Fix minor bug in bridge interface handling.

Signed-off-by: Tom Eastep <teastep@shorewall.net>
Expand Split DNS Article
2010-03-23 08:47:56 -07:00 · 2010-03-22 19:56:45 -07:00 · 2010-03-22 15:41:32 -07:00 · 2010-03-22 15:34:10 -07:00 · 2010-03-22 08:12:26 -07:00 · 2010-03-22 06:46:48 -07:00
80 changed files with 4110 additions and 3972 deletions
--- a/Shorewall-lite/README.txt
+++ b/Shorewall-lite/README.txt
@@ -1 +1 @@
-This is the Shorewall-lite development 4.3 branch of SVN.
+This is the Shorewall-lite stable 4.4 branch of Git.
--- a/Shorewall-lite/fallback.sh
+++ b/Shorewall-lite/fallback.sh
@@ -28,7 +28,7 @@
 #       shown below. Simply run this script to revert to your prior version of
 #       Shoreline Firewall.

-VERSION=4.4.7.2
+VERSION=4.4.8

 usage() # $1 = exit status
 {
--- a/Shorewall-lite/init.debian.sh
+++ b/Shorewall-lite/init.debian.sh
@@ -2,8 +2,8 @@

 ### BEGIN INIT INFO
 # Provides:          shorewall-lite
-# Required-Start:    $network
-# Required-Stop:     $network
+# Required-Start:    $network $remote_fs
+# Required-Stop:     $network $remote_fs
 # Default-Start:     S
 # Default-Stop:      0 6
 # Short-Description: Configure the firewall at boot time
@@ -42,6 +42,7 @@ echo_notdone () {
 	  echo "not done (check $INITLOG)."
  fi

+  exit 1
 }

 not_configured () {
--- a/Shorewall-lite/install.sh
+++ b/Shorewall-lite/install.sh
@@ -22,7 +22,7 @@
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #

-VERSION=4.4.7.2
+VERSION=4.4.8

 usage() # $1 = exit status
 {
--- a/Shorewall-lite/shorecap
+++ b/Shorewall-lite/shorecap
@@ -48,18 +48,19 @@
 SHAREDIR=/usr/share/shorewall-lite
 VARDIR=/var/lib/shorewall-lite
 CONFDIR=/etc/shorewall-lite
-PRODUCT="Shorewall Lite"
+g_product="Shorewall Lite"

 . /usr/share/shorewall-lite/lib.base
+. /usr/share/shorewall-lite/lib.cli
 . /usr/share/shorewall-lite/configpath

 [ -n "$PATH" ] || PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin

-VERSION=$(cat /usr/share/shorewall-lite/version)
+SHOREWALL_VERSION=$(cat /usr/share/shorewall-lite/version)

 [ -n "$IPTABLES" ] || IPTABLES=$(mywhich iptables)

-VERBOSE=0
+VERBOSITY=0
 load_kernel_modules No
 determine_capabilities
 report_capabilities1
--- a/Shorewall-lite/shorewall-lite
+++ b/Shorewall-lite/shorewall-lite
@@ -117,8 +117,6 @@ get_config() {

    [ -n "$LOGFORMAT" ] || LOGFORMAT="Shorewall:"

-    export LOGFORMAT
-
    if [ -n "$IPTABLES" ]; then
 	if [ ! -x "$IPTABLES" ]; then
 	    echo "   ERROR: The program specified in IPTABLES does not exist or is not executable" >&2
@@ -132,8 +130,6 @@ get_config() {
 	fi
    fi

-    export IPTABLES
-
    if [ -n "$SHOREWALL_SHELL" ]; then
 	if [ ! -x "$SHOREWALL_SHELL" ]; then
 	    echo "   WARNING: The program specified in SHOREWALL_SHELL does not exist or is not executable; falling back to /bin/sh" >&2
@@ -145,15 +141,20 @@ get_config() {

    validate_restorefile RESTOREFILE

-    export RESTOREFILE
-
    [ -n "${VERBOSITY:=2}" ]

-    [ -n "$USE_VERBOSITY" ] && VERBOSE=$USE_VERBOSITY || VERBOSE=$(($VERBOSE_OFFSET + $VERBOSITY))
+    [ -n "$g_use_verbosity" ] && VERBOSITY=$g_use_verbosity || VERBOSITY=$(($g_verbose_offset + $VERBOSITY))

-    export VERBOSE
+    g_hostname=$(hostname 2> /dev/null)

-    [ -n "${HOSTNAME:=$(hostname)}" ]
+    IP=$(mywhich ip 2> /dev/null)
+    if [ -z "$IP" ] ; then
+	echo "   ERROR: Can't find ip executable" >&2
+	exit 2
+    fi
+
+    IPSET=ipset
+    TC=tc

 }

@@ -161,13 +162,13 @@ get_config() {
 # Verify that we have a compiled firewall script
 #
 verify_firewall_script() {
-    if [ ! -f $FIREWALL ]; then
+    if [ ! -f $g_firewall ]; then
 	echo "   ERROR: Shorewall Lite is not properly installed" >&2
-	if [ -L $FIREWALL ]; then
-	    echo "          $FIREWALL is a symbolic link to a" >&2
+	if [ -L $g_firewall ]; then
+	    echo "          $g_firewall is a symbolic link to a" >&2
 	    echo "          non-existant file" >&2
 	else
-	    echo "          The file $FIREWALL does not exist" >&2
+	    echo "          The file $g_firewall does not exist" >&2
 	fi
 	
 	exit 2
@@ -187,7 +188,7 @@ start_command() {
 	[ -n "$nolock" ] || mutex_on

 	if [ -x ${LITEDIR}/firewall ]; then
-	    ${LITEDIR}/firewall $debugging start
+	    run_it ${LITEDIR}/firewall $debugging start
 	    rc=$?
 	else
 	    error_message "${LITEDIR}/firewall is missing or is not executable"
@@ -219,12 +220,12 @@ start_command() {
 			    option=
 			    ;;
 			f*)
-			    FAST=Yes
+			    g_fast=Yes
 			    option=${option#f}
 			    ;;
 			p*)
 			    [ -n "$(which conntrack)" ] || fatal_error "The '-p' option requires the conntrack utility which does not appear to be installed on this system"
-			    PURGE=Yes
+			    g_purge=Yes
 			    option=${option%p}
 			    ;;
 			*)
@@ -248,36 +249,21 @@ start_command() {
 	    ;;
    esac

-    export NOROUTES
-
-    if [ -n "$FAST" ]; then
+    if [ -n "$g_fast" ]; then
 	if qt mywhich make; then
-	    #
-	    # RESTOREFILE is exported by get_config()
-	    #
-	    make -qf ${CONFDIR}/Makefile || FAST=
+	    export RESTOREFILE
+	    make -qf ${CONFDIR}/Makefile || g_fast=
 	fi

-	if [ -n "$FAST" ]; then
+	if [ -n "$g_fast" ]; then

-	    RESTOREPATH=${VARDIR}/$RESTOREFILE
-
-	    if [ -x $RESTOREPATH ]; then
-		if [ -x ${RESTOREPATH}-ipsets ]; then
-		    echo Restoring Ipsets...
-		    #
-		    # We must purge iptables to be sure that there are no
-		    # references to ipsets
-		    #
-		    iptables -F
-		    iptables -X
-		    $SHOREWALL_SHELL ${RESTOREPATH}-ipsets
-		fi
+	    g_restorepath=${VARDIR}/$RESTOREFILE

+	    if [ -x $g_restorepath ]; then
 		echo Restoring Shorewall Lite...
-		$SHOREWALL_SHELL $RESTOREPATH restore
+		run_it $g_restorepath restore
 		date > ${VARDIR}/restarted
-		progress_message3 Shorewall Lite restored from $RESTOREPATH
+		progress_message3 Shorewall Lite restored from $g_restorepath
 	    else
 		do_it
 	    fi
@@ -313,12 +299,12 @@ restart_command() {
 			    option=
 			    ;;
 			n*)
-			    NOROUTES=Yes
+			    g_noroutes=Yes
 			    option=${option#n}
 			    ;;
 			p*)
 			    [ -n "$(which conntrack)" ] || fatal_error "The '-p' option requires the conntrack utility which does not appear to be installed on this system"
-			    PURGE=Yes
+			    g_purge=Yes
 			    option=${option%p}
 			    ;;
 			*)
@@ -342,12 +328,10 @@ restart_command() {
 	    ;;
    esac

-    export NOROUTES
-
    [ -n "$nolock" ] || mutex_on

    if [ -x ${LITEDIR}/firewall ]; then
-	$SHOREWALL_SHELL ${LITEDIR}/firewall $debugging restart
+	run_it ${LITEDIR}/firewall $debugging restart
 	rc=$?
    else
 	error_message "${LITEDIR}/firewall is missing or is not executable"
@@ -423,16 +407,13 @@ if [ $# -gt 0 ] && [ "$1" = "nolock" ]; then
    shift
 fi

-IPT_OPTIONS="-nv"
-FAST=
-VERBOSE_OFFSET=0
-USE_VERBOSITY=
-NOROUTES=
-EXPORT=
-export TIMESTAMP=
-noroutes=
-RECOVERING=
-export RECOVERING
+g_ipt_options="-nv"
+g_fast=
+g_verbose_offset=0
+g_use_verbosity=
+g_noroutes=
+g_timestamp=
+g_recovering=

 finished=0

@@ -451,48 +432,48 @@ while [ $finished -eq 0 ]; do
 	    while [ -n "$option" ]; do
 		case $option in
 		    x*)
-			IPT_OPTIONS="-xnv"
+			g_ipt_options="-xnv"
 			option=${option#x}
 			;;
 		    q*)
-			VERBOSE_OFFSET=$(($VERBOSE_OFFSET - 1 ))
+			g_verbose_offset=$(($g_verbose_offset - 1 ))
 			option=${option#q}
 			;;
 		    f*)
-			FAST=Yes
+			g_fast=Yes
 			option=${option#f}
 			;;
 		    v*)
 			option=${option#v}
 			case $option in 
 			    -1*)
-				USE_VERBOSITY=-1
+				g_use_verbosity=-1
 				option=${option#-1}
 				;;
 			    0*)
-				USE_VERBOSITY=0
+				g_use_verbosity=0
 				option=${option#0}
 				;;
 			    1*)
-				USE_VERBOSITY=1
+				g_use_verbosity=1
 				option=${option#1}
 				;;
 			    2*)
-				USE_VERBOSITY=2
+				g_use_verbosity=2
 				option=${option#2}
 				;;
 			    *)
-				VERBOSE_OFFSET=$(($VERBOSE_OFFSET + 1 ))
-				USE_VERBOSITY=
+				g_verbose_offset=$(($g_verbose_offset + 1 ))
+				g_use_verbosity=
 				;;
 			esac
 			;;
 		    n*)
-			NOROUTES=Yes
+			g_noroutes=Yes
 			option=${option#n}
 			;;
 		    t*)
-			TIMESTAMP=Yes
+			g_timestamp=Yes
 			option=${option#t}
 			;;
 		    -)
@@ -517,12 +498,11 @@ if [ $# -eq 0 ]; then
 fi

 PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
-export PATH
 MUTEX_TIMEOUT=

 SHAREDIR=/usr/share/shorewall-lite
 CONFDIR=/etc/shorewall-lite
-export PRODUCT="Shorewall Lite"
+g_product="Shorewall Lite"

 [ -f ${CONFDIR}/vardir ] && . ${CONFDIR}/vardir ]

@@ -530,17 +510,10 @@ export PRODUCT="Shorewall Lite"

 [ -d $VARDIR ] || mkdir -p $VARDIR || fatal_error "Unable to create $VARDIR"

-LIBRARIES="$SHAREDIR/lib.base $SHAREDIR/lib.cli"
-VERSION_FILE=$SHAREDIR/version
-HELP=$SHAREDIR/help
+version_file=$SHAREDIR/version

-for library in $LIBRARIES; do
-    if [ -f $library ]; then
-	. $library
-    else
-	echo "Installation error: $library does not exist!" >&2
-	exit 2
-    fi
+for library in base cli; do
+    . ${SHAREDIR}/lib.$library
 done

 ensure_config_path
@@ -560,7 +533,6 @@ else
 fi

 ensure_config_path
-export CONFIG_PATH

 LITEDIR=${VARDIR}

@@ -568,17 +540,17 @@ LITEDIR=${VARDIR}

 get_config

-FIREWALL=$LITEDIR/firewall
+g_firewall=$LITEDIR/firewall

-if [ -f $VERSION_FILE ]; then
-    version=$(cat $VERSION_FILE)
+if [ -f $version_file ]; then
+    SHOREWALL_VERSION=$(cat $version_file)
 else
    echo "   ERROR: Shorewall Lite is not properly installed" >&2
-    echo "          The file $VERSION_FILE does not exist" >&2
+    echo "          The file $version_file does not exist" >&2
    exit 1
 fi

-banner="Shorewall Lite $version Status at $HOSTNAME -"
+banner="Shorewall Lite $SHOREWALL_VERSION Status at $g_hostname -"

 case $(echo -e) in
    -e*)
@@ -610,12 +582,11 @@ case "$COMMAND" in
    stop|clear)
 	[ $# -ne 1 ] && usage 1
 	verify_firewall_script
-	export NOROUTES
-	exec $SHOREWALL_SHELL $FIREWALL $debugging $nolock $COMMAND
+	run_it $g_firewall $debugging $nolock $COMMAND
 	;;
    reset)
 	verify_firewall_script
-	exec $SHOREWALL_SHELL $FIREWALL $debugging $nolock $@
+	run_it $SHOREWALL_SHELL $g_firewall $debugging $nolock $@
 	;;
    restart)
 	shift
@@ -628,7 +599,7 @@ case "$COMMAND" in
    status)
 	[ $# -eq 1 ] || usage 1
 	[ "$(id -u)" != 0 ] && fatal_error "ERROR: The status command may only be run by root"
-	echo "Shorewall Lite $version Status at $HOSTNAME - $(date)"
+	echo "Shorewall Lite $SHOREWALL_VERSION Status at $g_hostname - $(date)"
 	echo
 	if shorewall_is_started ; then
 	    echo "Shorewall Lite is running"
@@ -662,7 +633,7 @@ case "$COMMAND" in
 	hits_command $@
 	;;
    version)
-	echo $version Lite
+	echo $SHOREWALL_VERSION Lite
 	;;
    logwatch)
 	logwatch_command $@
@@ -731,7 +702,7 @@ case "$COMMAND" in
 	    ;;
 	esac

-	RESTOREPATH=${VARDIR}/$RESTOREFILE
+	g_restorepath=${VARDIR}/$RESTOREFILE

 	[ "$nolock" ] || mutex_on

@@ -753,20 +724,20 @@ case "$COMMAND" in
 	esac


-	RESTOREPATH=${VARDIR}/$RESTOREFILE
+	g_restorepath=${VARDIR}/$RESTOREFILE

-	if [ -x $RESTOREPATH ]; then
+	if [ -x $g_restorepath ]; then

-	    if [ -x ${RESTOREPATH}-ipsets ]; then
-		rm -f ${RESTOREPATH}-ipsets
-		echo "    ${RESTOREPATH}-ipsets removed"
+	    if [ -x ${g_restorepath}-ipsets ]; then
+		rm -f ${g_restorepath}-ipsets
+		echo "    ${g_restorepath}-ipsets removed"
 	    fi

-	    rm -f $RESTOREPATH
-	    rm -f ${RESTOREPATH}-iptables
-	    echo "    $RESTOREPATH removed"
-	elif [ -f $RESTOREPATH ]; then
-	    echo "   $RESTOREPATH exists and is not a saved Shorewall configuration"
+	    rm -f $g_restorepath
+	    rm -f ${g_restorepath}-iptables
+	    echo "    $g_restorepath removed"
+	elif [ -f $g_restorepath ]; then
+	    echo "   $g_restorepath exists and is not a saved Shorewall configuration"
 	fi
 	rm -f ${VARDIR}/save
 	;;
--- a/Shorewall-lite/shorewall-lite.spec
+++ b/Shorewall-lite/shorewall-lite.spec
@@ -1,6 +1,6 @@
 %define name shorewall-lite
-%define version 4.4.7
-%define release 2
+%define version 4.4.8
+%define release 0base

 Summary: Shoreline Firewall Lite is an iptables-based firewall for Linux systems.
 Name: %{name}
@@ -88,6 +88,7 @@ fi
 %attr(-   ,root,root) /usr/share/shorewall-lite/functions
 %attr(0644,root,root) /usr/share/shorewall-lite/lib.base
 %attr(0644,root,root) /usr/share/shorewall-lite/lib.cli
+%attr(0644,root,root) /usr/share/shorewall-lite/lib.common
 %attr(0644,root,root) /usr/share/shorewall-lite/modules
 %attr(0544,root,root) /usr/share/shorewall-lite/shorecap
 %attr(0755,root,root) /usr/share/shorewall-lite/wait4ifup
@@ -100,11 +101,17 @@ fi
 %doc COPYING changelog.txt releasenotes.txt

 %changelog
-* Sun Feb 14 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.7-2
-* Sat Feb 13 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.7-1
+* Fri Mar 19 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.8-0base
+* Tue Mar 16 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.8-0RC2
+* Mon Mar 08 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.8-0RC1
+* Sun Feb 28 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.8-0Beta2
 * Thu Feb 11 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.8-0Beta1
+* Fri Feb 05 2010 Tom Eastep tom@shorewall.net
 - Updated to 4.4.7-0base
 * Tue Feb 02 2010 Tom Eastep tom@shorewall.net
 - Updated to 4.4.7-0RC2
--- a/Shorewall-lite/uninstall.sh
+++ b/Shorewall-lite/uninstall.sh
@@ -26,7 +26,7 @@
 #       You may only use this script to uninstall the version
 #       shown below. Simply run this script to remove Shorewall Firewall

-VERSION=4.4.7.2
+VERSION=4.4.8

 usage() # $1 = exit status
 {
@@ -106,6 +106,7 @@ rm -rf /var/lib/shorewall-lite
 rm -rf /var/lib/shorewall-lite-*.bkout
 rm -rf /usr/share/shorewall-lite
 rm -rf /usr/share/shorewall-lite-*.bkout
+rm -f  /etc/logrotate.d/shorewall-lite

 echo "Shorewall Uninstalled"

--- a/Shorewall/Contrib/swping
+++ b/Shorewall/Contrib/swping
@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-#     Shorewall WAN Interface monitor - V4.2
+#     Shorewall WAN Interface monitor - V4.4
 #
 #     Inspired by Angsuman Chakraborty's gwping script.
 #
--- a/Shorewall/Contrib/swping.init
+++ b/Shorewall/Contrib/swping.init
@@ -1,5 +1,5 @@
 #!/bin/sh
-#     Shorewall WAN Interface monitor - V4.2
+#     Shorewall WAN Interface monitor - V4.4
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
--- a/Shorewall/Macros/macro.HKP
+++ b/Shorewall/Macros/macro.HKP
@@ -0,0 +1,11 @@
+#
+# Shorewall version 4 - HKP Macro
+#
+# /usr/share/shorewall/macro.HKP
+#
+#	This macro handles OpenPGP HTTP keyserver protocol traffic.
+#
+###############################################################################
+#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
+#				PORT(S)	PORT(S)	LIMIT	GROUP
+PARAM	-	-	tcp	11371
--- a/Shorewall/Perl/Shorewall/Chains.pm
+++ b/Shorewall/Perl/Shorewall/Chains.pm
@@ -174,7 +174,7 @@ our %EXPORT_TAGS = (

 Exporter::export_ok_tags('internal');

-our $VERSION = '4.4_7';
+our $VERSION = '4.4_8';

 #
 # Chain Table
@@ -262,6 +262,7 @@ our $chainseq;
 our $idiotcount;
 our $idiotcount1;
 our $warningcount;
+our $hashlimitset;

 our $global_variables;

@@ -351,7 +352,7 @@ sub initialize( $ ) {
    #
    $comment = '';
    #
-    # Used to sequence chains names.
+    # Used to sequence chain names.
    #
    $chainseq = 0;
    #
@@ -373,6 +374,7 @@ sub initialize( $ ) {
    $idiotcount         = 0;
    $idiotcount1        = 0;
    $warningcount       = 0;
+    $hashlimitset       = 0;
    #
    # The chain table is initialized via a call to initialize_chain_table() after the configuration and capabilities have been determined.
    #
@@ -633,7 +635,7 @@ sub add_jump( $$$;$$$ ) {
 	#
 	# Ensure that we have the chain unless it is a builtin like 'ACCEPT'
 	#
-	$toref = ensure_chain( $fromref->{table} , $to ) unless $builtin_target{ $to };
+	$toref = ensure_chain( $fromref->{table} , $to ) unless $builtin_target{$to} || $to =~ / --/; #If the target has options, it must be a builtin. 
    }

    #
@@ -768,9 +770,11 @@ sub zone_forward_chain($) {
 #
 # Returns true if we're to use the interface's forward chain
 #
-sub use_forward_chain($) {
-    my $interface = $_[0];
+sub use_forward_chain($$) {
+    my ( $interface, $chainref ) = @_;
    my $interfaceref = find_interface($interface);
+
+    return 1 if @{$chainref->{rules}} && ( $config{OPTIMIZE} & 4096 );
    #
    # We must use the interfaces's chain if the interface is associated with multiple zone nets
    #
@@ -804,10 +808,12 @@ sub zone_input_chain($) {
 #
 # Returns true if we're to use the interface's input chain
 #
-sub use_input_chain($) {
-    my $interface = $_[0];
+sub use_input_chain($$) {
+    my ( $interface, $chainref ) = @_;
    my $interfaceref = find_interface($interface);
    my $nets = $interfaceref->{nets};
+
+    return 1 if @{$chainref->{rules}} && ( $config{OPTIMIZE} & 4096 );
    #
    # We must use the interfaces's chain if:
    #
@@ -833,8 +839,6 @@ sub use_input_chain($) {
    #
    # Interface associated with a single zone -- use the zone's input chain if it has one
    #
-    my $chainref = $filter_table->{zone_input_chain $zone};
-
    return 0 if $chainref;
    #
    # Use the '<zone>2fw' chain if it is referenced.
@@ -862,10 +866,12 @@ sub zone_output_chain($) {
 #
 # Returns true if we're to use the interface's output chain
 #
-sub use_output_chain($) {
-    my $interface = $_[0];
+sub use_output_chain($$) {
+    my ( $interface, $chainref)  = @_;
    my $interfaceref = find_interface($interface);
    my $nets = $interfaceref->{nets};
+
+    return 1 if @{$chainref->{rules}} && ( $config{OPTIMIZE} & 4096 );
    #
    # We must use the interfaces's chain if the interface is associated with multiple zone nets
    #
@@ -877,8 +883,6 @@ sub use_output_chain($) {
    #
    # Interface associated with a single zone -- use the zone's output chain if it has one
    #
-    my $chainref = $filter_table->{zone_output_chain $interfaceref->{zone}};
-
    return 0 if $chainref;
    #
    # Use the 'fw2<zone>' chain if it is referenced.
@@ -1314,7 +1318,7 @@ sub optimize_chain( $ ) {
 	my $rules    = $chainref->{rules};
 	my $count    = 0;
    
-	pop @$rules;
+	pop @$rules; # Pop the plain -j ACCEPT rule at the end of the chain 

 	pop @$rules, $count++ while @$rules && $rules->[-1] =~ /-j ACCEPT\b/;

@@ -1507,7 +1511,7 @@ sub optimize_ruleset() {
    # The search continues until no short chains remain
    # Chains with 'dont_optimize = 1' are exempted from optimization
    #
-    for my $table ( qw/ raw mangle nat filter/ ) {
+    for my $table ( qw/raw mangle nat filter/ ) {

 	next if $family == F_IPV6 && $table eq 'nat';

@@ -1592,11 +1596,11 @@ sub optimize_ruleset() {
 				replace_references $chainref, $1;
 				$progress = 1;
 			    }
-			} elsif ( $firstrule =~ /-A $chainref->{name}( .*) -[jg] (.*)$/ ) {
+			} elsif ( $firstrule =~ /-A $chainref->{name}( +.+) -[jg] (.*)$/ ) {
 			    #
 			    # Not so easy -- the rule contains matches
 			    #
-			    if ( $chainref->{builtin} ) {
+			    if ( $chainref->{builtin} || ! have_capability 'KLUDGEFREE' ) {
 				#
 				# This case requires a new rule merging algorithm. Ignore this chain for
 				# now.
@@ -1842,12 +1846,12 @@ sub do_proto( $$$;$ )

 	  PROTO:
 	    {
-		if ( $proto == TCP || $proto == UDP || $proto == SCTP || $proto == DCCP ) {
+		if ( $proto == TCP || $proto == UDP || $proto == SCTP || $proto == DCCP || $proto == UDPLITE ) {
 		    my $multiport = 0;

 		    if ( $ports ne '' ) {
 			$invert = $ports =~ s/^!// ? '! ' : '';
-			if ( $ports =~ tr/,/,/ > 0 || $sports =~ tr/,/,/ > 0 ) {
+			if ( $ports =~ tr/,/,/ > 0 || $sports =~ tr/,/,/ > 0 || $proto == UDPLITE ) {
 			    fatal_error "Port lists require Multiport support in your kernel/iptables" unless have_capability( 'MULTIPORT' );
 			    fatal_error "Multiple ports not supported with SCTP" if $proto == SCTP;
 			    fatal_error "A port list in this file may only have up to 15 ports" if $restricted && port_count( $ports ) > 15;
@@ -1859,7 +1863,7 @@ sub do_proto( $$$;$ )
 			    $output .= "${invert}--dport ${ports} ";
 			}
 		    } else {
-			$multiport = ( ( $sports =~ tr/,/,/ ) > 0 );
+			$multiport = ( ( $sports =~ tr/,/,/ ) > 0 || $proto == UDPLITE );
 		    }

 		    if ( $sports ne '' ) {
@@ -2026,20 +2030,36 @@ sub do_ratelimit( $$ ) {

 	my $limit = "-m hashlimit ";
 	my $match = have_capability( 'OLD_HL_MATCH' ) ? 'hashlimit' : 'hashlimit-upto';
+	my $units;

 	if ( $rate =~ /^[sd]:((\w*):)?(\d+(\/(sec|min|hour|day))?):(\d+)$/ ) {
 	    $limit .= "--hashlimit $3 --hashlimit-burst $6 --hashlimit-name ";
-	    $limit .= $2 ? $2 : 'shorewall';
+	    $limit .= $2 ? $2 : 'shorewall' . $hashlimitset++;
 	    $limit .= ' --hashlimit-mode ';
+	    $units = $5;
 	} elsif ( $rate =~ /^[sd]:((\w*):)?(\d+(\/(sec|min|hour|day))?)$/ ) {
 	    $limit .= "--$match $3 --hashlimit-name ";
-	    $limit .= $2 ? $2 : 'shorewall';
+	    $limit .= $2 ? $2 :  'shorewall' . $hashlimitset++;
 	    $limit .= ' --hashlimit-mode ';
+	    $units = $5;
 	} else {
 	    fatal_error "Invalid rate ($rate)";
 	}

 	$limit .= $rate =~ /^s:/ ? 'srcip ' : 'dstip ';
+
+	if ( $units && $units ne 'sec' ) {
+	    my $expire = 60000; # 1 minute in milliseconds
+
+	    if ( $units ne 'min' ) {
+		$expire *= 60; #At least an hour
+		$expire *= 24 if $units eq 'day';
+	    }
+
+	    $limit .= "--hashlimit-htable-expire $expire ";
+	} 
+
+	$limit;
    } elsif ( $rate =~ /^(\d+(\/(sec|min|hour|day))?):(\d+)$/ ) {
 	"-m limit --limit $1 --limit-burst $4 ";
    } elsif ( $rate =~ /^(\d+)(\/(sec|min|hour|day))?$/ )  {
@@ -2626,7 +2646,7 @@ sub mark_firewall_not_started() {
 # Returns the name of the shell variable holding the first address of the passed interface
 #
 sub interface_address( $ ) {
-    my $variable = chain_base( $_[0] ) . '_address';
+    my $variable = 'sw_' . chain_base( $_[0] ) . '_address';
    uc $variable;
 }

@@ -2651,7 +2671,7 @@ sub get_interface_address ( $ ) {
 # Returns the name of the shell variable holding the broadcast addresses of the passed interface
 #
 sub interface_bcasts( $ ) {
-    my $variable = chain_base( $_[0] ) . '_bcasts';
+    my $variable = 'sw_' . chain_base( $_[0] ) . '_bcasts';
    uc $variable;
 }

@@ -2674,7 +2694,7 @@ sub get_interface_bcasts ( $ ) {
 # Returns the name of the shell variable holding the anycast addresses of the passed interface
 #
 sub interface_acasts( $ ) {
-    my $variable = chain_base( $_[0] ) . '_acasts';
+    my $variable = 'sw_' . chain_base( $_[0] ) . '_acasts';
    uc $variable;
 }

@@ -2697,7 +2717,7 @@ sub get_interface_acasts ( $ ) {
 # Returns the name of the shell variable holding the gateway through the passed interface
 #
 sub interface_gateway( $ ) {
-    my $variable = chain_base( $_[0] ) . '_gateway';
+    my $variable = 'sw_' . chain_base( $_[0] ) . '_gateway';
    uc $variable;
 }

@@ -2729,7 +2749,7 @@ sub get_interface_gateway ( $ ) {
 # Returns the name of the shell variable holding the addresses of the passed interface
 #
 sub interface_addresses( $ ) {
-    my $variable = chain_base( $_[0] ) . '_addresses';
+    my $variable = 'sw_' . chain_base( $_[0] ) . '_addresses';
    uc $variable;
 }

@@ -2759,7 +2779,7 @@ sub get_interface_addresses ( $ ) {
 # Returns the name of the shell variable holding the networks routed out of the passed interface
 #
 sub interface_nets( $ ) {
-    my $variable = chain_base( $_[0] ) . '_networks';
+    my $variable = 'sw_' . chain_base( $_[0] ) . '_networks';
    uc $variable;
 }

@@ -2790,7 +2810,7 @@ sub get_interface_nets ( $ ) {
 # Returns the name of the shell variable holding the MAC address of the gateway for the passed provider out of the passed interface
 #
 sub interface_mac( $$ ) {
-    my $variable = join( '_' , chain_base( $_[0] ) , chain_base( $_[1] ) , 'mac' );
+    my $variable = join( '_' , 'sw' , chain_base( $_[0] ) , chain_base( $_[1] ) , 'mac' );
    uc $variable;
 }

@@ -3256,7 +3276,7 @@ sub expand_rule( $$$$$$$$$$;$ )

 		    if ( $loglevel ne '' ) {
 			if ( $disposition ne 'LOG' ) {
-			    unless ( $logname ) {
+			    unless ( $logname || $target =~ /-j RETURN\b/ ) {
 				#
 				# Find/Create a chain that both logs and applies the target action
 				# and jump to the log chain if all of the rule's conditions are met
@@ -3270,7 +3290,7 @@ sub expand_rule( $$$$$$$$$$;$ )
 				log_rule_limit(
 					       $loglevel ,
 					       $chainref ,
-					       $logname ,
+					       $logname || $chain,
 					       $disposition ,
 					       '',
 					       $logtag,
--- a/Shorewall/Perl/Shorewall/Compiler.pm
+++ b/Shorewall/Perl/Shorewall/Compiler.pm
@@ -41,9 +41,9 @@ use Shorewall::IPAddrs;
 use Shorewall::Raw;

 our @ISA = qw(Exporter);
-our @EXPORT = qw( compiler EXPORT TIMESTAMP DEBUG );
+our @EXPORT = qw( compiler );
 our @EXPORT_OK = qw( $export );
-our $VERSION = '4.4_7';
+our $VERSION = '4.4_8';

 our $export;

@@ -72,9 +72,12 @@ sub initialize_package_globals() {
 #
 # First stage of script generation.
 #
-#    Copy prog.header to the generated script.
+#    Copy prog.header and lib.common to the generated script.
 #    Generate the various user-exit jacket functions.
 #
+#    Note: This function is not called when $command eq 'check'. So it must have no side effects other
+#          than those related to writing to the output script file.
+#
 sub generate_script_1() {

    if ( $test ) {
@@ -83,25 +86,19 @@ sub generate_script_1() {
 	my $date = localtime;

 	emit "#!/bin/sh\n#\n# Compiled firewall script generated by Shorewall $globals{VERSION} - $date\n#";
+
 	if ( $family == F_IPV4 ) {
 	    copy $globals{SHAREDIRPL} . 'prog.header';
 	} else {
 	    copy $globals{SHAREDIRPL} . 'prog.header6';
 	}
+
+	copy2 $globals{SHAREDIR} . '/lib.common';
    }

    my $lib = find_file 'lib.private';

-    if ( -f $lib ) {
-	emit <<'EOF';
-################################################################################
-# Functions imported from lib.private
-################################################################################
-EOF
-
-	copy1 $lib;
-	emit "\n";
-    }
+    copy2 $lib if -f $lib;

    emit <<'EOF';
 ################################################################################
@@ -164,24 +161,24 @@ sub generate_script_2() {
 	if ( $export ) {
 	    emit ( 'SHAREDIR=/usr/share/shorewall-lite',
 		   'CONFDIR=/etc/shorewall-lite',
-		   'PRODUCT="Shorewall Lite"'
+		   'g_product="Shorewall Lite"'
 		 );
 	} else {
 	    emit ( 'SHAREDIR=/usr/share/shorewall',
 		   'CONFDIR=/etc/shorewall',
-		   'PRODUCT=\'Shorewall\'',
+		   'g_product=\'Shorewall\'',
 		 );
 	}
    } else {
 	if ( $export ) {
 	    emit ( 'SHAREDIR=/usr/share/shorewall6-lite',
 		   'CONFDIR=/etc/shorewall6-lite',
-		   'PRODUCT="Shorewall6 Lite"'
+		   'g_product="Shorewall6 Lite"'
 		 );
 	} else {
 	    emit ( 'SHAREDIR=/usr/share/shorewall6',
 		   'CONFDIR=/etc/shorewall6',
-		   'PRODUCT=\'Shorewall6\'',
+		   'g_product=\'Shorewall6\'',
 		 );
 	}
    }
@@ -213,16 +210,15 @@ sub generate_script_2() {
    my @dont_load = split_list $config{DONT_LOAD}, 'module';

    emit ( '[ -n "${COMMAND:=restart}" ]',
-	   '[ -n "${VERBOSE:=0}" ]',
+	   '[ -n "${VERBOSITY:=0}" ]',
 	   qq([ -n "\${RESTOREFILE:=$config{RESTOREFILE}}" ]) );

-    emit ( qq(VERSION="$globals{VERSION}") ) unless $test;
+    emit ( qq(SHOREWALL_VERSION="$globals{VERSION}") ) unless $test;

    emit ( qq(PATH="$config{PATH}") ,
 	   'TERMINATOR=fatal_error' ,
 	   qq(DONT_LOAD="@dont_load") ,
 	   qq(STARTUP_LOG="$config{STARTUP_LOG}") ,
-	   "LOG_VERBOSE=$config{LOG_VERBOSITY}" ,
 	   ''
 	   );

@@ -231,7 +227,7 @@ sub generate_script_2() {
    append_file 'params' if $config{EXPORTPARAMS};

    emit ( '',
-	   "STOPPING=",
+	   "g_stopping=",
 	   '',
 	   '#',
 	   '# The library requires that ${VARDIR} exist',
@@ -375,7 +371,7 @@ sub generate_script_3($) {
 		   '        $IPSET -X' ,
 		   '        $IPSET -R < ${VARDIR}/ipsets.save' ,
 		   '    fi' ,
-		   'elif [ "$COMMAND" = restore -a -z "$RECOVERING" ]; then' ,
+		   'elif [ "$COMMAND" = restore -a -z "$g_recovering" ]; then' ,
 		   '    if [ -f $(my_pathname)-ipsets ]; then' ,
 		   '        if chain_exists shorewall; then' ,
 		   '            startup_error "Cannot restore $(my_pathname)-ipsets with Shorewall running"' ,
@@ -503,6 +499,7 @@ EOF
    pop_indent;
    setup_forwarding( $family , 1 );
    push_indent;
+
    emit<<'EOF';
    set_state "Started"
    run_restored_exit
@@ -511,6 +508,7 @@ else
        chainlist_reload
 EOF
    setup_forwarding( $family , 0 );
+
    emit<<'EOF';
        run_refreshed_exit
        do_iptables -N shorewall
@@ -521,6 +519,7 @@ EOF
        conditionally_flush_conntrack
 EOF
    setup_forwarding( $family , 0 );
+
    emit<<'EOF';
        run_start_exit
        do_iptables -N shorewall
@@ -535,16 +534,16 @@ date > ${VARDIR}/restarted

 case $COMMAND in
    start)
-        logger -p kern.info "$PRODUCT started"
+        logger -p kern.info "$g_product started"
        ;;
    restart)
-        logger -p kern.info "$PRODUCT restarted"
+        logger -p kern.info "$g_product restarted"
        ;;
    refresh)
-        logger -p kern.info "$PRODUCT refreshed"
+        logger -p kern.info "$g_product refreshed"
        ;;
    restore)
-        logger -p kern.info "$PRODUCT restored"
+        logger -p kern.info "$g_product restored"
        ;;
 esac
 EOF
@@ -704,11 +703,11 @@ sub compiler {
 	push_indent;
    }
    #
-    # Do all of the zone-independent stuff
+    # Do all of the zone-independent stuff (mostly /proc)
    #
    add_common_rules;
    #
-    # /proc stuff
+    # More /proc
    #
    if ( $family == F_IPV4 ) {
 	setup_arp_filtering;
--- a/Shorewall/Perl/Shorewall/Config.pm
+++ b/Shorewall/Perl/Shorewall/Config.pm
@@ -81,6 +81,7 @@ our %EXPORT_TAGS = ( internal => [ qw( create_temp_script
 				       pop_indent
 				       copy
 				       copy1
+				       copy2
 				       create_temp_aux_config
 				       finalize_aux_config
 				       set_shorewall_dir
@@ -128,7 +129,7 @@ our %EXPORT_TAGS = ( internal => [ qw( create_temp_script

 Exporter::export_ok_tags('internal');

-our $VERSION = '4.4_7';
+our $VERSION = '4.4_8';

 #
 # describe the current command, it's present progressive, and it's completion.
@@ -189,7 +190,7 @@ our %config;
 #
 # Config options and global settings that are to be copied to output script
 #
-our @propagateconfig = qw/ DISABLE_IPV6 MODULESDIR MODULE_SUFFIX LOAD_HELPERS_ONLY SUBSYSLOCK /;
+our @propagateconfig = qw/ DISABLE_IPV6 MODULESDIR MODULE_SUFFIX LOAD_HELPERS_ONLY SUBSYSLOCK LOG_VERBOSITY/;
 #
 # From parsing the capabilities file or detecting capabilities
 #
@@ -337,8 +338,8 @@ sub initialize( $ ) {
 		    TC_SCRIPT => '',
 		    EXPORT => 0,
 		    UNTRACKED => 0,
-		    VERSION => "4.4.7.2",
-		    CAPVERSION => 40407 ,
+		    VERSION => "4.4.8",
+		    CAPVERSION => 40408 ,
 		  );

    #
@@ -655,7 +656,7 @@ sub initialize( $ ) {
 	       LOG_TARGET => 1,         # Assume that we have it.
 	       PERSISTENT_SNAT => undef,
 	       OLD_HL_MATCH => undef,
-	       FLOW_FILTER => 'default',
+	       FLOW_FILTER => undef,
 	       CAPVERSION => undef,
 	       KERNELVERSION => undef,
 	       );
@@ -1199,6 +1200,62 @@ sub copy1( $ ) {
    $result;
 }

+#
+# This one drops header comments and replaces them with a three-line banner
+#
+sub copy2( $ ) {
+    assert( $script_enabled );
+    my $empty = 1;
+
+    if ( $script ) {
+	my $file = $_[0];
+
+	open IF , $file or fatal_error "Unable to open $file: $!";
+
+	while ( <IF> ) {
+	    $empty = 0, last unless /^#/;
+	}
+
+	unless ( $empty ) {
+	    print $script <<EOF;
+################################################################################
+#   Functions imported from $file
+################################################################################
+
+EOF
+	    print $script $_ unless /^\s*$/;
+
+	    while ( <IF> ) {
+		chomp;
+		if ( /^\s*$/ ) {
+		    print $script "\n" unless $lastlineblank;
+		    $lastlineblank = 1;
+		} else {
+		    if  ( $indent ) {
+			s/^(\s*)/$indent1$1$indent2/;
+			s/        /\t/ if $indent2;
+		    }
+		    
+		    print $script $_;
+		    print $script "\n";
+		    $lastlineblank = 0;
+		}
+	    }
+	    
+	    close IF;
+	
+	    print $script "\n" unless $lastlineblank;
+
+	    print $script <<EOF;
+################################################################################
+#   End of imports from $file
+################################################################################
+EOF
+	    $lastlineblank = 0;
+	}
+    }
+}
+
 #
 # Create the temporary script file -- the passed file name is the name of the final file.
 # We create a temporary file in the same directory so that we can use rename to finalize it.
@@ -2603,10 +2660,6 @@ sub read_capabilities() {
 	$capabilities{$_} = '' unless defined $capabilities{$_};
    }

-    if ( $capabilities{FLOW_FILTER} eq 'default' ) {
-	$capabilities{FLOW_FILTER} = $capabilities{OLD_HL_MATCH} ? '' : 'Yes';
-    }
-    
 }

 #
@@ -2951,7 +3004,7 @@ sub get_configuration( $ ) {

    $val = numeric_value $config{OPTIMIZE};

-    fatal_error "Invalid OPTIMIZE value ($config{OPTIMIZE})" unless defined( $val ) && $val >= 0 && $val <= 7;
+    fatal_error "Invalid OPTIMIZE value ($config{OPTIMIZE})" unless defined( $val ) && $val >= 0 && ( $val & ( 4096 ^ -1 ) ) <= 7;

    $globals{MARKING_CHAIN} = $config{MARK_IN_FORWARD_CHAIN} ? 'tcfor' : 'tcpre';

--- a/Shorewall/Perl/Shorewall/IPAddrs.pm
+++ b/Shorewall/Perl/Shorewall/IPAddrs.pm
@@ -47,6 +47,7 @@ our @EXPORT = qw( ALLIPv4
 		  ALL
 		  TCP
 		  UDP
+		  UDPLITE
 		  ICMP
 		  DCCP
 		  IPv6_ICMP
@@ -103,11 +104,11 @@ use constant { ALLIPv4             => '0.0.0.0/0' ,
 	       UDP                 => 17,
 	       DCCP                => 33,
 	       IPv6_ICMP           => 58,
-	       SCTP                => 132 };
+	       SCTP                => 132,
+	       UDPLITE             => 136 };

 our @rfc1918_networks = ( "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16" );

-
 #
 # Note: initialize() is declared at the bottom of the file
 #
@@ -314,9 +315,11 @@ sub validate_port( $$ ) {
 	$value = getservbyname( $port, $proto );
    }

-    fatal_error "Invalid/Unknown $proto port/service ($_[1])" unless defined $value;
+    return $value if defined $value;

-    $value;
+    fatal_error "The separator for a port range is ':', not '-' ($port)" if $port =~ /^\d+-\d+$/;
+
+    fatal_error "Invalid/Unknown $proto port/service ($_[1])" unless defined $value;
 }

 sub validate_portpair( $$ ) {
--- a/Shorewall/Perl/Shorewall/Nat.pm
+++ b/Shorewall/Perl/Shorewall/Nat.pm
@@ -3,7 +3,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007,2008,2009 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007,2008,2009,2010 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
--- a/Shorewall/Perl/Shorewall/Proc.pm
+++ b/Shorewall/Perl/Shorewall/Proc.pm
@@ -138,7 +138,7 @@ sub setup_route_filtering() {

 	emit "echo $val > /proc/sys/net/ipv4/conf/default/rp_filter" if $val ne '';

-	emit "[ -n \"\$NOROUTES\" ] || \$IP -4 route flush cache";
+	emit "[ -n \"\$g_noroutes\" ] || \$IP -4 route flush cache";
    }
 }

--- a/Shorewall/Perl/Shorewall/Providers.pm
+++ b/Shorewall/Perl/Shorewall/Providers.pm
@@ -35,7 +35,7 @@ use strict;
 our @ISA = qw(Exporter);
 our @EXPORT = qw( setup_providers @routemarked_interfaces handle_stickiness handle_optional_interfaces );
 our @EXPORT_OK = qw( initialize lookup_provider );
-our $VERSION = '4.4_7';
+our $VERSION = '4.4_8';

 use constant { LOCAL_TABLE   => 255,
 	       MAIN_TABLE    => 254,
@@ -416,7 +416,7 @@ sub add_a_provider( ) {
 	start_provider( $table, $number, qq(if interface_is_usable $physical && [ -n "$variable" ]; then) );
    } else {
 	if ( $optional ) {
-	    start_provider( $table, $number, qq(if [ -n "\$${base}_IS_USABLE" ]; then) );
+	    start_provider( $table, $number, qq(if [ -n "\$SW_${base}_IS_USABLE" ]; then) );
 	} elsif ( $gatewaycase eq 'detect' ) {
 	    start_provider( $table, $number, qq(if interface_is_usable $physical && [ -n "$gateway" ]; then) );
 	} else {
@@ -543,7 +543,7 @@ sub add_a_provider( ) {
 sub start_new_if( $ ) {
    our $current_if = shift;

-    emit ( '', qq(if [ -n "\$${current_if}_IS_USABLE" ]; then) );
+    emit ( '', qq(if [ -n "\$SW_${current_if}_IS_USABLE" ]; then) );
    push_indent;
 }
  
@@ -759,7 +759,7 @@ sub setup_providers() {

    first_entry sub() {
 	progress_message2 "$doing $fn...";
-	emit "\nif [ -z \"\$NOROUTES\" ]; then";
+	emit "\nif [ -z \"\$g_noroutes\" ]; then";
 	push_indent;
 	start_providers; };

@@ -792,7 +792,7 @@ sub setup_providers() {

 	setup_route_marking if @routemarked_interfaces;
    } else {
-	emit "\nif [ -z \"\$NOROUTES\" ]; then";
+	emit "\nif [ -z \"\$g_noroutes\" ]; then";

 	push_indent;

@@ -871,9 +871,9 @@ sub handle_optional_interfaces() {
 		emit qq(if interface_is_usable $physical; then);
 	    }

-	    emit( "    ${base}_IS_USABLE=Yes" ,
+	    emit( "    SW_${base}_IS_USABLE=Yes" ,
 		  'else' ,
-		  "    ${base}_IS_USABLE=" ,
+		  "    SW_${base}_IS_USABLE=" ,
 		  'fi' );
 	}

--- a/Shorewall/Perl/Shorewall/Proxyarp.pm
+++ b/Shorewall/Perl/Shorewall/Proxyarp.pm
@@ -76,7 +76,7 @@ sub setup_one_proxy_arp( $$$$$ ) {
    }

    unless ( $haveroute ) {
-	emit "[ -n \"\$NOROUTES\" ] || run_ip route replace $address dev $interface";
+	emit "[ -n \"\$g_noroutes\" ] || run_ip route replace $address dev $interface";
 	$haveroute = 1 if $persistent;
    }

--- a/Shorewall/Perl/Shorewall/Rules.pm
+++ b/Shorewall/Perl/Shorewall/Rules.pm
@@ -46,7 +46,7 @@ our @EXPORT = qw( process_tos
 		  compile_stop_firewall
 		  );
 our @EXPORT_OK = qw( process_rule process_rule1 initialize );
-our $VERSION = '4.4_7';
+our $VERSION = '4.4_8';

 #
 # Set to one if we find a SECTION
@@ -223,9 +223,12 @@ sub setup_blacklist() {
    my $chainref;
    my ( $level, $disposition ) = @config{'BLACKLIST_LOGLEVEL', 'BLACKLIST_DISPOSITION' };
    my $target = $disposition eq 'REJECT' ? 'reject' : $disposition;
-
+    #
+    # We go ahead and generate the blacklist chain and jump to it, even if it turns out to be empty. That is necessary
+    # for 'refresh' to work properly.
+    #
    if ( @$hosts ) {
-	$chainref = new_standard_chain 'blacklst';
+	$chainref = dont_delete new_standard_chain 'blacklst';

 	if ( defined $level && $level ne '' ) {
 	    my $logchainref = new_standard_chain 'blacklog';
@@ -274,6 +277,10 @@ sub setup_blacklist() {

 		progress_message "  \"$currentline\" added to blacklist";
 	    }
+
+	    warning_message q(There are interfaces or hosts with the 'blacklist' option but the 'blacklist' file is empty) if $first_entry && @$hosts;
+	} elsif ( @$hosts ) {
+	    warning_message q(There are interfaces or hosts with the 'blacklist' option, but the 'blacklist' file is either missing or has zero size);
 	}

 	my $state = $config{BLACKLISTNEWONLY} ? $globals{UNTRACKED} ? '-m state --state NEW,INVALID,UNTRACKED ' : '-m state --state NEW,INVALID ' : '';
@@ -1182,9 +1189,9 @@ sub process_rule1 ( $$$$$$$$$$$$$ ) {
    #
    # Generate Fixed part of the rule
    #
-    if ( ( $actiontype & ( NATRULE | NATONLY ) ) == NATRULE ) {
+    if ( $actiontype & ( NATRULE | NONAT ) && ! ( $actiontype & NATONLY ) ) {
 	#
-	# Don't apply rate limiting twice
+	# Either a DNAT, REDIRECT or ACCEPT+ rule; don't apply rate limiting twice
 	#
 	$rule = join( '', 
 		      do_proto($proto, $ports, $sports),
@@ -1629,6 +1636,32 @@ sub process_rules() {
    $section = 'DONE';
 }

+#
+# Helper functions for generate_matrix()
+#-----------------------------------------
+#
+# Return the target for rules from $zone to $zone1.
+#
+sub rules_target( $$ ) {
+    my ( $zone, $zone1 ) = @_;
+    my $chain = rules_chain( ${zone}, ${zone1} );
+    my $chainref = $filter_table->{$chain};
+    
+    return $chain   if $chainref && $chainref->{referenced};
+    return 'ACCEPT' if $zone eq $zone1;
+    
+    assert( $chainref );
+    
+    if ( $chainref->{policy} ne 'CONTINUE' ) {
+	my $policyref = $filter_table->{$chainref->{policychain}};
+	assert( $policyref );
+	return $policyref->{name} if $policyref ne $chainref;
+	return $chainref->{policy} eq 'REJECT' ? 'reject' : $chainref->{policy};
+    }
+    
+    ''; # CONTINUE policy
+}
+
 #
 # Add jumps from the builtin chains to the interface-chains that are used by this configuration
 #
@@ -1656,11 +1689,15 @@ sub add_interface_jumps {
    # Add the jumps to the interface chains from filter FORWARD, INPUT, OUTPUT
    #
    for my $interface ( @_ ) {
-	add_jump( $filter_table->{FORWARD} , forward_chain $interface , 0, match_source_dev( $interface ) ) unless $forward_jump_added{$interface} || ! use_forward_chain $interface;
-	add_jump( $filter_table->{INPUT}   , input_chain $interface ,   0, match_source_dev( $interface ) ) unless $input_jump_added{$interface}   || ! use_input_chain $interface;
+	my $forwardref = $filter_table->{forward_chain $interface};
+	my $inputref   = $filter_table->{input_chain $interface};
+	my $outputref  = $filter_table->{output_chain $interface};

-	unless ( $output_jump_added{$interface} || ! use_output_chain $interface ) {
-	    add_jump $filter_table->{OUTPUT} , output_chain $interface , 0, match_dest_dev( $interface ) unless get_interface_option( $interface, 'port' );
+	add_jump( $filter_table->{FORWARD} , $forwardref , 0, match_source_dev( $interface ) ) unless $forward_jump_added{$interface} || ! use_forward_chain $interface, $forwardref;
+	add_jump( $filter_table->{INPUT}   , $inputref ,   0, match_source_dev( $interface ) ) unless $input_jump_added{$interface}   || ! use_input_chain $interface, $inputref;
+
+	unless ( $output_jump_added{$interface} || ! use_output_chain $interface, $outputref ) {
+	    add_jump $filter_table->{OUTPUT} , $outputref , 0, match_dest_dev( $interface ) unless get_interface_option( $interface, 'port' );
 	}
    }
    #
@@ -1683,44 +1720,6 @@ sub add_interface_jumps {
 # The function traverses the full "source-zone by destination-zone" matrix and generates the rules necessary to direct traffic through the right set of filter-table rules.
 #
 sub generate_matrix() {
-    #
-    # Helper functions for generate_matrix()
-    #-----------------------------------------
-    #
-    # Return the target for rules from $zone to $zone1.
-    #
-    sub rules_target( $$ ) {
-	my ( $zone, $zone1 ) = @_;
-	my $chain = rules_chain( ${zone}, ${zone1} );
-	my $chainref = $filter_table->{$chain};
-
-	return $chain   if $chainref && $chainref->{referenced};
-	return 'ACCEPT' if $zone eq $zone1;
-
-	assert( $chainref );
-
-	if ( $chainref->{policy} ne 'CONTINUE' ) {
-	    my $policyref = $filter_table->{$chainref->{policychain}};
-	    assert( $policyref );
-	    return $policyref->{name} if $policyref ne $chainref;
-	    return $chainref->{policy} eq 'REJECT' ? 'reject' : $chainref->{policy};
-	}
-
-	''; # CONTINUE policy
-    }
-
-    #
-    # Set a breakpoint in this function if you want to step through generate_matrix().
-    #
-    sub start_matrix() {
-	progress_message2 'Generating Rule Matrix...';
-    }
-
-    #
-    #                               G e n e r a t e _ M a t r i x ( )   S t a r t s  H e r e
-    #
-    start_matrix;
-
    my @interfaces = ( all_interfaces );
    my $preroutingref = ensure_chain 'nat', 'dnat';
    my $fw = firewall_zone;
@@ -1731,6 +1730,7 @@ sub generate_matrix() {
    our %output_jump_added  = ();
    our %forward_jump_added = ();

+    progress_message2 'Generating Rule Matrix...';
    #
    # Special processing for complex configurations
    #
@@ -1753,11 +1753,10 @@ sub generate_matrix() {
 	    my $source_ref = ( $zoneref->{hosts}{ipsec} ) || {};

 	    for my $interface ( sort { interface_number( $a ) <=> interface_number( $b ) } keys %$source_ref ) {
-		my $sourcechainref;
+		my $sourcechainref = $filter_table->{forward_chain $interface};
 		my $interfacematch = '';

-		if ( use_forward_chain( $interface ) ) {
-		    $sourcechainref = $filter_table->{forward_chain $interface};
+		if ( use_forward_chain( $interface, $sourcechainref ) ) {
 		    add_jump $filter_table->{FORWARD} , $sourcechainref, 0 , match_source_dev( $interface ) unless $forward_jump_added{$interface}++;
 		} else {
 		    $sourcechainref = $filter_table->{FORWARD};
@@ -1871,7 +1870,7 @@ sub generate_matrix() {
 			    my $interfacematch = '';
 			    my $use_output = 0;

-			    if ( use_output_chain $interface || ( @{$interfacechainref->{rules}} && ! $chain1ref ) ) {
+			    if ( use_output_chain( $interface, $interfacechainref ) || ( @{$interfacechainref->{rules}} && ! $chain1ref ) ) {
 				$outputref = $interfacechainref;
 				add_jump $filter_table->{OUTPUT}, $outputref, 0, match_dest_dev( $interface ) unless $output_jump_added{$interface}++;
 				$use_output = 1;
@@ -1926,7 +1925,7 @@ sub generate_matrix() {
 			my $interfacematch = '';
 			my $use_input;

-			if ( use_input_chain $interface || ! $chain2 || ( @{$interfacechainref->{rules}} && ! $chain2ref ) ) {
+			if ( use_input_chain( $interface, $interfacechainref ) || ! $chain2 || ( @{$interfacechainref->{rules}} && ! $chain2ref ) ) {
 			    $inputchainref = $interfacechainref;
 			    add_jump $filter_table->{INPUT}, $inputchainref, 0, match_source_dev($interface) unless $input_jump_added{$interface}++;
 			    $use_input = 1;
@@ -1942,13 +1941,13 @@ sub generate_matrix() {

 			if ( $frwd_ref && $hostref->{ipsec} ne 'ipsec' ) {
 			    my $ref = source_exclusion( $exclusions, $frwd_ref );
-			    if ( use_forward_chain $interface ) {
-				my $forwardref = $filter_table->{forward_chain $interface};
+			    my $forwardref = $filter_table->{forward_chain $interface};
+			    if ( use_forward_chain $interface, $forwardref ) {
 				add_jump $forwardref , $ref, 0, join( '', $source, $ipsec_in_match );
 				add_jump $filter_table->{FORWARD} , $forwardref, 0 , match_source_dev( $interface ) unless $forward_jump_added{$interface}++;
 			    } else {
 				add_jump $filter_table->{FORWARD} , $ref, 0, join( '', match_source_dev( $interface ) , $source, $ipsec_in_match );
-				move_rules ( $filter_table->{forward_chain $interface} , $frwd_ref );
+				move_rules ( $forwardref , $frwd_ref );
 			    }
 			}
 		    }
@@ -2063,7 +2062,7 @@ sub generate_matrix() {
 			my $match_source_dev = '';
 			my $forwardchainref = $filter_table->{forward_chain $interface};

-			if ( use_forward_chain $interface || ( @{$forwardchainref->{rules} } && ! $chainref ) ) {
+			if ( use_forward_chain( $interface , $forwardchainref ) || ( @{$forwardchainref->{rules} } && ! $chainref ) ) {
 			    #
 			    # Either we must use the interface's forwarding chain or that chain has rules and we have nowhere to move them
 			    #
@@ -2242,35 +2241,34 @@ EOF

            case $COMMAND in
 	        start)
-	            logger -p kern.err "ERROR:$PRODUCT start failed"
+	            logger -p kern.err "ERROR:$g_product start failed"
 	            ;;
 	        restart)
-	            logger -p kern.err "ERROR:$PRODUCT restart failed"
+	            logger -p kern.err "ERROR:$g_product restart failed"
 	            ;;
 	        refresh)
-	            logger -p kern.err "ERROR:$PRODUCT refresh failed"
+	            logger -p kern.err "ERROR:$g_product refresh failed"
 	            ;;
            esac

            if [ "$RESTOREFILE" = NONE ]; then
                COMMAND=clear
                clear_firewall
-                echo "$PRODUCT Cleared"
+                echo "$g_product Cleared"

 	        kill $$
 	        exit 2
            else
-	        RESTOREPATH=${VARDIR}/$RESTOREFILE
+	        g_restorepath=${VARDIR}/$RESTOREFILE

-	        if [ -x $RESTOREPATH ]; then
-		    echo Restoring ${PRODUCT:=Shorewall}...
+	        if [ -x $g_restorepath ]; then
+		    echo Restoring ${g_product:=Shorewall}...
                    
