Merge branch '4.5.1'

Don't complain about SHOREWALL_INIT_SCRIPT
Signed-off-by: Tom Eastep <teastep@shorewall.net>
2012-03-19 10:13:08 -07:00 · 2012-03-19 09:52:55 -07:00 · 2012-03-19 09:22:44 -07:00 · 2012-03-19 09:22:21 -07:00 · 2012-03-19 08:19:32 -07:00 · 2012-03-19 07:46:45 -07:00
78 changed files with 2817 additions and 1072 deletions
--- a/Shorewall-core/install.sh
+++ b/Shorewall-core/install.sh
@@ -30,8 +30,6 @@ usage() # $1 = exit status
    echo "usage: $ME"
    echo "       $ME -v"
    echo "       $ME -h"
-    echo "       $ME -s"
-    echo "       $ME -f"
    exit $1
 }

@@ -87,6 +85,13 @@ install_file() # $1 = source $2 = target $3 = mode
    run_install $T $OWNERSHIP -m $3 $1 ${2}
 }

+cd "$(dirname $0)"
+
+#
+# Load packager's settings if any
+#
+[ -f ../shorewall-pkg.config ] && . ../shorewall-pkg.config
+
 [ -n "$DESTDIR" ] || DESTDIR="$PREFIX"

 #
@@ -98,13 +103,13 @@ T="-T"

 [ -n "${LIBEXEC:=/usr/share}" ]
 [ -n "${PERLLIB:=/usr/share/shorewall}" ]
-MACHOST=

 case "$LIBEXEC" in
    /*)
 	;;
    *)
-	LIBEXEC=/usr/${LIBEXEC}
+	echo "The LIBEXEC setting must be an absolute path name" >&2
+	exit 1
 	;;
 esac

@@ -112,14 +117,41 @@ case "$PERLLIB" in
    /*)
 	;;
    *)
-	PERLLIB=/usr/${PERLLIB}
+	echo "The PERLLIB setting must be an absolute path name" >&2
+	exit 1
 	;;
 esac

 INSTALLD='-D'

-case $(uname) in
-    CYGWIN*)
+if [ -z "$BUILD" ]; then
+    case $(uname) in
+	cygwin*)
+	    BUILD=cygwin
+	    ;;
+	Darwin)
+	    BUILD=apple
+	    ;;
+	*)
+	    if [ -f /etc/debian_version ]; then
+		BUILD=debian
+	    elif [ -f /etc/redhat-release ]; then
+		BUILD=redhat
+	    elif [ -f /etc/slackware-version ] ; then
+		BUILD=slackware
+	    elif [ -f /etc/SuSE-release ]; then
+		BUILD=suse
+	    elif [ -f /etc/arch-release ] ; then
+		BUILD=archlinux
+	    else
+		BUILD=linux
+	    fi
+	    ;;
+    esac
+fi
+
+case $BUILD in
+    cygwin*)
 	if [ -z "$DESTDIR" ]; then
 	    DEST=
 	    INIT=
@@ -127,18 +159,16 @@ case $(uname) in

 	OWNER=$(id -un)
 	GROUP=$(id -gn)
-	CYGWIN=Yes
 	;;
-    Darwin)
+    apple)
 	if [ -z "$DESTDIR" ]; then
 	    DEST=
 	    INIT=
+	    SPARSE=Yes
 	fi

 	[ -z "$OWNER" ] && OWNER=root
 	[ -z "$GROUP" ] && GROUP=wheel
-	MAC=Yes
-        MACHOST=Yes
 	INSTALLD=
 	T=
 	;;
@@ -168,14 +198,6 @@ while [ $finished -eq 0 ]; do
 			echo "Shorewall Firewall Installer Version $VERSION"
 			exit 0
 			;;
-		    a*)
-			ANNOTATED=Yes
-			option=${option#a}
-			;;
-		    p*)
-			ANNOTATED=
-			option=${option#p}
-			;;
 		    *)
 			usage 1
 			;;
@@ -197,43 +219,30 @@ PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
 # Determine where to install the firewall script
 #

+[ -n "$HOST" ] || HOST=$BUILD
+
+case "$HOST" in
+    cygwin)
+	echo "Installing Cygwin-specific configuration..."
+	;;
+    apple)
+	echo "Installing Mac-specific configuration...";
+	;;
+    debian|redhat|slackware|archlinux|linux|suse)
+	;;
+    *)
+	echo "ERROR: Unknown HOST \"$HOST\"" >&2
+	exit 1;
+	;;
+esac
+
 if [ -n "$DESTDIR" ]; then
-    if [ -z "$CYGWIN" ]; then
+    if [ $BUILD != cygwin ]; then
 	if [ `id -u` != 0 ] ; then
 	    echo "Not setting file owner/group permissions, not running as root."
 	    OWNERSHIP=""
 	fi
    fi
-
-    install -d $OWNERSHIP -m 755 ${DESTDIR}/sbin
-    install -d $OWNERSHIP -m 755 ${DESTDIR}${DEST}
-
-    CYGWIN=
-    MAC=
-else
-    if [ -n "$CYGWIN" ]; then
-	echo "Installing Cygwin-specific configuration..."
-    elif [ -n "$MAC" ]; then
-	echo "Installing Mac-specific configuration..."
-    else
-	if [ -f /etc/debian_version ]; then
-	    echo "Installing Debian-specific configuration..."
-	    DEBIAN=yes
-	elif [ -f /etc/redhat-release ]; then
-	    echo "Installing Redhat/Fedora-specific configuration..."
-	    FEDORA=yes
-	elif [ -f /etc/slackware-version ] ; then
-	    echo "Installing Slackware-specific configuration..."
-	    DEST="/etc/rc.d"
-	    MANDIR="/usr/man"
-	    SLACKWARE=yes
-	elif [ -f /etc/arch-release ] ; then
-	    echo "Installing ArchLinux-specific configuration..."
-	    DEST="/etc/rc.d"
-	    INIT="shorewall"
-	    ARCHLINUX=yes
-	fi
-    fi
 fi

 #
@@ -247,7 +256,12 @@ echo "Installing Shorewall Core Version $VERSION"
 # Create /usr/share/shorewall
 #
 mkdir -p ${DESTDIR}${LIBEXEC}/shorewall
-chmod 755 ${DESTDIR}/usr/share/shorewall
+chmod 755 ${DESTDIR}${LIBEXEC}/shorewall
+
+if [ $LIBEXEC != /usr/shorewall/ ]; then
+    mkdir -p ${DESTDIR}/usr/share/shorewall
+    chmod 755 ${DESTDIR}/usr/share/shorewall
+fi
 #
 # Install wait4ifup
 #
@@ -264,7 +278,7 @@ for f in lib.* ; do
    echo "Library ${f#*.} file installed as ${DESTDIR}/usr/share/shorewall/$f"
 done

-if [ -z "$MACHOST" ]; then
+if [ $BUILD != apple ]; then
    eval sed -i \'s\|g_libexec=.\*\|g_libexec=$LIBEXEC\|\' ${DESTDIR}/usr/share/shorewall/lib.cli
    eval sed -i \'s\|g_perllib=.\*\|g_perllib=$PERLLIB\|\' ${DESTDIR}/usr/share/shorewall/lib.cli
 else
--- a/Shorewall-core/lib.cli
+++ b/Shorewall-core/lib.cli
@@ -1112,7 +1112,7 @@ do_dump_command() {
 	echo "   Shorewall $(cat /usr/share/shorewall/version)"
 	echo
    fi
-    
+    show_status
    show_reset
    host=$(echo $g_hostname | sed 's/\..*$//')
    $g_tool -L $g_ipt_options
@@ -1957,6 +1957,8 @@ determine_capabilities() {
    CT_TARGET=
    STATISTIC_MATCH=
    IMQ_TARGET=
+    DSCP_MATCH=
+    DSCP_TARGET=

    chain=fooX$$

@@ -2081,10 +2083,14 @@ determine_capabilities() {
 	qt $g_tool -t mangle -A $chain -j CLASSIFY --set-class 1:1 && CLASSIFY_TARGET=Yes
 	qt $g_tool -t mangle -A $chain -j IPMARK --addr src && IPMARK_TARGET=Yes
 	qt $g_tool -t mangle -A $chain -p tcp -j TPROXY --on-port 0 --tproxy-mark 1 && TPROXY_TARGET=Yes
+	qt $g_tool -t mangle -A $chain -j IMQ --todev 0 && IMQ_TARGET=Yes
+	qt $g_tool -t mangle -A $chain -m dscp --dscp 0 && DSCP_MATCH=Yes
+	qt $g_tool -t mangle -A $chain -j DSCP --set-dscp 0 && DSCP_TARGET=Yes
+
 	qt $g_tool -t mangle -F $chain
 	qt $g_tool -t mangle -X $chain
+	
 	qt $g_tool -t mangle -L FORWARD -n && MANGLE_FORWARD=Yes
-	qt $g_tool -t mangle -A $chain -j IMQ --todev 0 && IMQ_TARGET=Yes
    fi

    qt $g_tool -t raw	    -L -n && RAW_TABLE=Yes
@@ -2267,6 +2273,8 @@ report_capabilities() {
 	report_capability "Condition Match" $CONDITION_MATCH
 	report_capability "Statistic Match" $STATISTIC_MATCH
 	report_capability "IMQ Target" $IMQ_TARGET
+	report_capability "DSCP Match" $DSCP_MATCH
+	report_capability "DSCP Target" $DSCP_TARGET
 	
 	if [ $g_family -eq 4 ]; then
 	    report_capability "iptables -S" $IPTABLES_S
@@ -2354,14 +2362,14 @@ report_capabilities1() {
    report_capability1 CT_TARGET
    report_capability1 STATISTIC_MATCH
    report_capability1 IMQ_TARGET
+    report_capability1 DSCP_MATCH
+    report_capability1 DSCP_TARGET

    echo CAPVERSION=$SHOREWALL_CAPVERSION
    echo KERNELVERSION=$KERNELVERSION
 }

-status_command() {
-    echo "${g_product}-$SHOREWALL_VERSION Status at $g_hostname - $(date)"
-    echo
+show_status() {
    if product_is_started ; then
 	echo "$g_product is running"
 	status=0
@@ -2381,6 +2389,12 @@ status_command() {
 	state=Unknown
    fi
    echo "State:$state"
+}
+
+status_command() {
+    echo "${g_product}-$SHOREWALL_VERSION Status at $g_hostname - $(date)"
+    echo
+    show_status
    echo
    exit $status
 }
--- a/Shorewall-init/install.sh
+++ b/Shorewall-init/install.sh
@@ -86,21 +86,14 @@ install_file() # $1 = source $2 = target $3 = mode
    run_install $T $OWNERSHIP -m $3 $1 ${2}
 }

