-	if shorewall_is_started ; then
-	    [ -n "$nolock" ] || mutex_on
-	    block $COMMAND Rejected $*
-	    [ -n "$nolock" ] || mutex_off
-	else
-	    error_message "ERROR: Shorewall Lite is not started"
-	    exit 2
-	fi
-	;;
-    allow)
-	allow_command $@
-	;;
-    add)
-	get_config
-	shift
-	add_command $@
-	;;
-    delete)
-	get_config
-	shift
-	add_command $@
-	;;
-    disable|enable)
-	get_config Yes
-	if shorewall_is_started; then
-	    run_it ${VARDIR}/firewall $g_debugging $@
-	else
-	    fatal_error "Shorewall is not running"
-	fi
-	;;
-    save)
-	[ -n "$debugging" ] && set -x
-
-	case $# in
-	1)
-	    ;;
-	2)
-	    RESTOREFILE="$2"
-	    validate_restorefile '<restore file>'
-	    ;;
-	*)
-	    usage 1
-	    ;;
-	esac
-
-	g_restorepath=${VARDIR}/$RESTOREFILE
-
-	[ "$nolock" ] || mutex_on
-
-	save_config
-
-	[ "$nolock" ] || mutex_off
-	;;
-    forget)
-	case $# in
-	1)
-	    ;;
-	2)
-	    RESTOREFILE="$2"
-	    validate_restorefile '<restore file>'
-	    ;;
-	*)
-	    usage 1
-	    ;;
-	esac
-
-
-	g_restorepath=${VARDIR}/$RESTOREFILE
-
-	if [ -x $g_restorepath ]; then
-	    rm -f $g_restorepath
-	    rm -f ${g_restorepath}-iptables
-	    rm -f ${g_restorepath}-ipsets
-	    echo "    $g_restorepath removed"
-	elif [ -f $g_restorepath ]; then
-	    echo "   $g_restorepath exists and is not a saved Shorewall configuration"
-	fi
-	rm -f ${VARDIR}/save
-	;;
-    ipcalc)
-    	[ -n "$debugging" ] && set -x
-	if [ $# -eq 2 ]; then
-	    address=${2%/*}
-	    vlsm=${2#*/}
-	elif [ $# -eq 3 ]; then
-	    address=$2
-	    vlsm=$(ip_vlsm $3)
-	else
-	    usage 1
-	fi
-
-	valid_address $address || fatal_error "Invalid IP address: $address"
-	[ -z "$vlsm" ] && exit 2
-	[ "x$address" = "x$vlsm" ] && usage 2
-	[ $vlsm -gt 32 ] && echo "Invalid VLSM: /$vlsm" >&2 && exit 2
-
-	address=$address/$vlsm
-
-	                                   echo "   CIDR=$address"
-	temp=$(ip_netmask $address);       echo "   NETMASK=$(encodeaddr $temp)"
-	temp=$(ip_network $address);       echo "   NETWORK=$temp"
-	temp=$(broadcastaddress $address); echo "   BROADCAST=$temp"
-	;;
-
-    iprange)
-	[ -n "$debugging" ] && set -x
-	case $2 in
-	    *.*.*.*-*.*.*.*)
-		for address in ${2%-*} ${2#*-}; do
-		    valid_address $address || fatal_error "Invalid IP address: $address"
-		done
-
-		ip_range $2
-		;;
-	    *)
-		usage 1
-		;;
-	esac
-	;;
-    ipdecimal)
-	[ -n "$debugging" ] && set -x
-	[ $# -eq 2 ] || usage 1
-	case $2 in
-	    *.*.*.*)
-		valid_address $2 || fatal_error "Invalid IP address: $2"
-		echo "   $(decodeaddr $2)"
-		;;
-	    *)
-		echo "   $(encodeaddr $2)"
-		;;
-	esac
-	;;
-    restore)
-	shift
-	STARTUP_ENABLED=Yes
-	restore_command $@
-        ;;
-    call)
-	[ -n "$debugging" ] && set -x
-	#
-	# Undocumented way to call functions in ${SHAREDIR}/functions directly
-	#
-	shift
-	$@
-	;;
-    help)
-	shift
-	usage
-	;;
-    *)
-	usage 1
-	;;
-
-esac
+shorewall_cli $@
--- a/Shorewall/Makefile
+++ b/Shorewall/Makefile
@@ -2,6 +2,7 @@
 VARDIR=$(shell /sbin/shorewall show vardir)
 CONFDIR=/etc/shorewall
 RESTOREFILE?=firewall
+
 all: $(VARDIR)/${RESTOREFILE}

 $(VARDIR)/${RESTOREFILE}: $(CONFDIR)/*
@@ -11,11 +12,12 @@ $(VARDIR)/${RESTOREFILE}: $(CONFDIR)/*
 	then \
 	    /sbin/shorewall -q save >/dev/null; \
 	else \
-	    /sbin/shorewall -q restart 2>&1 | tail >&2; \
+	    /sbin/shorewall -q restart 2>&1 | tail >&2; exit 1; \
 	fi

 clean:
 	@rm -f $(CONFDIR)/*~ $(CONFDIR)/.*~
+
 .PHONY: clean

 # EOF
--- a/Shorewall/Perl/Shorewall/Accounting.pm
+++ b/Shorewall/Perl/Shorewall/Accounting.pm
@@ -322,7 +322,7 @@ sub process_accounting_rule( ) {
 	}
    }

-    dont_optimize( $chainref ) if $target eq 'RETURN';
+    set_optflags( $chainref, DONT_OPTIMIZE ) if $target eq 'RETURN';

    if ( $jumpchainref ) {
 	if ( $asection ) {
@@ -407,7 +407,7 @@ sub setup_accounting() {
 		}

 		if ( $tableref->{accounting} ) {
-		    dont_optimize( 'accounting' );
+		    set_optflags( 'accounting' , DONT_OPTIMIZE );
 		    for my $chain ( qw/INPUT FORWARD/ ) {
 			insert_ijump( $tableref->{$chain}, j => 'accounting', 0 );
 		    }
@@ -429,7 +429,7 @@ sub setup_accounting() {
 		    insert_ijump( $tableref->{POSTROUTING}, j => 'accountpost', 0 );
 		}
 	    } elsif ( $tableref->{accounting} ) {
-		dont_optimize( 'accounting' );
+		set_optflags( 'accounting' , DONT_OPTIMIZE );
 		for my $chain ( qw/INPUT FORWARD OUTPUT/ ) {
 		    insert_ijump( $tableref->{$chain}, j => 'accounting', 0 );
 		}
--- a/Shorewall/Perl/Shorewall/Chains.pm
+++ b/Shorewall/Perl/Shorewall/Chains.pm
--- a/Shorewall/Perl/Shorewall/Compiler.pm
+++ b/Shorewall/Perl/Shorewall/Compiler.pm
@@ -1,10 +1,10 @@
 #! /usr/bin/perl -w
 #
-#     The Shoreline Firewall Packet Filtering Firewall Compiler - V4.4
+#     The Shoreline Firewall Packet Filtering Firewall Compiler - V4.5
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007,2008,2009,2010,2011 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007,2008,2009,2010,2011,2012 - Tom Eastep (teastep@shorewall.net)
 #
 #	Complete documentation is available at http://shorewall.net
 #
@@ -71,7 +71,7 @@ sub initialize_package_globals( $ ) {
 #
 # First stage of script generation.
 #
-#    Copy prog.header and lib.common to the generated script.
+#    Copy prog.header, lib.core and lib.common to the generated script.
 #    Generate the various user-exit jacket functions.
 #
 #    Note: This function is not called when $command eq 'check'. So it must have no side effects other
@@ -95,7 +95,8 @@ sub generate_script_1( $ ) {
 		copy $globals{SHAREDIRPL} . 'prog.header6';
 	    }

-	    copy2 $globals{SHAREDIR} . '/lib.common', 0;
+	    copy2 $globals{SHAREDIRPL} . '/lib.core', 0;
+	    copy2 $globals{SHAREDIRPL} . '/lib.common', 0;
 	}

    }
@@ -162,27 +163,39 @@ sub generate_script_2() {
    push_indent;

    if ( $family == F_IPV4 ) {
+	emit( 'g_family=4' );
+
 	if ( $export ) {
 	    emit ( 'SHAREDIR=/usr/share/shorewall-lite',
 		   'CONFDIR=/etc/shorewall-lite',
-		   'g_product="Shorewall Lite"'
+		   'g_product="Shorewall Lite"',
+		   'g_program=shorewall-lite',
+		   'g_basedir=/usr/share/shorewall-lite',
 		 );
 	} else {
 	    emit ( 'SHAREDIR=/usr/share/shorewall',
 		   'CONFDIR=/etc/shorewall',
-		   'g_product=\'Shorewall\'',
+		   'g_product=Shorewall',
+		   'g_program=shorewall',
+		   'g_basedir=/usr/share/shorewall',
 		 );
 	}
    } else {
+	emit( 'g_family=6' );
+
 	if ( $export ) {
 	    emit ( 'SHAREDIR=/usr/share/shorewall6-lite',
 		   'CONFDIR=/etc/shorewall6-lite',
-		   'g_product="Shorewall6 Lite"'
+		   'g_product="Shorewall6 Lite"',
+		   'g_program=shorewall6-lite',
+		   'g_basedir=/usr/share/shorewall6',
 		 );
 	} else {
 	    emit ( 'SHAREDIR=/usr/share/shorewall6',
 		   'CONFDIR=/etc/shorewall6',
-		   'g_product=\'Shorewall6\'',
+		   'g_product=Shorewall6',
+		   'g_program=shorewall6',
+		   'g_basedir=/usr/share/shorewall'
 		 );
 	}
    }
@@ -461,6 +474,7 @@ sub generate_script_3($) {
    fi
 EOF
    pop_indent;
+    setup_load_distribution;
    setup_forwarding( $family , 1 );
    push_indent;

@@ -473,14 +487,18 @@ else
    if [ \$COMMAND = refresh ]; then
        chainlist_reload
 EOF
+    setup_load_distribution;
    setup_forwarding( $family , 0 );

+    emit( '        run_refreshed_exit' ,
+	  '        do_iptables -N shorewall' ,
+	  "        set_state Started $config_dir" ,
+	  '    else' ,
+	  '        setup_netfilter' );
+    
+    setup_load_distribution;
+
    emit<<"EOF";
-        run_refreshed_exit
-        do_iptables -N shorewall
-        set_state Started $config_dir
-    else
-        setup_netfilter
        conditionally_flush_conntrack
 EOF
    setup_forwarding( $family , 0 );
@@ -604,14 +622,9 @@ sub compiler {
    #                      S H O R E W A L L . C O N F  A N D  C A P A B I L I T I E S
    #
    get_configuration( $export , $update , $annotate );
-
-    report_capabilities unless $config{LOAD_HELPERS_ONLY};
-
-    require_capability( 'MULTIPORT'       , "Shorewall $globals{VERSION}" , 's' );
-    require_capability( 'RECENT_MATCH'    , 'MACLIST_TTL' , 's' )           if $config{MACLIST_TTL};
-    require_capability( 'XCONNMARK'       , 'HIGH_ROUTE_MARKS=Yes' , 's' )  if $config{PROVIDER_OFFSET} > 0;
-    require_capability( 'MANGLE_ENABLED'  , 'Traffic Shaping' , 's'      )  if $config{TC_ENABLED};
-
+    #
+    # Create a temp file to hold the script
+    #
    if ( $scriptfilename ) {
 	set_command( 'compile', 'Compiling', 'Compiled' );
 	create_temp_script( $scriptfilename , $export );
@@ -620,7 +633,7 @@ sub compiler {
    }
    #
    # Chain table initialization depends on shorewall.conf and capabilities. So it must be deferred until
-    # shorewall.conf has been processed and the capabilities have been determined.
+    # now when shorewall.conf has been processed and the capabilities have been determined.
    #
    initialize_chain_table(1);
    #
@@ -778,7 +791,7 @@ sub compiler {
    #
    # Process the rules file.
    #
-    process_rules;
+    process_rules( $convert );
    #
    # Add Tunnel rules.
    #
@@ -802,6 +815,8 @@ sub compiler {
 	#
 	generate_matrix;

+	optimize_level0;
+
 	if ( $config{OPTIMIZE} & 0x1E ) {
 	    progress_message2 'Optimizing Ruleset...';
 	    #
@@ -844,13 +859,7 @@ sub compiler {
 	#
 	# Copy the footer to the script
 	#
-	unless ( $test ) {
-	    if ( $family == F_IPV4 ) {
-		copy $globals{SHAREDIRPL} . 'prog.footer';
-	    } else {
-		copy $globals{SHAREDIRPL} . 'prog.footer6';
-	    }
-	}
+	copy $globals{SHAREDIRPL} . 'prog.footer' unless $test;

 	disable_script;
 	#
@@ -871,16 +880,18 @@ sub compiler {
 	    #
 	    generate_matrix;

-	    if ( $config{OPTIMIZE} & 0x1E ) {
+	    optimize_level0;
+
+	    if ( $config{OPTIMIZE} & OPTIMIZE_MASK ) {
 		progress_message2 'Optimizing Ruleset...';
 		#
 		# Optimize Policy Chains
 		#
-		optimize_policy_chains if $config{OPTIMIZE} & 2;
+		optimize_policy_chains if $config{OPTIMIZE} & OPTIMIZE_POLICY_MASK;
 		#
 		# Ruleset Optimization
 		#
-		optimize_ruleset if $config{OPTIMIZE} & 0x1C;
+		optimize_ruleset if $config{OPTIMIZE} & OPTIMIZE_RULESET_MASK;
 	    }

 	    enable_script if $debug;
--- a/Shorewall/Perl/Shorewall/Config.pm
+++ b/Shorewall/Perl/Shorewall/Config.pm
@@ -3,7 +3,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007,2008,2009,2010,2011 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007,2008,2009,2010,2011,2012 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
@@ -136,6 +136,7 @@ our %EXPORT_TAGS = ( internal => [ qw( create_temp_script
 				       $doing
 				       $done
 				       $currentline
+				       $currentfilename
 				       $debug
 				       %config
 				       %globals
@@ -287,6 +288,12 @@ my  %capdesc = ( NAT_ENABLED     => 'NAT',
 		 CONDITION_MATCH => 'Condition Match',
 		 IPTABLES_S      => 'iptables -S',
 		 BASIC_FILTER    => 'Basic Filter',
+		 CT_TARGET       => 'CT Target',
+		 STATISTIC_MATCH => 
+		                    'Statistics Match',
+		 IMQ_TARGET      => 'IMQ Target',
+		 DSCP_MATCH      => 'DSCP Match',
+		 DSCP_TARGET     => 'DSCP Target',
 		 CAPVERSION      => 'Capability Version',
 		 KERNELVERSION   => 'Kernel Version',
 	       );
@@ -366,7 +373,7 @@ my @actparms;

 our $currentline;            # Current config file line image
 my  $currentfile;            # File handle reference
-my  $currentfilename;        # File NAME
+our $currentfilename;        # File NAME
 my  $currentlinenumber;      # Line number
 my  $perlscript;             # File Handle Reference to current temporary file being written by an in-line Perl script
 my  $perlscriptname;         # Name of that file.
@@ -384,8 +391,8 @@ my  $toolNAME;               # Tool name in CAPS
 our $product;                # Name of product that will run the generated script
 our $Product;                # $product with initial cap.

-my $sillyname;               # Name of temporary filter chains for testing capabilities
-my $sillyname1;
+our $sillyname;              # Name of temporary filter chains for testing capabilities
+our $sillyname1;
 my $iptables;                # Path to iptables/ip6tables
 my $tc;                      # Path to tc
 my $ip;                      # Path to ip
@@ -404,6 +411,20 @@ use constant { MIN_VERBOSITY => -1,

 my %validlevels;             # Valid log levels.

+#
+# Deprecated options with their default values
+#
+my %deprecated = ( LOGRATE            => '' ,
+		   LOGBURST           => '' ,
+		   EXPORTPARAMS       => 'no',
+		   WIDE_TC_MARKS      => 'no',
+		   HIGH_ROUTE_MARKS   => 'no'
+		 );
+#
+# Deprecated options that are eliminated via update
+#
+my %converted = ( WIDE_TC_MARKS => 1,
+		  HIGH_ROUTE_MARKS => 1 );
 #
 # Rather than initializing globals in an INIT block or during declaration,
 # we initialize them in a function. This is done for two reasons:
@@ -451,7 +472,7 @@ sub initialize( $ ) {
 		    STATEMATCH => '-m state --state',
 		    UNTRACKED  => 0,
 		    VERSION    => "4.4.22.1",
-		    CAPVERSION => 40426 ,
+		    CAPVERSION => 40501 ,
 		  );
    #
    # From shorewall.conf file
@@ -470,6 +491,7 @@ sub initialize( $ ) {
 	  LOGBURST => undef,
 	  LOGALLNEW => undef,
 	  BLACKLIST_LOGLEVEL => undef,
+	  RELATED_LOG_LEVEL => undef,
 	  RFC1918_LOG_LEVEL => undef,
 	  MACLIST_LOG_LEVEL => undef,
 	  TCP_FLAGS_LOG_LEVEL => undef,
@@ -567,6 +589,7 @@ sub initialize( $ ) {
 	  COMPLETE => undef,
 	  EXPORTMODULES => undef,
 	  LEGACY_FASTSTART => undef,
+	  USE_PHYSICAL_NAMES => undef,
 	  #
 	  # Packet Disposition
 	  #
@@ -575,6 +598,7 @@ sub initialize( $ ) {
 	  BLACKLIST_DISPOSITION => undef,
 	  SMURF_DISPOSITION => undef,
 	  SFILTER_DISPOSITION => undef,
+	  RELATED_DISPOSITION => undef,
 	  #
 	  # Mark Geometry
 	  #
@@ -672,6 +696,11 @@ sub initialize( $ ) {
 	       CONDITION_MATCH => undef,
 	       IPTABLES_S => undef,
 	       BASIC_FILTER => undef,
+	       CT_TARGET => undef,
+	       STATISTIC_MATCH => undef,
+	       IMQ_TARGET => undef,
+	       DSCP_MATCH => undef,
+	       DSCP_TARGET => undef,
 	       CAPVERSION => undef,
 	       KERNELVERSION => undef,
 	       );
@@ -966,10 +995,10 @@ sub emitstd {
 #
 # Write passed message to the script with newline but no indentation.
 #
-sub emit_unindented( $ ) {
+sub emit_unindented( $;$ ) {
    assert( $script_enabled );

-    print $script "$_[0]\n" if $script;
+    print $script $_[1] ? "$_[0]" : "$_[0]\n" if $script;
 }

 #
@@ -1790,7 +1819,7 @@ sub embedded_shell( $ ) {
 sub embedded_perl( $ ) {
    my $multiline = shift;

-    my ( $command , $linenumber ) = ( qq(package Shorewall::User;\nno strict;\nuse Shorewall::Config qw/shorewall/;\n# line $currentlinenumber "$currentfilename"\n$currentline), $currentlinenumber );
+    my ( $command , $linenumber ) = ( qq(package Shorewall::User;\nno strict;\nuse Shorewall::Config (qw/shorewall/);\n# line $currentlinenumber "$currentfilename"\n$currentline), $currentlinenumber );

    if ( $multiline ) {
 	#
@@ -1929,9 +1958,11 @@ sub expand_variables( \$ ) {
 	if ( $var =~ /^\d+$/ ) {
 	    fatal_error "Undefined parameter (\$$var)" unless $var > 0 && defined $actparms[$var];
 	    $val = $actparms[$var];
-	} else {
-	    fatal_error "Undefined shell variable (\$$var)" unless exists $params{$var};
+	} elsif ( exists $params{$var} ) {
 	    $val = $params{$var};
+	} else {
+	    fatal_error "Undefined shell variable (\$$var)" unless exists $config{$var};
+	    $val = $config{$var};
 	}

 	$val = '' unless defined $val;
@@ -2738,6 +2769,35 @@ sub Iptables_S() {
    qt1( "$iptables -S INPUT" )
 }

+sub Ct_Target() {
+    my $ct_target;
+
+    if ( have_capability 'RAW_TABLE' ) {
+	qt1( "$iptables -t raw -N $sillyname" );
+	$ct_target = qt1( "$iptables -t raw -A $sillyname -j CT --notrack" );
+	qt1( "$iptables -t raw -F $sillyname" );
+	qt1( "$iptables -t raw -X $sillyname" );
+    }
+
+    $ct_target;
+}
+
+sub Statistic_Match() {
+    qt1( "$iptables -A $sillyname -m statistic --mode nth --every 2 --packet 1" );
+}
+
+sub Imq_Target() {
+    have_capability 'MANGLE_ENABLED' && qt1( "$iptables -t mangle -A $sillyname -j IMQ --todev 0" );
+}
+
+sub Dscp_Match() {
+    have_capability 'MANGLE_ENABLED' && qt1( "$iptables -t mangle -A $sillyname -m dscp --dscp 0" );
+}
+
+sub Dscp_Target() {
+    have_capability 'MANGLE_ENABLED' && qt1( "$iptables -t mangle -A $sillyname -j DSCP --set-dscp 0" );
+}
+
 our %detect_capability =
    ( ACCOUNT_TARGET =>\&Account_Target,
      AUDIT_TARGET => \&Audit_Target,
@@ -2750,6 +2810,9 @@ our %detect_capability =
      CONNMARK => \&Connmark,
      CONNMARK_MATCH => \&Connmark_Match,
      CONNTRACK_MATCH => \&Conntrack_Match,
+      CT_TARGET => \&Ct_Target,
+      DSCP_MATCH => \&Dscp_Match,
+      DSCP_TARGET => \&Dscp_Target,
      ENHANCED_REJECT => \&Enhanced_Reject,
      EXMARK => \&Exmark,
      FLOW_FILTER => \&Flow_Filter,
@@ -2758,6 +2821,7 @@ our %detect_capability =
      HASHLIMIT_MATCH => \&Hashlimit_Match,
      HEADER_MATCH => \&Header_Match,
      HELPER_MATCH => \&Helper_Match,
+      IMQ_TARGET => \&Imq_Target,
      IPMARK_TARGET => \&IPMark_Target,
      IPP2P_MATCH => \&Ipp2p_Match,
      IPRANGE_MATCH => \&IPRange_Match,
@@ -2791,6 +2855,7 @@ our %detect_capability =
      RAWPOST_TABLE => \&Rawpost_Table,
      REALM_MATCH => \&Realm_Match,
      RECENT_MATCH => \&Recent_Match,
+      STATISTIC_MATCH => \&Statistic_Match,
      TCPMSS_MATCH => \&Tcpmss_Match,
      TIME_MATCH => \&Time_Match,
      TPROXY_TARGET => \&Tproxy_Target,
@@ -2895,11 +2960,6 @@ sub determine_capabilities() {
 	$capabilities{IPMARK_TARGET}   = detect_capability( 'IPMARK_TARGET' );
 	$capabilities{TPROXY_TARGET}   = detect_capability( 'TPROXY_TARGET' );

-	if ( $capabilities{MANGLE_ENABLED} ) {
-	    qt1( "$iptables -t mangle -F $sillyname" );
-	    qt1( "$iptables -t mangle -X $sillyname" );
-	}
-
 	$capabilities{MANGLE_FORWARD}  = detect_capability( 'MANGLE_FORWARD' );
 	$capabilities{RAW_TABLE}       = detect_capability( 'RAW_TABLE' );
 	$capabilities{RAWPOST_TABLE}   = detect_capability( 'RAWPOST_TABLE' );
@@ -2926,6 +2986,11 @@ sub determine_capabilities() {
 	$capabilities{CONDITION_MATCH} = detect_capability( 'CONDITION_MATCH' );
 	$capabilities{IPTABLES_S}      = detect_capability( 'IPTABLES_S' );
 	$capabilities{BASIC_FILTER}    = detect_capability( 'BASIC_FILTER' );
+	$capabilities{CT_TARGET}       = detect_capability( 'CT_TARGET' );
+	$capabilities{STATISTIC_MATCH} = detect_capability( 'STATISTIC_MATCH' );
+	$capabilities{IMQ_TARGET}      = detect_capability( 'IMQ_TARGET' );
+	$capabilities{DSCP_MATCH}      = detect_capability( 'DSCP_MATCH' );
+	$capabilities{DSCP_TARGET}     = detect_capability( 'DSCP_TARGET' );


 	qt1( "$iptables -F $sillyname" );
@@ -2933,6 +2998,16 @@ sub determine_capabilities() {
 	qt1( "$iptables -F $sillyname1" );
 	qt1( "$iptables -X $sillyname1" );

+	if ( $capabilities{MANGLE_ENABLED} ) {
+	    qt1( "$iptables -t mangle -F $sillyname" );
+	    qt1( "$iptables -t mangle -X $sillyname" );
+	}
+
+	if ( $capabilities{NAT_ENABLED} ) {
+	    qt1( "$iptables -t nat -F $sillyname" );
+	    qt1( "$iptables -t nat -X $sillyname" );
+	}
+
 	$sillyname = $sillyname1 = undef;
    }
 }
@@ -3048,16 +3123,7 @@ sub update_config_file( $ ) {
 	#
 	$fn = $annotate ? "$globals{SHAREDIR}/configfiles/${product}.conf.annotated" : "$globals{SHAREDIR}/configfiles/${product}.conf";
    }
-    #
-    # Deprecated options with their default values
-    #
-    my %deprecated = ( LOGRATE            => '' ,
-		       LOGBURST           => '' ,
-		       EXPORTPARAMS       => 'no',
-		       WIDE_TC_MARKS      => 'no',
-		       HIGH_ROUTE_MARKS   => 'no'
-		     );
-    if ( -f $fn ) {
+   if ( -f $fn ) {
 	my ( $template, $output );

 	open $template, '<' , $fn or fatal_error "Unable to open $fn: $!";
@@ -3105,7 +3171,7 @@ sub update_config_file( $ ) {

 	my $heading_printed;

-	for ( keys %deprecated ) {
+	for ( grep ! $converted{$_} , keys %deprecated ) {
 	    if ( supplied( my $val = $config{$_} ) ) {
 		if ( lc $val ne $deprecated{$_} ) {
 		    unless ( $heading_printed ) {
@@ -3141,7 +3207,7 @@ EOF
 		progress_message3 "No update required to configuration file $configfile; $configfile.bak not saved";
 	    } else {
 		warning_message "Unable to unlink $configfile.bak";
-		progress_message3 "No update required to configuration file $configfile; $configfile.b";
+		progress_message3 "No update required to configuration file $configfile";
 	    }

 	    exit 0 unless -f find_file 'blacklist';
@@ -3176,6 +3242,9 @@ sub process_shorewall_conf( $$ ) {
 		    warning_message "Unknown configuration option ($var) ignored", next unless exists $config{$var};

 		    $config{$var} = ( $val =~ /\"([^\"]*)\"$/ ? $1 : $val );
+		    
+		    warning_message "Option $var=$val is deprecated"
+			if $deprecated{$var} && supplied $val && lc $config{$var} ne $deprecated{$var};
 		} else {
 		    fatal_error "Unrecognized $product.conf entry";
 		}
@@ -3312,6 +3381,8 @@ sub unsupported_yes_no_warning( $ ) {
 sub get_params() {
    my $fn = find_file 'params';

+    my %reserved = ( COMMAND => 1, CONFDIR => 1, SHAREDIR => 1, VARDIR => 1 );
+
    if ( -f $fn ) {
 	progress_message2 "Processing $fn ...";

@@ -3415,6 +3486,11 @@ sub get_params() {
 	    }
 	}

+	for ( keys %params ) {
+	    fatal_error "The variable name $_ is reserved and may not be set in the params file"
+		if /^SW_/ || /^SHOREWALL_/ || ( exists $config{$_} && ! exists $ENV{$_} ) || exists $reserved{$_};
+	}
+
 	if ( $debug ) {
 	    print "PARAMS:\n";
 	    my $value;
@@ -3441,11 +3517,13 @@ sub add_param( $$ ) {
 sub export_params() {
    my $count = 0;

-    while ( my ( $param, $value ) = each %params ) {
+    for my $param ( sort keys %params ) {
 	#
 	# Don't export params added by the compiler
 	#
 	next if exists $compiler_params{$param};
+
+	my $value = $params{$param};
 	#
 	# Values in %params are generated from the output of 'export -p'.
 	# The different shells have different conventions for delimiting
@@ -3514,7 +3592,6 @@ sub get_configuration( $$$ ) {

    get_capabilities( $export );