-                    RECOVERING=Yes
-                    export RECOVERING
+                    g_recovering=Yes

-		    if $RESTOREPATH restore; then
-		        echo "$PRODUCT restored from $RESTOREPATH"
-		        set_state "Started"
+		    if run_it $g_restorepath restore; then
+		        echo "$g_product restored from $g_restorepath"
+		        set_state "Restored from $g_restorepath"
 		    else
 		        set_state "Unknown"
 		    fi
@@ -2282,11 +2280,14 @@ EOF
 	    ;;
    esac

+    if [ -n "$g_stopping" ]; then
+        kill $$
+        exit 1
+    fi
+
    set_state "Stopping"

-    STOPPING="Yes"
-
-    TERMINATOR=
+    g_stopping="Yes"

    deletechain shorewall

@@ -2310,7 +2311,7 @@ EOF
    if [ -f ${VARDIR}/proxyarp ]; then
 	while read address interface external haveroute; do
 	    qt arp -i $external -d $address pub
-	    [ -z "${haveroute}${NOROUTES}" ] && qt $IP -4 route del $address dev $interface
+	    [ -z "${haveroute}${g_noroutes}" ] && qt $IP -4 route del $address dev $interface
 	    f=/proc/sys/net/ipv4/conf/$interface/proxy_arp
 	    [ -f $f ] && echo 0 > $f
 	done < ${VARDIR}/proxyarp
@@ -2440,7 +2441,7 @@ EOF
    emit '
    set_state "Stopped"

-    logger -p kern.info "$PRODUCT Stopped"
+    logger -p kern.info "$g_product Stopped"

    case $COMMAND in
    stop|clear)
--- a/Shorewall/Perl/Shorewall/Tc.pm
+++ b/Shorewall/Perl/Shorewall/Tc.pm
@@ -40,7 +40,7 @@ use strict;
 our @ISA = qw(Exporter);
 our @EXPORT = qw( setup_tc );
 our @EXPORT_OK = qw( process_tc_rule initialize );
-our $VERSION = '4.4_7';
+our $VERSION = '4.4_8';

 our %tcs = ( T => { chain  => 'tcpost',
 		    connmark => 0,
@@ -132,7 +132,6 @@ our $devnum;
 our $sticky;
 our $ipp2p;

-
 #
 # TCClasses Table
 #
@@ -446,32 +445,11 @@ sub process_flow($) {
 sub process_simple_device() {
    my ( $device , $type , $bandwidth ) = split_line 1, 3, 'tcinterfaces';

-    my $devnumber;
-
-    if ( $device =~ /:/ ) {
-	( my $number, $device, my $rest )  = split /:/, $device, 3;
-
-	fatal_error "Invalid NUMBER:INTERFACE ($device:$number:$rest)" if defined $rest;
-
-	if ( defined $number ) {
-	    $devnumber = hex_value( $number );
-	    fatal_error "Invalid interface NUMBER ($number)" unless defined $devnumber && $devnumber;
-	    fatal_error "Duplicate interface number ($number)" if defined $devnums[ $devnumber ];
-	    $devnum = $devnumber if $devnumber > $devnum;
-	} else {
-	    fatal_error "Missing interface NUMBER";
-	}
-    } else {
-	$devnumber = ++$devnum;
-    }
-
-    $devnums[ $devnumber ] = $device;
-
-    my $number = in_hexp $devnumber;
-
    fatal_error "Duplicate INTERFACE ($device)"    if $tcdevices{$device};
    fatal_error "Invalid INTERFACE name ($device)" if $device =~ /[:+]/;

+    my $number = in_hexp( $tcdevices{$device} = ++$devnum );
+
    my $physical = physical_name $device;
    my $dev      = chain_base( $physical );

@@ -485,13 +463,7 @@ sub process_simple_device() {
 	}
    }

-    $tcdevices{$device} = { number   => $devnumber ,
-			    physical => physical_name $device ,
-			    type     => $type ,
-			    in_bandwidth => $bandwidth = rate_to_kbit( $bandwidth ) ,
-			  };
-
-    push @tcdevices, $device;
+    $bandwidth = rate_to_kbit( $bandwidth );

    emit "if interface_is_up $physical; then";

@@ -502,24 +474,20 @@ sub process_simple_device() {
 	   "qt \$TC qdisc del dev $physical ingress\n"	   
 	 );

-    if ( $bandwidth ) {
-	emit ( "run_tc qdisc add dev $physical handle ffff: ingress",
-	       "run_tc filter add dev $physical parent ffff: protocol all prio 10 u32 match ip src 0.0.0.0/0 police rate ${bandwidth}kbit burst 10k drop flowid :1\n"
-	     );
-    }
+    emit ( "run_tc qdisc add dev $physical handle ffff: ingress",
+	   "run_tc filter add dev $physical parent ffff: protocol all prio 10 u32 match ip src 0.0.0.0/0 police rate ${bandwidth}kbit burst 10k drop flowid :1\n"
+	 ) if $bandwidth;
 	  
    emit "run_tc qdisc add dev $physical root handle $number: prio bands 3 priomap $config{TC_PRIOMAP}";
-    
-    my $i = 0;

-    while ( ++$i <= 3 ) {
+    for ( my $i = 1; $i <= 3; $i++ ) {
 	emit "run_tc qdisc add dev $physical parent $number:$i handle ${number}${i}: sfq quantum 1875 limit 127 perturb 10";
-	emit "run_tc filter add dev $physical protocol all parent $number: handle $i fw classid $devnum:$i";
+	emit "run_tc filter add dev $physical protocol all parent $number: handle $i fw classid $number:$i";
 	emit "run_tc filter add dev $physical protocol all prio 1 parent ${number}$i: handle ${number}${i} flow hash keys $type divisor 1024" if $type ne '-' && have_capability 'FLOW_FILTER';
 	emit '';
    }

-    save_progress_message_short "   TC Device $physical defined.";
+    save_progress_message_short qq("   TC Device $physical defined.");
    
    pop_indent;
    emit 'else';
@@ -591,13 +559,13 @@ sub validate_tc_device( ) {
    if ( @redirected ) {
 	fatal_error "IFB devices may not have IN-BANDWIDTH" if $inband ne '-' && $inband;
 	$classify = 1;
-    }

-    for my $rdevice ( @redirected ) {
-	fatal_error "Invalid device name ($rdevice)" if $rdevice =~ /[:+]/;
-	my $rdevref = $tcdevices{$rdevice};
-	fatal_error "REDIRECTED device ($rdevice) has not been defined in this file" unless $rdevref;
-	fatal_error "IN-BANDWIDTH must be zero for REDIRECTED devices" if $rdevref->{in_bandwidth} ne '0kbit';
+	for my $rdevice ( @redirected ) {
+	    fatal_error "Invalid device name ($rdevice)" if $rdevice =~ /[:+]/;
+	    my $rdevref = $tcdevices{$rdevice};
+	    fatal_error "REDIRECTED device ($rdevice) has not been defined in this file" unless $rdevref;
+	    fatal_error "IN-BANDWIDTH must be zero for REDIRECTED devices" if $rdevref->{in_bandwidth} ne '0kbit';
+	}
    }

    $tcdevices{$device} = { in_bandwidth  => rate_to_kbit( $inband ) . 'kbit',
@@ -1094,7 +1062,7 @@ sub process_tc_filter( ) {

    $currentline =~ s/\s+/ /g;

-    save_progress_message_short qq("   TC Filter \"$currentline\" defined.");
+    save_progress_message_short qq('   TC Filter \"$currentline\" defined.');

    emit '';

@@ -1157,7 +1125,7 @@ sub process_tc_priority() {
 sub setup_simple_traffic_shaping() {
    my $interfaces;

-    save_progress_message "Setting up Traffic Control...";
+    save_progress_message q("Setting up Traffic Control...");

    my $fn = open_file 'tcinterfaces';

@@ -1171,9 +1139,12 @@ sub setup_simple_traffic_shaping() {
    my $fn1 = open_file 'tcpri';

    if ( $fn1 ) {
-	first_entry sub { progress_message2 "$doing $fn1...";
-			  warning_message "There are entries in $fn1 but $fn was empty" unless $interfaces;
-		      };
+	first_entry 
+	    sub { 
+		progress_message2 "$doing $fn1...";
+		warning_message "There are entries in $fn1 but $fn was empty" unless $interfaces;
+	    };
+
 	process_tc_priority while read_a_line;

 	clear_comment;
@@ -1188,7 +1159,7 @@ sub setup_simple_traffic_shaping() {
 sub setup_traffic_shaping() {
    our $lastrule = '';

-    save_progress_message "Setting up Traffic Control...";
+    save_progress_message q("Setting up Traffic Control...");

    my $fn = open_file 'tcdevices';

@@ -1198,6 +1169,9 @@ sub setup_traffic_shaping() {
 	validate_tc_device while read_a_line;
    }

+    my $sfq = $devnum;
+    my $sfqinhex;
+
    $devnum = $devnum > 10 ? 10 : 1;

    $fn = open_file 'tcclasses';
@@ -1267,7 +1241,7 @@ sub setup_traffic_shaping() {
 	    emit( "run_tc filter add dev $rdev parent ffff: protocol all u32 match u32 0 0 action mirred egress redirect dev $device > /dev/null" );
 	}

-	save_progress_message_short "   TC Device $device defined.";
+	save_progress_message_short qq("   TC Device $device defined.");

 	pop_indent;
 	emit 'else';
@@ -1334,17 +1308,18 @@ sub setup_traffic_shaping() {
 	    }
 	}

-	emit( "run_tc qdisc add dev $device parent $classid handle ${classnum}: sfq quantum \$quantum limit $tcref->{limit} perturb 10" ) if $tcref->{leaf} && ! $tcref->{pfifo};
+	if ( $tcref->{leaf} && ! $tcref->{pfifo} ) {
+	    $sfqinhex = in_hexp( ++$sfq);
+	    emit( "run_tc qdisc add dev $device parent $classid handle $sfqinhex: sfq quantum \$quantum limit $tcref->{limit} perturb 10" );
+	}
 	#
 	# add filters
 	#
 	unless ( $devref->{classify} ) {
-	    if ( $tcref->{occurs} == 1 ) {
-		emit "run_tc filter add dev $device protocol all parent $devicenumber:0 prio " . ( $priority | 20 ) . " handle $mark fw classid $classid";
-	    }
+	    emit "run_tc filter add dev $device protocol all parent $devicenumber:0 prio " . ( $priority | 20 ) . " handle $mark fw classid $classid" if $tcref->{occurs} == 1;
 	}

-	emit "run_tc filter add dev $device protocol all prio 1 parent $classnum: handle $classnum flow hash keys $tcref->{flow} divisor 1024" if $tcref->{flow};
+	emit "run_tc filter add dev $device protocol all prio 1 parent $sfqinhex: handle $classnum flow hash keys $tcref->{flow} divisor 1024" if $tcref->{flow};
 	#
 	# options
 	#
@@ -1368,7 +1343,7 @@ sub setup_traffic_shaping() {
 	$fn = open_file 'tcfilters';

 	if ( $fn ) {
-	    first_entry( sub { progress_message2 "$doing $fn..."; save_progress_message "Adding TC Filters"; } );
+	    first_entry( sub { progress_message2 "$doing $fn..."; save_progress_message q("Adding TC Filters"); } );

 	    process_tc_filter while read_a_line;
 	}
@@ -1415,7 +1390,7 @@ sub setup_tc() {
    }

    if ( $globals{TC_SCRIPT} ) {
-	save_progress_message 'Setting up Traffic Control...';
+	save_progress_message q('Setting up Traffic Control...');
 	append_file $globals{TC_SCRIPT};
    } elsif ( $config{TC_ENABLED} eq 'Internal' ) {
 	setup_traffic_shaping;
--- a/Shorewall/Perl/Shorewall/Tunnels.pm
+++ b/Shorewall/Perl/Shorewall/Tunnels.pm
@@ -3,7 +3,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007,2008,2009 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007,2008,2009,2010 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
--- a/Shorewall/Perl/Shorewall/Zones.pm
+++ b/Shorewall/Perl/Shorewall/Zones.pm
@@ -76,7 +76,7 @@ our @EXPORT = qw( NOTHING
 		 );

 our @EXPORT_OK = qw( initialize );
-our $VERSION = '4.4_7';
+our $VERSION = '4.4_8';

 #
 # IPSEC Option types
@@ -926,7 +926,7 @@ sub process_interface( $ ) {
 	if ( $options{bridge} ) {
 	    require_capability( 'PHYSDEV_MATCH', 'The "bridge" option', 's');
 	    fatal_error "Bridges may not have wildcard names" if $wildcard;
-	    $options{routeback} = 1;
+	    $hostoptions{routeback} = $options{routeback} = 1;
 	}

 	$zoneref->{options}{in_out}{routeback} = 1 if $zoneref && $options{routeback};
--- a/Shorewall/Perl/compiler.pl
+++ b/Shorewall/Perl/compiler.pl
@@ -4,7 +4,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007,2008,2009 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007,2008,2009,2010 - Tom Eastep (teastep@shorewall.net)
 #
 #	Complete documentation is available at http://shorewall.net
 #
@@ -45,7 +45,6 @@ use Shorewall::Compiler;
 use Getopt::Long;

 sub usage( $ ) {
-    my $returnval = shift @_;

    print STDERR 'usage: compiler.pl [ <option> ... ] [ <filename> ]

@@ -63,7 +62,7 @@ sub usage( $ ) {
    [ --family={4|6} ]
 ';

-    exit $returnval;
+    exit shift @_;
 }

 #
@@ -109,7 +108,7 @@ my $result = GetOptions('h'               => \$help,
 usage(1) unless $result && @ARGV < 2;
 usage(0) if $help;

-compiler( script          => defined $ARGV[0] ? $ARGV[0] : '',
+compiler( script          => $ARGV[0] || '',
 	  directory       => $shorewall_dir,
 	  verbosity       => $verbose,
 	  timestamp       => $timestamp,
--- a/Shorewall/Perl/prog.footer
+++ b/Shorewall/Perl/prog.footer
@@ -5,7 +5,16 @@
 # Give Usage Information
 #
 usage() {
-    echo "Usage: $0 [ -q ] [ -v ] [ -n ] [ start|stop|clear|reset|refresh|restart|status|version ]"
+    echo "Usage: $0 [ options ] [ start|stop|clear|reset|refresh|restart|status|version ]"
+    echo 
+    echo "Options are:"
+    echo
+    echo "   -v and -q        Standard Shorewall verbosity controls"
+    echo "   -n               Don't unpdate routing configuration"
+    echo "   -p               Purge Conntrack Table"
+    echo "   -t               Timestamp progress Messages"
+    echo "   -V <verbosity>   Set verbosity explicitly"
+    echo "   -R <file>        Override RESTOREFILE setting"
    exit $1
 }
 ################################################################################
@@ -23,6 +32,17 @@ if [ $# -gt 1 ]; then
 	shift
    fi
 fi
+#
+# Map VERBOSE to VERBOSITY for compatibility with old Shorewall-lite installations
+#
+[ -z "$VERBOSITY" ] && [ -n "$VERBOSE" ] && VERBOSITY=$VERBOSE
+#
+# Map other old exported variables
+#
+g_purge=$PURGE
+g_noroutes=$NOROUTES
+g_timestamp=$TIMESTAMP
+g_recovering=$RECOVERING

 initialize

@@ -51,17 +71,78 @@ while [ $finished -eq 0 -a $# -gt 0 ]; do
 	    while [ -n "$option" ]; do
 		case $option in
 		    v*)
-			VERBOSE=$(($VERBOSE + 1 ))
+			[ $VERBOSITY -lt 2 ] && VERBOSITY=$(($VERBOSITY + 1 ))
 			option=${option#v}
 			;;
 		    q*)
-			VERBOSE=$(($VERBOSE - 1 ))
+			[ $VERBOSITY -gt -1 ] && VERBOSITY=$(($VERBOSITY - 1 ))
 			option=${option#q}
 			;;
 		    n*)
-			NOROUTES=Yes
+			g_noroutes=Yes
 			option=${option#n}
 			;;
+		    t*)
+			g_timestamp=Yes
+			option=${option#t}
+			;;			
+		    p*)
+			g_purge=Yes
+			option=${option#p}
+			;;
+		    r*)
+			g_recovering=Yes
+			option=${option#r}
+			;;
+		    V*)
+			option=${option#V}
+
+			if [ -z "$option" -a $# -gt 0 ]; then
+			    shift
+			    option=$1
+			fi
+
+			if [ -n "$option" ]; then
+			    case $option in
+				-1|0|1|2)
+				    VERBOSITY=$option
+				    option=
+				    ;;
+				*)
+				    startup_error "Invalid -V option value ($option)"
+				    ;;
+			    esac
+			else
+			    startup_error "Missing -V option value"
+			fi
+			;;
+		    R*)
+			option=${option#R}
+
+			if [ -z "$option" -a $# -gt 0 ]; then
+			    shift
+			    option=$1
+			fi
+
+			if [ -n "$option" ]; then
+			    case $option in
+				*/*)		    
+	    			    startup_error "-R must specify a simple file name: $option"
+				    ;;
+				.safe|.try|NONE)
+				    ;;
+				.*)
+				    error_message "ERROR: Reserved File Name: $RESTOREFILE"
+				    exit 2
+				    ;;
+			    esac
+			else
+			    startup_error "Missing -R option value"
+			fi
+
+			RESTOREFILE=$option
+			option=
+			;;
 		    *)
 			usage 1
 			;;
@@ -77,16 +158,14 @@ done

 COMMAND="$1"

-[ -n "${PRODUCT:=Shorewall}" ]
-
 case "$COMMAND" in
    start)
 	[ $# -ne 1 ] && usage 2
 	if shorewall_is_started; then
-	    error_message "$PRODUCT is already Running"
+	    error_message "$g_product is already Running"
 	    status=0
 	else
-	    progress_message3 "Starting $PRODUCT...."
+	    progress_message3 "Starting $g_product...."
 	    detect_configuration
 	    define_firewall
 	    status=$?
@@ -96,7 +175,7 @@ case "$COMMAND" in
 	;;
    stop)
 	[ $# -ne 1 ] && usage 2
-	progress_message3 "Stopping $PRODUCT...."
+	progress_message3 "Stopping $g_product...."
 	detect_configuration
 	stop_firewall
 	status=0
@@ -105,7 +184,7 @@ case "$COMMAND" in
 	;;
    reset)
 	if ! shorewall_is_started ; then
-	    error_message "$PRODUCT is not running"
+	    error_message "$g_product is not running"
 	    status=2
 	elif [ $# -eq 1 ]; then
 	    $IPTABLES -Z
@@ -113,7 +192,7 @@ case "$COMMAND" in
 	    $IPTABLES -t mangle -Z
 	    date > ${VARDIR}/restarted
 	    status=0
-	    progress_message3 "$PRODUCT Counters Reset"
+	    progress_message3 "$g_product Counters Reset"
 	else
 	    shift
 	    status=0
@@ -135,10 +214,10 @@ case "$COMMAND" in
    restart)
 	[ $# -ne 1 ] && usage 2
 	if shorewall_is_started; then
-	    progress_message3 "Restarting $PRODUCT...."
+	    progress_message3 "Restarting $g_product...."
 	else
-	    error_message "$PRODUCT is not running"
-	    progress_message3 "Starting $PRODUCT...."
+	    error_message "$g_product is not running"
+	    progress_message3 "Starting $g_product...."
 	fi

 	detect_configuration
@@ -152,13 +231,13 @@ case "$COMMAND" in
    refresh)
 	[ $# -ne 1 ] && usage 2
 	if shorewall_is_started; then
-	    progress_message3 "Refreshing $PRODUCT...."
+	    progress_message3 "Refreshing $g_product...."
 	    detect_configuration
 	    define_firewall
 	    status=$?
 	    progress_message3 "done."
 	else
-	    echo "$PRODUCT is not running" >&2
+	    echo "$g_product is not running" >&2
 	    status=2
 	fi
 	;;
@@ -173,7 +252,7 @@ case "$COMMAND" in
 	;;
    clear)
 	[ $# -ne 1 ] && usage 2
-	progress_message3 "Clearing $PRODUCT...."
+	progress_message3 "Clearing $g_product...."
 	clear_firewall
 	status=0
 	[ -n "$SUBSYSLOCK" ] && rm -f $SUBSYSLOCK
@@ -181,13 +260,13 @@ case "$COMMAND" in
 	;;
    status)
 	[ $# -ne 1 ] && usage 2
-	echo "$PRODUCT-$VERSION Status at $HOSTNAME - $(date)"
+	echo "$g_product-$SHOREWALL_VERSION Status at $(hostname) - $(date)"
 	echo
 	if shorewall_is_started; then
-	    echo "$PRODUCT is running"
+	    echo "$g_product is running"
 	    status=0
 	else
-	    echo "$PRODUCT is stopped"
+	    echo "$g_product is stopped"
 	    status=4
 	fi

@@ -206,7 +285,7 @@ case "$COMMAND" in
 	;;
    version)
 	[ $# -ne 1 ] && usage 2
-	echo $VERSION
+	echo $SHOREWALL_VERSION
 	status=0
 	;;
    help)
--- a/Shorewall/Perl/prog.footer6
+++ b/Shorewall/Perl/prog.footer6
@@ -5,7 +5,16 @@
 # Give Usage Information
 #
 usage() {
-    echo "Usage: $0 [ -q ] [ -v ] [ -n ] [ start|stop|clear|reset|refresh|restart|status|version ]"
+    echo "Usage: $0 [ options ] [ start|stop|clear|reset|refresh|restart|status|version ]"
+    echo 
+    echo "Options are:"
+    echo
+    echo "   -v and -q        Standard Shorewall verbosity controls"
+    echo "   -n               Don't unpdate routing configuration"
+    echo "   -p               Purge Conntrack Table"
+    echo "   -t               Timestamp progress Messages"
+    echo "   -V <verbosity>   Set verbosity explicitly"
+    echo "   -R <file>        Override RESTOREFILE setting"
    exit $1
 }
 ################################################################################
@@ -23,6 +32,17 @@ if [ $# -gt 1 ]; then
 	shift
    fi
 fi
+#
+# Map VERBOSE to VERBOSITY for compatibility with old Shorewall6-lite installations
+#
+[ -z "$VERBOSITY" ] && [ -n "$VERBOSE" ] && VERBOSITY=$VERBOSE
+#
+# Map other old exported variables
+#
+g_purge=$PURGE
+g_noroutes=$NOROUTES
+g_timestamp=$TIMESTAMP
+g_recovering=$RECOVERING

 initialize

@@ -51,19 +71,77 @@ while [ $finished -eq 0 -a $# -gt 0 ]; do
 	    while [ -n "$option" ]; do
 		case $option in
 		    v*)
-			VERBOSE=$(($VERBOSE + 1 ))
+			[ $VERBOSITY -lt 2 ] && VERBOSITY=$(($VERBOSITY + 1 ))
 			option=${option#v}
 			;;
 		    q*)
-			VERBOSE=$(($VERBOSE - 1 ))
+			[ $VERBOSITY -gt -1 ] && VERBOSITY=$(($VERBOSITY - 1 ))
 			option=${option#q}
 			;;
 		    n*)
-			NOROUTES=Yes
+			g_noroutes=Yes
 			option=${option#n}
 			;;
-		    *)
-			usage 1
+		    t*)
+			g_timestamp=Yes
+			option=${option#t}
+			;;			
+		    p*)
+			g_purge=Yes
+			option=${option#p}
+			;;
+		    r*)
+			g_recovering=Yes
+			option=${option#r}
+			;;
+		    V*)
+			option=${option#V}
+
+			if [ -z "$option" -a $# -gt 0 ]; then
+			    shift
+			    option=$1
+			fi
+
+			if [ -n "$option" ]; then
+			    case $option in
+				-1|0|1|2)
+				    VERBOSITY=$option
+				    option=
+				    ;;
+				*)
+				    startup_error "Invalid -V option value ($option)"
+				    ;;
+			    esac
+			else
+			    startup_error "Missing -V option value"
+			fi
+			;;
+		    R*)
+			option=${option#R}
+
+			if [ -z "$option" -a $# -gt 0 ]; then
+			    shift
+			    option=$1
+			fi
+
+			if [ -n "$option" ]; then
+			    case $option in
+				*/*)		    
+	    			    startup_error "-R must specify a simple file name: $option"
+				    ;;
+				.safe|.try|NONE)
+				    ;;
+				.*)
+				    error_message "ERROR: Reserved File Name: $RESTOREFILE"
+				    exit 2
+				    ;;
+			    esac
+			else
+			    startup_error "Missing -R option value"
+			fi
+
+			RESTOREFILE=$option
+			option=
 			;;
 		esac
 	    done
@@ -77,21 +155,19 @@ done

 COMMAND="$1"

-[ -n "${PRODUCT:=Shorewall6}" ]
-
 kernel=$(printf "%2d%02d%02d" $(uname -r 2> /dev/null | sed -e 's/-.*//' -e 's/^\([0-9][0-9]*\)\.\([0-9][0-9]*\)\.\([0-9][0-9]*\).*$/\1 \2 \3/g'))
 if [ $kernel -lt 20624 ]; then
-    error_message "ERROR: $PRODUCT requires Linux kernel 2.6.24 or later"
+    error_message "ERROR: $g_product requires Linux kernel 2.6.24 or later"
    status=2
 else
    case "$COMMAND" in
 	start)
 	    [ $# -ne 1 ] && usage 2
 	    if shorewall6_is_started; then
-		error_message "$PRODUCT is already Running"
+		error_message "$g_product is already Running"
 		status=0
 	    else
-		progress_message3 "Starting $PRODUCT...."
+		progress_message3 "Starting $g_product...."
 		detect_configuration
 		define_firewall
 		status=$?
@@ -101,7 +177,7 @@ else
 	    ;;
 	stop)
 	    [ $# -ne 1 ] && usage 2
-	    progress_message3 "Stopping $PRODUCT...."
+	    progress_message3 "Stopping $g_product...."
 	    detect_configuration
 	    stop_firewall
 	    status=0
@@ -110,14 +186,14 @@ else
 	    ;;
 	reset)
 	    if ! shorewall6_is_started ; then
-		error_message "$PRODUCT is not running"
+		error_message "$g_product is not running"
 		status=2
 	    elif [ $# -eq 1 ]; then
 		$IP6TABLES -Z
 		$IP6TABLES -t mangle -Z
 		date > ${VARDIR}/restarted
 		status=0
-		progress_message3 "$PRODUCT Counters Reset"
+		progress_message3 "$g_product Counters Reset"
 	    else
 		shift
 		status=0
@@ -139,10 +215,10 @@ else
 	restart)
 	    [ $# -ne 1 ] && usage 2
 	    if shorewall6_is_started; then
-		progress_message3 "Restarting $PRODUCT...."
+		progress_message3 "Restarting $g_product...."
 	    else
-		error_message "$PRODUCT is not running"
-		progress_message3 "Starting $PRODUCT...."
+		error_message "$g_product is not running"
+		progress_message3 "Starting $g_product...."
 	    fi

 	    detect_configuration
@@ -156,13 +232,13 @@ else
 	refresh)
 	    [ $# -ne 1 ] && usage 2
 	    if shorewall6_is_started; then
-		progress_message3 "Refreshing $PRODUCT...."
+		progress_message3 "Refreshing $g_product...."
 		detect_configuration
 		define_firewall
 		status=$?
 		progress_message3 "done."
 	    else
-		echo "$PRODUCT is not running" >&2
+		echo "$g_product is not running" >&2
 		status=2
 	    fi
 	    ;;
@@ -177,7 +253,7 @@ else
 	    ;;
 	clear)
 	    [ $# -ne 1 ] && usage 2
-	    progress_message3 "Clearing $PRODUCT...."
+	    progress_message3 "Clearing $g_product...."
 	    clear_firewall
 	    status=0
 	    [ -n "$SUBSYSLOCK" ] && rm -f $SUBSYSLOCK
@@ -185,13 +261,13 @@ else
 	    ;;
 	status)
 	    [ $# -ne 1 ] && usage 2
-	    echo "$PRODUCT-$VERSION Status at $HOSTNAME - $(date)"
+	    echo "$g_product-$SHOREWALL_VERSION Status at $(hostname) - $(date)"
 	    echo
 	    if shorewall6_is_started; then
-		echo "$PRODUCT is running"
+		echo "$g_product is running"
 		status=0
 	    else
-		echo "$PRODUCT is stopped"
+		echo "$g_product is stopped"
 		status=4
 	    fi

@@ -210,7 +286,7 @@ else
 	    ;;
 	version)
 	    [ $# -ne 1 ] && usage 2
-	    echo $VERSION
+	    echo $SHOREWALL_VERSION
 	    status=0
 	    ;;
 	help)
--- a/Shorewall/Perl/prog.header
+++ b/Shorewall/Perl/prog.header
@@ -1,11 +1,18 @@
+#!/bin/sh
+#
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 1999-2009 - Tom Eastep (teastep@shorewall.net)
+#     (c) 1999-2010 - Tom Eastep (teastep@shorewall.net)
 #
 #	Options are:
 #
 #	    -n				  Don't alter Routing
 #	    -v and -q			  Standard Shorewall Verbosity control
+#           -t                            Timestamp progress messages
+#           -p                            Purge conntrack table
+#           -r                            Recover from failed start/restart
+#           -V <verbosity>                Set verbosity level explicitly
+#           -R <restore>                  Overrides RESTOREFILE setting
 #
 #	Commands are:
 #
@@ -22,14 +29,6 @@
 ################################################################################
 # Functions imported from /usr/share/shorewall/prog.header
 ################################################################################
-#
-# Message to stderr
-#
-error_message() # $* = Error Message
-{
-   echo "   $@" >&2
-}
-
 #
 # Conditionally produce message
 #
@@ -38,12 +37,12 @@ progress_message() # $* = Message
    local timestamp
    timestamp=

-    if [ $VERBOSE -gt 1 ]; then
-	[ -n "$TIMESTAMP" ] && timestamp="$(date +%H:%M:%S) "
+    if [ $VERBOSITY -gt 1 ]; then
+	[ -n "$g_timestamp" ] && timestamp="$(date +%H:%M:%S) "
 	echo "${timestamp}$@"
    fi

-    if [ $LOG_VERBOSE -gt 1 ]; then
+    if [ $LOG_VERBOSITY -gt 1 ]; then
        timestamp="$(date +'%b %_d %T') "
        echo "${timestamp}$@" >> $STARTUP_LOG
    fi
@@ -54,12 +53,12 @@ progress_message2() # $* = Message
    local timestamp
    timestamp=

-    if [ $VERBOSE -gt 0 ]; then
-	[ -n "$TIMESTAMP" ] && timestamp="$(date +%H:%M:%S) "
+    if [ $VERBOSITY -gt 0 ]; then
+	[ -n "$g_timestamp" ] && timestamp="$(date +%H:%M:%S) "
 	echo "${timestamp}$@"
    fi

-    if [ $LOG_VERBOSE -gt 0 ]; then
+    if [ $LOG_VERBOSITY -gt 0 ]; then
        timestamp="$(date +'%b %_d %T') "
        echo "${timestamp}$@" >> $STARTUP_LOG
    fi
@@ -70,93 +69,17 @@ progress_message3() # $* = Message
    local timestamp
    timestamp=

-    if [ $VERBOSE -ge 0 ]; then
-	[ -n "$TIMESTAMP" ] && timestamp="$(date +%H:%M:%S) "
+    if [ $VERBOSITY -ge 0 ]; then
+	[ -n "$g_timestamp" ] && timestamp="$(date +%H:%M:%S) "
 	echo "${timestamp}$@"
    fi

-    if [ $LOG_VERBOSE -ge 0 ]; then
+    if [ $LOG_VERBOSITY -ge 0 ]; then
        timestamp="$(date +'%b %_d %T') "
        echo "${timestamp}$@" >> $STARTUP_LOG
    fi
 }

-#
-# Split a colon-separated list into a space-separated list
-#
-split() {
-    local ifs
-    ifs=$IFS
-    IFS=:
-    echo $*
-    IFS=$ifs
-}
-
-#
-# Search a list looking for a match -- returns zero if a match found
-# 1 otherwise
-#
-list_search() # $1 = element to search for , $2-$n = list
-{
-    local e
-    e=$1
-
-    while [ $# -gt 1 ]; do
-	shift
-	[ "x$e" = "x$1" ] && return 0
-    done
-
-    return 1
-}
-
-#
-# Suppress all output for a command
-#
-qt()
-{
-    "$@" >/dev/null 2>&1
-}
-
-qt1()
-{
-    local status
-
-    while [ 1 ]; do
-	"$@" >/dev/null 2>&1
-	status=$?
-	[ $status -ne 4 ] && return $status
-    done
-}
-
-#
-# Determine if Shorewall is "running"
-#
-shorewall_is_started() {
-    qt1 $IPTABLES -L shorewall -n
-}
-
-#
-# Echos the fully-qualified name of the calling shell program
-#
-my_pathname() {
-    cd $(dirname $0)
-    echo $PWD/$(basename $0)
-}
-
-#
-# Source a user exit file if it exists
-#
-run_user_exit() # $1 = file name
-{
-    local user_exit
-    user_exit=$(find_file $1)
-
-    if [ -f $user_exit ]; then
-	progress_message "Processing $user_exit ..."
-	. $user_exit
-    fi
-}
-
 #
 # Set a standard chain's policy
 #
@@ -197,243 +120,6 @@ deleteallchains() {
    run_iptables -X
 }

-#
-# Load a Kernel Module -- assumes that the variable 'moduledirectories' contains
-#                         a space-separated list of directories to search for
-#                         the module and that 'moduleloader' contains the
-#                         module loader command.
-#
-loadmodule() # $1 = module name, $2 - * arguments
-{
-    local modulename
-    modulename=$1
-    local modulefile
-    local suffix
-
-    if ! list_search $modulename $DONT_LOAD $MODULES; then
-	shift
-
-	for suffix in $MODULE_SUFFIX ; do
-	    for directory in $moduledirectories; do
-		modulefile=$directory/${modulename}.${suffix}
-
-		if [ -f $modulefile ]; then
-		    case $moduleloader in
-			insmod)
-			    insmod $modulefile $*
-			    ;;
-			*)
-			    modprobe $modulename $*
-			    ;;
-		    esac
-		    break 2
-		fi
-	    done
-	done
-    fi
-}
-
-#
-# Reload the Modules
-#
-reload_kernel_modules() {
-
-    local save_modules_dir
-    save_modules_dir=$MODULESDIR
-    local directory
-    local moduledirectories
-    moduledirectories=
-    local moduleloader
-    moduleloader=modprobe
-    local uname
-
-    if ! qt mywhich modprobe; then
-	moduleloader=insmod
-    fi
-
-    [ -n "${MODULE_SUFFIX:=o gz ko o.gz ko.gz}" ]
-
-    [ -z "$MODULESDIR" ] && \
-	uname=$(uname -r) && \
-	MODULESDIR=/lib/modules/$uname/kernel/net/ipv4/netfilter:/lib/modules/$uname/kernel/net/netfilter:/lib/modules/$uname/kernel/net/sched:/lib/modules/$uname/extra:/lib/modules/$uname/extra/ipset
-
-    MODULES=$(lsmod | cut -d ' ' -f1)
-
-    for directory in $(split $MODULESDIR); do
-	[ -d $directory ] && moduledirectories="$moduledirectories $directory"
-    done
-
-    [ -n "$moduledirectories" ] && while read command; do
-	eval $command
-    done
-
-    MODULESDIR=$save_modules_dir
-}
-
-#
-# Load kernel modules required for Shorewall
-#
-load_kernel_modules() # $1 = Yes, if we are to save moduleinfo in $VARDIR
-{
-    local save_modules_dir
-    save_modules_dir=$MODULESDIR
-    local directory
-    local moduledirectories
-    moduledirectories=
-    local moduleloader
-    moduleloader=modprobe
-    local savemoduleinfo
-    savemoduleinfo=${1:-Yes} # So old compiled scripts still work
-    local uname
-
-    if ! qt mywhich modprobe; then
-	moduleloader=insmod
-    fi
-
-    [ -n "${MODULE_SUFFIX:=o gz ko o.gz ko.gz}" ]
-
-    [ -z "$MODULESDIR" ] && \
-	uname=$(uname -r) && \
-	MODULESDIR=/lib/modules/$uname/kernel/net/ipv4/netfilter:/lib/modules/$uname/kernel/net/netfilter:/lib/modules/$uname/kernel/net/sched:/lib/modules/$uname/extra:/lib/modules/$uname/extra/ipset
-
-    for directory in $(split $MODULESDIR); do
-	[ -d $directory ] && moduledirectories="$moduledirectories $directory"
-    done
-
-    [ -n "$LOAD_HELPERS_ONLY" ] && modules=$(find_file helpers) || modules=$(find_file modules)
-
-    if [ -f $modules -a -n "$moduledirectories" ]; then
-	MODULES=$(lsmod | cut -d ' ' -f1)
-	progress_message "Loading Modules..."
-	. $modules
-	if [ $savemoduleinfo = Yes ]; then
-	    [ -d ${VARDIR} ] || mkdir -p ${VARDIR}
-	    echo MODULESDIR="$MODULESDIR" > ${VARDIR}/.modulesdir
-	    cp -f $modules ${VARDIR}/.modules
-	fi
-    elif [ $savemoduleinfo = Yes ]; then
-	[ -d ${VARDIR} ] || mkdir -p ${VARDIR}
-	> ${VARDIR}/.modulesdir
-	> ${VARDIR}/.modules
-    fi
-
-    MODULESDIR=$save_modules_dir
-}
-
-#
-#  Note: The following set of IP address manipulation functions have anomalous
-#        behavior when the shell only supports 32-bit signed arithmetic and
-#        the IP address is 128.0.0.0 or 128.0.0.1.
-#
-
-LEFTSHIFT='<<'
-
-#
-# Convert an IP address in dot quad format to an integer
-#
-decodeaddr() {
-    local x
-    local temp
-    temp=0
-    local ifs
-    ifs=$IFS
-
-    IFS=.
-
-    for x in $1; do
-	temp=$(( $(( $temp $LEFTSHIFT 8 )) | $x ))
-    done
-
-    echo $temp
-
-    IFS=$ifs
-}
-
-#
-# convert an integer to dot quad format
-#
-encodeaddr() {
-    addr=$1
-    local x
-    local y
-    y=$(($addr & 255))
-
-    for x in 1 2 3 ; do
-	addr=$(($addr >> 8))
-	y=$(($addr & 255)).$y
-    done
-
-    echo $y
-}
-
-#
-# Netmask from CIDR
-#
-ip_netmask() {
-    local vlsm
-    vlsm=${1#*/}
-
-    [ $vlsm -eq 0 ] && echo 0 || echo $(( -1 $LEFTSHIFT $(( 32 - $vlsm )) ))
-}
-
-#
-# Network address from CIDR
-#
-ip_network() {
-    local decodedaddr
-    decodedaddr=$(decodeaddr ${1%/*})
-    local netmask
-    netmask=$(ip_netmask $1)
-
-    echo $(encodeaddr $(($decodedaddr & $netmask)))
-}
-
-#
-# The following hack is supplied to compensate for the fact that many of
-# the popular light-weight Bourne shell derivatives don't support XOR ("^").
-#
-ip_broadcast() {
-    local x
-    x=$(( 32 - ${1#*/} ))
-
-    [ $x -eq 32 ] && echo -1 || echo $(( $(( 1 $LEFTSHIFT $x )) - 1 ))
-}
-
-#
-# Calculate broadcast address from CIDR
-#
-broadcastaddress() {
-    local decodedaddr
-    decodedaddr=$(decodeaddr ${1%/*})
-    local netmask
-    netmask=$(ip_netmask $1)
-    local broadcast
-    broadcast=$(ip_broadcast $1)
-
-    echo $(encodeaddr $(( $(($decodedaddr & $netmask)) | $broadcast )))
-}
-
-#
-# Test for network membership
-#
-in_network() # $1 = IP address, $2 = CIDR network
-{
-    local netmask
-    netmask=$(ip_netmask $2)
-    #
-    # Use string comparison to work around a broken BusyBox ash in OpenWRT
-    #
-    test $(( $(decodeaddr $1) & $netmask)) = $(( $(decodeaddr ${2%/*}) & $netmask ))
-}
-
-#
-# Query NetFilter about the existence of a filter chain
-#
-chain_exists() # $1 = chain name
-{
-    qt1 $IPTABLES -L $1 -n
-}
-
 #
 # Find the value 'dev' in the passed arguments then echo the next value
 #
@@ -534,32 +220,6 @@ find_interface_by_address() {
    [ -n "$dev" ] && echo $dev
 }

-#
-# Find the interface with the passed MAC address
-#
-
-find_interface_by_mac() {
-    local mac
-    mac=$1
-    local first
-    local second
-    local rest
-    local dev
-
-    $IP link list | while read first second rest; do
-	case $first in
-	    *:)
-                dev=$second
-		;;
-	    *)
-	        if [ "$second" = $mac ]; then
-		    echo ${dev%:}
-		    return
-		fi
-	esac
-    done
-}
-
 #
 # Determine if Interface is up
 #
@@ -567,40 +227,6 @@ interface_is_up() {
    [ -n "$($IP link list dev $1 2> /dev/null | grep -e '[<,]UP[,>]')" ]
 }

-#
-# Find interface address--returns the first IP address assigned to the passed
-# device
-#
-find_first_interface_address() # $1 = interface
-{
-    #
-    # get the line of output containing the first IP address
-    #
-    addr=$($IP -f inet addr show $1 2> /dev/null | grep 'inet .* global' | head -n1)
-    #
-    # If there wasn't one, bail out now
-    #
-    [ -n "$addr" ] || startup_error "Can't determine the IP address of $1"
-    #
-    # Strip off the trailing VLSM mask (or the peer IP in case of a P-t-P link)
-    # along with everything else on the line
-    #
-    echo $addr | sed 's/\s*inet //;s/\/.*//;s/ peer.*//'
-}
-
-find_first_interface_address_if_any() # $1 = interface
-{
-    #
-    # get the line of output containing the first IP address
-    #
-    addr=$($IP -f inet addr show $1 2> /dev/null | grep 'inet .* global' | head -n1)
-    #
-    # Strip off the trailing VLSM mask (or the peer IP in case of a P-t-P link)
-    # along with everything else on the line
-    #
-    [ -n "$addr" ] && echo $addr | sed 's/\s*inet //;s/\/.*//;s/ peer.*//' || echo 0.0.0.0
-}
-
 #
 # Determine if interface is usable from a Netfilter prespective
 #
@@ -659,71 +285,6 @@ get_interface_bcasts() # $1 = interface
    $IP -f inet addr show dev $1 2> /dev/null | grep 'inet.*brd' | sed 's/inet.*brd //; s/scope.*//;' | sort -u
 }

-#
-# Internal version of 'which'
-#
-mywhich() {
-    local dir
-
-    for dir in $(split $PATH); do
-	if [ -x $dir/$1 ]; then
-	    echo $dir/$1
-	    return 0
-	fi
-    done
-
-    return 2
-}
-
-#
-# Find a File -- For relative file name, look in each ${CONFIG_PATH} then ${CONFDIR}
-#
-find_file()
-{
-    local saveifs
-    saveifs=
-    local directory
-
-    case $1 in
-	/*)
-	    echo $1
-	    ;;
-	*)
-	    for directory in $(split $CONFIG_PATH); do
-		if [ -f $directory/$1 ]; then
-		    echo $directory/$1
-		    return
-		fi
-	    done
-
-	    echo ${CONFDIR}/$1
-	    ;;
-    esac
-}
-
-#
-# Set the Shorewall state
-#
-set_state () # $1 = state
-{
-    echo "$1 ($(date))" > ${VARDIR}/state
-}
-
-#
-# Perform variable substitution on the passed argument and echo the result
-#
-expand() # $@ = contents of variable which may be the name of another variable
-{
-    eval echo \"$@\"
-}
-
-#
-# Function for including one file into another
-#
-INCLUDE() {
-    . $(find_file $(expand $@))
-}
-
 #
 # Delete IP address
 #
@@ -876,16 +437,6 @@ disable_ipv6() {
    fi
 }

-# Function to truncate a string -- It uses 'cut -b -<n>'
-# rather than ${v:first:last} because light-weight shells like ash and
-# dash do not support that form of expansion.
-#
-
-truncate() # $1 = length
-{
-    cut -b -${1}
-}
-
 #
 # Clear the current traffic shaping configuration
 #
@@ -951,7 +502,7 @@ get_device_mtu1() # $1 = device
 #
 undo_routing() {

-    if [ -z "$NOROUTES"  ]; then
+    if [ -z "$g_noroutes"  ]; then
 	#
 	# Restore rt_tables database
 	#
@@ -975,7 +526,7 @@ undo_routing() {
 # Restore the default route that was in place before the initial 'shorewall start'
 #
 restore_default_route() {
-    if [ -z "$NOROUTES" -a -f ${VARDIR}/default_route ]; then
+    if [ -z "$g_noroutes" -a -f ${VARDIR}/default_route ]; then
 	local default_route
 	default_route=
 	local route
@@ -1018,25 +569,6 @@ restore_default_route() {
    return $result
 }

-#
-# Determine how to do "echo -e"
-#
-
-find_echo() {
-    local result
-
-    result=$(echo "a\tb")
-    [ ${#result} -eq 3 ] && { echo echo; return; }
-
-    result=$(echo -e "a\tb")
-    [ ${#result} -eq 3 ] && { echo "echo -e"; return; }
-
-    result=$(mywhich echo)
-    [ -n "$result" ] && { echo "$result -e"; return; }
-
-    echo echo
-}
-
 #
 # Determine the MAC address of the passed IP through the passed interface
 #
@@ -1059,11 +591,11 @@ find_mac() # $1 = IP address, $2 = interface
 }

 #
-# Flush the conntrack table if $PURGE is non-empty
+# Flush the conntrack table if $g_purge is non-empty
 #
 conditionally_flush_conntrack() {

-    if [ -n "$PURGE" ]; then
+    if [ -n "$g_purge" ]; then
 	if [ -n $(mywhich conntrack) ]; then
            conntrack -F
 	else
@@ -1079,7 +611,7 @@ delete_proxyarp() {
    if [ -f ${VARDIR}/proxyarp ]; then
 	while read address interface external haveroute; do
 	    qt arp -i $external -d $address pub
-	    [ -z "${haveroute}${NOROUTES}" ] && qt $IP -4 route del $address dev $interface
+	    [ -z "${haveroute}${g_noroutes}" ] && qt $IP -4 route del $address dev $interface
 	    f=/proc/sys/net/ipv4/conf/$interface/proxy_arp
 	    [ -f $f ] && echo 0 > $f
 	done < ${VARDIR}/proxyarp
@@ -1114,7 +646,7 @@ clear_firewall() {

    set_state "Cleared"

-    logger -p kern.info "$PRODUCT Cleared"
+    logger -p kern.info "$g_product Cleared"
 }

 #
@@ -1124,7 +656,7 @@ fatal_error()
 {
    echo "   ERROR: $@" >&2

-    if [ $LOG_VERBOSE -gt 1 ]; then
+    if [ $LOG_VERBOSITY -gt 1 ]; then
        timestamp="$(date +'%_b %d %T') "
        echo "${timestamp}  ERROR: $@" >> $STARTUP_LOG
    fi
@@ -1142,28 +674,28 @@ startup_error() # $* = Error Message
    echo "   ERROR: $@: Firewall state not changed" >&2
    case $COMMAND in
        start)
-	    logger -p kern.err "ERROR:$PRODUCT start failed:Firewall state not changed"
+	    logger -p kern.err "ERROR:$g_product start failed:Firewall state not changed"
 	    ;;
 	restart)
-	    logger -p kern.err "ERROR:$PRODUCT restart failed:Firewall state not changed"
+	    logger -p kern.err "ERROR:$g_product restart failed:Firewall state not changed"
 	    ;;
 	restore)
-	    logger -p kern.err "ERROR:$PRODUCT restore failed:Firewall state not changed"
+	    logger -p kern.err "ERROR:$g_product restore failed:Firewall state not changed"
 	    ;;
    esac

-    if [ $LOG_VERBOSE -gt 1 ]; then
+    if [ $LOG_VERBOSITY -gt 1 ]; then
        timestamp="$(date +'%_b %d %T') "

 	case $COMMAND in
 	    start)
-		echo "${timestamp}  ERROR:$PRODUCT start failed:Firewall state not changed" >> $STARTUP_LOG
+		echo "${timestamp}  ERROR:$g_product start failed:Firewall state not changed" >> $STARTUP_LOG
 		;;
 	    restart)
-		echo "${timestamp}  ERROR:$PRODUCT restart failed:Firewall state not changed" >> $STARTUP_LOG
+		echo "${timestamp}  ERROR:$g_product restart failed:Firewall state not changed" >> $STARTUP_LOG
 		;;
 	    restore)
-		echo "${timestamp}  ERROR:$PRODUCT restore failed:Firewall state not changed" >> $STARTUP_LOG
+		echo "${timestamp}  ERROR:$g_product restore failed:Firewall state not changed" >> $STARTUP_LOG
 		;;
 	esac
    fi
--- a/Shorewall/Perl/prog.header6
+++ b/Shorewall/Perl/prog.header6
@@ -1,11 +1,18 @@
+#!/bin/sh
+#
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 1999-2009 - Tom Eastep (teastep@shorewall.net)
+#     (c) 1999-2010- Tom Eastep (teastep@shorewall.net)
 #
 #	Options are:
 #
 #	    -n				  Don't alter Routing
 #	    -v and -q			  Standard Shorewall Verbosity control
+#           -t                            Timestamp progress messages
+#           -p                            Purge conntrack table
+#           -r                            Recover from failed start/restart
+#           -V <verbosity>                Set verbosity level explicitly
+#           -R <restore>                  Overrides RESTOREFILE setting
 #
 #	Commands are:
 #
@@ -22,14 +29,6 @@
 ################################################################################
 # Functions imported from /usr/share/shorewall/prog.header6
 ################################################################################
-#
-# Message to stderr
-#
-error_message() # $* = Error Message
-{
-   echo "   $@" >&2
-}
-
 #
 # Conditionally produce message
 #
@@ -38,12 +37,12 @@ progress_message() # $* = Message
    local timestamp
    timestamp=

-    if [ $VERBOSE -gt 1 ]; then
-	[ -n "$TIMESTAMP" ] && timestamp="$(date +%H:%M:%S) "
+    if [ $VERBOSITY -gt 1 ]; then
+	[ -n "$g_timestamp" ] && timestamp="$(date +%H:%M:%S) "
 	echo "${timestamp}$@"
    fi

-    if [ $LOG_VERBOSE -gt 1 ]; then
+    if [ $LOG_VERBOSITY -gt 1 ]; then
        timestamp="$(date +'%b %_d %T') "
        echo "${timestamp}$@" >> $STARTUP_LOG
    fi
@@ -54,12 +53,12 @@ progress_message2() # $* = Message
    local timestamp
    timestamp=

-    if [ $VERBOSE -gt 0 ]; then
-	[ -n "$TIMESTAMP" ] && timestamp="$(date +%H:%M:%S) "
+    if [ $VERBOSITY -gt 0 ]; then
+	[ -n "$g_timestamp" ] && timestamp="$(date +%H:%M:%S) "
 	echo "${timestamp}$@"
    fi

-    if [ $LOG_VERBOSE -gt 0 ]; then
+    if [ $LOG_VERBOSITY -gt 0 ]; then
        timestamp="$(date +'%b %_d %T') "
        echo "${timestamp}$@" >> $STARTUP_LOG
    fi
@@ -70,117 +69,17 @@ progress_message3() # $* = Message
    local timestamp
    timestamp=

-    if [ $VERBOSE -ge 0 ]; then
-	[ -n "$TIMESTAMP" ] && timestamp="$(date +%H:%M:%S) "
+    if [ $VERBOSITY -ge 0 ]; then
+	[ -n "$g_timestamp" ] && timestamp="$(date +%H:%M:%S) "
 	echo "${timestamp}$@"
    fi

-    if [ $LOG_VERBOSE -ge 0 ]; then
+    if [ $LOG_VERBOSITY -ge 0 ]; then
        timestamp="$(date +'%b %_d %T') "
        echo "${timestamp}$@" >> $STARTUP_LOG
    fi
 }

-#
-# Split a colon-separated list into a space-separated list
-#
-split() {
-    local ifs
-    ifs=$IFS
-    IFS=:
-    echo $*
-    IFS=$ifs
-}
-
-#
-# Undo the effect of 'split()'
-#
-join()
-{
-    local f
-    local o
-    o=
-
-    for f in $* ; do
-        o="${o:+$o:}$f"
-    done
-
-    echo $o
-}
-
-#
-# Return the number of elements in a list
-#
-list_count() # $* = list
-{
-    return $#
-}
-
-#
-# Search a list looking for a match -- returns zero if a match found
-# 1 otherwise
-#
-list_search() # $1 = element to search for , $2-$n = list
-{
-    local e
-    e=$1
-
-    while [ $# -gt 1 ]; do
-	shift
-	[ "x$e" = "x$1" ] && return 0
-    done
-
-    return 1
-}
-
-#
-# Suppress all output for a command
-#
-qt()
-{
-    "$@" >/dev/null 2>&1
-}
-
-qt1()
-{
-    local status
-
-    while [ 1 ]; do
-	"$@" >/dev/null 2>&1
-	status=$?
-	[ $status -ne 4 ] && return $status
-    done
-}
-
-#
-# Determine if Shorewall is "running"
-#
-shorewall6_is_started() {
-    qt1 $IP6TABLES -L shorewall -n
-}
-
-#
-# Echos the fully-qualified name of the calling shell program
-#
-my_pathname() {
-    cd $(dirname $0)
-    echo $PWD/$(basename $0)
-}
-
-#
-# Source a user exit file if it exists
-#
-run_user_exit() # $1 = file name
-{
-    local user_exit
-    user_exit=$(find_file $1)
-
-    if [ -f $user_exit ]; then
-	progress_message "Processing $user_exit ..."
-	. $user_exit
-    fi
-}
-
 #
 # Set a standard chain's policy
 #
@@ -213,131 +112,6 @@ deleteallchains() {
    run_iptables -X
 }

-#
-# Load a Kernel Module -- assumes that the variable 'moduledirectories' contains
-#                         a space-separated list of directories to search for
-#                         the module and that 'moduleloader' contains the
-#                         module loader command.
-#
-loadmodule() # $1 = module name, $2 - * arguments
-{
-    local modulename
-    modulename=$1
-    local modulefile
-    local suffix
-
-    if ! list_search $modulename $DONT_LOAD $MODULES; then
-	shift
-
-	for suffix in $MODULE_SUFFIX ; do
-	    for directory in $moduledirectories; do
-		modulefile=$directory/${modulename}.${suffix}
-
-		if [ -f $modulefile ]; then
-		    case $moduleloader in
-			insmod)
-			    insmod $modulefile $*
-			    ;;
-			*)
-			    modprobe $modulename $*
-			    ;;
-		    esac
-		    break 2
-		fi
-	    done
-	done
-    fi
-}
-
-#
-# Reload the Modules
-#
-reload_kernel_modules() {
-
-    local save_modules_dir
-    save_modules_dir=$MODULESDIR
-    local directory
-    local moduledirectories
-    moduledirectories=
-    local moduleloader
-    moduleloader=modprobe
-
-    if ! qt mywhich modprobe; then
-	moduleloader=insmod
-    fi
-
-    [ -n "${MODULE_SUFFIX:=o gz ko o.gz ko.gz}" ]
-
-    [ -z "$MODULESDIR" ] && MODULESDIR=/lib/modules/$(uname -r)/kernel/net/ipv6/netfilter:/lib/modules/$(uname -r)/kernel/net/netfilter:/lib/modules/$(uname -r)/kernel/net/sched/
-    MODULES=$(lsmod | cut -d ' ' -f1)
-
-    for directory in $(split $MODULESDIR); do
-	[ -d $directory ] && moduledirectories="$moduledirectories $directory"
-    done
-
-    [ -n "$moduledirectories" ] && while read command; do
-	eval $command
-    done
-
-    MODULESDIR=$save_modules_dir
-}
-
-#
-# Load kernel modules required for Shorewall6
-#
-load_kernel_modules() # $1 = Yes, if we are to save moduleinfo in $VARDIR
-{
-    local save_modules_dir
-    save_modules_dir=$MODULESDIR
-    local directory
-    local moduledirectories
-    moduledirectories=
-    local moduleloader
-    moduleloader=modprobe
-    local savemoduleinfo
-    savemoduleinfo=${1:-Yes} # So old compiled scripts still work
-
-    if ! qt mywhich modprobe; then
-	moduleloader=insmod
-    fi
-
-    [ -n "${MODULE_SUFFIX:=o gz ko o.gz ko.gz}" ]
-
-    [ -z "$MODULESDIR" ] && \
-	MODULESDIR=/lib/modules/$(uname -r)/kernel/net/ipv6/netfilter:/lib/modules/$(uname -r)/kernel/net/netfilter:/lib/modules/$(uname -r)/kernel/net/sched/
-
-    for directory in $(split $MODULESDIR); do
-	[ -d $directory ] && moduledirectories="$moduledirectories $directory"
-    done
-
-    [ -n "$LOAD_HELPERS_ONLY" ] && modules=$(find_file helpers) || modules=$(find_file modules)
-
-    if [ -f $modules -a -n "$moduledirectories" ]; then
-	MODULES=$(lsmod | cut -d ' ' -f1)
-	progress_message "Loading Modules..."
-	. $modules
-	if [ $savemoduleinfo = Yes ]; then
-	    [ -d ${VARDIR} ] || mkdir -p ${VARDIR}
-	    echo MODULESDIR="$MODULESDIR" > ${VARDIR}/.modulesdir
-	    cp -f $modules ${VARDIR}/.modules
-	fi
-    elif [ $savemoduleinfo = Yes ]; then
-	[ -d ${VARDIR} ] || mkdir -p ${VARDIR}
-	> ${VARDIR}/.modulesdir
-	> ${VARDIR}/.modules
-    fi
-
-    MODULESDIR=$save_modules_dir
-}
-
-#
-# Query NetFilter about the existence of a filter chain
-#
-chain_exists() # $1 = chain name
-{
-    qt1 $IP6TABLES -L $1 -n
-}
-
 #
 # Find the value 'dev' in the passed arguments then echo the next value
 #
@@ -400,32 +174,6 @@ find_default_interface() {
    done
 }

-#
-# Find the interface with the passed MAC address
-#
-
-find_interface_by_mac() {
-    local mac
-    mac=$1
-    local first
-    local second
-    local rest
-    local dev
-
-    $IP link list | while read first second rest; do
-	case $first in
-	    *:)
-                dev=$second
-		;;
-	    *)
-	        if [ "$second" = $mac ]; then
-		    echo ${dev%:}
-		    return
-		fi
-	esac
-    done
-}
-
 #
 # Determine if Interface is up
 #
@@ -433,40 +181,6 @@ interface_is_up() {
    [ -n "$($IP link list dev $1 2> /dev/null | grep -e '[<,]UP[,>]')" ]
 }

-#
-# Find interface address--returns the first IP address assigned to the passed
-# device
-#
-find_first_interface_address() # $1 = interface
-{
-    #
-    # get the line of output containing the first IP address
-    #
-    addr=$($IP -f inet6 addr show $1 2> /dev/null | grep 'inet6 .* global' | head -n1)
-    #
-    # If there wasn't one, bail out now
-    #
-    [ -n "$addr" ] || startup_error "Can't determine the IPv6 address of $1"
-    #
-    # Strip off the trailing VLSM mask (or the peer IP in case of a P-t-P link)
-    # along with everything else on the line
-    #
-    echo $addr | sed 's/\s*inet6 //;s/\/.*//;s/ peer.*//'
-}
-
-find_first_interface_address_if_any() # $1 = interface
-{
-    #
-    # get the line of output containing the first IP address
-    #
-    addr=$($IP -f inet6 addr show $1 2> /dev/null | grep 'inet6 2.* global' | head -n1)
-    #
-    # Strip off the trailing VLSM mask (or the peer IP in case of a P-t-P link)
-    # along with everything else on the line
-    #
-    [ -n "$addr" ] && echo $addr | sed 's/\s*inet6 //;s/\/.*//;s/ peer.*//' || echo ::
-}
-
 #
 # Determine if interface is usable from a Netfilter prespective
 #
@@ -682,71 +396,6 @@ get_all_acasts()
    find_interface_full_addresses | convert_to_anycast | sort -u
 }

-#
-# Internal version of 'which'
-#
-mywhich() {
-    local dir
-
-    for dir in $(split $PATH); do
-	if [ -x $dir/$1 ]; then
-	    echo $dir/$1
-	    return 0
-	fi
-    done
-
-    return 2
-}
-
-#
-# Find a File -- For relative file name, look in each ${CONFIG_PATH} then ${CONFDIR}
-#
-find_file()
-{
-    local saveifs
-    saveifs=
-    local directory
-
-    case $1 in
-	/*)
-	    echo $1
-	    ;;
-	*)
-	    for directory in $(split $CONFIG_PATH); do
-		if [ -f $directory/$1 ]; then
-		    echo $directory/$1
-		    return
-		fi
-	    done
-
-	    echo ${CONFDIR}/$1
-	    ;;
-    esac
-}
-
-#
-# Set the Shorewall state
-#
-set_state () # $1 = state
-{
-    echo "$1 ($(date))" > ${VARDIR}/state
-}
-
-#
-# Perform variable substitution on the passed argument and echo the result
-#
-expand() # $@ = contents of variable which may be the name of another variable
-{
-    eval echo \"$@\"
-}
-
-#
-# Function for including one file into another
-#
-INCLUDE() {
-    . $(find_file $(expand $@))
-}
-
 #
 # Detect the gateway through an interface
 #
@@ -772,20 +421,6 @@ detect_gateway() # $1 = interface
    [ -n "$gateway" ] && echo $gateway
 }

-# Function to truncate a string -- It uses 'cut -b -<n>'
-# rather than ${v:first:last} because light-weight shells like ash and
-# dash do not support that form of expansion.
-#
-
-truncate() # $1 = length
-{
-    cut -b -${1}
-}
-
-#
-# Clear the current traffic shaping configuration
-#
-
 delete_tc1()
 {
    clear_one_tc() {
@@ -847,7 +482,7 @@ get_device_mtu1() # $1 = device
 #
 undo_routing() {

-    if [ -z "$NOROUTES"  ]; then
+    if [ -z "$g_noroutes"  ]; then
 	#
 	# Restore rt_tables database
 	#
@@ -871,7 +506,7 @@ undo_routing() {
 # Restore the default route that was in place before the initial 'shorewall start'
 #
 restore_default_route() {
-    if [ -z "$NOROUTES" -a -f ${VARDIR}/default_route ]; then
+    if [ -z "$g_noroutes" -a -f ${VARDIR}/default_route ]; then
 	local default_route
 	default_route=
 	local route
@@ -934,11 +569,11 @@ find_echo() {
 }

 #
-# Flush the conntrack table if $PURGE is non-empty
+# Flush the conntrack table if $g_purge is non-empty
 #
 conditionally_flush_conntrack() {

-    if [ -n "$PURGE" ]; then
+    if [ -n "$g_purge" ]; then
 	if [ -n $(which conntrack) ]; then
            conntrack -F
 	else
@@ -965,7 +600,7 @@ clear_firewall() {

    set_state "Cleared"

-    logger -p kern.info "$PRODUCT Cleared"
+    logger -p kern.info "$g_product Cleared"
 }

 #
@@ -975,7 +610,7 @@ fatal_error()
 {
    echo "   ERROR: $@" >&2

-    if [ $LOG_VERBOSE -gt 1 ]; then
+    if [ $LOG_VERBOSITY -gt 1 ]; then
        timestamp="$(date +'%_b %d %T') "
        echo "${timestamp}  ERROR: $@" >> $STARTUP_LOG
    fi
@@ -993,28 +628,28 @@ startup_error() # $* = Error Message
    echo "   ERROR: $@: Firewall state not changed" >&2
    case $COMMAND in
        start)
-	    logger -p kern.err "ERROR:$PRODUCT start failed:Firewall state not changed"
+	    logger -p kern.err "ERROR:$g_product start failed:Firewall state not changed"
 	    ;;
 	restart)
-	    logger -p kern.err "ERROR:$PRODUCT restart failed:Firewall state not changed"
+	    logger -p kern.err "ERROR:$g_product restart failed:Firewall state not changed"
 	    ;;
 	restore)
-	    logger -p kern.err "ERROR:$PRODUCT restore failed:Firewall state not changed"
+	    logger -p kern.err "ERROR:$g_product restore failed:Firewall state not changed"
 	    ;;
    esac

-    if [ $LOG_VERBOSE -gt 1 ]; then
+    if [ $LOG_VERBOSITY -gt 1 ]; then
        timestamp="$(date +'%_b %d %T') "

 	case $COMMAND in
 	    start)
-		echo "${timestamp}  ERROR:$PRODUCT start failed:Firewall state not changed" >> $STARTUP_LOG
+		echo "${timestamp}  ERROR:$g_product start failed:Firewall state not changed" >> $STARTUP_LOG
 		;;
 	    restart)
-		echo "${timestamp}  ERROR:$PRODUCT restart failed:Firewall state not changed" >> $STARTUP_LOG
+		echo "${timestamp}  ERROR:$g_product restart failed:Firewall state not changed" >> $STARTUP_LOG
 		;;
 	    restore)
-		echo "${timestamp}  ERROR:$PRODUCT restore failed:Firewall state not changed" >> $STARTUP_LOG
+		echo "${timestamp}  ERROR:$g_product restore failed:Firewall state not changed" >> $STARTUP_LOG
 		;;
 	esac
    fi
--- a/Shorewall/changelog.txt
+++ b/Shorewall/changelog.txt
@@ -1,12 +1,41 @@
-Changes in Shorewall 4.4.7.2
+Changes in Shorewall 4.4.8

-1)  Fix detection of "Old hashlimit match".
+1)  Correct handling of RATE LIMIT on NAT rules.