-[ -n "$DESTDIR" ] || DESTDIR="$PREFIX"
+cd "$(dirname $0)"

-# DEST is the SysVInit script directory
-# INIT is the name of the script in the $DEST directory
-# ARGS is "yes" if we've already parsed an argument
 #
-ARGS=""
+# Load packager's settings if any
+#
+[ -f ../shorewall-pkg.config ] && . ../shorewall-pkg.config

-if [ -z "$DEST" ] ; then
-	DEST="/etc/init.d"
-fi
-
-if [ -z "$INIT" ] ; then
-	INIT="shorewall-init"
-fi
+[ -n "$DESTDIR" ] || DESTDIR="$PREFIX"

 while [ $# -gt 0 ] ; do
    case "$1" in
@@ -116,7 +109,6 @@ while [ $# -gt 0 ] ; do
 	    ;;
    esac
    shift
-    ARGS="yes"
 done

 PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
@@ -127,75 +119,112 @@ case "$LIBEXEC" in
    /*)
 	;;
    *)
-	LIBEXEC=/usr/${LIBEXEC}
+	echo "The LIBEXEC setting must be an absolute path name" >&2
+	exit 1
 	;;
 esac

-#
-# Determine where to install the firewall script
-#
+INITFILE="shorewall-init"

-case $(uname) in
-    Darwin)
-	[ -z "$OWNER" ] && OWNER=root
-	[ -z "$GROUP" ] && GROUP=wheel
+if [ -z "$BUILD" ]; then
+    case $(uname) in
+	cygwin*)
+	    BUILD=cygwin
+	    ;;
+	Darwin)
+	    BUILD=apple
+	    ;;
+	*)
+	    if [ -f /etc/debian_version ]; then
+		BUILD=debian
+	    elif [ -f /etc/redhat-release ]; then
+		BUILD=redhat
+	    elif [ -f /etc/SuSE-release ]; then
+		BUILD=suse
+	    elif [ -f /etc/slackware-version ] ; then
+		BUILD=slackware
+	    elif [ -f /etc/arch-release ] ; then
+		BUILD=archlinux
+	    else
+		BUILD=linux
+	    fi
+	    ;;
+    esac
+fi
+
+[ -n "$OWNER" ] || OWNER=$(id -un)
+[ -n "$GROUP" ] || GROUP=$(id -gn)
+
+case $BUILD in
+    apple)
 	T=
-	;;	
+	;;
+    debian|redhat|suse|slackware|archlinux)
+	;;
    *)
-	[ -z "$OWNER" ] && OWNER=root
-	[ -z "$GROUP" ] && GROUP=root
+	[ -n "$BUILD" ] && echo "ERROR: Unknown BUILD environment ($BUILD)" >&2 || echo "ERROR: Unknown BUILD environment"
+	exit 1
 	;;
 esac

 OWNERSHIP="-o $OWNER -g $GROUP"

+[ -n "$HOST" ] || HOST=$BUILD
+
+case "$HOST" in
+    debian)
+	echo "Installing Debian-specific configuration..."
+	SPARSE=yes
+	;;
+    redhat|redhat)
+	echo "Installing Redhat/Fedora-specific configuration..."
+	[ -n "$INITDIR" ] || INITDIR=/etc/rc.d/init.d
+	;;
+    slackware)
+	echo "Shorewall-init is currently not supported on Slackware" >&2
+	exit 1
+	;;
+    archlinux)
+	echo "Shorewall-init is currently not supported on Arch Linux" >&2
+	exit 1
+	;;
+    suse|suse)
+	echo "Installing SuSE-specific configuration..."
+	;;
+    linux)
+	echo "ERROR: Shorewall-init is not supported on this system" >&2
+	;;
+    *)
+	echo "ERROR: Unsupported HOST distribution: \"$HOST\"" >&2
+	exit 1;
+	;;
+esac
+
+[ -z "$TARGET" ] && TARGET=$HOST
+
+if [ -z "$INITDIR" -a -n "$INITFILE" ] ; then
+    INITDIR="/etc/init.d"
+fi
+
 if [ -n "$DESTDIR" ]; then
    if [ `id -u` != 0 ] ; then
 	echo "Not setting file owner/group permissions, not running as root."
 	OWNERSHIP=""
    fi
    
-    install -d $OWNERSHIP -m 755 ${DESTDIR}${DEST}
-elif [ -f /etc/debian_version ]; then
-    DEBIAN=yes
-elif [ -f /etc/SuSE-release ]; then
-    SUSE=Yes
-elif [ -f /etc/redhat-release ]; then
-    FEDORA=Yes
-elif [ -f /etc/slackware-version ] ; then
-    echo "Shorewall-init is currently not supported on Slackware" >&2
-    exit 1
-#   DEST="/etc/rc.d"
-#   INIT="rc.firewall"
-elif [ -f /etc/arch-release ] ; then
-    echo "Shorewall-init is currently not supported on Arch Linux" >&2
-    exit 1
-#   DEST="/etc/rc.d"
-#   INIT="shorewall-init"
-#   ARCHLINUX=yes
-elif [ -d /etc/sysconfig/network-scripts/ ]; then
-    #
-    # Assume RedHat-based
-    #
-    REDHAT=Yes
-else
-    echo "Unknown distribution: Shorewall-init support is not available" >&2
-    exit 1
+    install -d $OWNERSHIP -m 755 ${DESTDIR}${INITDIR}
 fi

 if [ -z "$DESTDIR" ]; then
-    if [ -f /lib/systemd/system ]; then
+    if [ -d /lib/systemd/system ]; then
 	SYSTEMD=Yes
+	INITFILE=
    fi
 elif [ -n "$SYSTEMD" ]; then
    mkdir -p ${DESTDIR}/lib/systemd/system
+    INITFILE=
 fi

-#
-# Change to the directory containing this script
-#
-cd "$(dirname $0)"
-
 echo "Installing Shorewall Init Version $VERSION"

 #
@@ -207,27 +236,36 @@ else
    first_install="Yes"
 fi

-#
-# Install the Init Script
-#
-if [ -n "$DEBIAN" ]; then
-    install_file init.debian.sh ${DESTDIR}/etc/init.d/shorewall-init 0544
-elif [ -n "$FEDORA" ]; then
-    install_file init.fedora.sh ${DESTDIR}/etc/init.d/shorewall-init 0544
-#elif [ -n "$ARCHLINUX" ]; then
-#    install_file init.archlinux.sh ${DESTDIR}${DEST}/$INIT 0544
-else
-    install_file init.sh ${DESTDIR}${DEST}/$INIT 0544
+if [ -n "$INITFILE" ]; then
+    #
+    # Install the Init Script
+    #
+    case $TARGET in
+	debian)
+	    install_file init.debian.sh ${DESTDIR}${INITDIR}/${INITFILE} 0544
+	    ;;
+	redhat)
+	    install_file init.fedora.sh ${DESTDIR}${INITDIR}/${INITFILE} 0544
+	    ;;
+	*)
+	    install_file init.sh ${DESTDIR}${INITDIR}/${INITFILE} 0544
+	    ;;
+    esac
+
+    echo  "Shorewall-init script installed in ${DESTDIR}${INITDIR}/${INITFILE}"
 fi
-
-echo  "Shorewall Init script installed in ${DESTDIR}${DEST}/$INIT"
-
 #
 # Install the .service file
 #
 if [ -n "$SYSTEMD" ]; then
    run_install $OWNERSHIP -m 600 shorewall-init.service ${DESTDIR}/lib/systemd/system/shorewall-init.service
    echo "Service file installed as ${DESTDIR}/lib/systemd/system/shorewall-init.service"
+    if [ -n "$DESTDIR" ]; then
+	mkdir -p ${DESTDIR}/sbin/
+        chmod 755 ${DESTDIR}/sbin
+    fi
+    run_install $OWNERSHIP -m 700 shorewall-init ${DESTDIR}/sbin/shorewall-init
+    echo "CLI installed as ${DESTDIR}/sbin/shorewall-init"
 fi

 #
@@ -247,10 +285,10 @@ chmod 644 ${DESTDIR}/usr/share/shorewall-init/version
 #
 if [ -z "$DESTDIR" ]; then
    rm -f /usr/share/shorewall-init/init
-    ln -s ${DEST}/${INIT} /usr/share/shorewall-init/init
+    ln -s ${INITDIR}/${INITFILE} /usr/share/shorewall-init/init
 fi

-if [ -n "$DEBIAN" ]; then
+if [ $HOST = debian ]; then
    if [ -n "${DESTDIR}" ]; then
 	mkdir -p ${DESTDIR}/etc/network/if-up.d/
 	mkdir -p ${DESTDIR}/etc/network/if-post-down.d/
@@ -268,7 +306,7 @@ else
 	mkdir -p ${DESTDIR}/etc/sysconfig

 	if [ -z "$RPM" ]; then
-	    if [ -n "$SUSE" ]; then
+	    if [ $HOST = suse ]; then
 		mkdir -p ${DESTDIR}/etc/sysconfig/network/if-up.d
 		mkdir -p ${DESTDIR}/etc/sysconfig/network/if-down.d
 	    else
@@ -294,24 +332,30 @@ if [ -d ${DESTDIR}/etc/NetworkManager ]; then
    install_file ifupdown.sh ${DESTDIR}/etc/NetworkManager/dispatcher.d/01-shorewall 0544
 fi