-
    $globals{STATEMATCH} = '-m conntrack --ctstate' if have_capability 'CONNTRACK_MATCH';

    if ( my $rate = $config{LOGLIMIT} ) {
@@ -3713,6 +3790,7 @@ sub get_configuration( $$$ ) {
    default_yes_no 'COMPLETE'                   , '';
    default_yes_no 'EXPORTMODULES'              , '';
    default_yes_no 'LEGACY_FASTSTART'           , 'Yes';
+    default_yes_no 'USE_PHYSICAL_NAMES'         , '';

    require_capability 'MARK' , 'FORWARD_CLEAR_MARK=Yes', 's', if $config{FORWARD_CLEAR_MARK};

@@ -3781,6 +3859,7 @@ sub get_configuration( $$$ ) {
    default_log_level 'MACLIST_LOG_LEVEL',   '';
    default_log_level 'TCP_FLAGS_LOG_LEVEL', '';
    default_log_level 'RFC1918_LOG_LEVEL',   '';
+    default_log_level 'RELATED_LOG_LEVEL',   '';

    warning_message "RFC1918_LOG_LEVEL=$config{RFC1918_LOG_LEVEL} ignored. The 'norfc1918' interface/host option is no longer supported" if $config{RFC1918_LOG_LEVEL};

@@ -3815,6 +3894,23 @@ sub get_configuration( $$$ ) {
 	$globals{MACLIST_TARGET}      = 'reject';
    }

+    if ( $val = $config{RELATED_DISPOSITION} ) {
+	if ( $val =~ /^(?:A_)?(?:DROP|ACCEPT)$/ ) {
+	    $globals{RELATED_TARGET} = $val;
+	} elsif ( $val eq 'REJECT' ) {
+	    $globals{RELATED_TARGET} = 'reject';
+	} elsif ( $val eq 'A_REJECT' ) {
+	    $globals{RELATED_TARGET} = $val;
+	} else {
+	    fatal_error "Invalid value ($config{RELATED_DISPOSITION}) for RELATED_DISPOSITION"
+	}
+
+	require_capability 'AUDIT_TARGET' , "MACLIST_DISPOSITION=$val", 's' if $val =~ /^A_/;
+    } else {
+	$config{RELATED_DISPOSITION}  =
+	$globals{RELATED_TARGET}      = 'ACCEPT';
+    }
+
    if ( $val = $config{MACLIST_TABLE} ) {
 	if ( $val eq 'mangle' ) {
 	    fatal_error 'MACLIST_DISPOSITION=$1 is not allowed with MACLIST_TABLE=mangle' if $config{MACLIST_DISPOSITION} =~ /^((?:A)?REJECT)$/;
@@ -3929,6 +4025,13 @@ sub get_configuration( $$$ ) {
    } else {
 	$config{LOCKFILE} = '';
    }
+
+    report_capabilities unless $config{LOAD_HELPERS_ONLY};
+
+    require_capability( 'MULTIPORT'       , "Shorewall $globals{VERSION}" , 's' );
+    require_capability( 'RECENT_MATCH'    , 'MACLIST_TTL' , 's' )           if $config{MACLIST_TTL};
+    require_capability( 'XCONNMARK'       , 'HIGH_ROUTE_MARKS=Yes' , 's' )  if $config{PROVIDER_OFFSET} > 0;
+    require_capability( 'MANGLE_ENABLED'  , 'Traffic Shaping' , 's'      )  if $config{TC_ENABLED};
 }

 #
--- a/Shorewall/Perl/Shorewall/IPAddrs.pm
+++ b/Shorewall/Perl/Shorewall/IPAddrs.pm
@@ -55,6 +55,7 @@ our @EXPORT = qw( ALLIPv4
 		  DCCP
 		  IPv6_ICMP
 		  SCTP
+		  GRE

 		  validate_address
 		  validate_net
@@ -117,6 +118,7 @@ use constant { ALLIPv4             => '0.0.0.0/0' ,
 	       TCP                 => 6,
 	       UDP                 => 17,
 	       DCCP                => 33,
+	       GRE                 => 47,
 	       IPv6_ICMP           => 58,
 	       SCTP                => 132,
 	       UDPLITE             => 136 };
--- a/Shorewall/Perl/Shorewall/Misc.pm
+++ b/Shorewall/Perl/Shorewall/Misc.pm
@@ -1,9 +1,9 @@
 #
-# Shorewall 4.4 -- /usr/share/shorewall/Shorewall/Misc.pm
+# Shorewall 4.5 -- /usr/share/shorewall/Shorewall/Misc.pm
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007,2008,2009,2010,2011 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007,2008,2009,2010,2011,2012 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
@@ -67,18 +67,17 @@ sub process_tos() {
    my $chain    = have_capability( 'MANGLE_FORWARD' ) ? 'fortos'  : 'pretos';
    my $stdchain = have_capability( 'MANGLE_FORWARD' ) ? 'FORWARD' : 'PREROUTING';

-    my %tosoptions = ( 'minimize-delay'       => 0x10 ,
-		       'maximize-throughput'  => 0x08 ,
-		       'maximize-reliability' => 0x04 ,
-		       'minimize-cost'        => 0x02 ,
-		       'normal-service'       => 0x00 );
-
-    if ( my $fn = open_file 'tos' ) {
+   if ( my $fn = open_file 'tos' ) {
 	my $first_entry = 1;

 	my ( $pretosref, $outtosref );

-	first_entry( sub { progress_message2 "$doing $fn..."; $pretosref = ensure_chain 'mangle' , $chain; $outtosref = ensure_chain 'mangle' , 'outtos'; } );
+	first_entry( sub { progress_message2 "$doing $fn..."; 
+			   warning_message "Use of the tos file is deprecated in favor of the TOS target in tcrules";
+			   $pretosref = ensure_chain 'mangle' , $chain; 
+			   $outtosref = ensure_chain 'mangle' , 'outtos';
+		       }
+		   );

 	while ( read_a_line ) {

@@ -86,14 +85,7 @@ sub process_tos() {

 	    $first_entry = 0;

-	    fatal_error 'A value must be supplied in the TOS column' if $tos eq '-';
-
-	    if ( defined ( my $tosval = $tosoptions{"\L$tos"} ) ) {
-		$tos = $tosval;
-	    } else {
-		my $val = numeric_value( $tos );
-		fatal_error "Invalid TOS value ($tos)" unless defined( $val ) && $val < 0x1f;
-	    }
+	    $tos = decode_tos( $tos , 1 );

 	    my $chainref;

@@ -129,7 +121,7 @@ sub process_tos() {
 		$src ,
 		$dst ,
 		'' ,
-		"TOS --set-tos $tos" ,
+		'TOS' . $tos ,
 		'' ,
 		'TOS' ,
 		'';
@@ -216,8 +208,8 @@ sub setup_blacklist() {
    # for 'refresh' to work properly.
    #
    if ( @$zones || @$zones1 ) {
-	$chainref  = dont_delete new_standard_chain 'blacklst' if @$zones;
-	$chainref1 = dont_delete new_standard_chain 'blackout' if @$zones1;
+	$chainref  = set_optflags( new_standard_chain( 'blacklst' ), DONT_OPTIMIZE | DONT_DELETE ) if @$zones;
+	$chainref1 = set_optflags( new_standard_chain( 'blackout' ), DONT_OPTIMIZE | DONT_DELETE ) if @$zones1;

 	if ( supplied $level ) {
 	    $target = ensure_blacklog_chain ( $target, $disposition, $level, $audit );
@@ -397,7 +389,6 @@ sub convert_blacklist() {
 	if ( supplied $level ) {
 	    $target = 'blacklog';
 	} elsif ( $audit ) {
-	    require_capability 'AUDIT_TARGET', "BLACKLIST_DISPOSITION=$disposition", 's';
 	    $target = verify_audit( $disposition );
 	}

@@ -691,20 +682,22 @@ sub add_common_rules ( $ ) {
    my $dynamicref;

    my @state     = $config{BLACKLISTNEWONLY} ? $globals{UNTRACKED} ? state_imatch 'NEW,INVALID,UNTRACKED' : state_imatch 'NEW,INVALID' : ();
+    my $faststate = $config{RELATED_DISPOSITION} eq 'ACCEPT' && $config{RELATED_LOG_LEVEL} eq '' ? 'ESTABLISHED,RELATED' : 'ESTABLISHED';
    my $level     = $config{BLACKLIST_LOGLEVEL};
    my $rejectref = $filter_table->{reject};

    if ( $config{DYNAMIC_BLACKLIST} ) {
-	add_rule_pair dont_delete( new_standard_chain( 'logdrop' ) ),   '' , 'DROP'   , $level ;
-	add_rule_pair dont_delete( new_standard_chain( 'logreject' ) ), '' , 'reject' , $level ;
-	$dynamicref = dont_optimize( new_standard_chain( 'dynamic' ) );
-	add_ijump $filter_table->{INPUT}, j => $dynamicref, @state;
+	add_rule_pair( set_optflags( new_standard_chain( 'logdrop' )  , DONT_OPTIMIZE | DONT_DELETE ), '' , 'DROP'   , $level );
+	add_rule_pair( set_optflags( new_standard_chain( 'logreject' ), DONT_OPTIMIZE | DONT_DELETE ), '' , 'reject' , $level );
+	$dynamicref =  set_optflags( new_standard_chain( 'dynamic' ) ,  DONT_OPTIMIZE );
 	add_commands( $dynamicref, '[ -f ${VARDIR}/.dynamic ] && cat ${VARDIR}/.dynamic >&3' );
    }

    setup_mss;

-    add_ijump( $filter_table->{OUTPUT} , j => 'ACCEPT', state_imatch 'ESTABLISHED,RELATED' ) if ( $config{FASTACCEPT} );
+    if ( $config{FASTACCEPT} ) {
+	add_ijump( $filter_table->{OUTPUT} , j => 'ACCEPT', state_imatch $faststate )
+    } 

    my $policy   = $config{SFILTER_DISPOSITION};
    $level       = $config{SFILTER_LOG_LEVEL};
@@ -751,8 +744,8 @@ sub add_common_rules ( $ ) {
 	$target1 = $target;
    }

-    for $interface ( grep $_ ne '%vserver%', all_interfaces ) {
-	ensure_chain( 'filter', $_ ) for first_chains( $interface ), output_chain( $interface );
+    for $interface ( all_real_interfaces ) {
+	ensure_chain( 'filter', $_ ) for first_chains( $interface ), output_chain( $interface ), option_chains( $interface ), output_option_chain( $interface );

 	my $interfaceref = find_interface $interface;

@@ -760,33 +753,28 @@ sub add_common_rules ( $ ) {

 	    my @filters = @{$interfaceref->{filter}};
 	
-	    $chainref = $filter_table->{forward_chain $interface};
+	    $chainref = $filter_table->{forward_option_chain $interface};
 	
 	    if ( @filters ) {
 		add_ijump( $chainref , @ipsec ? 'j' : 'g' => $target1, imatch_source_net( $_ ), @ipsec ), $chainref->{filtered}++ for @filters;
-		$interfaceref->{options}{use_forward_chain} = 1;
 	    } elsif ( $interfaceref->{bridge} eq $interface ) {
 		add_ijump( $chainref , @ipsec ? 'j' : 'g' => $target1, imatch_dest_dev( $interface ), @ipsec ), $chainref->{filtered}++
 		    unless( $config{ROUTE_FILTER} eq 'on' ||
 			    $interfaceref->{options}{routeback} ||
 			    $interfaceref->{options}{routefilter} ||
 			    $interfaceref->{physical} eq '+' );
-
-		$interfaceref->{options}{use_forward_chain} = 1;
 	    }

-	    add_ijump( $chainref, j => 'ACCEPT', state_imatch 'ESTABLISHED,RELATED' ), $chainref->{filtered}++ if $config{FASTACCEPT};
-	    add_ijump( $chainref, j => $dynamicref, @state ), $chainref->{filtered}++ if $dynamicref;
-
-	    $chainref = $filter_table->{input_chain $interface};
 	
 	    if ( @filters ) {
+		$chainref = $filter_table->{input_option_chain $interface};
 		add_ijump( $chainref , g => $target, imatch_source_net( $_ ), @ipsec ), $chainref->{filtered}++ for @filters;
-		$interfaceref->{options}{use_input_chain} = 1;
 	    }
 	
-	    add_ijump( $chainref, j => 'ACCEPT', state_imatch 'ESTABLISHED,RELATED' ), $chainref->{filtered}++ if $config{FASTACCEPT};
-	    add_ijump( $chainref, j => $dynamicref, @state ), $chainref->{filtered}++ if $dynamicref;
+	    for ( option_chains( $interface ) ) {
+		add_ijump( $filter_table->{$_}, j => $dynamicref, @state ) if $dynamicref;
+		add_ijump( $filter_table->{$_}, j => 'ACCEPT', state_imatch $faststate ) if $config{FASTACCEPT};
+	    }
 	}
    }

@@ -870,12 +858,9 @@ sub add_common_rules ( $ ) {
 	    my @policy     = have_ipsec ? ( policy => "--pol $ipsec --dir in" ) : ();
 	    my $target     = source_exclusion( $hostref->[3], $chainref );

-	    for $chain ( first_chains $interface ) {
+	    for $chain ( option_chains $interface ) {
 		add_ijump( $filter_table->{$chain} , j => $target, @state, imatch_source_net( $hostref->[2] ), @policy );
 	    }
-
-	    set_interface_option $interface, 'use_input_chain', 1;
-	    set_interface_option $interface, 'use_forward_chain', 1;
 	}
    }

@@ -925,14 +910,11 @@ sub add_common_rules ( $ ) {
 	my $ports = $family == F_IPV4 ? '67:68' : '546:547';

 	for $interface ( @$list ) {
-	    set_interface_option $interface, 'use_input_chain', 1;
-	    set_interface_option $interface, 'use_forward_chain', 1;
-	    
 	    set_rule_option( add_ijump( $filter_table->{$_} , j => 'ACCEPT', p => "udp --dport $ports" ) ,
 			     'dhcp',
-			     1 ) for input_chain( $interface ), output_chain( $interface );
+			     1 ) for input_option_chain( $interface ), output_option_chain( $interface );

-	    add_ijump( $filter_table->{forward_chain $interface} ,
+	    add_ijump( $filter_table->{forward_option_chain $interface} ,
 		       j => 'ACCEPT', 
 		       p =>  "udp --dport $ports" ,
 		       imatch_dest_dev( $interface ) )
@@ -990,11 +972,9 @@ sub add_common_rules ( $ ) {
 	    my $target     = source_exclusion( $hostref->[3], $chainref );
 	    my @policy     = have_ipsec ? ( policy => "--pol $hostref->[1] --dir in" ) : ();

-	    for $chain ( first_chains $interface ) {
+	    for $chain ( option_chains $interface ) {
 		add_ijump( $filter_table->{$chain} , j => $target, p => 'tcp', imatch_source_net( $hostref->[2] ), @policy );
 	    }
-	    set_interface_option $interface, 'use_input_chain', 1;
-	    set_interface_option $interface, 'use_forward_chain', 1;
 	}
    }

@@ -1006,7 +986,7 @@ sub add_common_rules ( $ ) {
 	if ( @$list ) {
 	    progress_message2 "$doing UPnP";

-	    $chainref = dont_optimize new_nat_chain( 'UPnP' );
+	    $chainref = set_optflags( new_nat_chain( 'UPnP' ), DONT_OPTIMIZE );

 	    add_commands( $chainref, '[ -s /${VARDIR}/.UPnP ] && cat ${VARDIR}/.UPnP >&3' );

@@ -1023,11 +1003,12 @@ sub add_common_rules ( $ ) {
 	    progress_message2 "$doing UPnP" unless $announced;

 	    for $interface ( @$list ) {
-		my $chainref = $filter_table->{input_chain $interface};
+		my $chainref = $filter_table->{input_option_chain $interface};
 		my $base     = uc chain_base get_physical $interface;
-		my $variable = get_interface_gateway $interface;
+		my $optional = interface_is_optional( $interface );
+		my $variable = get_interface_gateway( $interface, ! $optional );

-		if ( interface_is_optional $interface ) {
+		if ( $optional ) {
 		    add_commands( $chainref,
 				  qq(if [ -n "SW_\$${base}_IS_USABLE" -a -n "$variable" ]; then) );
 		    incr_cmd_level( $chainref );
@@ -1172,12 +1153,9 @@ sub setup_mac_lists( $ ) {
 	    if ( $table eq 'filter' ) {
 		my $chainref = source_exclusion( $hostref->[3], $filter_table->{mac_chain $interface} );

-		for my $chain ( first_chains $interface ) {
+		for my $chain ( option_chains $interface ) {
 		    add_ijump $filter_table->{$chain} , j => $chainref, @source, @state, @policy;
 		}
-
-		set_interface_option $interface, 'use_input_chain', 1;
-		set_interface_option $interface, 'use_forward_chain', 1;
 	    } else {
 		my $chainref = source_exclusion( $hostref->[3], $mangle_table->{mac_chain $interface} );
 		add_ijump $mangle_table->{PREROUTING}, j => $chainref, imatch_source_dev( $interface ), @source, @state, @policy;
@@ -1382,6 +1360,7 @@ sub add_interface_jumps {
    our %output_jump_added;
    our %forward_jump_added;
    my  $lo_jump_added = 0;
+    my @interfaces = grep $_ ne '%vserver%', @_;
    #
    # Add Nat jumps
    #
@@ -1393,7 +1372,7 @@ sub add_interface_jumps {
    addnatjump 'POSTROUTING' , 'nat_out';
    addnatjump 'PREROUTING', 'dnat';

-    for my $interface ( grep $_ ne '%vserver%', @_ ) {
+    for my $interface ( @interfaces  ) {
 	addnatjump 'PREROUTING'  , input_chain( $interface )  , imatch_source_dev( $interface );
 	addnatjump 'POSTROUTING' , output_chain( $interface ) , imatch_dest_dev( $interface );
 	addnatjump 'POSTROUTING' , masq_chain( $interface ) , imatch_dest_dev( $interface );
@@ -1407,7 +1386,7 @@ sub add_interface_jumps {
    #
    # Add the jumps to the interface chains from filter FORWARD, INPUT, OUTPUT
    #
-    for my $interface ( grep $_ ne '%vserver%', @_ ) {
+    for my $interface ( @interfaces ) {
 	my $forwardref   = $filter_table->{forward_chain $interface};
 	my $inputref     = $filter_table->{input_chain $interface};
 	my $outputref    = $filter_table->{output_chain $interface};
@@ -1487,58 +1466,19 @@ sub generate_matrix() {
    my  %ipsec_jump_added   = ();

    progress_message2 'Generating Rule Matrix...';
-    progress_message  '  Handling blacklisting and complex zones...';
+    progress_message  '  Handling complex zones...';

    #
-    # Special processing for complex and/or blacklisting configurations
+    # Special processing for complex configurations
    #
    for my $zone ( @zones ) {
 	my $zoneref = find_zone( $zone );
-	my $simple  =  @zones <= 2 && ! $zoneref->{options}{complex};
+	
+	next if  @zones <= 2 && ! $zoneref->{options}{complex};
 	#
-	# Handle blacklisting first
+	# Complex zone or we have more than one non-firewall zone -- process_rules created a zone forwarding chain
 	#
-	if ( $zoneref->{options}{in}{blacklist} ) {
-	    my $blackref = $filter_table->{blacklst};
-	    insert_ijump ensure_rules_chain( rules_chain( $zone, $_ ) ) , j => $blackref , -1, @state for firewall_zone, @vservers;
-
-	    if ( $simple ) {
-		#
-		# We won't create a zone forwarding chain for this zone so we must add blacklisting jumps to the rules chains
-		#
-		for my $zone1 ( @zones ) {
-		    my $ruleschain    = rules_chain( $zone, $zone1 );
-		    my $ruleschainref = $filter_table->{$ruleschain};
-
-		    if ( ( $zone ne $zone1 || $ruleschainref->{referenced} ) && $ruleschainref->{policy} ne 'NONE' ) {
-			insert_ijump( ensure_rules_chain( $ruleschain ), j => $blackref, -1, @state );
-		    }
-		}
-	    }
-	}
-
-	if ( $zoneref->{options}{out}{blacklist} ) {
-	    my $blackref = $filter_table->{blackout};
-	    insert_ijump ensure_rules_chain( rules_chain( firewall_zone, $zone ) ) , j => $blackref , -1, @state;
-
-	    for my $zone1 ( @zones, @vservers ) {
-		my $ruleschain    = rules_chain( $zone1, $zone );
-		my $ruleschainref = $filter_table->{$ruleschain};
-
-		if ( ( $zone ne $zone1 || $ruleschainref->{referenced} ) && $ruleschainref->{policy} ne 'NONE' ) {
-		    insert_ijump( ensure_rules_chain( $ruleschain ), j => $blackref, -1, @state );
-		}
-	    }
-	}
-
-	next if $simple;
-
-	#
-	# Complex zone or we have more than one non-firewall zone -- create a zone forwarding chain
-	#
-	my $frwd_ref = new_standard_chain zone_forward_chain( $zone );
-
-	insert_ijump( $frwd_ref , j => $filter_table->{blacklst}, -1, @state ) if $zoneref->{options}{in}{blacklist};
+	my $frwd_ref = $filter_table->{zone_forward_chain( $zone )};

 	add_ijump( $frwd_ref , j => 'MARK --set-mark ' . in_hex( $zoneref->{mark} ) . '/' . in_hex( $globals{ZONE_MASK} ) ) if $zoneref->{mark};

@@ -1776,7 +1716,6 @@ sub generate_matrix() {
 			my $interfacechainref = $filter_table->{input_chain $interface};
 			my @interfacematch;
 			my $use_input;
-			my $blacklist = $zoneref->{options}{in}{blacklist};

 			if ( @vservers || use_input_chain( $interface, $interfacechainref ) || ! $chain2 || ( @{$interfacechainref->{rules}} && ! $chain2ref ) ) {
 			    $inputchainref = $interfacechainref;
@@ -2030,8 +1969,6 @@ sub generate_matrix() {

    add_interface_jumps @interfaces unless $interface_jumps_added;

-    promote_blacklist_rules;
-
    my %builtins = ( mangle => [ qw/PREROUTING INPUT FORWARD POSTROUTING/ ] ,
 		     nat=>     [ qw/PREROUTING OUTPUT POSTROUTING/ ] ,
 		     filter=>  [ qw/INPUT FORWARD OUTPUT/ ] );
--- a/Shorewall/Perl/Shorewall/Nat.pm
+++ b/Shorewall/Perl/Shorewall/Nat.pm
@@ -54,8 +54,8 @@ sub initialize() {
 #
 sub process_one_masq( )
 {
-    my ($interfacelist, $networks, $addresses, $proto, $ports, $ipsec, $mark, $user ) = 
-	split_line1 'masq file', { interface => 0, source => 1, address => 2, proto => 3, port => 4, ipsec => 5, mark => 6, user => 7 };
+    my ($interfacelist, $networks, $addresses, $proto, $ports, $ipsec, $mark, $user, $condition ) = 
+	split_line1 'masq file', { interface => 0, source => 1, address => 2, proto => 3, port => 4, ipsec => 5, mark => 6, user => 7, switch => 8 };

    if ( $interfacelist eq 'COMMENT' ) {
 	process_comment;
@@ -88,7 +88,7 @@ sub process_one_masq( )
 	$interfacelist = $1;
    } elsif ( $interfacelist =~ /^([^:]+):([^:]*)$/ ) {
 	my ( $one, $two ) = ( $1, $2 );
-	if ( $2 =~ /\./ ) {
+	if ( $2 =~ /\./ || $2 =~ /^%/ ) {
 	    $interfacelist = $one;
 	    $destnets = $two;
 	}
@@ -117,9 +117,9 @@ sub process_one_masq( )
    }

    #
-    # Handle Protocol and Ports
+    # Handle Protocol, Ports and Condition
    #
-    $baserule .= do_proto $proto, $ports, '';
+    $baserule .= do_proto( $proto, $ports, '' ) . do_condition( $condition );
    #
    # Handle Mark
    #
@@ -195,7 +195,7 @@ sub process_one_masq( )
 			    if ( $conditional = conditional_rule( $chainref, $addr ) ) {
 				$addrlist .= '--to-source ' . get_interface_address $1;
 			    } else {
-				$addrlist .= '--to-source ' . record_runtime_address $1;
+				$addrlist .= '--to-source ' . record_runtime_address( '&', $1 );
 			    }
 			} elsif ( $addr =~ /^.*\..*\..*\./ ) {
 			    $target = 'SNAT ';
--- a/Shorewall/Perl/Shorewall/Proc.pm
+++ b/Shorewall/Perl/Shorewall/Proc.pm
@@ -3,7 +3,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007,2008,2009,2010,2011 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007,2008,2009,2010,2011,2012 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
@@ -308,8 +308,7 @@ sub setup_interface_proc( $ ) {
    }

    if ( @emitted ) {
-	emit( '',
-	      'if [ $COMMAND = enable ]; then' );
+	emit( 'if [ $COMMAND = enable ]; then' );
 	push_indent;
 	emit "$_" for @emitted;
 	pop_indent;
--- a/Shorewall/Perl/Shorewall/Providers.pm
+++ b/Shorewall/Perl/Shorewall/Providers.pm
@@ -3,7 +3,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007,2008,2009,2010.2011 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007,2008,2009,2010.2011,2012 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
@@ -21,7 +21,7 @@
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MAS 02110-1301 USA.
 #
 #   This module deals with the /etc/shorewall/providers,
-#   /etc/shorewall/route_rules and /etc/shorewall/routes files.
+#   /etc/shorewall/rtrules and /etc/shorewall/routes files.
 #
 package Shorewall::Providers;
 require Exporter;
@@ -38,7 +38,9 @@ our @EXPORT = qw( process_providers
 		  setup_providers
 		  @routemarked_interfaces
 		  handle_stickiness
-		  handle_optional_interfaces );
+		  handle_optional_interfaces
+		  setup_load_distribution
+	       );
 our @EXPORT_OK = qw( initialize lookup_provider );
 our $VERSION = '4.4_24';

@@ -53,11 +55,14 @@ my  @routemarked_providers;
 my  %routemarked_interfaces;
 our @routemarked_interfaces;
 my  %provider_interfaces;
+my  @load_providers;
+my  @load_interfaces;

 my $balancing;
 my $fallback;
 my $first_default_route;
 my $first_fallback_route;
+my $maxload;

 my %providers;

@@ -82,14 +87,17 @@ use constant { ROUTEMARKED_SHARED => 1, ROUTEMARKED_UNSHARED => 2 };
 sub initialize( $ ) {
    $family = shift;

-    @routemarked_providers = ();
+    @routemarked_providers  = ();
    %routemarked_interfaces = ();
    @routemarked_interfaces = ();
    %provider_interfaces    = ();
-    $balancing           = 0;
-    $fallback            = 0;
-    $first_default_route  = 1;
-    $first_fallback_route = 1;
+    @load_providers         = ();
+    @load_interfaces        = ();
+    $balancing              = 0;
+    $fallback               = 0;
+    $first_default_route    = 1;
+    $first_fallback_route   = 1;
+    $maxload                = 0;

    %providers  = ( local   => { number => LOCAL_TABLE   , mark => 0 , optional => 0 ,routes => [], rules => [] } ,
 		    main    => { number => MAIN_TABLE    , mark => 0 , optional => 0 ,routes => [], rules => [] } ,
@@ -110,33 +118,55 @@ sub setup_route_marking() {
    add_ijump $mangle_table->{$_} , j => 'CONNMARK', targetopts => "--restore-mark --mask $mask", connmark => "! --mark 0/$mask" for qw/PREROUTING OUTPUT/;

    my $chainref  = new_chain 'mangle', 'routemark';
-    my $chainref1 = new_chain 'mangle', 'setsticky';
-    my $chainref2 = new_chain 'mangle', 'setsticko';

-    my %marked_interfaces;
+    if ( @routemarked_providers ) {
+	my $chainref1 = new_chain 'mangle', 'setsticky';
+	my $chainref2 = new_chain 'mangle', 'setsticko';

-    for my $providerref ( @routemarked_providers ) {
-	my $interface = $providerref->{interface};
-	my $physical  = $providerref->{physical};
-	my $mark      = $providerref->{mark};
+	my %marked_interfaces;