-2)  Detect FLOW_FILTER when LOAD_HELPERS_ONLY=No
+2)  Don't create a logging chain for rules with '-j RETURN'.

-Changes in Shorewall 4.4.7.1
+3)  Avoid duplicate SFQ class numbers.

-1)  Don't apply rate limiting twice in NAT rules.
+4)  Fix low per-IP rate limits.
+
+5)  Fix Debian init script exit status
+
+6)  Fix NFQUEUE(queue-num) in policy
+
+7)  Implement -s option in install.sh
+
+8)  Add HKP Macro
+
+9)  Fix multiple policy matches with OPTIMIZE 4 and not KLUDGEFREE
+
+10) Eliminate up-cased variable names that aren't documented options.
+
+11) Don't show 'OLD' capabilities if they are not available.
+
+12) Attempt to flag use of '-' as a port-range separator.
+
+13) Add undocumented OPTIMIZE=-1 setting.
+
+14) Replace OPTIMIZE=-1 with undocumented optimize 4096 which DISABLES
+    default optimizations.
+
+15) Add support for UDPLITE
+
+16) Distinguish between 'Started' and 'Restored' in ${VARDIR}/state
+
+17) Issue warnings when 'blacklist' but no blacklist file entries.
+
+18) Don't optimize 'blacklst'.

 Changes in Shorewall 4.4.7

--- a/Shorewall/init.debian.sh
+++ b/Shorewall/init.debian.sh
@@ -1,8 +1,8 @@
 #!/bin/sh
 ### BEGIN INIT INFO
 # Provides:          shorewall
-# Required-Start:    $network
-# Required-Stop:     $network
+# Required-Start:    $network $remote_fs
+# Required-Stop:     $network $remote_fs
 # Default-Start:     S
 # Default-Stop:      0 6
 # Short-Description: Configure the firewall at boot time
@@ -38,6 +38,7 @@ echo_notdone () {
 	  echo "not done (check $INITLOG)."
  fi

+  exit 1
 }

 not_configured () {
--- a/Shorewall/install.sh
+++ b/Shorewall/install.sh
@@ -22,7 +22,7 @@
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #

-VERSION=4.4.7.2
+VERSION=4.4.8

 usage() # $1 = exit status
 {
@@ -109,6 +109,7 @@ fi

 DEBIAN=
 CYGWIN=
+SPARSE=
 MANDIR=${MANDIR:-"/usr/share/man"}

 case $(uname) in
@@ -121,6 +122,7 @@ case $(uname) in
 	OWNER=$(id -un)
 	GROUP=$(id -gn)
 	CYGWIN=Yes
+	SPARSE=Yes
 	;;
    *)
 	[ -z "$OWNER" ] && OWNER=root
@@ -139,6 +141,9 @@ while [ $# -gt 0 ] ; do
 	    echo "Shorewall Firewall Installer Version $VERSION"
 	    exit 0
 	    ;;
+	-s)
+	    SPARSE=Yes
+	    ;;
 	*)
 	    usage 1
 	    ;;
@@ -175,15 +180,20 @@ else
 	exit 1
    fi

-    if [ -z "$CYGWIN" ]; then
+    if [ -n "$CYGWIN" ]; then
+	echo "Installing Cygwin-specific configuration..."
+    else
 	if [ -f /etc/debian_version ]; then
+	    echo "Installing Debian-specific configuration..."
 	    DEBIAN=yes
+	    SPARSE=yes
 	elif [ -f /etc/slackware-version ] ; then
-	    echo "installing Slackware specific configuration..."
+	    echo "Installing Slackware-specific configuration..."
 	    DEST="/etc/rc.d"
 	    MANDIR="/usr/man"
 	    SLACKWARE=yes
 	elif [ -f /etc/arch-release ] ; then
+	    echo "Installing ArchLinux-specific configuration..."
 	    DEST="/etc/rc.d"
 	    INIT="shorewall"
 	    ARCHLINUX=yes
@@ -276,7 +286,7 @@ fi
 #
 run_install $OWNERSHIP -m 0644 configfiles/zones ${PREFIX}/usr/share/shorewall/configfiles/zones

-if [ -z "$CYGWIN" -a ! -f ${PREFIX}/etc/shorewall/zones ]; then
+if [ -z "$SPARSE" -a ! -f ${PREFIX}/etc/shorewall/zones ]; then
    run_install $OWNERSHIP -m 0744 configfiles/zones ${PREFIX}/etc/shorewall/zones
    echo "Zones file installed as ${PREFIX}/etc/shorewall/zones"
 fi
@@ -309,7 +319,7 @@ echo "wait4ifup installed in ${PREFIX}/usr/share/shorewall/wait4ifup"
 #
 run_install $OWNERSHIP -m 0644 configfiles/policy ${PREFIX}/usr/share/shorewall/configfiles/policy

-if [ -z "$CYGWIN" -a ! -f ${PREFIX}/etc/shorewall/policy ]; then
+if [ -z "$SPARSE" -a ! -f ${PREFIX}/etc/shorewall/policy ]; then
    run_install $OWNERSHIP -m 0600 configfiles/policy ${PREFIX}/etc/shorewall/policy
    echo "Policy file installed as ${PREFIX}/etc/shorewall/policy"
 fi
@@ -318,7 +328,7 @@ fi
 #
 run_install $OWNERSHIP -m 0644 configfiles/interfaces ${PREFIX}/usr/share/shorewall/configfiles/interfaces

-if [ -z "$CYGWIN" -a ! -f ${PREFIX}/etc/shorewall/interfaces ]; then
+if [ -z "$SPARSE" -a ! -f ${PREFIX}/etc/shorewall/interfaces ]; then
    run_install $OWNERSHIP -m 0600 configfiles/interfaces ${PREFIX}/etc/shorewall/interfaces
    echo "Interfaces file installed as ${PREFIX}/etc/shorewall/interfaces"
 fi
@@ -328,7 +338,7 @@ fi
 #
 run_install $OWNERSHIP -m 0644 configfiles/hosts ${PREFIX}/usr/share/shorewall/configfiles/hosts

-if [ -z "$CYGWIN" -a ! -f ${PREFIX}/etc/shorewall/hosts ]; then
+if [ -z "$SPARSE" -a ! -f ${PREFIX}/etc/shorewall/hosts ]; then
    run_install $OWNERSHIP -m 0600 configfiles/hosts ${PREFIX}/etc/shorewall/hosts
    echo "Hosts file installed as ${PREFIX}/etc/shorewall/hosts"
 fi
@@ -337,7 +347,7 @@ fi
 #
 run_install $OWNERSHIP -m 0644 configfiles/rules ${PREFIX}/usr/share/shorewall/configfiles/rules

-if [ -z "$CYGWIN" -a ! -f ${PREFIX}/etc/shorewall/rules ]; then
+if [ -z "$SPARSE" -a ! -f ${PREFIX}/etc/shorewall/rules ]; then
    run_install $OWNERSHIP -m 0600 configfiles/rules ${PREFIX}/etc/shorewall/rules
    echo "Rules file installed as ${PREFIX}/etc/shorewall/rules"
 fi
@@ -346,7 +356,7 @@ fi
 #
 run_install $OWNERSHIP -m 0644 configfiles/nat ${PREFIX}/usr/share/shorewall/configfiles/nat

-if [ -z "$CYGWIN" -a ! -f ${PREFIX}/etc/shorewall/nat ]; then
+if [ -z "$SPARSE" -a ! -f ${PREFIX}/etc/shorewall/nat ]; then
    run_install $OWNERSHIP -m 0600 configfiles/nat ${PREFIX}/etc/shorewall/nat
    echo "NAT file installed as ${PREFIX}/etc/shorewall/nat"
 fi
@@ -355,7 +365,7 @@ fi
 #
 run_install $OWNERSHIP -m 0644 configfiles/netmap ${PREFIX}/usr/share/shorewall/configfiles/netmap

-if [ -z "$CYGWIN" -a ! -f ${PREFIX}/etc/shorewall/netmap ]; then
+if [ -z "$SPARSE" -a ! -f ${PREFIX}/etc/shorewall/netmap ]; then
    run_install $OWNERSHIP -m 0600 configfiles/netmap ${PREFIX}/etc/shorewall/netmap
    echo "NETMAP file installed as ${PREFIX}/etc/shorewall/netmap"
 fi
@@ -375,7 +385,7 @@ fi
 #
 run_install $OWNERSHIP -m 0644 configfiles/proxyarp ${PREFIX}/usr/share/shorewall/configfiles/proxyarp

-if [ -z "$CYGWIN" -a ! -f ${PREFIX}/etc/shorewall/proxyarp ]; then
+if [ -z "$SPARSE" -a ! -f ${PREFIX}/etc/shorewall/proxyarp ]; then
    run_install $OWNERSHIP -m 0600 configfiles/proxyarp ${PREFIX}/etc/shorewall/proxyarp
    echo "Proxy ARP file installed as ${PREFIX}/etc/shorewall/proxyarp"
 fi
@@ -384,7 +394,7 @@ fi
 #
 run_install $OWNERSHIP -m 0644 configfiles/routestopped ${PREFIX}/usr/share/shorewall/configfiles/routestopped

-if [ -z "$CYGWIN" -a ! -f ${PREFIX}/etc/shorewall/routestopped ]; then
+if [ -z "$SPARSE" -a ! -f ${PREFIX}/etc/shorewall/routestopped ]; then
    run_install $OWNERSHIP -m 0600 configfiles/routestopped ${PREFIX}/etc/shorewall/routestopped
    echo "Stopped Routing file installed as ${PREFIX}/etc/shorewall/routestopped"
 fi
@@ -393,7 +403,7 @@ fi
 #
 run_install $OWNERSHIP -m 0644 configfiles/maclist ${PREFIX}/usr/share/shorewall/configfiles/maclist

-if [ -z "$CYGWIN" -a ! -f ${PREFIX}/etc/shorewall/maclist ]; then
+if [ -z "$SPARSE" -a ! -f ${PREFIX}/etc/shorewall/maclist ]; then
    run_install $OWNERSHIP -m 0600 configfiles/maclist ${PREFIX}/etc/shorewall/maclist
    echo "MAC list file installed as ${PREFIX}/etc/shorewall/maclist"
 fi
@@ -402,7 +412,7 @@ fi
 #
 run_install $OWNERSHIP -m 0644 configfiles/masq ${PREFIX}/usr/share/shorewall/configfiles/masq

-if [ -z "$CYGWIN" -a ! -f ${PREFIX}/etc/shorewall/masq ]; then
+if [ -z "$SPARSE" -a ! -f ${PREFIX}/etc/shorewall/masq ]; then
    run_install $OWNERSHIP -m 0600 configfiles/masq ${PREFIX}/etc/shorewall/masq
    echo "Masquerade file installed as ${PREFIX}/etc/shorewall/masq"
 fi
@@ -411,7 +421,7 @@ fi
 #
 run_install $OWNERSHIP -m 0644 configfiles/notrack ${PREFIX}/usr/share/shorewall/configfiles/notrack

-if [ -z "$CYGWIN" -a ! -f ${PREFIX}/etc/shorewall/notrack ]; then
+if [ -z "$SPARSE" -a ! -f ${PREFIX}/etc/shorewall/notrack ]; then
    run_install $OWNERSHIP -m 0600 configfiles/notrack ${PREFIX}/etc/shorewall/notrack
    echo "Notrack file installed as ${PREFIX}/etc/shorewall/notrack"
 fi
@@ -432,7 +442,7 @@ echo "Helper modules file installed as ${PREFIX}/usr/share/shorewall/helpers"
 #
 run_install $OWNERSHIP -m 0644 configfiles/tcrules ${PREFIX}/usr/share/shorewall/configfiles/tcrules

-if [ -z "$CYGWIN" -a ! -f ${PREFIX}/etc/shorewall/tcrules ]; then
+if [ -z "$SPARSE" -a ! -f ${PREFIX}/etc/shorewall/tcrules ]; then
    run_install $OWNERSHIP -m 0600 configfiles/tcrules ${PREFIX}/etc/shorewall/tcrules
    echo "TC Rules file installed as ${PREFIX}/etc/shorewall/tcrules"
 fi
@@ -442,7 +452,7 @@ fi
 #
 run_install $OWNERSHIP -m 0644 configfiles/tcinterfaces ${PREFIX}/usr/share/shorewall/configfiles/tcinterfaces

-if [ -z "$CYGWIN" -a ! -f ${PREFIX}/etc/shorewall/tcinterfaces ]; then
+if [ -z "$SPARSE" -a ! -f ${PREFIX}/etc/shorewall/tcinterfaces ]; then
    run_install $OWNERSHIP -m 0600 configfiles/tcinterfaces ${PREFIX}/etc/shorewall/tcinterfaces
    echo "TC Interfaces file installed as ${PREFIX}/etc/shorewall/tcinterfaces"
 fi
@@ -452,7 +462,7 @@ fi
 #
 run_install $OWNERSHIP -m 0644 configfiles/tcpri ${PREFIX}/usr/share/shorewall/configfiles/tcpri

-if [ -z "$CYGWIN" -a ! -f ${PREFIX}/etc/shorewall/tcpri ]; then
+if [ -z "$SPARSE" -a ! -f ${PREFIX}/etc/shorewall/tcpri ]; then
    run_install $OWNERSHIP -m 0600 configfiles/tcpri ${PREFIX}/etc/shorewall/tcpri
    echo "TC Priority file installed as ${PREFIX}/etc/shorewall/tcpri"
 fi
@@ -462,7 +472,7 @@ fi
 #
 run_install $OWNERSHIP -m 0644 configfiles/tos ${PREFIX}/usr/share/shorewall/configfiles/tos

-if [ -z "$CYGWIN" -a ! -f ${PREFIX}/etc/shorewall/tos ]; then
+if [ -z "$SPARSE" -a ! -f ${PREFIX}/etc/shorewall/tos ]; then
    run_install $OWNERSHIP -m 0600 configfiles/tos ${PREFIX}/etc/shorewall/tos
    echo "TOS file installed as ${PREFIX}/etc/shorewall/tos"
 fi
@@ -471,7 +481,7 @@ fi
 #
 run_install $OWNERSHIP -m 0644 configfiles/tunnels ${PREFIX}/usr/share/shorewall/configfiles/tunnels

-if [ -z "$CYGWIN" -a ! -f ${PREFIX}/etc/shorewall/tunnels ]; then
+if [ -z "$SPARSE" -a ! -f ${PREFIX}/etc/shorewall/tunnels ]; then
    run_install $OWNERSHIP -m 0600 configfiles/tunnels ${PREFIX}/etc/shorewall/tunnels
    echo "Tunnels file installed as ${PREFIX}/etc/shorewall/tunnels"
 fi
@@ -480,7 +490,7 @@ fi
 #
 run_install $OWNERSHIP -m 0644 configfiles/blacklist ${PREFIX}/usr/share/shorewall/configfiles/blacklist

-if [ -z "$CYGWIN" -a ! -f ${PREFIX}/etc/shorewall/blacklist ]; then
+if [ -z "$SPARSE" -a ! -f ${PREFIX}/etc/shorewall/blacklist ]; then
    run_install $OWNERSHIP -m 0600 configfiles/blacklist ${PREFIX}/etc/shorewall/blacklist
    echo "Blacklist file installed as ${PREFIX}/etc/shorewall/blacklist"
 fi
@@ -489,7 +499,7 @@ fi
 #
 run_install $OWNERSHIP -m 0644 configfiles/findgw ${PREFIX}/usr/share/shorewall/configfiles/findgw

-if [ -z "$CYGWIN" -a ! -f ${PREFIX}/etc/shorewall/findgw ]; then
+if [ -z "$SPARSE" -a ! -f ${PREFIX}/etc/shorewall/findgw ]; then
    run_install $OWNERSHIP -m 0600 configfiles/findgw ${PREFIX}/etc/shorewall/findgw
    echo "Find GW file installed as ${PREFIX}/etc/shorewall/findgw"
 fi
@@ -517,7 +527,7 @@ delete_file ${PREFIX}/usr/share/shorewall/xmodules
 #
 run_install $OWNERSHIP -m 0644 configfiles/providers ${PREFIX}/usr/share/shorewall/configfiles/providers

-if [ -z "$CYGWIN" -a ! -f ${PREFIX}/etc/shorewall/providers ]; then
+if [ -z "$SPARSE" -a ! -f ${PREFIX}/etc/shorewall/providers ]; then
    run_install $OWNERSHIP -m 0600 configfiles/providers ${PREFIX}/etc/shorewall/providers
    echo "Providers file installed as ${PREFIX}/etc/shorewall/providers"
 fi
@@ -527,7 +537,7 @@ fi
 #
 run_install $OWNERSHIP -m 0644 configfiles/route_rules ${PREFIX}/usr/share/shorewall/configfiles/route_rules

-if [ -z "$CYGWIN" -a ! -f ${PREFIX}/etc/shorewall/route_rules ]; then
+if [ -z "$SPARSE" -a ! -f ${PREFIX}/etc/shorewall/route_rules ]; then
    run_install $OWNERSHIP -m 0600 configfiles/route_rules ${PREFIX}/etc/shorewall/route_rules
    echo "Routing rules file installed as ${PREFIX}/etc/shorewall/route_rules"
 fi
@@ -537,7 +547,7 @@ fi
 #
 run_install $OWNERSHIP -m 0644 configfiles/tcclasses ${PREFIX}/usr/share/shorewall/configfiles/tcclasses

-if [ -z "$CYGWIN" -a ! -f ${PREFIX}/etc/shorewall/tcclasses ]; then
+if [ -z "$SPARSE" -a ! -f ${PREFIX}/etc/shorewall/tcclasses ]; then
    run_install $OWNERSHIP -m 0600 configfiles/tcclasses ${PREFIX}/etc/shorewall/tcclasses
    echo "TC Classes file installed as ${PREFIX}/etc/shorewall/tcclasses"
 fi
@@ -547,7 +557,7 @@ fi
 #
 run_install $OWNERSHIP -m 0644 configfiles/tcdevices ${PREFIX}/usr/share/shorewall/configfiles/tcdevices

-if [ -z "$CYGWIN" -a ! -f ${PREFIX}/etc/shorewall/tcdevices ]; then
+if [ -z "$SPARSE" -a ! -f ${PREFIX}/etc/shorewall/tcdevices ]; then
    run_install $OWNERSHIP -m 0600 configfiles/tcdevices ${PREFIX}/etc/shorewall/tcdevices
    echo "TC Devices file installed as ${PREFIX}/etc/shorewall/tcdevices"
 fi
@@ -557,7 +567,7 @@ fi
 #
 run_install $OWNERSHIP -m 0644 configfiles/tcfilters ${PREFIX}/usr/share/shorewall/configfiles/tcfilters

-if [ -z "$CYGWIN" -a ! -f ${PREFIX}/etc/shorewall/tcfilters ]; then
+if [ -z "$SPARSE" -a ! -f ${PREFIX}/etc/shorewall/tcfilters ]; then
    run_install $OWNERSHIP -m 0600 configfiles/tcfilters ${PREFIX}/etc/shorewall/tcfilters
    echo "TC Filters file installed as ${PREFIX}/etc/shorewall/tcfilters"
 fi
@@ -572,7 +582,7 @@ echo "Default config path file installed as ${PREFIX}/usr/share/shorewall/config
 #
 run_install $OWNERSHIP -m 0644 configfiles/init ${PREFIX}/usr/share/shorewall/configfiles/init

-if [ -z "$CYGWIN" -a ! -f ${PREFIX}/etc/shorewall/init ]; then
+if [ -z "$SPARSE" -a ! -f ${PREFIX}/etc/shorewall/init ]; then
    run_install $OWNERSHIP -m 0600 configfiles/init ${PREFIX}/etc/shorewall/init
    echo "Init file installed as ${PREFIX}/etc/shorewall/init"
 fi
@@ -581,7 +591,7 @@ fi
 #
 run_install $OWNERSHIP -m 0644 configfiles/initdone ${PREFIX}/usr/share/shorewall/configfiles/initdone

-if [ -z "$CYGWIN" -a ! -f ${PREFIX}/etc/shorewall/initdone ]; then
+if [ -z "$SPARSE" -a ! -f ${PREFIX}/etc/shorewall/initdone ]; then
    run_install $OWNERSHIP -m 0600 configfiles/initdone ${PREFIX}/etc/shorewall/initdone
    echo "Initdone file installed as ${PREFIX}/etc/shorewall/initdone"
 fi
@@ -590,7 +600,7 @@ fi
 #
 run_install $OWNERSHIP -m 0644 configfiles/start ${PREFIX}/usr/share/shorewall/configfiles/start

-if [ -z "$CYGWIN" -a ! -f ${PREFIX}/etc/shorewall/start ]; then
+if [ -z "$SPARSE" -a ! -f ${PREFIX}/etc/shorewall/start ]; then
    run_install $OWNERSHIP -m 0600 configfiles/start ${PREFIX}/etc/shorewall/start
    echo "Start file installed as ${PREFIX}/etc/shorewall/start"
 fi
@@ -599,7 +609,7 @@ fi
 #
 run_install $OWNERSHIP -m 0644 configfiles/stop ${PREFIX}/usr/share/shorewall/configfiles/stop

-if [ -z "$CYGWIN" -a ! -f ${PREFIX}/etc/shorewall/stop ]; then
+if [ -z "$SPARSE" -a ! -f ${PREFIX}/etc/shorewall/stop ]; then
    run_install $OWNERSHIP -m 0600 configfiles/stop ${PREFIX}/etc/shorewall/stop
    echo "Stop file installed as ${PREFIX}/etc/shorewall/stop"
 fi
@@ -608,7 +618,7 @@ fi
 #
 run_install $OWNERSHIP -m 0644 configfiles/stopped ${PREFIX}/usr/share/shorewall/configfiles/stopped

-if [ -z "$CYGWIN" -a ! -f ${PREFIX}/etc/shorewall/stopped ]; then
+if [ -z "$SPARSE" -a ! -f ${PREFIX}/etc/shorewall/stopped ]; then
    run_install $OWNERSHIP -m 0600 configfiles/stopped ${PREFIX}/etc/shorewall/stopped
    echo "Stopped file installed as ${PREFIX}/etc/shorewall/stopped"
 fi
@@ -617,7 +627,7 @@ fi
 #
 run_install $OWNERSHIP -m 0644 configfiles/ecn ${PREFIX}/usr/share/shorewall/configfiles/ecn

-if [ -z "$CYGWIN" -a ! -f ${PREFIX}/etc/shorewall/ecn ]; then
+if [ -z "$SPARSE" -a ! -f ${PREFIX}/etc/shorewall/ecn ]; then
    run_install $OWNERSHIP -m 0600 configfiles/ecn ${PREFIX}/etc/shorewall/ecn
    echo "ECN file installed as ${PREFIX}/etc/shorewall/ecn"
 fi
@@ -626,7 +636,7 @@ fi
 #
 run_install $OWNERSHIP -m 0644 configfiles/accounting ${PREFIX}/usr/share/shorewall/configfiles/accounting

-if [ -z "$CYGWIN" -a ! -f ${PREFIX}/etc/shorewall/accounting ]; then
+if [ -z "$SPARSE" -a ! -f ${PREFIX}/etc/shorewall/accounting ]; then
    run_install $OWNERSHIP -m 0600 configfiles/accounting ${PREFIX}/etc/shorewall/accounting
    echo "Accounting file installed as ${PREFIX}/etc/shorewall/accounting"
 fi
@@ -635,7 +645,7 @@ fi
 #
 run_install $OWNERSHIP -m 0644 configfiles/lib.private ${PREFIX}/usr/share/shorewall/configfiles/lib.private

-if [ -z "$CYGWIN" -a ! -f ${PREFIX}/etc/shorewall/lib.private ]; then
+if [ -z "$SPARSE" -a ! -f ${PREFIX}/etc/shorewall/lib.private ]; then
    run_install $OWNERSHIP -m 0600 configfiles/lib.private ${PREFIX}/etc/shorewall/lib.private
    echo "Private library file installed as ${PREFIX}/etc/shorewall/lib.private"
 fi
@@ -644,7 +654,7 @@ fi
 #
 run_install $OWNERSHIP -m 0644 configfiles/started ${PREFIX}/usr/share/shorewall/configfiles/started

-if [ -z "$CYGWIN" -a ! -f ${PREFIX}/etc/shorewall/started ]; then
+if [ -z "$SPARSE" -a ! -f ${PREFIX}/etc/shorewall/started ]; then
    run_install $OWNERSHIP -m 0600 configfiles/started ${PREFIX}/etc/shorewall/started
    echo "Started file installed as ${PREFIX}/etc/shorewall/started"
 fi
@@ -653,7 +663,7 @@ fi
 #
 run_install $OWNERSHIP -m 0644 configfiles/restored ${PREFIX}/usr/share/shorewall/configfiles/restored

-if [ -z "$CYGWIN" -a ! -f ${PREFIX}/etc/shorewall/restored ]; then
+if [ -z "$SPARSE" -a ! -f ${PREFIX}/etc/shorewall/restored ]; then
    run_install $OWNERSHIP -m 0600 configfiles/restored ${PREFIX}/etc/shorewall/restored
    echo "Restored file installed as ${PREFIX}/etc/shorewall/restored"
 fi
@@ -662,7 +672,7 @@ fi
 #
 run_install $OWNERSHIP -m 0644 configfiles/clear ${PREFIX}/usr/share/shorewall/configfiles/clear

-if [ -z "$CYGWIN" -a ! -f ${PREFIX}/etc/shorewall/clear ]; then
+if [ -z "$SPARSE" -a ! -f ${PREFIX}/etc/shorewall/clear ]; then
    run_install $OWNERSHIP -m 0600 configfiles/clear ${PREFIX}/etc/shorewall/clear
    echo "Clear file installed as ${PREFIX}/etc/shorewall/clear"
 fi
@@ -671,7 +681,7 @@ fi
 #
 run_install $OWNERSHIP -m 0644 configfiles/isusable ${PREFIX}/usr/share/shorewall/configfiles/isusable

-if [ -z "$CYGWIN" -a ! -f ${PREFIX}/etc/shorewall/isusable ]; then
+if [ -z "$SPARSE" -a ! -f ${PREFIX}/etc/shorewall/isusable ]; then
    run_install $OWNERSHIP -m 0600 configfiles/isusable ${PREFIX}/etc/shorewall/isusable
    echo "Isusable file installed as ${PREFIX}/etc/shorewall/isusable"
 fi
@@ -680,7 +690,7 @@ fi
 #
 run_install $OWNERSHIP -m 0644 configfiles/refresh ${PREFIX}/usr/share/shorewall/configfiles/refresh

-if [ -z "$CYGWIN" -a ! -f ${PREFIX}/etc/shorewall/refresh ]; then
+if [ -z "$SPARSE" -a ! -f ${PREFIX}/etc/shorewall/refresh ]; then
    run_install $OWNERSHIP -m 0600 configfiles/refresh ${PREFIX}/etc/shorewall/refresh
    echo "Refresh file installed as ${PREFIX}/etc/shorewall/refresh"
 fi
@@ -689,7 +699,7 @@ fi
 #
 run_install $OWNERSHIP -m 0644 configfiles/refreshed ${PREFIX}/usr/share/shorewall/configfiles/refreshed

-if [ -z "$CYGWIN" -a ! -f ${PREFIX}/etc/shorewall/refreshed ]; then
+if [ -z "$SPARSE" -a ! -f ${PREFIX}/etc/shorewall/refreshed ]; then
    run_install $OWNERSHIP -m 0600 configfiles/refreshed ${PREFIX}/etc/shorewall/refreshed
    echo "Refreshed file installed as ${PREFIX}/etc/shorewall/refreshed"
 fi
@@ -698,7 +708,7 @@ fi
 #
 run_install $OWNERSHIP -m 0644 configfiles/tcclear ${PREFIX}/usr/share/shorewall/configfiles/tcclear

-if [ -z "$CYGWIN" -a ! -f ${PREFIX}/etc/shorewall/tcclear ]; then
+if [ -z "$SPARSE" -a ! -f ${PREFIX}/etc/shorewall/tcclear ]; then
    run_install $OWNERSHIP -m 0600 configfiles/tcclear ${PREFIX}/etc/shorewall/tcclear
    echo "Tcclear file installed as ${PREFIX}/etc/shorewall/tcclear"
 fi
@@ -713,7 +723,7 @@ echo "Standard actions file installed as ${PREFIX}/usr/shared/shorewall/actions.
 #
 run_install $OWNERSHIP -m 0644 configfiles/actions ${PREFIX}/usr/share/shorewall/configfiles/actions

-if [ -z "$CYGWIN" -a ! -f ${PREFIX}/etc/shorewall/actions ]; then
+if [ -z "$SPARSE" -a ! -f ${PREFIX}/etc/shorewall/actions ]; then
    run_install $OWNERSHIP -m 0644 configfiles/actions ${PREFIX}/etc/shorewall/actions
    echo "Actions file installed as ${PREFIX}/etc/shorewall/actions"
 fi
@@ -723,7 +733,7 @@ fi
 #
 run_install $OWNERSHIP -m 0644 Makefile-lite ${PREFIX}/usr/share/shorewall/configfiles/Makefile

-if [ -z "$CYGWIN" ]; then
+if [ -z "$SPARSE" ]; then
    run_install $OWNERSHIP -m 0600 Makefile ${PREFIX}/etc/shorewall/Makefile
    echo "Makefile installed as ${PREFIX}/etc/shorewall/Makefile"
 fi
@@ -841,7 +851,7 @@ if [ -z "$PREFIX" -a -n "$first_install" -a -z "$CYGWIN" ]; then
 	echo "shorewall will start automatically at boot"
 	echo "Set startup=1 in /etc/default/shorewall to enable"
 	touch /var/log/shorewall-init.log
-	qt mywhich perl && perl -p -w -i -e 's/^STARTUP_ENABLED=No/STARTUP_ENABLED=Yes/;s/^IP_FORWARDING=On/IP_FORWARDING=Keep/;s/^SUBSYSLOCK=.*/SUBSYSLOCK=/;' /etc/shorewall/shorewall.conf
+	perl -p -w -i -e 's/^STARTUP_ENABLED=No/STARTUP_ENABLED=Yes/;s/^IP_FORWARDING=On/IP_FORWARDING=Keep/;s/^SUBSYSLOCK=.*/SUBSYSLOCK=/;' /etc/shorewall/shorewall.conf
    else
 	if [ -x /sbin/insserv -o -x /usr/sbin/insserv ]; then
 	    if insserv /etc/init.d/shorewall ; then
--- a/Shorewall/known_problems.txt
+++ b/Shorewall/known_problems.txt
@@ -1,18 +1 @@
-1)  All versions of Shorewall-perl mishandle per-IP rate limiting in
-    REDIRECT and DNAT rules. The effective rate and burst are 1/2 of
-    the values given in the rule.
-
-    Corrected in 4.4.7.1
-
-2)  Detection of the 'Old hashlimit match' capability was broken in
-    /sbin/shorewall, /sbin/shorewall-lite and in the IPv4 version of 
-    shorecap. This problem only affects users of older distributions
-    such as RH3L5 and derivatives.
-
-    Corrected in 4.4.7.2
-
-2)  On older distributions such as RHEL5 and derivatives, when
-    LOAD_HELPERS_ONLY=No, Shorewall would fail to start if a TYPE was
-    specified in /etc/shorewall/tcinterfaces.
-
-    Corrected in 4.4.7.2
+There are no known problems in Shorewall 4.4.8
--- a/Shorewall/lib.base
+++ b/Shorewall/lib.base
@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-# Shorewall 4.2 -- /usr/share/shorewall/lib.base
+# Shorewall 4.4 -- /usr/share/shorewall/lib.base
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
@@ -24,26 +24,17 @@
 # This library contains the code common to all Shorewall components.
 #
 # - It is loaded by /sbin/shorewall.
-# - It is loaded by /usr/share/shorewall/firewall.
 # - It is released as part of Shorewall Lite where it is used by /sbin/shorewall-lite
 #   and /usr/share/shorewall-lite/shorecap.
 #

 SHOREWALL_LIBVERSION=40407
-SHOREWALL_CAPVERSION=40407
+SHOREWALL_CAPVERSION=40408

 [ -n "${VARDIR:=/var/lib/shorewall}" ]
 [ -n "${SHAREDIR:=/usr/share/shorewall}" ]
 [ -n "${CONFDIR:=/etc/shorewall}" ]

-#
-# Message to stderr
-#
-error_message() # $* = Error Message
-{
-   echo "   $@" >&2
-}
-
 #
 # Conditionally produce message
 #
@@ -52,8 +43,8 @@ progress_message() # $* = Message
    local timestamp
    timestamp=

-    if [ $VERBOSE -gt 1 ]; then
-	[ -n "$TIMESTAMP" ] && timestamp="$(date +%H:%M:%S) "
+    if [ $VERBOSITY -gt 1 ]; then
+	[ -n "$g_timestamp" ] && timestamp="$(date +%H:%M:%S) "
 	echo "${timestamp}$@"
    fi
 }
@@ -63,8 +54,8 @@ progress_message2() # $* = Message
    local timestamp
    timestamp=

-    if [ $VERBOSE -gt 0 ]; then
-	[ -n "$TIMESTAMP" ] && timestamp="$(date +%H:%M:%S) "
+    if [ $VERBOSITY -gt 0 ]; then
+	[ -n "$g_timestamp" ] && timestamp="$(date +%H:%M:%S) "
 	echo "${timestamp}$@"
    fi
 }
@@ -74,40 +65,12 @@ progress_message3() # $* = Message
    local timestamp
    timestamp=

-    if [ $VERBOSE -ge 0 ]; then
-	[ -n "$TIMESTAMP" ] && timestamp="$(date +%H:%M:%S) "
+    if [ $VERBOSITY -ge 0 ]; then
+	[ -n "$g_timestamp" ] && timestamp="$(date +%H:%M:%S) "
 	echo "${timestamp}$@"
    fi
 }

-#
-# Split a colon-separated list into a space-separated list
-#
-split() {
-    local ifs
-    ifs=$IFS
-    IFS=:
-    echo $*
-    IFS=$ifs
-}
-
-#
-# Search a list looking for a match -- returns zero if a match found
-# 1 otherwise
-#
-list_search() # $1 = element to search for , $2-$n = list
-{
-    local e
-    e=$1
-
-    while [ $# -gt 1 ]; do
-	shift
-	[ "x$e" = "x$1" ] && return 0
-    done
-
-    return 1
-}
-
 #
 # Undo the effect of 'separate_list()'
 #
@@ -124,167 +87,6 @@ combine_list()
    echo $o
 }

-#
-# Suppress all output for a command
-#
-qt()
-{
-    "$@" >/dev/null 2>&1
-}
-
-#
-# Determine if Shorewall is "running"
-#
-shorewall_is_started() {
-    qt $IPTABLES -L shorewall -n
-}
-
-#
-# Echos the fully-qualified name of the calling shell program
-#
-my_pathname() {
-    cd $(dirname $0)
-    echo $PWD/$(basename $0)
-}
-
-#
-# Source a user exit file if it exists
-#
-run_user_exit() # $1 = file name
-{
-    local user_exit
-    user_exit=$(find_file $1)
-
-    if [ -f $user_exit ]; then
-	progress_message "Processing $user_exit ..."
-	. $user_exit
-    fi
-}
-
-#
-# Load a Kernel Module -- assumes that the variable 'moduledirectories' contains
-#                         a space-separated list of directories to search for
-#                         the module and that 'moduleloader' contains the
-#                         module loader command.
-#
-loadmodule() # $1 = module name, $2 - * arguments
-{
-    local modulename
-    modulename=$1
-    local modulefile
-    local suffix
-
-    if ! list_search $modulename $MODULES $DONT_LOAD ; then
-	shift
-
-	for suffix in $MODULE_SUFFIX ; do
-	    for directory in $moduledirectories; do
-		modulefile=$directory/${modulename}.${suffix}
-
-		if [ -f $modulefile ]; then
-		    case $moduleloader in
-			insmod)
-			    insmod $modulefile $*
-			    ;;
-			*)
-			    modprobe $modulename $*
-			    ;;
-		    esac
-		    break 2
-		fi
-	    done
-	done
-    fi
-}
-
-#
-# Reload the Modules
-#
-reload_kernel_modules() {
-
-    local save_modules_dir
-    save_modules_dir=$MODULESDIR
-    local directory
-    local moduledirectories
-    moduledirectories=
-    local moduleloader
-    moduleloader=modprobe
-    local uname
-
-    if ! qt mywhich modprobe; then
-	moduleloader=insmod
-    fi
-
-    [ -n "${MODULE_SUFFIX:=o gz ko o.gz ko.gz}" ]
-
-
-    [ -z "$MODULESDIR" ] && \
-	uname=$(uname -r) && \
-	MODULESDIR=/lib/modules/$uname/kernel/net/ipv4/netfilter:/lib/modules/$uname/kernel/net/netfilter:/lib/modules/$uname/kernel/net/sched:/lib/modules/$uname/extra:/lib/modules/$uname/extra/ipset
-
-    MODULES=$(lsmod | cut -d ' ' -f1)
-
-    for directory in $(split $MODULESDIR); do
-	[ -d $directory ] && moduledirectories="$moduledirectories $directory"
-    done
-
-    [ -n "$moduledirectories" ] && while read command; do
-	eval $command
-    done
-
-    MODULESDIR=$save_modules_dir
-}
-
-#
-# Load kernel modules required for Shorewall
-#
-load_kernel_modules() # $1 = Yes, if we are to save moduleinfo in $VARDIR
-{
-    local save_modules_dir
-    save_modules_dir=$MODULESDIR
-    local directory
-    local moduledirectories
-    moduledirectories=
-    local moduleloader
-    moduleloader=modprobe
-    local savemoduleinfo
-    savemoduleinfo=${1:-Yes} # So old compiled scripts still work
-    local uname
-
-    if ! qt mywhich modprobe; then
-	moduleloader=insmod
-    fi
-
-    [ -n "${MODULE_SUFFIX:=o gz ko o.gz ko.gz}" ]
-
-    [ -z "$MODULESDIR" ] && \
-	uname=$(uname -r) && \
-	MODULESDIR=/lib/modules/$uname/kernel/net/ipv4/netfilter:/lib/modules/$uname/kernel/net/netfilter:/lib/modules/$uname/kernel/net/sched:/lib/modules/$uname/extra:/lib/modules/$uname/extra/ipset
-
-    for directory in $(split $MODULESDIR); do
-	[ -d $directory ] && moduledirectories="$moduledirectories $directory"
-    done
-
-    [ -n "$LOAD_HELPERS_ONLY" ] && modules=$(find_file helpers) || modules=$(find_file modules)
-
-    if [ -f $modules -a -n "$moduledirectories" ]; then
-	MODULES=$(lsmod | cut -d ' ' -f1)
-	progress_message "Loading Modules..."
-	. $modules
-	if [ $savemoduleinfo = Yes ]; then
-	    [ -d ${VARDIR} ] || mkdir -p ${VARDIR}
-	    echo MODULESDIR="$MODULESDIR" > ${VARDIR}/.modulesdir
-	    cp -f $modules ${VARDIR}/.modules
-	fi
-    elif [ $savemoduleinfo = Yes ]; then
-	[ -d ${VARDIR} ] || mkdir -p ${VARDIR}
-	> ${VARDIR}/.modulesdir	
-	> ${VARDIR}/.modules
-    fi
-
-    MODULESDIR=$save_modules_dir
-}
-
 #
 # Call this function to assert mutual exclusion with Shorewall. If you invoke the
 # /sbin/shorewall program while holding mutual exclusion, you should pass "nolock" as
@@ -334,12 +136,32 @@ mutex_off()
 }

 #
-#  Note: The following set of IP address manipulation functions have anomalous
-#        behavior when the shell only supports 32-bit signed arithmetic and
-#        the IP address is 128.0.0.0 or 128.0.0.1.
+# Find the interface with the passed MAC address
 #

-LEFTSHIFT='<<'
+find_interface_by_mac() {
+    local mac
+    mac=$1
+    local first
+    local second
+    local rest
+    local dev
+
+    $IP link list | while read first second rest; do
+	case $first in
+	    *:)
+                dev=$second
+		;;
+	    *)
+	        if [ "$second" = $mac ]; then
+		    echo ${dev%:}
+		    return
+		fi
+	esac
+    done
+}
+
+[ -z "$LEFTSHIFT" ] && . ${SHAREDIR}/lib.common

 #
 # Validate an IP address
@@ -369,44 +191,6 @@ valid_address() {
    return 0
 }

-#
-# Convert an IP address in dot quad format to an integer
-#
-decodeaddr() {
-    local x
-    local temp
-    temp=0
-    local ifs
-    ifs=$IFS
-
-    IFS=.
-
-    for x in $1; do
-	temp=$(( $(( $temp $LEFTSHIFT 8 )) | $x ))
-    done
-
-    echo $temp
-
-    IFS=$ifs
-}
-
-#
-# convert an integer to dot quad format
-#
-encodeaddr() {
-    addr=$1
-    local x
-    local y
-    y=$(($addr & 255))
-
-    for x in 1 2 3 ; do
-	addr=$(($addr >> 8))
-	y=$(($addr & 255)).$y
-    done
-
-    echo $y
-}
-
 #
 # Miserable Hack to work around broken BusyBox ash in OpenWRT
 #
@@ -507,66 +291,6 @@ ip_range_explicit() {
    done
 }

-#
-# Netmask from CIDR
-#
-ip_netmask() {
-    local vlsm
-    vlsm=${1#*/}
-
-    [ $vlsm -eq 0 ] && echo 0 || echo $(( -1 $LEFTSHIFT $(( 32 - $vlsm )) ))
-}
-
-#
-# Network address from CIDR
-#
-ip_network() {
-    local decodedaddr
-    decodedaddr=$(decodeaddr ${1%/*})
-    local netmask
-    netmask=$(ip_netmask $1)
-
-    echo $(encodeaddr $(($decodedaddr & $netmask)))
-}
-
-#
-# The following hack is supplied to compensate for the fact that many of
-# the popular light-weight Bourne shell derivatives don't support XOR ("^").
-#
-ip_broadcast() {
-    local x
-    x=$(( 32 - ${1#*/} ))
-
-    [ $x -eq 32 ] && echo -1 || echo $(( $(( 1 $LEFTSHIFT $x )) - 1 ))
-}
-
-#
-# Calculate broadcast address from CIDR
-#
-broadcastaddress() {
-    local decodedaddr
-    decodedaddr=$(decodeaddr ${1%/*})
-    local netmask
-    netmask=$(ip_netmask $1)
-    local broadcast
-    broadcast=$(ip_broadcast $1)
-
-    echo $(encodeaddr $(( $(($decodedaddr & $netmask)) | $broadcast )))
-}
-
-#
-# Test for network membership
-#
-in_network() # $1 = IP address, $2 = CIDR network
-{
-    local netmask
-    netmask=$(ip_netmask $2)
-    #
-    # We compare the values as strings rather than integers to work around broken BusyBox ash on OpenWRT
-    #
-    test $(( $(decodeaddr $1) & $netmask)) = $(( $(decodeaddr ${2%/*}) & $netmask ))
-}
-
 #
 # Netmask to VLSM
 #
@@ -590,90 +314,6 @@ ip_vlsm() {
    fi
 }

-#
-# Query NetFilter about the existence of a filter chain
-#
-chain_exists() # $1 = chain name
-{
-    qt $IPTABLES -L $1 -n
-}
-
-#
-# Find the interface with the passed MAC address
-#
-
-find_interface_by_mac() {
-    local mac
-    mac=$1 
-    local first 
-    local second
-    local rest
-    local dev
-
-    ip link list | while read first second rest; do
-	case $first in
-	    *:)
-                dev=$second
-		;;
-	    *)
-	        if [ "$second" = $mac ]; then
-		    echo ${dev%:}
-		    return
-		fi
-	esac
-    done
-}
-
-#
-# Find interface address--returns the first IP address assigned to the passed
-# device
-#
-find_first_interface_address() # $1 = interface
-{
-    #
-    # get the line of output containing the first IP address
-    #
-    addr=$(ip -f inet addr show $1 2> /dev/null | grep 'inet .* global' | head -n1)
-    #
-    # If there wasn't one, bail out now
-    #
-    [ -n "$addr" ] || fatal_error "Can't determine the IP address of $1"
-    #
-    # Strip off the trailing VLSM mask (or the peer IP in case of a P-t-P link)
-    # along with everything else on the line
-    #
-    echo $addr | sed 's/\s*inet //;s/\/.*//;s/ peer.*//'
-}
-
-find_first_interface_address_if_any() # $1 = interface
-{
-    #
-    # get the line of output containing the first IP address
-    #
-    addr=$(ip -f inet addr show $1 2> /dev/null | grep 'inet .* global' | head -n1)
-    #
-    # Strip off the trailing VLSM mask (or the peer IP in case of a P-t-P link)
-    # along with everything else on the line
-    #
-    [ -n "$addr" ] && echo $addr | sed 's/\s*inet //;s/\/.*//;s/ peer.*//' || echo 0.0.0.0
-}
-
-#
-# Internal version of 'which'
-#
-mywhich() {
-    local dir
-
-    for dir in $(split $PATH); do
-	if [ -x $dir/$1 ]; then
-	    echo $dir/$1
-	    return 0
-	fi
-    done
-
-    return 2
-}
-
 #
 # Set default config path
 #
@@ -690,32 +330,6 @@ ensure_config_path() {
    fi
 }

-#
-# Find a File -- For relative file name, look in each ${CONFIG_PATH} then ${CONFDIR}
-#
-find_file()
-{
-    local saveifs
-    saveifs= 
-    local directory
-
-    case $1 in
-	/*)
-	    echo $1
-	    ;;
-	*)
-	    for directory in $(split $CONFIG_PATH); do
-		if [ -f $directory/$1 ]; then
-		    echo $directory/$1
-		    return
-		fi
-	    done
-
-	    echo ${CONFDIR}/$1
-	    ;;
-    esac
-}
-
 #
 # Get fully-qualified name of file
 #
@@ -750,378 +364,11 @@ resolve_file() # $1 = file name
    esac
 }