-if [ -n "$DEBIAN" ]; then
-    install_file ifupdown.sh ${DESTDIR}/etc/network/if-up.d/shorewall 0544
-    install_file ifupdown.sh ${DESTDIR}/etc/network/if-post-down.d/shorewall 0544
-elif [ -n "$SUSE" ]; then
-    install_file ifupdown.sh ${DESTDIR}/etc/sysconfig/network/if-up.d/shorewall 0544
-    install_file ifupdown.sh ${DESTDIR}/etc/sysconfig/network/if-down.d/shorewall 0544
-elif [ -n "$REDHAT" ]; then
-    if [ -f ${DESTDIR}/sbin/ifup-local -o -f ${DESTDIR}/sbin/ifdown-local ]; then
-	echo "WARNING: /sbin/ifup-local and/or /sbin/ifdown-local already exist; up/down events will not be handled"
-    else
-	install_file ifupdown.sh ${DESTDIR}/sbin/ifup-local 0544
-	install_file ifupdown.sh ${DESTDIR}/sbin/ifdown-local 0544
-    fi
-fi
+case $HOST in
+    debian)
+	install_file ifupdown.sh ${DESTDIR}/etc/network/if-up.d/shorewall 0544
+	install_file ifupdown.sh ${DESTDIR}/etc/network/if-post-down.d/shorewall 0544
+	;;
+    suse)
+	if [ -z "$RPM" ]; then
+	    install_file ifupdown.sh ${DESTDIR}/etc/sysconfig/network/if-up.d/shorewall 0544
+	    install_file ifupdown.sh ${DESTDIR}/etc/sysconfig/network/if-down.d/shorewall 0544
+	fi
+	;;
+    redhat)
+	if [ -f ${DESTDIR}/sbin/ifup-local -o -f ${DESTDIR}/sbin/ifdown-local ]; then
+	    echo "WARNING: /sbin/ifup-local and/or /sbin/ifdown-local already exist; up/down events will not be handled"
+	elif [ -z "$DESTDIR" ]; then
+	    install_file ifupdown.sh ${DESTDIR}/sbin/ifup-local 0544
+	    install_file ifupdown.sh ${DESTDIR}/sbin/ifdown-local 0544
+	fi
+	;;
+esac

 if [ -z "$DESTDIR" ]; then
    if [ -n "$first_install" ]; then
-	if [ -n "$DEBIAN" ]; then
+	if [ $HOST = debian ]; then
 	    
 	    update-rc.d shorewall-init defaults

@@ -340,7 +384,7 @@ if [ -z "$DESTDIR" ]; then
 		else
 		    cant_autostart
 		fi
-	    elif [ "$INIT" != rc.firewall ]; then #Slackware starts this automatically
+	    else
 		cant_autostart
 	    fi

@@ -348,7 +392,7 @@ if [ -z "$DESTDIR" ]; then
    fi
 else
    if [ -n "$first_install" ]; then
-	if [ -n "$DEBIAN" ]; then
+	if [ $HOST = debian ]; then
 	    if [ -n "${DESTDIR}" ]; then
 		mkdir -p ${DESTDIR}/etc/rcS.d
 	    fi
@@ -360,31 +404,33 @@ else
 fi

 if [ -f ${DESTDIR}/etc/ppp ]; then
-    if [ -n "$DEBIAN" ] -o -n "$SUSE" ]; then
-	for directory in ip-up.d ip-down.d ipv6-up.d ipv6-down.d; do
-	    mkdir -p ${DESTDIR}/etc/ppp/$directory #SuSE doesn't create the IPv6 directories
-	    cp -fp ${DESTDIR}${LIBEXEC}/shorewall-init/ifupdown ${DESTDIR}/etc/ppp/$directory/shorewall
-	done
-    elif [ -n "$REDHAT" ]; then
-	#
-	# Must use the dreaded ip_xxx.local file
-	#
-	for file in ip-up.local ip-down.local; do
-	    FILE=${DESTDIR}/etc/ppp/$file
-	    if [ -f $FILE ]; then
-		if fgrep -q Shorewall-based $FILE ; then
-		    cp -fp ${DESTDIR}${LIBEXEC}/shorewall-init/ifupdown $FILE
+    case $HOST in
+	debian|suse)
+	    for directory in ip-up.d ip-down.d ipv6-up.d ipv6-down.d; do
+		mkdir -p ${DESTDIR}/etc/ppp/$directory #SuSE doesn't create the IPv6 directories
+		cp -fp ${DESTDIR}${LIBEXEC}/shorewall-init/ifupdown ${DESTDIR}/etc/ppp/$directory/shorewall
+	    done
+	    ;;
+	redhat)
+	    #
+	    # Must use the dreaded ip_xxx.local file
+	    #
+	    for file in ip-up.local ip-down.local; do
+		FILE=${DESTDIR}/etc/ppp/$file
+		if [ -f $FILE ]; then
+		    if fgrep -q Shorewall-based $FILE ; then
+			cp -fp ${DESTDIR}${LIBEXEC}/shorewall-init/ifupdown $FILE
+		    else
+			echo "$FILE already exists -- ppp devices will not be handled"
+			break
+		    fi
 		else
-		    echo "$FILE already exists -- ppp devices will not be handled"
-		    break
+		    cp -fp ${DESTDIR}${LIBEXEC}/shorewall-init/ifupdown $FILE
 		fi
-	    else
-		cp -fp ${DESTDIR}${LIBEXEC}/shorewall-init/ifupdown $FILE
-	    fi
-	done
-    fi
+	    done
+	    ;;
+    esac
 fi
-
 #
 #  Report Success
 #
--- a/Shorewall-init/shorewall-init
+++ b/Shorewall-init/shorewall-init
@@ -0,0 +1,97 @@
+#! /bin/bash
+#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V4.5
+#
+#     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
+#
+#     (c) 2012 - Tom Eastep (teastep@shorewall.net)
+#
+#       On most distributions, this file should be called /etc/init.d/shorewall.
+#
+#       Complete documentation is available at http://shorewall.net
+#
+#       This program is free software; you can redistribute it and/or modify
+#       it under the terms of Version 2 of the GNU General Public License
+#       as published by the Free Software Foundation.
+#
+#       This program is distributed in the hope that it will be useful,
+#       but WITHOUT ANY WARRANTY; without even the implied warranty of
+#       MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+#       GNU General Public License for more details.
+#
+#       You should have received a copy of the GNU General Public License
+#       along with this program; if not, write to the Free Software
+#       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+#########################################################################################
+# check if shorewall-init is configured or not
+if [ -f "/etc/sysconfig/shorewall-init" ]; then
+    . /etc/sysconfig/shorewall-init
+    if [ -z "$PRODUCTS" ]; then
+        echo "ERROR: No products configured" >&2
+	exit 1
+    fi
+else
+    echo "ERROR: /etc/sysconfig/shorewall-init not found" >&2
+    exit 1
+fi
+
+# Initialize the firewall
+shorewall_start () {
+  local PRODUCT
+  local VARDIR
+
+  echo -n "Initializing \"Shorewall-based firewalls\": "
+  for PRODUCT in $PRODUCTS; do
+      VARDIR=/var/lib/$PRODUCT
+      [ -f /etc/$PRODUCT/vardir ] && . /etc/$PRODUCT/vardir 
+      if [ -x ${VARDIR}/firewall ]; then
+	  if ! /sbin/$PRODUCT status > /dev/null 2>&1; then
+	      ${VARDIR}/firewall stop || exit 1
+	  fi
+      fi
+  done
+
+  if [ -n "$SAVE_IPSETS" -a -f "$SAVE_IPSETS" ]; then
+      ipset -R < "$SAVE_IPSETS"
+  fi
+
+  return 0
+}
+
+# Clear the firewall
+shorewall_stop () {
+  local PRODUCT
+  local VARDIR
+
+  echo -n "Clearing \"Shorewall-based firewalls\": "
+  for PRODUCT in $PRODUCTS; do
+      VARDIR=/var/lib/$PRODUCT
+      [ -f /etc/$PRODUCT/vardir ] && . /etc/$PRODUCT/vardir 
+      if [ -x ${VARDIR}/firewall ]; then
+	  ${VARDIR}/firewall clear || exit 1
+      fi
+  done
+
+  if [ -n "$SAVE_IPSETS" ]; then
+      mkdir -p $(dirname "$SAVE_IPSETS")
+      if ipset -S > "${SAVE_IPSETS}.tmp"; then
+	  grep -qE -- '^(-N|create )' "${SAVE_IPSETS}.tmp" && mv -f "${SAVE_IPSETS}.tmp" "$SAVE_IPSETS"
+      fi
+  fi
+
+  return 0
+}
+
+case "$1" in
+  start)
+     shorewall_start
+     ;;
+  stop)
+     shorewall_stop
+     ;;
+  *)
+     echo "Usage: $0 {start|stop}"
+     exit 1
+esac
+
+exit 0
--- a/Shorewall-lite/Makefile
+++ b/Shorewall-lite/Makefile
@@ -12,7 +12,7 @@ $(VARDIR)/${RESTOREFILE}: $(VARDIR)/firewall
 	then \
 	    /sbin/shorewall-lite -q save >/dev/null; \
 	else \
-	    /sbin/shorewall-lite -q restart 2>&1 | tail >&2; \
+	    /sbin/shorewall-lite -q restart 2>&1 | tail >&2; exit 1; \
 	fi

 # EOF
--- a/Shorewall-lite/init.sh
+++ b/Shorewall-lite/init.sh
@@ -76,10 +76,10 @@ command="$1"

 case "$command" in
    start)
-	exec /sbin/shorewall-lite $OPTIONS start $STARTOPTIONS $@
+	exec /sbin/shorewall-lite $OPTIONS start $STARTOPTIONS
 	;;
    restart|reload)
-	exec /sbin/shorewall-lite $OPTIONS restart $RESTARTOPTIONS $@
+	exec /sbin/shorewall-lite $OPTIONS restart $RESTARTOPTIONS
 	;;
    status|stop)
 	exec /sbin/shorewall-lite $OPTIONS $command $@
--- a/Shorewall-lite/install.sh
+++ b/Shorewall-lite/install.sh
@@ -90,6 +90,11 @@ install_file() # $1 = source $2 = target $3 = mode
 #
 cd "$(dirname $0)"

+#
+# Load packager's settings if any
+#
+[ -f ../shorewall-pkg.config ] && . ../shorewall-pkg.config
+
 if [ -f shorewall-lite ]; then
    PRODUCT=shorewall-lite
    Product="Shorewall Lite"
@@ -103,17 +108,6 @@ fi
 #
 # Parse the run line
 #
-# DEST is the SysVInit script directory
-# INIT is the name of the script in the $DEST directory
-#
-if [ -z "$DEST" ] ; then
-	DEST="/etc/init.d"
-fi
-
-if [ -z "$INIT" ] ; then
-	INIT="$PRODUCT"
-fi
-
 while [ $# -gt 0 ] ; do
    case "$1" in
 	-h|help|?)
@@ -138,31 +132,56 @@ case "$LIBEXEC" in
    /*)
 	;;
    *)
-	LIBEXEC=/usr/${LIBEXEC}
+	echo "The LIBEXEC setting must be an absolute path name" >&2
+	exit 1
 	;;
 esac