-	unless ( $marked_interfaces{$interface} ) {
-	    add_ijump $mangle_table->{PREROUTING} , j => $chainref,  i => $physical,     mark => "--mark 0/$mask";
-	    add_ijump $mangle_table->{PREROUTING} , j => $chainref1, i => "! $physical", mark => "--mark  $mark/$mask";
-	    add_ijump $mangle_table->{OUTPUT}     , j => $chainref2,                     mark => "--mark  $mark/$mask";
-	    $marked_interfaces{$interface} = 1;
+	for my $providerref ( @routemarked_providers ) {
+	    my $interface = $providerref->{interface};
+	    my $physical  = $providerref->{physical};
+	    my $mark      = $providerref->{mark};
+
+	    unless ( $marked_interfaces{$interface} ) {
+		add_ijump $mangle_table->{PREROUTING} , j => $chainref,  i => $physical,     mark => "--mark 0/$mask";
+		add_ijump $mangle_table->{PREROUTING} , j => $chainref1, i => "! $physical", mark => "--mark  $mark/$mask";
+		add_ijump $mangle_table->{OUTPUT}     , j => $chainref2,                     mark => "--mark  $mark/$mask";
+		$marked_interfaces{$interface} = 1;
+	    }
+
+	    if ( $providerref->{shared} ) {
+		add_commands( $chainref, qq(if [ -n "$providerref->{mac}" ]; then) ), incr_cmd_level( $chainref ) if $providerref->{optional};
+		add_ijump $chainref, j => 'MARK', targetopts => "--set-mark $providerref->{mark}", imatch_source_dev( $interface ), mac => "--mac-source $providerref->{mac}";
+		decr_cmd_level( $chainref ), add_commands( $chainref, "fi\n" ) if $providerref->{optional};
+	    } else {
+		add_ijump $chainref, j => 'MARK', targetopts => "--set-mark $providerref->{mark}", imatch_source_dev( $interface );
+	    }
 	}

-	if ( $providerref->{shared} ) {
-	    add_commands( $chainref, qq(if [ -n "$providerref->{mac}" ]; then) ), incr_cmd_level( $chainref ) if $providerref->{optional};
-	    add_ijump $chainref, j => 'MARK', targetopts => "--set-mark $providerref->{mark}", imatch_source_dev( $interface ), mac => "--mac-source $providerref->{mac}";
-	    decr_cmd_level( $chainref ), add_commands( $chainref, "fi\n" ) if $providerref->{optional};
-	} else {
-	    add_ijump $chainref, j => 'MARK', targetopts => "--set-mark $providerref->{mark}", imatch_source_dev( $interface );
-	}
+	add_ijump $chainref, j => 'CONNMARK', targetopts => "--save-mark --mask $mask", mark => "! --mark 0/$mask";
    }

-    add_ijump $chainref, j => 'CONNMARK', targetopts => "--save-mark --mask $mask", mark => "! --mark 0/$mask";
+    if ( @load_interfaces ) {
+	my $chainref1 = new_chain 'mangle', 'balance';
+	my @match;
+
+	add_ijump $chainref,               g => $chainref1, mark => "--mark 0/$mask";
+	add_ijump $mangle_table->{OUTPUT}, j => $chainref1, state_imatch( 'NEW,RELATED' ), mark => "--mark 0/$mask";
+
+	for my $physical ( @load_interfaces ) {
+
+	    my $chainref2 = new_chain( 'mangle', load_chain( $physical ) );
+
+	    set_optflags( $chainref2, DONT_OPTIMIZE | DONT_MOVE | DONT_DELETE );
+	
+  	    add_ijump ( $chainref1,
+			j => $chainref2 ,
+		        mark => "--mark 0/$mask" );
+	}
+    }
 }

 sub copy_table( $$$ ) {
@@ -366,8 +396,8 @@ sub process_a_provider() {
 	$gateway = '';
    }

-    my ( $loose, $track,                   $balance , $default, $default_balance,                $optional,                           $mtu, $local ) =
-	(0,      $config{TRACK_PROVIDERS}, 0 ,        0,        $config{USE_DEFAULT_RT} ? 1 : 0, interface_is_optional( $interface ), ''  , 0 );
+    my ( $loose, $track,                   $balance , $default, $default_balance,                $optional,                           $mtu, $local , $load ) =
+	(0,      $config{TRACK_PROVIDERS}, 0 ,        0,        $config{USE_DEFAULT_RT} ? 1 : 0, interface_is_optional( $interface ), ''  , 0      , 0 );

    unless ( $options eq '-' ) {
 	for my $option ( split_list $options, 'option' ) {
@@ -408,6 +438,9 @@ sub process_a_provider() {
 		$local = 1;
 		$track = 0           if $config{TRACK_PROVIDERS};
 		$default_balance = 0 if $config{USE_DEFAULT_RT};
+	    } elsif ( $option =~ /^load=(0?\.\d{1,8})/ ) {
+		$load = $1;
+		require_capability 'STATISTIC_MATCH', "load=$load", 's';
 	    } else {
 		fatal_error "Invalid option ($option)";
 	    }
@@ -416,6 +449,12 @@ sub process_a_provider() {

    fatal_error q(The 'balance' and 'fallback' options are mutually exclusive) if $balance && $default;

+    if ( $load ) {
+	fatal_error q(The 'balance=<weight>' and 'load=<load-factor>' options are mutually exclusive) if $balance > 1;
+	fatal_error q(The 'fallback=<weight>' and 'load=<load-factor>' options are mutually exclusive) if $default > 1;
+	$maxload += $load;
+    }
+
    if ( $local ) {
 	fatal_error "GATEWAY not valid with 'local' provider" unless $gatewaycase eq 'none';
 	fatal_error "'track' not valid with 'local'"          if $track;
@@ -488,6 +527,7 @@ sub process_a_provider() {
 			   duplicate   => $duplicate ,
 			   address     => $address ,
 			   local       => $local ,
+			   load        => $load ,
 			   rules       => [] ,
 			   routes      => [] ,
 			 };
@@ -506,6 +546,8 @@ sub process_a_provider() {
 	push @routemarked_providers, $providers{$table};
    }

+    push @load_interfaces, $physical if $load;
+
    push @providers, $table;

    progress_message "   Provider \"$currentline\" $done";
@@ -537,6 +579,8 @@ sub add_a_provider( $$ ) {
    my $duplicate   = $providerref->{duplicate};
    my $address     = $providerref->{address};
    my $local       = $providerref->{local};
+    my $load        = $providerref->{load};
+
    my $dev         = chain_base $physical;
    my $base        = uc $dev;
    my $realm = '';
@@ -563,7 +607,23 @@ sub add_a_provider( $$ ) {
 	    }
 	}
    }
+
+    emit( qq(echo $load > \${VARDIR}/${physical}_load) ) if $load;
+
+    emit( '', 
+	  "cat <<EOF >> \${VARDIR}/undo_${table}_routing" );
    
+    emit_unindented 'case \$COMMAND in';
+    emit_unindented '    enable|disable)';
+    emit_unindented '        ;;';
+    emit_unindented '    *)';
+    emit_unindented "        rm -f \${VARDIR}/${physical}_load" if $load;
+    emit_unindented <<"CEOF", 1;
+        rm -f \${VARDIR}/${physical}.status
+        ;;
+esac
+EOF
+CEOF
    #
    # /proc for this interface
    #
@@ -599,8 +659,7 @@ sub add_a_provider( $$ ) {
 	    emit "run_ip route replace $gateway src $address dev $physical ${mtu}";
 	    emit "run_ip route replace $gateway src $address dev $physical ${mtu}table $number $realm";
 	} else {
-	    emit "qt \$IP -6 route del $gateway src $address dev $physical ${mtu}";
-	    emit "run_ip route add $gateway src $address dev $physical ${mtu}";
+	    emit "qt \$IP -6 route add $gateway src $address dev $physical ${mtu}";
 	    emit "qt \$IP -6 route del $gateway src $address dev $physical ${mtu}table $number $realm";
 	    emit "run_ip route add $gateway src $address dev $physical ${mtu}table $number $realm";
 	}
@@ -631,7 +690,10 @@ sub add_a_provider( $$ ) {
 	$fallback = 1;
    }

-    emit ( qq(\nqt \$IP rule add from all table ) . DEFAULT_TABLE . qq( prio 32767\n) ) if $family == F_IPV6;
+    emit( qq(\n) ,
+	  qq(if ! \$IP -6 rule ls | egrep -q "32767:[[:space:]]+from all lookup (default|253)"; then) ,
+	  qq(    qt \$IP -6 rule add from all table ) . DEFAULT_TABLE . qq( prio 32767\n) ,
+	  qq(fi) ) if $family == F_IPV6;

    unless ( $local ) {
 	emit '';
@@ -669,11 +731,14 @@ sub add_a_provider( $$ ) {
    }

    emit( '' );
-
+    
    my ( $tbl, $weight );

-    if ( $optional ) {
-	emit( 'if [ $COMMAND = enable ]; then' );
+    emit( qq(echo 0 > \${VARDIR}/${physical}.status) );
+
+    if ( $optional ) {	
+	emit( '',
+	      'if [ $COMMAND = enable ]; then' );

 	push_indent;

@@ -697,10 +762,12 @@ sub add_a_provider( $$ ) {
 		    emit qq(add_gateway "nexthop dev $physical $realm" ) . $tbl;
 		}
 	    }
-	} else {
+	    	} else {
 	    $weight = 1;
 	}

+	emit ( "distribute_load $maxload @load_interfaces" ) if $load;
+
 	unless ( $shared ) {
 	    emit( "setup_${dev}_tc" ) if $tcdevices->{$interface};
 	}
@@ -709,12 +776,13 @@ sub add_a_provider( $$ ) {

 	pop_indent;
 
-	emit( 'else' ,
-	      qq(    echo $weight > \${VARDIR}/${physical}_weight) ,
+	emit( 'else' );
+	emit( qq(    echo $weight > \${VARDIR}/${physical}_weight) ,
 	      qq(    progress_message "   Provider $table ($number) Started"),
 	      qq(fi\n)
 	    );
    } else {
+	emit( qq(echo 0 > \${VARDIR}/${physical}.status) );
 	emit( qq(progress_message "Provider $table ($number) Started") );
    }
    
@@ -723,6 +791,8 @@ sub add_a_provider( $$ ) {
    emit 'else';

    push_indent;
+    
+    emit( qq(echo 1 > \${VARDIR}/${physical}.status) );

    if ( $optional ) {
 	if ( $shared ) {
@@ -782,6 +852,9 @@ sub add_a_provider( $$ ) {
 	emit (". $undo",
 	      "> $undo" );

+	emit ( '',
+	       "distribute_load $maxload @load_interfaces" ) if $load;
+
 	unless ( $shared ) {
 	    emit( '', 
 		  "qt \$TC qdisc del dev $physical root",
@@ -804,7 +877,7 @@ sub add_a_provider( $$ ) {
 }

 sub add_an_rtrule( ) {
-    my ( $source, $dest, $provider, $priority, $originalmark ) = split_line 'route_rules file', { source => 0, dest => 1, provider => 2, priority => 3 , mark => 4 };
+    my ( $source, $dest, $provider, $priority, $originalmark ) = split_line 'rtrules file', { source => 0, dest => 1, provider => 2, priority => 3 , mark => 4 };

    our $current_if;

@@ -831,7 +904,7 @@ sub add_an_rtrule( ) {
    my $number = $providerref->{number};

    fatal_error "You may not add rules for the $provider provider" if $number == LOCAL_TABLE || $number == UNSPEC_TABLE;
-    fatal_error "You must specify either the source or destination in a route_rules entry" if $source eq '-' && $dest eq '-';
+    fatal_error "You must specify either the source or destination in a rtrules entry" if $source eq '-' && $dest eq '-';

    if ( $dest eq '-' ) {
 	$dest = 'to ' . ALLIP;
@@ -842,6 +915,8 @@ sub add_an_rtrule( ) {

    if ( $source eq '-' ) {
 	$source = 'from ' . ALLIP;
+    } elsif ( $source =~ s/^&// ) {
+	$source = 'from ' . record_runtime_address '&', $source;
    } elsif ( $family == F_IPV4 ) {
 	if ( $source =~ /:/ ) {
 	    ( my $interface, $source , my $remainder ) = split( /:/, $source, 3 );
@@ -992,20 +1067,20 @@ sub start_providers() {
 }

 sub finish_providers() {
+    my $table = MAIN_TABLE;
+    
+    if ( $config{USE_DEFAULT_RT} ) {
+	emit ( 'run_ip rule add from ' . ALLIP . ' table ' . MAIN_TABLE .    ' pref 999',
+	       'run_ip rule add from ' . ALLIP . ' table ' . BALANCE_TABLE . ' pref 32765',
+	       "\$IP -$family rule del from " . ALLIP . ' table ' . MAIN_TABLE . ' pref 32766',
+	       qq(echo "qt \$IP -$family rule add from ) . ALLIP . ' table ' . MAIN_TABLE .    ' pref 32766" >> ${VARDIR}/undo_main_routing',
+	       qq(echo "qt \$IP -$family rule del from ) . ALLIP . ' table ' . MAIN_TABLE .    ' pref 999" >> ${VARDIR}/undo_main_routing',
+	       qq(echo "qt \$IP -$family rule del from ) . ALLIP . ' table ' . BALANCE_TABLE . ' pref 32765" >> ${VARDIR}/undo_balance_routing',
+	       '' );
+	$table = BALANCE_TABLE;
+    }
+
    if ( $balancing ) {
-	my $table = MAIN_TABLE;
-
-	if ( $config{USE_DEFAULT_RT} ) {
-	    emit ( 'run_ip rule add from ' . ALLIP . ' table ' . MAIN_TABLE .    ' pref 999',
-		   'run_ip rule add from ' . ALLIP . ' table ' . BALANCE_TABLE . ' pref 32765',
-		   "\$IP -$family rule del from " . ALLIP . ' table ' . MAIN_TABLE . ' pref 32766',
-		   qq(echo "qt \$IP -$family rule add from ) . ALLIP . ' table ' . MAIN_TABLE .    ' pref 32766" >> ${VARDIR}/undo_main_routing',
-		   qq(echo "qt \$IP -$family rule del from ) . ALLIP . ' table ' . MAIN_TABLE .    ' pref 999" >> ${VARDIR}/undo_main_routing',
-		   qq(echo "qt \$IP -$family rule del from ) . ALLIP . ' table ' . BALANCE_TABLE . ' pref 32765" >> ${VARDIR}/undo_balance_routing',
-		   '' );
-	    $table = BALANCE_TABLE;
-	}
-
 	emit  ( 'if [ -n "$DEFAULT_ROUTE" ]; then' );
 	if ( $family == F_IPV4 ) {
 	    emit  ( "    run_ip route replace default scope global table $table \$DEFAULT_ROUTE" );
@@ -1093,7 +1168,15 @@ sub process_providers( $ ) {
    }

    if ( $providers ) {
-	my $fn = open_file 'route_rules';
+	my $fn = open_file( 'route_rules' );
+
+	if ( $fn ){
+	    if ( -f ( my $fn1 = find_file 'rtrules' ) ) {
+		warning_message "Both $fn and $fn1 exists: $fn1 will be ignored";
+	    }
+	} else {
+	    $fn = open_file( 'rtrules' );
+	}

 	if ( $fn ) {
 	    first_entry "$doing $fn...";
@@ -1141,7 +1224,7 @@ EOF
 	    emit ( "    if [ -z \"`\$IP -$family route ls table $providerref->{number}`\" ]; then", 
 		   "        start_provider_$provider",
 		   '    else',
-		   '        startup_error "Interface $g_interface is already enabled"',
+		   "        startup_error \"Interface $providerref->{physical} is already enabled\"",
 		   '    fi',
 		   '    ;;'
 		 );
@@ -1173,11 +1256,11 @@ EOF
    for my $provider (@providers ) {
 	my $providerref = $providers{$provider};

-	emit( "$providerref->{physical})",
+	emit( "$providerref->{physical}|$provider)",
 	      "    if [ -n \"`\$IP -$family route ls table $providerref->{number}`\" ]; then", 
 	      "        stop_provider_$provider",
 	      '    else',
-	      '        startup_error "Interface $g_interface is already disabled"',
+	      "        startup_error \"Interface $providerref->{physical} is already disabled\"",
 	      '    fi',
 	      '    ;;'
 	    ) if $providerref->{optional};
@@ -1220,7 +1303,7 @@ sub setup_providers() {
 	pop_indent;
 	emit "fi\n";

-	setup_route_marking if @routemarked_interfaces;
+	setup_route_marking if @routemarked_interfaces || @load_interfaces;
    } else {
 	emit "\nif [ -z \"\$g_noroutes\" ]; then";

@@ -1492,10 +1575,17 @@ sub handle_stickiness( $ ) {
 	}
    }

-    if ( @routemarked_providers ) {
+    if ( @routemarked_providers || @load_interfaces ) {
 	delete_jumps $mangle_table->{PREROUTING}, $setstickyref unless @{$setstickyref->{rules}};
 	delete_jumps $mangle_table->{OUTPUT},     $setstickoref unless @{$setstickoref->{rules}};
    }
 }

+sub setup_load_distribution() {
+    emit ( '',
+	   "        distribute_load $maxload @load_interfaces" ,
+	   '' 
+	 ) if @load_interfaces;
+}
+
 1;
--- a/Shorewall/Perl/Shorewall/Proxyarp.pm
+++ b/Shorewall/Perl/Shorewall/Proxyarp.pm
@@ -84,7 +84,7 @@ sub setup_one_proxy_arp( $$$$$$$ ) {
 	    emit "[ -n \"\$g_noroutes\" ] || run_ip route replace $address/32 dev $physical";
 	} else {
 	    emit( 'if [ -z "$g_noroutes" ]; then',
-		  "    qt \$IP -6 route del $address/128 dev $physical".
+		  "    qt \$IP -6 route del $address/128 dev $physical",
 		  "    run_ip route add $address/128 dev $physical",
 		  'fi'
 		);
--- a/Shorewall/Perl/Shorewall/Raw.pm
+++ b/Shorewall/Perl/Shorewall/Raw.pm
@@ -36,12 +36,14 @@ our @EXPORT = qw( setup_notrack );
 our @EXPORT_OK = qw( );
 our $VERSION = 'MODULEVERSION';

+my %valid_ctevent = ( new => 1, related => 1, destroy => 1, reply => 1, assured => 1, protoinfo => 1, helper => 1, mark => 1, natseqinfo => 1, secmark => 1 );
+
 #
 # Notrack
 #
-sub process_notrack_rule( $$$$$$ ) {
+sub process_notrack_rule( $$$$$$$ ) {

-    my ($source, $dest, $proto, $ports, $sports, $user ) = @_;
+    my ($action, $source, $dest, $proto, $ports, $sports, $user ) = @_;

    $proto  = ''    if $proto  eq 'any';
    $ports  = ''    if $ports  eq 'any' || $ports  eq 'all';
@@ -55,42 +57,110 @@ sub process_notrack_rule( $$$$$$ ) {
    fatal_error 'USER/GROUP is not allowed unless the SOURCE zone is $FW or a Vserver zone' if $user ne '-' && $restriction != OUTPUT_RESTRICT;
    require_capability 'RAW_TABLE', 'Notrack rules', '';

+    my $target = $action;
+    my $exception_rule = '';
    my $rule = do_proto( $proto, $ports, $sports ) . do_user ( $user );

-    expand_rule
-	$chainref ,
-	$restriction ,
-	$rule ,
-	$source ,
-	$dest ,
-	'' ,
-	'NOTRACK' ,
-	'' ,
-	'NOTRACK' ,
-	'' ;
+    unless ( $action eq 'NOTRACK' ) {
+	(  $target, my ( $option, $args, $junk ) ) = split ':', $action, 4;

+	fatal_error "Invalid notrack ACTION ( $action )" if $junk || $target ne 'CT';
+
+	require_capability 'CT_TARGET', 'CT entries in the notrack file', '';
+
+	if ( $option eq 'notrack' ) {
+	    fatal_error "Invalid notrack ACTION ( $action )" if supplied $args;
+	    $action = 'CT --notrack';
+	} else {
+	    fatal_error "Invalid or missing CT option and arguments" unless supplied $option && supplied $args;
+
+	    if ( $option eq 'helper' ) {
+		fatal_error "Invalid helper' ($args)" if $args =~ /,/;
+		validate_helper( $args, $proto );
+		$action = "CT --helper $args";
+		$exception_rule = do_proto( $proto, '-', '-' );
+	    } elsif ( $option eq 'ctevents' ) {
+		for ( split ',', $args ) {
+		    fatal_error "Invalid 'ctevents' event ($_)" unless $valid_ctevent{$_};
+		}
+
+		$action = "CT --ctevents $args";
+	    } elsif ( $option eq 'expevent' ) {
+		fatal_error "Invalid expevent argument ($args)" unless $args eq 'new';
+	    } elsif ( $option eq 'zone' ) {
+		fatal_error "Invalid zone id ($args)" unless $args =~ /^\d+$/;
+	    } else {
+		fatal_error "Invalid CT option ($option)";
+	    }
+	}
+    }
+
+    expand_rule( $chainref ,
+		 $restriction ,
+		 $rule,
+		 $source ,
+		 $dest ,
+		 '' ,
+		 $action ,
+		 '' ,
+		 $target ,
+		 $exception_rule );
+    
    progress_message "  Notrack rule \"$currentline\" $done";

    $globals{UNTRACKED} = 1;
 }

+sub process_format( $ ) {
+    my $format = shift;
+
+    fatal_error q(FORMAT must be '1' or '2') unless $format =~ /^[12]$/;
+
+    $format;
+}
+
 sub setup_notrack() {

+    my $format = 1;
+    my $action = 'NOTRACK';
+
    if ( my $fn = open_file 'notrack' ) {

 	first_entry "$doing $fn...";

 	my $nonEmpty = 0;

-	while ( read_a_line ) {
+	while ( read_a_line ) {	    
+	    my ( $source, $dest, $proto, $ports, $sports, $user );

-	    my ( $source, $dest, $proto, $ports, $sports, $user ) = split_line1 'Notrack File', { source => 0, dest => 1, proto => 2, dport => 3, sport => 4, user => 5 };
-
-	    if ( $source eq 'COMMENT' ) {
-		process_comment;
+	    if ( $format == 1 ) {
+		( $source, $dest, $proto, $ports, $sports, $user ) = split_line1 'Notrack File', { source => 0, dest => 1, proto => 2, dport => 3, sport => 4, user => 5 };
+		
+		if ( $source eq 'FORMAT' ) {
+		    $format = process_format( $dest );
+		    next;
+		}
+		
+		if ( $source eq 'COMMENT' ) {
+		    process_comment;
+		    next;
+		}	    
 	    } else {
-		process_notrack_rule $source, $dest, $proto, $ports, $sports, $user;
+		( $action, $source, $dest, $proto, $ports, $sports, $user ) = split_line1 'Notrack File', { action => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5, user => 6 }, { COMMENT => 0, FORMAT => 2 };
+		
+		if ( $action eq 'FORMAT' ) {
+		    $format = process_format( $source );
+		    $action = 'NOTRACK';
+		    next;
+		}
+		
+		if ( $action eq 'COMMENT' ) {
+		    process_comment;
+		    next;
+		}	    
 	    }
+	    
+	    process_notrack_rule $action, $source, $dest, $proto, $ports, $sports, $user;
 	}

 	clear_comment;
--- a/Shorewall/Perl/Shorewall/Rules.pm
+++ b/Shorewall/Perl/Shorewall/Rules.pm
@@ -3,7 +3,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007,2008,2009,2010,2011 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007,2008,2009,2010,2011,2012 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
@@ -116,7 +116,6 @@ my %auditpolicies = ( ACCEPT => 1,
 		      DROP   => 1,
 		      REJECT => 1
 		    );
-
 #
 # Rather than initializing globals in an INIT block or during declaration,
 # we initialize them in a function. This is done for two reasons:
@@ -145,8 +144,7 @@ sub initialize( $ ) {
    #
    # These are set to 1 as sections are encountered.
    #
-    %sections = ( BLACKLIST   => 0,
-		  ALL         => 0,
+    %sections = ( ALL         => 0,
 		  ESTABLISHED => 0,
 		  RELATED     => 0,
 		  NEW         => 0
@@ -678,8 +676,6 @@ sub complete_standard_chain ( $$$$ ) {
    policy_rules $stdchainref , $policy , $loglevel, $defaultaction, 0;
 }

-sub require_audit($$;$);
-
 #
 # Create and populate the synflood chains corresponding to entries in /etc/shorewall/policy
 #
@@ -744,7 +740,7 @@ sub ensure_rules_chain( $ )

    my $chainref = $filter_table->{$chain};

-    $chainref = dont_move( new_chain( 'filter', $chain ) ) unless $chainref;
+    $chainref = new_chain( 'filter', $chain ) unless $chainref;

    unless ( $chainref->{referenced} ) {
 	if ( $section =~/^(NEW|DONE)$/ ) {
@@ -764,11 +760,33 @@ sub ensure_rules_chain( $ )
 #
 sub finish_chain_section ($$) {
    my ($chainref, $state ) = @_;
-    my $chain = $chainref->{name};
+    my $chain               = $chainref->{name};
+    my $related_level       = $config{RELATED_LOG_LEVEL};
+    my $related_target      = $globals{RELATED_TARGET};
    
    push_comment(''); #These rules should not have comments

-    add_ijump $chainref, j => 'ACCEPT', state_imatch $state unless $config{FASTACCEPT};
+    if ( $state =~ /RELATED/ && ( $related_level || $related_target ne 'ACCEPT' ) ) {
+
+	if ( $related_level ) {
+	    my $relatedref = new_chain( 'filter', "+$chainref->{name}" );
+	    log_rule( $related_level,
+		      $relatedref,
+		      $config{RELATED_DISPOSITION},
+		      '' );
+	    add_ijump( $relatedref, g => $related_target );
+		    
+	    $related_target = $relatedref->{name};
+	}
+
+	add_ijump $chainref, g => $related_target, state_imatch 'RELATED';
+
+	$state =~ s/,?RELATED//;
+    }
+
+    if ( $state ) {
+	add_ijump $chainref, j => 'ACCEPT', state_imatch $state unless $config{FASTACCEPT};
+    }

    if ($sections{NEW} ) {
 	if ( $chainref->{is_policy} ) {
@@ -945,7 +963,7 @@ sub createlogactionchain( $$$$$ ) {

    unless ( $targets{$action} & BUILTIN ) {

-	dont_optimize $chainref;
+	set_optflags( $chainref, DONT_OPTIMIZE );

 	my $file = find_file $chain;

@@ -979,7 +997,7 @@ sub createsimpleactionchain( $ ) {

    unless ( $targets{$action} & BUILTIN ) {

-	dont_optimize $chainref;
+	set_optflags( $chainref, DONT_OPTIMIZE );

 	my $file = find_file $action;

@@ -1288,7 +1306,7 @@ sub allowInvalid ( $$$$ ) {
 }

 sub forwardUPnP ( $$$$ ) {
-    my $chainref = dont_optimize 'forwardUPnP';
+    my $chainref = set_optflags( 'forwardUPnP', DONT_OPTIMIZE );

    add_commands( $chainref , '[ -f ${VARDIR}/.forwardUPnP ] && cat ${VARDIR}/.forwardUPnP >&3' );
 }
@@ -1409,7 +1427,7 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$$ );

 #
 # Populate an action invocation chain. As new action tuples are encountered,
-# the function will be called recursively by process_rules_common().
+# the function will be called recursively by process_rule1().
 #
 sub process_action( $) {
    my $chainref = shift;
@@ -1697,9 +1715,7 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$ $) {
 	#
 	fatal_error "Macro invocations nested too deeply" if ++$macro_nest_level > MAX_MACRO_NEST_LEVEL;

-	if ( $param ne '' ) {
-	    $current_param = $param unless $param eq 'PARAM';
-	}
+	$current_param = $param unless $param eq '' || $param eq 'PARAM';

 	my $generated = process_macro( $basictarget,
 				       $chainref,
@@ -1741,7 +1757,7 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$ $) {
    #
    # We can now dispense with the postfix character
    #
-    fatal_error "The +, - and ! modifiers are not allowed in the bllist file or in the BLACKLIST section" if $action =~ s/[\+\-!]$// && $blacklist;
+    fatal_error "The +, - and ! modifiers are not allowed in the blrules file" if $action =~ s/[\+\-!]$// && $blacklist;
    #
    # Handle actions
    #
@@ -1807,7 +1823,7 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$ $) {
 			  CONTINUE => sub { $action = 'RETURN'; } ,