-#
-# Perform variable substitution on the passed argument and echo the result
-#
-expand() # $@ = contents of variable which may be the name of another variable
-{
-    eval echo \"$@\"
-}
-
-#
-# Function for including one file into another
-#
-INCLUDE() {
-    . $(find_file $(expand $@))
-}
-
-#
-# Set the Shorewall state
-#
-set_state () # $1 = state
-{
-    echo "$1 ($(date))" > ${VARDIR}/state
-}
-
-#
-# Determine which optional facilities are supported by iptables/netfilter
-#
-determine_capabilities() {
-    [ -n "$IPTABLES" ] || IPTABLES=$(mywhich iptables)
-
-    if [ -z "$IPTABLES" ]; then
-	echo "   ERROR: No executable iptables binary can be found on your PATH" >&2
-	exit 1
-    fi
-
-    [ "$TC" = tc -o -z "$TC" ] && TC=$(which tc)
-
-    [ -n "$TC" -a -x "$TC" ] || TC=
-
-    qt $IPTABLES -t nat    -L -n && NAT_ENABLED=Yes    || NAT_ENABLED=
-    qt $IPTABLES -t mangle -L -n && MANGLE_ENABLED=Yes || MANGLE_ENABLED=
-
-    CONNTRACK_MATCH=
-    NEW_CONNTRACK_MATCH=
-    OLD_CONNTRACK_MATCH=
-    MULTIPORT=
-    XMULTIPORT=
-    POLICY_MATCH=
-    PHYSDEV_MATCH=
-    PHYSDEV_BRIDGE=
-    IPRANGE_MATCH=
-    RECENT_MATCH=
-    OWNER_MATCH=
-    IPSET_MATCH=
-    CONNMARK=
-    XCONNMARK=
-    CONNMARK_MATCH=
-    XCONNMARK_MATCH=
-    RAW_TABLE=
-    IPP2P_MATCH=
-    OLD_IPP2P_MATCH=
-    LENGTH_MATCH=
-    CLASSIFY_TARGET=
-    ENHANCED_REJECT=
-    USEPKTTYPE=
-    KLUDGEFREE=
-    MARK=
-    XMARK=
-    EXMARK=
-    TPROXY_TARGET=
-    MANGLE_FORWARD=
-    COMMENTS=
-    ADDRTYPE=
-    TCPMSS_MATCH=
-    HASHLIMIT_MATCH=
-    NFQUEUE_TARGET=
-    REALM_MATCH=
-    HELPER_MATCH=
-    CONNLIMIT_MATCH=
-    TIME_MATCH=
-    GOTO_TARGET=
-    LOGMARK_TARGET=
-    IPMARK_TARGET=
-    LOG_TARGET=Yes
-    PERSISTENT_SNAT=
-    FLOW_FILTER=
-
-    chain=fooX$$
-
-    if [ -n "$NAT_ENABLED" ]; then
-	if qt $IPTABLES -t nat -N $chain; then
-	    qt $IPTABLES -t nat -A $chain -j SNAT --to-source 1.2.3.4 --persistent && PERSISTENT_SNAT=Yes
-	    qt $IPTABLES -t nat -F $chain
-	    qt $IPTABLES -t nat -X $chain
-	fi
-    fi
-
-    qt $IPTABLES -F $chain
-    qt $IPTABLES -X $chain
-    if ! $IPTABLES -N $chain; then
-	echo "   ERROR: The command \"$IPTABLES -N $chain\" failed" >&2
-	exit 1
-    fi
-
-    chain1=${chain}1
-
-    qt $IPTABLES -F $chain1
-    qt $IPTABLES -X $chain1
-    if ! $IPTABLES -N $chain1; then
-	echo "   ERROR: The command \"$IPTABLES -N $chain1\" failed" >&2
-	exit 1
-    fi
-
-    if ! qt $IPTABLES -A $chain -m state --state ESTABLISHED,RELATED -j ACCEPT; then
-	echo "   ERROR: Your kernel lacks connection tracking and/or state matching -- Shorewall will not run on this system" >&2
-	exit 1
-    fi
-
-    qt $IPTABLES -A $chain -m conntrack --ctorigdst 192.168.1.1 -j ACCEPT && CONNTRACK_MATCH=Yes
-
-    if [ -n "$CONNTRACK_MATCH" ]; then
-	qt $IPTABLES -A $chain -m conntrack -p tcp --ctorigdstport 22 -j ACCEPT && NEW_CONNTRACK_MATCH=Yes
-	qt $IPTABLES -A $chain -m conntrack ! --ctorigdst 1.2.3.4 || OLD_CONNTRACK_MATCH=Yes
-    fi
-
-    if qt $IPTABLES -A $chain -p tcp -m multiport --dports 21,22 -j ACCEPT; then
-	MULTIPORT=Yes
-	qt $IPTABLES -A $chain -p tcp -m multiport --sports 60 -m multiport --dports 99 -j ACCEPT && KLUDEFREE=Yes
-    fi
-
-    qt $IPTABLES -A $chain -p tcp -m multiport --dports 21:22 -j ACCEPT           && XMULTIPORT=Yes
-    qt $IPTABLES -A $chain -m policy --pol ipsec --mode tunnel --dir in -j ACCEPT && POLICY_MATCH=Yes
-
-    if qt $IPTABLES -A $chain -m physdev --physdev-out eth0 -j ACCEPT; then
-	PHYSDEV_MATCH=Yes
-	qt $IPTABLES -A $chain -m physdev --physdev-is-bridged --physdev-in eth0 --physdev-out eth0 -j ACCEPT && PHYSDEV_BRIDGE=Yes
-	if [ -z "${KLUDGEFREE}" ]; then
-	    qt $IPTABLES -A $chain -m physdev --physdev-in eth0 -m physdev --physdev-out eth0 -j ACCEPT && KLUDGEFREE=Yes
-	fi
-    fi
-
-    if qt $IPTABLES -A $chain -m iprange --src-range 192.168.1.5-192.168.1.124 -j ACCEPT; then
-	IPRANGE_MATCH=Yes
-	if [ -z "${KLUDGEFREE}" ]; then
-	    qt $IPTABLES -A $chain -m iprange --src-range 192.168.1.5-192.168.1.124 -m iprange --dst-range 192.168.1.5-192.168.1.124 -j ACCEPT && KLUDGEFREE=Yes
-	fi
-    fi
-
-    qt $IPTABLES -A $chain -m recent --update -j ACCEPT     && RECENT_MATCH=Yes
-    qt $IPTABLES -A $chain -m owner --uid-owner 0 -j ACCEPT && OWNER_MATCH=Yes
-
-    if qt $IPTABLES -A $chain -m connmark --mark 2  -j ACCEPT; then
-	CONNMARK_MATCH=Yes
-	qt $IPTABLES -A $chain -m connmark --mark 2/0xFF -j ACCEPT && XCONNMARK_MATCH=Yes
-    fi
-
-    qt $IPTABLES -A $chain -p tcp -m ipp2p --edk -j ACCEPT       && IPP2P_MATCH=Yes
-    if [ -n "$IPP2P_MATCH" ]; then
-	qt $IPTABLES -A $chain -p tcp -m ipp2p --ipp2p -j ACCEPT && OLD_IPP2P_MATCH=Yes
-    fi
-
-    qt $IPTABLES -A $chain -m length --length 10:20 -j ACCEPT           && LENGTH_MATCH=Yes
-    qt $IPTABLES -A $chain -j REJECT --reject-with icmp-host-prohibited && ENHANCED_REJECT=Yes
-
-    qt $IPTABLES -A $chain -j ACCEPT -m comment --comment "This is a comment" && COMMENTS=Yes
-
-    if [ -n "$MANGLE_ENABLED" ]; then
-	qt $IPTABLES -t mangle -N $chain
-
-	if qt $IPTABLES -t mangle -A $chain -j MARK --set-mark 1; then
-	    MARK=Yes
-	    qt $IPTABLES -t mangle -A $chain -j MARK --and-mark 0xFF && XMARK=Yes
-	    qt $IPTABLES -t mangle -A $chain -j MARK --set-mark 1/0xFF && EXMARK=Yes
-	fi
-
-	if qt $IPTABLES -t mangle -A $chain -j CONNMARK --save-mark; then
-	    CONNMARK=Yes
-	    qt $IPTABLES -t mangle -A $chain -j CONNMARK --save-mark --mask 0xFF && XCONNMARK=Yes
-	fi
-
-	qt $IPTABLES -t mangle -A $chain -j CLASSIFY --set-class 1:1 && CLASSIFY_TARGET=Yes
-	qt $IPTABLES -t mangle -A $chain -j IPMARK --addr src && IPMARK_TARGET=Yes
-	qt $IPTABLES -t mangle -A $chain -p tcp -j TPROXY --on-port 0 --tproxy-mark 1 && TPROXY_TARGET=Yes
-	qt $IPTABLES -t mangle -F $chain
-	qt $IPTABLES -t mangle -X $chain
-	qt $IPTABLES -t mangle -L FORWARD -n && MANGLE_FORWARD=Yes
-    fi
-
-    qt $IPTABLES -t raw	   -L -n && RAW_TABLE=Yes
-
-    if qt mywhich ipset; then
-	qt ipset -X $chain # Just in case something went wrong the last time
-
-	if qt ipset -N $chain iphash ; then
-	    if qt $IPTABLES -A $chain -m set --set $chain src -j ACCEPT; then
-		qt $IPTABLES -D $chain -m set --set $chain src -j ACCEPT
-		IPSET_MATCH=Yes
-	    fi
-	    qt ipset -X $chain
-	fi
-    fi
-
-    qt $IPTABLES -A $chain -m pkttype --pkt-type broadcast -j ACCEPT && USEPKTTYPE=Yes
-    qt $IPTABLES -A $chain -m addrtype --src-type BROADCAST -j ACCEPT && ADDRTYPE=Yes
-    qt $IPTABLES -A $chain -p tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1000:1500 -j ACCEPT && TCPMSS_MATCH=Yes
-    qt $IPTABLES -A $chain -m hashlimit --hashlimit-upto 4 --hashlimit-burst 5 --hashlimit-name $chain --hashlimit-mode dstip -j ACCEPT && HASHLIMIT_MATCH=Yes
-    if [ -z "$HASHLIMIT_MATCH" ]; then
-	qt $IPTABLES -A $chain -m hashlimit --hashlimit 4 --hashlimit-burst 5 --hashlimit-name $chain --hashlimit-mode dstip -j ACCEPT && OLD_HL_MATCH=Yes
-	HASHLIMIT_MATCH=$OLD_HL_MATCH
-    fi	
-    qt $IPTABLES -A $chain -j NFQUEUE --queue-num 4 && NFQUEUE_TARGET=Yes
-    qt $IPTABLES -A $chain -m realm --realm 4 && REALM_MATCH=Yes
-    qt $IPTABLES -A $chain -m helper --helper "ftp" && HELPER_MATCH=Yes
-    qt $IPTABLES -A $chain -m connlimit --connlimit-above 8 -j DROP && CONNLIMIT_MATCH=Yes
-    qt $IPTABLES -A $chain -m time --timestart 23:00 -j DROP && TIME_MATCH=Yes
-    qt $IPTABLES -A $chain -g $chain1 && GOTO_TARGET=Yes
-    qt $IPTABLES -A $chain -j LOGMARK && LOGMARK_TARGET=Yes
-    qt $IPTABLES -A $chain -j LOG || LOG_TARGET=
-
-    qt $IPTABLES -F $chain
-    qt $IPTABLES -X $chain
-    qt $IPTABLES -F $chain1
-    qt $IPTABLES -X $chain1
-
-    [ -n "$TC" ] && $TC filter add flow help 2>&1 | grep -q ^Usage && FLOW_FILTER=Yes
-
-    CAPVERSION=$SHOREWALL_CAPVERSION
-    KERNELVERSION=$(printf "%d%02d%02d" $(uname -r 2> /dev/null | sed -e 's/-.*//' -e 's/^\([0-9][0-9]*\)\.\([0-9][0-9]*\)\.\([0-9][0-9]*\).*$/\1 \2 \3/g'))
-}
-
-report_capabilities() {
-    report_capability() # $1 = Capability Description , $2 Capability Setting (if any)
-    {
-	local setting
-	setting=
-
-	[ "x$2" = "xYes" ] && setting="Available" || setting="Not available"
-
-	echo "  " $1: $setting
-    }
-
-    if [ $VERBOSE -gt 1 ]; then
-	echo "Shorewall has detected the following iptables/netfilter capabilities:"
-	report_capability "NAT" $NAT_ENABLED
-	report_capability "Packet Mangling" $MANGLE_ENABLED
-	report_capability "Multi-port Match" $MULTIPORT
-	[ -n "$MULTIPORT" ] && report_capability "Extended Multi-port Match" $XMULTIPORT
-	report_capability "Connection Tracking Match" $CONNTRACK_MATCH
-	if [ -n "$CONNTRACK_MATCH" ]; then
-	    report_capability "Extended Connection Tracking Match Support" $NEW_CONNTRACK_MATCH
-	    report_capability "Old Connection Tracking Match Syntax" $OLD_CONNTRACK_MATCH
-	fi
-	report_capability "Packet Type Match" $USEPKTTYPE
-	report_capability "Policy Match" $POLICY_MATCH
-	report_capability "Physdev Match" $PHYSDEV_MATCH
-	report_capability "Physdev-is-bridged Support" $PHYSDEV_BRIDGE
-	report_capability "Packet length Match" $LENGTH_MATCH
-	report_capability "IP range Match" $IPRANGE_MATCH
-	report_capability "Recent Match" $RECENT_MATCH
-	report_capability "Owner Match" $OWNER_MATCH
-	report_capability "Ipset Match" $IPSET_MATCH
-	report_capability "CONNMARK Target" $CONNMARK
-	[ -n "$CONNMARK" ] && report_capability "Extended CONNMARK Target" $XCONNMARK
-	report_capability "Connmark Match" $CONNMARK_MATCH
-	[ -n "$CONNMARK_MATCH" ] && report_capability "Extended Connmark Match" $XCONNMARK_MATCH
-	report_capability "Raw Table" $RAW_TABLE
-	report_capability "IPP2P Match" $IPP2P_MATCH
-	[ -n "$IPP2P_MATCH" ] && report_capability "Old IPP2P Match Syntax" $OLD_IPP2P_MATCH
-	report_capability "CLASSIFY Target" $CLASSIFY_TARGET
-	report_capability "Extended REJECT" $ENHANCED_REJECT
-	report_capability "Repeat match" $KLUDGEFREE
-	report_capability "MARK Target" $MARK
-	[ -n "$MARK" ] && report_capability "Extended MARK Target" $XMARK
-	[ -n "$XMARK" ] && report_capability "Extended MARK Target 2" $EXMARK
-	report_capability "Mangle FORWARD Chain" $MANGLE_FORWARD
-	report_capability "Comments" $COMMENTS
-	report_capability "Address Type Match" $ADDRTYPE
-	report_capability "TCPMSS Match" $TCPMSS_MATCH
-	report_capability "Hashlimit Match" $HASHLIMIT_MATCH
-	report_capability "Old Hashlimit Match" $OLD_HL_MATCH
-	report_capability "NFQUEUE Target" $NFQUEUE_TARGET
-	report_capability "Realm Match" $REALM_MATCH
-	report_capability "Helper Match" $HELPER_MATCH
-	report_capability "Connlimit Match" $CONNLIMIT_MATCH
-	report_capability "Time Match" $TIME_MATCH
-	report_capability "Goto Support" $GOTO_TARGET
-	report_capability "LOGMARK Target" $LOGMARK_TARGET
-	report_capability "IPMARK Target" $IPMARK_TARGET
-	report_capability "LOG Target" $LOG_TARGET
-	report_capability "Persistent SNAT" $PERSISTENT_SNAT
-	report_capability "TPROXY Target" $TPROXY_TARGET
-	report_capability "FLOW Classifier" $FLOW_FILTER
-    fi
-
-    [ -n "$PKTTYPE" ] || USEPKTTYPE=
-
-}
-
-report_capabilities1() {
-    report_capability1() # $1 = Capability
-    {
-	eval echo $1=\$$1
-    }
-
-    echo "#"
-    echo "# Shorewall $VERSION detected the following iptables/netfilter capabilities - $(date)"
-    echo "#"
-    report_capability1 NAT_ENABLED
-    report_capability1 MANGLE_ENABLED
-    report_capability1 MULTIPORT
-    report_capability1 XMULTIPORT
-    report_capability1 CONNTRACK_MATCH
-    report_capability1 NEW_CONNTRACK_MATCH
-    report_capability1 OLD_CONNTRACK_MATCH
-    report_capability1 USEPKTTYPE
-    report_capability1 POLICY_MATCH
-    report_capability1 PHYSDEV_MATCH
-    report_capability1 PHYSDEV_BRIDGE
-    report_capability1 LENGTH_MATCH
-    report_capability1 IPRANGE_MATCH
-    report_capability1 RECENT_MATCH
-    report_capability1 OWNER_MATCH
-    report_capability1 IPSET_MATCH
-    report_capability1 CONNMARK
-    report_capability1 XCONNMARK
-    report_capability1 CONNMARK_MATCH
-    report_capability1 XCONNMARK_MATCH
-    report_capability1 RAW_TABLE
-    report_capability1 IPP2P_MATCH
-    report_capability1 OLD_IPP2P_MATCH
-    report_capability1 CLASSIFY_TARGET
-    report_capability1 ENHANCED_REJECT
-    report_capability1 KLUDGEFREE
-    report_capability1 MARK
-    report_capability1 XMARK
-    report_capability1 EXMARK
-    report_capability1 MANGLE_FORWARD
-    report_capability1 COMMENTS
-    report_capability1 ADDRTYPE
-    report_capability1 TCPMSS_MATCH
-    report_capability1 HASHLIMIT_MATCH
-    report_capability1 OLD_HL_MATCH
-    report_capability1 NFQUEUE_TARGET
-    report_capability1 REALM_MATCH
-    report_capability1 HELPER_MATCH
-    report_capability1 CONNLIMIT_MATCH
-    report_capability1 TIME_MATCH
-    report_capability1 GOTO_TARGET
-    report_capability1 LOGMARK_TARGET
-    report_capability1 IPMARK_TARGET
-    report_capability1 LOG_TARGET
-    report_capability1 PERSISTENT_SNAT
-    report_capability1 TPROXY_TARGET
-    report_capability1 FLOW_FILTER
-    
-    echo CAPVERSION=$SHOREWALL_CAPVERSION
-    echo KERNELVERSION=$KERNELVERSION
-}
-
 # Function to truncate a string -- It uses 'cut -b -<n>'
 # rather than ${v:first:last} because light-weight shells like ash and
 # dash do not support that form of expansion.
 #

-truncate() # $1 = length
-{
-    cut -b -${1}
-}
-
-#
-# Determine how to do "echo -e"
-#
-
 find_echo() {
    local result

--- a/Shorewall/lib.cli
+++ b/Shorewall/lib.cli
@@ -1,10 +1,10 @@
 #!/bin/sh
 #
-# Shorewall 4.2 -- /usr/share/shorewall/lib.cli.
+# Shorewall 4.4 -- /usr/share/shorewall/lib.cli.
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 1999,2000,2001,2002,2003,2004,2005,2006,2007 - Tom Eastep (teastep@shorewall.net)
+#     (c) 1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010 - Tom Eastep (teastep@shorewall.net)
 #
 #	Complete documentation is available at http://shorewall.net
 #
@@ -34,6 +34,7 @@ fatal_error() # $@ = Message
    exit 2
 }

+#
 # Display a chain if it exists
 #

@@ -151,10 +152,10 @@ syslog_circular_buffer() {
 #
 packet_log() # $1 = number of messages
 {
-    if [ -n "$SHOWMACS" -o $VERBOSE -gt 2 ]; then
-	$LOGREAD | grep 'IN=.* OUT=.*SRC=.*\..*DST=' | head -n$1 | tac | sed 's/ kernel://; s/\[.*\] //' | sed s/" $host $LOGFORMAT"/" "/
+    if [ -n "$g_showmacs" -o $VERBOSITY -gt 2 ]; then
+	$g_logread | grep 'IN=.* OUT=.*SRC=.*\..*DST=' | head -n$1 | tac | sed 's/ kernel://; s/\[.*\] //' | sed s/" $host $LOGFORMAT"/" "/
    else
-	$LOGREAD | grep 'IN=.* OUT=.*SRC=.*\..*DST=' |  head -n$1 | tac | sed 's/ kernel://; s/MAC=.* SRC=/SRC=/; s/\[.*\] '// | sed s/" $host $LOGFORMAT"/" "/
+	$g_logread | grep 'IN=.* OUT=.*SRC=.*\..*DST=' |  head -n$1 | tac | sed 's/ kernel://; s/MAC=.* SRC=/SRC=/; s/\[.*\] '// | sed s/" $host $LOGFORMAT"/" "/
    fi
 }

@@ -217,7 +218,7 @@ logwatch() # $1 = timeout -- if negative, prompt each time that
 	   #		     an 'interesting' packet count changes
 {

-    host=$(echo $HOSTNAME | sed 's/\..*$//')
+    host=$(echo $g_hostname | sed 's/\..*$//')
    oldrejects=$($IPTABLES -L -v -n | grep 'LOG')

    if [ $1 -lt 0 ]; then
@@ -245,13 +246,13 @@ logwatch() # $1 = timeout -- if negative, prompt each time that
 	if [ "$rejects" != "$oldrejects" ]; then
 	    oldrejects="$rejects"

-	    $RING_BELL
+	    $g_ring_bell

 	    packet_log 40

 	    if [ "$pause" = "Yes" ]; then
 		echo
-		echo $ECHO_N 'Enter any character to continue: '
+		echo $g_echo_n 'Enter any character to continue: '
 		read foo
 	    else
 		timed_read
@@ -273,10 +274,10 @@ do_save() {

    if [ -f ${VARDIR}/firewall ]; then
 	if $iptables_save | iptablesbug > ${VARDIR}/restore-$$; then
-	    cp -f ${VARDIR}/firewall $RESTOREPATH
-	    mv -f ${VARDIR}/restore-$$ ${RESTOREPATH}-iptables
-	    chmod +x $RESTOREPATH
-	    echo "   Currently-running Configuration Saved to $RESTOREPATH"
+	    cp -f ${VARDIR}/firewall $g_restorepath
+	    mv -f ${VARDIR}/restore-$$ ${g_restorepath}-iptables
+	    chmod +x $g_restorepath
+	    echo "   Currently-running Configuration Saved to $g_restorepath"
 	    run_user_exit save
 	else
 	    rm -f ${VARDIR}/restore-$$
@@ -317,7 +318,7 @@ do_save() {
                    #
                    # Don't save an 'empty' file
                    #
-		    grep -q '^-N' ${VARDIR}/ipsets.tmp && mv -f ${VARDIR}/ipsets.tmp ${RESTOREPATH}-ipsets
+		    grep -q '^-N' ${VARDIR}/ipsets.tmp && mv -f ${VARDIR}/ipsets.tmp ${g_restorepath}-ipsets
 		fi
 	    fi
 	    ;;
@@ -343,8 +344,8 @@ save_config() {
    if shorewall_is_started ; then
 	[ -d ${VARDIR} ] || mkdir -p ${VARDIR}

-	if [ -f $RESTOREPATH -a ! -x $RESTOREPATH ]; then
-	    echo "   ERROR: $RESTOREPATH exists and is not a saved $PRODUCT configuration" >&2
+	if [ -f $g_restorepath -a ! -x $g_restorepath ]; then
+	    echo "   ERROR: $g_restorepath exists and is not a saved $g_product configuration" >&2
 	else
 	    case $RESTOREFILE in
 		capabilities|chains|default_route|firewall|firewall.conf|nat|proxyarp|restarted|rt_tables|save|state|undo_routing|zones)
@@ -440,7 +441,7 @@ show_command() {
 	    if [ ${#macro} -gt 10 ]; then
 		echo "   $macro  ${foo#\#}"
 	    else
-		$ECHO_E "   $macro  \t${foo#\#}"
+		$g_echo_e "   $macro  \t${foo#\#}"
 	    fi
 	fi
    }
@@ -458,19 +459,19 @@ show_command() {
 			    option=
 			    ;;
 			v*)
-			    VERBOSE=$(($VERBOSE + 1 ))
+			    VERBOSITY=$(($VERBOSITY + 1 ))
 			    option=${option#v}
 			    ;;
 			x*)
-			    IPT_OPTIONS="-xnv"
+			    g_ipt_options="-xnv"
 			    option=${option#x}
 			    ;;
 			m*)
-			    SHOWMACS=Yes
+			    g_showmacs=Yes
 			    option=${option#m}
 			    ;;
 			f*)
-			    FILEMODE=Yes
+			    g_filemode=Yes
 			    option=${option#f}
 			    ;;
 			t)
@@ -490,7 +491,7 @@ show_command() {
 			    shift
 			    ;;
 			l*)
-			    IPT_OPTIONS1="--line-numbers"
+			    g_ipt_options1="--line-numbers"
 			    option=${option#l}
 			    ;;
 			*)
@@ -506,64 +507,64 @@ show_command() {
 	esac
    done

-    IPT_OPTIONS="$IPT_OPTIONS $IPT_OPTIONS1"
+    g_ipt_options="$g_ipt_options $g_ipt_options1"

-    [ -n "$debugging" ] && set -x
+    [ -n "$g_debugging" ] && set -x
    case "$1" in
 	connections)
 	    [ $# -gt 1 ] && usage 1
 	    local count=$(cat /proc/sys/net/netfilter/nf_conntrack_count)
 	    local max=$(cat /proc/sys/net/netfilter/nf_conntrack_max)
-	    echo "$PRODUCT $version Connections ($count out of $max) at $HOSTNAME - $(date)"
+	    echo "$g_product $SHOREWALL_VERSION Connections ($count out of $max) at $g_hostname - $(date)"
 	    echo
 	    [ -f /proc/net/ip_conntrack ] && cat /proc/net/ip_conntrack || grep -v '^ipv6' /proc/net/nf_conntrack
 	    ;;
 	nat)
 	    [ $# -gt 1 ] && usage 1
-	    echo "$PRODUCT $version NAT Table at $HOSTNAME - $(date)"
+	    echo "$g_product $SHOREWALL_VERSION NAT Table at $g_hostname - $(date)"
 	    echo
 	    show_reset
-	    $IPTABLES -t nat -L $IPT_OPTIONS
+	    $IPTABLES -t nat -L $g_ipt_options
 	    ;;
 	raw)
 	    [ $# -gt 1 ] && usage 1
-	    echo "$PRODUCT $version RAW Table at $HOSTNAME - $(date)"
+	    echo "$g_product $SHOREWALL_VERSION RAW Table at $g_hostname - $(date)"
 	    echo
 	    show_reset
-	    $IPTABLES -t raw -L $IPT_OPTIONS
+	    $IPTABLES -t raw -L $g_ipt_options
 	    ;;
 	tos|mangle)
 	    [ $# -gt 1 ] && usage 1
-	    echo "$PRODUCT $version Mangle Table at $HOSTNAME - $(date)"
+	    echo "$g_product $SHOREWALL_VERSION Mangle Table at $g_hostname - $(date)"
 	    echo
 	    show_reset
-	    $IPTABLES -t mangle -L $IPT_OPTIONS
+	    $IPTABLES -t mangle -L $g_ipt_options
 	    ;;
 	log)
 	    [ $# -gt 1 ] && usage 1
-	    echo "$PRODUCT $version Log ($LOGFILE) at $HOSTNAME - $(date)"
+	    echo "$g_product $SHOREWALL_VERSION Log ($LOGFILE) at $g_hostname - $(date)"
 	    echo
 	    show_reset
-	    host=$(echo $HOSTNAME | sed 's/\..*$//')
+	    host=$(echo $g_hostname | sed 's/\..*$//')
 	    packet_log 20
 	    ;;
 	tc)
 	    [ $# -gt 2 ] && usage 1
-	    echo "$PRODUCT $version Traffic Control at $HOSTNAME - $(date)"
+	    echo "$g_product $SHOREWALL_VERSION Traffic Control at $g_hostname - $(date)"
 	    echo
 	    shift
 	    show_tc $1
 	    ;;
 	classifiers|filters)
 	    [ $# -gt 1 ] && usage 1
-	    echo "$PRODUCT $version Classifiers at $HOSTNAME - $(date)"
+	    echo "$g_product $SHOREWALL_VERSION Classifiers at $g_hostname - $(date)"
 	    echo
 	    show_classifiers
 	    ;;
 	zones)
 	    [ $# -gt 1 ] && usage 1
 	    if [ -f ${VARDIR}/zones ]; then
-		echo "$PRODUCT $version Zones at $HOSTNAME - $(date)"
+		echo "$g_product $SHOREWALL_VERSION Zones at $g_hostname - $(date)"
 		echo
 		while read zone type hosts; do
 		    echo "$zone ($type)"
@@ -587,8 +588,8 @@ show_command() {
 	capabilities)
 	    [ $# -gt 1 ] && usage 1
 	    determine_capabilities
-	    VERBOSE=2
-	    if [ -n "$FILEMODE" ]; then
+	    VERBOSITY=2
+	    if [ -n "$g_filemode" ]; then
 		report_capabilities1
 	    else
 		report_capabilities
@@ -596,13 +597,13 @@ show_command() {
 	    ;;
 	ip)
 	    [ $# -gt 1 ] && usage 1
-	    echo "$PRODUCT $version IP at $HOSTNAME - $(date)"
+	    echo "$g_product $SHOREWALL_VERSION IP at $g_hostname - $(date)"
 	    echo
 	    ip -4 addr list
 	    ;;
 	routing)
 	    [ $# -gt 1 ] && usage 1
-	    echo "$PRODUCT $version Routing at $HOSTNAME - $(date)"
+	    echo "$g_product $SHOREWALL_VERSION Routing at $g_hostname - $(date)"
 	    echo
 	    show_routing
 	    ;;
@@ -613,16 +614,16 @@ show_command() {
 	    ;;
 	chain)
 	    shift
-	    echo "$PRODUCT $version $([ $# -gt 1 ] && echo "Chains " || [ $# -gt 0 ] && echo "Chain " || echo $table Table)$* at $HOSTNAME - $(date)"
+	    echo "$g_product $SHOREWALL_VERSION $([ $# -gt 1 ] && echo "Chains " || [ $# -gt 0 ] && echo "Chain " || echo $table Table)$* at $g_hostname - $(date)"
 	    echo
 	    show_reset
 	    if [ $# -gt 0 ]; then
 		for chain in $*; do
-		    $IPTABLES -t $table -L $chain $IPT_OPTIONS
+		    $IPTABLES -t $table -L $chain $g_ipt_options
 		    echo
 		done
 	    else
-		$IPTABLES -t $table -L $IPT_OPTIONS
+		$IPTABLES -t $table -L $g_ipt_options
 	    fi
 	    ;;
 	vardir)
@@ -630,12 +631,12 @@ show_command() {
 	    ;;
 	policies)
 	    [ $# -gt 1 ] && usage 1
-	    echo "$PRODUCT $version Policies at $HOSTNAME - $(date)"
+	    echo "$g_product $SHOREWALL_VERSION Policies at $g_hostname - $(date)"
 	    echo
 	    [ -f ${VARDIR}/policies ] && cat ${VARDIR}/policies;
 	    ;;
 	*)
-	    if [ "$PRODUCT" = Shorewall ]; then
+	    if [ "$g_product" = Shorewall ]; then
 		case $1 in
 		    actions)
 			[ $# -gt 1 ] && usage 1
@@ -665,7 +666,7 @@ show_command() {
 			[ $# -ne 2 ] && usage 1
 			for directory in $(split $CONFIG_PATH); do
 			    if [ -f ${directory}/macro.$2 ]; then
-				echo "Shorewall $version Macro $2 at $HOSTNAME - $(date)"
+				echo "Shorewall $SHOREWALL_VERSION Macro $2 at $g_hostname - $(date)"
 				cat ${directory}/macro.$2
 				return
 			    fi
@@ -704,29 +705,29 @@ show_command() {
 		if [ $1 = dynamic -a $# -gt 1 ]; then
 		    shift
 		    [ $# -eq 1 ] || usage 1
-		    list_zone $2
+		    list_zone $1
 		    return;
                fi

 		[ -n "$table_given" ] || for chain in $*; do
-		    if ! qt $IPTABLES -t $table -L $chain $IPT_OPTIONS; then
-			echo "usage $(basename $0) show [ -x ] [ -m ] [-f] [ -t {filter|mangle|nat} ] [ {chain [<chain> [ <chain> ... ]|actions|capabilities|classifiers|config|connections|dynamic <zone>|filters|ip|log|macros|mangle|nat|routing|tc|zones} ] " >&2
+		    if ! qt $IPTABLES -t $table -L $chain $g_ipt_options; then
+			error_message "ERROR: Chain '$chain' is not recognized by $IPTABLES."
 			exit 1
 		    fi
 		done
 		
-		echo "$PRODUCT $version $([ $# -gt 1 ] && echo "Chains " || echo "Chain ")$* at $HOSTNAME - $(date)"
+		echo "$g_product $SHOREWALL_VERSION $([ $# -gt 1 ] && echo "Chains " || echo "Chain ")$* at $g_hostname - $(date)"
 		echo
 		show_reset
 		for chain in $*; do
-		    $IPTABLES -t $table -L $chain $IPT_OPTIONS
+		    $IPTABLES -t $table -L $chain $g_ipt_options
 		    echo
 		done
 	    else
-		echo "$PRODUCT $version $table Table at $HOSTNAME - $(date)"
+		echo "$g_product $SHOREWALL_VERSION $table Table at $g_hostname - $(date)"
 		echo
 		show_reset
-		$IPTABLES -t $table -L $IPT_OPTIONS
+		$IPTABLES -t $table -L $g_ipt_options
 	    fi
 	    ;;
    esac
@@ -752,15 +753,15 @@ dump_command() {
 			    option=
 			    ;;
 			x*)
-			    IPT_OPTIONS="-xnv"
+			    g_ipt_options="-xnv"
 			    option=${option#x}
 			    ;;
 			m*)
-			    SHOWMACS=Yes
+			    g_showmacs=Yes
 			    option=${option#m}
 			    ;;
 			l*)
-			    IPT_OPTIONS1="--line-numbers"
+			    g_ipt_options1="--line-numbers"
 			    option=${option#l}
 			    ;;
 			*)
@@ -776,31 +777,37 @@ dump_command() {
 	esac
    done

-    IPT_OPTIONS="$IPT_OPTIONS $IPT_OPTIONS1"
+    g_ipt_options="$g_ipt_options $g_ipt_options1"

-    [ $VERBOSE -lt 2 ] && VERBOSE=2
+    [ $VERBOSITY -lt 2 ] && VERBOSITY=2

-    [ -n "$debugging" ] && set -x
+    [ -n "$g_debugging" ] && set -x
    [ $# -eq 0 ] || usage 1
    clear_term
-    echo "$PRODUCT $version Dump at $HOSTNAME - $(date)"
+    echo "$g_product $SHOREWALL_VERSION Dump at $g_hostname - $(date)"
    echo
    
    show_reset
-    host=$(echo $HOSTNAME | sed 's/\..*$//')
-    $IPTABLES -L $IPT_OPTIONS
+    host=$(echo $g_hostname | sed 's/\..*$//')
+    $IPTABLES -L $g_ipt_options

    heading "Log ($LOGFILE)"
    packet_log 20

-    heading "NAT Table"
-    $IPTABLES -t nat -L $IPT_OPTIONS
+    if qt $IPTABLES -t nat -L -n; then
+	heading "NAT Table"
+	$IPTABLES -t nat -L $g_ipt_options
+    fi

-    heading "Mangle Table"
-    $IPTABLES -t mangle -L $IPT_OPTIONS
+    if qt $IPTABLES -t mangle -L -n; then
+	heading "Mangle Table"
+	$IPTABLES -t mangle -L $g_ipt_options
+    fi

-    heading "Raw Table"
-    $IPTABLES -t raw -L $IPT_OPTIONS
+    if qt $IPTABLES -t raw -L -n; then
+	heading "Raw Table"
+	$IPTABLES -t raw -L $g_ipt_options
+    fi

    local count=$(cat /proc/sys/net/netfilter/nf_conntrack_count)
    local max=$(cat /proc/sys/net/netfilter/nf_conntrack_max)
@@ -882,7 +889,7 @@ restore_command() {
 			    option=
 			    ;;
 			n*)
-			    NOROUTES=Yes
+			    g_noroutes=Yes
 			    option=${option#n}
 			    ;;
 			*)
@@ -915,20 +922,18 @@ restore_command() {
 	exit 2
    fi

-    RESTOREPATH=${VARDIR}/$RESTOREFILE
-
-    export NOROUTES
+    g_restorepath=${VARDIR}/$RESTOREFILE

    [ -n "$nolock" ] || mutex_on

-    if [ -x $RESTOREPATH ]; then
+    if [ -x $g_restorepath ]; then
 	progress_message3 "Restoring Shorewall..."

-	$SHOREWALL_SHELL $RESTOREPATH restore && progress_message3 "$PRODUCT restored from ${VARDIR}/$RESTOREFILE"
+	run_it $g_restorepath restore && progress_message3 "$g_product restored from ${VARDIR}/$RESTOREFILE"

 	[ -n "$nolock" ] || mutex_off
    else
-	echo "File $RESTOREPATH: file not found"
+	echo "File $g_restorepath: file not found"
 	[ -n "$nolock" ] || mutex_off
 	exit 2
    fi
@@ -986,20 +991,20 @@ heading() {
 #
 make_verbose() {
    local v
-    v=$VERBOSE_OFFSET
+    v=$g_verbose_offset
    local option
    option=-

-    if [ -n "$USE_VERBOSITY" ]; then
-	echo "-v$USE_VERBOSITY"
-    elif [ $VERBOSE_OFFSET -gt 0 ]; then
+    if [ -n "$g_use_verbosity" ]; then
+	echo "-v$g_use_verbosity"
+    elif [ $g_verbose_offset -gt 0 ]; then
 	while [ $v -gt 0 ]; do
 	    option="${option}v"
 	    v=$(($v - 1))
 	done

 	echo $option
-    elif [ $VERBOSE_OFFSET -lt 0 ]; then
+    elif [ $g_verbose_offset -lt 0 ]; then
 	while [ $v -lt 0 ]; do
 	    option="${option}q"
 	    v=$(($v + 1))
@@ -1020,7 +1025,7 @@ block() # $1 = command, $2 = Finished, $3 - $n addresses
    finished=$2

    if ! chain_exists dynamic; then
-	echo "Dynamic blacklisting is not enabled in the current $PRODUCT configuration" >&2
+	echo "Dynamic blacklisting is not enabled in the current $g_product configuration" >&2
 	[ -n "$nolock" ] || mutex_off
 	exit 2
    fi
@@ -1068,12 +1073,6 @@ separate_list() {
 	    # There's been whining about us not catching embedded white space in
 	    # comma-separated lists. This is an attempt to snag some of the cases.
 	    #
-	    # The 'TERMINATOR' function will be set by the 'firewall' script to
-	    # either 'startup_error' or 'fatal_error' depending on the command and
-	    # command phase
-	    #
-            [ -n "$TERMINATOR" ] && \
-		$TERMINATOR "Invalid comma-separated list \"$@\""
            echo "WARNING -- invalid comma-separated list \"$@\"" >&2
 	    ;;
 	*\[*\]*)
@@ -1282,15 +1281,15 @@ hits_command() {
    [ $# -eq 0 ] || usage 1

    clear_term
-    echo "$PRODUCT $version Hits at $HOSTNAME - $(date)"
+    echo "$g_product $SHOREWALL_VERSION Hits at $g_hostname - $(date)"
    echo

    timeout=30

-    if $LOGREAD | grep -q "${today}IN=.* OUT=" ; then
+    if $g_logread | grep -q "${today}IN=.* OUT=" ; then
 	echo "   HITS IP	        DATE"
 	echo "   ---- --------------- ------"
-	$LOGREAD | grep "${today}IN=.* OUT=" | sed 's/\(.\{6\}\)\(.*SRC=\)\(.*\)\( DST=.*\)/\3	\1/' | sort | uniq -c | sort -rn | while read count address month day; do
+	$g_logread | grep "${today}IN=.* OUT=" | sed 's/\(.\{6\}\)\(.*SRC=\)\(.*\)\( DST=.*\)/\3	\1/' | sort | uniq -c | sort -rn | while read count address month day; do
 	    printf '%7d %-15s %3s %2d\n' $count $address $month $day
 	done

@@ -1298,7 +1297,7 @@ hits_command() {

 	echo "   HITS IP	        PORT"
 	echo "   ---- --------------- -----"
-	$LOGREAD | grep  "${today}IN=.* OUT=" | sed 's/\(.*SRC=\)\(.*\)\( DST=.*DPT=\)\([0-9]\{1,5\}\)\(.*\)/\2	\4/
+	$g_logread | grep  "${today}IN=.* OUT=" | sed 's/\(.*SRC=\)\(.*\)\( DST=.*DPT=\)\([0-9]\{1,5\}\)\(.*\)/\2	\4/
 						t
 						s/\(.*SRC=\)\(.*\)\( DST=.*\)/\2/' | sort | uniq -c | sort -rn | while read count address port; do
 	    printf '%7d %-15s %d\n' $count $address $port
@@ -1308,7 +1307,7 @@ hits_command() {

 	echo "   HITS DATE"
 	echo "   ---- ------"
-	$LOGREAD | grep  "${today}IN=.* OUT=" | sed 's/\(.\{6\}\)\(.*\)/\1/' | sort | uniq -c | sort -rn | while read count month day; do
+	$g_logread | grep  "${today}IN=.* OUT=" | sed 's/\(.\{6\}\)\(.*\)/\1/' | sort | uniq -c | sort -rn | while read count month day; do
 	    printf '%7d %3s %2d\n' $count $month $day
 	done

@@ -1316,7 +1315,7 @@ hits_command() {

 	echo "   HITS  PORT SERVICE(S)"
 	echo "   ---- ----- ----------"
-	$LOGREAD | grep "${today}IN=.* OUT=.*DPT" | sed 's/\(.*DPT=\)\([0-9]\{1,5\}\)\(.*\)/\2/' | sort | uniq -c | sort -rn | while read count port ; do
+	$g_logread | grep "${today}IN=.* OUT=.*DPT" | sed 's/\(.*DPT=\)\([0-9]\{1,5\}\)\(.*\)/\2/' | sort | uniq -c | sort -rn | while read count port ; do
 	    # List all services defined for the given port
 	    srv=$(grep "^[^#].*\\b$port/" /etc/services | cut -f 1 | cut -f 1 -d' ' | sort -u)
 	    srv=$(echo $srv | sed 's/ /,/g')
@@ -1334,11 +1333,11 @@ hits_command() {
 # 'allow' command executor
 #
 allow_command() {
-    [ -n "$debugging" ] && set -x
+    [ -n "$g_debugging" ] && set -x
    [ $# -eq 1 ] && usage 1
    if shorewall_is_started ; then
 	if ! chain_exists dynamic; then
-	    echo "Dynamic blacklisting is not enabled in the current $PRODUCT configuration" >&2
+	    echo "Dynamic blacklisting is not enabled in the current $g_product configuration" >&2
 	    exit 2
 	fi

@@ -1372,7 +1371,7 @@ allow_command() {
 	done
 	[ -n "$nolock" ] || mutex_off
    else
-	error_message "ERROR: $PRODUCT is not started"
+	error_message "ERROR: $g_product is not started"
 	exit 2
    fi
 }
@@ -1396,15 +1395,15 @@ logwatch_command() {
 		while [ -n "$option" ]; do
 		    case $option in
 			v*)
-			    VERBOSE=$(($VERBOSE + 1 ))
+			    VERBOSITY=$(($VERBOSITY + 1 ))
 			    option=${option#v}
 			    ;;
 			q*)
-			    VERBOSE=$(($VERBOSE - 1 ))
+			    VERBOSITY=$(($VERBOSITY - 1 ))
 			    option=${option#q}
 			    ;;
 			m*)
-			    SHOWMACS=Yes
+			    g_showmacs=Yes
 			    option=${option#m}
 			    ;;
 			-)
@@ -1424,7 +1423,7 @@ logwatch_command() {
 	esac
    done
    
-    [ -n "$debugging" ] && set -x
+    [ -n "$g_debugging" ] && set -x

    if [ $# -eq 1 ]; then
 	logwatch $1
@@ -1434,3 +1433,338 @@ logwatch_command() {
 	usage 1
    fi
 }
+
+#
+# Determine which optional facilities are supported by iptables/netfilter
+#
+determine_capabilities() {
+    [ -n "$IPTABLES" ] || IPTABLES=$(mywhich iptables)
+
+    if [ -z "$IPTABLES" ]; then
+	echo "   ERROR: No executable iptables binary can be found on your PATH" >&2
+	exit 1
+    fi
+
+    [ "$TC" = tc -o -z "$TC" ] && TC=$(which tc)
+
+    [ -n "$TC" -a -x "$TC" ] || TC=
+
+    qt $IPTABLES -t nat    -L -n && NAT_ENABLED=Yes    || NAT_ENABLED=
+    qt $IPTABLES -t mangle -L -n && MANGLE_ENABLED=Yes || MANGLE_ENABLED=
+
+    CONNTRACK_MATCH=
+    NEW_CONNTRACK_MATCH=
+    OLD_CONNTRACK_MATCH=
+    MULTIPORT=
+    XMULTIPORT=
+    POLICY_MATCH=
+    PHYSDEV_MATCH=
+    PHYSDEV_BRIDGE=
+    IPRANGE_MATCH=
+    RECENT_MATCH=
+    OWNER_MATCH=
+    IPSET_MATCH=
+    CONNMARK=
+    XCONNMARK=
+    CONNMARK_MATCH=
+    XCONNMARK_MATCH=
+    RAW_TABLE=
+    IPP2P_MATCH=
+    OLD_IPP2P_MATCH=
+    LENGTH_MATCH=
+    CLASSIFY_TARGET=
+    ENHANCED_REJECT=
+    USEPKTTYPE=
+    KLUDGEFREE=
+    MARK=
+    XMARK=
+    EXMARK=
+    TPROXY_TARGET=
+    MANGLE_FORWARD=
+    COMMENTS=
+    ADDRTYPE=
+    TCPMSS_MATCH=
+    HASHLIMIT_MATCH=
+    NFQUEUE_TARGET=
+    REALM_MATCH=
+    HELPER_MATCH=
+    CONNLIMIT_MATCH=
+    TIME_MATCH=
+    GOTO_TARGET=
+    LOGMARK_TARGET=
+    IPMARK_TARGET=
+    LOG_TARGET=Yes
+    PERSISTENT_SNAT=
+    FLOW_FILTER=
+
+    chain=fooX$$
+
+    if [ -n "$NAT_ENABLED" ]; then
+	if qt $IPTABLES -t nat -N $chain; then
+	    qt $IPTABLES -t nat -A $chain -j SNAT --to-source 1.2.3.4 --persistent && PERSISTENT_SNAT=Yes
+	    qt $IPTABLES -t nat -F $chain
+	    qt $IPTABLES -t nat -X $chain
+	fi
+    fi
+
+    qt $IPTABLES -F $chain
+    qt $IPTABLES -X $chain
+    if ! $IPTABLES -N $chain; then
+	echo "   ERROR: The command \"$IPTABLES -N $chain\" failed" >&2
+	exit 1
+    fi
+
+    chain1=${chain}1
+
+    qt $IPTABLES -F $chain1
+    qt $IPTABLES -X $chain1
+    if ! $IPTABLES -N $chain1; then
+	echo "   ERROR: The command \"$IPTABLES -N $chain1\" failed" >&2
+	exit 1
+    fi
+
+    if ! qt $IPTABLES -A $chain -m state --state ESTABLISHED,RELATED -j ACCEPT; then
+	echo "   ERROR: Your kernel lacks connection tracking and/or state matching -- Shorewall will not run on this system" >&2
+	exit 1
+    fi
+
+    qt $IPTABLES -A $chain -m conntrack --ctorigdst 192.168.1.1 -j ACCEPT && CONNTRACK_MATCH=Yes
+
+    if [ -n "$CONNTRACK_MATCH" ]; then
+	qt $IPTABLES -A $chain -m conntrack -p tcp --ctorigdstport 22 -j ACCEPT && NEW_CONNTRACK_MATCH=Yes
+	qt $IPTABLES -A $chain -m conntrack ! --ctorigdst 1.2.3.4 || OLD_CONNTRACK_MATCH=Yes
+    fi
+
+    if qt $IPTABLES -A $chain -p tcp -m multiport --dports 21,22 -j ACCEPT; then
+	MULTIPORT=Yes
+	qt $IPTABLES -A $chain -p tcp -m multiport --sports 60 -m multiport --dports 99 -j ACCEPT && KLUDEFREE=Yes
+    fi
+
+    qt $IPTABLES -A $chain -p tcp -m multiport --dports 21:22 -j ACCEPT           && XMULTIPORT=Yes
+    qt $IPTABLES -A $chain -m policy --pol ipsec --mode tunnel --dir in -j ACCEPT && POLICY_MATCH=Yes
+
+    if qt $IPTABLES -A $chain -m physdev --physdev-out eth0 -j ACCEPT; then
+	PHYSDEV_MATCH=Yes
+	qt $IPTABLES -A $chain -m physdev --physdev-is-bridged --physdev-in eth0 --physdev-out eth0 -j ACCEPT && PHYSDEV_BRIDGE=Yes
+	if [ -z "${KLUDGEFREE}" ]; then
+	    qt $IPTABLES -A $chain -m physdev --physdev-in eth0 -m physdev --physdev-out eth0 -j ACCEPT && KLUDGEFREE=Yes
+	fi
+    fi
+
+    if qt $IPTABLES -A $chain -m iprange --src-range 192.168.1.5-192.168.1.124 -j ACCEPT; then
+	IPRANGE_MATCH=Yes
+	if [ -z "${KLUDGEFREE}" ]; then
+	    qt $IPTABLES -A $chain -m iprange --src-range 192.168.1.5-192.168.1.124 -m iprange --dst-range 192.168.1.5-192.168.1.124 -j ACCEPT && KLUDGEFREE=Yes
+	fi
+    fi
+
+    qt $IPTABLES -A $chain -m recent --update -j ACCEPT     && RECENT_MATCH=Yes
+    qt $IPTABLES -A $chain -m owner --uid-owner 0 -j ACCEPT && OWNER_MATCH=Yes
+
+    if qt $IPTABLES -A $chain -m connmark --mark 2  -j ACCEPT; then
+	CONNMARK_MATCH=Yes
+	qt $IPTABLES -A $chain -m connmark --mark 2/0xFF -j ACCEPT && XCONNMARK_MATCH=Yes
+    fi
+
+    qt $IPTABLES -A $chain -p tcp -m ipp2p --edk -j ACCEPT       && IPP2P_MATCH=Yes
+    if [ -n "$IPP2P_MATCH" ]; then
+	qt $IPTABLES -A $chain -p tcp -m ipp2p --ipp2p -j ACCEPT && OLD_IPP2P_MATCH=Yes
+    fi
+
+    qt $IPTABLES -A $chain -m length --length 10:20 -j ACCEPT           && LENGTH_MATCH=Yes
+    qt $IPTABLES -A $chain -j REJECT --reject-with icmp-host-prohibited && ENHANCED_REJECT=Yes
+
+    qt $IPTABLES -A $chain -j ACCEPT -m comment --comment "This is a comment" && COMMENTS=Yes
+
+    if [ -n "$MANGLE_ENABLED" ]; then
+	qt $IPTABLES -t mangle -N $chain
+
+	if qt $IPTABLES -t mangle -A $chain -j MARK --set-mark 1; then
+	    MARK=Yes
+	    qt $IPTABLES -t mangle -A $chain -j MARK --and-mark 0xFF && XMARK=Yes
+	    qt $IPTABLES -t mangle -A $chain -j MARK --set-mark 1/0xFF && EXMARK=Yes
+	fi
+
+	if qt $IPTABLES -t mangle -A $chain -j CONNMARK --save-mark; then
+	    CONNMARK=Yes
+	    qt $IPTABLES -t mangle -A $chain -j CONNMARK --save-mark --mask 0xFF && XCONNMARK=Yes
+	fi
+
+	qt $IPTABLES -t mangle -A $chain -j CLASSIFY --set-class 1:1 && CLASSIFY_TARGET=Yes
+	qt $IPTABLES -t mangle -A $chain -j IPMARK --addr src && IPMARK_TARGET=Yes
+	qt $IPTABLES -t mangle -A $chain -p tcp -j TPROXY --on-port 0 --tproxy-mark 1 && TPROXY_TARGET=Yes
+	qt $IPTABLES -t mangle -F $chain
+	qt $IPTABLES -t mangle -X $chain
+	qt $IPTABLES -t mangle -L FORWARD -n && MANGLE_FORWARD=Yes
+    fi
+
+    qt $IPTABLES -t raw	   -L -n && RAW_TABLE=Yes
+
+    if qt mywhich ipset; then
+	qt ipset -X $chain # Just in case something went wrong the last time
+
+	if qt ipset -N $chain iphash ; then
+	    if qt $IPTABLES -A $chain -m set --set $chain src -j ACCEPT; then
+		qt $IPTABLES -D $chain -m set --set $chain src -j ACCEPT
+		IPSET_MATCH=Yes
+	    fi
+	    qt ipset -X $chain
+	fi
+    fi
+
+    qt $IPTABLES -A $chain -m pkttype --pkt-type broadcast -j ACCEPT && USEPKTTYPE=Yes
+    qt $IPTABLES -A $chain -m addrtype --src-type BROADCAST -j ACCEPT && ADDRTYPE=Yes
+    qt $IPTABLES -A $chain -p tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1000:1500 -j ACCEPT && TCPMSS_MATCH=Yes
+    qt $IPTABLES -A $chain -m hashlimit --hashlimit-upto 4 --hashlimit-burst 5 --hashlimit-name $chain --hashlimit-mode dstip -j ACCEPT && HASHLIMIT_MATCH=Yes
+    if [ -z "$HASHLIMIT_MATCH" ]; then
+	qt $IPTABLES -A $chain -m hashlimit --hashlimit 4 --hashlimit-burst 5 --hashlimit-name $chain --hashlimit-mode dstip -j ACCEPT && OLD_HL_MATCH=Yes
+	HASHLIMIT_MATCH=$OLD_HL_MATCH
+    fi	
+    qt $IPTABLES -A $chain -j NFQUEUE --queue-num 4 && NFQUEUE_TARGET=Yes
+    qt $IPTABLES -A $chain -m realm --realm 4 && REALM_MATCH=Yes
+    qt $IPTABLES -A $chain -m helper --helper "ftp" && HELPER_MATCH=Yes
+    qt $IPTABLES -A $chain -m connlimit --connlimit-above 8 -j DROP && CONNLIMIT_MATCH=Yes
+    qt $IPTABLES -A $chain -m time --timestart 23:00 -j DROP && TIME_MATCH=Yes
+    qt $IPTABLES -A $chain -g $chain1 && GOTO_TARGET=Yes
+    qt $IPTABLES -A $chain -j LOGMARK && LOGMARK_TARGET=Yes
+    qt $IPTABLES -A $chain -j LOG || LOG_TARGET=
+
+    qt $IPTABLES -F $chain
+    qt $IPTABLES -X $chain
+    qt $IPTABLES -F $chain1
+    qt $IPTABLES -X $chain1
+
+    [ -n "$TC" ] && $TC filter add flow help 2>&1 | grep -q ^Usage && FLOW_FILTER=Yes
+
+    CAPVERSION=$SHOREWALL_CAPVERSION
+    KERNELVERSION=$(printf "%d%02d%02d" $(uname -r 2> /dev/null | sed -e 's/-.*//' -e 's/^\([0-9][0-9]*\)\.\([0-9][0-9]*\)\.\([0-9][0-9]*\).*$/\1 \2 \3/g'))
+}
+
+report_capabilities() {
+    report_capability() # $1 = Capability Description , $2 Capability Setting (if any)
+    {
+	local setting
+	setting=
+
+	[ "x$2" = "xYes" ] && setting="Available" || setting="Not available"
+
+	echo "  " $1: $setting
+    }
+
+    if [ $VERBOSITY -gt 1 ]; then
+	echo "Shorewall has detected the following iptables/netfilter capabilities:"
+	report_capability "NAT" $NAT_ENABLED
+	report_capability "Packet Mangling" $MANGLE_ENABLED
+	report_capability "Multi-port Match" $MULTIPORT
+	[ -n "$MULTIPORT" ] && report_capability "Extended Multi-port Match" $XMULTIPORT
+	report_capability "Connection Tracking Match" $CONNTRACK_MATCH
+	if [ -n "$CONNTRACK_MATCH" ]; then
+	    report_capability "Extended Connection Tracking Match Support" $NEW_CONNTRACK_MATCH
+	    [ -n "$OLD_CONNTRACK_MATCH" ] && report_capability "Old Connection Tracking Match Syntax" $OLD_CONNTRACK_MATCH
+	fi
+	report_capability "Packet Type Match" $USEPKTTYPE
+	report_capability "Policy Match" $POLICY_MATCH
+	report_capability "Physdev Match" $PHYSDEV_MATCH
+	report_capability "Physdev-is-bridged Support" $PHYSDEV_BRIDGE
+	report_capability "Packet length Match" $LENGTH_MATCH
+	report_capability "IP range Match" $IPRANGE_MATCH
+	report_capability "Recent Match" $RECENT_MATCH
+	report_capability "Owner Match" $OWNER_MATCH
+	report_capability "Ipset Match" $IPSET_MATCH
+	report_capability "CONNMARK Target" $CONNMARK
+	[ -n "$CONNMARK" ] && report_capability "Extended CONNMARK Target" $XCONNMARK
+	report_capability "Connmark Match" $CONNMARK_MATCH
+	[ -n "$CONNMARK_MATCH" ] && report_capability "Extended Connmark Match" $XCONNMARK_MATCH
+	report_capability "Raw Table" $RAW_TABLE
+	report_capability "IPP2P Match" $IPP2P_MATCH
+	[ -n "$OLD_IPP2P_MATCH" ] && report_capability "Old IPP2P Match Syntax" $OLD_IPP2P_MATCH
+	report_capability "CLASSIFY Target" $CLASSIFY_TARGET
+	report_capability "Extended REJECT" $ENHANCED_REJECT
+	report_capability "Repeat match" $KLUDGEFREE
+	report_capability "MARK Target" $MARK
+	[ -n "$MARK" ] && report_capability "Extended MARK Target" $XMARK
+	[ -n "$XMARK" ] && report_capability "Extended MARK Target 2" $EXMARK
+	report_capability "Mangle FORWARD Chain" $MANGLE_FORWARD
+	report_capability "Comments" $COMMENTS
+	report_capability "Address Type Match" $ADDRTYPE
+	report_capability "TCPMSS Match" $TCPMSS_MATCH
+	report_capability "Hashlimit Match" $HASHLIMIT_MATCH
+	[ -n "$OLD_HL_MATCH" ] && report_capability "Old Hashlimit Match" $OLD_HL_MATCH
+	report_capability "NFQUEUE Target" $NFQUEUE_TARGET
+	report_capability "Realm Match" $REALM_MATCH
+	report_capability "Helper Match" $HELPER_MATCH
+	report_capability "Connlimit Match" $CONNLIMIT_MATCH
+	report_capability "Time Match" $TIME_MATCH
+	report_capability "Goto Support" $GOTO_TARGET
+	report_capability "LOGMARK Target" $LOGMARK_TARGET
+	report_capability "IPMARK Target" $IPMARK_TARGET
+	report_capability "LOG Target" $LOG_TARGET
+	report_capability "Persistent SNAT" $PERSISTENT_SNAT
+	report_capability "TPROXY Target" $TPROXY_TARGET
+	report_capability "FLOW Classifier" $FLOW_FILTER
+    fi
+
+    [ -n "$PKTTYPE" ] || USEPKTTYPE=
+
+}
+
+report_capabilities1() {
+    report_capability1() # $1 = Capability
+    {
+	eval echo $1=\$$1
+    }
+
+    echo "#"
+    echo "# Shorewall $SHOREWALL_VERSION detected the following iptables/netfilter capabilities - $(date)"
+    echo "#"
+    report_capability1 NAT_ENABLED
+    report_capability1 MANGLE_ENABLED
+    report_capability1 MULTIPORT
+    report_capability1 XMULTIPORT
+    report_capability1 CONNTRACK_MATCH
+    report_capability1 NEW_CONNTRACK_MATCH
+    report_capability1 OLD_CONNTRACK_MATCH
+    report_capability1 USEPKTTYPE
+    report_capability1 POLICY_MATCH
+    report_capability1 PHYSDEV_MATCH
+    report_capability1 PHYSDEV_BRIDGE
+    report_capability1 LENGTH_MATCH
+    report_capability1 IPRANGE_MATCH
+    report_capability1 RECENT_MATCH
+    report_capability1 OWNER_MATCH
+    report_capability1 IPSET_MATCH
+    report_capability1 CONNMARK
+    report_capability1 XCONNMARK
+    report_capability1 CONNMARK_MATCH
+    report_capability1 XCONNMARK_MATCH
+    report_capability1 RAW_TABLE
+    report_capability1 IPP2P_MATCH
+    report_capability1 OLD_IPP2P_MATCH
+    report_capability1 CLASSIFY_TARGET
+    report_capability1 ENHANCED_REJECT
+    report_capability1 KLUDGEFREE
+    report_capability1 MARK
+    report_capability1 XMARK
+    report_capability1 EXMARK
+    report_capability1 MANGLE_FORWARD
+    report_capability1 COMMENTS
+    report_capability1 ADDRTYPE
+    report_capability1 TCPMSS_MATCH
+    report_capability1 HASHLIMIT_MATCH
+    report_capability1 OLD_HL_MATCH
+    report_capability1 NFQUEUE_TARGET
+    report_capability1 REALM_MATCH
+    report_capability1 HELPER_MATCH
+    report_capability1 CONNLIMIT_MATCH
+    report_capability1 TIME_MATCH
+    report_capability1 GOTO_TARGET
+    report_capability1 LOGMARK_TARGET
+    report_capability1 IPMARK_TARGET
+    report_capability1 LOG_TARGET
+    report_capability1 PERSISTENT_SNAT
+    report_capability1 TPROXY_TARGET
+    report_capability1 FLOW_FILTER
+    
+    echo CAPVERSION=$SHOREWALL_CAPVERSION
+    echo KERNELVERSION=$KERNELVERSION
+}
--- a/Shorewall/lib.common
+++ b/Shorewall/lib.common
@@ -0,0 +1,540 @@
+#!/bin/sh
+#
+# Shorewall 4.4 -- /usr/share/shorewall/lib.common.
+#
+#     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
+#
+#     (c) 2010 - Tom Eastep (teastep@shorewall.net)
+#
+#	Complete documentation is available at http://shorewall.net
+#
+#	This program is free software; you can redistribute it and/or modify
+#	it under the terms of Version 2 of the GNU General Public License
+#	as published by the Free Software Foundation.
+#
+#	This program is distributed in the hope that it will be useful,
+#	but WITHOUT ANY WARRANTY; without even the implied warranty of
+#	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+#	GNU General Public License for more details.
+#
+#	You should have received a copy of the GNU General Public License
+#	along with this program; if not, write to the Free Software
+#	Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# The purpose of this library is to hold those functions used by both the CLI and by the
+# generated firewall scripts. To avoid versioning issues, it is copied into generated
+# scripts rather than loaded at run-time.
+#
+
+#
+# Get the Shorewall version of the passed script
+#
+get_script_version() { # $1 = script
+    local temp
+    local version
+    local ifs
+    local digits
+
+    temp=$( $SHOREWALL_SHELL $1 version | sed 's/-.*//' )
+
+    if [ $? -ne 0 ]; then
+	version=0
+    else
+	ifs=$IFS
+	IFS=.
+	temp=$(echo $temp)
+	IFS=$ifs
+	digits=0
+	
+	for temp in $temp; do
+	    version=${version}$(printf '%02d' $temp)
+	    digits=$(($digits + 1))
+	    [ $digits -eq 3 ] && break
+	done
+    fi
+    
+    echo $version
+}
+ 
+#
+# Do required exports or create the required option string and run the passed script using
+# $SHOREWALL_SHELL
+#
+run_it() {
+    local script
+    local options
+    local version
+
+    export VARDIR
+	
+    script=$1
+    shift
+
+    version=$(get_script_version $script)
+
+    if [ $version -lt 040408 ]; then
+	#
+	# Old script that doesn't understand 4.4.8 script options
+	#
+	export RESTOREFILE
+	export VERBOSITY
+	export NOROUTES=$g_noroutes
+	export PURGE=$g_purge
+	export TIMESTAMP=$g_timestamp
+	export RECOVERING=$g_recovering
+ 
+	if [ "$g_product" != Shorewall ]; then
+	    #
+	    # Shorewall Lite
+	    #
+	    export LOGFORMAT
+	    export IPTABLES
+	fi
+    else
+	#
+	# 4.4.8 or later -- no additional exports required
+	#
+	options='-'
+
+	[ -n "$g_noroutes" ]   && options=${options}n
+	[ -n "$g_timestamp" ]  && options=${options}t
+	[ -n "$g_purge" ]      && options=${options}p
+	[ -n "$g_recovering" ] && options=${options}r
+
+	options="${options}V $VERBOSITY"
+
+	[ -n "$RESTOREFILE" ] && options="${options} -R $RESTOREFILE"
+    fi
+	
+    $SHOREWALL_SHELL $script $options $@
+}
+
+#
+# Message to stderr
+#
+error_message() # $* = Error Message
+{
+   echo "   $@" >&2
+}
+
+#
+# Split a colon-separated list into a space-separated list
+#
+split() {
+    local ifs
+    ifs=$IFS
+    IFS=:
+    echo $*
+    IFS=$ifs
+}
+
+#
+# Search a list looking for a match -- returns zero if a match found
+# 1 otherwise
+#
+list_search() # $1 = element to search for , $2-$n = list
+{
+    local e
+    e=$1
+
+    while [ $# -gt 1 ]; do
+	shift
+	[ "x$e" = "x$1" ] && return 0
+    done
+
+    return 1
+}
+
+#
+# Suppress all output for a command
+#
+qt()
+{
+    "$@" >/dev/null 2>&1
+}
+
+qt1()
+{
+    local status
+
+    while [ 1 ]; do
+	"$@" >/dev/null 2>&1
+	status=$?
+	[ $status -ne 4 ] && return $status
+    done
+}
+
+#
+# Determine if Shorewall is "running"
+#
+shorewall_is_started() {
+    qt $IPTABLES -L shorewall -n
+}
+
+#
+# Echos the fully-qualified name of the calling shell program
+#
+my_pathname() {
+    cd $(dirname $0)
+    echo $PWD/$(basename $0)
+}
+
+#
+# Source a user exit file if it exists
+#
+run_user_exit() # $1 = file name
+{
+    local user_exit
+    user_exit=$(find_file $1)
+
+    if [ -f $user_exit ]; then
+	progress_message "Processing $user_exit ..."
+	. $user_exit
+    fi
+}
+
+#
+# Load a Kernel Module -- assumes that the variable 'moduledirectories' contains
+#                         a space-separated list of directories to search for
+#                         the module and that 'moduleloader' contains the
+#                         module loader command.
+#
+loadmodule() # $1 = module name, $2 - * arguments
+{
+    local modulename
+    modulename=$1
+    local modulefile
+    local suffix
+
+    if ! list_search $modulename $DONT_LOAD $MODULES; then
+	shift
+
+	for suffix in $MODULE_SUFFIX ; do
+	    for directory in $moduledirectories; do
+		modulefile=$directory/${modulename}.${suffix}
+
+		if [ -f $modulefile ]; then
+		    case $moduleloader in
+			insmod)
+			    insmod $modulefile $*
+			    ;;
+			*)
+			    modprobe $modulename $*
+			    ;;
+		    esac
+		    break 2
+		fi
+	    done
+	done
+    fi
+}
+
+#
+# Reload the Modules
+#
+reload_kernel_modules() {
+
+    local save_modules_dir
+    save_modules_dir=$MODULESDIR
+    local directory
+    local moduledirectories
+    moduledirectories=
+    local moduleloader
+    moduleloader=modprobe
+    local uname
+
+    if ! qt mywhich modprobe; then
+	moduleloader=insmod
+    fi
+
+    [ -n "${MODULE_SUFFIX:=o gz ko o.gz ko.gz}" ]
+
+    [ -z "$MODULESDIR" ] && \
+	uname=$(uname -r) && \
+	MODULESDIR=/lib/modules/$uname/kernel/net/ipv4/netfilter:/lib/modules/$uname/kernel/net/netfilter:/lib/modules/$uname/kernel/net/sched:/lib/modules/$uname/extra:/lib/modules/$uname/extra/ipset
+
+    MODULES=$(lsmod | cut -d ' ' -f1)
+
+    for directory in $(split $MODULESDIR); do
+	[ -d $directory ] && moduledirectories="$moduledirectories $directory"
+    done
+
+    [ -n "$moduledirectories" ] && while read command; do
+	eval $command
+    done
+
+    MODULESDIR=$save_modules_dir
+}
+
+#
+# Load kernel modules required for Shorewall
+#
+load_kernel_modules() # $1 = Yes, if we are to save moduleinfo in $VARDIR
+{
+    local save_modules_dir
+    save_modules_dir=$MODULESDIR
+    local directory
+    local moduledirectories
+    moduledirectories=
+    local moduleloader
+    moduleloader=modprobe
+    local savemoduleinfo
+    savemoduleinfo=${1:-Yes} # So old compiled scripts still work
+    local uname
+
+    if ! qt mywhich modprobe; then
+	moduleloader=insmod
+    fi
+
+    [ -n "${MODULE_SUFFIX:=o gz ko o.gz ko.gz}" ]
+
+    [ -z "$MODULESDIR" ] && \
+	uname=$(uname -r) && \
+	MODULESDIR=/lib/modules/$uname/kernel/net/ipv4/netfilter:/lib/modules/$uname/kernel/net/netfilter:/lib/modules/$uname/kernel/net/sched:/lib/modules/$uname/extra:/lib/modules/$uname/extra/ipset
+
+    for directory in $(split $MODULESDIR); do
+	[ -d $directory ] && moduledirectories="$moduledirectories $directory"
+    done
+
+    [ -n "$LOAD_HELPERS_ONLY" ] && modules=$(find_file helpers) || modules=$(find_file modules)
+
+    if [ -f $modules -a -n "$moduledirectories" ]; then
+	MODULES=$(lsmod | cut -d ' ' -f1)
+	progress_message "Loading Modules..."
+	. $modules
+	if [ $savemoduleinfo = Yes ]; then
+	    [ -d ${VARDIR} ] || mkdir -p ${VARDIR}
+	    echo MODULESDIR="$MODULESDIR" > ${VARDIR}/.modulesdir
+	    cp -f $modules ${VARDIR}/.modules
+	fi
+    elif [ $savemoduleinfo = Yes ]; then
+	[ -d ${VARDIR} ] || mkdir -p ${VARDIR}
+	> ${VARDIR}/.modulesdir
+	> ${VARDIR}/.modules
+    fi
+
+    MODULESDIR=$save_modules_dir
+}
+
+#
+#  Note: The following set of IP address manipulation functions have anomalous
+#        behavior when the shell only supports 32-bit signed arithmetic and
+#        the IP address is 128.0.0.0 or 128.0.0.1.
+#
+
+LEFTSHIFT='<<'
+
+#
+# Convert an IP address in dot quad format to an integer
+#
+decodeaddr() {
+    local x
+    local temp
+    temp=0
+    local ifs
+    ifs=$IFS
+
+    IFS=.
+
+    for x in $1; do
+	temp=$(( $(( $temp $LEFTSHIFT 8 )) | $x ))
+    done
+
+    echo $temp
+
+    IFS=$ifs
+}
+
+#
+# convert an integer to dot quad format
+#
+encodeaddr() {
+    addr=$1
+    local x
+    local y
+    y=$(($addr & 255))
+
+    for x in 1 2 3 ; do
+	addr=$(($addr >> 8))
+	y=$(($addr & 255)).$y
+    done
+
+    echo $y
+}
+
+#
+# Netmask from CIDR
+#
+ip_netmask() {
+    local vlsm
+    vlsm=${1#*/}
+
+    [ $vlsm -eq 0 ] && echo 0 || echo $(( -1 $LEFTSHIFT $(( 32 - $vlsm )) ))
+}
+
+#
+# Network address from CIDR
+#
+ip_network() {
+    local decodedaddr
+    decodedaddr=$(decodeaddr ${1%/*})
+    local netmask
+    netmask=$(ip_netmask $1)
+
+    echo $(encodeaddr $(($decodedaddr & $netmask)))
+}
+
+#
+# The following hack is supplied to compensate for the fact that many of
+# the popular light-weight Bourne shell derivatives don't support XOR ("^").
+#
+ip_broadcast() {
+    local x
+    x=$(( 32 - ${1#*/} ))
+
+    [ $x -eq 32 ] && echo -1 || echo $(( $(( 1 $LEFTSHIFT $x )) - 1 ))
+}
+
+#
+# Calculate broadcast address from CIDR
+#
+broadcastaddress() {
+    local decodedaddr
+    decodedaddr=$(decodeaddr ${1%/*})
+    local netmask
+    netmask=$(ip_netmask $1)
+    local broadcast
+    broadcast=$(ip_broadcast $1)
+
+    echo $(encodeaddr $(( $(($decodedaddr & $netmask)) | $broadcast )))
+}
+
+#
+# Test for network membership
+#
+in_network() # $1 = IP address, $2 = CIDR network
+{
+    local netmask
+    netmask=$(ip_netmask $2)
+    #
+    # Use string comparison to work around a broken BusyBox ash in OpenWRT
+    #
+    test $(( $(decodeaddr $1) & $netmask)) = $(( $(decodeaddr ${2%/*}) & $netmask ))
+}
+
+#
+# Find interface address--returns the first IP address assigned to the passed
+# device
+#
+find_first_interface_address() # $1 = interface
+{
+    #
+    # get the line of output containing the first IP address
+    #
+    addr=$($IP -f inet addr show $1 2> /dev/null | grep 'inet .* global' | head -n1)
+    #
+    # If there wasn't one, bail out now
+    #
+    [ -n "$addr" ] || startup_error "Can't determine the IP address of $1"
+    #
+    # Strip off the trailing VLSM mask (or the peer IP in case of a P-t-P link)
+    # along with everything else on the line
+    #
+    echo $addr | sed 's/\s*inet //;s/\/.*//;s/ peer.*//'
+}
+
+find_first_interface_address_if_any() # $1 = interface
+{
+    #
+    # get the line of output containing the first IP address
+    #
+    addr=$($IP -f inet addr show $1 2> /dev/null | grep 'inet .* global' | head -n1)
+    #
+    # Strip off the trailing VLSM mask (or the peer IP in case of a P-t-P link)
+    # along with everything else on the line
+    #
+    [ -n "$addr" ] && echo $addr | sed 's/\s*inet //;s/\/.*//;s/ peer.*//' || echo 0.0.0.0
+}
+
+#
+# Internal version of 'which'
+#
+mywhich() {
+    local dir
+
+    for dir in $(split $PATH); do
+	if [ -x $dir/$1 ]; then
+	    echo $dir/$1
+	    return 0
+	fi
+    done
+
+    return 2
+}
+
+#
+# Query NetFilter about the existence of a filter chain
+#
+chain_exists() # $1 = chain name
+{
+    qt1 $IPTABLES -L $1 -n
+}
+
+#
+# Find a File -- For relative file name, look in each ${CONFIG_PATH} then ${CONFDIR}
+#
+find_file()
+{
+    local saveifs
+    saveifs=
+    local directory
+
+    case $1 in
+	/*)
+	    echo $1
+	    ;;
+	*)
+	    for directory in $(split $CONFIG_PATH); do
+		if [ -f $directory/$1 ]; then
+		    echo $directory/$1
+		    return
+		fi
+	    done
+
+	    echo ${CONFDIR}/$1
+	    ;;
+    esac
+}
+
+#
+# Set the Shorewall state
+#
+set_state () # $1 = state
+{
+    echo "$1 ($(date))" > ${VARDIR}/state
+}
+
+#
+# Perform variable substitution on the passed argument and echo the result
+#
+expand() # $@ = contents of variable which may be the name of another variable
+{
+    eval echo \"$@\"
+}
+
+#
+# Function for including one file into another
+#
+INCLUDE() {
+    . $(find_file $(expand $@))
+}
+
+# Function to truncate a string -- It uses 'cut -b -<n>'
+# rather than ${v:first:last} because light-weight shells like ash and
+# dash do not support that form of expansion.
+#
+
+truncate() # $1 = length
+{
+    cut -b -${1}
+}
--- a/Shorewall/releasenotes.txt
+++ b/Shorewall/releasenotes.txt
@@ -1,7 +1,16 @@
-Shorewall 4.4.7 Patch Release 2.
+----------------------------------------------------------------------------
+                       S H O R E W A L L  4 . 4 . 8
+----------------------------------------------------------------------------
+
+I.    RELEASE 4.4 HIGHLIGHTS
+II.   MIGRATION ISSUES
+III.  PROBLEMS CORRECTED IN THIS RELEASE
+IV.   KNOWN PROBLEMS REMAINING
+V.    NEW FEATURES IN THIS RELEASE
+VI.   PROBLEMS CORRECTED AND NEW FEATURES IN PRIOR RELEASES 