 #
 # Determine where to install the firewall script
 #
-CYGWIN=
+cygwin=
 INSTALLD='-D'
+INITFILE=$PRODUCT
 T='-T'

-case $(uname) in
-    CYGWIN*)
-	if [ -z "$DESTDIR" ]; then
-	    DEST=
-	    INIT=
-	fi
+if [ -z "$BUILD" ]; then
+    case $(uname) in
+	cygwin*)
+	    BUILD=cygwin
+	    ;;
+	Darwin)
+	    BUILD=apple
+	    ;;
+	*)
+	    if [ -f /etc/debian_version ]; then
+		BUILD=debian
+	    elif [ -f /etc/redhat-release ]; then
+		BUILD=redhat
+	    elif [ -f /etc/SuSE-release ]; then
+		BUILD=suse
+	    elif [ -f /etc/slackware-version ] ; then
+		BUILD=slackware
+	    elif [ -f /etc/arch-release ] ; then
+		BUILD=archlinux
+	    else
+		BUILD=linux
+	    fi
+	    ;;
+    esac
+fi

+case $BUILD in
+    cygwin*)
 	OWNER=$(id -un)
 	GROUP=$(id -gn)
 	;;
-    Darwin)
+    apple)
+	[ -z "$OWNER" ] && OWNER=root
+	[ -z "$GROUP" ] && GROUP=wheel
 	INSTALLD=
 	T=
-	;;	   
+	;;
    *)
 	[ -z "$OWNER" ] && OWNER=root
 	[ -z "$GROUP" ] && GROUP=root
@@ -171,6 +190,45 @@ esac

 OWNERSHIP="-o $OWNER -g $GROUP"

+[ -n "$HOST" ] || HOST=$BUILD
+
+case "$HOST" in
+    cygwin)
+	echo "$PRODUCT is not supported on Cygwin" >&2
+	exit 1
+	;;
+    apple)
+	echo "$PRODUCT is not supported on OS X" >&2
+	exit 1
+	;;
+    debian)
+	echo "Installing Debian-specific configuration..."
+	SPARSE=yes
+	;;
+    redhat)
+	echo "Installing Redhat/Fedora-specific configuration..."
+	[ -n "$INITDIR" ]  || INITDIR=/etc/rc.d/init.d
+	;;
+    slackware)
+	echo "Installing Slackware-specific configuration..."
+	[ -n "$INITDIR" ]  || INITDIR="/etc/rc.d"
+	[ -n "$INITFILE" ] || INITFILE="rc.firewall"
+	[ -n "$MANDIR=" ]  || MANDIR=/usr/man
+	;;
+    archlinux)
+	echo "Installing ArchLinux-specific configuration..."
+	[ -n "$INITDIR" ]  || INITDIR="/etc/rc.d"
+	;;
+    linux|suse)
+	;;
+    *)
+	echo "ERROR: Unknown HOST \"$HOST\"" >&2
+	exit 1;
+	;;
+esac
+
+[ -z "$INITDIR" ] && INITDIR="/etc/init.d"
+
 if [ -n "$DESTDIR" ]; then
    if [ `id -u` != 0 ] ; then
 	echo "Not setting file owner/group permissions, not running as root."
@@ -178,21 +236,13 @@ if [ -n "$DESTDIR" ]; then
    fi
    
    install -d $OWNERSHIP -m 755 ${DESTDIR}/sbin
-    install -d $OWNERSHIP -m 755 ${DESTDIR}${DEST}
-elif [ -d /etc/apt -a -e /usr/bin/dpkg ]; then
-    DEBIAN=yes
-elif [ -f /etc/redhat-release ]; then
-    FEDORA=yes
-elif [ -f /etc/slackware-version ] ; then
-    DEST="/etc/rc.d"
-    INIT="rc.firewall"
-elif [ -f /etc/arch-release ] ; then
-      DEST="/etc/rc.d"
-      INIT="$PRODUCT"
-      ARCHLINUX=yes
-fi
+    install -d $OWNERSHIP -m 755 ${DESTDIR}${DESTFILE}

-if [ -z "$DESTDIR" ]; then
+    if [ -n "$SYSTEMD" ]; then
+	mkdir -p ${DESTDIR}/lib/systemd/system
+	INITFILE=
+    fi
+else
    if [ ! -f /usr/share/shorewall/coreversion ]; then
 	echo "$PRODUCT $VERSION requires Shorewall Core which does not appear to be installed" >&2
 	exit 1
@@ -200,9 +250,8 @@ if [ -z "$DESTDIR" ]; then

    if [ -f /lib/systemd/system ]; then
 	SYSTEMD=Yes
+	INITFILE=
    fi
-elif [ -n "$SYSTEMD" ]; then
-    mkdir -p ${DESTDIR}/lib/systemd/system
 fi

 echo "Installing $Product Version $VERSION"
@@ -222,7 +271,7 @@ else
    rm -rf ${DESTDIR}/etc/$PRODUCT
    rm -rf ${DESTDIR}/usr/share/$PRODUCT
    rm -rf ${DESTDIR}/var/lib/$PRODUCT
-    [ "$LIBEXEC" = /usr/share ] || rm -rf /usr/share/$PRODUCT/wait4ifup /usr/share/$PRODUCT/shorecap
+    [ "$LIBEXEC" = /usr/share ] || rm -rf ${DESTDIR}/usr/share/$PRODUCT/wait4ifup ${DESTDIR}/usr/share/$PRODUCT/shorecap
 fi

 #
@@ -240,21 +289,6 @@ install_file $PRODUCT ${DESTDIR}/sbin/$PRODUCT 0544

 echo "$Product control program installed in ${DESTDIR}/sbin/$PRODUCT"

-#
-# Install the Firewall Script
-#
-if [ -n "$DEBIAN" ]; then
-    install_file init.debian.sh ${DESTDIR}/etc/init.d/$PRODUCT 0544
-elif [ -n "$FEDORA" ]; then
-    install_file init.fedora.sh ${DESTDIR}/etc/init.d/$PRODUCT 0544
-elif [ -n "$ARCHLINUX" ]; then
-    install_file init.archlinux.sh ${DESTDIR}/${DEST}/$INIT 0544
-else
-    install_file init.sh ${DESTDIR}/${DEST}/$INIT 0544
-fi
-
-echo  "$Product script installed in ${DESTDIR}${DEST}/$INIT"
-
 #
 # Create /etc/$PRODUCT, /usr/share/$PRODUCT and /var/lib/$PRODUCT if needed
 #
@@ -269,8 +303,28 @@ chmod 755 ${DESTDIR}/usr/share/$PRODUCT
 if [ -n "$DESTDIR" ]; then
    mkdir -p ${DESTDIR}/etc/logrotate.d
    chmod 755 ${DESTDIR}/etc/logrotate.d
+    mkdir -p ${DESTDIR}${INITDIR}
+    chmod 755 ${DESTDIR}${INITDIR}
 fi

+if [ -n "$INITFILE" ]; then
+    case $TARGET in
+	debian)
+	    install_file init.debian.sh ${DESTDIR}${INITDIR}/${INITFILE} 0544
+	    ;;
+	redhat)
+	    install_file init.fedora.sh ${DESTDIR}${INITDIR}/${INITFILE} 0544
+	    ;;
+	archlinux)
+	    install_file init.archlinux.sh ${DESTDIR}${INITDIR}/${INITFILE} 0544
+	    ;;
+	*)
+	    install_file init.sh ${DESTDIR}${INITDIR}/${INITFILE} 0544
+	    ;;
+    esac
+
+    echo  "$Product init script installed in ${DESTDIR}${INITDIR}/${INITFILE}"
+fi
 #
 # Install the .service file
 #
@@ -287,7 +341,7 @@ if [ ! -f ${DESTDIR}/etc/$PRODUCT/$PRODUCT.conf ]; then
   echo "Config file installed as ${DESTDIR}/etc/$PRODUCT/$PRODUCT.conf"
 fi

-if [ -n "$ARCHLINUX" ] ; then
+if [ $HOST = archlinux ] ; then
   sed -e 's!LOGFILE=/var/log/messages!LOGFILE=/var/log/messages.log!' -i ${DESTDIR}/etc/$PRODUCT/$PRODUCT.conf
 fi

@@ -387,7 +441,7 @@ chmod 644 ${DESTDIR}/usr/share/$PRODUCT/version

 if [ -z "$DESTDIR" ]; then
    rm -f /usr/share/$PRODUCT/init
-    ln -s ${DEST}/${INIT} /usr/share/$PRODUCT/init
+    ln -s ${INITDIR}/${INITFILE} /usr/share/$PRODUCT/init
 fi

 delete_file ${DESTDIR}/usr/share/$PRODUCT/lib.common
@@ -398,7 +452,7 @@ if [ -z "$DESTDIR" ]; then
    touch /var/log/$PRODUCT-init.log

    if [ -n "$first_install" ]; then
-	if [ -n "$DEBIAN" ]; then
+	if [ $HOST = debian ]; then
 	    run_install $OWNERSHIP -m 0644 default.debian /etc/default/$PRODUCT

 	    update-rc.d $PRODUCT defaults
@@ -434,7 +488,7 @@ if [ -z "$DESTDIR" ]; then
 		else
 		    cant_autostart
 		fi
-	    elif [ "$INIT" != rc.firewall ]; then #Slackware starts this automatically
+	    elif [ "$INITFILE" != rc.firewall ]; then #Slackware starts this automatically
 		cant_autostart
 	    fi
 	fi
--- a/Shorewall-lite/manpages/shorewall-lite.xml
+++ b/Shorewall-lite/manpages/shorewall-lite.xml
@@ -517,15 +517,17 @@
          defined in the <ulink
          url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5)
          file. A <emphasis>host-list</emphasis> is comma-separated list whose
-          elements are host or network addresses.<caution>
-              <para>The <command>add</command> command is not very robust. If
-              there are errors in the <replaceable>host-list</replaceable>,
-              you may see a large number of error messages yet a subsequent
-              <command>shorewall-lite show zones</command> command will
-              indicate that all hosts were added. If this happens, replace
-              <command>add</command> by <command>delete</command> and run the
-              same command again. Then enter the correct command.</para>
-            </caution></para>
+          elements are host or network addresses.</para>
+
+          <caution>
+            <para>The <command>add</command> command is not very robust. If
+            there are errors in the <replaceable>host-list</replaceable>, you
+            may see a large number of error messages yet a subsequent
+            <command>shorewall-lite show zones</command> command will indicate
+            that all hosts were added. If this happens, replace
+            <command>add</command> by <command>delete</command> and run the
+            same command again. Then enter the correct command.</para>
+          </caution>
        </listitem>
      </varlistentry>