 			  WHITELIST => sub { 
-			      fatal_error "'WHITELIST' may only be used in the blrules file and in the 'BLACKLIST' section" unless $blacklist; 
+			      fatal_error "'WHITELIST' may only be used in the blrules file" unless $blacklist; 
 			      $action = 'RETURN';
 			  } ,

@@ -2000,7 +2016,12 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$ $) {
    }

    unless ( $section eq 'NEW' || $inaction ) {
-	fatal_error "Entries in the $section SECTION of the rules file not permitted with FASTACCEPT=Yes" if $config{FASTACCEPT};
+	if ( $config{FASTACCEPT} ) {
+	    fatal_error "Entries in the $section SECTION of the rules file not permitted with FASTACCEPT=Yes" unless 
+		$section eq 'BLACKLIST' ||
+		( $section eq 'RELATED' && ( $config{RELATED_DISPOSITION} ne 'ACCEPT' || $config{RELATED_LOG_LEVEL} ) )
+	}
+
 	fatal_error "$basictarget rules are not allowed in the $section SECTION" if $actiontype & ( NATRULE | NONAT );
 	$rule .= "$globals{STATEMATCH} $section " unless $section eq 'ALL' || $blacklist;
    }
@@ -2217,7 +2238,7 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$ $) {
 	    }
 	}

-	dont_move( dont_optimize( $nonat_chain ) ) if $tgt eq 'RETURN';
+	set_optflags( $nonat_chain, DONT_MOVE | DONT_OPTIMIZE ) if $tgt eq 'RETURN';

 	expand_rule( $nonat_chain ,
 		     PREROUTE_RESTRICT ,
@@ -2241,7 +2262,7 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$ $) {
 	    $action = $usedactions{$normalized_target}{name};
 	    $loglevel = '';
 	} else {
-	    dont_move( dont_optimize ( $chainref ) ) if $action eq 'RETURN';
+	    set_optflags( $chainref , DONT_MOVE | DONT_OPTIMIZE ) if $action eq 'RETURN';
 	}

 	if ( $origdest ) {
@@ -2285,15 +2306,15 @@ sub process_section ($) {
    fatal_error "Duplicate or out of order SECTION $sect" if $sections{$sect};
    $sections{$sect} = 1;

-    if ( $sect eq 'ALL' ) {
-	$sections{BLACKLIST} = 1;
+    if ( $sect eq 'BLACKLIST' ) {
+	fatal_error "The BLACKLIST section has been eliminated. Please move your BLACKLIST rules to the 'blrules' file";
    } elsif ( $sect eq 'ESTABLISHED' ) {
-	$sections{'BLACKLIST','ALL'} = ( 1, 1);
+	$sections{ALL} = 1;
    } elsif ( $sect eq 'RELATED' ) {
-	@sections{'BLACKLIST','ALL','ESTABLISHED'} = ( 1, 1, 1);
+	@sections{'ALL','ESTABLISHED'} = ( 1, 1);
 	finish_section 'ESTABLISHED';
    } elsif ( $sect eq 'NEW' ) {
-	@sections{'BLACKLIST','ALL','ESTABLISHED','RELATED'} = ( 1, 1, 1, 1 );
+	@sections{'ALL','ESTABLISHED','RELATED'} = ( 1, 1, 1 );
 	finish_section ( ( $section eq 'RELATED' ) ? 'RELATED' : 'ESTABLISHED,RELATED' );
    }

@@ -2438,34 +2459,115 @@ sub process_rule ( ) {
 }

 #
-# Process the Rules File
+# Add jumps to the blacklst and blackout chains
 #
-sub process_rules() {
+sub classic_blacklist() {
+    my $fw       = firewall_zone;
+    my @zones    = off_firewall_zones;
+    my @vservers = vserver_zones;
+    my @state = $config{BLACKLISTNEWONLY} ? $globals{UNTRACKED} ? state_imatch 'NEW,INVALID,UNTRACKED' : state_imatch 'NEW,INVALID' : ();
+    my $result;
+    
+    for my $zone ( @zones ) {
+	my $zoneref = find_zone( $zone );
+	my $simple  =  @zones <= 2 && ! $zoneref->{options}{complex};
+	
+	if ( $zoneref->{options}{in}{blacklist} ) {
+	    my $blackref = $filter_table->{blacklst};
+	    add_ijump ensure_rules_chain( rules_chain( $zone, $_ ) ) , j => $blackref , @state for firewall_zone, @vservers;
+
+	    if ( $simple ) {
+		#
+		# We won't create a zone forwarding chain for this zone so we must add blacklisting jumps to the rules chains
+		#
+		for my $zone1 ( @zones ) {
+		    my $ruleschain    = rules_chain( $zone, $zone1 );
+		    my $ruleschainref = $filter_table->{$ruleschain};
+
+		    if ( ( $zone ne $zone1 || $ruleschainref->{referenced} ) && $ruleschainref->{policy} ne 'NONE' ) {
+			add_ijump( ensure_rules_chain( $ruleschain ), j => $blackref, @state );
+		    }
+		}
+	    }
+
+	    $result = 1;
+	}
+
+	if ( $zoneref->{options}{out}{blacklist} ) {
+	    my $blackref = $filter_table->{blackout};
+	    add_ijump ensure_rules_chain( rules_chain( firewall_zone, $zone ) ) , j => $blackref , @state;
+
+	    for my $zone1 ( @zones, @vservers ) {
+		my $ruleschain    = rules_chain( $zone1, $zone );
+		my $ruleschainref = $filter_table->{$ruleschain};
+
+		if ( ( $zone ne $zone1 || $ruleschainref->{referenced} ) && $ruleschainref->{policy} ne 'NONE' ) {
+		    add_ijump( ensure_rules_chain( $ruleschain ), j => $blackref, @state );
+		}
+	    }
+
+	    $result = 1;
+	}
+
+	unless ( $simple ) {
+	    #
+	    # Complex zone or we have more than one non-firewall zone -- create a zone forwarding chain
+	    #
+	    my $frwd_ref = new_standard_chain zone_forward_chain( $zone );
+
+	    add_ijump( $frwd_ref , j => $filter_table->{blacklst}, @state ) if $zoneref->{options}{in}{blacklist};
+	}
+    }
+
+    $result;
+}
+
+#
+# Process the BLRules and Rules Files
+#
+sub process_rules( $ ) {
+    my $convert = shift;
+    my $blrules = 0;
+    #
+    # Generate jumps to the classic blacklist chains
+    #
+    $blrules = classic_blacklist unless $convert;
+    #
+    # Process the blrules file
+    #
+    $section = 'BLACKLIST';
+
    my $fn = open_file 'blrules';

    if ( $fn ) {
 	first_entry( sub () {
 			 my ( $level, $disposition ) = @config{'BLACKLIST_LOGLEVEL', 'BLACKLIST_DISPOSITION' };
-			 my $audit       = $disposition =~ /^A_/;
-			 my $target      = $disposition eq 'REJECT' ? 'reject' : $disposition;
+			 my  $audit       = $disposition =~ /^A_/;
+			 my  $target      = $disposition eq 'REJECT' ? 'reject' : $disposition;

-			 progress_message2 "$doing $fn...";
+			 progress_message2 "$doing $currentfilename...";

 			 if ( supplied $level ) {
 			     ensure_blacklog_chain( $target, $disposition, $level, $audit );
+			     ensure_audit_blacklog_chain( $target, $disposition, $level ) if have_capability 'AUDIT_TARGET';
 			 } elsif ( $audit ) {
 			     require_capability 'AUDIT_TARGET', "BLACKLIST_DISPOSITION=$disposition", 's';
 			     verify_audit( $disposition );
+			 } elsif ( have_capability 'AUDIT_TARGET' ) {
+			     verify_audit( 'A_' . $disposition );
 			 }
-		     } );
-	
-	$section = 'BLACKLIST';
+
+			 $blrules = 1;
+		     }
+		   );

 	process_rule while read_a_line;
-	    
-	$section = '';
    }

+    $section = '';
+
+    add_interface_options( $blrules );
+
    $fn = open_file 'rules';

    if ( $fn ) {
--- a/Shorewall/Perl/Shorewall/Tc.pm
+++ b/Shorewall/Perl/Shorewall/Tc.pm
@@ -104,6 +104,9 @@ my  %flow_keys = ( 'src'            => 1,
 		   'sk-gid'         => 1,
 		   'vlan-tag'       => 1 );

+my %designator = ( F => 'tcfor' ,
+		   T => 'tcpost' );
+
 my  %tosoptions = ( 'tos-minimize-delay'       => '0x10/0x10' ,
 		    'tos-maximize-throughput'  => '0x08/0x08' ,
 		    'tos-maximize-reliability' => '0x04/0x04' ,
@@ -191,8 +194,15 @@ sub initialize( $ ) {
 }

 sub process_tc_rule( ) {
-    my ( $originalmark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers ) = 
-	split_line1 'tcrules file', { mark => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5, user => 6, test => 7, length => 8, tos => 9, connbytes => 10, helper => 11, headers => 12 };
+    my ( $originalmark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability , $dscp );
+    if ( $family == F_IPV4 ) {
+	( $originalmark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $probability, $dscp ) =
+	    split_line1 'tcrules file', { mark => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5, user => 6, test => 7, length => 8, tos => 9, connbytes => 10, helper => 11, probability => 12 , dscp => 13 };
+	$headers = '-';
+    } else {
+	( $originalmark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability, $dscp ) = 
+	    split_line1 'tcrules file', { mark => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5, user => 6, test => 7, length => 8, tos => 9, connbytes => 10, helper => 11, headers => 12, probability => 13 , dscp => 14 };
+    }

    our @tccmd;

@@ -207,38 +217,203 @@ sub process_tc_rule( ) {

    fatal_error "Invalid MARK ($originalmark)" unless supplied $mark;

+    my $chain    = $globals{MARKING_CHAIN};
+    my $classid  = 0;
+
    if ( $remainder ) { 
 	if ( $originalmark =~ /^\w+\(?.*\)$/ ) {
 	    $mark = $originalmark; # Most likely, an IPv6 address is included in the parameter list
 	} else {
-	    fatal_error "Invalid MARK ($originalmark)";
+	    fatal_error "Invalid MARK ($originalmark)" 
+		unless ( $mark =~ /^([0-9a-fA-F]+)$/ &&
+			 $designator =~ /^([0-9a-fA-F]+)$/ && 
+			 ( $chain = $designator{$remainder} ) );
+	    $mark    = join( ':', $mark, $designator );
+	    $classid = 1;
 	}
    }

-    my $chain  = $globals{MARKING_CHAIN};
    my $target = 'MARK --set-mark';
    my $tcsref;
    my $connmark = 0;
-    my $classid  = 0;
    my $device   = '';
    my $fw       = firewall_zone;
    my $list;
+    my $restriction = 0;
+    my $cmd;
+    my $rest;
+
+    my %processtcc = ( sticky => sub() {
+			                  if ( $chain eq 'tcout' ) {
+					      $target = 'sticko';
+					  } else {
+					      fatal_error "SAME rules are only allowed in the PREROUTING and OUTPUT chains" if $chain ne 'tcpre';
+					  }
+
+					  $restriction = DESTIFACE_DISALLOW;
+
+					  ensure_mangle_chain($target);
+
+					  $sticky++;
+				      },
+		       IPMARK => sub() {
+			                  my ( $srcdst, $mask1, $mask2, $shift ) = ('src', 255, 0, 0 );
+
+					  require_capability 'IPMARK_TARGET', 'IPMARK', 's';
+
+					  if ( $cmd =~ /^IPMARK\((.+?)\)$/ ) {
+					      my $params = $1;
+					      my $val;
+
+					      my ( $sd, $m1, $m2, $s , $bad ) = split ',', $params;
+
+					      fatal_error "Invalid IPMARK parameters ($params)" if $bad;
+					      fatal_error "Invalid IPMARK parameter ($sd)" unless ( $sd eq 'src' || $sd eq 'dst' );
+					      $srcdst = $sd;
+
+					      if ( supplied $m1 ) {
+						  $val = numeric_value ($m1);
+						  fatal_error "Invalid Mask ($m1)" unless defined $val && $val && $val <= 0xffffffff;
+						  $mask1 = in_hex ( $val & 0xffffffff );
+					      }
+
+					      if ( supplied $m2 ) {
+						  $val = numeric_value ($m2);
+						  fatal_error "Invalid Mask ($m2)" unless defined $val && $val <= 0xffffffff;
+						  $mask2 = in_hex ( $val & 0xffffffff );
+					      }
+
+					      if ( defined $s ) {
+						  $val = numeric_value ($s);
+						  fatal_error "Invalid Shift Bits ($s)" unless defined $val && $val >= 0 && $val < 128;
+						  $shift = $s;
+					      }			    
+					  } else {
+					      fatal_error "Invalid MARK/CLASSIFY ($cmd)" unless $cmd eq 'IPMARK';
+					  }
+
+					  $target = "IPMARK --addr $srcdst --and-mask $mask1 --or-mask $mask2 --shift $shift";
+				      },
+		       TPROXY => sub() {
+			                  require_capability( 'TPROXY_TARGET', 'Use of TPROXY', 's');
+
+			                  fatal_error "Invalid TPROXY specification( $cmd/$rest )" if $rest;
+
+					  $chain = 'tcpre';
+
+					  $cmd =~ /TPROXY\((.+?)\)$/;
+
+					  my $params = $1;
+
+					  fatal_error "Invalid TPROXY specification( $cmd )" unless defined $params;
+
+					  ( $mark, my $port, my $ip, my $bad ) = split ',', $params;
+
+					  fatal_error "Invalid TPROXY specification( $cmd )" if defined $bad;
+
+					  if ( $port ) {
+					      $port = validate_port( 'tcp', $port );
+					  } else {
+					      $port = 0;
+					  }
+
+					  $target .= " --on-port $port";
+
+					  if ( supplied $ip ) {
+					      if ( $family == F_IPV6 ) {
+						  $ip = $1 if $ip =~ /^\[(.+)\]$/ || $ip =~ /^<(.+)>$/;
+					      }
+
+					      validate_address $ip, 1;
+					      $target .= " --on-ip $ip";
+					  }
+
+					  $target .= ' --tproxy-mark';
+				      },
+		       TTL => sub() {
+			                  fatal_error "TTL is not supported in IPv6 - use HL instead" if $family == F_IPV6;
+					  fatal_error "Invalid TTL specification( $cmd/$rest )" if $rest;
+					  fatal_error "Chain designator $designator not allowed with TTL" if $designator && ! ( $designator eq 'F' );
+
+					  $chain = 'tcfor';
+
+					  $cmd =~ /^TTL\(([-+]?\d+)\)$/;
+
+					  my $param =  $1;
+
+					  fatal_error "Invalid TTL specification( $cmd )" unless $param && ( $param = abs $param ) < 256;
+
+					  if ( $1 =~ /^\+/ ) {
+					      $target .= " --ttl-inc $param";
+					  } elsif ( $1 =~ /\-/ ) {
+					      $target .= " --ttl-dec $param";
+					  } else {
+					      $target .= " --ttl-set $param";
+					  }
+				      },
+		       HL => sub() {
+			                  fatal_error "HL is not supported in IPv4 - use TTL instead" if $family == F_IPV4;
+					  fatal_error "Invalid HL specification( $cmd/$rest )" if $rest;
+					  fatal_error "Chain designator $designator not allowed with HL" if $designator && ! ( $designator eq 'F' );
+
+					  $chain = 'tcfor';
+
+					  $cmd =~ /^HL\(([-+]?\d+)\)$/;
+
+					  my $param =  $1;
+
+					  fatal_error "Invalid HL specification( $cmd )" unless $param && ( $param = abs $param ) < 256;
+
+					  if ( $1 =~ /^\+/ ) {
+					      $target .= " --hl-inc $param";
+					  } elsif ( $1 =~ /\-/ ) {
+					      $target .= " --hl-dec $param";
+					  } else {
+					      $target .= " --hl-set $param";
+					  }
+				      },
+		       IMQ => sub() {
+			                  assert( $cmd =~ /^IMQ\((\d+)\)$/ );
+					  require_capability 'IMQ_TARGET', 'IMQ', 's';
+					  $target .= " --todev $1";
+				      },
+		       DSCP => sub() {
+			                  assert( $cmd =~ /^DSCP\((\w+)\)$/ );
+					  require_capability 'DSCP_TARGET', 'The DSCP action', 's'; 
+					  my $dscp = numeric_value( $1 );
+					  $dscp = $dscpmap{$1} unless defined $dscp;
+					  fatal_error( "Invalid DSCP ($1)" ) unless defined $dscp && $dscp <= 0x38 && ! ( $dscp & 1 );
+					  $target .= ' --set-dscp ' . in_hex( $dscp );
+				      },
+		       TOS => sub() {
+			                  assert( $cmd =~ /^TOS\((.+)\)$/ );
+					  $target .= decode_tos( $1 , 2 );
+				      },
+		     );

    if ( $source ) {
 	if ( $source eq $fw ) {
-	    $chain = 'tcout';
+	    if ( $classid ) {
+		fatal_error ":F is not allowed when the SOURCE is the firewall" if $chain eq 'tcfor';
+	    } else {
+		$chain = 'tcout';
+	    }
+
 	    $source = '';
-	} else {
-	    $chain = 'tcout' if $source =~ s/^($fw)://;
+	} elsif ( $source =~ s/^($fw):// ) {
+	    fatal_error ":F is not allowed when the SOURCE is the firewall" if ( $designator || '' ) eq 'F';
+	    $chain = 'tcout';
 	}
    }

    if ( $dest ) {
 	if ( $dest eq $fw ) {
+	    fatal_error 'A CLASSIFY rule may not have $FW as the DEST' if $classid;
 	    $chain = 'tcin';
 	    $dest  = '';
-	} else {
-	    $chain = 'tcin' if $dest =~ s/^($fw)://;
+	} elsif ( $dest =~ s/^($fw):// ) {
+	    fatal_error 'A CLASSIFY rule may not have $FW as the DEST' if $classid;
+	    $chain = 'tcin';
 	}
    }

@@ -259,11 +434,16 @@ sub process_tc_rule( ) {
 	    require_capability ('CONNMARK' , "CONNMARK Rules", '' ) if $connmark;

 	} else {
-	    fatal_error "Invalid MARK ($originalmark)"   unless $mark =~ /^([0-9a-fA-F]+)$/ and $designator =~ /^([0-9a-fA-F]+)$/;
+	    unless ( $classid ) {
+		fatal_error "Invalid MARK ($originalmark)" unless $mark =~ /^([0-9a-fA-F]+)$/ and $designator =~ /^([0-9a-fA-F]+)$/;
+		fatal_error 'A CLASSIFY rule may not have $FW as the DEST' if $chain eq 'tcin';
+		$chain = 'tcpost';
+		$mark  = $originalmark;
+	    }

 	    if ( $config{TC_ENABLED} eq 'Internal' || $config{TC_ENABLED} eq 'Shared' ) {
 		$originalmark = join( ':', normalize_hex( $mark ), normalize_hex( $designator ) );
-		fatal_error "Unknown Class ($originalmark)}" unless ( $device = $classids{$originalmark} );
+		fatal_error "Unknown Class ($mark)}" unless ( $device = $classids{$mark} );
 		fatal_error "IFB Classes may not be specified in tcrules" if @{$tcdevices{$device}{redirected}};

 		unless ( $tcclasses{$device}{hex_value $designator}{leaf} ) {
@@ -278,19 +458,20 @@ sub process_tc_rule( ) {
 		}
 	    }

-	    $chain   = 'tcpost';
 	    $classid = 1;
-	    $mark    = $originalmark;
 	    $target  = 'CLASSIFY --set-class';
 	}
    }

-    my ($cmd, $rest) = split( '/', $mark, 2 );
+    if ( $mark =~ /^TOS/ ) {
+	$cmd = $mark;
+	$rest = '';
+    } else {
+	($cmd, $rest) = split( '/', $mark, 2 );
+    }

    $list = '';

-    my $restriction = 0;
-
    unless ( $classid ) {
      MARK:
 	{
@@ -309,130 +490,8 @@ sub process_tc_rule( ) {
 			$mark =~ s/^[|&]//;
 		    }

-		    if ( $target eq 'sticky' ) {
-			if ( $chain eq 'tcout' ) {
-			    $target = 'sticko';
-			} else {
-			    fatal_error "SAME rules are only allowed in the PREROUTING and OUTPUT chains" if $chain ne 'tcpre';
-			}
-
-			$restriction = DESTIFACE_DISALLOW;
-
-			ensure_mangle_chain($target);
-
-			$sticky++;
-		    } elsif ( $target eq 'IPMARK' ) {
-			my ( $srcdst, $mask1, $mask2, $shift ) = ('src', 255, 0, 0 );
-
-			require_capability 'IPMARK_TARGET', 'IPMARK', 's';
-
-			if ( $cmd =~ /^IPMARK\((.+?)\)$/ ) {
-			    my $params = $1;
-			    my $val;
-
-			    my ( $sd, $m1, $m2, $s , $bad ) = split ',', $params;
-
-			    fatal_error "Invalid IPMARK parameters ($params)" if $bad;
-			    fatal_error "Invalid IPMARK parameter ($sd)" unless ( $sd eq 'src' || $sd eq 'dst' );
-			    $srcdst = $sd;
-
-			    if ( supplied $m1 ) {
-				$val = numeric_value ($m1);
-				fatal_error "Invalid Mask ($m1)" unless defined $val && $val && $val <= 0xffffffff;
-				$mask1 = in_hex ( $val & 0xffffffff );
-			    }
-
-			    if ( supplied $m2 ) {
-				$val = numeric_value ($m2);
-				fatal_error "Invalid Mask ($m2)" unless defined $val && $val <= 0xffffffff;
-				$mask2 = in_hex ( $val & 0xffffffff );
-			    }
-
-			    if ( defined $s ) {
-				$val = numeric_value ($s);
-				fatal_error "Invalid Shift Bits ($s)" unless defined $val && $val >= 0 && $val < 128;
-				$shift = $s;
-			    }
-			} else {
-			    fatal_error "Invalid MARK/CLASSIFY ($cmd)" unless $cmd eq 'IPMARK';
-			}
-
-			$target = "IPMARK --addr $srcdst --and-mask $mask1 --or-mask $mask2 --shift $shift";
-		    } elsif ( $target eq 'TPROXY' ) {
-			require_capability( 'TPROXY_TARGET', 'Use of TPROXY', 's');
-
-			fatal_error "Invalid TPROXY specification( $cmd/$rest )" if $rest;
-
-			$chain = 'tcpre';
-
-			$cmd =~ /TPROXY\((.+?)\)$/;
-
-			my $params = $1;
-
-			fatal_error "Invalid TPROXY specification( $cmd )" unless defined $params;
-
-			( $mark, my $port, my $ip, my $bad ) = split ',', $params;
-
-			fatal_error "Invalid TPROXY specification( $cmd )" if defined $bad;
-
-			if ( $port ) {
-			    $port = validate_port( 'tcp', $port );
-			} else {
-			    $port = 0;
-			}
-
-			$target .= " --on-port $port";
-
-			if ( supplied $ip ) {
-			    if ( $family == F_IPV6 ) {
-				$ip = $1 if $ip =~ /^\[(.+)\]$/ || $ip =~ /^<(.+)>$/;
-			    }
-
-			    validate_address $ip, 1;
-			    $target .= " --on-ip $ip";
-			}
-
-			$target .= ' --tproxy-mark';
-		    } elsif ( $target eq 'TTL' ) {
-			fatal_error "TTL is not supported in IPv6 - use HL instead" if $family == F_IPV6;
-			fatal_error "Invalid TTL specification( $cmd/$rest )" if $rest;
-			fatal_error "Chain designator $designator not allowed with TTL" if $designator && ! ( $designator eq 'F' );
-
-			$chain = 'tcfor';
-
-			$cmd =~ /^TTL\(([-+]?\d+)\)$/;
-
-			my $param =  $1;
-
-			fatal_error "Invalid TTL specification( $cmd )" unless $param && ( $param = abs $param ) < 256;
-
-			if ( $1 =~ /^\+/ ) {
-			    $target .= " --ttl-inc $param";
-			} elsif ( $1 =~ /\-/ ) {
-			    $target .= " --ttl-dec $param";
-			} else {
-			    $target .= " --ttl-set $param";
-			}
-		    } elsif ( $target eq 'HL' ) {
-			fatal_error "HL is not supported in IPv4 - use TTL instead" if $family == F_IPV4;
-			fatal_error "Invalid HL specification( $cmd/$rest )" if $rest;
-			fatal_error "Chain designator $designator not allowed with HL" if $designator && ! ( $designator eq 'F' );
-
-			$chain = 'tcfor';
-
-			$cmd =~ /^HL\(([-+]?\d+)\)$/;
-
-			my $param =  $1;
-
-			fatal_error "Invalid HL specification( $cmd )" unless $param && ( $param = abs $param ) < 256;
-
-			if ( $1 =~ /^\+/ ) {
-			    $target .= " --hl-inc $param";
-			} elsif ( $1 =~ /\-/ ) {
-			    $target .= " --hl-dec $param";
-			} else {
-			    $target .= " --hl-set $param";
-			}
+		    if ( my $f = $processtcc{$target} ) {
+			$f->();
 		    }

 		    if ( $rest ) {
@@ -478,7 +537,9 @@ sub process_tc_rule( ) {
 				     do_tos( $tos ) .
 				     do_connbytes( $connbytes ) .
 				     do_helper( $helper ) .
-				     do_headers( $headers ) ,
+				     do_headers( $headers ) .
+				     do_probability( $probability ) .
+				     do_dscp( $dscp ),
 				     $source ,
 				     $dest ,
 				     '' ,
@@ -527,7 +588,7 @@ sub calculate_quantum( $$ ) {
 sub process_in_bandwidth( $ ) {
    my $in_rate     = shift;
    
-    return 0 if $in_rate eq '-';
+    return 0 if $in_rate eq '-' or $in_rate eq '0';

    my $in_burst    = '10kb';
    my $in_avrate   = 0;
@@ -823,7 +884,7 @@ sub validate_tc_device( ) {
 			    pfifo         => $pfifo,
 			    tablenumber   => 1 ,
 			    redirected    => \@redirected,
-			    default       => 0,
+			    default       => undef,
 			    nextclass     => 2,
 			    qdisc         => $qdisc,
 			    guarantee     => 0,
@@ -966,6 +1027,7 @@ sub validate_tc_class( ) {
 	}
    } else {
 	fatal_error "Duplicate Class NUMBER ($classnumber)" if $tcref->{$classnumber};
+	$markval = '-';
    }

    if ( $parentclass != 1 ) {
@@ -1082,8 +1144,10 @@ sub validate_tc_class( ) {
    }

    unless ( $devref->{classify} || $occurs > 1 ) {
-	fatal_error "Missing MARK" if $mark eq '-';
-	warning_message "Class NUMBER ignored -- INTERFACE $device does not have the 'classify' option"	if $devclass =~ /:/;
+	if ( $mark ne '-' ) {
+	    fatal_error "Missing MARK" if $mark eq '-';
+	    warning_message "Class NUMBER ignored -- INTERFACE $device does not have the 'classify' option"	if $devclass =~ /:/;
+	}
    }

    $tcref->{flow}  = $devref->{flow}  unless $tcref->{flow};
@@ -1564,7 +1628,7 @@ sub process_traffic_shaping() {
 	my $devnum  = in_hexp $devref->{number};
 	my $r2q     = int calculate_r2q $devref->{out_bandwidth};

-	fatal_error "No default class defined for device $devname" unless $devref->{default};
+	fatal_error "No default class defined for device $devname" unless defined $devref->{default};

 	my $device = physical_name $devname;

@@ -1676,7 +1740,7 @@ sub process_traffic_shaping() {
 		#
 		# add filters
 		#
-		unless ( $devref->{classify} ) {
+		unless ( $mark eq '-' ) {
 		    emit "run_tc filter add dev $device protocol all parent $devicenumber:0 prio " . ( $priority | 20 ) . " handle $mark fw classid $classid" if $tcref->{occurs} == 1;
 		}