 ----------------------------------------------------------------------------
-               R E L E A S E  4 . 4  H I G H L I G H T S
+             I.  R E L E A S E  4 . 4  H I G H L I G H T S
 ----------------------------------------------------------------------------

 1)  Support for Shorewall-shell has been discontinued. Shorewall-perl
@@ -59,7 +68,7 @@ Shorewall 4.4.7 Patch Release 2.
 15) TPROXY support has been added.

 ----------------------------------------------------------------------------
-                    M I G R A T I O N   I S S U E S
+                  I I.  M I G R A T I O N   I S S U E S
 ----------------------------------------------------------------------------
 1)  If you are currently using Shorewall-shell:

@@ -183,28 +192,178 @@ Shorewall 4.4.7 Patch Release 2.
    unless you choose to replace your current shorewall.conf with the
    one from the release (not recommended).

+14) The names of interface configuration variables in generated scripts
+    have been changed to insure uniqueness. These names now begin with
+    SW_.
+
+    This change will only affect you if your extension scripts are
+    using one or more of these variables.
+
+          Old Variable Name                   New Variable Name
+          -----------------------------------------------------
+	  iface_ADDRESS                        SW_iface_ADDRESS
+	  iface_BCASTS                         SW_iface_BCASTS
+	  iface_ACASTS                         SW_iface_ACASTS
+	  iface_GATEWAY                        SW_iface_GATEWAY
+	  iface_ADDRESSES                      SW_iface_ADDRESSES
+	  iface_NETWORKS                       SW_iface_NETWORKS
+	  iface_MAC                            SW_iface_MAC
+	  
+	  provider_IS_USABLE                   SW_provider_IS_USABLE
+
+    where 'iface' is a capitalized interface name (e.g., ETH0) and
+    'provider' is the capitalized name of a provider.
+	  
 ----------------------------------------------------------------------------
-       P R O B L E M S   C O R R E C T E D   I N   4 . 4 . 7 . 2
+I I I.  P R O B L E M S   C O R R E C T E D   I N   T H I S  R E L E A S E
 ----------------------------------------------------------------------------

-1)  Detection of the 'Old hashlimit match' capability was broken in
+1)  A CONTINUE rule specifying a log level would cause the compiler to 
+    generate an incorrect rule sequence. The packet would be logged
+    but the CONTINUE action would not occur.
+
+2)  If multiple entries were present in /etc/shorewall/tcdevices and
+    globally unique class numbers were not explicitly specified in
+    /etc/shorewall/tcclasses, then 'shorewall start' would fail with a
+    diagnostic such as:
+
+    Setting up Traffic Control...
+    RTNETLINK answers: File exists
+      ERROR: Command "tc qdisc add dev eth1 parent 2:2 handle 2: sfq quantum
+             1500 limit 127 perturb 10" Failed
+    Processing /etc/shorewall/stop ...
+
+3)  Previously, when a low per-IP rate limit (such as 1/hour) was
+    specified, the effective enforced rate was much higher
+    (approximately 6/min). The Shorewall compiler now configures the
+    hashlimit table idle timeout based on the rate units (min, hour,
+    ...) so that the rate is more accurately enforced.
+
+    As part of this change, a unique hash table name is assigned to
+    each per-IP rate limiting rule that does not specify a table name
+    in the rule. The assigned names are of the form 'shorewallN' where
+    N is an integer. Previously, all such rules shared a single
+    'shorewall' table which lead to unexpected results.
+
+4)  All versions of Shorewall-perl mishandle per-IP rate limiting in
+    REDIRECT, DNAT and ACCEPT+ rules. The effective rate and burst are
+    1/2 of the values given in the rule.
+
+5)  Detection of the 'Old hashlimit match' capability was broken in
    /sbin/shorewall, /sbin/shorewall-lite and in the IPv4 version of 
    shorecap.

-2)  On older distributions such as RHEL5 and derivatives, when
-    LOAD_HELPERS_ONLY=No, Shorewall would fail to start if a TYPE was
-    specified in /etc/shorewall/tcinterfaces.
+6)  On older distributions such as RHEL5 and derivatives, Shorewall
+    would fail to start if a TYPE was specified in
+    /etc/shorewall/tcinterfaces and LOAD_HELPERS_ONLY had been
+    specified in /etc/shorewall/shorewall.conf.
+
+7)  The Debian init scripts are modified to include $remote_fs in the 
+    Required-start and Required-stop specifications.
+
+8)  Previously, when a supported command failed, the Debian Shorewall
+    init script would still return a success (zero) exit status. It now
+    returns a failure status (1) when the command fails.
+
+9)  Previously, if a queue number was specified in an NFQUEUE policy
+    (e.g., NFQUEUE(0)), invalid iptables-restore input would be
+    generated.
+
+10) Previously, with optimization 4, users of ipsec on older releases
+    such as RHEL5 and CentOS, could encounter an error similar to this
+    one:
+
+    Running /sbin/iptables-restore...
+    iptables-restore v1.3.5: Unknown arg `out'
+    Error occurred at line: 93
+    Try `iptables-restore -h' or 'iptables-restore --help' for more
+        information.
+    	ERROR: iptables-restore Failed. Input is in
+               /var/lib/shorewall/.iptables-restore-input
+
+11) Previously, with optimization 4, the 'blacklst' chain could be
+    optimized away. If the blacklist file was then changed and a
+    'shorewall refresh' executed, those new changes would not be included
+    in the active ruleset.
+
+----------------------------------------------------------------------------
+           I V. K N O W N   P R O B L E M S   R E M A I N I N G
+----------------------------------------------------------------------------
+
+None.
+
+----------------------------------------------------------------------------
+         V.  N E W   F E A T U R E S   I N   T H I S  R E L E A S E
+----------------------------------------------------------------------------
+
+1)  To avoid variable name collisions, a number of shell variable names
+    that Shorewall uses and that are in all capital letters have been
+    changed. The following variables are now safe to use in your
+    /etc/shorewall/params file and in your extension scripts:
+
+        DEBUG
+	ECHO_E
+	ECHO_N
+	EXPORT
+	FAST
+	HOSTNAME
+	IPT_OPTIONS
+	NOROUTES
+	PREVIEW
+	PRODUCT
+	PROFILE
+	PURGE
+	RECOVERING
+	RESTOREPATH
+	RING_BELL
+	STOPPING
+	TEST
+	TIMESTAMP
+	USE_VERBOSITY
+	VERBOSE
+	VERBOSE_OFFSET
+	VERSION
+	
+    See Migration Issue 14 above for additional information.
+
+2)  The Shorewall and Shorewall6 installers now accept a '-s' (sparse)
+    option. That option causes only shorewall.conf to be installed in
+    /etc/shorewall/.
+
+3)  An OpenPGP HTTP Keyserver Protocol (HKP) macro (macro.HKP) has been
+    contributed.
+
+4)  In an attempt to help those who don't read the documentation, the
+    compiler now flags apparent use of '-' as a port range separator
+    with an error message.
+
+    Example:
+
+    /etc/shorewall/rules
+
+       #ACTION    SOURCE     DEST      PROTO    DEST
+       #                                        PORT(S)
+       ACCEPT	  net        fw        tcp      21-22
+
+    Resulting error message
+
+       ERROR: The separator for a port range is ':', not '-' (21-22) : 
+              /etc/shorewall/rules (line 3)
+
+5)  Support has been added for UDPLITE (proto 136) in that DEST PORT(S)
+    and SOURCE PORT(S) may now be specified for that protocol.
+
+6)  If a runtime error occurs during a 'start' or 'restart' operation
+    but a saved configuration is successfully restored, a subsequent
+    'status' command now gives the detailed status as 'Restored from
+    <filename>' rather than 'Started'; <filename> is the saved script
+    used to restore the configuration.
 
 ----------------------------------------------------------------------------
-       P R O B L E M S   C O R R E C T E D   I N   4 . 4 . 7 . 1
+V I.  P R O B L E M S  C O R R E C T E D  A N D  N E W   F E A T U R E S
+      I N   P R I O R  R E L E A S E S
 ----------------------------------------------------------------------------
-
-1)  All versions of Shorewall-perl mishandle per-IP rate limiting in
-    REDIRECT and DNAT rules. The effective rate and burst are 1/2 of
-    the values given in the rule.
-
----------------------------------------------------------------------------
-          P R O B L E M S   C O R R E C T E D   I N   4 . 4 . 7
+         P R O B L E M S   C O R R E C T E D   I N   4 . 4 . 7
 ----------------------------------------------------------------------------

 1)  The tcinterfaces and tcpri files are now installed by the
@@ -245,12 +404,6 @@ Shorewall 4.4.7 Patch Release 2.
      compiler will use other hints to try to determine if 'flow' is
      available.

----------------------------------------------------------------------------
-             K N O W N   P R O B L E M S   R E M A I N I N G
----------------------------------------------------------------------------
-
-None.
-
 ----------------------------------------------------------------------------
                N E W   F E A T U R E S   I N   4 . 4 . 7
 ----------------------------------------------------------------------------
--- a/Shorewall/shorewall
+++ b/Shorewall/shorewall
@@ -62,19 +62,17 @@ get_config() {

    ensure_config_path
    
-    if [ -z "$EXPORT" -a "$(id -u)" = 0 ]; then
+    if [ -z "$g_export" -a "$(id -u)" = 0 ]; then
 	#
 	# This block is avoided for compile for export and when the user isn't root
 	#
-	export CONFIG_PATH
-
 	if [ "$3" = Yes ]; then
 	    [ -z "$LOGFILE" ] && LOGFILE=/var/log/messages

 	    if [ -n "$(syslog_circular_buffer)" ]; then
-		LOGREAD="logread | tac"
+		g_logread="logread | tac"
 	    elif [ -r $LOGFILE ]; then
-		LOGREAD="tac $LOGFILE"
+		g_logread="tac $LOGFILE"
 	    else
 		echo "LOGFILE ($LOGFILE) does not exist!" >&2
 		exit 2
@@ -94,8 +92,6 @@ get_config() {
 	    fi
 	fi

-	export IPTABLES
-
 	if [ -n "$IP" ]; then
 	    case "$IP" in
 		*/*)
@@ -117,8 +113,6 @@ get_config() {
 	    IP='ip'
 	fi

-	export IP
-
 	if [ -n "$IPSET" ]; then
 	    case "$IPSET" in
 		*/*)
@@ -140,8 +134,6 @@ get_config() {
 	    IPSET='ipset'
 	fi

-	export IPSET
-
 	if [ -n "$TC" ]; then
 	    case "$TC" in
 		*/*)
@@ -162,9 +154,6 @@ get_config() {
 	else 
 	    TC='tc'
 	fi
-
-	export TC
-
 	#
 	# Compile by non-root needs no restore file
 	#
@@ -172,8 +161,6 @@ get_config() {

 	validate_restorefile RESTOREFILE

-	export RESTOREFILE
-
 	if [ "$2" = Yes ]; then
 	    case $STARTUP_ENABLED in
 		No|no|NO)
@@ -213,8 +200,6 @@ get_config() {

 	[ -n "$LOGFORMAT" ] && LOGFORMAT="${LOGFORMAT%%%*}"

-	export LOGFORMAT
-
 	if [ -n "$STARTUP_LOG" ]; then
 	    if [ -n "$LOG_VERBOSITY" ]; then
 		case $LOG_VERBOSITY in
@@ -259,17 +244,15 @@ get_config() {
 	    ;;
    esac

-    [ -n "$USE_VERBOSITY" ] && VERBOSE=$USE_VERBOSITY || VERBOSE=$(($VERBOSE_OFFSET + $VERBOSITY))
+    [ -n "$g_use_verbosity" ] && VERBOSITY=$g_use_verbosity || VERBOSITY=$(($g_verbose_offset + $VERBOSITY))

-    if [ $VERBOSE -lt -1 ]; then
-	VERBOSE=-1
-    elif [ $VERBOSE -gt 2 ]; then
-	VERBOSE=2
+    if [ $VERBOSITY -lt -1 ]; then
+	VERBOSITY=-1
+    elif [ $VERBOSITY -gt 2 ]; then
+	VERBOSITY=2
    fi

-    export VERBOSE
-
-    [ -n "${HOSTNAME:=$(hostname)}" ]
+    g_hostname=$(hostname 2> /dev/null)

    [ -n "$RSH_COMMAND" ] || RSH_COMMAND='ssh ${root}@${system} ${command}'
    [ -n "$RCP_COMMAND" ] || RCP_COMMAND='scp ${files} ${root}@${system}:${destination}'
@@ -288,20 +271,6 @@ get_config() {
 	    ;;
    esac

-    case $FAST_STOP in
-	Yes|yes)
-	    ;;
-	No|no)
-	    FAST_STOP=
-	    ;;
-	*)
-	    if [ -n "$FAST_STOP" ]; then
-		echo "   ERROR: Invalid FAST_STOP setting ($FAST_STOP)" >&2
-		exit 2
-	    fi
-	    ;;
-    esac
-
    case $AUTOMAKE in
 	Yes|yes)
 	    ;;
@@ -360,8 +329,8 @@ compiler() {
    esac

    debugflags="-w"
-    [ -n "$DEBUG" ]   && debugflags='-wd'
-    [ -n "$PROFILE" ] && debugflags='-wd:DProf'
+    [ -n "$g_debug" ]   && debugflags='-wd'
+    [ -n "$g_profile" ] && debugflags='-wd:DProf'

    # Perl compiler only takes the output file as a argument
 	    
@@ -369,16 +338,16 @@ compiler() {
    [ "$1" = nolock ] && shift;
    shift 

-    options="--verbose=$VERBOSE"
+    options="--verbose=$VERBOSITY"
    [ -n "$STARTUP_LOG" ] && options="$options --log=$STARTUP_LOG"
    [ -n "$LOG_VERBOSITY" ] && options="$options --log_verbosity=$LOG_VERBOSITY";
-    [ -n "$EXPORT" ] && options="$options --export"
+    [ -n "$g_export" ] && options="$options --export"
    [ -n "$SHOREWALL_DIR" ] && options="$options --directory=$SHOREWALL_DIR"
-    [ -n "$TIMESTAMP" ] && options="$options --timestamp"
-    [ -n "$TEST" ] && options="$options --test"
-    [ -n "$PREVIEW" ] && options="$options --preview"
-    [ "$debugging" = trace ] && options="$options --debug"
-    [ -n "$REFRESHCHAINS" ] && options="$options --refresh=$REFRESHCHAINS"
+    [ -n "$g_timestamp" ] && options="$options --timestamp"
+    [ -n "$g_test" ] && options="$options --test"
+    [ -n "$g_preview" ] && options="$options --preview"
+    [ "$g_debugging" = trace ] && options="$options --debug"
+    [ -n "$g_refreshchains" ] && options="$options --refresh=$g_refreshchains"
    #
    # Run the appropriate params file
    #
@@ -387,7 +356,7 @@ compiler() {
    set +a

    perl $debugflags /usr/share/shorewall/compiler.pl $options $@
-}    
+}

 #
 # Start Command Executor
@@ -403,15 +372,15 @@ start_command() {

 	if [ -n "$AUTOMAKE" ]; then
 	    [ -n "$nolock" ] || mutex_on
-	    ${VARDIR}/firewall $debugging start
+	    run_it ${VARDIR}/firewall $g_debugging start
 	    rc=$?
 	    [ -n "$nolock" ] || mutex_off
 	else
 	    progress_message3 "Compiling..."

-	    if compiler $debugging $nolock compile ${VARDIR}/.start; then
+	    if compiler $g_debugging $nolock compile ${VARDIR}/.start; then
 		[ -n "$nolock" ] || mutex_on
-		${VARDIR}/.start $debugging start
+		run_it ${VARDIR}/.start $g_debugging start
 		rc=$?
 		[ -n "$nolock" ] || mutex_off
 	    else
@@ -443,16 +412,16 @@ start_command() {
 			    option=
 			    ;;
 			d*)
-			    DEBUG=Yes
+			    g_debug=Yes
 			    option=${option#d}
 			    ;;
 			f*)
-			    FAST=Yes
+			    g_fast=Yes
 			    option=${option#f}
 			    ;;
 			p*)
 			    [ -n "$(which conntrack)" ] || fatal_error "The '-p' option requires the conntrack utility which does not appear to be installed on this system"
-			    PURGE=Yes
+			    g_purge=Yes
 			    option=${option%p}
 			    ;;
 			*)
@@ -472,7 +441,7 @@ start_command() {
 	0)
 	    ;;
 	1)
-	    [ -n "$SHOREWALL_DIR" -o -n "$FAST" ] && usage 2
+	    [ -n "$SHOREWALL_DIR" -o -n "$g_fast" ] && usage 2

 	    if [ ! -d $1 ]; then
 		if [ -e $1 ]; then
@@ -483,7 +452,6 @@ start_command() {
 	    fi

 	    SHOREWALL_DIR=$(resolve_file $1)
-	    export SHOREWALL_DIR
 	    AUTOMAKE=
 	    ;;
 	*)
@@ -491,42 +459,38 @@ start_command() {
 	    ;;
    esac

-    export NOROUTES
-    export PURGE
-
-    if [ -n "${FAST}${AUTOMAKE}" ]; then
+    if [ -n "${g_fast}${AUTOMAKE}" ]; then
 	if qt mywhich make; then
-	    #
-	    # RESTOREFILE is exported by get_config()
-	    #
 	    restorefile=$RESTOREFILE

-	    if [ -z "$FAST" ]; then
+	    if [ -z "$g_fast" ]; then
 		#
 		# Automake -- use the last compiled script
 		#
 		RESTOREFILE=firewall
 	    fi

-	    if ! make -qf ${CONFDIR}/Makefile; then
-		FAST= 
+	    export RESTOREFILE
+
+	    if make -qf ${CONFDIR}/Makefile; then
+		g_fast=
 		AUTOMAKE=
 	    fi

 	    RESTOREFILE=$restorefile
 	else
-	    FAST=
+	    g_fast=
 	    AUTOMAKE=
 	fi

-	if [ -n "$FAST" ]; then
-	    RESTOREPATH=${VARDIR}/$RESTOREFILE
+	if [ -n "$g_fast" ]; then
+	    g_restorepath=${VARDIR}/$RESTOREFILE

-	    if [ -x $RESTOREPATH ]; then
+	    if [ -x $g_restorepath ]; then
 		echo Restoring Shorewall...
-		$SHOREWALL_SHELL $RESTOREPATH restore
+		run_it $g_restorepath restore
 		date > ${VARDIR}/restarted
-		progress_message3 Shorewall restored from $RESTOREPATH
+		progress_message3 Shorewall restored from $g_restorepath
 	    else
 		do_it
 	    fi
@@ -558,19 +522,19 @@ compile_command() {
 		while [ -n "$option" ]; do
 		    case $option in
 			e*)
-			    EXPORT=Yes
+			    g_export=Yes
 			    option=${option#e}
 			    ;;
 			p*)
-			    PROFILE=Yes
+			    g_profile=Yes
 			    option=${option#p}
 			    ;;
 			t*)
-			    TEST=Yes
+			    g_test=Yes
 			    option=${option#t}
 			    ;;			    
 			d*)
-			    DEBUG=Yes;
+			    g_debug=Yes;
 			    option=${option#d}
 			    ;;
 			-)
@@ -611,7 +575,6 @@ compile_command() {
 	    fi

 	    SHOREWALL_DIR=$(resolve_file $1)
-	    export SHOREWALL_DIR
 	    file=$2
 	    ;;
 	*)
@@ -619,11 +582,9 @@ compile_command() {
 	    ;;
    esac

-    export EXPORT
-
    [ "x$file" = x- ] || progress_message3 "Compiling..."

-    compiler $debugging compile $file
+    compiler $g_debugging compile $file
 }

 #
@@ -646,19 +607,19 @@ check_command() {
 			    option=
 			    ;;
 			e*)
-			    EXPORT=Yes
+			    g_export=Yes
 			    option=${option#e}
 			    ;;
 			p*)
-			    PROFILE=Yes
+			    g_profile=Yes
 			    option=${option#p}
 			    ;;
 			d*)
-			    DEBUG=Yes;
+			    g_debug=Yes;
 			    option=${option#d}
 			    ;;
 			r*)
-			    PREVIEW=Yes;
+			    g_preview=Yes;
 			    option=${option#r}
 			    ;;
 			*)
@@ -689,18 +650,15 @@ check_command() {
 	    fi

 	    SHOREWALL_DIR=$(resolve_file $1)
-	    export SHOREWALL_DIR
 	    ;;
 	*)
 	    usage 1
 	    ;;
    esac

-    export EXPORT
-
    progress_message3 "Checking..."

-    compiler $debugging $nolock check
+    compiler $g_debugging $nolock check
 }

 #
@@ -726,20 +684,20 @@ restart_command() {
 			    option=
 			    ;;
 			d*)
-			    DEBUG=Yes
+			    g_debug=Yes
 			    option=${option#d}
 			    ;;
 			f*)
-			    FAST=Yes
+			    g_fast=Yes
 			    option=${option#f}
 			    ;;
 			n*)
-			    NOROUTES=Yes
+			    g_noroutes=Yes
 			    option=${option#n}
 			    ;;
 			p*)
 			    [ -n "$(which conntrack)" ] || fatal_error "The '-p' option requires the conntrack utility which does not appear to be installed on this system"
-			    PURGE=Yes
+			    g_purge=Yes
 			    option=${option%p}
 			    ;;
 			*)
@@ -770,8 +728,7 @@ restart_command() {
 	    fi

 	    SHOREWALL_DIR=$(resolve_file $1)
-	    [ -n "$FAST" ] && fatal_error "Directory may not be specified with the -f option"
-	    export SHOREWALL_DIR
+	    [ -n "$g_fast" ] && fatal_error "Directory may not be specified with the -f option"
 	    AUTOMAKE=
 	    ;;
 	*)
@@ -781,27 +738,24 @@ restart_command() {

    [ -n "$STARTUP_ENABLED" ] || fatal_error "Startup is disabled"

-    export NOROUTES
-    export PURGE
-
-    if [ -z "$FAST" -a -n "$AUTOMAKE" ]; then
+    if [ -z "$g_fast" -a -n "$AUTOMAKE" ]; then
 	if qt mywhich make; then
 	    #
 	    # RESTOREFILE is exported by get_config()
 	    #
 	    restorefile=$RESTOREFILE
 	    RESTOREFILE=firewall
-	    make -qf ${CONFDIR}/Makefile && FAST=Yes
+	    make -qf ${CONFDIR}/Makefile && g_fast=Yes
 	    RESTOREFILE=$restorefile
 	fi
    fi

-    if [ -z "$FAST" ]; then  
+    if [ -z "$g_fast" ]; then  
 	progress_message3 "Compiling..."

-	if compiler $debugging $nolock compile ${VARDIR}/.restart; then
+	if compiler $g_debugging $nolock compile ${VARDIR}/.restart; then
 	    [ -n "$nolock" ] || mutex_on
-	    $SHOREWALL_SHELL ${VARDIR}/.restart $debugging restart
+	    run_it ${VARDIR}/.restart $g_debugging restart
 	    rc=$?
 	    [ -n "$nolock" ] || mutex_off
 	else
@@ -811,7 +765,7 @@ restart_command() {
    else
 	[ -x ${VARDIR}/firewall ] || fatal_error "No ${VARDIR}/firewall file found"
 	[ -n "$nolock" ] || mutex_on
-	$SHOREWALL_SHELL ${VARDIR}/firewall $debugging restart
+	run_it ${VARDIR}/firewall $g_debugging restart
 	rc=$?
 	[ -n "$nolock" ] || mutex_off
    fi
@@ -852,11 +806,11 @@ refresh_command() {
    done

    if [ $# -gt 0 ]; then
-	REFRESHCHAINS=$1
+	g_refreshchains=$1
 	shift

 	while [ $# -gt 0 ]; do
-	    REFRESHCHAINS="$REFRESHCHAINS,$1"
+	    g_refreshchains="$g_refreshchains,$1"
 	    shift
 	done
    fi
@@ -865,13 +819,11 @@ refresh_command() {

    [ -n "$STARTUP_ENABLED" ] || fatal_error "Startup is disabled"

-    export NOROUTES
-
    progress_message3 "Compiling..."

-    if compiler $debugging $nolock compile ${VARDIR}/.refresh; then
+    if compiler $g_debugging $nolock compile ${VARDIR}/.refresh; then
 	[ -n "$nolock" ] || mutex_on
-	$SHOREWALL_SHELL ${VARDIR}/.refresh $debugging refresh
+	run_it ${VARDIR}/.refresh $g_debugging refresh
 	rc=$?
 	[ -n "$nolock" ] || mutex_off
    else
@@ -908,7 +860,7 @@ safe_commands() {
 			    option=
 			    ;;
 			n*)
-			    NOROUTES=Yes
+			    g_noroutes=Yes
 			    option=${option#n}
 			    ;;
 			*)
@@ -939,7 +891,6 @@ safe_commands() {
 	    fi

 	    SHOREWALL_DIR=$(resolve_file $1)
-	    export SHOREWALL_DIR
 	    ;;
 	*)
 	    usage 1
@@ -970,19 +921,19 @@ safe_commands() {

    progress_message3 "Compiling..."

-    if ! compiler $debugging nolock compile ${VARDIR}/.$command; then
+    if ! compiler $g_debugging nolock compile ${VARDIR}/.$command; then
 	status=$?
 	exit $status
    fi

    case $command in
 	start)
-	    export RESTOREFILE=NONE
+	    RESTOREFILE=NONE
 	    progress_message3 "Starting..."
 	    ;;
 	restart)
-	    export RESTOREFILE=.safe
-	    RESTOREPATH=${VARDIR}/.safe
+	    RESTOREFILE=.safe
+	    g_restorepath=${VARDIR}/.safe
 	    save_config
 	    progress_message3 "Restarting..."
 	    ;;
@@ -990,7 +941,7 @@ safe_commands() {

    [ -n "$nolock" ] || mutex_on

-    if ${VARDIR}/.$command $debugging $command; then
+    if ${VARDIR}/.$command $g_debugging $command; then

 	echo -n "Do you want to accept the new firewall configuration? [y/n] "

@@ -1035,7 +986,6 @@ try_command() {
 	fi
 	
 	SHOREWALL_DIR=$(resolve_file $1)
-	export SHOREWALL_DIR
    }

    while [ $finished -eq 0 -a $# -gt 0 ]; do
@@ -1051,7 +1001,7 @@ try_command() {
 			    option=
 			    ;;
 			n*)
-			    NOROUTES=Yes
+			    g_noroutes=Yes
 			    option=${option#n}
 			    ;;
 			*)
@@ -1107,19 +1057,19 @@ try_command() {

    progress_message3 "Compiling..."

-    if ! compiler $debugging $nolock compile ${VARDIR}/.$command; then
+    if ! compiler $g_debugging $nolock compile ${VARDIR}/.$command; then
 	status=$?
 	exit $status
    fi

    case $command in
 	start)
-	    export RESTOREFILE=NONE
+	    RESTOREFILE=NONE
 	    progress_message3 "Starting..."
 	    ;;
 	restart)
-	    export RESTOREFILE=.try
-	    RESTOREPATH=${VARDIR}/.try
+	    RESTOREFILE=.try
+	    g_restorepath=${VARDIR}/.try
 	    save_config
 	    progress_message3 "Restarting..."
 	    ;;
@@ -1178,7 +1128,7 @@ reload_command() # $* = original arguments less the command.
    local root
    root=root

-    LITEDIR=/var/lib/shorewall-lite
+    litedir=/var/lib/shorewall-lite

    while [ $finished -eq 0 -a $# -gt 0 ]; do
 	option=$1
@@ -1233,9 +1183,9 @@ reload_command() # $* = original arguments less the command.
 	    ;;
    esac

-    litedir=$(rsh_command /sbin/shorewall-lite show config 2> /dev/null | grep ^LITEDIR | sed 's/LITEDIR is //')
+    temp=$(rsh_command /sbin/shorewall-lite show config 2> /dev/null | grep ^LITEDIR | sed 's/LITEDIR is //')

-    [ -n "$litedir" ] && LITEDIR=$litedir
+    [ -n "$temp" ] && litedir="$temp"

    if [ -z "$getcaps" ]; then
 	SHOREWALL_DIR=$(resolve_file $directory)
@@ -1260,11 +1210,11 @@ reload_command() # $* = original arguments less the command.

    file=$(resolve_file $directory/firewall)

-    [ -n "$TIMESTAMP" ] && timestamp='-t' || timestamp=
+    [ -n "$g_timestamp" ] && timestamp='-t' || timestamp=

-    if shorewall $debugging $verbose $timestamp compile -e $directory $directory/firewall && \
-	progress_message3 "Copying $file and ${file}.conf to ${system}:${LITEDIR}..." && \
-	rcp_command "$directory/firewall $directory/firewall.conf" ${LITEDIR}
+    if shorewall $g_debugging $verbose $timestamp compile -e $directory $directory/firewall && \
+	progress_message3 "Copying $file and ${file}.conf to ${system}:${litedir}..." && \
+	rcp_command "$directory/firewall $directory/firewall.conf" ${litedir}
    then
 	save=$(find_file save);

@@ -1272,15 +1222,15 @@ reload_command() # $* = original arguments less the command.

 	progress_message3 "Copy complete"
 	if [ $COMMAND = reload ]; then
-	    rsh_command "/sbin/shorewall-lite $debugging $verbose $timestamp restart" && \
+	    rsh_command "/sbin/shorewall-lite $g_debugging $verbose $timestamp restart" && \
 	    progress_message3 "System $system reloaded" || saveit=
 	else
-	    rsh_command "/sbin/shorewall-lite $debugging $verbose $timestamp start" && \
+	    rsh_command "/sbin/shorewall-lite $g_debugging $verbose $timestamp start" && \
 	    progress_message3 "System $system loaded" || saveit=
 	fi

 	if [ -n "$saveit" ]; then
-	    rsh_command "/sbin/shorewall-lite $debugging $verbose $timestamp save" && \
+	    rsh_command "/sbin/shorewall-lite $g_debugging $verbose $timestamp save" && \
 	    progress_message3 "Configuration on system $system saved"
 	fi
    fi
@@ -1349,7 +1299,7 @@ export_command() # $* = original arguments less the command.

    file=$(resolve_file $directory/firewall)

-    if shorewall $debugging $verbose compile -e $directory $directory/firewall && \
+    if shorewall $g_debugging $verbose compile -e $directory $directory/firewall && \
 	echo "Copying $file and ${file}.conf to ${target#*@}..." && \
 	scp $directory/firewall $directory/firewall.conf $target
    then
@@ -1427,10 +1377,10 @@ usage() # $1 = exit status
 #
 # Execution begins here
 #
-debugging=
+g_debugging=

 if [ $# -gt 0 ] && [ "x$1" = "xdebug" -o "x$1" = "xtrace" ]; then
-    debugging=$1
+    g_debugging=$1
    shift
 fi

@@ -1442,16 +1392,16 @@ if [ $# -gt 0 ] && [ "$1" = "nolock" ]; then
 fi

 SHOREWALL_DIR=
-IPT_OPTIONS="-nv"
-FAST=
-VERBOSE_OFFSET=0
-USE_VERBOSITY=
-NOROUTES=
-PURGE=
-DEBUG=
-EXPORT=
-export TIMESTAMP=
-noroutes=
+g_noroutes=
+g_purge=
+
+g_ipt_options="-nv"
+g_fast=
+g_verbose_offset=0
+g_use_verbosity=
+g_debug=
+g_export=
+g_refreshchains=

 finished=0

@@ -1483,52 +1433,52 @@ while [ $finished -eq 0 ]; do
 			shift
 			;;
 		    e*)
-			EXPORT=Yes
+			g_export=Yes
 			option=${option#e}
 			;;
 		    x*)
-			IPT_OPTIONS="-xnv"
+			g_ipt_options="-xnv"
 			option=${option#x}
 			;;
 		    q*)
-			VERBOSE_OFFSET=$(($VERBOSE_OFFSET - 1 ))
+			g_verbose_offset=$(($g_verbose_offset - 1 ))
 			option=${option#q}
 			;;
 		    f*)
-			FAST=Yes
+			g_fast=Yes
 			option=${option#f}
 			;;
 		    v*)
 			option=${option#v}
 			case $option in 
 			    -1*)
-				USE_VERBOSITY=-1
+				g_use_verbosity=-1
 				option=${option#-1}
 				;;
 			    0*)
-				USE_VERBOSITY=0
+				g_use_verbosity=0
 				option=${option#0}
 				;;
 			    1*)
-				USE_VERBOSITY=1
+				g_use_verbosity=1
 				option=${option#1}
 				;;
 			    2*)
-				USE_VERBOSITY=2
+				g_use_verbosity=2
 				option=${option#2}
 				;;
 			    *)
-				VERBOSE_OFFSET=$(($VERBOSE_OFFSET + 1 ))
-				USE_VERBOSITY=
+				g_verbose_offset=$(($g_verbose_offset + 1 ))
+				g_use_verbosity=
 				;;
 			esac
 			;;
 		    n*)
-			NOROUTES=Yes
+			g_noroutes=Yes
 			option=${option#n}
 			;;
 		    t*)
-			TIMESTAMP=Yes
+			g_timestamp=Yes
 			option=${option#t}
 			;;
 		    -)
@@ -1585,7 +1535,7 @@ version_command() {

    [ $# -gt 0 ] && usage 1

-    echo $version
+    echo $SHOREWALL_VERSION

 }

@@ -1593,14 +1543,14 @@ if [ $# -eq 0 ]; then
    usage 1
 fi

-[ -n "$SHOREWALL_DIR" ] && export SHOREWALL_DIR
 PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
-export PATH
 MUTEX_TIMEOUT=

 SHAREDIR=/usr/share/shorewall
 CONFDIR=/etc/shorewall
-export PRODUCT="Shorewall"
+g_product="Shorewall"
+g_recovering=
+g_timestamp=

 [ -f ${CONFDIR}/vardir ] && . ${CONFDIR}/vardir

@@ -1610,49 +1560,40 @@ if [ ! -f ${VARDIR}/firewall ]; then
    [ -f ${VARDIR}/.restore ] && cp -f ${VARDIR}/.restore ${VARDIR}/firewall 
 fi

-FIREWALL=${VARDIR}/firewall
-LIBRARIES="$SHAREDIR/lib.base $SHAREDIR/lib.cli"
-VERSION_FILE=$SHAREDIR/version
-REFRESHCHAINS=
-RECOVERING=
-export RECOVERING
+g_firewall=${VARDIR}/firewall

-for library in $LIBRARIES; do
-    if [ -f $library ]; then
-	. $library
-    else
-	echo "$library does not exist!" >&2
-	exit 2
-    fi
+for library in base cli; do
+    . ${SHAREDIR}/lib.$library
 done

-if [ -f $VERSION_FILE ]; then
-    version=$(cat $VERSION_FILE)
+version_file=$SHAREDIR/version
+if [ -f $version_file ]; then
+    SHOREWALL_VERSION=$(cat $version_file)
 else
    echo "   ERROR: Shorewall is not properly installed" >&2
-    echo "	 The file $VERSION_FILE does not exist"  >&2
+    echo "	 The file $version_file does not exist"  >&2
    exit 1
 fi

-banner="Shorewall-$version Status at $HOSTNAME -"
+banner="Shorewall-$SHOREWALL_VERSION Status at $g_hostname -"

 case $(echo -e) in
    -e*)
-	RING_BELL="echo \a"
-	ECHO_E="echo"
+	g_ring_bell="echo \a"
+	g_echo_e="echo"
 	;;
    *)
-	RING_BELL="echo -e \a"
-	ECHO_E="echo -e"
+	g_ring_bell="echo -e \a"
+	g_echo_e="echo -e"
 	;;
 esac

 case $(echo -n "Testing") in
    -n*)
-	ECHO_N=
+	g_echo_n=
 	;;
    *)
-	ECHO_N=-n
+	g_echo_n=-n
 	;;
 esac

@@ -1667,19 +1608,17 @@ case "$COMMAND" in
    stop|clear)
 	get_config
 	[ $# -ne 1 ] && usage 1
-	[ -x $FIREWALL ] || fatal_error "Shorewall has never been started"
-	export NOROUTES
+	[ -x $g_firewall ] || fatal_error "Shorewall has never been started"
 	mutex_on
-	$SHOREWALL_SHELL $FIREWALL $debugging $nolock $COMMAND
+	run_it $g_firewall $g_debugging $nolock $COMMAND
 	mutex_off
 	;;
    reset)
 	get_config
-	export NOROUTES
 	shift
 	mutex_on
-	[ -x $FIREWALL ] || fatal_error "Shorewall has never been started"
-	$SHOREWALL_SHELL $FIREWALL $debugging $nolock reset $@
+	[ -x $g_firewall ] || fatal_error "Shorewall has never been started"
+	run_it $g_firewall $g_debugging $nolock reset $@
 	mutex_off
 	;;
    compile)
@@ -1721,7 +1660,7 @@ case "$COMMAND" in
 	[ $# -eq 1 ] || usage 1
 	[ "$(id -u)" != 0 ] && fatal_error "ERROR: The status command may only be run by root"
 	get_config
-	echo "Shorewall-$version Status at $HOSTNAME - $(date)"
+	echo "Shorewall-$SHOREWALL_VERSION Status at $g_hostname - $(date)"
 	echo
 	if shorewall_is_started ; then
 	    echo "Shorewall is running"
@@ -1752,7 +1691,7 @@ case "$COMMAND" in
 	;;
    hits)
 	get_config Yes No Yes
-	[ -n "$debugging" ] && set -x
+	[ -n "$g_debugging" ] && set -x
 	shift
 	hits_command $@
 	;;
@@ -1767,16 +1706,16 @@ case "$COMMAND" in
 	;;
    logwatch)
 	get_config Yes Yes Yes
-	banner="Shorewall-$version Logwatch at $HOSTNAME -"
+	banner="Shorewall-$SHOREWALL_VERSION Logwatch at $g_hostname -"
 	logwatch_command $@
 	;;
    drop)
 	get_config
-	[ -n "$debugging" ] && set -x
+	[ -n "$g_debugging" ] && set -x
 	[ $# -eq 1 ] && usage 1
 	if shorewall_is_started ; then
 	    if ! chain_exists dynamic; then
-		echo "Dynamic blacklisting is not supported in the current $PRODUCT configuration"
+		echo "Dynamic blacklisting is not supported in the current $g_product configuration"
 		exit 2
 	    fi

@@ -1789,11 +1728,11 @@ case "$COMMAND" in
 	;;
    logdrop)
 	get_config
-	[ -n "$debugging" ] && set -x
+	[ -n "$g_debugging" ] && set -x
 	[ $# -eq 1 ] && usage 1
 	if shorewall_is_started ; then
 	    if ! chain_exists dynamic; then
-		echo "Dynamic blacklisting is not supported in the current $PRODUCT configuration"
+		echo "Dynamic blacklisting is not supported in the current $g_product configuration"
 		exit 2
 	    fi

@@ -1806,7 +1745,7 @@ case "$COMMAND" in
 	;;
    reject|logreject)
 	get_config
-	[ -n "$debugging" ] && set -x
+	[ -n "$g_debugging" ] && set -x
 	[ $# -eq 1 ] && usage 1
 	if shorewall_is_started ; then
 	    [ -n "$nolock" ] || mutex_on
@@ -1832,7 +1771,7 @@ case "$COMMAND" in
 	;;
    save)
 	get_config
-	[ -n "$debugging" ] && set -x
+	[ -n "$g_debugging" ] && set -x

 	case $# in
 	1)
@@ -1846,7 +1785,7 @@ case "$COMMAND" in
 	    ;;
 	esac

-	RESTOREPATH=${VARDIR}/$RESTOREFILE
+	g_restorepath=${VARDIR}/$RESTOREFILE

 	[ -n "$nolock" ] || mutex_on

@@ -1872,20 +1811,19 @@ case "$COMMAND" in
 	    ;;
 	esac

+	g_restorepath=${VARDIR}/$RESTOREFILE

-	RESTOREPATH=${VARDIR}/$RESTOREFILE
-
-	if [ -x $RESTOREPATH ]; then
-	    rm -f $RESTOREPATH
-	    rm -f ${RESTOREPATH}-iptables
-	    echo "    $RESTOREPATH removed"
-	elif [ -f $RESTOREPATH ]; then
-	    echo "   $RESTOREPATH exists and is not a saved Shorewall configuration"
+	if [ -x $g_restorepath ]; then
+	    rm -f $g_restorepath
+	    rm -f ${g_restorepath}-iptables
+	    echo "    $g_restorepath removed"
+	elif [ -f $g_restorepath ]; then
+	    echo "   $g_restorepath exists and is not a saved Shorewall configuration"
 	fi
 	rm -f ${VARDIR}/save
 	;;
    ipcalc)
-    	[ -n "$debugging" ] && set -x
+    	[ -n "$g_debugging" ] && set -x
 	if [ $# -eq 2 ]; then
 	    address=${2%/*}
 	    vlsm=${2#*/}
@@ -1910,7 +1848,7 @@ case "$COMMAND" in
 	;;

    iprange)
-	[ -n "$debugging" ] && set -x
+	[ -n "$g_debugging" ] && set -x
 	case $2 in
 	    *.*.*.*-*.*.*.*)
 		for address in ${2%-*} ${2#*-}; do
@@ -1925,7 +1863,7 @@ case "$COMMAND" in
 	esac
 	;;
    ipdecimal)
-	[ -n "$debugging" ] && set -x
+	[ -n "$g_debugging" ] && set -x
 	[ $# -eq 2 ] || usage 1
 	case $2 in
 	    *.*.*.*)
@@ -1944,7 +1882,7 @@ case "$COMMAND" in
        ;;
    call)
 	get_config
-	[ -n "$debugging" ] && set -x
+	[ -n "$g_debugging" ] && set -x
 	#
 	# Undocumented way to call functions in ${SHAREDIR}/functions directly
 	#
--- a/Shorewall/shorewall.spec
+++ b/Shorewall/shorewall.spec
@@ -1,6 +1,6 @@
 %define name shorewall
-%define version 4.4.7
-%define release 2
+%define version 4.4.8
+%define release 0base

 Summary: Shoreline Firewall is an iptables-based firewall for Linux systems.
 Name: %{name}
@@ -89,6 +89,7 @@ fi
 %attr(-   ,root,root) /usr/share/shorewall/functions
 %attr(0644,root,root) /usr/share/shorewall/lib.base
 %attr(0644,root,root) /usr/share/shorewall/lib.cli
+%attr(0644,root,root) /usr/share/shorewall/lib.common
 %attr(0644,root,root) /usr/share/shorewall/macro.*
 %attr(0644,root,root) /usr/share/shorewall/modules
 %attr(0644,root,root) /usr/share/shorewall/helpers
@@ -107,11 +108,17 @@ fi
 %doc COPYING INSTALL changelog.txt releasenotes.txt Contrib/* Samples 

 %changelog
-* Sun Feb 14 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.7-2
-* Sat Feb 13 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.7-1
+* Fri Mar 19 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.8-0base
+* Tue Mar 16 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.8-0RC2
+* Mon Mar 08 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.8-0RC1
+* Sun Feb 28 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.8-0Beta2
 * Thu Feb 11 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.8-0Beta1
+* Fri Feb 05 2010 Tom Eastep tom@shorewall.net
 - Updated to 4.4.7-0base
 * Tue Feb 02 2010 Tom Eastep tom@shorewall.net
 - Updated to 4.4.7-0RC2
--- a/Shorewall/uninstall.sh
+++ b/Shorewall/uninstall.sh
@@ -26,7 +26,7 @@
 #       You may only use this script to uninstall the version
 #       shown below. Simply run this script to remove Shorewall Firewall

-VERSION=4.4.7.2
+VERSION=4.4.8

 usage() # $1 = exit status
 {
@@ -108,6 +108,7 @@ rm -rf /usr/share/shorewall
 rm -rf /usr/share/shorewall-*.bkout
 rm -rf /usr/share/man/man5/shorewall*
 rm -rf /usr/share/man/man8/shorewall*
+rm -f  /etc/logrotate.d/shorewall

 echo "Shorewall Uninstalled"

--- a/Shorewall6-lite/README.txt
+++ b/Shorewall6-lite/README.txt
@@ -1 +1 @@
-This is the Shorewall6-lite development 4.3 branch of SVN.
+This is the Shorewall6-lite stable 4.4 branch of Git.
--- a/Shorewall6-lite/fallback.sh
+++ b/Shorewall6-lite/fallback.sh
@@ -28,7 +28,7 @@
 #       shown below. Simply run this script to revert to your prior version of
 #       Shoreline Firewall.