--- a/Shorewall/Makefile
+++ b/Shorewall/Makefile
@@ -2,6 +2,7 @@
 VARDIR=$(shell /sbin/shorewall show vardir)
 CONFDIR=/etc/shorewall
 RESTOREFILE?=firewall
+
 all: $(VARDIR)/${RESTOREFILE}

 $(VARDIR)/${RESTOREFILE}: $(CONFDIR)/*
@@ -11,11 +12,12 @@ $(VARDIR)/${RESTOREFILE}: $(CONFDIR)/*
 	then \
 	    /sbin/shorewall -q save >/dev/null; \
 	else \
-	    /sbin/shorewall -q restart 2>&1 | tail >&2; \
+	    /sbin/shorewall -q restart 2>&1 | tail >&2; exit 1; \
 	fi

 clean:
 	@rm -f $(CONFDIR)/*~ $(CONFDIR)/.*~
+
 .PHONY: clean

 # EOF
--- a/Shorewall/Perl/.project
+++ b/Shorewall/Perl/.project
@@ -1,17 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<projectDescription>
-	<name>Shorewall</name>
-	<comment></comment>
-	<projects>
-	</projects>
-	<buildSpec>
-		<buildCommand>
-			<name>org.epic.perleditor.perlbuilder</name>
-			<arguments>
-			</arguments>
-		</buildCommand>
-	</buildSpec>
-	<natures>
-		<nature>org.epic.perleditor.perlnature</nature>
-	</natures>
-</projectDescription>
--- a/Shorewall/Perl/Shorewall/Accounting.pm
+++ b/Shorewall/Perl/Shorewall/Accounting.pm
@@ -322,7 +322,7 @@ sub process_accounting_rule( ) {
 	}
    }

-    dont_optimize( $chainref ) if $target eq 'RETURN';
+    set_optflags( $chainref, DONT_OPTIMIZE ) if $target eq 'RETURN';

    if ( $jumpchainref ) {
 	if ( $asection ) {
@@ -407,7 +407,7 @@ sub setup_accounting() {
 		}

 		if ( $tableref->{accounting} ) {
-		    dont_optimize( 'accounting' );
+		    set_optflags( 'accounting' , DONT_OPTIMIZE );
 		    for my $chain ( qw/INPUT FORWARD/ ) {
 			insert_ijump( $tableref->{$chain}, j => 'accounting', 0 );
 		    }
@@ -429,7 +429,7 @@ sub setup_accounting() {
 		    insert_ijump( $tableref->{POSTROUTING}, j => 'accountpost', 0 );
 		}
 	    } elsif ( $tableref->{accounting} ) {
-		dont_optimize( 'accounting' );
+		set_optflags( 'accounting' , DONT_OPTIMIZE );
 		for my $chain ( qw/INPUT FORWARD OUTPUT/ ) {
 		    insert_ijump( $tableref->{$chain}, j => 'accounting', 0 );
 		}
--- a/Shorewall/Perl/Shorewall/Chains.pm
+++ b/Shorewall/Perl/Shorewall/Chains.pm
@@ -36,6 +36,10 @@ use strict;

 our @ISA = qw(Exporter);
 our @EXPORT = qw(
+		    DONT_OPTIMIZE
+		    DONT_DELETE
+		    DONT_MOVE
+
 		    add_rule
 		    add_irule
 		    add_jump
@@ -62,6 +66,11 @@ our @EXPORT = qw(
 		    require_audit
 		    newlogchain
 		    log_rule_limit
+		    allow_optimize
+		    allow_delete
+		    allow_move
+		    set_optflags
+		    reset_optflags
 		    dont_optimize
 		    dont_delete
 		    dont_move
@@ -182,6 +191,7 @@ our %EXPORT_TAGS = (
 				       do_time
 				       do_user
 				       do_length
+				       decode_tos
 				       do_tos
 				       do_connbytes
 				       do_helper
@@ -189,6 +199,7 @@ our %EXPORT_TAGS = (
 				       do_headers
 				       do_probability
 				       do_condition
+				       do_dscp
 				       have_ipset_rules
 				       record_runtime_address
 				       conditional_rule
@@ -228,6 +239,7 @@ our %EXPORT_TAGS = (
 				       create_chainlist_reload
 				       create_stop_load
 				       %targets
+				       %dscpmap
 				     ) ],
 		   );

@@ -246,9 +258,7 @@ our $VERSION = 'MODULEVERSION';
 #                                               builtin      => undef|1 -- If 1, one of Netfilter's built-in chains.
 #                                               manual       => undef|1 -- If 1, a manual chain.
 #                                               accounting   => undef|1 -- If 1, an accounting chain
-#                                               dont_optimize=> undef|1 -- Don't optimize away if this chain is 'short'
-#                                               dont_delete  => undef|1 -- Don't delete if this chain is not referenced
-#                                               dont_move    => undef|1 -- Don't copy the rules of this chain somewhere else
+#                                               optflags     => <optimization flags>
 #                                               log          => <logging rule number for use when LOGRULENUMBERS>
 #                                               policy       => <policy>
 #                                               policychain  => <name of policy chain> -- self-reference if this is a policy chain
@@ -360,6 +370,37 @@ use constant {

 use constant { OPTIMIZE_MASK => OPTIMIZE_POLICY_MASK | OPTIMIZE_RULESET_MASK };

+use constant { DONT_OPTIMIZE => 1 , DONT_DELETE => 2, DONT_MOVE => 4 };
+
+our %dscpmap = ( CS0  => 0x00,
+		 CS1  => 0x08,
+		 CS2  => 0x10,
+		 CS3  => 0x18,
+		 CS4  => 0x20,
+		 CS5  => 0x28,
+		 CS6  => 0x30,
+		 CS7  => 0x38,
+		 BE   => 0x00,
+		 AF11 => 0x0a,
+		 AF12 => 0x0c,
+		 AF13 => 0x0e,
+		 AF21 => 0x12,
+		 AF22 => 0x14,
+		 AF23 => 0x16,
+		 AF31 => 0x1a,
+		 AF32 => 0x1c,
+		 AF33 => 0x1e,
+		 AF41 => 0x22,
+		 AF42 => 0x24,
+		 AF43 => 0x26,
+		 EF   => 0x2e,
+	       );
+
+our %tosmap = ( 'Minimize-Delay'       => 0x10,
+		'Maximize-Throughput'  => 0x08,
+		'Maximize-Reliability' => 0x04,
+		'Minimize-Cost'        => 0x02,
+		'Normal-Service'       => 0x00 );
 #
 # These hashes hold the shell code to set shell variables. The key is the name of the variable; the value is the code to generate the variable's contents
 #
@@ -1151,7 +1192,7 @@ sub push_matches {
 	}
    }

-    $dont_optimize;
+    DONT_OPTIMIZE if $dont_optimize;
 }

 sub push_irule( $$$;@ ) {
@@ -1180,7 +1221,7 @@ sub push_irule( $$$;@ ) {
    $chainref->{referenced} = 1;

    unless ( $ruleref->{simple} = ! @matches ) {
-	$chainref->{dont_optimize} = 1 if push_matches( $ruleref, @matches );
+	$chainref->{optflags} |= push_matches( $ruleref, @matches );
    }

    push @{$chainref->{rules}}, $ruleref;
@@ -1294,7 +1335,7 @@ sub insert_irule( $$$$;@ ) {
    }

    unless ( $ruleref->{simple} = ! @matches ) {
-	$chainref->{dont_optimize} = 1 if push_matches( $ruleref, @matches );
+	$chainref->{optflags} |= push_matches( $ruleref, @matches );
    }

    if ( $comment ) {
@@ -1867,7 +1908,8 @@ sub new_chain($$)
 		     log            => 1,
 		     cmdlevel       => 0,
 		     references     => {},
-		     filtered       => 0
+		     filtered       => 0,
+		     optflags       => 0,
 		   };

    trace( $chainref, 'N', undef, '' ) if $debug;
@@ -1928,7 +1970,7 @@ sub add_jump( $$$;$$$ ) {

    my $param = $goto_ok && $toref && have_capability( 'GOTO_TARGET' ) ? 'g' : 'j';

-    $fromref->{dont_optimize} = 1 if $predicate =~ /! -[piosd] /;
+    $fromref->{optflags} |= DONT_OPTIMIZE if $predicate =~ /! -[piosd] /;

    if ( defined $index ) {
 	assert( ! $expandports );
@@ -2052,49 +2094,70 @@ sub delete_jumps ( $$ ) {
    }
 }

-#
-# Set the dont_optimize flag for a chain
-#
-sub dont_optimize( $ ) {
-    my $chain = shift;
+sub reset_optflags( $$ ) {
+    my ( $chain, $flags ) = @_;

    my $chainref = reftype $chain ? $chain : $filter_table->{$chain};

-    $chainref->{dont_optimize} = 1;
+    $chainref->{optflags} ^= $flags;
+
+    trace( $chainref, '!O', undef, '' ) if $debug;
+
+    $chainref;
+}
+
+sub set_optflags( $$ ) {
+    my ( $chain, $flags ) = @_;
+
+    my $chainref = reftype $chain ? $chain : $filter_table->{$chain};
+
+    $chainref->{optflags} |= $flags;

    trace( $chainref, '!O', undef, '' ) if $debug;

    $chainref;
 }

+#
+# Reset the dont_optimize flag for a chain
+#
+sub allow_optimize( $ ) {
+    reset_optflags( shift, DONT_OPTIMIZE );
+}
+
+#
+# Reset the dont_delete flags for a chain
+#
+sub allow_delete( $ ) {
+    reset_optflags( shift, DONT_DELETE );
+}
+
+#
+# Reset the dont_move flag for a chain
+#
+sub allow_move( $ ) {
+    reset_optflags( shift, DONT_MOVE );
+}
+
+#
+# Set the dont_optimize flag for a chain
+#
+sub dont_optimize( $ ) {
+    set_optflags( shift, DONT_OPTIMIZE );
+}
+
 #
 # Set the dont_optimize and dont_delete flags for a chain
 #
 sub dont_delete( $ ) {
-    my $chain = shift;
-
-    my $chainref = reftype $chain ? $chain : $filter_table->{$chain};
-
-    $chainref->{dont_optimize} = $chainref->{dont_delete} = 1;
-
-    trace( $chainref, '!OD', undef, '' ) if $debug;
-
-    $chainref;
+    set_optflags( shift, DONT_OPTIMIZE | DONT_DELETE );
 }