@@ -1949,7 +2013,25 @@ sub setup_tc() {
 			  mark      => NOMARK,
 			  mask      => '',
 			  connmark  => 0
-			} 
+			},
+			{ match     => sub( $ ) { $_[0] =~ /^IMQ\(\d+\)$/ },
+			  target    => 'IMQ',
+			  mark      => NOMARK,
+			  mask      => '',
+			  connmark  => 0
+			},
+			{ match     => sub( $ ) { $_[0] =~ /^DSCP\(\w+\)$/ },
+			  target    => 'DSCP',
+			  mark      => NOMARK,
+			  mask      => '',
+			  connmark  => 0
+			},
+			{ match     => sub( $ ) { $_[0] =~ /^TOS\(.+\)$/ },
+			  target    => 'TOS',
+			  mark      => NOMARK,
+			  mask      => '',
+			  connmark  => 0
+			},
 		      );

 	if ( my $fn = open_file 'tcrules' ) {
--- a/Shorewall/Perl/Shorewall/Zones.pm
+++ b/Shorewall/Perl/Shorewall/Zones.pm
@@ -61,6 +61,7 @@ our @EXPORT = qw( NOTHING
 		  chain_base
 		  validate_interfaces_file
 		  all_interfaces
+		  all_real_interfaces
 		  all_bridges
 		  interface_number
 		  find_interface
@@ -226,6 +227,25 @@ my %maxoptionvalue = ( routefilter => 2, mss => 100000 , wait => 120 );

 my %validhostoptions;

+my %validzoneoptions = ( mss          => NUMERIC,
+			 nomark       => NOTHING,
+			 blacklist    => NOTHING,
+			 strict       => NOTHING,
+			 next         => NOTHING,
+			 reqid        => NUMERIC,
+			 spi          => NUMERIC,
+			 proto        => IPSECPROTO,
+			 mode         => IPSECMODE,
+			 "tunnel-src" => NETWORK,
+			 "tunnel-dst" => NETWORK,
+		       );
+
+use constant { UNRESTRICTED => 1, NOFW => 2 , COMPLEX => 8, IN_OUT_ONLY => 16 };
+#
+# Hash of options that have their own key in the returned hash.
+#
+my %zonekey = ( mss => UNRESTRICTED | COMPLEX , blacklist => NOFW, nomark => NOFW | IN_OUT_ONLY );
+
 #
 # Rather than initializing globals in an INIT block or during declaration,
 # we initialize them in a function. This is done for two reasons:
@@ -328,25 +348,6 @@ sub initialize( $$ ) {
 #
 sub parse_zone_option_list($$\$$)
 {
-    my %validoptions = ( mss          => NUMERIC,
-			 nomark       => NOTHING,
-			 blacklist    => NOTHING,
-			 strict       => NOTHING,
-			 next         => NOTHING,
-			 reqid        => NUMERIC,
-			 spi          => NUMERIC,
-			 proto        => IPSECPROTO,
-			 mode         => IPSECMODE,
-			 "tunnel-src" => NETWORK,
-			 "tunnel-dst" => NETWORK,
-		       );
-
-    use constant { UNRESTRICTED => 1, NOFW => 2 , COMPLEX => 8, IN_OUT_ONLY => 16 };
-    #
-    # Hash of options that have their own key in the returned hash.
-    #
-    my %key = ( mss => UNRESTRICTED | COMPLEX , blacklist => NOFW, nomark => NOFW | IN_OUT_ONLY );
-
    my ( $list, $zonetype, $complexref, $column ) = @_;
    my %h;
    my $options = '';
@@ -366,7 +367,7 @@ sub parse_zone_option_list($$\$$)
 		$e   = $1;
 	    }

-	    $fmt = $validoptions{$e};
+	    $fmt = $validzoneoptions{$e};

 	    fatal_error "Invalid Option ($e)" unless $fmt;

@@ -377,7 +378,7 @@ sub parse_zone_option_list($$\$$)
 		fatal_error "Invalid value ($val) for option \"$e\"" unless $val =~ /^($fmt)$/;
 	    }

-	    my $key = $key{$e};
+	    my $key = $zonekey{$e};

 	    if ( $key ) {
 		fatal_error "Option '$e' not permitted with this zone type " if $key & NOFW && ($zonetype & ( FIREWALL | VSERVER) );
@@ -402,7 +403,7 @@ sub parse_zone_option_list($$\$$)
 #
 # Set the super option on the passed zoneref and propagate to its parents
 #
-sub set_super( $ );
+sub set_super( $ ); #required for recursion

 sub set_super( $ ) {
    my $zoneref = shift;
@@ -610,11 +611,14 @@ sub zone_report()
 		for my $interface ( sort keys %$interfaceref ) {
 		    my $iref     = $interfaces{$interface};
 		    my $arrayref = $interfaceref->{$interface};
+
 		    for my $groupref ( @$arrayref ) {
 			my $hosts      = $groupref->{hosts};
+
 			if ( $hosts ) {
 			    my $grouplist  = join ',', ( @$hosts );
 			    my $exclusions = join ',', @{$groupref->{exclusions}};
+
 			    $grouplist = join '!', ( $grouplist, $exclusions) if $exclusions;

 			    if ( $family == F_IPV4 ) {
@@ -625,7 +629,6 @@ sub zone_report()
 			    $printed = 1;
 			}
 		    }
-
 		}
 	    }
 	}
@@ -661,6 +664,7 @@ sub dump_zone_contents() {
 		for my $interface ( sort keys %$interfaceref ) {
 		    my $iref     = $interfaces{$interface};
 		    my $arrayref = $interfaceref->{$interface};
+
 		    for my $groupref ( @$arrayref ) {
 			my $hosts     = $groupref->{hosts};

@@ -765,13 +769,13 @@ sub add_group_to_zone($$$$$)

    my $gtype = $type & IPSEC ? 'ipsec' : 'ip';

-    $hostsref     = ( $zoneref->{hosts}           || ( $zoneref->{hosts} = {} ) );
-    $typeref      = ( $hostsref->{$gtype}         || ( $hostsref->{$gtype} = {} ) );
-    $interfaceref = ( $typeref->{$interface}      || ( $typeref->{$interface} = [] ) );
+    $hostsref     = ( $zoneref->{hosts}      ||= {} );
+    $typeref      = ( $hostsref->{$gtype}    ||= {} );
+    $interfaceref = ( $typeref->{$interface} ||= [] );

    fatal_error "Duplicate Host Group ($interface:" . ALLIP . ") in zone $zone" if $allip && @$interfaceref;

-    $zoneref->{options}{complex} = 1 if @$interfaceref || ( @newnetworks > 1 ) || ( @exclusions ) || $options->{routeback};
+    $zoneref->{options}{complex} = 1 if @$interfaceref || @newnetworks > 1 || @exclusions || $options->{routeback};

    push @{$interfaceref}, { options => $options,
 			     hosts   => \@newnetworks,
@@ -908,10 +912,27 @@ sub process_interface( $$ ) {
    my ( $nextinum, $export ) = @_;
    my $netsref   = '';
    my $filterref = [];
-    my ($zone, $originalinterface, $bcasts, $options ) = split_line 'interfaces file', { zone => 0, interface => 1, broadcast => 2, options => 3 };
+    my ($zone, $originalinterface, $bcasts, $options );
    my $zoneref;
    my $bridge = '';
+    our $format;

+    if ( $format == 1 ) {
+	($zone, $originalinterface, $bcasts, $options ) = split_line1 'interfaces file', { zone => 0, interface => 1, broadcast => 2, options => 3 }, { COMMENT => 0, FORMAT => 2 };
+    } else {
+	($zone, $originalinterface, $options ) = split_line1 'interfaces file', { zone => 0, interface => 1, options => 2 }, { COMMENT => 0, FORMAT => 2 };
+	$bcasts = '-';
+    }
+
+    if ( $zone eq 'FORMAT' ) {
+	if ( $originalinterface =~ /^([12])$/ ) {
+	    $format = $1;
+	    return;
+	}
+
+	fatal_error "Invalid FORMAT ($1)";
+    }
+	
    if ( $zone eq '-' ) {
 	$zone = '';
    } else {
@@ -1181,7 +1202,8 @@ sub process_interface( $$ ) {
 # Parse the interfaces file.
 #
 sub validate_interfaces_file( $ ) {
-    my $export = shift;
+    my  $export = shift;
+    our $format = 1;
    
    my @ifaces;
    my $nextinum = 1;
@@ -1305,6 +1327,13 @@ sub all_interfaces() {
    @interfaces;
 }

+#
+# Return all non-vserver interfaces
+#
+sub all_real_interfaces() {
+    grep $_ ne '%vserver%', @interfaces;
+}
+
 #
 # Return a list of bridges
 #
@@ -1340,7 +1369,7 @@ sub physical_name( $ ) {

    $devref ? $devref->{physical} : $device;
 }
-
+    
 #
 # Returns true if there are bridge port zones defined in the config
 #
@@ -1803,7 +1832,7 @@ sub process_host( ) {
 	$interface = $1;
 	$hosts = $2;

-	fatal_error "Unknown interface ($interface)" unless ($interfaceref = $interfaces{$interface})->{root};
+	fatal_error "Unknown interface ($interface)" unless ($interfaceref = $interfaces{$interface}) && $interfaceref->{root};
    } else {
 	fatal_error "Invalid HOST(S) column contents: $hosts" 
    }
@@ -1904,7 +1933,6 @@ sub validate_hosts_file()
    $have_ipsec = $ipsec || haveipseczones;

    $_->{options}{complex} ||= ( keys %{$_->{interfaces}} > 1 ) for values %zones;
-
 }

 #
--- a/Shorewall/Perl/getparams
+++ b/Shorewall/Perl/getparams
@@ -28,13 +28,13 @@
 #      $3 = Address family (4 o4 6)
 #
 if [ "$3" = 6 ]; then
-    . /usr/share/shorewall6/lib.base
-    . /usr/share/shorewall6/lib.cli
+    g_program=shorewall6
 else
-    . /usr/share/shorewall/lib.base
-    . /usr/share/shorewall/lib.cli
+    g_program=shorewall
 fi

+. /usr/share/shorewall/lib.cli
+
 CONFIG_PATH="$2"

 set -a
--- a/Shorewall/Perl/prog.footer
+++ b/Shorewall/Perl/prog.footer
@@ -6,7 +6,7 @@
 #
 usage() {
    echo "Usage: $0 [ options ] <command>"
-    echo 
+    echo
    echo "<command> is one of:"
    echo "   start"
    echo "   stop"
@@ -31,23 +31,50 @@ usage() {
    echo "   -R <file>        Override RESTOREFILE setting"
    exit $1
 }
+
+checkkernelversion() {
+    local kernel
+
+    if [ $g_family -eq 6 ]; then
+	kernel=$(uname -r 2> /dev/null | sed -e 's/-.*//')
+
+	case "$kernel" in 
+	    *.*.*)
+		kernel=$(printf "%d%02d%02d" $(echo $kernel | sed -e 's/^\([0-9][0-9]*\)\.\([0-9][0-9]*\)\.\([0-9][0-9]*\).*$/\1 \2 \3/g'))
+		;;
+	    *)
+		kernel=$(printf "%d%02d00" $(echo $kernel | sed -e 's/^\([0-9][0-9]*\)\.\([0-9][0-9]*\).*$/\1 \2/g'))
+		;;
+	esac
+
+	if [ $kernel -lt 20624 ]; then
+	    error_message "ERROR: $g_product requires Linux kernel 2.6.24 or later"
+	    return 1
+	fi
+    fi
+
+    return 0
+}
+
 ################################################################################
 # E X E C U T I O N    B E G I N S   H E R E				       #
 ################################################################################
 #
 # Start trace if first arg is "debug" or "trace"
 #
+g_debug_iptables=
+
 if [ $# -gt 1 ]; then
    if [ "x$1" = "xtrace" ]; then
 	set -x
 	shift
    elif [ "x$1" = "xdebug" ]; then
-	DEBUG=Yes
+	g_debug_iptables=Yes
 	shift
    fi
 fi
 #
-# Map VERBOSE to VERBOSITY for compatibility with old Shorewall-lite installations
+# Map VERBOSE to VERBOSITY for compatibility with old Shorewall[6]-lite installations
 #
 [ -z "$VERBOSITY" ] && [ -n "$VERBOSE" ] && VERBOSITY=$VERBOSE
 #
@@ -175,61 +202,66 @@ COMMAND="$1"
 case "$COMMAND" in
    start)
 	[ $# -ne 1 ] && usage 2
-	if shorewall_is_started; then
+	if product_is_started; then
 	    error_message "$g_product is already Running"
 	    status=0
 	else
 	    progress_message3 "Starting $g_product...."
-	    detect_configuration
-	    define_firewall
-	    status=$?
-	    if [ $status -eq 0 ]; then
-		[ -n "$SUBSYSLOCK" ] && touch $SUBSYSLOCK
-		progress_message3 "done."
+	    if checkkernelversion; then
+		detect_configuration
+		define_firewall
+		status=$?
+		if [ $status -eq 0 ]; then
+		    [ -n "$SUBSYSLOCK" ] && touch $SUBSYSLOCK
+		    progress_message3 "done."
+		fi
 	    fi
 	fi
 	;;
    stop)
 	[ $# -ne 1 ] && usage 2
-	progress_message3 "Stopping $g_product...."
-	detect_configuration
-	stop_firewall
-	status=0
-	[ -n "$SUBSYSLOCK" ] && rm -f $SUBSYSLOCK
-	progress_message3 "done."
+	if checkkernelversion; then
+	    progress_message3 "Stopping $g_product...."
+	    detect_configuration
+	    stop_firewall
+	    status=0
+	    [ -n "$SUBSYSLOCK" ] && rm -f $SUBSYSLOCK
+	    progress_message3 "done."
+	fi
 	;;
    reset)
-	if ! shorewall_is_started ; then
+	if ! product_is_started ; then
 	    error_message "$g_product is not running"
 	    status=2
-	elif [ $# -eq 1 ]; then
-	    $IPTABLES -Z
-	    $IPTABLES -t nat -Z
-	    $IPTABLES -t mangle -Z
-	    date > ${VARDIR}/restarted
-	    status=0
-	    progress_message3 "$g_product Counters Reset"
-	else
-	    shift
-	    status=0
-	    for chain in $@; do
-		if chain_exists $chain; then
-		    if qt $IPTABLES -Z $chain; then
-			progress_message3 "Filter $chain Counters Reset"
+	elif checkkernelversion; then
+	    if [ $# -eq 1 ]; then
+		$IP6TABLES -Z
+		$IP6TABLES -t mangle -Z
+		date > ${VARDIR}/restarted
+		status=0
+		progress_message3 "$g_product Counters Reset"
+	    else
+		shift
+		status=0
+		for chain in $@; do
+		    if chain_exists $chain; then
+			if qt $IP6TABLES -Z $chain; then
+			    progress_message3 "Filter $chain Counters Reset"
+			else
+			    error_message "ERROR: Reset of chain $chain failed"
+			    status=2
+			    break
+			fi
 		    else
-			error_message "ERROR: Reset of chain $chain failed"
-			status=2
-			break
+			error_message "WARNING: Filter Chain $chain does not exist"
 		    fi
-		else
-		    error_message "WARNING: Filter Chain $chain does not exist"
-		fi
-	    done
+		done
+	    fi
 	fi
 	;;
    restart)
 	[ $# -ne 1 ] && usage 2
-	if shorewall_is_started; then
+	if product_is_started; then
 	    progress_message3 "Restarting $g_product...."
 	else
 	    error_message "$g_product is not running"
@@ -237,22 +269,27 @@ case "$COMMAND" in
 	    COMMAND=start
 	fi

-	detect_configuration
-	define_firewall
-	status=$?
-	if [ -n "$SUBSYSLOCK" ]; then
-	    [ $status -eq 0 ] && touch $SUBSYSLOCK || rm -f $SUBSYSLOCK
-	fi
-	[ $status -eq 0 ] && progress_message3 "done."
-	;;
-    refresh)
-	[ $# -ne 1 ] && usage 2
-	if shorewall_is_started; then
-	    progress_message3 "Refreshing $g_product...."
+	if checkkernelversion; then
 	    detect_configuration
 	    define_firewall
 	    status=$?
+	    if [ -n "$SUBSYSLOCK" ]; then
+ 		[ $status -eq 0 ] && touch $SUBSYSLOCK || rm -f $SUBSYSLOCK
+            fi
+
 	    [ $status -eq 0 ] && progress_message3 "done."
+	fi
+	;;
+    refresh)
+	[ $# -ne 1 ] && usage 2
+	if product_is_started; then
+	    progress_message3 "Refreshing $g_product...."
+	    if checkkernelversion; then
+		detect_configuration
+		define_firewall
+		status=$?
+		[ $status -eq 0 ] && progress_message3 "done."
+	    fi
 	else
 	    echo "$g_product is not running" >&2
 	    status=2
@@ -260,20 +297,25 @@ case "$COMMAND" in
 	;;
    restore)
 	[ $# -ne 1 ] && usage 2
-	detect_configuration
-	define_firewall
-	status=$?
-	if [ -n "$SUBSYSLOCK" ]; then
- 	    [ $status -eq 0 ] && touch $SUBSYSLOCK || rm -f $SUBSYSLOCK
-        fi
+	if checkkernelversion; then
+	    detect_configuration
+	    define_firewall
+	    status=$?
+	    if [ -n "$SUBSYSLOCK" ]; then
+ 		[ $status -eq 0 ] && touch $SUBSYSLOCK || rm -f $SUBSYSLOCK
+            fi
+	    [ $status -eq 0 ] && progress_message3 "done."
+	fi
 	;;
    clear)
 	[ $# -ne 1 ] && usage 2
 	progress_message3 "Clearing $g_product...."
-	clear_firewall
-	status=0
-	if [ $status -eq 0 ]; then
-	    [ -n "$SUBSYSLOCK" ] && rm -f $SUBSYSLOCK
+	if checkkernelversion; then
+	    clear_firewall
+	    status=0
+	    if [ -n "$SUBSYSLOCK" ]; then
+		rm -f $SUBSYSLOCK
+	    fi
 	    progress_message3 "done."
 	fi
 	;;
@@ -281,7 +323,7 @@ case "$COMMAND" in
 	[ $# -ne 1 ] && usage 2
 	echo "$g_product-$SHOREWALL_VERSION Status at $(hostname) - $(date)"
 	echo
-	if shorewall_is_started; then
+	if product_is_started; then
 	    echo "$g_product is running"
 	    status=0
 	else
@@ -292,7 +334,7 @@ case "$COMMAND" in
 	if [ -f ${VARDIR}/state ]; then
 	    state="$(cat ${VARDIR}/state)"
 	    case $state in
-		Stopped*|lClear*)
+		Stopped*|Clear*)
 		    status=3
 		    ;;
 	    esac
@@ -306,14 +348,14 @@ case "$COMMAND" in
 	[ $# -eq 1 ] && exit 0
 	shift
 	[ $# -ne 1 ] && usage 2
-	updown $@
-	status=0;
+	updown $1
+	status=0
 	;;
    enable)
 	[ $# -eq 1 ] && exit 0
 	shift
 	[ $# -ne 1 ] && usage 2
-	if shorewall_is_started; then
+	if product_is_started; then
 	    detect_configuration
 	    enable_provider $1
 	fi
@@ -323,7 +365,7 @@ case "$COMMAND" in
 	[ $# -eq 1 ] && exit 0
 	shift
 	[ $# -ne 1 ] && usage 2
-	if shorewall_is_started; then
+	if product_is_started; then
 	    detect_configuration
 	    disable_provider $1
 	fi
--- a/Shorewall/Perl/prog.footer6
+++ b/Shorewall/Perl/prog.footer6
@@ -1,381 +0,0 @@
-###############################################################################
-# Code imported from /usr/share/shorewall/prog.footer6
-###############################################################################
-#
-# Give Usage Information
-#
-usage() {
-    echo "Usage: $0 [ options ] <command>"
-    echo
-    echo "<command> is one of:"
-    echo "   start"
-    echo "   stop"
-    echo "   clear"
-    echo "   disable <interface>"
-    echo "   down <interface>"
-    echo "   enable <interface>"
-    echo "   reset"
-    echo "   refresh"
-    echo "   restart"
-    echo "   status"
-    echo "   up <interface>"
-    echo "   version"
-    echo
-    echo "Options are:"
-    echo
-    echo "   -v and -q        Standard Shorewall verbosity controls"
-    echo "   -n               Don't unpdate routing configuration"
-    echo "   -p               Purge Conntrack Table"
-    echo "   -t               Timestamp progress Messages"
-    echo "   -V <verbosity>   Set verbosity explicitly"
-    echo "   -R <file>        Override RESTOREFILE setting"
-    exit $1
-}
-
-checkkernelversion() {
-    local kernel
-
-    kernel=$(uname -r 2> /dev/null | sed -e 's/-.*//')
-
-    case "$kernel" in 
-	*.*.*)
-	    kernel=$(printf "%d%02d%02d" $(echo $kernel | sed -e 's/^\([0-9][0-9]*\)\.\([0-9][0-9]*\)\.\([0-9][0-9]*\).*$/\1 \2 \3/g'))
-	    ;;
-	*)
-	    kernel=$(printf "%d%02d00" $(echo $kernel | sed -e 's/^\([0-9][0-9]*\)\.\([0-9][0-9]*\).*$/\1 \2/g'))
-	    ;;
-    esac
-
-    if [ $kernel -lt 20624 ]; then
-	error_message "ERROR: $g_product requires Linux kernel 2.6.24 or later"
-	return 1
-    else
-	return 0
-    fi
-}
-################################################################################
-# E X E C U T I O N    B E G I N S   H E R E				       #
-################################################################################
-#
-# Start trace if first arg is "debug" or "trace"
-#
-if [ $# -gt 1 ]; then
-    if [ "x$1" = "xtrace" ]; then
-	set -x
-	shift
-    elif [ "x$1" = "xdebug" ]; then
-	DEBUG=Yes
-	shift
-    fi
-fi
-#
-# Map VERBOSE to VERBOSITY for compatibility with old Shorewall6-lite installations
-#
-[ -z "$VERBOSITY" ] && [ -n "$VERBOSE" ] && VERBOSITY=$VERBOSE
-#
-# Map other old exported variables
-#
-g_purge=$PURGE
-g_noroutes=$NOROUTES
-g_timestamp=$TIMESTAMP
-g_recovering=$RECOVERING
-
-initialize
-
-if [ -n "$STARTUP_LOG" ]; then
-    touch $STARTUP_LOG
-    chmod 0600 $STARTUP_LOG
-    if [ ${SHOREWALL_INIT_SCRIPT:-0} -eq 1 ]; then
-	#
-	# We're being run by a startup script that isn't redirecting STDOUT
-	# Redirect it to the log
-	#
-	exec 2>>$STARTUP_LOG
-    fi
-fi
-
-finished=0
-
-while [ $finished -eq 0 -a $# -gt 0 ]; do
-    option=$1
-    case $option in
-	-*)
-	    option=${option#-}
-
-	    [ -z "$option" ] && usage 1
-
-	    while [ -n "$option" ]; do
-		case $option in
-		    v*)
-			[ $VERBOSITY -lt 2 ] && VERBOSITY=$(($VERBOSITY + 1 ))
-			option=${option#v}
-			;;
-		    q*)
-			[ $VERBOSITY -gt -1 ] && VERBOSITY=$(($VERBOSITY - 1 ))
-			option=${option#q}
-			;;
-		    n*)
-			g_noroutes=Yes
-			option=${option#n}
-			;;
-		    t*)
-			g_timestamp=Yes
-			option=${option#t}
-			;;
-		    p*)
-			g_purge=Yes
-			option=${option#p}
-			;;
-		    r*)
-			g_recovering=Yes
-			option=${option#r}
-			;;
-		    V*)
-			option=${option#V}
-
-			if [ -z "$option" -a $# -gt 0 ]; then
-			    shift
-			    option=$1
-			fi
-
-			if [ -n "$option" ]; then
-			    case $option in
-				-1|0|1|2)
-				    VERBOSITY=$option
-				    option=
-				    ;;
-				*)
-				    startup_error "Invalid -V option value ($option)"
-				    ;;
-			    esac
-			else
-			    startup_error "Missing -V option value"
-			fi
-			;;
-		    R*)
-			option=${option#R}
-
-			if [ -z "$option" -a $# -gt 0 ]; then
-			    shift
-			    option=$1
-			fi
-
-			if [ -n "$option" ]; then
-			    case $option in
-				*/*)
-	    			    startup_error "-R must specify a simple file name: $option"
-				    ;;
-				.safe|.try|NONE)
-				    ;;
-				.*)
-				    error_message "ERROR: Reserved File Name: $RESTOREFILE"
-				    exit 2
-				    ;;
-			    esac
-			else
-			    startup_error "Missing -R option value"
-			fi
-
-			RESTOREFILE=$option
-			option=
-			;;
-		esac
-	    done
-	    shift
-	    ;;
-	*)
-	    finished=1
-            ;;
-    esac
-done
-
-COMMAND="$1"
-
-
-case "$COMMAND" in
-    start)
-	[ $# -ne 1 ] && usage 2
-	if shorewall6_is_started; then
-	    error_message "$g_product is already Running"
-	    status=0
-	else
-	    progress_message3 "Starting $g_product...."
-	    if checkkernelversion; then
-		detect_configuration
-		define_firewall
-		status=$?
-		if [ $status -eq 0 ]; then
-		    [ -n "$SUBSYSLOCK" ] && touch $SUBSYSLOCK
-		    progress_message3 "done."
-		fi
-	    fi
-	fi
-	;;
-    stop)
-	[ $# -ne 1 ] && usage 2
-	if checkkernelversion; then
-	    progress_message3 "Stopping $g_product...."
-	    detect_configuration
-	    stop_firewall
-	    status=0
-	    [ -n "$SUBSYSLOCK" ] && rm -f $SUBSYSLOCK
-	    progress_message3 "done."
-	fi
-	;;
-    reset)
-	if ! shorewall6_is_started ; then
-	    error_message "$g_product is not running"
-	    status=2
-	elif checkkernelversion; then
-	    if [ $# -eq 1 ]; then
-		$IP6TABLES -Z
-		$IP6TABLES -t mangle -Z
-		date > ${VARDIR}/restarted
-		status=0
-		progress_message3 "$g_product Counters Reset"
-	    else
-		shift
-		status=0
-		for chain in $@; do
-		    if chain_exists $chain; then
-			if qt $IP6TABLES -Z $chain; then
-			    progress_message3 "Filter $chain Counters Reset"
-			else
-			    error_message "ERROR: Reset of chain $chain failed"
-			    status=2
-			    break
-			fi
-		    else
-			error_message "WARNING: Filter Chain $chain does not exist"
-		    fi
-		done
-	    fi
-	fi
-	;;
-    restart)
-	[ $# -ne 1 ] && usage 2
-	if shorewall6_is_started; then
-	    progress_message3 "Restarting $g_product...."
-	else
-	    error_message "$g_product is not running"
-	    progress_message3 "Starting $g_product...."
-	    COMMAND=start
-	fi
-
-	if checkkernelversion; then
-	    detect_configuration
-	    define_firewall
-	    status=$?
-	    if [ -n "$SUBSYSLOCK" ]; then
- 		[ $status -eq 0 ] && touch $SUBSYSLOCK || rm -f $SUBSYSLOCK
-            fi
-
-	    [ $status -eq 0 ] && progress_message3 "done."
-	fi
-	;;
-    refresh)
-	[ $# -ne 1 ] && usage 2
-	if shorewall6_is_started; then
-	    progress_message3 "Refreshing $g_product...."
-	    if checkkernelversion; then
-		detect_configuration
-		define_firewall
-		status=$?
-		[ $status -eq 0 ] && progress_message3 "done."
-	    fi
-	else
-	    echo "$g_product is not running" >&2
-	    status=2
-	fi
-	;;
-    restore)
-	[ $# -ne 1 ] && usage 2
-	if checkkernelversion; then
-	    detect_configuration
-	    define_firewall
-	    status=$?
-	    if [ -n "$SUBSYSLOCK" ]; then
- 		[ $status -eq 0 ] && touch $SUBSYSLOCK || rm -f $SUBSYSLOCK
-            fi
-	    [ $status -eq 0 ] && progress_message3 "done."
-	fi
-	;;
-    clear)
-	[ $# -ne 1 ] && usage 2
-	progress_message3 "Clearing $g_product...."
-	if checkkernelversion; then
-	    clear_firewall
-	    status=0
-	    if [ -n "$SUBSYSLOCK" ]; then
-		rm -f $SUBSYSLOCK
-	    fi
-	    progress_message3 "done."
-	fi
-	;;
-    status)
-	[ $# -ne 1 ] && usage 2
-	echo "$g_product-$SHOREWALL_VERSION Status at $(hostname) - $(date)"
-	echo
-	if shorewall6_is_started; then
-	    echo "$g_product is running"
-	    status=0
-	else
-	    echo "$g_product is stopped"
-	    status=4
-	fi
-
-	if [ -f ${VARDIR}/state ]; then
-	    state="$(cat ${VARDIR}/state)"
-	    case $state in
-		Stopped*|Clear*)
-		    status=3
-		    ;;
-	    esac
-	else
-	    state=Unknown
-	fi
-	echo "State:$state"
-	echo
-	;;
-    up|down)
-	[ $# -eq 1 ] && exit 0
-	shift
-	[ $# -ne 1 ] && usage 2
-	updown $1
-	status=0
-	;;
-    enable)
-	[ $# -eq 1 ] && exit 0
-	shift
-	[ $# -ne 1 ] && usage 2
-	if shorewall6_is_started; then
-	    detect_configuration
-	    enable_provider $1
-	fi
-	status=0
-	;;
-    disable)
-	[ $# -eq 1 ] && exit 0
-	shift
-	[ $# -ne 1 ] && usage 2
-	if shorewall6_is_started; then
-	    detect_configuration
-	    disable_provider $1
-	fi
-	status=0
-	;;
-    version)
-	[ $# -ne 1 ] && usage 2
-	echo $SHOREWALL_VERSION
-	status=0
-	;;
-    help)
-	[ $# -ne 1 ] && usage 2
-	usage 0
-	;;
-    *)
-	usage 2
-	;;
-esac
-
-exit $status
--- a/Shorewall/Perl/prog.header
+++ b/Shorewall/Perl/prog.header
@@ -27,90 +27,6 @@
 ################################################################################
 # Functions imported from /usr/share/shorewall/prog.header
 ################################################################################
-#
-# Conditionally produce message
-#
-progress_message() # $* = Message
-{
-    local timestamp
-    timestamp=
-
-    if [ $VERBOSITY -gt 1 ]; then
-	[ -n "$g_timestamp" ] && timestamp="$(date +%H:%M:%S) "
-	echo "${timestamp}$@"
-    fi
-
-    if [ $LOG_VERBOSITY -gt 1 ]; then
-        timestamp="$(date +'%b %_d %T') "
-        echo "${timestamp}$@" >> $STARTUP_LOG
-    fi
-}
-
-progress_message2() # $* = Message
-{
-    local timestamp
-    timestamp=
-
-    if [ $VERBOSITY -gt 0 ]; then
-	[ -n "$g_timestamp" ] && timestamp="$(date +%H:%M:%S) "
-	echo "${timestamp}$@"
-    fi
-
-    if [ $LOG_VERBOSITY -gt 0 ]; then
-        timestamp="$(date +'%b %_d %T') "
-        echo "${timestamp}$@" >> $STARTUP_LOG
-    fi
-}
-
-progress_message3() # $* = Message
-{
-    local timestamp
-    timestamp=
-
-    if [ $VERBOSITY -ge 0 ]; then
-	[ -n "$g_timestamp" ] && timestamp="$(date +%H:%M:%S) "
-	echo "${timestamp}$@"
-    fi
-
-    if [ $LOG_VERBOSITY -ge 0 ]; then
-        timestamp="$(date +'%b %_d %T') "
-        echo "${timestamp}$@" >> $STARTUP_LOG
-    fi
-}
-
-#
-# Set a standard chain's policy
-#
-setpolicy() # $1 = name of chain, $2 = policy
-{
-    run_iptables -P $1 $2
-}
-
-#
-# Generate a list of all network interfaces on the system
-#
-find_all_interfaces() {
-    ${IP:-ip} link list | egrep '^[[:digit:]]+:' | cut -d ' ' -f2 | sed -r 's/(@.*)?:$//'
-}
-
-#
-# Generate a list of all network interfaces on the system that have an ipv4 address
-#
-find_all_interfaces1() {
-    ${IP:-ip} -4 addr list | egrep '^[[:digit:]]+:' | cut -d ' ' -f2 | sed -r 's/(@.*)?:$//'
-}
-
-#
-# Find the value 'dev' in the passed arguments then echo the next value
-#
-
-find_device() {
-    while [ $# -gt 1 ]; do
-	[ "x$1" = xdev ] && echo $2 && return
-	shift
-    done
-}
-
 #
 # Find the value 'weight' in the passed arguments then echo the next value
 #
@@ -122,40 +38,6 @@ find_weight() {
    done
 }