-VERSION=4.4.7.2
+VERSION=4.4.8

 usage() # $1 = exit status
 {
--- a/Shorewall6-lite/init.debian.sh
+++ b/Shorewall6-lite/init.debian.sh
@@ -2,8 +2,8 @@

 ### BEGIN INIT INFO
 # Provides:          shorewall6-lite
-# Required-Start:    $network
-# Required-Stop:     $network
+# Required-Start:    $network $remote_fs
+# Required-Stop:     $network $remote_fs
 # Default-Start:     S
 # Default-Stop:      0 6
 # Short-Description: Configure the firewall at boot time
@@ -42,6 +42,7 @@ echo_notdone () {
 	  echo "not done (check $INITLOG)."
  fi

+  exit 1
 }

 not_configured () {
--- a/Shorewall6-lite/install.sh
+++ b/Shorewall6-lite/install.sh
@@ -22,7 +22,7 @@
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #

-VERSION=4.4.7.2
+VERSION=4.4.8

 usage() # $1 = exit status
 {
--- a/Shorewall6-lite/shorecap
+++ b/Shorewall6-lite/shorecap
@@ -48,18 +48,19 @@
 SHAREDIR=/usr/share/shorewall6-lite
 VARDIR=/var/lib/shorewall6-lite
 CONFDIR=/etc/shorewall6-lite
-PRODUCT="Shorewall Lite"
+g_product="Shorewall Lite"

 . /usr/share/shorewall6-lite/lib.base
+. /usr/share/shorewall6-lite/lib.cli
 . /usr/share/shorewall6-lite/configpath

 [ -n "$PATH" ] || PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin

-VERSION=$(cat /usr/share/shorewall6-lite/version)
+SHOREWALL_VERSION=$(cat /usr/share/shorewall6-lite/version)

-[ -n "$IPTABLES" ] || IPTABLES=$(mywhich iptables)
+[ -n "$IP6TABLES" ] || IP6TABLES=$(mywhich iptables)

-VERBOSE=0
+VERBOSITY=0
 load_kernel_modules No
 determine_capabilities
 report_capabilities1
--- a/Shorewall6-lite/shorewall6-lite
+++ b/Shorewall6-lite/shorewall6-lite
@@ -117,8 +117,6 @@ get_config() {

    [ -n "$LOGFORMAT" ] || LOGFORMAT="Shorewall:"

-    export LOGFORMAT
-
    if [ -n "$IP6TABLES" ]; then
 	if [ ! -x "$IP6TABLES" ]; then
 	    echo "   ERROR: The program specified in IP6TABLES does not exist or is not executable" >&2
@@ -127,13 +125,11 @@ get_config() {
    else
 	IP6TABLES=$(mywhich ip6tables 2> /dev/null)
 	if [ -z "$IP6TABLES" ] ; then
-	    echo "   ERROR: Can't find iptables executable" >&2
+	    echo "   ERROR: Can't find ip6tables executable" >&2
 	    exit 2
 	fi
    fi

-    export IP6TABLES
-
    if [ -n "$SHOREWALL_SHELL" ]; then
 	if [ ! -x "$SHOREWALL_SHELL" ]; then
 	    echo "   WARNING: The program specified in SHOREWALL_SHELL does not exist or is not executable; falling back to /bin/sh" >&2
@@ -145,29 +141,33 @@ get_config() {

    validate_restorefile RESTOREFILE

-    export RESTOREFILE
-
    [ -n "${VERBOSITY:=2}" ]

-    [ -n "$USE_VERBOSITY" ] && VERBOSE=$USE_VERBOSITY || VERBOSE=$(($VERBOSE_OFFSET + $VERBOSITY))
+    [ -n "$g_use_verbosity" ] && VERBOSITY=$g_use_verbosity || VERBOSITY=$(($g_verbose_offset + $VERBOSITY))

-    export VERBOSE
+    g_hostname=$(hostname 2> /dev/null)

-    [ -n "${HOSTNAME:=$(hostname)}" ]
+    IP=$(mywhich ip 2> /dev/null)
+    if [ -z "$IP" ] ; then
+	echo "   ERROR: Can't find ip executable" >&2
+	exit 2
+    fi

+    IPSET=ipset
+    TC=tc
 }

 #
 # Verify that we have a compiled firewall script
 #
 verify_firewall_script() {
-    if [ ! -f $FIREWALL ]; then
+    if [ ! -f $g_firewall ]; then
 	echo "   ERROR: Shorewall6 Lite is not properly installed" >&2
-	if [ -L $FIREWALL ]; then
-	    echo "          $FIREWALL is a symbolic link to a" >&2
+	if [ -L $g_firewall ]; then
+	    echo "          $g_firewall is a symbolic link to a" >&2
 	    echo "          non-existant file" >&2
 	else
-	    echo "          The file $FIREWALL does not exist" >&2
+	    echo "          The file $g_firewall does not exist" >&2
 	fi
 	
 	exit 2
@@ -187,7 +187,7 @@ start_command() {
 	[ -n "$nolock" ] || mutex_on

 	if [ -x ${LITEDIR}/firewall ]; then
-	    ${LITEDIR}/firewall $debugging start
+	    run_it ${LITEDIR}/firewall $debugging start
 	    rc=$?
 	else
 	    error_message "${LITEDIR}/firewall is missing or is not executable"
@@ -219,12 +219,12 @@ start_command() {
 			    option=
 			    ;;
 			f*)
-			    FAST=Yes
+			    g_fast=Yes
 			    option=${option#f}
 			    ;;
 			p*)
 			    [ -n "$(which conntrack)" ] || fatal_error "The '-p' option requires the conntrack utility which does not appear to be installed on this system"
-			    PURGE=Yes
+			    g_purge=Yes
 			    option=${option%p}
 			    ;;
 			*)
@@ -244,40 +244,24 @@ start_command() {
 	0)
 	    ;;
 	*)
-	    usage 1
-	    ;;
+	    usage 1	    ;;
    esac

-    export NOROUTES
-
-    if [ -n "$FAST" ]; then
+    if [ -n "$g_fast" ]; then
 	if qt mywhich make; then
-	    #
-	    # RESTOREFILE is exported by get_config()
-	    #
-	    make -qf ${CONFDIR}/Makefile || FAST=
+	    export RESTOREFILE
+	    make -qf ${CONFDIR}/Makefile || g_fast=
 	fi

-	if [ -n "$FAST" ]; then
+	if [ -n "$g_fast" ]; then

-	    RESTOREPATH=${VARDIR}/$RESTOREFILE
-
-	    if [ -x $RESTOREPATH ]; then
-		if [ -x ${RESTOREPATH}-ipsets ]; then
-		    echo Restoring Ipsets...
-		    #
-		    # We must purge iptables to be sure that there are no
-		    # references to ipsets
-		    #
-		    iptables -F
-		    iptables -X
-		    $SHOREWALL_SHELL ${RESTOREPATH}-ipsets
-		fi
+	    g_restorepath=${VARDIR}/$RESTOREFILE

+	    if [ -x $g_restorepath ]; then
 		echo Restoring Shorewall6 Lite...
-		$SHOREWALL_SHELL $RESTOREPATH restore
+		run_it $g_restorepath restore
 		date > ${VARDIR}/restarted
-		progress_message3 Shorewall6 Lite restored from $RESTOREPATH
+		progress_message3 Shorewall6 Lite restored from $g_restorepath
 	    else
 		do_it
 	    fi
@@ -313,12 +297,12 @@ restart_command() {
 			    option=
 			    ;;
 			n*)
-			    NOROUTES=Yes
+			    g_noroutes=Yes
 			    option=${option#n}
 			    ;;
 			p*)
 			    [ -n "$(which conntrack)" ] || fatal_error "The '-p' option requires the conntrack utility which does not appear to be installed on this system"
-			    PURGE=Yes
+			    g_purge=Yes
 			    option=${option%p}
 			    ;;
 			*)
@@ -342,12 +326,10 @@ restart_command() {
 	    ;;
    esac

-    export NOROUTES
-
    [ -n "$nolock" ] || mutex_on

    if [ -x ${LITEDIR}/firewall ]; then
-	$SHOREWALL_SHELL ${LITEDIR}/firewall $debugging restart
+	run_it ${LITEDIR}/firewall $debugging restart
 	rc=$?
    else
 	error_message "${LITEDIR}/firewall is missing or is not executable"
@@ -408,16 +390,14 @@ if [ $# -gt 0 ] && [ "$1" = "nolock" ]; then
    shift
 fi

-IPT_OPTIONS="-nv"
-FAST=
-VERBOSE_OFFSET=0
-USE_VERBOSITY=
-NOROUTES=
-EXPORT=
-export TIMESTAMP=
-RECOVERING=
-export RECOVERING
-noroutes=
+g_ipt_options="-nv"
+g_fast=
+g_verbose_offset=0
+g_use_verbosity=
+g_noroutes=
+g_timestamp=
+g_recovering=
+g_purge=

 finished=0

@@ -436,48 +416,48 @@ while [ $finished -eq 0 ]; do
 	    while [ -n "$option" ]; do
 		case $option in
 		    x*)
-			IPT_OPTIONS="-xnv"
+			g_ipt_options="-xnv"
 			option=${option#x}
 			;;
 		    q*)
-			VERBOSE_OFFSET=$(($VERBOSE_OFFSET - 1 ))
+			g_verbose_offset=$(($g_verbose_offset - 1 ))
 			option=${option#q}
 			;;
 		    f*)
-			FAST=Yes
+			g_fast=Yes
 			option=${option#f}
 			;;
 		    v*)
 			option=${option#v}
 			case $option in 
 			    -1*)
-				USE_VERBOSITY=-1
+				g_use_verbosity=-1
 				option=${option#-1}
 				;;
 			    0*)
-				USE_VERBOSITY=0
+				g_use_verbosity=0
 				option=${option#0}
 				;;
 			    1*)
-				USE_VERBOSITY=1
+				g_use_verbosity=1
 				option=${option#1}
 				;;
 			    2*)
-				USE_VERBOSITY=2
+				g_use_verbosity=2
 				option=${option#2}
 				;;
 			    *)
-				VERBOSE_OFFSET=$(($VERBOSE_OFFSET + 1 ))
-				USE_VERBOSITY=
+				g_verbose_offset=$(($g_verbose_offset + 1 ))
+				g_use_verbosity=
 				;;
 			esac
 			;;
 		    n*)
-			NOROUTES=Yes
+			g_noroutes=Yes
 			option=${option#n}
 			;;
 		    t*)
-			TIMESTAMP=Yes
+			g_timestamp=Yes
 			option=${option#t}
 			;;
 		    -)
@@ -502,12 +482,11 @@ if [ $# -eq 0 ]; then
 fi

 PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
-export PATH
 MUTEX_TIMEOUT=

 SHAREDIR=/usr/share/shorewall6-lite
 CONFDIR=/etc/shorewall6-lite
-export PRODUCT="Shorewall6 Lite"
+g_product="Shorewall6 Lite"

 [ -f ${CONFDIR}/vardir ] && . ${CONFDIR}/vardir ]

@@ -515,17 +494,10 @@ export PRODUCT="Shorewall6 Lite"

 [ -d $VARDIR ] || mkdir -p $VARDIR || fatal_error "Unable to create $VARDIR"

-LIBRARIES="$SHAREDIR/lib.base $SHAREDIR/lib.cli"
-VERSION_FILE=$SHAREDIR/version
-HELP=$SHAREDIR/help
+version_file=$SHAREDIR/version

-for library in $LIBRARIES; do
-    if [ -f $library ]; then
-	. $library
-    else
-	echo "Installation error: $library does not exist!" >&2
-	exit 2
-    fi
+for library in base cli; do
+    . ${SHAREDIR}/lib.$library
 done

 ensure_config_path
@@ -545,7 +517,6 @@ else
 fi

 ensure_config_path
-export CONFIG_PATH

 LITEDIR=${VARDIR}

@@ -553,17 +524,17 @@ LITEDIR=${VARDIR}

 get_config

-FIREWALL=$LITEDIR/firewall
+g_firewall=$LITEDIR/firewall

-if [ -f $VERSION_FILE ]; then
-    version=$(cat $VERSION_FILE)
+if [ -f $version_file ]; then
+    SHOREWALL_VERSION=$(cat $version_file)
 else
    echo "   ERROR: Shorewall6 Lite is not properly installed" >&2
-    echo "          The file $VERSION_FILE does not exist" >&2
+    echo "          The file $SHOREWALL_VERSION_FILE does not exist" >&2
    exit 1
 fi

-banner="Shorewall6 Lite $version Status at $HOSTNAME -"
+banner="Shorewall6 Lite $SHOREWALL_VERSION Status at $g_hostname -"

 case $(echo -e) in
    -e*)
@@ -595,8 +566,7 @@ case "$COMMAND" in
    stop|reset|clear)
 	[ $# -ne 1 ] && usage 1
 	verify_firewall_script
-	export NOROUTES
-	exec $SHOREWALL_SHELL $FIREWALL $debugging $nolock $COMMAND
+	run_it $g_firewall $debugging $nolock $COMMAND
 	;;
    restart)
 	shift
@@ -609,7 +579,7 @@ case "$COMMAND" in
    status)
 	[ $# -eq 1 ] || usage 1
 	[ "$(id -u)" != 0 ] && fatal_error "ERROR: The status command may only be run by root"
-	echo "Shorewall6 Lite $version Status at $HOSTNAME - $(date)"
+	echo "Shorewall6 Lite $SHOREWALL_VERSION Status at $g_hostname - $(date)"
 	echo
 	if shorewall6_is_started ; then
 	    echo "Shorewall6 Lite is running"
@@ -643,7 +613,7 @@ case "$COMMAND" in
 	hits_command $@
 	;;
    version)
-	echo $version Lite
+	echo $SHOREWALL_VERSION Lite
 	;;
    logwatch)
 	logwatch_command $@
@@ -702,7 +672,7 @@ case "$COMMAND" in
 	    ;;
 	esac

-	RESTOREPATH=${VARDIR}/$RESTOREFILE
+	g_restorepath=${VARDIR}/$RESTOREFILE

 	[ "$nolock" ] || mutex_on

@@ -724,20 +694,20 @@ case "$COMMAND" in
 	esac


-	RESTOREPATH=${VARDIR}/$RESTOREFILE
+	g_restorepath=${VARDIR}/$RESTOREFILE

-	if [ -x $RESTOREPATH ]; then
+	if [ -x $g_restorepath ]; then

-	    if [ -x ${RESTOREPATH}-ipsets ]; then
-		rm -f ${RESTOREPATH}-ipsets
-		echo "    ${RESTOREPATH}-ipsets removed"
+	    if [ -x ${g_restorepath}-ipsets ]; then
+		rm -f ${g_restorepath}-ipsets
+		echo "    ${g_restorepath}-ipsets removed"
 	    fi

-	    rm -f $RESTOREPATH
-	    rm -f ${RESTOREPATH}-iptables
-	    echo "    $RESTOREPATH removed"
-	elif [ -f $RESTOREPATH ]; then
-	    echo "   $RESTOREPATH exists and is not a saved Shorewall6 configuration"
+	    rm -f $g_restorepath
+	    rm -f ${g_restorepath}-iptables
+	    echo "    $g_restorepath removed"
+	elif [ -f $g_restorepath ]; then
+	    echo "   $g_restorepath exists and is not a saved Shorewall6 configuration"
 	fi
 	rm -f ${VARDIR}/save
 	;;
--- a/Shorewall6-lite/shorewall6-lite.spec
+++ b/Shorewall6-lite/shorewall6-lite.spec
@@ -1,6 +1,6 @@
 %define name shorewall6-lite
-%define version 4.4.7
-%define release 2
+%define version 4.4.8
+%define release 0base

 Summary: Shoreline Firewall 6 Lite is an ip6tables-based firewall for Linux systems.
 Name: %{name}
@@ -79,6 +79,7 @@ fi
 %attr(-   ,root,root) /usr/share/shorewall6-lite/functions
 %attr(0644,root,root) /usr/share/shorewall6-lite/lib.base
 %attr(0644,root,root) /usr/share/shorewall6-lite/lib.cli
+%attr(0644,root,root) /usr/share/shorewall6-lite/lib.common
 %attr(0644,root,root) /usr/share/shorewall6-lite/modules
 %attr(0544,root,root) /usr/share/shorewall6-lite/shorecap
 %attr(0755,root,root) /usr/share/shorewall6-lite/wait4ifup
@@ -91,11 +92,17 @@ fi
 %doc COPYING changelog.txt releasenotes.txt

 %changelog
-* Sun Feb 14 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.7-2
-* Sat Feb 13 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.7-1
+* Fri Mar 19 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.8-0base
+* Tue Mar 16 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.8-0RC2
+* Mon Mar 08 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.8-0RC1
+* Sun Feb 28 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.8-0Beta2
 * Thu Feb 11 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.8-0Beta1
+* Fri Feb 05 2010 Tom Eastep tom@shorewall.net
 - Updated to 4.4.7-0base
 * Tue Feb 02 2010 Tom Eastep tom@shorewall.net
 - Updated to 4.4.7-0RC2
--- a/Shorewall6-lite/uninstall.sh
+++ b/Shorewall6-lite/uninstall.sh
@@ -26,7 +26,7 @@
 #       You may only use this script to uninstall the version
 #       shown below. Simply run this script to remove Shorewall Firewall

-VERSION=4.4.7.2
+VERSION=4.4.8

 usage() # $1 = exit status
 {
@@ -94,6 +94,7 @@ rm -rf /var/lib/shorewall6-lite
 rm -rf /var/lib/shorewall6-lite-*.bkout
 rm -rf /usr/share/shorewall6-lite
 rm -rf /usr/share/shorewall6-lite-*.bkout
+rm -f  /etc/logrotate.d/shorewall6-lite

 echo "Shorewall6 Lite Uninstalled"

--- a/Shorewall6/README.txt
+++ b/Shorewall6/README.txt
@@ -1 +1 @@
-This is the Shorewall6 development 4.3 branch of SVN.
+This is the Shorewall6 stable 4.4 branch of Git.
--- a/Shorewall6/fallback.sh
+++ b/Shorewall6/fallback.sh
@@ -28,7 +28,7 @@
 #       shown below. Simply run this script to revert to your prior version of
 #       Shoreline Firewall.

-VERSION=4.4.7.2
+VERSION=4.4.8

 usage() # $1 = exit status
 {
--- a/Shorewall6/init.debian.sh
+++ b/Shorewall6/init.debian.sh
@@ -1,8 +1,8 @@
 #!/bin/sh
 ### BEGIN INIT INFO
 # Provides:          shorewall6
-# Required-Start:    $network
-# Required-Stop:     $network
+# Required-Start:    $network $remote_fs
+# Required-Stop:     $network $remote_fs
 # Default-Start:     S
 # Default-Stop:      0 6
 # Short-Description: Configure the firewall at boot time
@@ -38,6 +38,7 @@ echo_notdone () {
 	  echo "not done (check $INITLOG)."
  fi

+  exit 1
 }

 not_configured () {
--- a/Shorewall6/install.sh
+++ b/Shorewall6/install.sh
@@ -22,7 +22,7 @@
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #

-VERSION=4.4.7.2
+VERSION=4.4.8

 usage() # $1 = exit status
 {
@@ -110,6 +110,7 @@ fi
 DEBIAN=
 CYGWIN=
 MANDIR=${MANDIR:-"/usr/share/man"}
+SPARSE=

 case $(uname) in
    CYGWIN*)
@@ -121,6 +122,7 @@ case $(uname) in
 	OWNER=$(id -un)
 	GROUP=$(id -gn)
 	CYGWIN=Yes
+	SPARSE=Yes
 	;;
    *)
 	[ -z "$OWNER" ] && OWNER=root
@@ -139,6 +141,9 @@ while [ $# -gt 0 ] ; do
 	    echo "Shorewall6 Firewall Installer Version $VERSION"
 	    exit 0
 	    ;;
+	-s)
+	    SPARSE=Yes
+	    ;;
 	*)
 	    usage 1
 	    ;;
@@ -168,14 +173,20 @@ if [ -n "$PREFIX" ]; then
 else
    [ -x /usr/share/shorewall/compiler.pl ] || \
 	{ echo "   ERROR: Shorewall >= 4.3.5 is not installed" >&2; exit 1; }
-    if [ -z "$CYGWIN" ]; then
+    if [ -n "$CYGWIN" ]; then
+	echo "Installing Cygwin-specific configuration..."
+    else
 	if [ -d /etc/apt -a -e /usr/bin/dpkg ]; then
+	    echo "Installing Debian-specific configuration..."
 	    DEBIAN=yes
+	    SPARSE=yes
 	elif [ -f /etc/slackware-version ] ; then
+	    echo "Installing Slackware-specific configuration..."
 	    DEST="/etc/rc.d"
 		SLACKWARE=yes
 	    INIT="rc.firewall"
 	elif [ -f /etc/arch-release ] ; then
+	    echo "Installing ArchLinux-specific configuration..."
 	    DEST="/etc/rc.d"
 	    INIT="shorewall6"
 	    ARCHLINUX=yes
@@ -261,7 +272,7 @@ fi
 #
 run_install $OWNERSHIP -m 0644 zones ${PREFIX}/usr/share/shorewall6/configfiles/zones

-if [ -z "$CYGWIN" -a ! -f ${PREFIX}/etc/shorewall6/zones ]; then
+if [ -z "$SPARSE" -a ! -f ${PREFIX}/etc/shorewall6/zones ]; then
    run_install $OWNERSHIP -m 0744 zones ${PREFIX}/etc/shorewall6/zones
    echo "Zones file installed as ${PREFIX}/etc/shorewall6/zones"
 fi
@@ -294,7 +305,7 @@ echo "wait4ifup installed in ${PREFIX}/usr/share/shorewall6/wait4ifup"
 #
 run_install $OWNERSHIP -m 0644 policy ${PREFIX}/usr/share/shorewall6/configfiles/policy

-if [ -z "$CYGWIN" -a ! -f ${PREFIX}/etc/shorewall6/policy ]; then
+if [ -z "$SPARSE" -a ! -f ${PREFIX}/etc/shorewall6/policy ]; then
    run_install $OWNERSHIP -m 0600 policy ${PREFIX}/etc/shorewall6/policy
    echo "Policy file installed as ${PREFIX}/etc/shorewall6/policy"
 fi
@@ -303,7 +314,7 @@ fi
 #
 run_install $OWNERSHIP -m 0644 interfaces ${PREFIX}/usr/share/shorewall6/configfiles/interfaces

-if [ -z "$CYGWIN" -a ! -f ${PREFIX}/etc/shorewall6/interfaces ]; then
+if [ -z "$SPARSE" -a ! -f ${PREFIX}/etc/shorewall6/interfaces ]; then
    run_install $OWNERSHIP -m 0600 interfaces ${PREFIX}/etc/shorewall6/interfaces
    echo "Interfaces file installed as ${PREFIX}/etc/shorewall6/interfaces"
 fi
@@ -313,7 +324,7 @@ fi
 #
 run_install $OWNERSHIP -m 0644 hosts ${PREFIX}/usr/share/shorewall6/configfiles/hosts

-if [ -z "$CYGWIN" -a ! -f ${PREFIX}/etc/shorewall6/hosts ]; then
+if [ -z "$SPARSE" -a ! -f ${PREFIX}/etc/shorewall6/hosts ]; then
    run_install $OWNERSHIP -m 0600 hosts ${PREFIX}/etc/shorewall6/hosts
    echo "Hosts file installed as ${PREFIX}/etc/shorewall6/hosts"
 fi
@@ -322,7 +333,7 @@ fi
 #
 run_install $OWNERSHIP -m 0644 rules ${PREFIX}/usr/share/shorewall6/configfiles/rules

-if [ -z "$CYGWIN" -a ! -f ${PREFIX}/etc/shorewall6/rules ]; then
+if [ -z "$SPARSE" -a ! -f ${PREFIX}/etc/shorewall6/rules ]; then
    run_install $OWNERSHIP -m 0600 rules ${PREFIX}/etc/shorewall6/rules
    echo "Rules file installed as ${PREFIX}/etc/shorewall6/rules"
 fi
@@ -342,7 +353,7 @@ fi
 #
 run_install $OWNERSHIP -m 0644 routestopped ${PREFIX}/usr/share/shorewall6/configfiles/routestopped

-if [ -z "$CYGWIN" -a ! -f ${PREFIX}/etc/shorewall6/routestopped ]; then
+if [ -z "$SPARSE" -a ! -f ${PREFIX}/etc/shorewall6/routestopped ]; then
    run_install $OWNERSHIP -m 0600 routestopped ${PREFIX}/etc/shorewall6/routestopped
    echo "Stopped Routing file installed as ${PREFIX}/etc/shorewall6/routestopped"
 fi
@@ -351,7 +362,7 @@ fi
 #
 run_install $OWNERSHIP -m 0644 maclist ${PREFIX}/usr/share/shorewall6/configfiles/maclist

-if [ -z "$CYGWIN" -a ! -f ${PREFIX}/etc/shorewall6/maclist ]; then
+if [ -z "$SPARSE" -a ! -f ${PREFIX}/etc/shorewall6/maclist ]; then
    run_install $OWNERSHIP -m 0600 maclist ${PREFIX}/etc/shorewall6/maclist
    echo "MAC list file installed as ${PREFIX}/etc/shorewall6/maclist"
 fi
@@ -372,7 +383,7 @@ echo "Helper modules file installed as ${PREFIX}/usr/share/shorewall6/helpers"
 #
 run_install $OWNERSHIP -m 0644 tcrules ${PREFIX}/usr/share/shorewall6/configfiles/tcrules

-if [ -z "$CYGWIN" -a ! -f ${PREFIX}/etc/shorewall6/tcrules ]; then
+if [ -z "$SPARSE" -a ! -f ${PREFIX}/etc/shorewall6/tcrules ]; then
    run_install $OWNERSHIP -m 0600 tcrules ${PREFIX}/etc/shorewall6/tcrules
    echo "TC Rules file installed as ${PREFIX}/etc/shorewall6/tcrules"
 fi
@@ -382,7 +393,7 @@ fi
 #
 run_install $OWNERSHIP -m 0644 tcinterfaces ${PREFIX}/usr/share/shorewall6/configfiles/tcinterfaces

-if [ -z "$CYGWIN" -a ! -f ${PREFIX}/etc/shorewall6/tcinterfaces ]; then
+if [ -z "$SPARSE" -a ! -f ${PREFIX}/etc/shorewall6/tcinterfaces ]; then
    run_install $OWNERSHIP -m 0600 tcinterfaces ${PREFIX}/etc/shorewall6/tcinterfaces
    echo "TC Interfaces file installed as ${PREFIX}/etc/shorewall6/tcinterfaces"
 fi
@@ -392,7 +403,7 @@ fi
 #
 run_install $OWNERSHIP -m 0644 tcpri ${PREFIX}/usr/share/shorewall6/configfiles/tcpri

-if [ -z "$CYGWIN" -a ! -f ${PREFIX}/etc/shorewall6/tcpri ]; then
+if [ -z "$SPARSE" -a ! -f ${PREFIX}/etc/shorewall6/tcpri ]; then
    run_install $OWNERSHIP -m 0600 tcpri ${PREFIX}/etc/shorewall6/tcpri
    echo "TC Priority file installed as ${PREFIX}/etc/shorewall6/tcpri"
 fi
@@ -402,7 +413,7 @@ fi
 #
 run_install $OWNERSHIP -m 0644 tos ${PREFIX}/usr/share/shorewall6/configfiles/tos

-if [ -z "$CYGWIN" -a ! -f ${PREFIX}/etc/shorewall6/tos ]; then
+if [ -z "$SPARSE" -a ! -f ${PREFIX}/etc/shorewall6/tos ]; then
    run_install $OWNERSHIP -m 0600 tos ${PREFIX}/etc/shorewall6/tos
    echo "TOS file installed as ${PREFIX}/etc/shorewall6/tos"
 fi
@@ -411,7 +422,7 @@ fi
 #
 run_install $OWNERSHIP -m 0644 tunnels ${PREFIX}/usr/share/shorewall6/configfiles/tunnels

-if [ -z "$CYGWIN" -a ! -f ${PREFIX}/etc/shorewall6/tunnels ]; then
+if [ -z "$SPARSE" -a ! -f ${PREFIX}/etc/shorewall6/tunnels ]; then
    run_install $OWNERSHIP -m 0600 tunnels ${PREFIX}/etc/shorewall6/tunnels
    echo "Tunnels file installed as ${PREFIX}/etc/shorewall6/tunnels"
 fi
@@ -420,7 +431,7 @@ fi
 #
 run_install $OWNERSHIP -m 0644 blacklist ${PREFIX}/usr/share/shorewall6/configfiles/blacklist

-if [ -z "$CYGWIN" -a ! -f ${PREFIX}/etc/shorewall6/blacklist ]; then
+if [ -z "$SPARSE" -a ! -f ${PREFIX}/etc/shorewall6/blacklist ]; then
    run_install $OWNERSHIP -m 0600 blacklist ${PREFIX}/etc/shorewall6/blacklist
    echo "Blacklist file installed as ${PREFIX}/etc/shorewall6/blacklist"
 fi
@@ -429,7 +440,7 @@ fi
 #
 run_install $OWNERSHIP -m 0644 providers ${PREFIX}/usr/share/shorewall6/configfiles/providers

-if [ -z "$CYGWIN" -a ! -f ${PREFIX}/etc/shorewall6/providers ]; then
+if [ -z "$SPARSE" -a ! -f ${PREFIX}/etc/shorewall6/providers ]; then
    run_install $OWNERSHIP -m 0600 providers ${PREFIX}/etc/shorewall6/providers
    echo "Providers file installed as ${PREFIX}/etc/shorewall6/providers"
 fi
@@ -439,7 +450,7 @@ fi
 #
 run_install $OWNERSHIP -m 0644 route_rules ${PREFIX}/usr/share/shorewall6/configfiles/route_rules

-if [ -z "$CYGWIN" -a ! -f ${PREFIX}/etc/shorewall6/route_rules ]; then
+if [ -z "$SPARSE" -a ! -f ${PREFIX}/etc/shorewall6/route_rules ]; then
    run_install $OWNERSHIP -m 0600 route_rules ${PREFIX}/etc/shorewall6/route_rules
    echo "Routing rules file installed as ${PREFIX}/etc/shorewall6/route_rules"
 fi
@@ -449,7 +460,7 @@ fi
 #
 run_install $OWNERSHIP -m 0644 tcclasses ${PREFIX}/usr/share/shorewall6/configfiles/tcclasses

-if [ -z "$CYGWIN" -a ! -f ${PREFIX}/etc/shorewall6/tcclasses ]; then
+if [ -z "$SPARSE" -a ! -f ${PREFIX}/etc/shorewall6/tcclasses ]; then
    run_install $OWNERSHIP -m 0600 tcclasses ${PREFIX}/etc/shorewall6/tcclasses
    echo "TC Classes file installed as ${PREFIX}/etc/shorewall6/tcclasses"
 fi
@@ -459,7 +470,7 @@ fi
 #
 run_install $OWNERSHIP -m 0644 tcdevices ${PREFIX}/usr/share/shorewall6/configfiles/tcdevices

-if [ -z "$CYGWIN" -a ! -f ${PREFIX}/etc/shorewall6/tcdevices ]; then
+if [ -z "$SPARSE" -a ! -f ${PREFIX}/etc/shorewall6/tcdevices ]; then
    run_install $OWNERSHIP -m 0600 tcdevices ${PREFIX}/etc/shorewall6/tcdevices
    echo "TC Devices file installed as ${PREFIX}/etc/shorewall6/tcdevices"
 fi
@@ -469,7 +480,7 @@ fi
 #
 run_install $OWNERSHIP -m 0644 notrack ${PREFIX}/usr/share/shorewall6/configfiles/notrack

-if [ -z "$CYGWIN" -a ! -f ${PREFIX}/etc/shorewall6/notrack ]; then
+if [ -z "$SPARSE" -a ! -f ${PREFIX}/etc/shorewall6/notrack ]; then
    run_install $OWNERSHIP -m 0600 notrack ${PREFIX}/etc/shorewall6/notrack
    echo "Notrack file installed as ${PREFIX}/etc/shorewall6/notrack"
 fi
@@ -483,7 +494,7 @@ echo "Default config path file installed as ${PREFIX}/usr/share/shorewall6/confi
 #
 run_install $OWNERSHIP -m 0644 init ${PREFIX}/usr/share/shorewall6/configfiles/init

-if [ -z "$CYGWIN" -a ! -f ${PREFIX}/etc/shorewall6/init ]; then
+if [ -z "$SPARSE" -a ! -f ${PREFIX}/etc/shorewall6/init ]; then
    run_install $OWNERSHIP -m 0600 init ${PREFIX}/etc/shorewall6/init
    echo "Init file installed as ${PREFIX}/etc/shorewall6/init"
 fi
@@ -492,7 +503,7 @@ fi
 #
 run_install $OWNERSHIP -m 0644 start ${PREFIX}/usr/share/shorewall6/configfiles/start

-if [ -z "$CYGWIN" -a ! -f ${PREFIX}/etc/shorewall6/start ]; then
+if [ -z "$SPARSE" -a ! -f ${PREFIX}/etc/shorewall6/start ]; then
    run_install $OWNERSHIP -m 0600 start ${PREFIX}/etc/shorewall6/start
    echo "Start file installed as ${PREFIX}/etc/shorewall6/start"
 fi
@@ -501,7 +512,7 @@ fi
 #
 run_install $OWNERSHIP -m 0644 stop ${PREFIX}/usr/share/shorewall6/configfiles/stop

-if [ -z "$CYGWIN" -a ! -f ${PREFIX}/etc/shorewall6/stop ]; then
+if [ -z "$SPARSE" -a ! -f ${PREFIX}/etc/shorewall6/stop ]; then
    run_install $OWNERSHIP -m 0600 stop ${PREFIX}/etc/shorewall6/stop
    echo "Stop file installed as ${PREFIX}/etc/shorewall6/stop"
 fi
@@ -510,7 +521,7 @@ fi
 #
 run_install $OWNERSHIP -m 0644 stopped ${PREFIX}/usr/share/shorewall6/configfiles/stopped

-if [ -z "$CYGWIN" -a ! -f ${PREFIX}/etc/shorewall6/stopped ]; then
+if [ -z "$SPARSE" -a ! -f ${PREFIX}/etc/shorewall6/stopped ]; then
    run_install $OWNERSHIP -m 0600 stopped ${PREFIX}/etc/shorewall6/stopped
    echo "Stopped file installed as ${PREFIX}/etc/shorewall6/stopped"
 fi
@@ -519,7 +530,7 @@ fi
 #
 run_install $OWNERSHIP -m 0644 accounting ${PREFIX}/usr/share/shorewall6/configfiles/accounting

-if [ -z "$CYGWIN" -a ! -f ${PREFIX}/etc/shorewall6/accounting ]; then
+if [ -z "$SPARSE" -a ! -f ${PREFIX}/etc/shorewall6/accounting ]; then
    run_install $OWNERSHIP -m 0600 accounting ${PREFIX}/etc/shorewall6/accounting
    echo "Accounting file installed as ${PREFIX}/etc/shorewall6/accounting"
 fi
@@ -528,7 +539,7 @@ fi
 #
 run_install $OWNERSHIP -m 0644 started ${PREFIX}/usr/share/shorewall6/configfiles/started

-if [ -z "$CYGWIN" -a ! -f ${PREFIX}/etc/shorewall6/started ]; then
+if [ -z "$SPARSE" -a ! -f ${PREFIX}/etc/shorewall6/started ]; then
    run_install $OWNERSHIP -m 0600 started ${PREFIX}/etc/shorewall6/started
    echo "Started file installed as ${PREFIX}/etc/shorewall6/started"
 fi
@@ -537,7 +548,7 @@ fi
 #
 run_install $OWNERSHIP -m 0644 restored ${PREFIX}/usr/share/shorewall6/configfiles/restored

-if [ -z "$CYGWIN" -a ! -f ${PREFIX}/etc/shorewall6/restored ]; then
+if [ -z "$SPARSE" -a ! -f ${PREFIX}/etc/shorewall6/restored ]; then
    run_install $OWNERSHIP -m 0600 restored ${PREFIX}/etc/shorewall6/restored
    echo "Restored file installed as ${PREFIX}/etc/shorewall6/restored"
 fi
@@ -546,7 +557,7 @@ fi
 #
 run_install $OWNERSHIP -m 0644 clear ${PREFIX}/usr/share/shorewall6/configfiles/clear

-if [ -z "$CYGWIN" -a ! -f ${PREFIX}/etc/shorewall6/clear ]; then
+if [ -z "$SPARSE" -a ! -f ${PREFIX}/etc/shorewall6/clear ]; then
    run_install $OWNERSHIP -m 0600 clear ${PREFIX}/etc/shorewall6/clear
    echo "Clear file installed as ${PREFIX}/etc/shorewall6/clear"
 fi
@@ -555,7 +566,7 @@ fi
 #
 run_install $OWNERSHIP -m 0644 isusable ${PREFIX}/usr/share/shorewall6/configfiles/isusable

-if [ -z "$CYGWIN" -a ! -f ${PREFIX}/etc/shorewall6/isusable ]; then
+if [ -z "$SPARSE" -a ! -f ${PREFIX}/etc/shorewall6/isusable ]; then
    run_install $OWNERSHIP -m 0600 isusable ${PREFIX}/etc/shorewall6/isusable
    echo "Isusable file installed as ${PREFIX}/etc/shorewall/isusable"
 fi
@@ -564,7 +575,7 @@ fi
 #
 run_install $OWNERSHIP -m 0644 refresh ${PREFIX}/usr/share/shorewall6/configfiles/refresh

-if [ -z "$CYGWIN" -a ! -f ${PREFIX}/etc/shorewall6/refresh ]; then
+if [ -z "$SPARSE" -a ! -f ${PREFIX}/etc/shorewall6/refresh ]; then
    run_install $OWNERSHIP -m 0600 refresh ${PREFIX}/etc/shorewall6/refresh
    echo "Refresh file installed as ${PREFIX}/etc/shorewall6/refresh"
 fi
@@ -573,7 +584,7 @@ fi
 #
 run_install $OWNERSHIP -m 0644 refreshed ${PREFIX}/usr/share/shorewall6/configfiles/refreshed

-if [ -z "$CYGWIN" -a ! -f ${PREFIX}/etc/shorewall6/refreshed ]; then
+if [ -z "$SPARSE" -a ! -f ${PREFIX}/etc/shorewall6/refreshed ]; then
    run_install $OWNERSHIP -m 0600 refreshed ${PREFIX}/etc/shorewall6/refreshed
    echo "Refreshed file installed as ${PREFIX}/etc/shorewall6/refreshed"
 fi
@@ -582,7 +593,7 @@ fi
 #
 run_install $OWNERSHIP -m 0644 tcclear ${PREFIX}/usr/share/shorewall6/configfiles/tcclear

-if [ -z "$CYGWIN" -a ! -f ${PREFIX}/etc/shorewall6/tcclear ]; then
+if [ -z "$SPARSE" -a ! -f ${PREFIX}/etc/shorewall6/tcclear ]; then
    run_install $OWNERSHIP -m 0600 tcclear ${PREFIX}/etc/shorewall6/tcclear
    echo "Tcclear file installed as ${PREFIX}/etc/shorewall6/tcclear"
 fi
@@ -597,7 +608,7 @@ echo "Standard actions file installed as ${PREFIX}/usr/shared/shorewall6/actions
 #
 run_install $OWNERSHIP -m 0644 actions ${PREFIX}/usr/share/shorewall6/configfiles/actions

-if [ -z "$CYGWIN" -a ! -f ${PREFIX}/etc/shorewall6/actions ]; then
+if [ -z "$SPARSE" -a ! -f ${PREFIX}/etc/shorewall6/actions ]; then
    run_install $OWNERSHIP -m 0644 actions ${PREFIX}/etc/shorewall6/actions
    echo "Actions file installed as ${PREFIX}/etc/shorewall6/actions"
 fi
@@ -607,7 +618,7 @@ fi
 #
 run_install $OWNERSHIP -m 0644 Makefile-lite ${PREFIX}/usr/share/shorewall6/configfiles/Makefile

-if [ -z "$CYGWIN" ]; then
+if [ -z "$SPARSE" ]; then
    run_install $OWNERSHIP -m 0600 Makefile ${PREFIX}/etc/shorewall6/Makefile
    echo "Makefile installed as ${PREFIX}/etc/shorewall6/Makefile"
 fi
@@ -686,7 +697,7 @@ if [ -z "$PREFIX" -a -n "$first_install" -a -z "$CYGWIN" ]; then
 	echo "shorewall6 will start automatically at boot"
 	echo "Set startup=1 in /etc/default/shorewall6 to enable"
 	touch /var/log/shorewall6-init.log
-	qt mywhich perl && perl -p -w -i -e 's/^STARTUP_ENABLED=No/STARTUP_ENABLED=Yes/;s/^IP_FORWARDING=On/IP_FORWARDING=Keep/;s/^SUBSYSLOCK=.*/SUBSYSLOCK=/;' /etc/shorewall6/shorewall6.conf
+	perl -p -w -i -e 's/^STARTUP_ENABLED=No/STARTUP_ENABLED=Yes/;s/^IP_FORWARDING=On/IP_FORWARDING=Keep/;s/^SUBSYSLOCK=.*/SUBSYSLOCK=/;' /etc/shorewall6/shorewall6.conf
    else
 	if [ -x /sbin/insserv -o -x /usr/sbin/insserv ]; then
 	    if insserv /etc/init.d/shorewall6 ; then
--- a/Shorewall6/lib.base
+++ b/Shorewall6/lib.base
--- a/Shorewall6/lib.cli
+++ b/Shorewall6/lib.cli
@@ -34,6 +34,7 @@ fatal_error() # $@ = Message
    exit 2
 }

+#
 # Display a chain if it exists
 #

@@ -132,10 +133,10 @@ syslog_circular_buffer() {
 #
 packet_log() # $1 = number of messages
 {
-    if [ -n "$SHOWMACS" -o $VERBOSE -gt 2 ]; then
-	$LOGREAD | grep 'IN=.* OUT=.*SRC=.*:.*DST=' | head -n$1 | tac | sed 's/ kernel://; s/\[.*\] //' | sed s/" $host $LOGFORMAT"/" "/
+    if [ -n "$g_showmacs" -o $VERBOSITY -gt 2 ]; then
+	$g_logread | grep 'IN=.* OUT=.*SRC=.*:.*DST=' | head -n$1 | tac | sed 's/ kernel://; s/\[.*\] //' | sed s/" $host $LOGFORMAT"/" "/
    else
-	$LOGREAD | grep 'IN=.* OUT=.*SRC=.*:.*DST=' |  head -n$1 | tac | sed 's/ kernel://; s/MAC=.* SRC=/SRC=/; s/\[.*\] '// | sed s/" $host $LOGFORMAT"/" "/
+	$g_logread | grep 'IN=.* OUT=.*SRC=.*:.*DST=' |  head -n$1 | tac | sed 's/ kernel://; s/MAC=.* SRC=/SRC=/; s/\[.*\] '// | sed s/" $host $LOGFORMAT"/" "/
    fi
 }

@@ -198,7 +199,7 @@ logwatch() # $1 = timeout -- if negative, prompt each time that
 	   #		     an 'interesting' packet count changes
 {

-    host=$(echo $HOSTNAME | sed 's/\..*$//')
+    host=$(echo $g_hostname | sed 's/\..*$//')
    oldrejects=$($IP6TABLES -L -v -n | grep 'LOG')

    if [ $1 -lt 0 ]; then
@@ -226,13 +227,13 @@ logwatch() # $1 = timeout -- if negative, prompt each time that
 	if [ "$rejects" != "$oldrejects" ]; then
 	    oldrejects="$rejects"

-	    $RING_BELL
+	    $g_ring_bell

 	    packet_log 40

 	    if [ "$pause" = "Yes" ]; then
 		echo
-		echo $ECHO_N 'Enter any character to continue: '
+		echo $g_echo_n 'Enter any character to continue: '
 		read foo
 	    else
 		timed_read
@@ -254,10 +255,10 @@ do_save() {

    if [ -f ${VARDIR}/firewall ]; then
 	if $iptables_save > ${VARDIR}/restore-$$; then
-	    cp -f ${VARDIR}/firewall $RESTOREPATH
-	    mv -f ${VARDIR}/restore-$$ ${RESTOREPATH}-iptables
-	    chmod +x $RESTOREPATH
-	    echo "   Currently-running Configuration Saved to $RESTOREPATH"
+	    cp -f ${VARDIR}/firewall $g_restorepath
+	    mv -f ${VARDIR}/restore-$$ ${g_restorepath}-iptables
+	    chmod +x $g_restorepath
+	    echo "   Currently-running Configuration Saved to $g_restorepath"
 	    run_user_exit save
 	else
 	    rm -f ${VARDIR}/restore-$$
@@ -284,8 +285,8 @@ save_config() {
    if shorewall6_is_started ; then
 	[ -d ${VARDIR} ] || mkdir -p ${VARDIR}

-	if [ -f $RESTOREPATH -a ! -x $RESTOREPATH ]; then
-	    echo "   ERROR: $RESTOREPATH exists and is not a saved $PRODUCT configuration" >&2
+	if [ -f $g_restorepath -a ! -x $g_restorepath ]; then
+	    echo "   ERROR: $g_restorepath exists and is not a saved $g_product configuration" >&2
 	else
 	    case $RESTOREFILE in
 		capabilities|chains|default_route|firewall|firewall.conf|nat|proxyarp|restarted|rt_tables|save|state|undo_routing|zones)
@@ -353,7 +354,7 @@ show_command() {
 	    if [ ${#macro} -gt 10 ]; then
 		echo "   $macro  ${foo#\#}"
 	    else
-		$ECHO_E "   $macro  \t${foo#\#}"
+		$g_echo_e "   $macro  \t${foo#\#}"
 	    fi
 	fi
    }
@@ -371,19 +372,19 @@ show_command() {
 			    option=
 			    ;;
 			v*)
-			    VERBOSE=$(($VERBOSE + 1 ))
+			    VERBOSITY=$(($VERBOSITY + 1 ))
 			    option=${option#v}
 			    ;;
 			x*)
-			    IPT_OPTIONS="-xnv"
+			    g_ipt_options="-xnv"
 			    option=${option#x}
 			    ;;
 			m*)
-			    SHOWMACS=Yes
+			    g_showmacs=Yes
 			    option=${option#m}
 			    ;;
 			f*)
-			    FILEMODE=Yes
+			    g_filemode=Yes
 			    option=${option#f}
 			    ;;
 			t)
@@ -403,7 +404,7 @@ show_command() {
 			    shift
 			    ;;
 			l*)
-			    IPT_OPTIONS1="--line-numbers"
+			    g_ipt_options1="--line-numbers"
 			    option=${option#l}
 			    ;;
 			*)
@@ -419,56 +420,56 @@ show_command() {
 	esac
    done

-    IPT_OPTIONS="$IPT_OPTIONS $IPT_OPTIONS1"
+    g_ipt_options="$g_ipt_options $g_ipt_options1"

-    [ -n "$debugging" ] && set -x
+    [ -n "$g_debugging" ] && set -x
    case "$1" in
 	connections)
 	    [ $# -gt 1 ] && usage 1
 	    local count=$(cat /proc/sys/net/netfilter/nf_conntrack_count)
 	    local max=$(cat /proc/sys/net/netfilter/nf_conntrack_max)
-	    echo "$PRODUCT $version Connections ($count of $max) at $HOSTNAME - $(date)"
+	    echo "$g_product $SHOREWALL_VERSION Connections ($count of $max) at $g_hostname - $(date)"
 	    echo
 	    grep '^ipv6' /proc/net/nf_conntrack
 	    ;;
 	tos|mangle)
 	    [ $# -gt 1 ] && usage 1
-	    echo "$PRODUCT $version Mangle Table at $HOSTNAME - $(date)"
+	    echo "$g_product $SHOREWALL_VERSION Mangle Table at $g_hostname - $(date)"
 	    echo
 	    show_reset
-	    $IP6TABLES -t mangle -L $IPT_OPTIONS
+	    $IP6TABLES -t mangle -L $g_ipt_options
 	    ;;
 	raw)
 	    [ $# -gt 1 ] && usage 1
-	    echo "$PRODUCT $version raw Table at $HOSTNAME - $(date)"
+	    echo "$g_product $SHOREWALL_VERSION raw Table at $g_hostname - $(date)"
 	    echo
 	    show_reset
-	    $IP6TABLES -t raw -L $IPT_OPTIONS
+	    $IP6TABLES -t raw -L $g_ipt_options
 	    ;;
 	log)
 	    [ $# -gt 1 ] && usage 1
-	    echo "$PRODUCT $version Log ($LOGFILE) at $HOSTNAME - $(date)"
+	    echo "$g_product $SHOREWALL_VERSION Log ($LOGFILE) at $g_hostname - $(date)"
 	    echo
 	    show_reset
-	    host=$(echo $HOSTNAME | sed 's/\..*$//')
+	    host=$(echo $g_hostname | sed 's/\..*$//')
 	    packet_log 20
 	    ;;
 	tc)
 	    [ $# -gt 2 ] && usage 1
-	    echo "$PRODUCT $version Traffic Control at $HOSTNAME - $(date)"
+	    echo "$g_product $SHOREWALL_VERSION Traffic Control at $g_hostname - $(date)"
 	    echo
 	    show_tc
 	    ;;
 	classifiers|filters)
 	    [ $# -gt 1 ] && usage 1
-	    echo "$PRODUCT $version Classifiers at $HOSTNAME - $(date)"
+	    echo "$g_product $SHOREWALL_VERSION Classifiers at $g_hostname - $(date)"
 	    echo
 	    show_classifiers
 	    ;;
 	zones)
 	    [ $# -gt 1 ] && usage 1
 	    if [ -f ${VARDIR}/zones ]; then
-		echo "$PRODUCT $version Zones at $HOSTNAME - $(date)"
+		echo "$g_product $SHOREWALL_VERSION Zones at $g_hostname - $(date)"
 		echo
 		while read zone type hosts; do
 		    echo "$zone ($type)"
@@ -492,8 +493,8 @@ show_command() {
 	capabilities)
 	    [ $# -gt 1 ] && usage 1
 	    determine_capabilities
-	    VERBOSE=2
-	    if [ -n "$FILEMODE" ]; then
+	    VERBOSITY=2
+	    if [ -n "$g_filemode" ]; then
 		report_capabilities1
 	    else
 		report_capabilities
@@ -501,13 +502,13 @@ show_command() {
 	    ;;
 	ip)
 	    [ $# -gt 1 ] && usage 1
-	    echo "$PRODUCT $version IP at $HOSTNAME - $(date)"
+	    echo "$g_product $SHOREWALL_VERSION IP at $g_hostname - $(date)"
 	    echo
 	    ip -6 addr list
 	    ;;
 	routing)
 	    [ $# -gt 1 ] && usage 1
-	    echo "$PRODUCT $version Routing at $HOSTNAME - $(date)"
+	    echo "$g_product $SHOREWALL_VERSION Routing at $g_hostname - $(date)"
 	    echo
 	    show_routing
 	    ;;
@@ -518,15 +519,15 @@ show_command() {
 	    ;;
 	chain)
 	    shift
-	    echo "$PRODUCT $version $([ $# -gt 1 ] && echo "Chains " || [ $# -gt 0 ] && echo "Chain " || echo $table Table)$* at $HOSTNAME - $(date)"
+	    echo "$g_product $SHOREWALL_VERSION $([ $# -gt 1 ] && echo "Chains " || [ $# -gt 0 ] && echo "Chain " || echo $table Table)$* at $g_hostname - $(date)"
 	    echo
 	    show_reset
 	    if [ $# -gt 0 ]; then
 		for chain in $*; do
-		    $IP6TABLES -t $table -L $chain $IPT_OPTIONS
+		    $IP6TABLES -t $table -L $chain $g_ipt_options
 		done
 	    else
-		$IP6TABLES -t $table -L $IPT_OPTIONS
+		$IP6TABLES -t $table -L $g_ipt_options
 	    fi
 	    ;;
 	vardir)
@@ -534,12 +535,12 @@ show_command() {
 	    ;;
 	policies)
 	    [ $# -gt 1 ] && usage 1
-	    echo "$PRODUCT $version Policies at $HOSTNAME - $(date)"
+	    echo "$g_product $SHOREWALL_VERSION Policies at $g_hostname - $(date)"
 	    echo
 	    [ -f ${VARDIR}/policies ] && cat ${VARDIR}/policies;
 	    ;;
 	*)
-	    if [ "$PRODUCT" = Shorewall6 ]; then
+	    if [ "$g_product" = Shorewall6 ]; then
 		case $1 in
 		    actions)
 			[ $# -gt 1 ] && usage 1
@@ -586,23 +587,23 @@ show_command() {

 	    if [ $# -gt 0 ]; then
 		[ -n "$table_given" ] || for chain in $*; do
-		    if ! qt $IP6TABLES -t $table -L $chain $IPT_OPTIONS; then
-			echo "usage $(basename $0) show [ -x ] [ -m ] [-f] [ -t {filter|mangle} ] [ {chain [<chain> [ <chain> ... ]|actions|capabilities|classifiers|config|connections|filters|ip|log|macros|mangle|routing|tc|zones} ] " >&2
+		    if ! qt $IP6TABLES -t $table -L $chain $g_ipt_options; then
+			error_message "ERROR: Chain '$chain' is not recognized by $IP6TABLES."
 			exit 1
 		    fi
 		done
 		
-		echo "$PRODUCT $version $([ $# -gt 1 ] && echo "Chains " || echo "Chain ")$* at $HOSTNAME - $(date)"
+		echo "$g_product $SHOREWALL_VERSION $([ $# -gt 1 ] && echo "Chains " || echo "Chain ")$* at $g_hostname - $(date)"
 		echo
 		show_reset
 		for chain in $*; do
-		    $IP6TABLES -t $table -L $chain $IPT_OPTIONS
+		    $IP6TABLES -t $table -L $chain $g_ipt_options
 		done
 	    else
-		echo "$PRODUCT $version $table Table at $HOSTNAME - $(date)"
+		echo "$g_product $SHOREWALL_VERSION $table Table at $g_hostname - $(date)"
 		echo
 		show_reset
-		$IP6TABLES -t $table -L $IPT_OPTIONS
+		$IP6TABLES -t $table -L $g_ipt_options
 	    fi
 	    ;;
    esac
@@ -628,15 +629,15 @@ dump_command() {
 			    option=
 			    ;;
 			x*)
-			    IPT_OPTIONS="-xnv"
+			    g_ipt_options="-xnv"
 			    option=${option#x}
 			    ;;
 			m*)
-			    SHOWMACS=Yes
+			    g_showmacs=Yes
 			    option=${option#m}
 			    ;;
 			l*)
-			    IPT_OPTIONS1="--line-numbers"
+			    g_ipt_options1="--line-numbers"
 			    option=${option#l}
 			    ;;
 			*)
@@ -652,14 +653,14 @@ dump_command() {
 	esac
    done

-    IPT_OPTIONS="$IPT_OPTIONS $IPT_OPTIONS1"
+    g_ipt_options="$g_ipt_options $g_ipt_options1"

-    [ $VERBOSE -lt 2 ] && VERBOSE=2
+    [ $VERBOSITY -lt 2 ] && VERBOSITY=2

-    [ -n "$debugging" ] && set -x
+    [ -n "$g_debugging" ] && set -x
    [ $# -eq 0 ] || usage 1
    clear_term
-    echo "$PRODUCT $version Dump at $HOSTNAME - $(date)"
+    echo "$g_product $SHOREWALL_VERSION Dump at $g_hostname - $(date)"
    echo

    if [ -f /usr/share/shorewall/version ]; then
@@ -668,17 +669,21 @@ dump_command() {
    fi
    
    show_reset
-    host=$(echo $HOSTNAME | sed 's/\..*$//')
-    $IP6TABLES -L $IPT_OPTIONS
+    host=$(echo $g_hostname | sed 's/\..*$//')
+    $IP6TABLES -L $g_ipt_options

    heading "Log ($LOGFILE)"
    packet_log 20

-    heading "Mangle Table"
-    $IP6TABLES -t mangle -L $IPT_OPTIONS
+    if qt $IP6TABLES -t mangle -L -n; then
+	heading "Mangle Table"
+	$IP6TABLES -t mangle -L $g_ipt_options
+    fi

-    heading "Raw Table"
-    $IP6TABLES -t raw -L $IPT_OPTIONS
+    if qt $IP6TABLES -t raw -L -n; then
+	heading "Raw Table"
+	$IP6TABLES -t raw -L $g_ipt_options
+    fi

    local count=$(cat /proc/sys/net/netfilter/nf_conntrack_count)
    local max=$(cat /proc/sys/net/netfilter/nf_conntrack_max)
@@ -758,7 +763,7 @@ restore_command() {
 			    option=
 			    ;;
 			n*)
-			    NOROUTES=Yes
+			    g_noroutes=Yes
 			    option=${option#n}
 			    ;;
 			*)
@@ -791,27 +796,25 @@ restore_command() {
 	exit 2
    fi

-    RESTOREPATH=${VARDIR}/$RESTOREFILE
-
-    export NOROUTES
+    g_restorepath=${VARDIR}/$RESTOREFILE

    [ -n "$nolock" ] || mutex_on

-    if [ -x $RESTOREPATH ]; then
-	if [ -x ${RESTOREPATH}-ipsets ] ; then
+    if [ -x $g_restorepath ]; then
+	if [ -x ${g_restorepath}-ipsets ] ; then
 	    echo Restoring Ipsets...
 	    $IP6TABLES -F
 	    $IP6TABLES -X
-	    $SHOREWALL_SHELL ${RESTOREPATH}-ipsets
+	    $SHOREWALL_SHELL ${g_restorepath}-ipsets
 	fi

 	progress_message3 "Restoring Shorewall6..."