 #
 # Set the dont_move flag for a chain
 #
 sub dont_move( $ ) {
-    my $chain = shift;
-
-    my $chainref = reftype $chain ? $chain : $filter_table->{$chain};
-
-    $chainref->{dont_move} = 1;
-
-    trace( $chainref, '!M', undef, '' ) if $debug;
-
-    $chainref;
+    set_optflags( shift, DONT_MOVE );
 }

 #
@@ -2136,7 +2199,7 @@ sub ensure_accounting_chain( $$$ )
 	$chainref->{restriction} = $restriction;
 	$chainref->{restricted}  = NO_RESTRICT;
 	$chainref->{ipsec}       = $ipsec;
-	$chainref->{dont_optimize} = 1 unless $config{OPTIMIZE_ACCOUNTING};
+	$chainref->{optflags}   |= DONT_OPTIMIZE unless $config{OPTIMIZE_ACCOUNTING};

 	unless ( $chain eq 'accounting' ) {
 	    my $file = find_file $chain;
@@ -2208,7 +2271,7 @@ sub new_builtin_chain($$$)
    $chainref->{referenced}  = 1;
    $chainref->{policy}      = $policy;
    $chainref->{builtin}     = 1;
-    $chainref->{dont_delete} = 1;
+    $chainref->{optflags}    = DONT_DELETE;
    $chainref;
 }

@@ -2636,7 +2699,7 @@ sub conditionally_copy_rules( $$ ) {

    my $targetref = $chain_table{$chainref->{table}}{$basictarget};

-    if ( $targetref && ! $targetref->{dont_move} ) {
+    if ( $targetref && ! ( $targetref->{optflags} & DONT_MOVE ) ) {
 	#
 	# Move is safe -- start with an empty rule list
 	#
@@ -2678,7 +2741,7 @@ sub optimize_level0() {
 	    #
 	    # If the chain isn't branched to, then delete it
 	    #
-	    unless ( $chainref->{dont_delete} || keys %{$chainref->{references}} ) {
+	    unless ( $chainref->{optflags} & DONT_DELETE || keys %{$chainref->{references}} ) {
 		delete_chain $chainref if $chainref->{referenced};
 	    }
 	}
@@ -2696,7 +2759,7 @@ sub optimize_level4( $$ ) {
    # When a chain with a single entry is found, replace it's references by its contents
    #
    # The search continues until no short chains remain
-    # Chains with 'dont_optimize = 1' are exempted from optimization
+    # Chains with 'DONT_OPTIMIZE' are exempted from optimization
    #
    while ( $progress ) {
 	$progress = 0;
@@ -2708,15 +2771,16 @@ sub optimize_level4( $$ ) {
 	progress_message "\n Table $table pass $passes, $chains referenced chains, level 4a...";

 	for my $chainref ( @chains ) {
+	    my $optflags = $chainref->{optflags};
 	    #
 	    # If the chain isn't branched to, then delete it
 	    #
-	    unless ( $chainref->{dont_delete} || keys %{$chainref->{references}} ) {
+	    unless ( ( $optflags & DONT_DELETE ) || keys %{$chainref->{references}} ) {
 		delete_chain $chainref if $chainref->{referenced};
 		next;
 	    }

-	    unless ( $chainref->{dont_optimize} ) {
+	    unless ( $optflags & DONT_OPTIMIZE ) {
 		my $numrules = @{$chainref->{rules}};

 		if ( $numrules == 0 ) {
@@ -2727,7 +2791,7 @@ sub optimize_level4( $$ ) {
 			#
 			# Built-in -- mark it 'dont_optimize' so we ignore it in follow-on passes
 			#
-			$chainref->{dont_optimize} = 1;
+			$chainref->{optflags} |= DONT_OPTIMIZE;
 		    } else {
 			#
 			# Not a built-in -- we can delete it and it's references
@@ -2758,7 +2822,7 @@ sub optimize_level4( $$ ) {
 				#
 				# Target was a built-in. Ignore this chain in follow-on passes
 				#
-				$chainref->{dont_optimize} = 1;
+				$chainref->{optflags} |= DONT_OPTIMIZE;
 			    }
 			} else {
 			    #
@@ -2774,9 +2838,9 @@ sub optimize_level4( $$ ) {
 			if ( $chainref->{builtin} || ! $globals{KLUDGEFREE} ) {
 			    #
 			    # This case requires a new rule merging algorithm. Ignore this chain for
-			    # now.
+			    # now on.
 			    #
-			    $chainref->{dont_optimize} = 1;
+			    $chainref->{optflags} |= DONT_OPTIMIZE;
 			} else {
 			    #
 			    # Replace references to this chain with the target and add the matches
@@ -2866,7 +2930,7 @@ sub optimize_level8( $$$ ) {
 	#
 	for my $chainref1 ( @chains1 ) {
 	    next unless @{$chainref1->{rules}};
-	    next if $chainref1->{dont_delete};
+	    next if $chainref1->{optflags} & DONT_DELETE;
 	    if ( $chainref->{digest} eq $chainref1->{digest} ) {
 		progress_message "  Chain $chainref1->{name} combined with $chainref->{name}";
 		replace_references $chainref1, $chainref->{name}, undef;
@@ -3190,6 +3254,16 @@ sub set_mss( $$$ ) {
 #
 # Interate over all zones with 'mss=' settings adding TCPMSS rules as appropriate.
 #
+sub imatch_source_dev( $;$ );
+sub imatch_dest_dev( $;$ );
+sub imatch_source_net( $;$\$ );
+sub imatch_dest_net( $ );
+
+sub newmsschain( ) {
+    my $seq = $chainseq{filter}++;
+    "~mss${seq}";
+}
+
 sub setup_zone_mss() {
    for my $zone ( all_zones ) {
 	my $zoneref = find_zone( $zone );
@@ -3197,6 +3271,29 @@ sub setup_zone_mss() {
 	set_mss( $zone, $zoneref->{options}{in_out}{mss}, ''     ) if $zoneref->{options}{in_out}{mss};
 	set_mss( $zone, $zoneref->{options}{in}{mss},     '_in'  ) if $zoneref->{options}{in}{mss};
 	set_mss( $zone, $zoneref->{options}{out}{mss},    '_out' ) if $zoneref->{options}{out}{mss};
+
+	my $hosts = find_zone_hosts_by_option( $zone, 'mss' );
+
+	for my $hostref ( @$hosts ) {
+	    my $mss         = $hostref->[4];
+	    my @mssmatch    = have_capability( 'TCPMSS_MATCH' ) ? ( tcpmss => "--mss $mss:" ) : ();
+	    my @sourcedev   = imatch_source_dev $hostref->[0];
+	    my @destdev     = imatch_dest_dev   $hostref->[0];
+	    my @source      = imatch_source_net $hostref->[2];
+	    my @dest        = imatch_dest_net   $hostref->[2];
+	    my @ipsecin     = (have_ipsec ? ( policy => "--pol $hostref->[1] --dir in"  ) : () );
+	    my @ipsecout    = (have_ipsec ? ( policy => "--pol $hostref->[1] --dir out" ) : () );
+
+	    my $chainref = new_chain 'filter', newmsschain;
+	    my $target   = source_exclusion( $hostref->[3], $chainref );
+
+	    add_ijump $chainref, j => 'TCPMSS', targetopts => "--set-mss $mss", p => 'tcp --tcp-flags SYN,RST SYN';
+
+	    for my $zone1 ( all_zones ) {
+		add_ijump ensure_chain( 'filter', rules_chain( $zone, $zone1 ) ),  j => $target , @sourcedev, @source, p => 'tcp --tcp-flags SYN,RST SYN', @mssmatch, @ipsecin ;
+		add_ijump ensure_chain( 'filter', rules_chain( $zone1, $zone ) ),  j => $target , @destdev,   @dest,   p => 'tcp --tcp-flags SYN,RST SYN', @mssmatch, @ipsecout ;	    
+	    }
+	}
    }
 }

@@ -4011,13 +4108,56 @@ sub do_user( $ ) {
    $rule;
 }

+
+
 #
 # Create a "-m tos" match for the passed TOS
 #
-sub do_tos( $ ) {
-    my $tos = $_[0];
+# This helper is also used during tos file processing
+#
+sub decode_tos( $$ ) {
+    my ( $tos, $set ) = @_;

-    $tos ne '-' ? "-m tos --tos $tos " : '';
+    if ( $tos eq '-' ) {
+	fatal_error [ '',                                            # 0
+		      'A value must be supplied in the TOS column',  # 1
+		      'Invalid TOS() parameter (-)',                 # 2
+		    ]->[$set] if $set;
+	return '';
+    }
+
+    my $mask = 0xff;
+    my $value;
+
+    if ( $tos =~ m"^(.+)/(.+)$" ) {
+	$value = numeric_value $1;
+	$mask  = numeric_value $2;
+    } elsif ( ! defined ( $value = numeric_value( $tos ) ) ) {
+	$value = $tosmap{$tos};
+	$mask  = '';
+    }
+
+    fatal_error( [ 'Invalid TOS column value',
+		   'Invalid TOS column value',
+		   'Invalid TOS() parameter', ]->[$set] . " ($tos)" )
+	unless ( defined $value &&
+		 $value <= 0xff &&
+		 ( $mask eq '' ||
+		   ( defined $mask &&
+		     $mask <= 0xff ) ) );
+
+    unless ( $mask eq '' ) {
+	warning_message "Unmatchable TOS ($tos)" unless $set || $value & $mask;
+    }
+
+    $tos = $mask ? in_hex( $value) . '/' . in_hex( $mask ) . ' ' : in_hex( $value ) . ' ';
+
+    $set ? " --set-tos $tos" : "-m tos --tos $tos ";
+
+}
+
+sub do_tos( $ ) {
+    decode_tos( $_[0], 0 );
 }

 my %dir = ( O => 'original' ,
@@ -4098,8 +4238,17 @@ sub do_helper( $ ) {
 sub do_length( $ ) {
    my $length = $_[0];