-#
-# Find the value 'via' in the passed arguments then echo the next value
-#
-
-find_gateway() {
-    while [ $# -gt 1 ]; do
-	[ "x$1" = xvia ] && echo $2 && return
-	shift
-    done
-}
-
-#
-# Find the value 'mtu' in the passed arguments then echo the next value
-#
-
-find_mtu() {
-    while [ $# -gt 1 ]; do
-	[ "x$1" = xmtu ] && echo $2 && return
-	shift
-    done
-}
-
-#
-# Find the value 'peer' in the passed arguments then echo the next value up to
-# "/"
-#
-
-find_peer() {
-    while [ $# -gt 1 ]; do
-	[ "x$1" = xpeer ] && echo ${2%/*} && return
-	shift
-    done
-}
-
 #
 # Find the interfaces that have a route to the passed address - the default
 # route is not used.
@@ -178,23 +60,6 @@ find_rt_interface() {
    done
 }

-#
-# Try to find the gateway through an interface looking for 'nexthop'
-
-find_nexthop() # $1 = interface
-{
-    echo $(find_gateway `$IP -4 route list | grep "[[:space:]]nexthop.* $1"`)
-}
-
-#
-# Find the default route's interface
-#
-find_default_interface() {
-    $IP -4 route list | while read first rest; do
-	[ "$first" = default ] && echo $(find_device $rest) && return
-    done
-}
-
 #
 # Echo the name of the interface(s) that will be used to send to the
 # passed address
@@ -211,31 +76,6 @@ find_interface_by_address() {
    [ -n "$dev" ] && echo $dev
 }

-#
-# Determine if Interface is up
-#
-interface_is_up() {
-    [ -n "$($IP link list dev $1 2> /dev/null | grep -e '[<,]UP[,>]')" ]
-}
-
-#
-# Determine if interface is usable from a Netfilter prespective
-#
-interface_is_usable() # $1 = interface
-{
-    [ "$1" = lo ] && return 0
-    interface_is_up $1 && [ "$(find_first_interface_address_if_any $1)" != 0.0.0.0 ] && run_isusable_exit $1
-}
-
-#
-# Find interface addresses--returns the set of addresses assigned to the passed
-# device
-#
-find_interface_addresses() # $1 = interface
-{
-    $IP -f inet addr show $1 2> /dev/null | grep inet\  | sed 's/\s*inet //;s/\/.*//;s/ peer.*//'
-}
-
 #
 #  echo the list of networks routed out of a given interface
 #
@@ -428,178 +268,6 @@ disable_ipv6() {
    fi
 }

-#
-# Clear the current traffic shaping configuration
-#
-
-delete_tc1()
-{
-    clear_one_tc() {
-        $TC qdisc del dev $1 root 2> /dev/null
-        $TC qdisc del dev $1 ingress 2> /dev/null
-
-    }
-
-    run_tcclear_exit
-
-    run_ip link list | \
-    while read inx interface details; do
-        case $inx in
-            [0-9]*)
-                clear_one_tc ${interface%:}
-                ;;
-            *)
-                ;;
-        esac
-    done
-}
-
-#
-# Detect a device's MTU -- echos the passed device's MTU
-#
-get_device_mtu() # $1 = device
-{
-    local output
-    output="$($IP link list dev $1 2> /dev/null)" # quotes required for /bin/ash
-
-    if [ -n "$output" ]; then
-	echo $(find_mtu $output)
-    else
-	echo 1500
-    fi
-}
-
-#
-# Version of the above that doesn't generate any output for MTU 1500.
-# Generates 'mtu <mtu+>' otherwise, where <mtu+> is the device's MTU + 100
-#
-get_device_mtu1() # $1 = device
-{
-    local output
-    output="$($IP link list dev $1 2> /dev/null)" # quotes required for /bin/ash
-    local mtu
-
-    if [ -n "$output" ]; then
-	mtu=$(find_mtu $output)
-	if [ -n "$mtu" ]; then
-	    [ $mtu = 1500 ] || echo mtu $(($mtu + 100))
-	fi
-    fi
-
-}
-
-#
-# Undo changes to routing
-#
-undo_routing() {
-    local undofiles
-    local f
-
-    if [ -z "$g_noroutes"  ]; then
-	#
-	# Restore rt_tables database
-	#
-	if [ -f ${VARDIR}/rt_tables ]; then
-	    [ -w /etc/iproute2/rt_table -a -z "$KEEP_RT_TABLES" ] && cp -f ${VARDIR}/rt_tables /etc/iproute2/ && progress_message "/etc/iproute2/rt_tables database restored"
-	    rm -f ${VARDIR}/rt_tables
-	fi
-	#
-	# Restore the rest of the routing table
-	#
-	undofiles="$(ls ${VARDIR}/undo_*routing 2> /dev/null)"
-
-	if [ -n "$undofiles" ]; then
-	    for f in $undofiles; do
-		. $f
-	    done
-
-	    rm -f $undofiles
-
-            progress_message "Shorewall-generated routing tables and routing rules removed"
-	fi
-    fi
-
-}
-
-#
-# Save the default route
-#
-save_default_route() {
-    awk \
-    'BEGIN        {defroute=0;};
-     /^default /  {deroute=1; print; next};
-     /nexthop/    {if (defroute == 1 ) {print ; next} };
-                  { defroute=0; };'
-}
-
-#
-# Restore the default route that was in place before the initial 'shorewall start'
-#
-replace_default_route() # $1 = USE_DEFAULT_RT
-{
-    #
-    # default_route and result are inherited from the caller
-    #
-    if [ -n "$default_route" ]; then
-	case "$default_route" in
-	    *metric*)
-	        #
-	        # Don't restore a default route with a metric unless USE_DEFAULT_RT=Yes. Otherwise, we only replace the one with metric 0
-	        #
-		[ -n "$1" ] && qt $IP -4 route replace $default_route && progress_message "Default Route (${default_route# }) restored"
-		default_route=
-		;;
-	    *)
-		qt $IP -4 route replace $default_route && progress_message "Default Route (${default_route# }) restored"
-		result=0
-		default_route=
-		;;
-	esac
-    fi
-}
-
-restore_default_route() # $1 = USE_DEFAULT_RT
-{
-    local result
-    result=1
-
-    if [ -z "$g_noroutes" -a -f ${VARDIR}/default_route ]; then
-	local default_route
-	default_route=
-	local route
-
-	while read route ; do
-	    case $route in
-		default*)
-		    replace_default_route $1
-		    default_route="$default_route $route"
-		    ;;
-		*)
-		    default_route="$default_route $route"
-		    ;;
-	    esac
-	done < ${VARDIR}/default_route
-
-	replace_default_route $1
-	
-	if [ $result = 1 ]; then
-	    #
-	    # We didn't restore a default route with metric 0
-	    #
-	    if $IP -4 -o route list 2> /dev/null | fgrep default | fgrep -qv metric; then
-	       #
-	       # But we added a default route with metric 0
-	       #
-	       qt $IP -4 route del default metric 0 && progress_message "Default route with metric 0 deleted"
-	    fi
-	fi
-
-	rm -f ${VARDIR}/default_route
-    fi
-
-    return $result
-}
-
 #
 # Add an additional gateway to the default route
 #
@@ -675,20 +343,6 @@ find_mac() # $1 = IP address, $2 = interface
    fi
 }

-#
-# Flush the conntrack table if $g_purge is non-empty
-#
-conditionally_flush_conntrack() {
-
-    if [ -n "$g_purge" ]; then
-	if [ -n $(mywhich conntrack) ]; then
-            conntrack -F
-	else
-            error_message "WARNING: The '-p' option requires the conntrack utility which does not appear to be installed on this system"
-	fi
-    fi
-}
-
 #
 # Clear Proxy Arp
 #
@@ -735,124 +389,6 @@ clear_firewall() {
    logger -p kern.info "$g_product Cleared"
 }

-#
-# Issue a message and stop/restore the firewall
-#
-fatal_error()
-{
-    echo "   ERROR: $@" >&2
-
-    if [ $LOG_VERBOSITY -ge 0 ]; then
-        timestamp="$(date +'%_b %d %T') "
-        echo "${timestamp}  ERROR: $@" >> $STARTUP_LOG
-    fi
-
-    stop_firewall
-    [ -n "$TEMPFILE" ] && rm -f $TEMPFILE
-    exit 2
-}
-
-#
-# Issue a message and stop
-#
-startup_error() # $* = Error Message
-{
-    echo "   ERROR: $@: Firewall state not changed" >&2
-
-    if [ $LOG_VERBOSITY -ge 0 ]; then
-        timestamp="$(date +'%_b %d %T') "
-        echo "${timestamp}  ERROR: $@" >> $STARTUP_LOG
-    fi
-
-    case $COMMAND in
-        start)
-	    logger -p kern.err "ERROR:$g_product start failed:Firewall state not changed"
-	    ;;
-	restart)
-	    logger -p kern.err "ERROR:$g_product restart failed:Firewall state not changed"
-	    ;;
-	restore)
-	    logger -p kern.err "ERROR:$g_product restore failed:Firewall state not changed"
-	    ;;
-    esac
-
-    if [ $LOG_VERBOSITY -ge 0 ]; then
-        timestamp="$(date +'%_b %d %T') "
-
-	case $COMMAND in
-	    start)
-		echo "${timestamp}  ERROR:$g_product start failed:Firewall state not changed" >> $STARTUP_LOG
-		;;
-	    restart)
-		echo "${timestamp}  ERROR:$g_product restart failed:Firewall state not changed" >> $STARTUP_LOG
-		;;
-	    restore)
-		echo "${timestamp}  ERROR:$g_product restore failed:Firewall state not changed" >> $STARTUP_LOG
-		;;
-	esac
-    fi
-
-    kill $$
-    exit 2
-}
-
-#
-# Run iptables and if an error occurs, stop/restore the firewall
-#
-run_iptables()
-{
-    local status
-
-    while [ 1 ]; do
-	$IPTABLES $@
-	status=$?
-	[ $status -ne 4 ] && break
-    done
-
-    if [ $status -ne 0 ]; then
-        error_message "ERROR: Command \"$IPTABLES $@\" Failed"
-	stop_firewall
-        exit 2
-    fi
-}
-
-#
-# Run iptables retrying exit status 4
-#
-do_iptables()
-{
-    local status
-
-    while [ 1 ]; do
-	$IPTABLES $@
-	status=$?
-	[ $status -ne 4 ] && return $status;
-    done
-}
-
-#
-# Run iptables and if an error occurs, stop/restore the firewall
-#
-run_ip()
-{
-    if ! $IP -4 $@; then
-	error_message "ERROR: Command \"$IP -4 $@\" Failed"
-	stop_firewall
-	exit 2
-    fi
-}
-
-#
-# Run tc and if an error occurs, stop/restore the firewall
-#
-run_tc() {
-    if ! $TC $@ ; then
-	error_message "ERROR: Command \"$TC $@\" Failed"
-	stop_firewall
-	exit 2
-    fi
-}
-
 #
 # Get a list of all configured broadcast addresses on the system
 #
@@ -861,97 +397,6 @@ get_all_bcasts()
    $IP -f inet addr show 2> /dev/null | grep 'inet.*brd' | grep -v '/32 ' | sed 's/inet.*brd //; s/scope.*//;' | sort -u
 }

-#
-# Run the .iptables_restore_input as a set of discrete iptables commands
-#
-debug_restore_input() {
-    local first second rest table chain
-    #
-    # Clear the ruleset
-    #
-    qt1 $IPTABLES -t mangle -F
-    qt1 $IPTABLES -t mangle -X
-
-    for chain in PREROUTING INPUT FORWARD POSTROUTING; do
-	qt1 $IPTABLES -t mangle -P $chain ACCEPT
-    done
-
-    qt1 $IPTABLES -t raw     -F
-    qt1 $IPTABLES -t raw     -X
-    qt1 $IPTABLES -t rawpost -F
-    qt1 $IPTABLES -t rawpost -X
-
-    for chain in PREROUTING OUTPUT; do
-	qt1 $IPTABLES -t raw -P $chain ACCEPT
-    done
-
-    qt1 $iptables -T rawpost -P POSTROUTING ACCEPT
-
-    run_iptables -t nat -F
-    run_iptables -t nat -X
-
-    for chain in PREROUTING POSTROUTING OUTPUT; do
-	qt1 $IPTABLES -t nat -P $chain ACCEPT
-    done
-
-    qt1 $IPTABLES -t filter -F
-    qt1 $IPTABLES -t filter -X
-
-    for chain in INPUT FORWARD OUTPUT; do
-	qt1 $IPTABLES -t filter -P $chain -P ACCEPT
-    done
-
-    while read first second rest; do
-	case $first in
-	    -*)
-		#
-		# We can't call run_iptables() here because the rules may contain quoted strings
-		#
-		eval $IPTABLES -t $table $first $second $rest
-
-		if [ $? -ne 0 ]; then
-		    error_message "ERROR: Command \"$IPTABLES $first $second $rest\" Failed"
-		    stop_firewall
-		    exit 2
-		fi
-		;;
-	    :*)
-		chain=${first#:}
-
-		if [ "x$second" = x- ]; then
-		    do_iptables -t $table -N $chain
-		else
-		    do_iptables -t $table -P $chain $second
-		fi
-
-		if [ $? -ne 0 ]; then
-		    error_message "ERROR: Command \"$IPTABLES $first $second $rest\" Failed"
-		    stop_firewall
-		    exit 2
-		fi
-		;;
-	    #
-	    # This grotesque hack with the table names works around a bug/feature with ash
-	    #
-	    '*'raw)
-		table=raw
-		;;
-	    '*'rawpost)
-		table=rawpost
-		;;
-	    '*'mangle)
-		table=mangle
-		;;
-	    '*'nat)
-		table=nat
-		;;
-	    '*'filter)
-		table=filter
-		;;
-	esac
-    done
-}
-
 ################################################################################
 # End of functions in /usr/share/shorewall/prog.header
 ################################################################################
--- a/Shorewall/Perl/prog.header6
+++ b/Shorewall/Perl/prog.header6
@@ -27,166 +27,6 @@
 ################################################################################
 # Functions imported from /usr/share/shorewall/prog.header6
 ################################################################################
-#
-# Conditionally produce message
-#
-progress_message() # $* = Message
-{
-    local timestamp
-    timestamp=
-
-    if [ $VERBOSITY -gt 1 ]; then
-	[ -n "$g_timestamp" ] && timestamp="$(date +%H:%M:%S) "
-	echo "${timestamp}$@"
-    fi
-
-    if [ $LOG_VERBOSITY -gt 1 ]; then
-        timestamp="$(date +'%b %_d %T') "
-        echo "${timestamp}$@" >> $STARTUP_LOG
-    fi
-}
-
-progress_message2() # $* = Message
-{
-    local timestamp
-    timestamp=
-
-    if [ $VERBOSITY -gt 0 ]; then
-	[ -n "$g_timestamp" ] && timestamp="$(date +%H:%M:%S) "
-	echo "${timestamp}$@"
-    fi
-
-    if [ $LOG_VERBOSITY -gt 0 ]; then
-        timestamp="$(date +'%b %_d %T') "
-        echo "${timestamp}$@" >> $STARTUP_LOG
-    fi
-}
-
-progress_message3() # $* = Message
-{
-    local timestamp
-    timestamp=
-
-    if [ $VERBOSITY -ge 0 ]; then
-	[ -n "$g_timestamp" ] && timestamp="$(date +%H:%M:%S) "
-	echo "${timestamp}$@"
-    fi
-
-    if [ $LOG_VERBOSITY -ge 0 ]; then
-        timestamp="$(date +'%b %_d %T') "
-        echo "${timestamp}$@" >> $STARTUP_LOG
-    fi
-}
-
-#
-# Set a standard chain's policy
-#
-setpolicy() # $1 = name of chain, $2 = policy
-{
-    run_iptables -P $1 $2
-}
-
-#
-# Generate a list of all network interfaces on the system
-#
-find_all_interfaces() {
-    ${IP:-ip} link list | egrep '^[[:digit:]]+:' | cut -d ' ' -f2 | sed -r 's/(@.*)?:$//'
-}
-
-#
-# Generate a list of all network interfaces on the system that have an ipv6 address
-#
-find_all_interfaces1() {
-    ${IP:-ip} -6 addr list | egrep '^[[:digit:]]+:' | cut -d ' ' -f2 | sed -r 's/(@.*)?:$//'
-}
-
-#
-# Find the value 'dev' in the passed arguments then echo the next value
-#
-
-find_device() {
-    while [ $# -gt 1 ]; do
-	[ "x$1" = xdev ] && echo $2 && return
-	shift
-    done
-}
-
-#
-# Find the value 'via' in the passed arguments then echo the next value
-#
-
-find_gateway() {
-    while [ $# -gt 1 ]; do
-	[ "x$1" = xvia ] && echo $2 && return
-	shift
-    done
-}
-
-#
-# Find the value 'mtu' in the passed arguments then echo the next value
-#
-
-find_mtu() {
-    while [ $# -gt 1 ]; do
-	[ "x$1" = xmtu ] && echo $2 && return
-	shift
-    done
-}
-
-#
-# Find the value 'peer' in the passed arguments then echo the next value up to
-# "/"
-#
-
-find_peer() {
-    while [ $# -gt 1 ]; do
-	[ "x$1" = xpeer ] && echo ${2%/*} && return
-	shift
-    done
-}
-
-#
-# Try to find the gateway through an interface looking for 'nexthop'
-
-find_nexthop() # $1 = interface
-{
-    echo $(find_gateway `$IP -6 route list | grep "[[:space:]]nexthop.* $1"`)
-}
-
-#
-# Find the default route's interface
-#
-find_default_interface() {
-    $IP -6 route list | while read first rest; do
-	[ "$first" = default ] && echo $(find_device $rest) && return
-    done
-}
-
-#
-# Determine if Interface is up
-#
-interface_is_up() {
-    [ -n "$($IP -6 link list dev $1 2> /dev/null | grep -e '[<,]UP[,>]')" ]
-}
-
-#
-# Determine if interface is usable from a Netfilter prespective
-#
-interface_is_usable() # $1 = interface
-{
-    [ "$1" = lo ] && return 0
-    interface_is_up $1 && [ "$(find_first_interface_address_if_any $1)" != :: ] && run_isusable_exit $1
-}
-
-#
-# Find interface addresses--returns the set of addresses assigned to the passed
-# device
-#
-find_interface_addresses() # $1 = interface
-{
-    $IP -f inet6 addr show $1 2> /dev/null | grep 'inet6 2' | sed 's/\s*inet6 //;s/\/.*//;s/ peer.*//'
-}
-
 #
 # Get all interface addresses with VLSMs
 #
@@ -196,64 +36,6 @@ find_interface_full_addresses() # $1 = interface
    $IP -f inet6 addr show $1 2> /dev/null | grep 'inet6 ' | sed 's/\s*inet6 //;s/ scope.*//;s/ peer.*//'
 }

-#
-# Add an additional gateway to the default route
-#
-add_gateway() # $1 = Delta $2 = Table Number
-{
-    local route
-    local weight
-    local delta
-    local dev
-    
-    run_ip route add default scope global table $2 $1
-}
-
-#
-# Remove a gateway from the default route
-#
-delete_gateway() # $! = Description of the Gateway $2 = table number $3 = device
-{
-    local route
-    local gateway
-    local dev
-
-    route=`$IP -6 -o route ls table $2 | grep ^default | sed 's/[\]//g'`
-    gateway=$1
-  
-    dev=$(find_device $route)
-    [ "$dev" = "$3" ] && run_ip route delete default table $2
-}
-
-#
-#  echo the list of networks routed out of a given interface
-#
-get_routed_networks() # $1 = interface name, $2-n = Fatal error message
-{
-    local address
-    local rest
-
-    $IP -6 route show dev $1 2> /dev/null |
-	while read address rest; do
-	    case "$address" in
-		default)
-		    if [ $# -gt 1 ]; then
-			shift
-			fatal_error "$@"
-		    else
-			echo "WARNING: default route ignored on interface $1" >&2
-		    fi
-		    ;;
-		multicast|broadcast|prohibit|nat|throw|nexthop)
-		    ;;
-		2*)
-		    [ "$address" = "${address%/*}" ] && address="${address}/128"
-		    echo $address
-		    ;;
-	    esac
-        done
-}
-
 #
 # Normalize an IPv6 Address by compressing out consecutive zero elements
 #
@@ -438,172 +220,33 @@ detect_gateway() # $1 = interface
    [ -n "$gateway" ] && echo $gateway
 }

-delete_tc1()
+#
+# Add an additional gateway to the default route
+#
+add_gateway() # $1 = Delta $2 = Table Number
 {
-    clear_one_tc() {
-        $TC qdisc del dev $1 root 2> /dev/null
-        $TC qdisc del dev $1 ingress 2> /dev/null
-
-    }
-
-    run_tcclear_exit
-
-    run_ip link list | \
-    while read inx interface details; do
-        case $inx in
-            [0-9]*)
-                clear_one_tc ${interface%:}
-                ;;
-            *)
-                ;;
-        esac
-    done
+    local route
+    local weight
+    local delta
+    local dev
+    
+    run_ip route add default scope global table $2 $1
 }

 #
-# Detect a device's MTU -- echos the passed device's MTU
+# Remove a gateway from the default route
 #
-get_device_mtu() # $1 = device
+delete_gateway() # $! = Description of the Gateway $2 = table number $3 = device
 {
-    local output
-    output="$($IP link list dev $1 2> /dev/null)" # quotes required for /bin/ash
+    local route
+    local gateway
+    local dev

-    if [ -n "$output" ]; then
-	echo $(find_mtu $output)
-    else
-	echo 1500
-    fi
-}
-
-#
-# Version of the above that doesn't generate any output for MTU 1500.
-# Generates 'mtu <mtu+>' otherwise, where <mtu+> is the device's MTU + 100
-#
-get_device_mtu1() # $1 = device
-{
-    local output
-    output="$($IP link list dev $1 2> /dev/null)" # quotes required for /bin/ash
-    local mtu
-
-    if [ -n "$output" ]; then
-	mtu=$(find_mtu $output)
-	if [ -n "$mtu" ]; then
-	    [ $mtu = 1500 ] || echo mtu $(($mtu + 100))
-	fi
-    fi
-
-}
-
-#
-# Undo changes to routing
-#
-undo_routing() {
-    local undofiles
-    local f
-
-    if [ -z "$g_noroutes"  ]; then
-	#
-	# Restore rt_tables database
-	#
-	if [ -f ${VARDIR}/rt_tables ]; then
-	    [ -w /etc/iproute2/rt_table -a -z "$KEEP_RT_TABLES" ] && cp -f ${VARDIR}/rt_tables /etc/iproute2/ && progress_message "/etc/iproute2/rt_tables database restored"
-	    rm -f ${VARDIR}/rt_tables
-	fi
-	#
-	# Restore the rest of the routing table
-	#
-	undofiles="$(ls ${VARDIR}/undo_*routing 2> /dev/null)"
-
-	if [ -n "$undofiles" ]; then
-	    for f in $undofiles; do
-		. $f
-	    done
-
-	    rm -f $undofiles
-
-            progress_message "Shorewall6-generated routing tables and routing rules removed"
-	fi
-    fi
-
-}
-
-#
-# Save the default route
-#
-save_default_route() {
-    awk \
-    'BEGIN        {defroute=0;};
-     /^default /  {defroute=1; print; next};
-     /nexthop/    {if (defroute == 1 ) {print ; next} };
-                  { defroute=0; };'
-}
-
-#
-# Restore the default route that was in place before the initial 'shorewall start'
-#
-replace_default_route() # $1 = USE_DEFAULT_RT
-{
-    #
-    # default_route and result are inherited from the caller
-    #
-    if [ -n "$default_route" ]; then
-	case "$default_route" in
-	    *metric*)
-	        #
-	        # Don't restore a default route with a metric unless USE_DEFAULT_RT=Yes. Otherwise, we only replace the one with metric 0
-	        #
-		[ -n "$1" ] && qt $IP -6 route replace $default_route && progress_message "Default Route (${default_route# }) restored"
-		default_route=
-		;;
-	    *)
-		qt $IP -6 route replace $default_route && progress_message "Default Route (${default_route# }) restored"
-		result=0
-		default_route=
-		;;
-	esac
-    fi
-}
-
-restore_default_route() # $1 = USE_DEFAULT_RT
-{
-    local result
-    result=1
-
-    if [ -z "$g_noroutes" -a -f ${VARDIR}/default_route ]; then
-	local default_route
-	default_route=
-	local route
-
-	while read route ; do
-	    case $route in
-		default*)
-		    replace_default_route $1
-		    default_route="$default_route $route"
-		    ;;
-		*)
-		    default_route="$default_route $route"
-		    ;;
-	    esac
-	done < ${VARDIR}/default_route
-
-	replace_default_route $1
-	
-	if [ $result = 1 ]; then
-	    #
-	    # We didn't restore a default route with metric 0
-	    #
-	    if $IP -6 -o route list 2> /dev/null | fgrep default | fgrep -qv metric; then
-	       #
-	       # But we added a default route with metric 0
-	       #
-	       qt $IP -6 route del default metric 0 && progress_message "Default route with metric 0 deleted"
-	    fi
-	fi
-
-	rm -f ${VARDIR}/default_route
-    fi
-
-    return $result
+    route=`$IP -6 -o route ls table $2 | grep ^default | sed 's/[\]//g'`
+    gateway=$1
+  
+    dev=$(find_device $route)
+    [ "$dev" = "$3" ] && run_ip route delete default table $2
 }