-	$SHOREWALL_SHELL $RESTOREPATH restore && progress_message3 "$PRODUCT restored from ${VARDIR}/$RESTOREFILE"
+	run_it $g_restorepath restore && progress_message3 "$g_product restored from ${VARDIR}/$RESTOREFILE"

 	[ -n "$nolock" ] || mutex_off
    else
-	echo "File $RESTOREPATH: file not found"
+	echo "File $g_restorepath: file not found"
 	[ -n "$nolock" ] || mutex_off
 	exit 2
    fi
@@ -869,20 +872,20 @@ heading() {
 #
 make_verbose() {
    local v
-    v=$VERBOSE_OFFSET
+    v=$g_verbose_offset
    local option
    option=-

-    if [ -n "$USE_VERBOSITY" ]; then
-	echo "-v$USE_VERBOSITY"
-    elif [ $VERBOSE_OFFSET -gt 0 ]; then
+    if [ -n "$g_use_verbosity" ]; then
+	echo "-v$g_use_verbosity"
+    elif [ $g_verbose_offset -gt 0 ]; then
 	while [ $v -gt 0 ]; do
 	    option="${option}v"
 	    v=$(($v - 1))
 	done

 	echo $option
-    elif [ $VERBOSE_OFFSET -lt 0 ]; then
+    elif [ $g_verbose_offset -lt 0 ]; then
 	while [ $v -lt 0 ]; do
 	    option="${option}q"
 	    v=$(($v + 1))
@@ -903,7 +906,7 @@ block() # $1 = command, $2 = Finished, $3 - $n addresses
    finished=$2

    if ! chain_exists dynamic; then
-	echo "Dynamic blacklisting is not enabled in the current $PRODUCT configuration" >&2
+	echo "Dynamic blacklisting is not enabled in the current $g_product configuration" >&2
 	[ -n "$nolock" ] || mutex_off
 	exit 2
    fi
@@ -974,15 +977,15 @@ hits_command() {
    [ $# -eq 0 ] || usage 1

    clear_term
-    echo "$PRODUCT $version Hits at $HOSTNAME - $(date)"
+    echo "$g_product $SHOREWALL_VERSION Hits at $g_hostname - $(date)"
    echo

    timeout=30

-    if $LOGREAD | grep -q "${today}IN=.* OUT=" ; then
+    if $g_logread | grep -q "${today}IN=.* OUT=" ; then
 	echo "   HITS IP	        DATE"
 	echo "   ---- --------------- ------"
-	$LOGREAD | grep "${today}IN=.* OUT=" | sed 's/\(.\{6\}\)\(.*SRC=\)\(.*\)\( DST=.*\)/\3	\1/' | sort | uniq -c | sort -rn | while read count address month day; do
+	$g_logread | grep "${today}IN=.* OUT=" | sed 's/\(.\{6\}\)\(.*SRC=\)\(.*\)\( DST=.*\)/\3	\1/' | sort | uniq -c | sort -rn | while read count address month day; do
 	    printf '%7d %-15s %3s %2d\n' $count $address $month $day
 	done

@@ -990,7 +993,7 @@ hits_command() {

 	echo "   HITS IP	        PORT"
 	echo "   ---- --------------- -----"
-	$LOGREAD | grep  "${today}IN=.* OUT=" | sed 's/\(.*SRC=\)\(.*\)\( DST=.*DPT=\)\([0-9]\{1,5\}\)\(.*\)/\2	\4/
+	$g_logread | grep  "${today}IN=.* OUT=" | sed 's/\(.*SRC=\)\(.*\)\( DST=.*DPT=\)\([0-9]\{1,5\}\)\(.*\)/\2	\4/
 						t
 						s/\(.*SRC=\)\(.*\)\( DST=.*\)/\2/' | sort | uniq -c | sort -rn | while read count address port; do
 	    printf '%7d %-15s %d\n' $count $address $port
@@ -1000,7 +1003,7 @@ hits_command() {

 	echo "   HITS DATE"
 	echo "   ---- ------"
-	$LOGREAD | grep  "${today}IN=.* OUT=" | sed 's/\(.\{6\}\)\(.*\)/\1/' | sort | uniq -c | sort -rn | while read count month day; do
+	$g_logread | grep  "${today}IN=.* OUT=" | sed 's/\(.\{6\}\)\(.*\)/\1/' | sort | uniq -c | sort -rn | while read count month day; do
 	    printf '%7d %3s %2d\n' $count $month $day
 	done

@@ -1008,7 +1011,7 @@ hits_command() {

 	echo "   HITS  PORT SERVICE(S)"
 	echo "   ---- ----- ----------"
-	$LOGREAD | grep "${today}IN=.* OUT=.*DPT" | sed 's/\(.*DPT=\)\([0-9]\{1,5\}\)\(.*\)/\2/' | sort | uniq -c | sort -rn | while read count port ; do
+	$g_logread | grep "${today}IN=.* OUT=.*DPT" | sed 's/\(.*DPT=\)\([0-9]\{1,5\}\)\(.*\)/\2/' | sort | uniq -c | sort -rn | while read count port ; do
 	    # List all services defined for the given port
 	    srv=$(grep "^[^#].*\\b$port/" /etc/services | cut -f 1 | cut -f 1 -d' ' | sort -u)
 	    srv=$(echo $srv | sed 's/ /,/g')
@@ -1026,11 +1029,11 @@ hits_command() {
 # 'allow' command executor
 #
 allow_command() {
-    [ -n "$debugging" ] && set -x
+    [ -n "$g_debugging" ] && set -x
    [ $# -eq 1 ] && usage 1
    if shorewall6_is_started ; then
 	if ! chain_exists dynamic; then
-	    echo "Dynamic blacklisting is not enabled in the current $PRODUCT configuration" >&2
+	    echo "Dynamic blacklisting is not enabled in the current $g_product configuration" >&2
 	    exit 2
 	fi

@@ -1064,7 +1067,7 @@ allow_command() {
 	done
 	[ -n "$nolock" ] || mutex_off
    else
-	error_message "ERROR: $PRODUCT is not started"
+	error_message "ERROR: $g_product is not started"
 	exit 2
    fi
 }
@@ -1088,15 +1091,15 @@ logwatch_command() {
 		while [ -n "$option" ]; do
 		    case $option in
 			v*)
-			    VERBOSE=$(($VERBOSE + 1 ))
+			    VERBOSITY=$(($VERBOSITY + 1 ))
 			    option=${option#v}
 			    ;;
 			q*)
-			    VERBOSE=$(($VERBOSE - 1 ))
+			    VERBOSITY=$(($VERBOSITY - 1 ))
 			    option=${option#q}
 			    ;;
 			m*)
-			    SHOWMACS=Yes
+			    g_showmacs=Yes
 			    option=${option#m}
 			    ;;
 			-)
@@ -1116,7 +1119,7 @@ logwatch_command() {
 	esac
    done
    
-    [ -n "$debugging" ] && set -x
+    [ -n "$g_debugging" ] && set -x

    if [ $# -eq 1 ]; then
 	logwatch $1
@@ -1126,3 +1129,320 @@ logwatch_command() {
 	usage 1
    fi
 }
+
+#
+# Determine which optional facilities are supported by iptables/netfilter
+#
+determine_capabilities() {
+    CONNTRACK_MATCH=
+    NEW_CONNTRACK_MATCH=
+    OLD_CONNTRACK_MATCH=
+    MULTIPORT=
+    XMULTIPORT=
+    POLICY_MATCH=
+    PHYSDEV_MATCH=
+    PHYSDEV_BRIDGE=
+    IPRANGE_MATCH=
+    RECENT_MATCH=
+    OWNER_MATCH=
+    IPSET_MATCH=
+    CONNMARK=
+    XCONNMARK=
+    CONNMARK_MATCH=
+    XCONNMARK_MATCH=
+    RAW_TABLE=
+    IPP2P_MATCH=
+    OLD_IPP2P_MATCH=
+    LENGTH_MATCH=
+    CLASSIFY_TARGET=
+    ENHANCED_REJECT=
+    USEPKTTYPE=
+    KLUDGEFREE=
+    MARK=
+    XMARK=
+    EXMARK=
+    TPROXY_TARGET=
+    MANGLE_FORWARD=
+    COMMENTS=
+    ADDRTYPE=
+    TCPMSS_MATCH=
+    HASHLIMIT_MATCH=
+    NFQUEUE_TARGET=
+    REALM_MATCH=
+    HELPER_MATCH=
+    CONNLIMIT_MATCH=
+    TIME_MATCH=
+    GOTO_TARGET=
+    IPMARK_TARGET=
+    LOG_TARGET=Yes
+    FLOW_FILTER=
+
+    chain=fooX$$
+
+    [ -n "$IP6TABLES" ] || IP6TABLES=$(mywhich ip6tables)
+
+    if [ -z "$IP6TABLES" ]; then
+	echo "   ERROR: No executable iptables binary can be found on your PATH" >&2
+	exit 1
+    fi
+
+    [ -n "$IP" ] || IP=$(which ip)
+
+    [ -n "$IP" -a -x "$IP" ] || IP=
+
+    qt $IP6TABLES -t mangle -L -n && MANGLE_ENABLED=Yes || MANGLE_ENABLED=
+
+    qt $IP6TABLES -F $chain
+    qt $IP6TABLES -X $chain
+    if ! $IP6TABLES -N $chain; then
+	echo "   ERROR: The command \"$IP6TABLES -N $chain\" failed" >&2
+	exit 1
+    fi
+
+    chain1=${chain}1
+
+    qt $IP6TABLES -F $chain1
+    qt $IP6TABLES -X $chain1
+    if ! $IP6TABLES -N $chain1; then
+	echo "   ERROR: The command \"$IP6TABLES -N $chain1\" failed" >&2
+	exit 1
+    fi
+
+    if ! qt $IP6TABLES -A $chain -m state --state ESTABLISHED,RELATED -j ACCEPT; then
+	echo "   ERROR: Your kernel lacks connection tracking and/or state matching -- Shorewall will not run on this system" >&2
+	exit 1
+    fi
+
+    qt $IP6TABLES -A $chain -m conntrack --ctorigdst ::1 -j ACCEPT && CONNTRACK_MATCH=Yes
+
+    if [ -n "$CONNTRACK_MATCH" ]; then
+	qt $IP6TABLES -A $chain -m conntrack -p tcp --ctorigdstport 22 -j ACCEPT && NEW_CONNTRACK_MATCH=Yes
+	qt $IP6TABLES -A $chain -m conntrack ! --ctorigdst ::1 || OLD_CONNTRACK_MATCH=Yes
+    fi
+
+    if qt $IP6TABLES -A $chain -p tcp -m multiport --dports 21,22 -j ACCEPT; then
+	MULTIPORT=Yes
+	qt $IP6TABLES -A $chain -p tcp -m multiport --sports 60 -m multiport --dports 99 -j ACCEPT && KLUDEFREE=Yes
+    fi
+
+    qt $IP6TABLES -A $chain -p tcp -m multiport --dports 21:22 -j ACCEPT           && XMULTIPORT=Yes
+    qt $IP6TABLES -A $chain -m policy --pol ipsec --mode tunnel --dir in -j ACCEPT && POLICY_MATCH=Yes
+
+    if qt $IP6TABLES -A $chain -m physdev --physdev-out eth0 -j ACCEPT; then
+	PHYSDEV_MATCH=Yes
+	qt $IP6TABLES -A $chain -m physdev --physdev-is-bridged --physdev-in eth0 --physdev-out eth0 -j ACCEPT && PHYSDEV_BRIDGE=Yes
+	if [ -z "${KLUDGEFREE}" ]; then
+	    qt $IP6TABLES -A $chain -m physdev --physdev-in eth0 -m physdev --physdev-out eth0 -j ACCEPT && KLUDGEFREE=Yes
+	fi
+    fi
+
+    if qt $IP6TABLES -A $chain -m iprange --src-range ::1-::2 -j ACCEPT; then
+	IPRANGE_MATCH=Yes
+	if [ -z "${KLUDGEFREE}" ]; then
+	    qt $IP6TABLES -A $chain -m iprange --src-range ::1-::2 -m iprange --dst-range ::1-::2 -j ACCEPT && KLUDGEFREE=Yes
+	fi
+    fi
+
+    qt $IP6TABLES -A $chain -m recent --update -j ACCEPT     && RECENT_MATCH=Yes
+    qt $IP6TABLES -A $chain -m owner --uid-owner 0 -j ACCEPT && OWNER_MATCH=Yes
+
+    if qt $IP6TABLES -A $chain -m connmark --mark 2  -j ACCEPT; then
+	CONNMARK_MATCH=Yes
+	qt $IP6TABLES -A $chain -m connmark --mark 2/0xFF -j ACCEPT && XCONNMARK_MATCH=Yes
+    fi
+
+    qt $IP6TABLES -A $chain -p tcp -m ipp2p --edk -j ACCEPT       && IPP2P_MATCH=Yes
+    if [ -n "$IPP2P_MATCH" ]; then
+	qt $IP6TABLES -A $chain -p tcp -m ipp2p --ipp2p -j ACCEPT && OLD_IPP2P_MATCH=Yes
+    fi
+
+   qt $IP6TABLES -A $chain -m length --length 10:20 -j ACCEPT           && LENGTH_MATCH=Yes
+    qt $IP6TABLES -A $chain -j REJECT --reject-with icmp6-adm-prohibited && ENHANCED_REJECT=Yes
+
+    qt $IP6TABLES -A $chain -j ACCEPT -m comment --comment "This is a comment" && COMMENTS=Yes
+
+    if [ -n "$MANGLE_ENABLED" ]; then
+	qt $IP6TABLES -t mangle -N $chain
+
+	if qt $IP6TABLES -t mangle -A $chain -j MARK --set-mark 1; then
+	    MARK=Yes
+	    qt $IP6TABLES -t mangle -A $chain -j MARK --and-mark 0xFF && XMARK=Yes
+	    qt $IP6TABLES -t mangle -A $chain -j MARK --set-mark 1/0xFF && EXMARK=Yes
+	fi
+
+	if qt $IP6TABLES -t mangle -A $chain -j CONNMARK --save-mark; then
+	    CONNMARK=Yes
+	    qt $IP6TABLES -t mangle -A $chain -j CONNMARK --save-mark --mask 0xFF && XCONNMARK=Yes
+	fi
+
+	qt $IP6TABLES -t mangle -A $chain -j CLASSIFY --set-class 1:1 && CLASSIFY_TARGET=Yes
+	qt $IP6TABLES -t mangle -A $chain -j IPMARK --addr src && IPMARK_TARGET=Yes
+	qt $IP6TABLES -t mangle -A $chain -p tcp -j TPROXY --on-port 0 --tproxy-mark 1 && TPROXY_TARGET=Yes
+	qt $IP6TABLES -t mangle -F $chain
+	qt $IP6TABLES -t mangle -X $chain
+	qt $IP6TABLES -t mangle -L FORWARD -n && MANGLE_FORWARD=Yes
+    fi
+
+    qt $IP6TABLES -t raw	   -L -n && RAW_TABLE=Yes
+
+    if qt mywhich ipset; then
+	qt ipset -X $chain # Just in case something went wrong the last time
+
+	if qt ipset -N $chain iphash ; then
+	    if qt $IP6TABLES -A $chain -m set --set $chain src -j ACCEPT; then
+		qt $IP6TABLES -D $chain -m set --set $chain src -j ACCEPT
+		IPSET_MATCH=Yes
+	    fi
+	    qt ipset -X $chain
+	fi
+    fi
+
+    qt $IP6TABLES -A $chain -m pkttype --pkt-type broadcast -j ACCEPT && USEPKTTYPE=Yes
+    qt $IP6TABLES -A $chain -m addrtype --src-type BROADCAST -j ACCEPT && ADDRTYPE=Yes
+    qt $IP6TABLES -A $chain -p tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1000:1500 -j ACCEPT && TCPMSS_MATCH=Yes
+    qt $IP6TABLES -A $chain -m hashlimit --hashlimit-upto 4 --hashlimit-burst 5 --hashlimit-name $chain --hashlimit-mode dstip -j ACCEPT && HASHLIMIT_MATCH=Yes
+    if [ -z "$HASHLIMIT_MATCH" ]; then
+	qt $IP6TABLES -A $chain -m hashlimit --hashlimit 4 --hashlimit-burst 5 --hashlimit-name $chain --hashlimit-mode dstip -j ACCEPT && OLD_HL_MATCH=Yes
+	HASHLIMIT_MATCH=$OLD_HL_MATCH
+    fi	
+    qt $IP6TABLES -A $chain -j NFQUEUE --queue-num 4 && NFQUEUE_TARGET=Yes
+    qt $IP6TABLES -A $chain -m realm --realm 4 && REALM_MATCH=Yes
+    qt $IP6TABLES -A $chain -m helper --helper "ftp" && HELPER_MATCH=Yes
+    qt $IP6TABLES -A $chain -m connlimit --connlimit-above 8 -j DROP && CONNLIMIT_MATCH=Yes
+    qt $IP6TABLES -A $chain -m time --timestart 23:00 -j DROP && TIME_MATCH=Yes
+    qt $IP6TABLES -A $chain -g $chain1 && GOTO_TARGET=Yes
+    qt $IP6TABLES -A $chain -j LOG || LOG_TARGET=
+
+    qt $IP6TABLES -F $chain
+    qt $IP6TABLES -X $chain
+    qt $IP6TABLES -F $chain1
+    qt $IP6TABLES -X $chain1
+
+    [ -n "$IP" ] && $IP filter add flow help 2>&1 | grep -q ^Usage && FLOW_FILTER=Yes
+
+    CAPVERSION=$SHOREWALL_CAPVERSION
+    KERNELVERSION=$(printf "%d%02d%02d" $(uname -r 2> /dev/null | sed -e 's/-.*//' -e 's/^\([0-9][0-9]*\)\.\([0-9][0-9]*\)\.\([0-9][0-9]*\).*$/\1 \2 \3/g'))
+}
+
+report_capabilities() {
+    report_capability() # $1 = Capability Description , $2 Capability Setting (if any)
+    {
+	local setting
+	setting=
+
+	[ "x$2" = "xYes" ] && setting="Available" || setting="Not available"
+
+	echo "  " $1: $setting
+    }
+
+    if [ $VERBOSITY -gt 1 ]; then
+	echo "Shorewall6 has detected the following ip6tables/netfilter capabilities:"
+	report_capability "Packet Mangling" $MANGLE_ENABLED
+	report_capability "Multi-port Match" $MULTIPORT
+	[ -n "$MULTIPORT" ] && report_capability "Extended Multi-port Match" $XMULTIPORT
+	report_capability "Connection Tracking Match" $CONNTRACK_MATCH
+	if [ -n "$CONNTRACK_MATCH" ]; then
+	    report_capability "Extended Connection Tracking Match Support" $NEW_CONNTRACK_MATCH
+	    [ -n "$OLD_CONNTRACK_MATCH" ] && report_capability "Old Connection Tracking Match Syntax" $OLD_CONNTRACK_MATCH
+	fi
+	report_capability "Packet Type Match" $USEPKTTYPE
+	report_capability "Policy Match" $POLICY_MATCH
+	report_capability "Physdev Match" $PHYSDEV_MATCH
+	report_capability "Physdev-is-bridged Support" $PHYSDEV_BRIDGE
+	report_capability "Packet length Match" $LENGTH_MATCH
+	report_capability "IP range Match" $IPRANGE_MATCH
+	report_capability "Recent Match" $RECENT_MATCH
+	report_capability "Owner Match" $OWNER_MATCH
+	report_capability "Ipset Match" $IPSET_MATCH
+	report_capability "CONNMARK Target" $CONNMARK
+	[ -n "$CONNMARK" ] && report_capability "Extended CONNMARK Target" $XCONNMARK
+	report_capability "Connmark Match" $CONNMARK_MATCH
+	[ -n "$CONNMARK_MATCH" ] && report_capability "Extended Connmark Match" $XCONNMARK_MATCH
+	report_capability "Raw Table" $RAW_TABLE
+	report_capability "IPP2P Match" $IPP2P_MATCH
+	[ -n "$OLD_IPP2P_MATCH" ] && report_capability "Old IPP2P Match Syntax" $OLD_IPP2P_MATCH
+	report_capability "CLASSIFY Target" $CLASSIFY_TARGET
+	report_capability "Extended REJECT" $ENHANCED_REJECT
+	report_capability "Repeat match" $KLUDGEFREE
+	report_capability "MARK Target" $MARK
+	[ -n "$MARK" ] && report_capability "Extended MARK Target" $XMARK
+	[ -n "$XMARK" ] && report_capability "Extended MARK Target 2" $EXMARK
+	report_capability "Mangle FORWARD Chain" $MANGLE_FORWARD
+	report_capability "Comments" $COMMENTS
+	report_capability "Address Type Match" $ADDRTYPE
+	report_capability "TCPMSS Match" $TCPMSS_MATCH
+	report_capability "Hashlimit Match" $HASHLIMIT_MATCH
+	[ -n "$OLD_HL_MATCH" ] && report_capability "Old Hashlimit Match" $OLD_HL_MATCH
+	report_capability "NFQUEUE Target" $NFQUEUE_TARGET
+	report_capability "Realm Match" $REALM_MATCH
+	report_capability "Helper Match" $HELPER_MATCH
+	report_capability "Connlimit Match" $CONNLIMIT_MATCH
+	report_capability "Time Match" $TIME_MATCH
+	report_capability "Goto Support" $GOTO_TARGET
+	report_capability "IPMARK Target" $IPMARK_TARGET
+	report_capability "LOG Target" $LOG_TARGET
+	report_capability "TPROXY Target" $TPROXY_TARGET
+	report_capability "FLOW Classifier" $FLOW_FILTER
+    fi
+
+    [ -n "$PKTTYPE" ] || USEPKTTYPE=
+
+}
+
+report_capabilities1() {
+    report_capability1() # $1 = Capability
+    {
+	eval echo $1=\$$1
+    }
+
+    echo "#"
+    echo "# Shorewall6 $SHOREWALL_VERSION detected the following ip6tables/netfilter capabilities - $(date)"
+    echo "#"
+    report_capability1 MANGLE_ENABLED
+    report_capability1 MULTIPORT
+    report_capability1 XMULTIPORT
+    report_capability1 CONNTRACK_MATCH
+    report_capability1 NEW_CONNTRACK_MATCH
+    report_capability1 OLD_CONNTRACK_MATCH
+    report_capability1 USEPKTTYPE
+    report_capability1 POLICY_MATCH
+    report_capability1 PHYSDEV_MATCH
+    report_capability1 PHYSDEV_BRIDGE
+    report_capability1 LENGTH_MATCH
+    report_capability1 IPRANGE_MATCH
+    report_capability1 RECENT_MATCH
+    report_capability1 OWNER_MATCH
+    report_capability1 IPSET_MATCH
+    report_capability1 CONNMARK
+    report_capability1 XCONNMARK
+    report_capability1 CONNMARK_MATCH
+    report_capability1 XCONNMARK_MATCH
+    report_capability1 RAW_TABLE
+    report_capability1 IPP2P_MATCH
+    report_capability1 OLD_IPP2P_MATCH
+    report_capability1 CLASSIFY_TARGET
+    report_capability1 ENHANCED_REJECT
+    report_capability1 KLUDGEFREE
+    report_capability1 MARK
+    report_capability1 XMARK
+    report_capability1 EXMARK
+    report_capability1 MANGLE_FORWARD
+    report_capability1 COMMENTS
+    report_capability1 ADDRTYPE
+    report_capability1 TCPMSS_MATCH
+    report_capability1 HASHLIMIT_MATCH
+    report_capability1 OLD_HL_MATCH
+    report_capability1 NFQUEUE_TARGET
+    report_capability1 REALM_MATCH
+    report_capability1 HELPER_MATCH
+    report_capability1 CONNLIMIT_MATCH
+    report_capability1 TIME_MATCH
+    report_capability1 GOTO_TARGET
+    report_capability1 IPMARK_TARGET
+    report_capability1 LOG_TARGET
+    report_capability1 TPROXY_TARGET
+    report_capability1 FLOW_FILTER
+    
+    echo CAPVERSION=$SHOREWALL_CAPVERSION
+    echo KERNELVERSION=$KERNELVERSION    
+}
--- a/Shorewall6/lib.common
+++ b/Shorewall6/lib.common
@@ -0,0 +1,476 @@
+#!/bin/sh
+#
+# Shorewall 4.4 -- /usr/share/shorewall6/lib.common.
+#
+#     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
+#
+#     (c) 2010 - Tom Eastep (teastep@shorewall.net)
+#
+#	Complete documentation is available at http://shorewall.net
+#
+#	This program is free software; you can redistribute it and/or modify
+#	it under the terms of Version 2 of the GNU General Public License
+#	as published by the Free Software Foundation.
+#
+#	This program is distributed in the hope that it will be useful,
+#	but WITHOUT ANY WARRANTY; without even the implied warranty of
+#	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+#	GNU General Public License for more details.
+#
+#	You should have received a copy of the GNU General Public License
+#	along with this program; if not, write to the Free Software
+#	Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# This library contains the wrapper code for running a generated script.
+#
+
+#
+# Get the Shorewall version of the passed script
+#
+get_script_version() { # $1 = script
+    local temp
+    local version
+    local ifs
+    local digits
+
+    temp=$( $SHOREWALL_SHELL $1 version | sed 's/-.*//' )
+
+    if [ $? -ne 0 ]; then
+	version=0
+    else
+	ifs=$IFS
+	IFS=.
+	temp=$(echo $temp)
+	IFS=$ifs
+	digits=0
+	
+	for temp in $temp; do
+	    version=${version}$(printf '%02d' $temp)
+	    digits=$(($digits + 1))
+	    [ $digits -eq 3 ] && break
+	done
+    fi
+    
+    echo $version
+}
+  
+#
+# Do required exports and create the required option string and run the passed script using
+# $SHOREWALL_SHELL
+#
+run_it() {
+    local script
+    local options
+    local version
+
+    export VARDIR
+	
+    script=$1
+    shift
+
+    version=$(get_script_version $script)
+
+    if [ $version -lt 040408 ]; then
+	#
+	# Old script that doesn't understand 4.4.8 script options
+	#
+	export RESTOREFILE=
+	export VERBOSITY
+	export NOROUTES=$g_noroutes
+	export PURGE=$g_purge
+	export TIMESTAMP=$g_timestamp
+	export RECOVERING=$g_recovering
+
+	if [ "$g_product" != Shorewall6 ]; then
+	    #
+	    # Shorewall6 Lite
+	    #
+	    export LOGFORMAT
+	    export IP6TABLES
+	fi
+    else
+	#
+	# 4.4.8 or later -- no additional exports required
+	#
+	options='-'
+
+	[ -n "$g_noroutes" ]   && options=${options}n
+	[ -n "$g_timestamp" ]  && options=${options}t
+	[ -n "$g_purge" ]      && options=${options}p
+	[ -n "$g_recovering" ] && options=${options}r
+
+	options="${options}V $VERBOSITY"
+
+	[ -n "$RESTOREFILE" ] && options="${options} -R $RESTOREFILE"
+    fi
+
+    $SHOREWALL_SHELL $script $options $@
+}
+
+#
+# Message to stderr
+#
+error_message() # $* = Error Message
+{
+   echo "   $@" >&2
+}
+
+#
+# Split a colon-separated list into a space-separated list
+#
+split() {
+    local ifs
+    ifs=$IFS
+    IFS=:
+    echo $*
+    IFS=$ifs
+}
+
+#
+# Undo the effect of 'split()'
+#
+join()
+{
+    local f
+    local o
+    o=
+
+    for f in $* ; do
+        o="${o:+$o:}$f"
+    done
+
+    echo $o
+}
+
+#
+# Return the number of elements in a list
+#
+list_count() # $* = list
+{
+    return $#
+}
+
+#
+# Search a list looking for a match -- returns zero if a match found
+# 1 otherwise
+#
+list_search() # $1 = element to search for , $2-$n = list
+{
+    local e
+    e=$1
+
+    while [ $# -gt 1 ]; do
+	shift
+	[ "x$e" = "x$1" ] && return 0
+    done
+
+    return 1
+}
+
+#
+# Suppress all output for a command
+#
+qt()
+{
+    "$@" >/dev/null 2>&1
+}
+
+qt1()
+{
+    local status
+
+    while [ 1 ]; do
+	"$@" >/dev/null 2>&1
+	status=$?
+	[ $status -ne 4 ] && return $status
+    done
+}
+
+#
+# Determine if Shorewall is "running"
+#
+shorewall6_is_started() {
+    qt1 $IP6TABLES -L shorewall -n
+}
+
+#
+# Echos the fully-qualified name of the calling shell program
+#
+my_pathname() {
+    cd $(dirname $0)
+    echo $PWD/$(basename $0)
+}
+
+#
+# Source a user exit file if it exists
+#
+run_user_exit() # $1 = file name
+{
+    local user_exit
+    user_exit=$(find_file $1)
+
+    if [ -f $user_exit ]; then
+	progress_message "Processing $user_exit ..."
+	. $user_exit
+    fi
+}
+
+#
+# Load a Kernel Module -- assumes that the variable 'moduledirectories' contains
+#                         a space-separated list of directories to search for
+#                         the module and that 'moduleloader' contains the
+#                         module loader command.
+#
+loadmodule() # $1 = module name, $2 - * arguments
+{
+    local modulename
+    modulename=$1
+    local modulefile
+    local suffix
+
+    if ! list_search $modulename $MODULES $DONT_LOAD ; then
+	shift
+
+	for suffix in $MODULE_SUFFIX ; do
+	    for directory in $moduledirectories; do
+		modulefile=$directory/${modulename}.${suffix}
+
+		if [ -f $modulefile ]; then
+		    case $moduleloader in
+			insmod)
+			    insmod $modulefile $*
+			    ;;
+			*)
+			    modprobe $modulename $*
+			    ;;
+		    esac
+		    break 2
+		fi
+	    done
+	done
+    fi
+}
+
+#
+# Reload the Modules
+#
+reload_kernel_modules() {
+
+    local save_modules_dir
+    save_modules_dir=$MODULESDIR
+    local directory
+    local moduledirectories
+    moduledirectories=
+    local moduleloader
+    moduleloader=modprobe
+
+    if ! qt mywhich modprobe; then
+	moduleloader=insmod
+    fi
+
+    [ -n "${MODULE_SUFFIX:=o gz ko o.gz ko.gz}" ]
+
+    [ -z "$MODULESDIR" ] && MODULESDIR=/lib/modules/$(uname -r)/kernel/net/ipv6/netfilter:/lib/modules/$(uname -r)/kernel/net/netfilter:/lib/modules/$(uname -r)/kernel/net/sched
+    MODULES=$(lsmod | cut -d ' ' -f1)
+
+    for directory in $(split $MODULESDIR); do
+	[ -d $directory ] && moduledirectories="$moduledirectories $directory"
+    done
+
+    [ -n "$moduledirectories" ] && while read command; do
+	eval $command
+    done
+
+    MODULESDIR=$save_modules_dir
+}
+
+#
+# Load kernel modules required for Shorewall
+#
+load_kernel_modules() # $1 = Yes, if we are to save moduleinfo in $VARDIR
+{
+    local save_modules_dir
+    save_modules_dir=$MODULESDIR
+    local directory
+    local moduledirectories
+    moduledirectories=
+    local moduleloader
+    moduleloader=modprobe
+    local savemoduleinfo
+    savemoduleinfo=${1:-Yes} # So old compiled scripts still work
+
+    if ! qt mywhich modprobe; then
+	moduleloader=insmod
+    fi
+
+    [ -n "${MODULE_SUFFIX:=o gz ko o.gz ko.gz}" ]
+
+    [ -z "$MODULESDIR" ] && \
+	MODULESDIR=/lib/modules/$(uname -r)/kernel/net/ipv6/netfilter:/lib/modules/$(uname -r)/kernel/net/netfilter:/lib/modules/$(uname -r)/kernel/net/sched
+
+    for directory in $(split $MODULESDIR); do
+	[ -d $directory ] && moduledirectories="$moduledirectories $directory"
+    done
+
+    [ -n "$LOAD_HELPERS_ONLY" ] && modules=$(find_file helpers) || modules=$(find_file modules)
+
+    if [ -f $modules -a -n "$moduledirectories" ]; then
+	MODULES=$(lsmod | cut -d ' ' -f1)
+	progress_message "Loading Modules..."
+	. $modules
+	if [ $savemoduleinfo = Yes ]; then
+	    [ -d ${VARDIR} ] || mkdir -p ${VARDIR}
+	    echo MODULESDIR="$MODULESDIR" > ${VARDIR}/.modulesdir
+	    cp -f $modules ${VARDIR}/.modules
+	fi
+    elif [ $savemoduleinfo = Yes ]; then
+	[ -d ${VARDIR} ] || mkdir -p ${VARDIR}
+	> ${VARDIR}/.modulesdir	
+	> ${VARDIR}/.modules
+    fi
+
+    MODULESDIR=$save_modules_dir
+}
+
+#
+# Query NetFilter about the existence of a filter chain
+#
+chain_exists() # $1 = chain name
+{
+    qt1 $IP6TABLES -L $1 -n
+}
+
+#
+# Find the interface with the passed MAC address
+#
+
+find_interface_by_mac() {
+    local mac
+    mac=$1
+    local first
+    local second
+    local rest
+    local dev
+
+    $IP link list | while read first second rest; do
+	case $first in
+	    *:)
+                dev=$second
+		;;
+	    *)
+	        if [ "$second" = $mac ]; then
+		    echo ${dev%:}
+		    return
+		fi
+	esac
+    done
+}
+
+#
+# Find interface address--returns the first IP address assigned to the passed
+# device
+#
+find_first_interface_address() # $1 = interface
+{
+    #
+    # get the line of output containing the first IP address
+    #
+    addr=$($IP -f inet6 addr show $1 2> /dev/null | grep 'inet6 .* global' | head -n1)
+    #
+    # If there wasn't one, bail out now
+    #
+    [ -n "$addr" ] || startup_error "Can't determine the IPv6 address of $1"
+    #
+    # Strip off the trailing VLSM mask (or the peer IP in case of a P-t-P link)
+    # along with everything else on the line
+    #
+    echo $addr | sed 's/\s*inet6 //;s/\/.*//;s/ peer.*//'
+}
+
+find_first_interface_address_if_any() # $1 = interface
+{
+    #
+    # get the line of output containing the first IP address
+    #
+    addr=$($IP -f inet6 addr show $1 2> /dev/null | grep 'inet6 2.* global' | head -n1)
+    #
+    # Strip off the trailing VLSM mask (or the peer IP in case of a P-t-P link)
+    # along with everything else on the line
+    #
+    [ -n "$addr" ] && echo $addr | sed 's/\s*inet6 //;s/\/.*//;s/ peer.*//' || echo ::
+}
+
+#
+# Internal version of 'which'
+#
+mywhich() {
+    local dir
+
+    for dir in $(split $PATH); do
+	if [ -x $dir/$1 ]; then
+	    echo $dir/$1
+	    return 0
+	fi
+    done
+
+    return 2
+}
+
+#
+# Find a File -- For relative file name, look in each ${CONFIG_PATH} then ${CONFDIR}
+#
+find_file()
+{
+    local saveifs
+    saveifs=
+    local directory
+
+    case $1 in
+	/*)
+	    echo $1
+	    ;;
+	*)
+	    for directory in $(split $CONFIG_PATH); do
+		if [ -f $directory/$1 ]; then
+		    echo $directory/$1
+		    return
+		fi
+	    done
+
+	    echo ${CONFDIR}/$1
+	    ;;
+    esac
+}
+
+#
+# Set the Shorewall state
+#
+set_state () # $1 = state
+{
+    echo "$1 ($(date))" > ${VARDIR}/state
+}
+
+#
+# Perform variable substitution on the passed argument and echo the result
+#
+expand() # $@ = contents of variable which may be the name of another variable
+{
+    eval echo \"$@\"
+}
+
+#
+# Function for including one file into another
+#
+INCLUDE() {
+    . $(find_file $(expand $@))
+}
+
+# Function to truncate a string -- It uses 'cut -b -<n>'
+# rather than ${v:first:last} because light-weight shells like ash and
+# dash do not support that form of expansion.
+#
+
+truncate() # $1 = length
+{
+    cut -b -${1}
+}
--- a/Shorewall6/shorewall6
+++ b/Shorewall6/shorewall6
@@ -62,19 +62,17 @@ get_config() {

    ensure_config_path
    
-    if [ -z "$EXPORT" -a "$(id -u)" = 0 ]; then
+    if [ -z "$g_export" -a "$(id -u)" = 0 ]; then
 	#
 	# This block is avoided for compile for export and when the user isn't root
 	#
-	export CONFIG_PATH
-
 	if [ "$3" = Yes ]; then
 	    [ -z "$LOGFILE" ] && LOGFILE=/var/log/messages

 	    if [ -n "$(syslog_circular_buffer)" ]; then
-		LOGREAD="logread | tac"
+		g_logread="logread | tac"
 	    elif [ -r $LOGFILE ]; then
-		LOGREAD="tac $LOGFILE"
+		g_logread="tac $LOGFILE"
 	    else
 		echo "LOGFILE ($LOGFILE) does not exist!" >&2
 		exit 2
@@ -94,8 +92,6 @@ get_config() {
 	    fi
 	fi

-	export IP6TABLES
-
 	#
 	# Compile by non-root needs no restore file
 	#
@@ -103,8 +99,6 @@ get_config() {

 	validate_restorefile RESTOREFILE

-	export RESTOREFILE
-
 	if [ "$2" = Yes ]; then
 	    case $STARTUP_ENABLED in
 		No|no|NO)
@@ -132,8 +126,6 @@ get_config() {

 	[ -n "$LOGFORMAT" ] && LOGFORMAT="${LOGFORMAT%%%*}"

-	export LOGFORMAT
-
 	if [ -n "$STARTUP_LOG" ]; then
 	    if [ -n "$LOG_VERBOSITY" ]; then
 		case $LOG_VERBOSITY in
@@ -178,17 +170,15 @@ get_config() {
 	    ;;
    esac

-    [ -n "$USE_VERBOSITY" ] && VERBOSE=$USE_VERBOSITY || VERBOSE=$(($VERBOSE_OFFSET + $VERBOSITY))
+    [ -n "$g_use_verbosity" ] && VERBOSITY=$g_use_verbosity || VERBOSITY=$(($g_verbose_offset + $VERBOSITY))

-    if [ $VERBOSE -lt -1 ]; then
-	VERBOSE=-1
-    elif [ $VERBOSE -gt 2 ]; then
-	VERBOSE=2
+    if [ $VERBOSITY -lt -1 ]; then
+	VERBOSITY=-1
+    elif [ $VERBOSITY -gt 2 ]; then
+	VERBOSITY=2
    fi

-    export VERBOSE
-
-    [ -n "${HOSTNAME:=$(hostname)}" ]
+    g_hostname=$(hostname 2> /dev/null)

    [ -n "$RSH_COMMAND" ] || RSH_COMMAND='ssh ${root}@${system} ${command}'
    [ -n "$RCP_COMMAND" ] || RCP_COMMAND='scp ${files} ${root}@${system}:${destination}'
@@ -262,7 +252,6 @@ compiler() {
    #
    ensure_config_path

-    compiler=perl
    haveparams=

    case $COMMAND in
@@ -277,8 +266,8 @@ compiler() {
    [ $command = exec ] || command=
    
    debugflags="-w"
-    [ -n "$DEBUG" ]   && debugflags='-wd'
-    [ -n "$PROFILE" ] && debugflags='-wd:DProf'
+    [ -n "$g_debug" ]   && debugflags='-wd'
+    [ -n "$g_profile" ] && debugflags='-wd:DProf'

    # Perl compiler only takes the output file as a argument
 	    
@@ -286,16 +275,16 @@ compiler() {
    [ "$1" = nolock ] && shift;
    shift 

-    options="--verbose=$VERBOSE --family=6"
+    options="--verbose=$VERBOSITY --family=6"
    [ -n "$STARTUP_LOG" ] && options="$options --log=$STARTUP_LOG"
    [ -n "$LOG_VERBOSITY" ] && options="$options --log_verbosity=$LOG_VERBOSITY";
-    [ -n "$EXPORT" ] && options="$options --export"
+    [ -n "$g_export" ] && options="$options --export"
    [ -n "$SHOREWALL_DIR" ] && options="$options --directory=$SHOREWALL_DIR"
-    [ -n "$TIMESTAMP" ] && options="$options --timestamp"
-    [ -n "$TEST" ] && options="$options --test"
-    [ -n "$PREVIEW" ] && options="$options --preview"
-    [ "$debugging" = trace ] && options="$options --debug"
-    [ -n "$REFRESHCHAINS" ] && options="$options --refresh=$REFRESHCHAINS"
+    [ -n "$g_timestamp" ] && options="$options --timestamp"
+    [ -n "$g_test" ] && options="$options --test"
+    [ -n "$g_preview" ] && options="$options --preview"
+    [ "$g_debugging" = trace ] && options="$options --debug"
+    [ -n "$g_refreshchains" ] && options="$options --refresh=$g_refreshchains"
    [ -x $pc ] || startup_error "Shorewall6 requires the shorewall package which is not installed"
    #
    # Run the appropriate params file
@@ -323,15 +312,15 @@ start_command() {

 	if [ -n "$AUTOMAKE" ]; then
 	    [ -n "$nolock" ] || mutex_on
-	    ${VARDIR}/firewall $debugging start
+	    run_it ${VARDIR}/firewall $g_debugging start
 	    rc=$?
 	    [ -n "$nolock" ] || mutex_off
 	else
 	    progress_message3 "Compiling..."

-	    if compiler run $debugging $nolock compile ${VARDIR}/.start; then
+	    if compiler run $g_debugging $nolock compile ${VARDIR}/.start; then
 		[ -n "$nolock" ] || mutex_on
-		${VARDIR}/.start $debugging start
+		run_it ${VARDIR}/.start $g_debugging start
 		rc=$?
 		[ -n "$nolock" ] || mutex_off
 	    else
@@ -363,11 +352,11 @@ start_command() {
 			    option=
 			    ;;
 			d*)
-			    DEBUG=Yes
+			    g_debug=Yes
 			    option=${option#d}
 			    ;;
 			f*)
-			    FAST=Yes
+			    g_fast=Yes
 			    option=${option#f}
 			    ;;
 			*)
@@ -387,7 +376,7 @@ start_command() {
 	0)
 	    ;;
 	1)
-	    [ -n "$SHOREWALL_DIR" -o -n "$FAST" ] && usage 2
+	    [ -n "$SHOREWALL_DIR" -o -n "$g_fast" ] && usage 2

 	    if [ ! -d $1 ]; then
 		if [ -e $1 ]; then
@@ -398,7 +387,6 @@ start_command() {
 	    fi

 	    SHOREWALL_DIR=$(resolve_file $1)
-	    export SHOREWALL_DIR
 	    AUTOMAKE=
 	    ;;
 	*)
@@ -406,41 +394,37 @@ start_command() {
 	    ;;
    esac

-    export NOROUTES
-    export PURGE
-
-    if [ -n "${FAST}${AUTOMAKE}" ]; then
+    if [ -n "${g_fast}${AUTOMAKE}" ]; then
 	if qt mywhich make; then
 	    restorefile=$RESTOREFILE
-	    #
-	    # RESTOREFILE is exported by get_config()
-	    #
-	    if [ -z "$FAST" ]; then
+	    if [ -z "$g_fast" ]; then
 		#
 		# Autofast -- use the last compiled script
 		#
 		RESTOREFILE=firewall
 	    fi

-	    if ! make -qf ${CONFDIR}/Makefile; then
-		FAST= 
+	    export RESTOREFILE
+
+	    if make -qf ${CONFDIR}/Makefile; then
+		g_fast=
 		AUTOMAKE=
 	    fi

 	    RESTOREFILE=$restorefile
 	else
-	    FAST=
+	    g_fast=
 	    AUTOMAKE=
 	fi

-	if [ -n "$FAST" ]; then
-	    RESTOREPATH=${VARDIR}/$RESTOREFILE
+	if [ -n "$g_fast" ]; then
+	    g_restorepath=${VARDIR}/$RESTOREFILE

-	    if [ -x $RESTOREPATH ]; then
+	    if [ -x $g_restorepath ]; then
 		echo Restoring Shorewall6...
-		$SHOREWALL_SHELL $RESTOREPATH restore
+		run_it $g_restorepath restore
 		date > ${VARDIR}/restarted
-		progress_message3 Shorewall6 restored from $RESTOREPATH
+		progress_message3 Shorewall6 restored from $g_restorepath
 	    else
 		do_it
 	    fi
@@ -472,19 +456,19 @@ compile_command() {
 		while [ -n "$option" ]; do
 		    case $option in
 			e*)
-			    EXPORT=Yes
+			    g_export=Yes
 			    option=${option#e}
 			    ;;
 			p*)
-			    PROFILE=Yes
+			    g_profile=Yes
 			    option=${option#p}
 			    ;;
 			t*)
-			    TEST=Yes
+			    g_test=Yes
 			    option=${option#t}
 			    ;;			    
 			d*)
-			    DEBUG=Yes;
+			    g_debug=Yes;
 			    option=${option#d}
 			    ;;
 			-)
@@ -525,7 +509,6 @@ compile_command() {
 	    fi

 	    SHOREWALL_DIR=$(resolve_file $1)
-	    export SHOREWALL_DIR
 	    file=$2
 	    ;;
 	*)
@@ -533,11 +516,9 @@ compile_command() {
 	    ;;
    esac

-    export EXPORT
-
    [ "x$file" = x- ] || progress_message3 "Compiling..."

-    compiler exec $debugging compile $file
+    compiler exec $g_debugging compile $file
 }

 #
@@ -560,19 +541,19 @@ check_command() {
 			    option=
 			    ;;
 			e*)
-			    EXPORT=Yes
+			    g_export=Yes
 			    option=${option#e}
 			    ;;
 			p*)
-			    PROFILE=Yes
+			    g_profile=Yes
 			    option=${option#p}
 			    ;;
 			r*)
-			    PREVIEW=Yes;
+			    g_preview=Yes;
 			    option=${option#r}
 			    ;;
 			d*)
-			    DEBUG=Yes;
+			    g_debug=Yes;
 			    option=${option#d}
 			    ;;
 			*)
@@ -603,18 +584,15 @@ check_command() {
 	    fi

 	    SHOREWALL_DIR=$(resolve_file $1)
-	    export SHOREWALL_DIR
 	    ;;
 	*)
 	    usage 1
 	    ;;
    esac

-    export EXPORT
-
    progress_message3 "Checking..."

-    compiler exec $debugging $nolock check
+    compiler exec $g_debugging $nolock check
 }

 #
@@ -640,20 +618,20 @@ restart_command() {
 			    option=
 			    ;;
 			d*)
-			    DEBUG=Yes
+			    g_debug=Yes
 			    option=${option#d}
 			    ;;
 			f*)
-			    FAST=Yes
+			    g_fast=Yes
 			    option=${option#f}
 			    ;;
 			n*)
-			    NOROUTES=Yes
+			    g_noroutes=Yes
 			    option=${option#n}
 			    ;;
 			p*)
 			    [ -n "$(which conntrack)" ] || fatal_error "The '-p' option requires the conntrack utility which does not appear to be installed on this system"
-			    PURGE=Yes
+			    g_purge=Yes
 			    option=${option%p}
 			    ;;
 			*)
@@ -684,8 +662,7 @@ restart_command() {
 	    fi

 	    SHOREWALL_DIR=$(resolve_file $1)
-	    [ -n "$FAST" ] && fatal_error "Directory may not be specified with the -f option"
-	    export SHOREWALL_DIR
+	    [ -n "$g_fast" ] && fatal_error "Directory may not be specified with the -f option"
 	    AUTOMAKE=
 	    ;;
 	*)
@@ -695,27 +672,24 @@ restart_command() {

    [ -n "$STARTUP_ENABLED" ] || fatal_error "Startup is disabled"

-    export NOROUTES
-    export PURGE
-
-    if [ -z "$FAST" -a -n "$AUTOMAKE" ]; then
+    if [ -z "$g_fast" -a -n "$AUTOMAKE" ]; then
 	if qt mywhich make; then
 	    #
 	    # RESTOREFILE is exported by get_config()
 	    #
 	    restorefile=$RESTOREFILE
 	    RESTOREFILE=firewall
-	    make -qf ${CONFDIR}/Makefile && FAST=Yes
+	    make -qf ${CONFDIR}/Makefile && g_fast=Yes
 	    RESTOREFILE=$restorefile
 	fi
    fi

-    if [ -z "$FAST" ]; then  
+    if [ -z "$g_fast" ]; then  
 	progress_message3 "Compiling..."

-	if compiler run $debugging $nolock compile ${VARDIR}/.restart; then
+	if compiler run $g_debugging $nolock compile ${VARDIR}/.restart; then
 	    [ -n "$nolock" ] || mutex_on
-	    $SHOREWALL_SHELL ${VARDIR}/.restart $debugging restart
+	    run_it ${VARDIR}/.restart $g_debugging restart
 	    rc=$?
 	    [ -n "$nolock" ] || mutex_off
 	else
@@ -725,7 +699,7 @@ restart_command() {
    else
 	[ -x ${VARDIR}/firewall ] || fatal_error "No ${VARDIR}/firewall file found"
 	[ -n "$nolock" ] || mutex_on
-	$SHOREWALL_SHELL ${VARDIR}/firewall $debugging restart
+	run_it ${VARDIR}/firewall $g_debugging restart
 	rc=$?
 	[ -n "$nolock" ] || mutex_off
    fi
@@ -766,11 +740,11 @@ refresh_command() {
    done

    if [ $# -gt 0 ]; then
-	REFRESHCHAINS=$1
+	g_refreshchains=$1
 	shift

 	while [ $# -gt 0 ]; do
-	    REFRESHCHAINS="$REFRESHCHAINS,$1"
+	    g_refreshchains="$g_refreshchains,$1"
 	    shift
 	done
    fi
@@ -779,13 +753,11 @@ refresh_command() {

    [ -n "$STARTUP_ENABLED" ] || fatal_error "Startup is disabled"

-    export NOROUTES
-
    progress_message3 "Compiling..."

-    if compiler run $debugging $nolock compile ${VARDIR}/.refresh; then
+    if compiler run $g_debugging $nolock compile ${VARDIR}/.refresh; then
 	[ -n "$nolock" ] || mutex_on
-	$SHOREWALL_SHELL ${VARDIR}/.refresh $debugging refresh
+	run_it ${VARDIR}/.refresh $g_debugging refresh
 	rc=$?
 	[ -n "$nolock" ] || mutex_off
    else
@@ -822,7 +794,7 @@ safe_commands() {
 			    option=
 			    ;;
 			n*)
-			    NOROUTES=Yes
+			    g_noroutes=Yes
 			    option=${option#n}
 			    ;;
 			*)
@@ -853,7 +825,6 @@ safe_commands() {
 	    fi

 	    SHOREWALL_DIR=$(resolve_file $1)
-	    export SHOREWALL_DIR
 	    ;;
 	*)
 	    usage 1
@@ -884,19 +855,19 @@ safe_commands() {

    progress_message3 "Compiling..."

-    if ! compiler run $debugging nolock compile ${VARDIR}/.$command; then
+    if ! compiler run $g_debugging nolock compile ${VARDIR}/.$command; then
 	status=$?
 	exit $status
    fi

    case $command in
 	start)
-	    export RESTOREFILE=NONE
+	    RESTOREFILE=NONE
 	    progress_message3 "Starting..."
 	    ;;
 	restart)
-	    export RESTOREFILE=.safe
-	    RESTOREPATH=${VARDIR}/.safe
+	    RESTOREFILE=.safe
+	    g_restorepath=${VARDIR}/.safe
 	    save_config
 	    progress_message3 "Restarting..."
 	    ;;
@@ -904,7 +875,7 @@ safe_commands() {

    [ -n "$nolock" ] || mutex_on

-    if ${VARDIR}/.$command $command; then
+    if run_it ${VARDIR}/.$command $command; then

 	echo -n "Do you want to accept the new firewall configuration? [y/n] "

@@ -912,9 +883,9 @@ safe_commands() {
 	    echo "New configuration has been accepted"
 	else
 	    if [ "$command" = "restart" ]; then
-		${VARDIR}/.safe restore
+		run_it ${VARDIR}/.safe restore
 	    else
-		${VARDIR}/.$command clear
+		run_it ${VARDIR}/.$command clear
 	    fi
 	    
 	    [ -n "$nolock" ] || mutex_off
@@ -949,7 +920,6 @@ try_command() {
 	fi
 	
 	SHOREWALL_DIR=$(resolve_file $1)
-	export SHOREWALL_DIR
    }

    while [ $finished -eq 0 -a $# -gt 0 ]; do
@@ -965,7 +935,7 @@ try_command() {
 			    option=
 			    ;;
 			n*)
-			    NOROUTES=Yes
+			    g_noroutes=Yes
 			    option=${option#n}
 			    ;;
 			*)
@@ -1021,19 +991,19 @@ try_command() {

    progress_message3 "Compiling..."

-    if ! compiler run $debugging $nolock compile ${VARDIR}/.$command; then
+    if ! compiler run $g_debugging $nolock compile ${VARDIR}/.$command; then
 	status=$?
 	exit $status
    fi

    case $command in
 	start)
-	    export RESTOREFILE=NONE
+	    RESTOREFILE=NONE
 	    progress_message3 "Starting..."
 	    ;;
 	restart)
-	    export RESTOREFILE=.try
-	    RESTOREPATH=${VARDIR}/.try
+	    RESTOREFILE=.try
+	    g_restorepath=${VARDIR}/.try
 	    save_config
 	    progress_message3 "Restarting..."
 	    ;;
@@ -1041,13 +1011,13 @@ try_command() {

    [ -n "$nolock" ] || mutex_on

-    if ${VARDIR}/.$command $command && [ -n "$timeout" ]; then
+    if run_it ${VARDIR}/.$command $command && [ -n "$timeout" ]; then
 	sleep $timeout
 	    
 	if [ "$command" = "restart" ]; then
-	    ${VARDIR}/.try restore
+	    run_it ${VARDIR}/.try restore
 	else
-	    ${VARDIR}/.$command clear
+	    run_it ${VARDIR}/.$command clear
 	fi	    
    fi

@@ -1094,7 +1064,7 @@ reload_command() # $* = original arguments less the command.
    local compiler
    compiler=

-    LITEDIR=/var/lib/shorewall6-lite
+    litedir=/var/lib/shorewall6-lite

    while [ $finished -eq 0 -a $# -gt 0 ]; do
 	option=$1
@@ -1149,9 +1119,9 @@ reload_command() # $* = original arguments less the command.
 	    ;;
    esac

-    litedir=$(rsh_command /sbin/shorewall6-lite show config 2> /dev/null | grep ^LITEDIR | sed 's/LITEDIR is //')
+    temp=$(rsh_command /sbin/shorewall6-lite show config 2> /dev/null | grep ^LITEDIR | sed 's/LITEDIR is //')

-    [ -n "$litedir" ] && LITEDIR=$litedir
+    [ -n "$temp" ] && litedir=$temp

    if [ -z "$getcaps" ]; then
 	SHOREWALL_DIR=$(resolve_file $directory)
@@ -1174,11 +1144,11 @@ reload_command() # $* = original arguments less the command.

    file=$(resolve_file $directory/firewall)

-    [ -n "$TIMESTAMP" ] && timestamp='-t' || timestamp=
+    [ -n "$g_timestamp" ] && timestamp='-t' || timestamp=

-    if shorewall6 $debugging $verbose $timestamp compile -e $compiler $directory $directory/firewall && \
-	progress_message3 "Copying $file and ${file}.conf to ${system}:${LITEDIR}..." && \
-	rcp_command "$directory/firewall $directory/firewall.conf" ${LITEDIR}
+    if shorewall6 $g_debugging $verbose $timestamp compile -e $compiler $directory $directory/firewall && \
+	progress_message3 "Copying $file and ${file}.conf to ${system}:${litedir}..." && \
+	rcp_command "$directory/firewall $directory/firewall.conf" ${litedir}
    then
 	save=$(find_file save);

@@ -1186,15 +1156,15 @@ reload_command() # $* = original arguments less the command.

 	progress_message3 "Copy complete"
 	if [ $COMMAND = reload ]; then
-	    rsh_command "/sbin/shorewall6-lite $debugging $verbose $timestamp restart" && \
+	    rsh_command "/sbin/shorewall6-lite $g_debugging $verbose $timestamp restart" && \
 	    progress_message3 "System $system reloaded" || saveit=
 	else
-	    rsh_command "/sbin/shorewall6-lite $debugging $verbose $timestamp start" && \
+	    rsh_command "/sbin/shorewall6-lite $g_debugging $verbose $timestamp start" && \
 	    progress_message3 "System $system loaded" || saveit=
 	fi

 	if [ -n "$saveit" ]; then
-	    rsh_command "/sbin/shorewall6-lite $debugging $verbose $timestamp save" && \
+	    rsh_command "/sbin/shorewall6-lite $g_debugging $verbose $timestamp save" && \
 	    progress_message3 "Configuration on system $system saved"
 	fi
    fi
@@ -1265,7 +1235,7 @@ export_command() # $* = original arguments less the command.

    file=$(resolve_file $directory/firewall)

-    if shorewall6 $debugging $verbose compile -e $compiler $directory $directory/firewall && \
+    if shorewall6 $g_debugging $verbose compile -e $compiler $directory $directory/firewall && \
 	echo "Copying $file and ${file}.conf to ${target#*@}..." && \
 	scp $directory/firewall $directory/firewall.conf $target
    then
@@ -1323,10 +1293,10 @@ usage() # $1 = exit status
 #
 # Execution begins here
 #
-debugging=
+g_debugging=

 if [ $# -gt 0 ] && [ "x$1" = "xdebug" -o "x$1" = "xtrace" ]; then
-    debugging=$1
+    g_debugging=$1
    shift
 fi

@@ -1338,16 +1308,16 @@ if [ $# -gt 0 ] && [ "$1" = "nolock" ]; then
 fi

 SHOREWALL_DIR=
-IPT_OPTIONS="-nv"
-FAST=
-VERBOSE_OFFSET=0
-USE_VERBOSITY=
-NOROUTES=
-PURGE=
-DEBUG=
-EXPORT=
-export TIMESTAMP=
-noroutes=
+g_ipt_options="-nv"
+g_fast=
+g_verbose_offset=0
+g_use_verbosity=
+g_debug=
+g_export=
+
+g_noroutes=
+g_purge=
+g_timestamp=

 finished=0

@@ -1379,52 +1349,52 @@ while [ $finished -eq 0 ]; do
 			shift
 			;;
 		    e*)
-			EXPORT=Yes
+			g_export=Yes
 			option=${option#e}
 			;;
 		    x*)
-			IPT_OPTIONS="-xnv"
+			g_ipt_options="-xnv"
 			option=${option#x}
 			;;
 		    q*)
-			VERBOSE_OFFSET=$(($VERBOSE_OFFSET - 1 ))
+			g_verbose_offset=$(($g_verbose_offset - 1 ))
 			option=${option#q}
 			;;
 		    f*)
-			FAST=Yes
+			g_fast=Yes
 			option=${option#f}
 			;;
 		    v*)
 			option=${option#v}
 			case $option in 
 			    -1*)
-				USE_VERBOSITY=-1
+				g_use_verbosity=-1
 				option=${option#-1}
 				;;
 			    0*)
-				USE_VERBOSITY=0
+				g_use_verbosity=0
 				option=${option#0}
 				;;
 			    1*)
-				USE_VERBOSITY=1
+				g_use_verbosity=1
 				option=${option#1}
 				;;
 			    2*)
-				USE_VERBOSITY=2
+				g_use_verbosity=2
 				option=${option#2}
 				;;
 			    *)
-				VERBOSE_OFFSET=$(($VERBOSE_OFFSET + 1 ))
-				USE_VERBOSITY=
+				g_verbose_offset=$(($g_verbose_offset + 1 ))
+				g_use_verbosity=
 				;;
 			esac
 			;;
 		    n*)
-			NOROUTES=Yes
+			g_noroutes=Yes
 			option=${option#n}
 			;;
 		    t*)
-			TIMESTAMP=Yes
+			g_timestamp=Yes
 			option=${option#t}
 			;;
 		    -)
@@ -1481,7 +1451,7 @@ version_command() {

    [ $# -gt 0 ] && usage 1

-    echo $version
+    echo $SHOREWALL_VERSION

    if [ -n "$all" ]; then
 	if [ -f /usr/share/shorewall/version ]; then
@@ -1494,14 +1464,13 @@ if [ $# -eq 0 ]; then
    usage 1
 fi

-[ -n "$SHOREWALL_DIR" ] && export SHOREWALL_DIR
 PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
-export PATH
 MUTEX_TIMEOUT=

 SHAREDIR=/usr/share/shorewall6
 CONFDIR=/etc/shorewall6
-export PRODUCT="Shorewall6"
+g_product="Shorewall6"
+g_recovering=

 [ -f ${CONFDIR}/vardir ] && . ${CONFDIR}/vardir

@@ -1511,48 +1480,40 @@ if [ ! -f ${VARDIR}/firewall ]; then
    [ -f ${VARDIR}/.restore ] && cp -f ${VARDIR}/.restore ${VARDIR}/firewall 
 fi

-FIREWALL=${VARDIR}/firewall
-LIBRARIES="$SHAREDIR/lib.base $SHAREDIR/lib.cli"
-VERSION_FILE=$SHAREDIR/version
-RECOVERING=
-export RECOVERING
+g_firewall=${VARDIR}/firewall

-for library in $LIBRARIES; do
-    if [ -f $library ]; then
-	. $library
-    else
-	echo "$library does not exist!" >&2
-	exit 2
-    fi
+for library in base cli; do
+    . ${SHAREDIR}/lib.$library
 done

-if [ -f $VERSION_FILE ]; then
-    version=$(cat $VERSION_FILE)
+version_file=$SHAREDIR/version
+if [ -f $version_file ]; then
+    SHOREWALL_VERSION=$(cat $version_file)
 else
    echo "   ERROR: Shorewall6 is not properly installed" >&2
-    echo "	 The file $VERSION_FILE does not exist"  >&2
+    echo "	 The file $version_file does not exist"  >&2
    exit 1
 fi

-banner="Shorewall6-$version Status at $HOSTNAME -"
+banner="Shorewall6-$SHOREWALL_VERSION Status at $g_hostname -"

 case $(echo -e) in
    -e*)
-	RING_BELL="echo \a"
-	ECHO_E="echo"
+	g_ring_bell="echo \a"
+	g_echo_e="echo"
 	;;
    *)
-	RING_BELL="echo -e \a"
-	ECHO_E="echo -e"
+	g_ring_bell="echo -e \a"
+	g_echo_e="echo -e"
 	;;
 esac

 case $(echo -n "Testing") in
    -n*)
-	ECHO_N=
+	g_echo_n=
 	;;
    *)
-	ECHO_N=-n
+	g_echo_n=-n
 	;;
 esac