+    return '' if $length eq '-';
+
    require_capability( 'LENGTH_MATCH' , 'A Non-empty LENGTH' , 's' );
-    $length ne '-' ? "-m length --length $length " : '';
+
+    fatal_error "Invalid LENGTH ($length)" unless $length =~/^(\d+)(:(\d+))?$/;
+
+    if ( supplied $2 ) {
+	fatal_error "First length must be < second length" unless $1 < $3;
+    }
+
+    "-m length --length $length ";
 }

 #
@@ -4186,6 +4335,26 @@ sub do_condition( $ ) {
    "-m condition ${invert}--condition $condition "
 }

+#
+# Generate a -m dscp match
+#
+sub do_dscp( $ ) {
+    my $dscp = shift;
+
+    return '' if $dscp eq '-';
+
+    require_capability 'DSCP_MATCH', 'A non-empty DSCP column', 's';
+
+    my $invert = $dscp =~ s/^!// ? '! ' : '';
+    my $value  = numeric_value( $dscp );
+
+    $value = $dscpmap{$value} unless defined $value;
+
+    fatal_error( "Invalid DSCP ($dscp)" ) unless defined $value && $value < 0x2f && ! ( $value & 1 );
+
+    "-m dscp ${invert}--dscp $value ";
+}
+
 #
 # Match Source Interface
 #
@@ -4313,16 +4482,27 @@ sub get_set_flags( $$ ) {
    } elsif ( $setname =~ /^(.*)\[((src|dst)(,(src|dst))*)\]$/ ) {
 	$setname = $1;
 	$options = $2;
+
+	my @options = split /,/, $options;
+	my %typemap = ( src => 'Source', dst => 'Destination' );
+
+	if ( $config{IPSET_WARNINGS} ) {
+	    for ( @options ) {
+		warning_message( "The '$_' ipset flag is used in a $typemap{$option} column" ), last unless $_ eq $option;
+	    }
+	}
    }

    $setname =~ s/^\+//;

-    unless ( $export || $> != 0 ) {
-	unless ( $ipset_exists{$setname} ) {
-	    warning_message "Ipset $setname does not exist" unless qt "ipset -L $setname";
-	}
+    if ( $config{IPSET_WARNINGS} ) {
+	unless ( $export || $> != 0 ) {
+	    unless ( $ipset_exists{$setname} ) {
+		warning_message "Ipset $setname does not exist" unless qt "ipset -L $setname";
+	    }

-	$ipset_exists{$setname} = 1; # Suppress subsequent checks/warnings
+	    $ipset_exists{$setname} = 1; # Suppress subsequent checks/warnings
+	}
    }

    fatal_error "Invalid ipset name ($setname)" unless $setname =~ /^(6_)?[a-zA-Z]\w*/;
@@ -4337,11 +4517,21 @@ sub have_ipset_rules() {

 sub get_interface_address( $ );

-sub record_runtime_address( $ ) {
-    my $interface = shift;
+sub record_runtime_address( $$;$ ) {
+    my ( $addrtype, $interface, $protect ) = @_;
    fatal_error "Unknown interface address variable (&$interface)" unless known_interface( $interface );
    fatal_error "Invalid interface address variable (&$interface)" if $interface =~ /\+$/;
-    get_interface_address( $interface ) . ' ';
+
+    my $addr;
+
+    if ( $addrtype eq '&' ) {
+	$addr = get_interface_address( $interface );
+    } else {
+	$addr = get_interface_gateway( $interface, $protect );
+    }
+
+    $addr . ' ';
+   
 }

 #
@@ -4353,12 +4543,19 @@ sub record_runtime_address( $ ) {
 sub conditional_rule( $$ ) {
    my ( $chainref, $address ) = @_;

-    if ( $address =~ /^!?&(.+)$/ ) {
-	my $interface = $1;
+    if ( $address =~ /^!?([&%])(.+)$/ ) {
+	my ($type, $interface) = ($1, $2);
 	if ( my $ref = known_interface $interface ) {
 	    if ( $ref->{options}{optional} ) {
-		my $variable = get_interface_address( $interface );
-		add_commands( $chainref , "if [ $variable != " . NILIP . ' ]; then' );
+		my $variable;
+		if ( $type eq '&' ) {
+		    $variable = get_interface_address( $interface );
+		    add_commands( $chainref , "if [ $variable != " . NILIP . ' ]; then' );
+		} else {
+		    $variable = get_interface_gateway( $interface );
+		    add_commands( $chainref , qq(if [ -n "$variable" ]; then) );
+		}
+
 		incr_cmd_level $chainref;
 		return 1;
 	    }
@@ -4422,16 +4619,16 @@ sub match_source_net( $;$\$ ) {
    }

    if ( $net =~ s/^!// ) {
-	if ( $net =~ /^&(.+)/ ) {
-	    return '! -s ' . record_runtime_address $1;
+	if ( $net =~ /^([&%])(.+)/ ) {
+	    return '! -s ' . record_runtime_address $1, $2;
 	}

 	validate_net $net, 1;
 	return "! -s $net ";
    }

-    if ( $net =~ /^&(.+)/ ) {
-	return '-s ' . record_runtime_address $1;
+    if ( $net =~ /^([&%])(.+)/ ) {
+	return '-s ' . record_runtime_address $1, $2;
    }

    validate_net $net, 1;
@@ -4476,16 +4673,16 @@ sub imatch_source_net( $;$\$ ) {
    }

    if ( $net =~ s/^!// ) {
-	if ( $net =~ /^&(.+)/ ) {
-	    return  ( s => '! ' . record_runtime_address $1 );
+	if ( $net =~ /^([&%])(.+)/ ) {
+	    return  ( s => '! ' . record_runtime_address( $1, $2, 1 ) );
 	}

 	validate_net $net, 1;
 	return ( s => "! $net " );
    }

-    if ( $net =~ /^&(.+)/ ) {
-	return ( s =>  record_runtime_address $1 );
+    if ( $net =~ /^([&%])(.+)/ ) {
+	return ( s =>  record_runtime_address( $1, $2, 1 ) );
    }

    validate_net $net, 1;
@@ -4525,16 +4722,16 @@ sub match_dest_net( $ ) {
    }

    if ( $net =~ s/^!// ) {
-	if ( $net =~ /^&(.+)/ ) {
-	    return '! -d ' . record_runtime_address $1;
+	if ( $net =~ /^([&%])(.+)/ ) {
+	    return '! -d ' . record_runtime_address $1, $2;
 	}
 	
 	validate_net $net, 1;
 	return "! -d $net ";
    }

-    if ( $net =~ /^&(.+)/ ) {
-	return '-d ' . record_runtime_address $1;
+    if ( $net =~ /^([&%])(.+)/ ) {
+	return '-d ' . record_runtime_address $1, $2;
    }

    validate_net $net, 1;
@@ -4572,16 +4769,16 @@ sub imatch_dest_net( $ ) {
    }

    if ( $net =~ s/^!// ) {
-	if ( $net =~ /^&(.+)/ ) {
-	    return ( d => '! ' . record_runtime_address $1 );
+	if ( $net =~ /^([&%])(.+)/ ) {
+	    return ( d => '! ' . record_runtime_address( $1, $2, 1 ) );
 	}
 	
 	validate_net $net, 1;
 	return ( d => "! $net " );
    }

-    if ( $net =~ /^&(.+)/ ) {
-	return ( d => record_runtime_address $1 );
+    if ( $net =~ /^([&%])(.+)/ ) {
+	return ( d => record_runtime_address( $1, $2, 1 ) );
    }

    validate_net $net, 1;
@@ -4599,7 +4796,7 @@ sub match_orig_dest ( $ ) {

    if ( $net =~ s/^!// ) {
 	if ( $net =~ /^&(.+)/ ) {
-	    $net = record_runtime_address $1;
+	    $net = record_runtime_address '&', $1;
 	} else {
 	    validate_net $net, 1;
 	}
@@ -4607,7 +4804,7 @@ sub match_orig_dest ( $ ) {
 	have_capability( 'OLD_CONNTRACK_MATCH' ) ? "-m conntrack --ctorigdst ! $net " : "-m conntrack ! --ctorigdst $net ";
    } else {
 	if ( $net =~ /^&(.+)/ ) {
-	    $net = record_runtime_address $1;
+	    $net = record_runtime_address '&', $1;
 	} else {
 	    validate_net $net, 1;
 	}
@@ -4623,10 +4820,10 @@ sub match_ipsec_in( $$ ) {
    my ( $zone , $hostref ) = @_;
    my @match;
    my $zoneref    = find_zone( $zone );
-    my $optionsref = $zoneref->{options};

-    unless ( $optionsref->{super} || $zoneref->{type} == VSERVER ) {
+    unless ( $zoneref->{super} || $zoneref->{type} == VSERVER ) {
 	my $match = '--dir in --pol ';
+	my $optionsref = $zoneref->{options};

 	if ( $zoneref->{type} & IPSEC ) {
 	    $match .= "ipsec $optionsref->{in_out}{ipsec}$optionsref->{in}{ipsec}";
@@ -5055,8 +5252,8 @@ sub interface_gateway( $ ) {
 #
 # Record that the ruleset requires the gateway address on the passed interface
 #
-sub get_interface_gateway ( $ ) {
-    my ( $logical ) = $_[0];
+sub get_interface_gateway ( $;$ ) {
+    my ( $logical, $protect ) = @_;

    my $interface = get_physical $logical;
    my $variable = interface_gateway( $interface );
@@ -5073,7 +5270,7 @@ sub get_interface_gateway ( $ ) {
 );
    }

-    "\$$variable";
+    $protect ? "\${$variable:-" . NILIP . '}' : "\$$variable";
 }