 #
@@ -625,20 +268,6 @@ find_echo() {
    echo echo
 }

-#
-# Flush the conntrack table if $g_purge is non-empty
-#
-conditionally_flush_conntrack() {
-
-    if [ -n "$g_purge" ]; then
-	if [ -n $(which conntrack) ]; then
-            conntrack -F
-	else
-            error_message "WARNING: The '-p' option requires the conntrack utility which does not appear to be installed on this system"
-	fi
-    fi
-}
-
 #
 # Clear Proxy NDP
 #
@@ -677,204 +306,6 @@ clear_firewall() {
    logger -p kern.info "$g_product Cleared"
 }

-#
-# Issue a message and stop/restore the firewall
-#
-fatal_error()
-{
-    echo "   ERROR: $@" >&2
-
-    if [ $LOG_VERBOSITY -gt 1 ]; then
-        timestamp="$(date +'%_b %d %T') "
-        echo "${timestamp}  ERROR: $@" >> $STARTUP_LOG
-    fi
-
-    stop_firewall
-    [ -n "$TEMPFILE" ] && rm -f $TEMPFILE
-    exit 2
-}
-
-#
-# Issue a message and stop
-#
-startup_error() # $* = Error Message
-{
-    echo "   ERROR: $@: Firewall state not changed" >&2
-
-    if [ $LOG_VERBOSITY -ge 0 ]; then
-        timestamp="$(date +'%_b %d %T') "
-        echo "${timestamp}  ERROR: $@" >> $STARTUP_LOG
-    fi
-
-    case $COMMAND in
-        start)
-	    logger -p kern.err "ERROR:$g_product start failed:Firewall state not changed"
-	    ;;
-	restart)
-	    logger -p kern.err "ERROR:$g_product restart failed:Firewall state not changed"
-	    ;;
-	restore)
-	    logger -p kern.err "ERROR:$g_product restore failed:Firewall state not changed"
-	    ;;
-    esac
-
-    if [ $LOG_VERBOSITY -gt 1 ]; then
-        timestamp="$(date +'%_b %d %T') "
-
-	case $COMMAND in
-	    start)
-		echo "${timestamp}  ERROR:$g_product start failed:Firewall state not changed" >> $STARTUP_LOG
-		;;
-	    restart)
-		echo "${timestamp}  ERROR:$g_product restart failed:Firewall state not changed" >> $STARTUP_LOG
-		;;
-	    restore)
-		echo "${timestamp}  ERROR:$g_product restore failed:Firewall state not changed" >> $STARTUP_LOG
-		;;
-	esac
-    fi
-
-    kill $$
-    exit 2
-}
-
-#
-# Run iptables and if an error occurs, stop/restore the firewall
-#
-run_iptables()
-{
-    local status
-
-    while [ 1 ]; do
-	$IP6TABLES $@
-	status=$?
-	[ $status -ne 4 ] && break
-    done
-
-    if [ $status -ne 0 ]; then
-        error_message "ERROR: Command \"$IP6TABLES $@\" Failed"
-	stop_firewall
-        exit 2
-    fi
-}
-
-#
-# Run iptables retrying exit status 4
-#
-do_iptables()
-{
-    local status
-
-    while [ 1 ]; do
-	$IP6TABLES $@
-	status=$?
-	[ $status -ne 4 ] && return $status;
-    done
-}
-
-#
-# Run iptables and if an error occurs, stop/restore the firewall
-#
-run_ip()
-{
-    if ! $IP -6 $@; then
-	error_message "ERROR: Command \"$IP -6 $@\" Failed"
-	stop_firewall
-	exit 2
-    fi
-}
-
-#
-# Run tc and if an error occurs, stop/restore the firewall
-#
-run_tc() {
-    if ! $TC $@ ; then
-	error_message "ERROR: Command \"$TC $@\" Failed"
-	stop_firewall
-	exit 2
-    fi
-}
-
-#
-# Run the .iptables_restore_input as a set of discrete iptables commands
-#
-debug_restore_input() {
-    local first second rest table chain
-    #
-    # Clear the ruleset
-    #
-    qt1 $IP6TABLES -t mangle -F
-    qt1 $IP6TABLES -t mangle -X
-
-    for chain in PREROUTING INPUT FORWARD POSTROUTING; do
-	qt1 $IP6TABLES -t mangle -P $chain ACCEPT
-    done
-
-    qt1 $IP6TABLES -t raw    -F
-    qt1 $IP6TABLES -t raw    -X
-
-    for chain in PREROUTING OUTPUT; do
-	qt1 $IP6TABLES -t raw -P $chain ACCEPT
-    done
-
-    qt1 $IP6TABLES -t filter -F
-    qt1 $IP6TABLES -t filter -X
-
-    for chain in INPUT FORWARD OUTPUT; do
-	qt1 $IP6TABLES -t filter -P $chain -P ACCEPT
-    done
-
-    while read first second rest; do
-	case $first in
-	    -*)
-		#
-		# We can't call run_iptables() here because the rules may contain quoted strings
-		#
-		eval $IP6TABLES -t $table $first $second $rest
-
-		if [ $? -ne 0 ]; then
-		    error_message "ERROR: Command \"$IP6TABLES $first $second $rest\" Failed"
-		    stop_firewall
-		    exit 2
-		fi
-		;;
-	    :*)
-		chain=${first#:}
-
-		if [ "x$second" = x- ]; then
-		    do_iptables -t $table -N $chain
-		else
-		    do_iptables -t $table -P $chain $second
-		fi
-
-		if [ $? -ne 0 ]; then
-		    error_message "ERROR: Command \"$IP6TABLES $first $second $rest\" Failed"
-		    stop_firewall
-		    exit 2
-		fi
-		;;
-	    #
-	    # This grotesque hack with the table names works around a bug/feature with ash
-	    #
-	    '*'raw)
-		table=raw
-		;;
-	    '*'rawpost)
-		table=rawpost
-		;;
-	    '*'mangle)
-		table=mangle
-		;;
-	    '*'nat)
-		table=nat
-		;;
-	    '*'filter)
-		table=filter
-		;;
-	esac
-    done
-}
-
 ################################################################################
 # End of functions imported from /usr/share/shorewall/prog.header6
 ################################################################################
--- a/Shorewall/Samples/LICENSE
+++ b/Shorewall/Samples/LICENSE
--- a/Shorewall/Samples/README.txt
+++ b/Shorewall/Samples/README.txt
--- a/Shorewall/Samples/Universal/interfaces
+++ b/Shorewall/Samples/Universal/interfaces
--- a/Shorewall/Samples/Universal/policy
+++ b/Shorewall/Samples/Universal/policy
--- a/Shorewall/Samples/Universal/rules
+++ b/Shorewall/Samples/Universal/rules
--- a/Shorewall/Samples/Universal/shorewall.conf
+++ b/Shorewall/Samples/Universal/shorewall.conf
@@ -39,6 +39,8 @@ LOGLIMIT=

 MACLIST_LOG_LEVEL=info

+RELATED_LOG_LEVEL=
+
 SFILTER_LOG_LEVEL=info

 SMURF_LOG_LEVEL=info
@@ -186,6 +188,8 @@ TRACK_PROVIDERS=Yes

 USE_DEFAULT_RT=No

+USE_PHYSICAL_NAMES=No
+
 ZONE2ZONE=2

 ###############################################################################
@@ -196,6 +200,8 @@ BLACKLIST_DISPOSITION=DROP

 MACLIST_DISPOSITION=REJECT

+RELATED_DISPOSITION=ACCEPT
+
 SMURF_DISPOSITION=DROP

 SFILTER_DISPOSITION=DROP
--- a/Shorewall/Samples/Universal/zones
+++ b/Shorewall/Samples/Universal/zones
--- a/Shorewall/Samples/one-interface/README.txt
+++ b/Shorewall/Samples/one-interface/README.txt
--- a/Shorewall/Samples/one-interface/interfaces
+++ b/Shorewall/Samples/one-interface/interfaces
--- a/Shorewall/Samples/one-interface/policy
+++ b/Shorewall/Samples/one-interface/policy
--- a/Shorewall/Samples/one-interface/rules
+++ b/Shorewall/Samples/one-interface/rules
--- a/Shorewall/Samples/one-interface/shorewall.conf
+++ b/Shorewall/Samples/one-interface/shorewall.conf
@@ -50,6 +50,8 @@ LOGLIMIT=

 MACLIST_LOG_LEVEL=info

+RELATED_LOG_LEVEL=
+
 SFILTER_LOG_LEVEL=info

 SMURF_LOG_LEVEL=info
@@ -197,6 +199,8 @@ TRACK_PROVIDERS=Yes

 USE_DEFAULT_RT=No

+USE_PHYSICAL_NAMES=No
+
 ZONE2ZONE=2

 ###############################################################################
@@ -207,6 +211,8 @@ BLACKLIST_DISPOSITION=DROP

 MACLIST_DISPOSITION=REJECT

+RELATED_DISPOSITION=ACCEPT
+
 SMURF_DISPOSITION=DROP

 SFILTER_DISPOSITION=DROP
--- a/Shorewall/Samples/one-interface/zones
+++ b/Shorewall/Samples/one-interface/zones
--- a/Shorewall/Samples/three-interfaces/README.txt
+++ b/Shorewall/Samples/three-interfaces/README.txt
--- a/Shorewall/Samples/three-interfaces/interfaces
+++ b/Shorewall/Samples/three-interfaces/interfaces
--- a/Shorewall/Samples/three-interfaces/masq
+++ b/Shorewall/Samples/three-interfaces/masq
--- a/Shorewall/Samples/three-interfaces/policy
+++ b/Shorewall/Samples/three-interfaces/policy
--- a/Shorewall/Samples/three-interfaces/routestopped
+++ b/Shorewall/Samples/three-interfaces/routestopped
--- a/Shorewall/Samples/three-interfaces/rules
+++ b/Shorewall/Samples/three-interfaces/rules
--- a/Shorewall/Samples/three-interfaces/shorewall.conf
+++ b/Shorewall/Samples/three-interfaces/shorewall.conf
@@ -48,6 +48,8 @@ LOGLIMIT=

 MACLIST_LOG_LEVEL=info

+RELATED_LOG_LEVEL=
+
 SFILTER_LOG_LEVEL=info

 SMURF_LOG_LEVEL=info
@@ -195,6 +197,8 @@ TRACK_PROVIDERS=Yes

 USE_DEFAULT_RT=No

+USE_PHYSICAL_NAMES=No
+
 ZONE2ZONE=2

 ###############################################################################
@@ -205,6 +209,8 @@ BLACKLIST_DISPOSITION=DROP

 MACLIST_DISPOSITION=REJECT

+RELATED_DISPOSITION=ACCEPT
+
 SMURF_DISPOSITION=DROP

 SFILTER_DISPOSITION=DROP
--- a/Shorewall/Samples/three-interfaces/zones
+++ b/Shorewall/Samples/three-interfaces/zones
--- a/Shorewall/Samples/two-interfaces/README.txt
+++ b/Shorewall/Samples/two-interfaces/README.txt
--- a/Shorewall/Samples/two-interfaces/interfaces
+++ b/Shorewall/Samples/two-interfaces/interfaces
--- a/Shorewall/Samples/two-interfaces/masq
+++ b/Shorewall/Samples/two-interfaces/masq
--- a/Shorewall/Samples/two-interfaces/policy
+++ b/Shorewall/Samples/two-interfaces/policy
--- a/Shorewall/Samples/two-interfaces/routestopped
+++ b/Shorewall/Samples/two-interfaces/routestopped
--- a/Shorewall/Samples/two-interfaces/rules
+++ b/Shorewall/Samples/two-interfaces/rules
--- a/Shorewall/Samples/two-interfaces/shorewall.conf
+++ b/Shorewall/Samples/two-interfaces/shorewall.conf
@@ -51,6 +51,8 @@ LOGLIMIT=

 MACLIST_LOG_LEVEL=info

+RELATED_LOG_LEVEL=
+
 SFILTER_LOG_LEVEL=info

 SMURF_LOG_LEVEL=info
@@ -198,6 +200,8 @@ TRACK_PROVIDERS=Yes

 USE_DEFAULT_RT=No

+USE_PHYSICAL_NAMES=No
+
 ZONE2ZONE=2

 ###############################################################################
@@ -208,6 +212,8 @@ BLACKLIST_DISPOSITION=DROP

 MACLIST_DISPOSITION=REJECT

+RELATED_DISPOSITION=ACCEPT
+
 SMURF_DISPOSITION=DROP

 SFILTER_DISPOSITION=DROP
--- a/Shorewall/Samples/two-interfaces/zones
+++ b/Shorewall/Samples/two-interfaces/zones
--- a/Shorewall/action.Invalid
+++ b/Shorewall/action.Invalid
@@ -49,7 +49,7 @@ my $target           = require_audit ( $action , $audit );
 log_rule_limit $level, $chainref, 'Invalid' , $action, '', $tag, 'add', "$globals{STATEMATCH} INVALID " if $level ne '';
 add_jump $chainref , $target, 0, "$globals{STATEMATCH} INVALID ";

-$chainref->{dont_optimize} = 0;
+allow_optimize( $chainref );

 1;

--- a/Shorewall/action.NotSyn
+++ b/Shorewall/action.NotSyn
@@ -49,7 +49,7 @@ my $target           = require_audit ( $action , $audit );
 log_rule_limit $level, $chainref, 'NotSyn' , $action, '', $tag, 'add', '-p 6 ! --syn ' if $level ne '';
 add_jump $chainref , $target, 0, '-p 6 ! --syn ';

-$chainref->{dont_optimize} = 0;
+allow_optimize( $chainref );

 1;

--- a/Shorewall/configfiles/interfaces
+++ b/Shorewall/configfiles/interfaces
@@ -7,4 +7,8 @@
 # http://www.shorewall.net/manpages/shorewall-interfaces.html
 #
 ###############################################################################
+FORMAT 1
 #ZONE	INTERFACE	BROADCAST	OPTIONS
+
+FORMAT 2
+#ZONE		INTERFACE		OPTIONS
--- a/Shorewall/configfiles/masq
+++ b/Shorewall/configfiles/masq
@@ -6,6 +6,6 @@
 # The manpage is also online at
 # http://www.shorewall.net/manpages/shorewall-masq.html
 #
-#############################################################################################
-#INTERFACE:DEST		SOURCE		ADDRESS		PROTO	PORT(S)	IPSEC	MARK	USER/
+######################################################################################################
+#INTERFACE:DEST		SOURCE		ADDRESS		PROTO	PORT(S)	IPSEC	MARK	USER/	SWITCH
 #											GROUP
--- a/Shorewall/configfiles/notrack
+++ b/Shorewall/configfiles/notrack
@@ -4,5 +4,6 @@
 # For information about entries in this file, type "man shorewall-notrack"
 #
 #####################################################################################
-#SOURCE		DESTINATION	PROTO	DEST		SOURCE	USER/
-#					PORT(S)		PORT(S)	GROUP
+FORMAT 2
+#ACTION		SOURCE		DESTINATION	PROTO	DEST		SOURCE	USER/
+#							PORT(S)		PORT(S)	GROUP
--- a/Shorewall/configfiles/route_rules
+++ b/Shorewall/configfiles/route_rules
@@ -1,7 +1,7 @@
 #
-# Shorewall version 4 - route_rules File
+# Shorewall version 4 - route rules File
 #
-# For information about entries in this file, type "man shorewall-route_rules"
+# For information about entries in this file, type "man shorewall-rtrules"
 #
 # For additional information, see http://www.shorewall.net/MultiISP.html
 ####################################################################################
--- a/Shorewall/configfiles/rules
+++ b/Shorewall/configfiles/rules
@@ -9,7 +9,6 @@
 ######################################################################################################################################################################################
 #ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME         HEADERS         SWITCH
 #							PORT	PORT(S)		DEST		LIMIT		GROUP
-#SECTION BLACKLIST
 #SECTION ALL
 #SECTION ESTABLISHED
 #SECTION RELATED
--- a/Shorewall/configfiles/shorewall.conf
+++ b/Shorewall/configfiles/shorewall.conf
@@ -39,6 +39,8 @@ LOGLIMIT=

 MACLIST_LOG_LEVEL=info

+RELATED_LOG_LEVEL=
+
 SFILTER_LOG_LEVEL=info

 SMURF_LOG_LEVEL=info
@@ -186,6 +188,8 @@ TRACK_PROVIDERS=No

 USE_DEFAULT_RT=No

+USE_PHYSICAL_NAMES=No
+
 ZONE2ZONE=2

 ###############################################################################
@@ -196,6 +200,8 @@ BLACKLIST_DISPOSITION=DROP

 MACLIST_DISPOSITION=REJECT

+RELATED_DISPOSITION=ACCEPT
+
 SMURF_DISPOSITION=DROP

 SFILTER_DISPOSITION=DROP
--- a/Shorewall/configfiles/tcrules
+++ b/Shorewall/configfiles/tcrules
@@ -9,6 +9,7 @@
 #
 # See http://shorewall.net/PacketMarking.html for a detailed description of
 # the Netfilter/Shorewall packet marking mechanism.
-######################################################################################################################
-#MARK	SOURCE		DEST		PROTO	DEST	SOURCE	USER	TEST	LENGTH	TOS   CONNBYTES		HELPER
+##########################################################################################################################################
+#MARK	SOURCE		DEST		PROTO	DEST	SOURCE	USER	TEST	LENGTH	TOS   CONNBYTES		HELPER    PROBABILITY DSCP
 #						PORT(S)	PORT(S)
+
--- a/Shorewall/configfiles/tos
+++ b/Shorewall/configfiles/tos
@@ -4,5 +4,5 @@
 # For information about entries in this file, type "man shorewall-tos"
 #
 ###############################################################################
-#SOURCE		DEST		PROTOCOL	SOURCE	DEST	TOS	MARK
+#SOURCE		DEST		PROTOCOL	DEST	SOURCE	TOS	MARK
 #						PORTS	PORTS
--- a/Shorewall/default.debian
+++ b/Shorewall/default.debian
@@ -16,11 +16,20 @@ startup=0
 #    wait_interface=

 #
-# Startup options
+# Global start/restart/stop options
 #
-
 OPTIONS=""

+#
+# Start options
+#
+STARTOPTIONS=""
+
+#
+# Restart options
+#
+RESTARTOPTIONS=""
+
 #
 # Init Log -- if /dev/null, use the STARTUP_LOG defined in shorewall.conf
 #
@@ -30,7 +39,6 @@ INITLOG=/dev/null
 # Set this to 1 to cause '/etc/init.d/shorewall stop' to place the firewall in
 # a safe state rather than to open it
 #
-
 SAFESTOP=0

 # EOF
--- a/Shorewall/helpers
+++ b/Shorewall/helpers
@@ -48,6 +48,7 @@ loadmodule nf_conntrack_netlink
 loadmodule nf_conntrack_pptp
 loadmodule nf_conntrack_proto_gre
 loadmodule nf_conntrack_proto_sctp
+loadmodule nf_conntrack_proto_udplite
 loadmodule nf_conntrack_sip         sip_direct_media=0
 loadmodule nf_conntrack_tftp
 loadmodule nf_conntrack_sane
--- a/Shorewall/init.debian.sh
+++ b/Shorewall/init.debian.sh
@@ -86,7 +86,7 @@ wait_for_pppd () {
 shorewall_start () {
  echo -n "Starting \"Shorewall firewall\": "
  wait_for_pppd
-  $SRWL $SRWL_OPTS start >> $INITLOG 2>&1 && echo "done." || echo_notdone
+  $SRWL $SRWL_OPTS start $STARTOPTIONS >> $INITLOG 2>&1 && echo "done." || echo_notdone
  return 0
 }

@@ -104,7 +104,7 @@ shorewall_stop () {
 # restart the firewall
 shorewall_restart () {
  echo -n "Restarting \"Shorewall firewall\": "
-  $SRWL $SRWL_OPTS restart >> $INITLOG 2>&1 && echo "done." || echo_notdone
+  $SRWL $SRWL_OPTS restart $RESTARTOPTIONS >> $INITLOG 2>&1 && echo "done." || echo_notdone
  return 0
 }

--- a/Shorewall/init.sh
+++ b/Shorewall/init.sh
@@ -74,17 +74,17 @@ export SHOREWALL_INIT_SCRIPT=1
 # E X E C U T I O N    B E G I N S   H E R E				       #
 ################################################################################
 command="$1"
+shift