@@ -1567,19 +1528,17 @@ case "$COMMAND" in
    stop|clear)
 	[ $# -ne 1 ] && usage 1
 	get_config
-	[ -x $FIREWALL ] || fatal_error "Shorewall6 has never been started"
-	export NOROUTES
+	[ -x $g_firewall ] || fatal_error "Shorewall6 has never been started"
 	mutex_on
-	$SHOREWALL_SHELL $FIREWALL $debugging $nolock $COMMAND
+	run_it $g_firewall $g_debugging $nolock $COMMAND
 	mutex_off
 	;;
    reset)
 	get_config
-	export NOROUTES
 	shift
 	mutex_on
-	[ -x $FIREWALL ] || fatal_error "Shorewall6 has never been started"
-	$SHOREWALL_SHELL $FIREWALL $debugging $nolock reset $@
+	[ -x $g_firewall ] || fatal_error "Shorewall6 has never been started"
+	run_it $g_firewall $g_debugging $nolock reset $@
 	mutex_off
 	;;
    compile)
@@ -1621,7 +1580,7 @@ case "$COMMAND" in
 	[ $# -eq 1 ] || usage 1
 	[ "$(id -u)" != 0 ] && fatal_error "ERROR: The status command may only be run by root"
 	get_config
-	echo "Shorewall6-$version Status at $HOSTNAME - $(date)"
+	echo "Shorewall6-$SHOREWALL_VERSION Status at $g_hostname - $(date)"
 	echo
 	if shorewall6_is_started ; then
 	    echo "Shorewall6 is running"
@@ -1661,12 +1620,12 @@ case "$COMMAND" in
 	;;
    logwatch)
 	get_config Yes Yes Yes
-	banner="Shorewall6-$version Logwatch at $HOSTNAME -"
+	banner="Shorewall6-$SHOREWALL_VERSION Logwatch at $g_hostname -"
 	logwatch_command $@
 	;;
    drop)
 	get_config
-	[ -n "$debugging" ] && set -x
+	[ -n "$g_debugging" ] && set -x
 	[ $# -eq 1 ] && usage 1
 	if shorewall6_is_started ; then
 	    [ -n "$nolock" ] || mutex_on
@@ -1678,7 +1637,7 @@ case "$COMMAND" in
 	;;
    logdrop)
 	get_config
-	[ -n "$debugging" ] && set -x
+	[ -n "$g_debugging" ] && set -x
 	[ $# -eq 1 ] && usage 1
 	if shorewall6_is_started ; then
 	    [ -n "$nolock" ] || mutex_on
@@ -1690,7 +1649,7 @@ case "$COMMAND" in
 	;;
    reject|logreject)
 	get_config
-	[ -n "$debugging" ] && set -x
+	[ -n "$g_debugging" ] && set -x
 	[ $# -eq 1 ] && usage 1
 	if shorewall6_is_started ; then
 	    [ -n "$nolock" ] || mutex_on
@@ -1706,7 +1665,7 @@ case "$COMMAND" in
 	;;
    save)
 	get_config
-	[ -n "$debugging" ] && set -x
+	[ -n "$g_debugging" ] && set -x

 	case $# in
 	1)
@@ -1720,7 +1679,7 @@ case "$COMMAND" in
 	    ;;
 	esac

-	RESTOREPATH=${VARDIR}/$RESTOREFILE
+	g_restorepath=${VARDIR}/$RESTOREFILE

 	[ -n "$nolock" ] || mutex_on

@@ -1746,21 +1705,20 @@ case "$COMMAND" in
 	    ;;
 	esac

+	g_restorepath=${VARDIR}/$RESTOREFILE

-	RESTOREPATH=${VARDIR}/$RESTOREFILE
+	if [ -x $g_restorepath ]; then

-	if [ -x $RESTOREPATH ]; then
-
-	    if [ -x ${RESTOREPATH}-ipsets ]; then
-		rm -f ${RESTOREPATH}-ipsets
-		echo "    ${RESTOREPATH}-ipsets removed"
+	    if [ -x ${g_restorepath}-ipsets ]; then
+		rm -f ${g_restorepath}-ipsets
+		echo "    ${g_restorepath}-ipsets removed"
 	    fi

-	    rm -f $RESTOREPATH
-	    rm -f ${RESTOREPATH}-iptables
-	    echo "    $RESTOREPATH removed"
-	elif [ -f $RESTOREPATH ]; then
-	    echo "   $RESTOREPATH exists and is not a saved Shorewall6 configuration"
+	    rm -f $g_restorepath
+	    rm -f ${g_restorepath}-iptables
+	    echo "    $g_restorepath removed"
+	elif [ -f $g_restorepath ]; then
+	    echo "   $g_restorepath exists and is not a saved Shorewall6 configuration"
 	fi
 	rm -f ${VARDIR}/save
 	;;
@@ -1771,7 +1729,7 @@ case "$COMMAND" in
        ;;
    call)
 	get_config
-	[ -n "$debugging" ] && set -x
+	[ -n "$g_debugging" ] && set -x
 	#
 	# Undocumented way to call functions in ${SHAREDIR}/functions directly
 	#
--- a/Shorewall6/shorewall6.spec
+++ b/Shorewall6/shorewall6.spec
@@ -1,6 +1,6 @@
 %define name shorewall6
-%define version 4.4.7
-%define release 2
+%define version 4.4.8
+%define release 0base

 Summary: Shoreline Firewall 6 is an ip6tables-based firewall for Linux systems.
 Name: %{name}
@@ -82,6 +82,7 @@ fi
 %attr(-   ,root,root) /usr/share/shorewall6/functions
 %attr(0644,root,root) /usr/share/shorewall6/lib.base
 %attr(0644,root,root) /usr/share/shorewall6/lib.cli
+%attr(0644,root,root) /usr/share/shorewall6/lib.common
 %attr(0644,root,root) /usr/share/shorewall6/macro.*
 %attr(0644,root,root) /usr/share/shorewall6/modules
 %attr(0644,root,root) /usr/share/shorewall6/helpers
@@ -96,11 +97,17 @@ fi
 %doc COPYING INSTALL changelog.txt releasenotes.txt tunnel ipsecvpn ipv6 Samples6

 %changelog
-* Sun Feb 14 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.7-2
-* Sat Feb 13 2010 Tom Eastep tom@shorewall.net
- Updated to 4.4.7-1
+* Fri Mar 19 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.8-0base
+* Tue Mar 16 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.8-0RC2
+* Mon Mar 08 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.8-0RC1
+* Sun Feb 28 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.8-0Beta2
 * Thu Feb 11 2010 Tom Eastep tom@shorewall.net
+- Updated to 4.4.8-0Beta1
+* Fri Feb 05 2010 Tom Eastep tom@shorewall.net
 - Updated to 4.4.7-0base
 * Tue Feb 02 2010 Tom Eastep tom@shorewall.net
 - Updated to 4.4.7-0RC2
--- a/Shorewall6/uninstall.sh
+++ b/Shorewall6/uninstall.sh
@@ -26,7 +26,7 @@
 #       You may only use this script to uninstall the version
 #       shown below. Simply run this script to remove Shorewall Firewall

-VERSION=4.4.7.2
+VERSION=4.4.8

 usage() # $1 = exit status
 {
@@ -108,6 +108,7 @@ rm -rf /usr/share/shorewall6
 rm -rf /usr/share/shorewall6-*.bkout
 rm -rf /usr/share/man/man5/shorewall6*
 rm -rf /usr/share/man/man8/shorewall6*
+rm -f  /etc/logrotate.d/shorewall6

 echo "Shorewall6 Uninstalled"

--- a/docs/Accounting.xml
+++ b/docs/Accounting.xml
@@ -126,17 +126,19 @@
      <listitem>
        <para><emphasis role="bold">DEST PORT</emphasis> - Destination Port
        number. Service name from <filename>/etc/services</filename> or port
-        number. May only be specified if the protocol is TCP or UDP (6 or 17).
-        If the PROTOCOL is <quote>ipp2p</quote>, then this column is
-        interpreted as an ipp2p option without the leading <quote>--</quote>
-        (default <quote>ipp2p</quote>). For a list of value ipp2p options, as
-        root type <command>iptables -m ipp2p --help</command>.</para>
+        number. May only be specified if the protocol is TCP (6), UDP (17),
+        DCCP (33), SCTP (132) or UDPLITE (136). If the PROTOCOL is
+        <quote>ipp2p</quote>, then this column is interpreted as an ipp2p
+        option without the leading <quote>--</quote> (default
+        <quote>ipp2p</quote>). For a list of value ipp2p options, as root type
+        <command>iptables -m ipp2p --help</command>.</para>
      </listitem>

      <listitem>
        <para><emphasis role="bold">SOURCE PORT</emphasis>- Source Port
        number. Service name from /etc/services or port number. May only be
-        specified if the protocol is TCP or UDP (6 or 17).</para>
+        specified if the protocol is TCP (6), UDP (17), DCCP (33), SCTP (132)
+        or UDPLITE (136).</para>
      </listitem>

      <listitem>
--- a/docs/Build.xml
+++ b/docs/Build.xml
@@ -265,7 +265,7 @@
        </varlistentry>
      </variablelist>

-      <para>The scripts assume that there will be a separete <firstterm>build
+      <para>The scripts assume that there will be a separate <firstterm>build
      directory</firstterm> per major release. To build a release, you cd to
      the appropriate directory and run the build script.</para>

@@ -391,8 +391,8 @@
    <section>
      <title>upload44</title>

-      <para>This script is used to upload a release to lists.shorewall.net.
-      The command is run in the build directory for the major release of the
+      <para>This script is used to upload a release to www1.shorewall.net. The
+      command is run in the build directory for the major release of the
      product.</para>

      <blockquote>
@@ -463,10 +463,10 @@
        <para><command>upload44 4.3.7</command></para>
      </blockquote>

-      <para>Example 2 - Upload shorewall-perl-4.3.7.3:</para>
+      <para>Example 2 - Upload shorewall-4.3.7.3:</para>

      <blockquote>
-        <para><command>upload44 -p 4.3.7.3</command></para>
+        <para><command>upload44 -c 4.3.7.3</command></para>
      </blockquote>
    </section>
  </section>
--- a/docs/FAQ.xml
+++ b/docs/FAQ.xml
@@ -1186,7 +1186,8 @@ to debug/develop the newnat interface.</programlisting></para>
 LOGBURST=""</programlisting>

      <para>It is also possible to <ulink url="shorewall_logging.html">set up
-      Shorewall to log all of its messages to a separate file</ulink>.</para>
+      Shorewall to log all of Netfilter's messages to a separate
+      file</ulink>.</para>

      <section id="faq6a">
        <title>(FAQ 6a) Are there any log parsers that work with
@@ -1203,33 +1204,35 @@ LOGBURST=""</programlisting>
        </literallayout>

        <para>I personally use <ulink
-        url="http://www.logwatch.org">Logwatch</ulink>. It emails me a report
-        each day from my various systems with each report summarizing the
-        logged activity on the corresponding system. I use the brief report
-        format; here's a sample:</para>
+        url="http://www.cert.uni-stuttgart.de.projects/fwlogwatch">fwlogwatch</ulink>.
+        It emails me a report each day from my various systems with each
+        report summarizing the logged activity on the corresponding system;
+        here's a sample:</para>

        <blockquote>
-          <programlisting> --------------------- iptables firewall Begin ------------------------ 
+          <programlisting>fwlogwatch summary
+Generated Tuesday March 02 08:14:37 PST 2010 by root.
+362 (and 455 older than 86400 seconds) of 817 entries in the file "/var/log/ulog/syslogemu.log" are packet logs, 138 have unique characteristics.
+First packet log entry: Mar 01 08:16:06, last: Mar 02 08:06:21.
+All entries were logged by the same host: "gateway".
+All entries have the same target: "-".
+Only entries with a count of at least 5 are shown.

- Dropped 111 packets on interface eth0
-   From 58.20.162.142 - 5 packets to tcp(1080) 
-   From 62.163.19.50 - 1 packet to udp(6348) 
-   From 66.111.45.60 - 9 packets to tcp(192) 
-   From 69.31.82.50 - 18 packets to tcp(3128) 
-   From 72.232.183.102 - 2 packets to tcp(3128) 
-   From 82.96.96.3 - 6 packets to tcp(808,1080,1978,7600,65506) 
-   From 128.48.51.209 - 5 packets to tcp(143) 
-   From 164.77.223.150 - 12 packets to tcp(873) 
-   From 165.233.109.23 - 8 packets to tcp(22) 
-   From 202.99.172.175 - 4 packets to udp(2,4081) 
-   From 206.59.41.101 - 2 packets to tcp(5900) 
-   From 217.91.30.224 - 24 packets to tcp(873) 
-   From 218.87.47.114 - 6 packets to tcp(3128) 
-   From 220.110.219.234 - 4 packets to tcp(22) 
-   From 220.133.116.173 - 5 packets to tcp(3128) 
- 
- ---------------------- iptables firewall End -------------------------</programlisting>
+net-dmz DROP  eth2 36 packets from 61.158.162.9 to 206.124.146.177
+net-fw DROP  eth0 21 packets from 89.163.162.13 to 76.104.233.98
+net-fw DROP  eth0 19 packets from 61.184.101.46 to 76.104.233.98
+net-fw DROP  eth0 12 packets from 81.157.214.103 to 76.104.233.98
+net-fw DROP  eth0 11 packets from 174.37.159.222 to 76.104.233.98
+net-fw DROP  eth0 10 packets from 221.195.73.86 to 76.104.233.98
+net-dmz DROP  eth2 9 packets from 202.199.158.6 to 206.124.146.177
+net-fw DROP  eth2 9 packets from 202.199.158.6 to 206.124.146.176
+net-dmz DROP  eth2 9 packets from 202.199.158.6 to 206.124.146.178
+net-fw DROP  eth0 6 packets from 221.192.199.35 to 76.104.233.98
+net-fw DROP  eth2 5 packets from 61.158.162.9 to 206.124.146.177</programlisting>
        </blockquote>
+
+        <para>Fwlogwatch contains a built-in web server that allows monitoring
+        recent activity in summary fashion.</para>
      </section>

      <section id="faq6b">
@@ -1252,6 +1255,17 @@ DROP      net       fw      udp      10619</programlisting>
 -                       udp             10619</programlisting>
      </section>

+      <section id="faq6c">
+        <title>(FAQ 6c) cat /proc/sys/kernel/prink returns '4 4 1 7' and still
+        I get dmesg filled up</title>
+
+        <para><emphasis role="bold">Answer</emphasis>: While we would argue
+        that 'dmesg filled up' is not necessarily a problem, the only way to
+        eliminate that is to <ulink url="shorewall_logging.html">set up
+        Shorewall to log all of Netfilter's messages to a separate
+        file</ulink>.</para>
+      </section>
+
      <section id="faq6d">
        <title>(FAQ 6d) Why is the MAC address in Shorewall log messages so
        long? I thought MAC addresses were only 6 bytes in length.</title>
@@ -2184,7 +2198,15 @@ We have an error talking to the kernel
      <para><emphasis role="bold">Answer:</emphasis> At the shell prompt,
      type:</para>

-      <programlisting><command>/sbin/shorewall[-lite] version</command>      </programlisting>
+      <programlisting><command>/sbin/shorewall[-lite] version -a</command>     </programlisting>
+
+      <section id="faq25a">
+        <title>(FAQ 25a) It says 4.4.7.5; how do I know if it is
+        Shorewall-shell or Shorewall-perl?</title>
+
+        <para><emphasis role="bold">Answer</emphasis>: It is Shorewall-perl.
+        Shorewall-shell is discontinued in Shorewall 4.4.</para>
+      </section>
    </section>

    <section id="faq31">
--- a/docs/Install.xml
+++ b/docs/Install.xml
@@ -150,7 +150,20 @@
      <listitem>
        <para>Type:</para>

-        <programlisting><command>./install.sh</command></programlisting>
+        <programlisting><command>./install.sh </command></programlisting>
+
+        <para>or if you are installing Shorewall or Shorewall6 version 4.4.8
+        or later, you may type:</para>
+
+        <programlisting><command>./install.sh -s</command></programlisting>
+
+        <para>The <emphasis role="bold">-s</emphasis> option supresses
+        installation of all files in <filename
+        class="directory">/etc/shorewall</filename> except
+        <filename>shorewall.conf</filename>. You can copy any other files you
+        need from one of the <ulink url="GettingStarted.html">Samples</ulink>
+        or from <filename
+        class="directory">/usr/share/shorewall/configfiles/</filename>.</para>
      </listitem>

      <listitem>
@@ -321,6 +334,19 @@ Pin-Priority: 700</programlisting><emphasis role="bold"><emphasis>Then
        <para>Type:</para>

        <programlisting><command>./install.sh</command></programlisting>
+
+        <para>or if you are installing Shorewall or Shorewall6 version 4.4.8
+        or later, you may type:</para>
+
+        <programlisting><command>./install.sh -s</command></programlisting>
+
+        <para>The <emphasis role="bold">-s</emphasis> option supresses
+        installation of all files in <filename
+        class="directory">/etc/shorewall</filename> except
+        <filename>shorewall.conf</filename>. You can copy any other files you
+        need from one of the <ulink url="GettingStarted.html">Samples</ulink>
+        or from <filename
+        class="directory">/usr/share/shorewall/configfiles/</filename>.</para>
      </listitem>

      <listitem>
--- a/docs/OpenVZ.xml
+++ b/docs/OpenVZ.xml
@@ -506,4 +506,316 @@ net         ipv4</programlisting>
 net     <emphasis role="bold">venet0 </emphasis>         detect          dhcp,tcpflags,logmartians,nosmurfs</programlisting>
    </section>
  </section>
+
+  <section>
+    <title>Working Example Using a Bridge</title>
+
+    <para>This is the configuration at shorewall.net during the spring of
+    2010. Rather than using the venet0 configuration shown above, this
+    configuration uses a bridge in preparation for adding IPv6 support in the
+    DMZ. The eth0 interface in each of the containers is statically configured
+    using the distributions' configuration tools
+    (<filename>/etc/network/interfaces</filename> on Debian and Yast on
+    OpenSuSE).</para>
+
+    <para>The network diagram is shown below.</para>
+
+    <graphic fileref="images/Network2010.png" />
+
+    <para>The two systems shown in the green box are OpenVZ Virtual
+    Environments (containers).</para>
+
+    <section>
+      <title>Bridge Configuration</title>
+
+      <para>The following stanza in /etc/network/interfaces on the host
+      configures the bridge.</para>
+
+      <programlisting>auto vzbr0
+iface vzbr0 inet static
+      pre-up /usr/sbin/brctl addbr vzbr0
+      address 206.124.146.176
+      network 206.124.146.176
+      broadcast 206.124.146.176
+      netmask 255.255.255.255
+      post-down /usr/sbin/brctl delbr br0
+</programlisting>
+    </section>
+
+    <section>
+      <title>OpenVZ Configuration</title>
+
+      <para>In the files below, items in <emphasis role="bold">bold
+      font</emphasis> show the changes from the preceeding example.</para>
+
+      <para><filename>/etc/vz/conf</filename> (long lines folded for
+      clarity).</para>
+
+      <programlisting>## Global parameters
+VIRTUOZZO=yes
+LOCKDIR=/var/lib/vz/lock
+DUMPDIR=/var/lib/vz/dump
+VE0CPUUNITS=1000
+
+## Logging parameters
+LOGGING=yes
+LOGFILE=/var/log/vzctl.log
+LOG_LEVEL=0
+VERBOSE=0
+
+## Disk quota parameters
+DISK_QUOTA=no
+VZFASTBOOT=no
+
+# The name of the device whose ip address will be used as source ip for VE.
+# By default automatically assigned.
+VE_ROUTE_SRC_DEV="eth3"
+
+# Controls which interfaces to send ARP requests and modify APR tables on.
+NEIGHBOUR_DEVS=detect
+
+## Template parameters
+TEMPLATE=/var/lib/vz/template
+
+## Defaults for VEs
+VE_ROOT=/home/vz/root/$VEID
+VE_PRIVATE=/home/vz/private/$VEID
+CONFIGFILE="vps.basic"
+#DEF_OSTEMPLATE="fedora-core-4"
+DEF_OSTEMPLATE="debian"
+
+## Load vzwdog module
+VZWDOG="no"
+
+## IPv4 iptables kernel modules
+IPTABLES="iptable_filter iptable_mangle ipt_limit ipt_multiport ipt_tos
+          ipt_TOS ipt_REJECT ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_LOG ipt_length
+          ip_conntrack ip_conntrack_ftp ip_conntrack_irc ipt_conntrack
+          ipt_state ipt_helper iptable_nat  ip_nat_ftp  ip_nat_irc ipt_REDIRECT
+          xt_mac ipt_owner"
+
+## Enable IPv6
+IPV6="no"</programlisting>
+
+      <para><filename>/etc/vz/conf/101.conf</filename>:</para>
+
+      <programlisting>ONBOOT="yes"
+
+# UBC parameters (in form of barrier:limit)
+KMEMSIZE="574890800:589781600"
+LOCKEDPAGES="256:256"
+PRIVVMPAGES="1073741824:2137483648"
+SHMPAGES="21504:21504"
+NUMPROC="240:240"
+PHYSPAGES="0:9223372036854775807"
+VMGUARPAGES="262144:9223372036854775807"
+OOMGUARPAGES="26112:9223372036854775807"
+NUMTCPSOCK="360:360"
+NUMFLOCK="188:206"
+NUMPTY="16:16"
+NUMSIGINFO="256:256"
+TCPSNDBUF="1720320:2703360"
+TCPRCVBUF="1720320:2703360"
+OTHERSOCKBUF="1126080:2097152"
+DGRAMRCVBUF="262144:262144"
+NUMOTHERSOCK="360:360"
+DCACHESIZE="3409920:3624960"
+NUMFILE="9312:9312"
+AVNUMPROC="180:180"
+NUMIPTENT="200:200"
+
+# Disk quota parameters (in form of softlimit:hardlimit)
+DISKSPACE="1048576:1153024"
+DISKINODES="200000:220000"
+QUOTATIME="0"
+
+# CPU fair sheduler parameter
+CPUUNITS="1000"
+
+VE_ROOT="/home/vz/root/$VEID"
+VE_PRIVATE="/home/vz/private/$VEID"
+OSTEMPLATE="suse-11.1-x86_64"
+ORIGIN_SAMPLE="vps.basic"
+HOSTNAME="lists.shorewall.net"
+NAMESERVER="127.0.0.1"
+NAME="lists"
+SEARCHDOMAIN="shorewall.net"
+
+<emphasis role="bold">NETIF="ifname=eth0,mac=00:18:51:22:24:81,host_ifname=veth101.0,host_mac=00:18:51:B6:1A:F1"</emphasis></programlisting>
+
+      <para>This VE is the mail server at shorewall.net (MX and IMAP). Note
+      that some of the memory parameters are set ridiculously large -- I got
+      tired of out-of-memory issues.</para>
+
+      <para><filename>/etc/vz/conf/102.conf</filename> (nearly default
+      configuration on Debian):</para>
+
+      <programlisting>ONBOOT="yes"
+
+# UBC parameters (in form of barrier:limit)
+KMEMSIZE="14372700:14790164"
+LOCKEDPAGES="256:256"
+PRIVVMPAGES="65536:69632"
+SHMPAGES="21504:21504"
+NUMPROC="240:240"
+PHYSPAGES="0:9223372036854775807"
+VMGUARPAGES="33792:9223372036854775807"
+OOMGUARPAGES="26112:9223372036854775807"
+NUMTCPSOCK="360:360"
+NUMFLOCK="188:206"
+NUMPTY="16:16"
+NUMSIGINFO="256:256"
+TCPSNDBUF="1720320:2703360"
+TCPRCVBUF="1720320:2703360"
+OTHERSOCKBUF="1126080:2097152"
+DGRAMRCVBUF="262144:262144"
+NUMOTHERSOCK="360:360"
+DCACHESIZE="3409920:3624960"
+NUMFILE="9312:9312"
+AVNUMPROC="180:180"
+NUMIPTENT="200:200"
+
+# Disk quota parameters (in form of softlimit:hardlimit)
+DISKSPACE="1048576:1153024"
+DISKINODES="200000:220000"
+QUOTATIME="0"
+
+# CPU fair sheduler parameter
+CPUUNITS="1000"
+
+VE_ROOT="/home/vz/root/$VEID"
+VE_PRIVATE="/home/vz/private/$VEID"
+OSTEMPLATE="debian-5.0-amd64-minimal"
+ORIGIN_SAMPLE="vps.basic"
+HOSTNAME="server.shorewall.net"
+NAMESERVER="206.124.146.177"
+NAME="server"
+
+<emphasis role="bold">NETIF="ifname=eth0,mac=00:18:51:22:24:80,host_ifname=veth102.0,host_mac=00:18:51:B6:1A:F0"</emphasis></programlisting>
+
+      <para>This server runs the rest of the services for shorewall.net (web
+      server, ftp server, rsyncd, etc.).</para>
+
+      <para>With a bridged configuration, the VIF for a VE must be added to
+      the bridge when the VE starts. That is accomplished using
+      <firstterm>mount</firstterm> files.</para>
+
+      <para><filename>/etc/vz/conf/101.mount:</filename></para>
+
+      <programlisting><emphasis role="bold">#!/bin/bash
+# This script source VPS configuration files in the same order as vzctl does
+
+# if one of these files does not exist then something is really broken
+[ -f /etc/vz/vz.conf ] || exit 1
+[ -f $VE_CONFFILE ] || exit 1
+
+# source both files. Note the order, it is important
+. /etc/vz/vz.conf
+. $VE_CONFFILE
+
+# Add the VIF to the bridge after VE has started
+{
+  BRIDGE=vzbr0
+  DEV=veth101.0
+  while sleep 1; do
+    /sbin/ifconfig $DEV 0 &gt;/dev/null 2&gt;&amp;1
+    if [ $? -eq 0 ]; then
+      /usr/sbin/brctl addif $BRIDGE $DEV
+      break
+    fi
+  done
+} &amp;</emphasis></programlisting>
+
+      <para><filename>/etc/vz/conf/102.mount:</filename></para>
+
+      <programlisting><emphasis role="bold">#!/bin/bash
+# This script source VPS configuration files in the same order as vzctl does
+
+# if one of these files does not exist then something is really broken
+[ -f /etc/vz/vz.conf ] || exit 1
+[ -f $VE_CONFFILE ] || exit 1
+
+# source both files. Note the order, it is important
+. /etc/vz/vz.conf
+. $VE_CONFFILE
+
+# Add VIF to bridge after VE has started
+{
+  BRIDGE=vzbr0
+  DEV=veth102.0
+  while sleep 1; do
+    /sbin/ifconfig $DEV 0 &gt;/dev/null 2&gt;&amp;1
+    if [ $? -eq 0 ]; then
+      /usr/sbin/brctl addif $BRIDGE $DEV
+      break
+    fi
+  done
+} &amp;</emphasis></programlisting>
+    </section>
+
+    <section>
+      <title>Shorewall Configuration on the Host</title>
+
+      <para>Below are exerpts from the configuration files as they pertain to
+      the OpenVZ environment. Again, bold font indicates change from the prior
+      configuration.</para>
+
+      <para><filename><filename>/etc/shorewall/zones</filename>:</filename></para>
+
+      <programlisting>#ZONE           TYPE            OPTIONS         IN                      OUT
+#                                               OPTIONS                 OPTIONS
+fw              firewall
+net             ipv4            #Internet
+loc             ipv4            #Local wired Zone
+dmz             ipv4            #DMZ
+...</programlisting>
+
+      <para><filename><filename>/etc/shorewall/params</filename>:</filename></para>
+
+      <programlisting>NET_IF=eth3
+INT_IF=eth1
+<emphasis role="bold">VPS_IF=vzbr0</emphasis>
+...</programlisting>
+
+      <para><filename>/etc/shorewall/interfaces</filename>:<programlisting>#ZONE   INTERFACE       BROADCAST               OPTIONS
+net     $NET_IF         detect                  dhcp,blacklist,tcpflags,optional,routefilter=0,nosmurfs,logmartions=0
+loc     $INT_IF         detect                  dhcp,logmartians=1,routefilter=1,nets=(172.20.1.0/24),tcpflags
+dmz     $VPS_IF         detect                  logmartians=0,routefilter=0,nets=(206.124.146.177,206.124.146.178),routeback
+...</programlisting></para>
+
+      <para><filename>/etc/shorewall/proxyarp:</filename></para>
+
+      <programlisting>#ADDRESS        INTERFACE     EXTERNAL   HAVEROUTE   PERSISTENT
+<emphasis role="bold">206.124.146.177 DMZ_IF        eth2       no          yes
+206.124.146.178 DMZ_IF        eth2       no          yes</emphasis></programlisting>
+
+      <para>This is a multi-ISP configuration so entries are required in
+      <filename>/etc/shorewall/route_rules</filename>:</para>
+
+      <programlisting>#SOURCE   DEST                 PROVIDER  PRIORITY
+-         172.20.0.0/24        main      1000
+-         206.124.146.177      main      1001
+-         206.124.146.178      main      1001</programlisting>
+    </section>
+
+    <section>
+      <title>Shorewall Configuration on Server</title>
+
+      <para>I have set up Shorewall on VE 101 (206.124.146.178) just to have
+      an environment to test with. It is a quite vanilla one-interface
+      configuration.</para>
+
+      <para><filename>/etc/shorewall/zones:</filename></para>
+
+      <programlisting>#ZONE       TYPE         OPTIONS           IN                OUT
+#                                          OPTIONS           OPTIONS
+fw          firewall
+net         ipv4</programlisting>
+
+      <para><filename>/etc/shorewall/interfaces:</filename></para>
+
+      <programlisting>#ZONE   INTERFACE       BROADCAST       OPTIONS
+net     <emphasis role="bold">eth0  </emphasis>         detect          dhcp,tcpflags,logmartians,nosmurfs</programlisting>
+    </section>
+  </section>
 </article>
--- a/docs/ReleaseModel.xml
+++ b/docs/ReleaseModel.xml
@@ -28,6 +28,10 @@

      <year>2008</year>

+      <year>2009</year>
+
+      <year>2010</year>
+
      <holder>Thomas M. Eastep</holder>
    </copyright>

@@ -76,7 +80,10 @@
      <listitem>
        <para>Support is available through the <ulink
        url="http://sourceforge.net/mail/?group_id=22587">Mailing List</ulink>
-        for the two most recent Stable Releases.</para>
+        for the two or three most recent Stable Releases. Three releases are
+        supported when the Shorewall release in the Stable Debian distribution
+        is two releases behind the current Shorewall development. In that
+        case, only the minor release in Stable is supported.</para>
      </listitem>

      <listitem>
@@ -123,9 +130,10 @@
      </listitem>

      <listitem>
-        <para>Between minor releases, bug fixes will continue to be made
-        available through the <ulink url="errata.htm">Errata page</ulink> for
-        each major release.</para>
+        <para>Between minor releases, bug fixes are made available via
+        <firstterm>patch releases</firstterm>. A patch release has a
+        four-level identification <emphasis>x.y.z.N</emphasis> where x.y.z is
+        the minor release being fixed and N = 1.2.3...</para>
      </listitem>

      <listitem>
@@ -136,7 +144,7 @@
      </listitem>
    </orderedlist>

-    <para>The currently-supported major releases are and 4.0.x. and
-    4.2.x.</para>
+    <para>The currently-supported major releases are and 4.0.10., 4.2.x. and
+    4.4.x.</para>
  </section>
 </article>
--- a/docs/SplitDNS.xml
+++ b/docs/SplitDNS.xml
@@ -86,6 +86,46 @@

 127.0.0.1       localhost

+<emphasis role="bold">172.20.0.1      openvpn.shorewall.net   openvpn
+172.20.0.2      vpn02.shorewall.net     vpn02
+172.20.0.3      vpn03.shorewall.net     vpn03
+172.20.0.4      vpn04.shorewall.net     vpn04
+172.20.0.5      vpn05.shorewall.net     vpn05
+172.20.0.6      vpn06.shorewall.net     vpn06
+172.20.0.7      vpn07.shorewall.net     vpn07
+172.20.0.8      vpn08.shorewall.net     vpn08
+172.20.0.9      vpn09.shorewall.net     vpn09
+172.20.0.10     vpn10.shorewall.net     vpn10
+172.20.0.11     vpn11.shorewall.net     vpn11
+172.20.0.12     vpn12.shorewall.net     vpn12
+172.20.0.13     vpn13.shorewall.net     vpn13
+172.20.0.14     vpn14.shorewall.net     vpn14
+172.20.0.15     vpn15.shorewall.net     vpn15
+172.20.0.16     vpn16.shorewall.net     vpn16
+
+172.20.1.1      linksys.shorewall.net   linksys
+172.20.1.100    hp8500.shorewall.net    hp8500
+172.20.1.102    ursa.shorewall.net      ursa
+172.20.1.105    tarry.shorewall.net     tarry
+172.20.1.107    teastep.shorewall.net   teastep
+172.20.1.109    hpmini.shorewall.net    hpmini
+
+172.20.1.130    lanursa.shorewall.net   lanursa
+172.20.1.131    wookie.shorewall.net    wookie
+172.20.1.132    tipper.shorewall.net    tipper
+172.20.1.133    nasty.shorewall.net     nasty
+172.20.1.134    ursadog.shorewall.net   ursadog
+172.20.1.135    opensuse.shorewall.net  opensuse
+172.20.1.136    centos.shorewall.net    centos
+172.20.1.137    fedora.shorewall.net    fedora
+172.20.1.138    debian.shorewall.net    debian
+172.20.1.139    archlinux.shorewall.net archlinux
+172.20.1.140    foobar.shorewall.net    foobar
+172.20.1.141    deblap.shorewall.net    deblap
+172.20.1.254    firewall.shorewall.net  firewall
+
+206.124.146.254 blarg.shorewall.net     blarg
+</emphasis>
 # special IPv6 addresses
 ::1             localhost ipv6-localhost ipv6-loopback

@@ -95,24 +135,18 @@ ff00::0         ipv6-mcastprefix
 ff02::1         ipv6-allnodes
 ff02::2         ipv6-allrouters
 ff02::3         ipv6-allhosts
-127.0.0.2       ursa.shorewall.net ursa
-<emphasis role="bold">172.20.1.1      linksys.shorewall.net     linksys
-192.168.0.1     opensuse.shorewall.net    opensuse
-192.168.0.2     debian.shorewall.net      debian
-192.168.0.3     ubuntu.shorewall.net      ubuntu
-192.168.0.4     fedora.shoreawll.net      fedora
-192.168.0.5     opensuse11.shorewall.net  opensuse11
-192.168.0.6     centos.shorewall.net      centos
-192.168.0.7     debian32.shorewall.net    debian32
-192.168.0.8     fedora9.shorewall.net     fedora9</emphasis>
-206.124.146.254 blarg.shorewall.net       blarg
+
+<emphasis role="bold">2002:ce7c:92b4::1       gateway6.shorewall.net  gateway6
+2002:ce7c:92b4:1::2     mail6.shorewall.net     mail6
+2002:ce7c:92b4:1::2     lists6.shorewall.net    lists6
+2002:ce7c:92b4:2::2     server6.shorewall.net   server6</emphasis>
+
 </programlisting></para>
      </listitem>

      <listitem>
-        <para>Configure your local network hosts to use the firewall/router as
-        their DNS server. If your local hosts are configured using DHCP, that
-        is a simple one-line change to the DHCP configuration.</para>
+        <para> If your local hosts are configured using DHCP, that is a simple
+        one-line change to the DHCP configuration.</para>
      </listitem>
    </orderedlist>

@@ -128,8 +162,45 @@ ff02::3         ipv6-allhosts
 linksys.shorewall.net has address 206.124.146.180
 gateway:~ # </programlisting></para>

-    <para>From ubuntu (192.168.0.3):<programlisting>teastep@ubuntu:~$ host linksys
+    <para>From Tipper (192.168.1.132):<programlisting>teastep@tipper:~$ host linksys
 linksys.shorewall.net has address 172.20.1.1
-teastep@ubuntu:~$ </programlisting></para>
+teastep@tipper:~$ </programlisting></para>
+
+    <para>As a bonus, dnsmasq can also act as a DHCP server. Here are some
+    exerpts from the corresponding /etc/dnsmasq.conf:</para>
+
+    <programlisting>interface=eth1
+
+dhcp-range=172.20.1.210,172.20.1.219,24h
+
+dhcp-host=00:11:85:89:da:9b,172.20.1.220
+
+dhcp-host=00:1A:73:DB:8C:35,172.20.1.102
+dhcp-host=00:25:B3:9F:5B:FD,172.20.1.100
+dhcp-host=00:1F:E1:07:53:CA,172.20.1.105
+dhcp-host=00:1F:29:7B:04:04,172.20.1.107
+dhcp-host=00:24:2b:59:96:e2,172.20.1.109
+
+dhcp-host=00:1B:24:CB:2B:CC,172.20.1.130
+dhcp-host=00:21:5a:22:ac:e0,172.20.1.131
+dhcp-host=08:00:27:B1:46:a9,172.20.1.132
+dhcp-host=08:00:27:31:45:83,172.20.1.133
+dhcp-host=08:00:27:28:64:50,172.20.1.134
+dhcp-host=08:00:27:4b:38:88,172.20.1.135
+dhcp-host=08:00:27:f6:4d:65,172.20.1.136
+dhcp-host=08:00:27:dc:cd:94,172.20.1.137
+dhcp-host=08:00:27:0f:d3:8f,172.20.1.138
+dhcp-host=08:00:27:42:9c:01,172.20.1.139
+dhcp-host=08:00:27:5a:6c:d8,172.20.1.140
+dhcp-host=08:00:27:da:96:78,172.20.1.141
+
+dhcp-option=19,0           # option ip-forwarding off
+dhcp-option=44,0.0.0.0     # set netbios-over-TCP/IP nameserver(s) aka WINS server(s)
+dhcp-option=45,0.0.0.0     # netbios datagram distribution server
+dhcp-option=46,8           # netbios node type
+dhcp-option=47             # empty netbios scope.
+
+dhcp-option=option:domain-search,shorewall.net
+</programlisting>
  </section>
-</article>
+</article>
--- a/docs/configuration_file_basics.xml
+++ b/docs/configuration_file_basics.xml
@@ -5,7 +5,7 @@
  <!--$Id$-->

  <articleinfo>
-    <title>Configuration Files Tips and Tricks</title>
+    <title>Configuration Files Tips and Hints</title>

    <authorgroup>
      <author>
@@ -18,7 +18,7 @@
    <pubdate><?dbtimestamp format="Y/m/d"?></pubdate>

    <copyright>
-      <year>2001-2008</year>
+      <year>2001-2010</year>

      <holder>Thomas M. Eastep</holder>
    </copyright>
@@ -611,6 +611,74 @@ SHELL cat /etc/shorewall/rules.d/*.rules</programlisting></para>
    to distinguish them from variables used internally within the Shorewall
    programs</para>

+    <para>The following variable names must be avoided. Those in <emphasis
+    role="bold">bold font</emphasis> must be avoided in all Shorewall
+    versions; those in regular font must be avoided in versions prior to
+    4.4.8.</para>
+
+    <simplelist>
+      <member><emphasis role="bold">Any option from <ulink
+      url="manpages/shorewall.conf.html">shorewall.conf</ulink>
+      (5)</emphasis></member>
+
+      <member><emphasis role="bold">COMMAND</emphasis></member>
+
+      <member><emphasis role="bold">CONFDIR</emphasis></member>
+
+      <member>DEBUG</member>
+
+      <member>ECHO_E</member>
+
+      <member>ECHO_N</member>
+
+      <member>EXPORT</member>
+
+      <member>FAST</member>
+
+      <member>FILEMODE</member>
+
+      <member>HOSTNAME</member>
+
+      <member>IPT_OPTIONS</member>
+
+      <member>NOROUTES</member>
+
+      <member>PREVIEW</member>
+
+      <member>PRODUCT</member>
+
+      <member>PROFILE</member>
+
+      <member>PURGE</member>
+
+      <member>RECOVERING</member>
+
+      <member>RESTOREPATH</member>
+
+      <member>RING_BELL</member>
+
+      <member><emphasis role="bold">SHAREDIR</emphasis></member>
+
+      <member><emphasis role="bold">Any name beginning with SHOREWALL_ or
+      SW_</emphasis></member>
+
+      <member>STOPPING</member>
+
+      <member>TEST</member>
+
+      <member>TIMESTAMP</member>
+
+      <member>USE_VERBOSITY</member>
+
+      <member><emphasis role="bold">VARDIR</emphasis></member>
+
+      <member>VERBOSE</member>
+
+      <member>VERBOSE_OFFSET</member>
+
+      <member>VERSION</member>
+    </simplelist>
+
    <para>Example:</para>

    <blockquote>
@@ -792,7 +860,7 @@ use Shorewall::Config qw/shorewall/;</programlisting>

    <para><emphasis role="bold">Note: </emphasis>The '[' and ']' above are
    meta-characters which indicate that what they enclose is optional and may
-    be omitted. So you may follow PERL with a semicolon ( ':') or you may omit
+    be omitted. So you may follow PERL with a semicolon ( ';') or you may omit
    the semicolon.</para>
  </section>

@@ -1140,9 +1208,9 @@ DNAT       net        loc:192.168.1.3 tcp       4000:4100</programlisting>
    '!' to specify "All ports except these" (e.g., "!80,443").</para>

    <para>Prior to Shorewall 4.4.4, port lists appearing in the <ulink
-    url="manpages/shorewall-routestopped.html">/etc/shorewall/routestopped</ulink>
-    file may specify no more than 15 ports; port ranges appearing in a list
-    count as two ports each.</para>
+    url="manpages/shorewall-routestopped.html">shorewall-routestopped</ulink>
+    (5) file may specify no more than 15 ports; port ranges appearing in a
+    list count as two ports each.</para>
  </section>

  <section id="MAC">
@@ -1186,6 +1254,32 @@ DNAT       net        loc:192.168.1.3 tcp       4000:4100</programlisting>
    </note>
  </section>

+  <section id="RateLimit">
+    <title>Rate Limiting (Rate and Burst)</title>
+
+    <para>Shorewall supports rate limiting in a number of ways. When
+    specifying a rate limit, both a <firstterm>rate</firstterm> and a
+    <firstterm>burst</firstterm> value are given.</para>
+
+    <para>Example from <ulink
+    url="manpages/shorewall.conf.html">shorewall.conf</ulink> (5):</para>
+
+    <simplelist>
+      <member>LOGRATE=10/minute</member>
+
+      <member>LOGBURST=5</member>
+    </simplelist>
+
+    <para>For each logging rule, the first time the rule is reached, the
+    packet will be logged; in fact, since the burst is 5, the first five
+    packets will be logged. After this, it will be 6 seconds (1 minute divided
+    by the rate of 10) before a message will be logged from the rule,
+    regardless of how many packets reach it. Also, every 6 seconds which
+    passes without matching a packet, one of the bursts will be regained; if
+    no packets hit the rule for 30 seconds, the burst will be fully recharged;
+    back where we started.</para>
+  </section>
+
  <section id="Logical">
    <title>Logical Interface Names</title>

--- a/docs/images/Network2010.dia
+++ b/docs/images/Network2010.dia
--- a/docs/images/Network2010.png
+++ b/docs/images/Network2010.png
--- a/docs/shorewall_extension_scripts.xml
+++ b/docs/shorewall_extension_scripts.xml
@@ -391,6 +391,41 @@ esac</programlisting><caution>
        <programlisting>if [ $COMMAND = start ]; then
   ...</programlisting>
      </listitem>
+
+      <listitem>
+        <para>In addition to COMMAND, Shorewall defines three other variables
+        that may be used for locating Shorewall files:</para>
+
+        <itemizedlist>
+          <listitem>
+            <para>CONFDIR - The configuration directory. Will be <filename
+            class="directory">/etc/shorewall</filename>, <filename
+            class="directory">/etc/shorewall6/</filename>, <filename
+            class="directory">/etc/shorewall-lite</filename>, or <filename
+            class="directory">/etc/shorewall6-lite</filename> depending on
+            which product is running.</para>
+          </listitem>
+
+          <listitem>
+            <para>SHAREDIR - The product shared directory. Will be <filename
+            class="directory">/usr/share/shorewall</filename>, <filename
+            class="directory">/usr/share/shorewall6/</filename>, <filename
+            class="directory">/usr/share/shorewall-lite</filename>, or
+            <filename class="directory">/usr/share/shorewall6-lite</filename>
+            depending on which product is running.</para>
+          </listitem>
+
+          <listitem>
+            <para>VARDIR - The product state directory. Defaults <filename
+            class="directory">/usr/share/shorewall</filename>, <filename
+            class="directory">/usr/share/shorewall6/</filename>, <filename
+            class="directory">/usr/share/shorewall-lite</filename>, or
+            <filename class="directory">/usr/share/shorewall6-lite</filename>
+            depending on which product is running, but may be overridden by an
+            entry in ${CONFDIR}/vardir.</para>
+          </listitem>
+        </itemizedlist>
+      </listitem>
    </itemizedlist>

    <para></para>
--- a/manpages/shorewall-accounting.xml
+++ b/manpages/shorewall-accounting.xml
@@ -165,8 +165,8 @@
        <listitem>
          <para>Destination Port number. Service name from services(5) or
          <emphasis>port number</emphasis>. May only be specified if the
-          protocol is <emphasis role="bold">tcp</emphasis> or <emphasis
-          role="bold">udp</emphasis> (6 or 17).</para>
+          protocol is TCP (6), UDP (17), DCCP (33), SCTP (132) or UDPLITE
+          (136).</para>

          <para>You may place a comma-separated list of port names or numbers
          in this column if your kernel and iptables include multiport match
@@ -188,8 +188,8 @@

        <listitem>
          <para>Service name from services(5) or <emphasis>port
-          number</emphasis>. May only be specified if the protocol is TCP or
-          UDP (6 or 17).</para>
+          number</emphasis>. May only be specified if the protocol is TCP (6),
+          UDP (17), DCCP (33), SCTP (132) or UDPLITE (136).</para>

          <para>You may place a comma-separated list of port numbers in this
          column if your kernel and iptables include multiport match
--- a/manpages/shorewall-masq.xml
+++ b/manpages/shorewall-masq.xml
@@ -237,10 +237,10 @@
        [[!]<emphasis>port-name-or-number</emphasis>[,<emphasis>port-name-or-number</emphasis>]...]</term>

        <listitem>
-          <para>If the PROTO column specifies TCP (protocol 6) or UDP
-          (protocol 17) then you may list one or more port numbers (or names
-          from services(5)) separated by commas or you may list a single port
-          range
+          <para>If the PROTO column specifies TCP (6), UDP (17), DCCP (33),
+          SCTP (132) or UDPLITE (136) then you may list one or more port
+          numbers (or names from services(5)) separated by commas or you may
+          list a single port range
          (<emphasis>lowport</emphasis>:<emphasis>highport</emphasis>).</para>

          <para>Where a comma-separated list is given, your kernel and
--- a/manpages/shorewall-params.xml
+++ b/manpages/shorewall-params.xml
@@ -1,4 +1,6 @@
 <?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
+"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
 <refentry>
  <refmeta>
    <refentrytitle>shorewall-params</refentrytitle>
@@ -27,6 +29,73 @@
    to distinguish them from variables used internally within the Shorewall
    programs</para>

+    <para>The following variable names must be avoided. Those in <emphasis
+    role="bold">bold font</emphasis> must be avoided in all Shorewall
+    versions; those in regular font must be avoided in versions prior to
+    4.4.8.</para>
+
+    <simplelist>
+      <member><emphasis role="bold">Any option from <ulink
+      url="shorewall.conf.html">shorewall.conf</ulink> (5)</emphasis></member>
+
+      <member><emphasis role="bold">COMMAND</emphasis></member>
+
+      <member><emphasis role="bold">CONFDIR</emphasis></member>
+
+      <member>DEBUG</member>
+
+      <member>ECHO_E</member>
+
+      <member>ECHO_N</member>
+
+      <member>EXPORT</member>
+
+      <member>FAST</member>
+
+      <member>FILEMODE</member>
+
+      <member>HOSTNAME</member>
+
+      <member>IPT_OPTIONS</member>
+
+      <member>NOROUTES</member>
+
+      <member>PREVIEW</member>
+
+      <member>PRODUCT</member>
+
+      <member>PROFILE</member>
+
+      <member>PURGE</member>
+
+      <member>RECOVERING</member>
+
+      <member>RESTOREPATH</member>
+
+      <member>RING_BELL</member>
+
+      <member><emphasis role="bold">SHAREDIR</emphasis></member>
+
+      <member><emphasis role="bold">Any name beginning with SHOREWALL_ or
+      SW_</emphasis></member>
+
+      <member>STOPPING</member>
+
+      <member>TEST</member>
+
+      <member>TIMESTAMP</member>
+
+      <member>USE_VERBOSITY</member>
+
+      <member><emphasis role="bold">VARDIR</emphasis></member>
+
+      <member>VERBOSE</member>
+
+      <member>VERBOSE_OFFSET</member>
+
+      <member>VERSION</member>
+    </simplelist>
+
    <para>Example params file:</para>

    <programlisting>NET_IF=eth0
@@ -67,4 +136,4 @@ net     eth0            130.252.100.255 routefilter,norfc1918</programlisting>
    shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall-tcrules(5),
    shorewall-tos(5), shorewall-tunnels(5), shorewall-zones(5)</para>
  </refsect1>
-</refentry>
+</refentry>
--- a/manpages/shorewall-rules.xml
+++ b/manpages/shorewall-rules.xml
@@ -891,10 +891,10 @@
          respectively. The <replaceable>name</replaceable> may be chosen by
          the user and specifies a hash table to be used to count matching
          connections. If not give, the name <emphasis
-          role="bold">shorewall</emphasis> is assumed. Where more than one
-          rule specifies the same name, the connections counts for the rules
-          are aggregated and the individual rates apply to the aggregated
-          count.</para>
+          role="bold">shorewallN</emphasis> (where N is a unique integer) is
+          assumed. Where more than one rule specifies the same name, the
+          connections counts for the rules are aggregated and the individual
+          rates apply to the aggregated count.</para>

          <para>Example: <emphasis role="bold">s:ssh:3/min:5</emphasis></para>
        </listitem>
--- a/manpages/shorewall-tcpri.xml
+++ b/manpages/shorewall-tcpri.xml
@@ -84,9 +84,10 @@
        <term>PORT(S) - <replaceable>port</replaceable> [,...]</term>

        <listitem>
-          <para>Optional. May only be given if the the PROTO is tcp (6) or udp
-          (17). A list of one or more port numbers or service names from
-          /etc/services. Port ranges of the form
+          <para>Optional. May only be given if the the PROTO is TCP (6), UDP
+          (17), DCCP (33), SCTP (132) or UDPLITE (136). A list of one or more
+          port numbers or service names from /etc/services. Port ranges of the
+          form
          <replaceable>lowport</replaceable>:<replaceable>highport</replaceable>
          may also be included.</para>
        </listitem>
--- a/manpages/shorewall.conf.xml
+++ b/manpages/shorewall.conf.xml
@@ -935,7 +935,8 @@ net     all  DROP   info</programlisting>then the chain name is 'net2all'
          logged packets. Please see iptables(8) for a description of the
          behavior of these parameters (the iptables option --limit is set by
          LOGRATE and --limit-burst is set by LOGBURST). If both parameters
-          are set empty, no rate-limiting will occur.</para>
+          are set empty, no rate-limiting will occur. If you supply one of
+          these, then you should also supply the other.</para>

          <para>Example:</para>

@@ -1222,6 +1223,10 @@ net     all  DROP   info</programlisting>then the chain name is 'net2all'
                  <para>action chains (user-defined)</para>
                </listitem>

+                <listitem>
+                  <para>'blacklst' chain</para>
+                </listitem>
+
                <listitem>
                  <para>dynamic</para>
                </listitem>
--- a/manpages6/shorewall6-accounting.xml
+++ b/manpages6/shorewall6-accounting.xml
@@ -164,8 +164,8 @@
        <listitem>
          <para>Destination Port number. Service name from services(5) or
          <emphasis>port number</emphasis>. May only be specified if the
-          protocol is <emphasis role="bold">tcp</emphasis> or <emphasis
-          role="bold">udp</emphasis> (6 or 17).</para>
+          protocol is TCP (6), UDP (17), DCCP (33), SCTP (132) or UDPLITE
+          (136).</para>

          <para>You may place a comma-separated list of port names or numbers
          in this column if your kernel and ip6tables include multiport match
@@ -187,8 +187,8 @@

        <listitem>
          <para>Service name from services(5) or <emphasis>port
-          number</emphasis>. May only be specified if the protocol is TCP or
-          UDP (6 or 17).</para>
+          number</emphasis>. May only be specified if the protocol is TCP (6),
+          UDP (17), DCCP (33), SCTP (132) or UDPLITE (136).</para>

          <para>You may place a comma-separated list of port numbers in this
          column if your kernel and ip6tables include multiport match
--- a/manpages6/shorewall6-blacklist.xml
+++ b/manpages6/shorewall6-blacklist.xml
@@ -37,8 +37,9 @@

        <listitem>
          <para>Host address, network address, MAC address, IP address range
-          (if your kernel and ip6tables contain iprange match support) or ipset
-          name prefaced by "+" (if your kernel supports ipset match).</para>
+          (if your kernel and ip6tables contain iprange match support) or
+          ipset name prefaced by "+" (if your kernel supports ipset
+          match).</para>

          <para>MAC addresses must be prefixed with "~" and use "-" as a
          separator.</para>
@@ -67,9 +68,9 @@
        role="bold">-</emphasis>|<emphasis>port-name-or-number</emphasis>[,<emphasis>port-name-or-number</emphasis>]...}</term>

        <listitem>
-          <para>May only be specified if the protocol is TCP (6) or UDP (17).
-          A comma-separated list of destination port numbers or service names
-          from services(5).</para>
+          <para>May only be specified if the protocol is TCP (6), UDP (17),
+          DCCP (33), SCTP (132) or UDPLITE (136). A comma-separated list of
+          destination port numbers or service names from services(5).</para>
        </listitem>
      </varlistentry>
    </variablelist>
--- a/manpages6/shorewall6-params.xml
+++ b/manpages6/shorewall6-params.xml
@@ -29,6 +29,74 @@
    to distinguish them from variables used internally within the Shorewall
    programs</para>

+    <para>The following variable names must be avoided. Those in <emphasis
+    role="bold">bold font</emphasis> must be avoided in all Shorewall
+    versions; those in regular font must be avoided in versions prior to
+    4.4.8.</para>
+
+    <simplelist>
+      <member><emphasis role="bold">Any option from <ulink
+      url="shorewall6.conf.html">shorewall6.conf</ulink>
+      (5)</emphasis></member>
+
+      <member><emphasis role="bold">COMMAND</emphasis></member>
+
+      <member><emphasis role="bold">CONFDIR</emphasis></member>
+
+      <member>DEBUG</member>
+
+      <member>ECHO_E</member>
+
+      <member>ECHO_N</member>
+
+      <member>EXPORT</member>
+
+      <member>FAST</member>
+
+      <member>FILEMODE</member>
+
+      <member>HOSTNAME</member>
+
+      <member>IPT_OPTIONS</member>
+
+      <member>NOROUTES</member>
+
+      <member>PREVIEW</member>
+
+      <member>PRODUCT</member>
+
+      <member>PROFILE</member>
+
+      <member>PURGE</member>
+
+      <member>RECOVERING</member>
+
+      <member>RESTOREPATH</member>
+
+      <member>RING_BELL</member>
+
+      <member><emphasis role="bold">SHAREDIR</emphasis></member>
+
+      <member><emphasis role="bold">Any name beginning with SHOREWALL_ or
+      SW_</emphasis></member>
+
+      <member>STOPPING</member>
+
+      <member>TEST</member>
+
+      <member>TIMESTAMP</member>
+
+      <member>USE_VERBOSITY</member>
+
+      <member><emphasis role="bold">VARDIR</emphasis></member>
+
+      <member>VERBOSE</member>
+
+      <member>VERBOSE_OFFSET</member>
+
+      <member>VERSION</member>
+    </simplelist>
+
    <para>Example params file:</para>

    <programlisting>NET_IF=eth0
--- a/manpages6/shorewall6-rules.xml
+++ b/manpages6/shorewall6-rules.xml
@@ -692,10 +692,10 @@
          respectively. The <replaceable>name</replaceable> may be chosen by
          the user and specifies a hash table to be used to count matching
          connections. If not give, the name <emphasis
-          role="bold">shorewall</emphasis> is assumed. Where more than one
-          POLICY specifies the same name, the connections counts for the rules
-          are aggregated and the individual rates apply to the aggregated
-          count.</para>
+          role="bold">shorewallN</emphasis> (where N is a unique integer) is
+          assumed. Where more than one POLICY specifies the same name, the
+          connections counts for the rules are aggregated and the individual
+          rates apply to the aggregated count.</para>
        </listitem>
      </varlistentry>

--- a/manpages6/shorewall6-tcpri.xml
+++ b/manpages6/shorewall6-tcpri.xml
@@ -84,9 +84,10 @@
        <term>PORT(S) - <replaceable>port</replaceable> [,...]</term>

        <listitem>
-          <para>Optional. May only be given if the the PROTO is tcp (6) or udp
-          (17). A list of one or more port numbers or service names from
-          /etc/services. Port ranges of the form
+          <para>Optional. May only be given if the the PROTO is TCP (6), UDP
+          (17), DCCP (33), SCTP (132) or UDPLITE (136). A list of one or more
+          port numbers or service names from /etc/services. Port ranges of the
+          form
          <replaceable>lowport</replaceable>:<replaceable>highport</replaceable>
          may also be included.</para>
        </listitem>
@@ -152,6 +153,6 @@
    shorewall6-providers(5), shorewall6-route_rules(5),
    shorewall6-routestopped(5), shorewall6-rules(5), shorewall6.conf(5),
    shorewall6-tcinterfaces(5), shorewall6-tos(5), shorewall6-tunnels(5),
-    shorewall6-zones(5) </para>
+    shorewall6-zones(5)</para>
  </refsect1>
 </refentry>
--- a/manpages6/shorewall6.conf.xml
+++ b/manpages6/shorewall6.conf.xml
@@ -812,7 +812,8 @@ net     all  DROP   info</programlisting>then the chain name is 'net2all'
          logged packets. Please see ip6tables(8) for a description of the
          behavior of these parameters (the ip6tables option --limit is set by
          LOGRATE and --limit-burst is set by LOGBURST). If both parameters
-          are set empty, no rate-limiting will occur.</para>
+          are set empty, no rate-limiting will occur. If you supply one of
+          these, then you should also supply the other.</para>

          <para>Example:</para>

@@ -1010,6 +1011,10 @@ net     all  DROP   info</programlisting>then the chain name is 'net2all'
                  <para>action chains (user-defined)</para>
                </listitem>

+                <listitem>
+                  <para>'blacklst' chain</para>
+                </listitem>
+
                <listitem>
                  <para>dynamic</para>
                </listitem>