 case "$command" in
-    start|restart|stop)
-	exec /sbin/shorewall $OPTIONS $@
+    start)
+	exec /sbin/shorewall $OPTIONS start $STARTOPTIONS
 	;;
-    stop|restart|status)
-	exec /sbin/shorewall $@
+    restart|reload)
+	exec /sbin/shorewall $OPTIONS restart $RESTARTOPTIONS
 	;;
-    reload)
-	shift
-	exec /sbin/shorewall $OPTIONS restart $@
+    status|stop)
+	exec /sbin/shorewall $OPTIONS $command
 	;;
    *)
 	usage
--- a/Shorewall/install.sh
+++ b/Shorewall/install.sh
--- a/Shorewall/lib.cli
+++ b/Shorewall/lib.cli
--- a/Shorewall/lib.cli-std
+++ b/Shorewall/lib.cli-std
--- a/Shorewall/lib.core
+++ b/Shorewall/lib.core
@@ -0,0 +1,632 @@
+#
+# Shorewall 4.5 -- /usr/share/shorewall/lib.core.
+#
+#     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
+#
+#     (c) 2010-2012 - Tom Eastep (teastep@shorewall.net)
+#
+#	Complete documentation is available at http://shorewall.net
+#
+#	This program is free software; you can redistribute it and/or modify
+#	it under the terms of Version 2 of the GNU General Public License
+#	as published by the Free Software Foundation.
+#
+#	This program is distributed in the hope that it will be useful,
+#	but WITHOUT ANY WARRANTY; without even the implied warranty of
+#	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+#	GNU General Public License for more details.
+#
+#	You should have received a copy of the GNU General Public License
+#	along with this program; if not, write to the Free Software
+#	Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# The purpose of this library is to hold those functions used by the generated
+# scripts (both IPv4 and IPv6 -- the functions that are specific to one or the other
+# are found in prog.header and prog.header6).
+#
+#########################################################################################
+#
+# Conditionally produce message
+#
+progress_message() # $* = Message
+{
+    local timestamp
+    timestamp=
+
+    if [ $VERBOSITY -gt 1 ]; then
+	[ -n "$g_timestamp" ] && timestamp="$(date +%H:%M:%S) "
+	echo "${timestamp}$@"
+    fi
+
+    if [ $LOG_VERBOSITY -gt 1 ]; then
+        timestamp="$(date +'%b %_d %T') "
+        echo "${timestamp}$@" >> $STARTUP_LOG
+    fi
+}
+
+progress_message2() # $* = Message
+{
+    local timestamp
+    timestamp=
+
+    if [ $VERBOSITY -gt 0 ]; then
+	[ -n "$g_timestamp" ] && timestamp="$(date +%H:%M:%S) "
+	echo "${timestamp}$@"
+    fi
+
+    if [ $LOG_VERBOSITY -gt 0 ]; then
+        timestamp="$(date +'%b %_d %T') "
+        echo "${timestamp}$@" >> $STARTUP_LOG
+    fi
+}
+
+progress_message3() # $* = Message
+{
+    local timestamp
+    timestamp=
+
+    if [ $VERBOSITY -ge 0 ]; then
+	[ -n "$g_timestamp" ] && timestamp="$(date +%H:%M:%S) "
+	echo "${timestamp}$@"
+    fi
+
+    if [ $LOG_VERBOSITY -ge 0 ]; then
+        timestamp="$(date +'%b %_d %T') "
+        echo "${timestamp}$@" >> $STARTUP_LOG
+    fi
+}
+
+#
+# Set a standard chain's policy
+#
+setpolicy() # $1 = name of chain, $2 = policy
+{
+    run_iptables -P $1 $2
+}
+
+#
+# Generate a list of all network interfaces on the system
+#
+find_all_interfaces() {
+    ${IP:-ip} link list | egrep '^[[:digit:]]+:' | cut -d ' ' -f2 | sed -r 's/(@.*)?:$//'
+}
+
+#
+# Generate a list of all network interfaces on the system that have an ipvX address
+#
+find_all_interfaces1() {
+    ${IP:-ip} -$g_family addr list | egrep '^[[:digit:]]+:' | cut -d ' ' -f2 | sed -r 's/(@.*)?:$//'
+}
+
+#
+# Find the value 'dev' in the passed arguments then echo the next value
+#
+
+find_device() {
+    while [ $# -gt 1 ]; do
+	[ "x$1" = xdev ] && echo $2 && return
+	shift
+    done
+}
+
+#
+# Find the value 'via' in the passed arguments then echo the next value
+#
+
+find_gateway() {
+    while [ $# -gt 1 ]; do
+	[ "x$1" = xvia ] && echo $2 && return
+	shift
+    done
+}
+
+#
+# Find the value 'mtu' in the passed arguments then echo the next value
+#
+
+find_mtu() {
+    while [ $# -gt 1 ]; do
+	[ "x$1" = xmtu ] && echo $2 && return
+	shift
+    done
+}
+
+#
+# Find the value 'peer' in the passed arguments then echo the next value up to
+# "/"
+#
+
+find_peer() {
+    while [ $# -gt 1 ]; do
+	[ "x$1" = xpeer ] && echo ${2%/*} && return
+	shift
+    done
+}
+
+#
+# Try to find the gateway through an interface looking for 'nexthop'
+
+find_nexthop() # $1 = interface
+{
+    echo $(find_gateway `$IP -$g_family route list | grep "[[:space:]]nexthop.* $1"`)
+}
+
+#
+# Find the default route's interface
+#
+find_default_interface() {
+    $IP -$g_family route list | while read first rest; do
+	[ "$first" = default ] && echo $(find_device $rest) && return
+    done
+}
+
+#
+# Determine if Interface is up
+#
+interface_is_up() {
+    [ -n "$($IP -$g_family link list dev $1 2> /dev/null | grep -e '[<,]UP[,>]')" ]
+}
+
+#
+# Determine if interface is usable from a Netfilter perspective
+#
+interface_is_usable() # $1 = interface
+{
+    [ "$1" = lo ] && return 0
+    interface_is_up $1 && [ "$(find_first_interface_address_if_any $1)" != :: ] && run_isusable_exit $1
+}
+
+#
+# Find interface addresses--returns the set of addresses assigned to the passed
+# device
+#
+find_interface_addresses() # $1 = interface
+{
+    if [ $g_family -eq 4 ]; then
+	$IP -f inet addr show $1 2> /dev/null | grep inet\  | sed 's/\s*inet //;s/\/.*//;s/ peer.*//'
+    else
+	$IP -f inet6 addr show $1 2> /dev/null | grep 'inet6 2' | sed 's/\s*inet6 //;s/\/.*//;s/ peer.*//'
+    fi
+}
+
+#
+#  echo the list of networks routed out of a given interface
+#
+get_routed_networks() # $1 = interface name, $2-n = Fatal error message
+{
+    local address
+    local rest
+    local mask
+
+    [ $g_family -eq 4 ] && mask=32 || mask=128
+    
+
+    $IP -$g_family route show dev $1 2> /dev/null |
+	while read address rest; do
+	    case "$address" in
+		default)
+		    if [ $# -gt 1 ]; then
+			shift
+			fatal_error "$@"
+		    else
+			echo "WARNING: default route ignored on interface $1" >&2
+		    fi
+		    ;;
+		multicast|broadcast|prohibit|nat|throw|nexthop)
+		    ;;
+		[2-3]*)
+		    [ "$address" = "${address%/*}" ] && address="${address}/${mask}"
+		    echo $address
+		    ;;
+		*)
+		    if [ $g_family -eq 4 ]; then
+			[ "$address" = "${address%/*}" ] && address="${address}/${mask}"
+			echo $address
+		    fi
+		    ;;
+	    esac
+        done
+}
+
+#
+# Clear the current traffic shaping configuration
+#
+
+delete_tc1()
+{
+    clear_one_tc() {
+        $TC qdisc del dev $1 root 2> /dev/null
+        $TC qdisc del dev $1 ingress 2> /dev/null
+
+    }
+
+    run_tcclear_exit
+
+    run_ip link list | \
+    while read inx interface details; do
+        case $inx in
+            [0-9]*)
+                clear_one_tc ${interface%:}
+                ;;
+            *)
+                ;;
+        esac
+    done
+}
+
+#
+# Detect a device's MTU -- echos the passed device's MTU
+#
+get_device_mtu() # $1 = device
+{
+    local output
+    output="$($IP link list dev $1 2> /dev/null)" # quotes required for /bin/ash
+
+    if [ -n "$output" ]; then
+	echo $(find_mtu $output)
+    else
+	echo 1500
+    fi
+}
+
+#
+# Version of the above that doesn't generate any output for MTU 1500.
+# Generates 'mtu <mtu+>' otherwise, where <mtu+> is the device's MTU + 100
+#
+get_device_mtu1() # $1 = device
+{
+    local output
+    output="$($IP link list dev $1 2> /dev/null)" # quotes required for /bin/ash
+    local mtu
+
+    if [ -n "$output" ]; then
+	mtu=$(find_mtu $output)
+	if [ -n "$mtu" ]; then
+	    [ $mtu = 1500 ] || echo mtu $(($mtu + 100))
+	fi
+    fi
+
+}
+
+#
+# Undo changes to routing
+#
+undo_routing() {
+    local undofiles
+    local f
+
+    if [ -z "$g_noroutes"  ]; then
+	#
+	# Restore rt_tables database
+	#
+	if [ -f ${VARDIR}/rt_tables ]; then
+	    [ -w /etc/iproute2/rt_table -a -z "$KEEP_RT_TABLES" ] && cp -f ${VARDIR}/rt_tables /etc/iproute2/ && progress_message "/etc/iproute2/rt_tables database restored"
+	    rm -f ${VARDIR}/rt_tables
+	fi
+	#
+	# Restore the rest of the routing table
+	#
+	undofiles="$(ls ${VARDIR}/undo_*routing 2> /dev/null)"
+
+	if [ -n "$undofiles" ]; then
+	    for f in $undofiles; do
+		. $f
+	    done
+
+	    rm -f $undofiles
+
+            progress_message "Shorewall-generated routing tables and routing rules removed"
+	fi
+    fi
+
+}
+
+#
+# Save the default route
+#
+save_default_route() {
+    awk \
+    'BEGIN        {defroute=0;};
+     /^default /  {defroute=1; print; next};
+     /nexthop/    {if (defroute == 1 ) {print ; next} };
+                  { defroute=0; };'
+}
+
+#
+# Restore the default route that was in place before the initial 'shorewall start'
+#
+replace_default_route() # $1 = USE_DEFAULT_RT
+{
+    #
+    # default_route and result are inherited from the caller
+    #
+    if [ -n "$default_route" ]; then
+	case "$default_route" in
+	    *metric*)
+	        #
+	        # Don't restore a default route with a metric unless USE_DEFAULT_RT=Yes. Otherwise, we only replace the one with metric 0
+	        #
+		[ -n "$1" ] && qt $IP -$g_family route replace $default_route && progress_message "Default Route (${default_route# }) restored"
+		default_route=
+		;;
+	    *)
+		qt $IP -$g_family route replace $default_route && progress_message "Default Route (${default_route# }) restored"
+		result=0
+		default_route=
+		;;
+	esac
+    fi
+}
+
+restore_default_route() # $1 = USE_DEFAULT_RT
+{
+    local result
+    result=1
+
+    if [ -z "$g_noroutes" -a -f ${VARDIR}/default_route ]; then
+	local default_route
+	default_route=
+	local route
+
+	while read route ; do
+	    case $route in
+		default*)
+		    replace_default_route $1
+		    default_route="$default_route $route"
+		    ;;
+		*)
+		    default_route="$default_route $route"
+		    ;;
+	    esac
+	done < ${VARDIR}/default_route
+
+	replace_default_route $1
+	
+	if [ $result = 1 ]; then
+	    #
+	    # We didn't restore a default route with metric 0
+	    #
+	    if $IP -$g_family -o route list 2> /dev/null | fgrep default | fgrep -qv metric; then
+	       #
+	       # But we added a default route with metric 0
+	       #
+	       qt $IP -$g_family route del default metric 0 && progress_message "Default route with metric 0 deleted"
+	    fi
+	fi
+
+	rm -f ${VARDIR}/default_route
+    fi
+
+    return $result
+}
+
+#
+# Flush the conntrack table if $g_purge is non-empty
+#
+conditionally_flush_conntrack() {
+
+    if [ -n "$g_purge" ]; then
+	if [ -n $(mywhich conntrack) ]; then
+            conntrack -F
+	else
+            error_message "WARNING: The '-p' option requires the conntrack utility which does not appear to be installed on this system"
+	fi
+    fi
+}
+
+#
+# Issue a message and stop/restore the firewall.
+#
+fatal_error()
+{
+    echo "   ERROR: $@" >&2
+
+    if [ $LOG_VERBOSITY -ge 0 ]; then
+        timestamp="$(date +'%_b %d %T') "
+        echo "${timestamp}  ERROR: $@" >> $STARTUP_LOG
+    fi
+
+    stop_firewall
+    [ -n "$TEMPFILE" ] && rm -f $TEMPFILE
+    exit 2
+}
+
+#
+# Run iptables/ip6tables and if an error occurs, stop/restore the firewall
+#
+run_iptables()
+{
+    local status
+
+    while [ 1 ]; do
+	$g_tool $@
+	status=$?
+	[ $status -ne 4 ] && break
+    done
+
+    if [ $status -ne 0 ]; then
+        error_message "ERROR: Command \"$g_tool $@\" Failed"
+	stop_firewall
+        exit 2
+    fi
+}
+
+#
+# Run iptables/ip6tables retrying exit status 4
+#
+do_iptables()
+{
+    local status
+
+    while [ 1 ]; do
+	$g_tool $@
+	status=$?
+	[ $status -ne 4 ] && return $status;
+    done
+}
+
+#
+# Run ip and if an error occurs, stop/restore the firewall
+#
+run_ip()
+{
+    if ! $IP -$g_family $@; then
+	error_message "ERROR: Command \"$IP -$g_family $@\" Failed"
+	stop_firewall
+	exit 2
+    fi
+}
+
+#
+# Run tc and if an error occurs, stop/restore the firewall
+#
+run_tc() {
+    if ! $TC $@ ; then
+	error_message "ERROR: Command \"$TC $@\" Failed"
+	stop_firewall
+	exit 2
+    fi
+}
+
+#
+# Run the .iptables_restore_input as a set of discrete iptables commands
+#
+debug_restore_input() {
+    local first second rest table chain
+    #
+    # Clear the ruleset
+    #
+    qt1 $g_tool -t mangle -F
+    qt1 $g_tool -t mangle -X
+
+    for chain in PREROUTING INPUT FORWARD POSTROUTING; do
+	qt1 $g_tool -t mangle -P $chain ACCEPT
+    done
+
+    qt1 $g_tool -t raw    -F
+    qt1 $g_tool -t raw    -X
+
+    for chain in PREROUTING OUTPUT; do
+	qt1 $g_tool -t raw -P $chain ACCEPT
+    done
+
+    qt1 $g_tool -t rawpost -F
+    qt1 $g_tool -t rawpost    -X
+
+    for chain in POSTROUTING; do
+	qt1 $g_tool -t rawpost -P $chain ACCEPT
+    done
+
+    qt1 $g_tool -t nat    -F
+    qt1 $g_tool -t nat    -X
+
+    for chain in PREROUTING POSTROUTING; do
+        qt1 $g_tool -t nat -P $chain ACCEPT
+    done
+
+    qt1 $g_tool -t filter -F
+    qt1 $g_tool -t filter -X
+
+    for chain in INPUT FORWARD OUTPUT; do
+	qt1 $g_tool -t filter -P $chain -P ACCEPT
+    done
+
+    while read first second rest; do
+	case $first in
+	    -*)
+		#
+		# We can't call run_iptables() here because the rules may contain quoted strings
+		#
+		eval $g_tool -t $table $first $second $rest
+
+		if [ $? -ne 0 ]; then
+		    error_message "ERROR: Command \"$g_tool $first $second $rest\" Failed"
+		    stop_firewall
+		    exit 2
+		fi
+		;;
+	    :*)
+		chain=${first#:}
+
+		if [ "x$second" = x- ]; then
+		    do_iptables -t $table -N $chain
+		else
+		    do_iptables -t $table -P $chain $second
+		fi
+
+		if [ $? -ne 0 ]; then
+		    error_message "ERROR: Command \"$g_tool $first $second $rest\" Failed"
+		    stop_firewall
+		    exit 2
+		fi
+		;;
+	    #
+	    # This grotesque hack with the table names works around a bug/feature with ash
+	    #
+	    '*'raw)
+		table=raw
+		;;
+	    '*'rawpost)
+		table=rawpost
+		;;
+	    '*'mangle)
+		table=mangle
+		;;
+	    '*'nat)
+		table=nat
+		;;
+	    '*'filter)
+		table=filter
+		;;
+	esac
+    done
+}
+
+interface_up() {
+    return $(cat ${VARDIR}/$1.status)
+}
+
+distribute_load() {
+    local interface
+    local totalload
+    local load
+    local maxload
+
+    maxload=$1
+    shift
+
+    totalload=0
+
+    for interface in $@; do
+	if interface_up $interface; then
+	    load=$(cat ${VARDIR}/${interface}_load)
+	    eval ${interface}_load=$load
+	    totalload=$( bc <<EOF
+scale=8
+$totalload + $load
+EOF
+)
+	fi
+    done
+
+    if [ $totalload ]; then
+	for interface in $@; do
+	    qt $g_tool -t mangle -F ~$interface
+	    eval load=\$${interface}_load
+	
+	    if [ -n "$load" ]; then
+		load=$(bc <<EOF
+scale=8
+( $load / $totalload ) * $maxload
+EOF
+)
+		totalload=$(bc <<EOF
+scale=8
+$totalload - $load
+EOF
+)
+		run_iptables -t mangle -A ~$interface -m statistic --mode random --probability $load
+	    fi
+	done
+    fi
+}
--- a/Shorewall/manpages/shorewall-accounting.xml
+++ b/Shorewall/manpages/shorewall-accounting.xml
@@ -75,12 +75,9 @@

    <itemizedlist>
      <listitem>
-        <para>A jump to a user-defined accounting chain before entries that
-        add rules to that chain.</para>
-      </listitem>
-
-      <listitem>
-        <para>This eliminates loops and unreferenced chains.</para>
+        <para>A jump to a user-defined accounting chain must appear before
+        entries that add rules to that chain. This eliminates loops and
+        unreferenced chains.</para>
      </listitem>

      <listitem>
@@ -702,7 +699,7 @@
    shorewall-hosts(5), shorewall_interfaces(5), shorewall-ipsets(5),
    shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5),
    shorewall-netmap(5), shorewall-params(5), shorewall-policy(5),
-    shorewall-providers(5), shorewall-proxyarp(5), shorewall-route_rules(5),
+    shorewall-providers(5), shorewall-proxyarp(5), shorewall-rtrules(5),
    shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5),
    shorewall-secmarks(5), shorewall-tcclasses(5), shorewall-tcdevices(5),
    shorewall-tcrules(5), shorewall-tos(5), shorewall-tunnels(5),
--- a/Shorewall/manpages/shorewall-actions.xml
+++ b/Shorewall/manpages/shorewall-actions.xml
@@ -51,7 +51,7 @@
    shorewall-hosts(5), shorewall_interfaces(5), shorewall-ipsets(5),
    shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5),
    shorewall-netmap(5), shorewall-params(5), shorewall-policy(5),
-    shorewall-providers(5), shorewall-proxyarp(5), shorewall-route_rules(5),
+    shorewall-providers(5), shorewall-proxyarp(5), shorewall-rtrules(5),
    shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5),
    shorewall-secmarks(5), shorewall-tcclasses(5), shorewall-tcdevices(5),
    shorewall-tcrules(5), shorewall-tos(5), shorewall-tunnels(5),
--- a/Shorewall/manpages/shorewall-blacklist.xml
+++ b/Shorewall/manpages/shorewall-blacklist.xml
@@ -189,7 +189,7 @@
    shorewall-hosts(5), shorewall_interfaces(5), shorewall-ipsets(5),
    shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5),
    shorewall-netmap(5), shorewall-params(5), shorewall-policy(5),
-    shorewall-providers(5), shorewall-proxyarp(5), shorewall-route_rules(5),
+    shorewall-providers(5), shorewall-proxyarp(5), shorewall-rtrules(5),
    shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5),
    shorewall-secmarks(5), shorewall-tcclasses(5), shorewall-tcdevices(5),
    shorewall-tcrules(5), shorewall-tos(5), shorewall-tunnels(5),
--- a/Shorewall/manpages/shorewall-blrules.xml
+++ b/Shorewall/manpages/shorewall-blrules.xml
@@ -40,7 +40,7 @@
      <varlistentry>
        <term><emphasis role="bold">ACTION- {<emphasis
        role="bold">ACCEPT</emphasis>|CONTINUE|DROP|A_DROP|REJECT|A_REJECT|<emphasis
-        role="bold">WHITELIES</emphasis>|<emphasis
+        role="bold">WHITELIST</emphasis>|<emphasis
        role="bold">LOG</emphasis>|<emphasis
        role="bold">QUEUE</emphasis>|<emphasis
        role="bold">NFQUEUE</emphasis>[<emphasis
@@ -292,10 +292,9 @@
    <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
    shorewall-hosts(5), shorewall-interfaces(5), shorewall-maclist(5),
    shoewall6-netmap(5),shorewall-params(5), shorewall-policy(5),
-    shorewall-providers(5), shorewall-route_rules(5),
-    shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5),
-    shorewall-secmarks(5), shorewall-tcclasses(5), shorewall-tcdevices(5),
-    shorewall-tcrules(5), shorewall-tos(5), shorewall-tunnels(5),
-    shorewall-zones(5)</para>
+    shorewall-providers(5), shorewall-rtrules(5), shorewall-routestopped(5),
+    shorewall-rules(5), shorewall.conf(5), shorewall-secmarks(5),
+    shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall-tcrules(5),
+    shorewall-tos(5), shorewall-tunnels(5), shorewall-zones(5)</para>
  </refsect1>
 </refentry>
--- a/Shorewall/manpages/shorewall-ecn.xml
+++ b/Shorewall/manpages/shorewall-ecn.xml
@@ -67,7 +67,7 @@
    shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5), shorewall-ipsets(5),
    shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5),
    shorewall-netmap(5), shorewall-params(5), shorewall-policy(5),
-    shorewall-providers(5), shorewall-proxyarp(5), shorewall-route_rules(5),
+    shorewall-providers(5), shorewall-proxyarp(5), shorewall-rtrules(5),
    shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5), shorewall-secmarks(5),
    shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall-tcrules(5),
    shorewall-tos(5), shorewall-tunnels(5), shorewall-zones(5)</para>
--- a/Shorewall/manpages/shorewall-exclusion.xml
+++ b/Shorewall/manpages/shorewall-exclusion.xml
@@ -180,7 +180,7 @@ ACCEPT          all!z2        net         tcp           22</programlisting>
    shorewall-ipsets(5), shorewall-maclist(5), shorewall-masq(5),
    shorewall-nat(5), shorewall-netmap(5), shorewall-params(5),
    shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5),
-    shorewall-route_rules(5), shorewall-routestopped(5), shorewall-rules(5),
+    shorewall-rtrules(5), shorewall-routestopped(5), shorewall-rules(5),
    shorewall.conf(5), shorewall-secmarks(5), shorewall-tcclasses(5),
    shorewall-tcdevices(5), shorewall-tcrules(5), shorewall-tos(5),
    shorewall-tunnels(5), shorewall-zones(5)</para>
--- a/Shorewall/manpages/shorewall-hosts.xml
+++ b/Shorewall/manpages/shorewall-hosts.xml
@@ -148,12 +148,6 @@
              <term><emphasis role="bold">blacklist</emphasis></term>

              <listitem>
-                <para>This option is deprecated in Shorewall 4.4.25 in favor
-                of entries in <ulink
-                url="shorewall-blrules.html">shorewall-blrules</ulink> (5) or
-                in the BLACKLIST section of <ulink
-                url="shorewall-rules.html">shorewall-rules </ulink>(5).</para>
-
                <para>Check packets arriving on this port against the <ulink
                url="shorewall-blacklist.html">shorewall-blacklist</ulink>(5)
                file.</para>
@@ -275,7 +269,7 @@ vpn         ppp+:192.168.3.0/24</programlisting></para>
    shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5),
    shorewall-nesting(5), shorewall-netmap(5), shorewall-params(5),
    shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5),
-    shorewall-route_rules(5), shorewall-routestopped(5), shorewall-rules(5),
+    shorewall-rtrules(5), shorewall-routestopped(5), shorewall-rules(5),
    shorewall.conf(5), shorewall-secmarks(5), shorewall-tcclasses(5),
    shorewall-tcdevices(5), shorewall-tcrules(5), shorewall-tos(5),
    shorewall-tunnels(5), shorewall-zones(5)</para>
--- a/Shorewall/manpages/shorewall-init.xml
+++ b/Shorewall/manpages/shorewall-init.xml
@@ -166,7 +166,7 @@
    shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5), shorewall-ipsets(5),
    shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5),
    shorewall-netmap(5), shorewall-params(5), shorewall-policy(5),
-    shorewall-providers(5), shorewall-proxyarp(5), shorewall-route_rules(5),
+    shorewall-providers(5), shorewall-proxyarp(5), shorewall-rtrules(5),
    shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5), shorewall-secmarks(5),
    shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall-tcrules(5),
    shorewall-tos(5), shorewall-tunnels(5), shorewall-zones(5)</para>
--- a/Shorewall/manpages/shorewall-interfaces.xml
+++ b/Shorewall/manpages/shorewall-interfaces.xml
@@ -228,11 +228,7 @@ loc     eth2            -</programlisting>
              <term><emphasis role="bold">blacklist</emphasis></term>

              <listitem>
-                <para>Deprecated in Shorewall 4.4.25 and later in favor of
-                rules in the BLACKLIST section of <ulink
-                url="shorewall-rules.html">shorewall-rules</ulink> (5) or in
-                <ulink url="shorewall-blrules.html">shorewall-blrules</ulink>
-                (5). Checks packets arriving on this interface against the
+                <para>Checks packets arriving on this interface against the
                <ulink
                url="shorewall-blacklist.html">shorewall-blacklist</ulink>(5)
                file.</para>
@@ -379,11 +375,8 @@ loc     eth2            -</programlisting>
              <term><emphasis role="bold">maclist</emphasis></term>

              <listitem>
-                <para>Deprecated in Shorewall 4.4.25 and later in favor of
-                rules in the BLACKLIST section of <ulink
-                url="shorewall-blacklist.html">shorewall-rules</ulink> (5).
-                Connection requests from this interface are compared against
-                the contents of <ulink
+                <para>Connection requests from this interface are compared
+                against the contents of <ulink
                url="shorewall-maclist.html">shorewall-maclist</ulink>(5). If
                this option is specified, the interface must be an ethernet
                NIC and must be up before Shorewall is started.</para>
@@ -432,9 +425,8 @@ loc     eth2            -</programlisting>
              <term>nosmurfs</term>

              <listitem>
-                <para>Deprecated in Shorewall 4.4.25 and later in favor of the
-                DropSmurfs standard action. Filter packets for smurfs (packets
-                with a broadcast address as the source).</para>
+                <para>Filter packets for smurfs (packets with a broadcast
+                address as the source).</para>

                <para>Smurfs will be optionally logged based on the setting of
                SMURF_LOG_LEVEL in <ulink
@@ -651,13 +643,11 @@ loc     eth2            -</programlisting>
              <term><emphasis role="bold">tcpflags</emphasis></term>

              <listitem>
-                <para>Deprecated in Shorewall 4.4.25 and later in favor of the
-                TCPFlags standard action. Packets arriving on this interface
-                are checked for certain illegal combinations of TCP flags.
-                Packets found to have such a combination of flags are handled
-                according to the setting of TCP_FLAGS_DISPOSITION after having
-                been logged according to the setting of
-                TCP_FLAGS_LOG_LEVEL.</para>
+                <para>Packets arriving on this interface are checked for
+                certain illegal combinations of TCP flags. Packets found to
+                have such a combination of flags are handled according to the
+                setting of TCP_FLAGS_DISPOSITION after having been logged
+                according to the setting of TCP_FLAGS_LOG_LEVEL.</para>
              </listitem>
            </varlistentry>

@@ -782,7 +772,7 @@ net     ppp0      -</programlisting>
    shorewall-blacklist(5), shorewall-hosts(5), shorewall-maclist(5),
    shorewall-masq(5), shorewall-nat(5), shorewall-netmap(5),
    shorewall-params(5), shorewall-policy(5), shorewall-providers(5),
-    shorewall-proxyarp(5), shorewall-route_rules(5),
+    shorewall-proxyarp(5), shorewall-rtrules(5),
    shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5),
    shorewall-secmarks(5), shorewall-tcclasses(5), shorewall-tcdevices(5),
    shorewall-tcrules(5), shorewall-tos(5), shorewall-tunnels(5),
--- a/Shorewall/manpages/shorewall-ipsets.xml
+++ b/Shorewall/manpages/shorewall-ipsets.xml
@@ -120,7 +120,7 @@
    shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5),
    shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5),
    shorewall-netmap(5), shorewall-params(5), shorewall-policy(5),
-    shorewall-providers(5), shorewall-proxyarp(5), shorewall-route_rules(5),
+    shorewall-providers(5), shorewall-proxyarp(5), shorewall-rtrules(5),
    shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5),
    shorewall-secmarks(5), shorewall-tcclasses(5), shorewall-tcdevices(5),
    shorewall-tcrules(5), shorewall-tos(5), shorewall-tunnels(5),
--- a/Shorewall/manpages/shorewall-maclist.xml
+++ b/Shorewall/manpages/shorewall-maclist.xml
@@ -110,7 +110,7 @@
    shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5),
    shorewall-ipsets(5), shorewall-masq(5), shorewall-nat(5),
    shorewall-netmap(5), shorewall-params(5), shorewall-policy(5),
-    shorewall-providers(5), shorewall-proxyarp(5), shorewall-route_rules(5),
+    shorewall-providers(5), shorewall-proxyarp(5), shorewall-rtrules(5),
    shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5),
    shorewall-secmarks(5), shorewall-tcclasses(5), shorewall-tcdevices(5),
    shorewall-tcrules(5), shorewall-tos(5), shorewall-tunnels(5),
--- a/Shorewall/manpages/shorewall-masq.xml
+++ b/Shorewall/manpages/shorewall-masq.xml
@@ -35,8 +35,8 @@
      <para>If you have more than one ISP link, adding entries to this file
      will <emphasis role="bold">not</emphasis> force connections to go out
      through a particular link. You must use entries in <ulink
-      url="shorewall-route_rules.html">shorewall-route_rules</ulink>(5) or
-      PREROUTING entries in <ulink
+      url="shorewall-rtrules.html">shorewall-rtrules</ulink>(5) or PREROUTING
+      entries in <ulink
      url="shorewall-tcrules.html">shorewall-tcrules</ulink>(5) to do
      that.</para>
    </warning>
@@ -88,7 +88,8 @@
          addresses to indicate that you only want to change the source IP
          address for packets being sent to those particular destinations.
          Exclusion is allowed (see <ulink
-          url="shorewall-exclusion.html">shorewall-exclusion</ulink>(5)).</para>
+          url="shorewall-exclusion.html">shorewall-exclusion</ulink>(5)) as
+          are ipset names preceded by a plus sign '+';</para>

          <para>If you wish to inhibit the action of ADD_SNAT_ALIASES for this
          entry then include the ":" but omit the digit:</para>
@@ -149,6 +150,10 @@

          <para>In that example traffic from eth1 would be masqueraded unless
          it came from 192.168.1.4 or 196.168.32.0/27</para>
+
+          <para>The preferred way to specify the SOURCE is to supply one or
+          more host or network addresses separated by comma. You may use ipset
+          names preceded by a plus sign (+) to specify a set of hosts.</para>
        </listitem>
      </varlistentry>

@@ -467,6 +472,43 @@
          </variablelist>
        </listitem>
      </varlistentry>
+
+      <varlistentry>
+        <term><emphasis role="bold">SWITCH -
+        [!]<replaceable>switch-name</replaceable></emphasis></term>
+
+        <listitem>
+          <para>Added in Shorewall 4.5.1 and allows enabling and disabling the
+          rule without requiring <command>shorewall restart</command>.</para>
+
+          <para>The rule is enabled if the value stored in
+          <filename>/proc/net/nf_condition/<replaceable>switch-name</replaceable></filename>
+          is 1. The rule is disabled if that file contains 0 (the default). If
+          '!' is supplied, the test is inverted such that the rule is enabled
+          if the file contains 0. <replaceable>switch-name</replaceable> must
+          begin with a letter and be composed of letters, decimal digits,
+          underscores or hyphens. Switch names must be 30 characters or less
+          in length.</para>
+
+          <para>Switches are normally <emphasis role="bold">off</emphasis>. To
+          turn a switch <emphasis role="bold">on</emphasis>:</para>
+
+          <simplelist>
+            <member><command>echo 1 &gt;
+            /proc/net/nf_condition/<replaceable>switch-name</replaceable></command></member>
+          </simplelist>
+
+          <para>To turn it <emphasis role="bold">off</emphasis> again:</para>
+
+          <simplelist>
+            <member><command>echo 0 &gt;
+            /proc/net/nf_condition/<replaceable>switch-name</replaceable></command></member>
+          </simplelist>
+
+          <para>Switch settings are retained over <command>shorewall
+          restart</command>.</para>
+        </listitem>
+      </varlistentry>
    </variablelist>
  </refsect1>

@@ -548,6 +590,19 @@
          </warning>
        </listitem>
      </varlistentry>
+
+      <varlistentry>
+        <term>Example 6:</term>
+
+        <listitem>
+          <para>Connections leaving on eth0 and destined to any host defined
+          in the ipset <emphasis>myset</emphasis> should have the source IP
+          address changed to 206.124.146.177.</para>
+
+          <programlisting>        #INTERFACE              SOURCE          ADDRESS
+        eth0:+myset[dst]        -               206.124.146.177</programlisting>
+        </listitem>
+      </varlistentry>
    </variablelist>
  </refsect1>

@@ -568,7 +623,7 @@
    shorewall_interfaces(5), shorewall-ipsets(5), shorewall-maclist(5),
    shorewall-nat(5), shorewall-netmap(5), shorewall-params(5),
    shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5),
-    shorewall-route_rules(5), shorewall-routestopped(5), shorewall-rules(5),
+    shorewall-rtrules(5), shorewall-routestopped(5), shorewall-rules(5),
    shorewall.conf(5), shorewall-secmarks(5), shorewall-tcclasses(5),
    shorewall-tcdevices(5), shorewall-tcrules(5), shorewall-tos(5),
    shorewall-tunnels(5), shorewall-zones(5)</para>
--- a/Show More
+++ b/Show More