 #
@@ -5383,7 +5580,7 @@ sub expand_rule( $$$$$$$$$$;$ )
 	    } else {
 		$inets = $source;
 	    }
-	} elsif ( $source =~ /(?:\+|&|~|\..*\.)/ ) {
+	} elsif ( $source =~ /(?:\+|&|%|~|\..*\.)/ ) {
 	    $inets = $source;
 	} else {
 	    $iiface = $source;
@@ -5468,7 +5665,7 @@ sub expand_rule( $$$$$$$$$$;$ )
 	    if ( $dest =~ /^(.+?):(.+)$/ ) {
 		$diface = $1;
 		$dnets  = $2;
-	    } elsif ( $dest =~ /\+|&|~|\..*\./ ) {
+	    } elsif ( $dest =~ /\+|&|%|~|\..*\./ ) {
 		$dnets = $dest;
 	    } else {
 		$diface = $dest;
@@ -6413,7 +6610,7 @@ sub create_netfilter_load( $ ) {
    #
    emit(  'exec 3>&-',
 	   '',
-	   '[ -n "$DEBUG" ] && command=debug_restore_input || command=$' . $UTILITY,
+	   '[ -n "$g_debug_iptables" ] && command=debug_restore_input || command=$' . $UTILITY,
 	   '',
 	   'progress_message2 "Running $command..."',
 	   '',
--- a/Shorewall/Perl/Shorewall/Compiler.pm
+++ b/Shorewall/Perl/Shorewall/Compiler.pm
@@ -709,10 +709,6 @@ sub compiler {
    # Proxy Arp/Ndp
    #
    setup_proxy_arp;
-    #
-    # Handle MSS settings in the zones file
-    #
-    setup_zone_mss;

    if ( $scriptfilename || $debug ) {
 	emit 'return 0';
--- a/Shorewall/Perl/Shorewall/Config.pm
+++ b/Shorewall/Perl/Shorewall/Config.pm
@@ -292,6 +292,8 @@ my  %capdesc = ( NAT_ENABLED     => 'NAT',
 		 STATISTIC_MATCH => 
 		                    'Statistics Match',
 		 IMQ_TARGET      => 'IMQ Target',
+		 DSCP_MATCH      => 'DSCP Match',
+		 DSCP_TARGET     => 'DSCP Target',
 		 CAPVERSION      => 'Capability Version',
 		 KERNELVERSION   => 'Kernel Version',
 	       );
@@ -389,8 +391,8 @@ my  $toolNAME;               # Tool name in CAPS
 our $product;                # Name of product that will run the generated script
 our $Product;                # $product with initial cap.

-my $sillyname;               # Name of temporary filter chains for testing capabilities
-my $sillyname1;
+our $sillyname;              # Name of temporary filter chains for testing capabilities
+our $sillyname1;
 my $iptables;                # Path to iptables/ip6tables
 my $tc;                      # Path to tc
 my $ip;                      # Path to ip
@@ -418,6 +420,18 @@ my %deprecated = ( LOGRATE            => '' ,
 		   WIDE_TC_MARKS      => 'no',
 		   HIGH_ROUTE_MARKS   => 'no'
 		 );
+#
+# Deprecated options that are eliminated via update
+#
+my %converted = ( WIDE_TC_MARKS => 1,
+		  HIGH_ROUTE_MARKS => 1 );
+#
+# Variables involved in ?IF, ?ELSE ?ENDIF processing
+#
+my $omitting;
+my @ifstack;
+my $ifstack;
+
 #
 # Rather than initializing globals in an INIT block or during declaration,
 # we initialize them in a function. This is done for two reasons:
@@ -451,6 +465,9 @@ sub initialize( $ ) {
    $tempfile       = '';      # Temporary File Name
    $sillyname      = 
    $sillyname1     = '';      # Temporary ipchains
+    $omitting       = 0;
+    $ifstack        = 0;
+    @ifstack        = ();

    #
    # Misc Globals
@@ -551,6 +568,7 @@ sub initialize( $ ) {
 	  MAPOLDACTIONS => undef,
 	  FASTACCEPT => undef,
 	  IMPLICIT_CONTINUE => undef,
+	  IPSET_WARNINGS => undef,
 	  HIGH_ROUTE_MARKS => undef,
 	  USE_ACTIONS=> undef,
 	  OPTIMIZE => undef,
@@ -692,6 +710,8 @@ sub initialize( $ ) {
 	       CT_TARGET => undef,
 	       STATISTIC_MATCH => undef,
 	       IMQ_TARGET => undef,
+	       DSCP_MATCH => undef,
+	       DSCP_TARGET => undef,
 	       CAPVERSION => undef,
 	       KERNELVERSION => undef,
 	       );
@@ -747,7 +767,7 @@ my @abbr = qw( Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec );
 sub warning_message
 {
    my $linenumber = $currentlinenumber || 1;
-    my $currentlineinfo = $currentfile ?  " : $currentfilename (line $linenumber)" : '';
+    my $currentlineinfo = $currentfile ?  " : $currentfilename " . ( $linenumber eq 'EOF' ? '(EOF)' : "(line $linenumber)" ) : '';
    our @localtime;

    $| = 1; #Reset output buffering (flush any partially filled buffers).
@@ -803,7 +823,7 @@ sub cleanup() {
 #
 sub fatal_error	{
    my $linenumber = $currentlinenumber || 1;
-    my $currentlineinfo = $currentfile ?  " : $currentfilename (line $linenumber)" : '';
+    my $currentlineinfo = $currentfile ?  " : $currentfilename " . ( $linenumber eq 'EOF' ? '(EOF)' : "(line $linenumber)" ) : '';

    $| = 1; #Reset output buffering (flush any partially filled buffers).

@@ -1450,6 +1470,7 @@ sub do_open_file( $ ) {
    my $fname = $_[0];
    open $currentfile, '<', $fname or fatal_error "Unable to open $fname: $!";
    $currentlinenumber = 0;
+    $ifstack           = @ifstack;
    $currentfilename   = $fname;
 }

@@ -1462,6 +1483,7 @@ sub open_file( $ ) {
 	$first_entry = 0;
 	do_open_file $fname;;
    } else {
+	$ifstack = @ifstack;
 	'';
    }
 }
@@ -1472,10 +1494,17 @@ sub open_file( $ ) {
 sub pop_include() {
    my $arrayref = pop @includestack;

+    unless ( $ifstack == @ifstack ) {
+	my $lastref = $ifstack[-1];
+	$currentlinenumber = 'EOF';
+	fatal_error qq(Missing "?ENDIF" to match ?IF at line number $lastref->[2])
+    }
+
    if ( $arrayref ) {
-	( $currentfile, $currentfilename, $currentlinenumber ) = @$arrayref;
+	( $currentfile, $currentfilename, $currentlinenumber, $ifstack ) = @$arrayref;
    } else {
-	$currentfile = undef;
+	$currentfile       = undef;
+	$currentlinenumber = 'EOF';
    }
 }

@@ -1496,6 +1525,53 @@ sub close_file() {
    }
 }

+sub process_conditional( $$ ) {
+    my ( $omitting, $line ) = @_;
+
+    fatal_error "Invalid compiler directive ($line)" unless $line =~ /^\s*\?(IF\s+|ELSE|ENDIF)(.*)$/;
+    
+    my ($keyword, $rest) = ( $1, $2 );
+
+    $rest = '' unless supplied $rest;
+
+    my ( $lastkeyword, $prioromit, $lastomit, $lastlinenumber ) = @ifstack ? @{$ifstack[-1]} : ('', 0, 0, 0 );
+
+    if ( $keyword =~ /^IF/ ) {
+	fatal_error "Missing IF variable" unless $rest;
+	my $invert = $rest =~ s/^!\s*//;
+	
+	fatal_error "Invalid IF variable ($rest)" unless $rest =~ s/^\$// && $rest =~ /^\w+$/;
+
+	push @ifstack, [ 'IF', $lastomit, $omitting, $currentlinenumber ];
+
+	if ( $rest eq '__IPV6' ) {
+	    $omitting = $family == F_IPV4;
+	} elsif ( $rest eq '__IPV4' ) {
+	    $omitting = $family == F_IPV6;
+	} else {
+	    $omitting = ! ( exists $ENV{$rest}    ? $ENV{$rest}    : 
+			    exists $params{$rest} ? $params{$rest} : 
+			    exists $config{$rest} ? $config{$rest} : 0 );
+	}
+
+	$omitting = ! $omitting if $invert;
+
+	$omitting ||= $lastomit; #?IF cannot transition from omitting -> not omitting
+    } elsif ( $keyword eq 'ELSE' ) {
+	fatal_error "Invalid ?ELSE" unless $rest eq '';
+	fatal_error "?ELSE has no matching ?IF" unless @ifstack > $ifstack && $lastkeyword eq 'IF';
+	$omitting = ! $omitting unless $lastomit;
+	$ifstack[-1] = [ 'ELSE', $prioromit, $omitting, $lastlinenumber ];
+    } else {
+	fatal_error "Invalid ?ENDIF" unless $rest eq '';
+	fatal_error q(Unexpected "?ENDIF" without matching ?IF or ?ELSE) if @ifstack <= $ifstack;
+	$omitting = $prioromit;
+	pop @ifstack;
+    }
+
+    $omitting;
+}   
+
 #
 # Functions for copying a file into the script
 #
@@ -1598,7 +1674,7 @@ sub copy1( $ ) {
 			fatal_error "Directory ($filename) not allowed in INCLUDE" if -d _;

 			if ( -s _ ) {
-			    push @includestack, [ $currentfile, $currentfilename, $currentlinenumber ];
+			    push @includestack, [ $currentfile, $currentfilename, $currentlinenumber, $ifstack ];
 			    $currentfile = undef;
 			    do_open_file $filename;
 			} else {
@@ -1714,7 +1790,7 @@ EOF
 #
 sub push_open( $ ) {

-    push @includestack, [ $currentfile, $currentfilename, $currentlinenumber ];
+    push @includestack, [ $currentfile, $currentfilename, $currentlinenumber, $ifstack ];
    my @a = @includestack;
    push @openstack, \@a;
    @includestack = ();
@@ -1789,7 +1865,7 @@ sub embedded_shell( $ ) {

 	while ( <$currentfile> ) {
 	    $currentlinenumber++;
-	    last if $last = s/^\s*END(\s+SHELL)?\s*;?//;
+	    last if $last = s/^\s*\??END(\s+SHELL)?\s*;?//;
 	    $command .= $_;
 	}

@@ -1799,12 +1875,13 @@ sub embedded_shell( $ ) {

    $command .= q(');

-    push @includestack, [ $currentfile, $currentfilename, $currentlinenumber ];
+    push @includestack, [ $currentfile, $currentfilename, $currentlinenumber, $ifstack ];
    $currentfile = undef;
    open $currentfile , '-|', $command or fatal_error qq(Shell Command failed);
    $currentfilename = "SHELL\@$currentfilename:$currentlinenumber";
    $currentline = '';
    $currentlinenumber = 0;
+    $ifstack = @ifstack;
 }

 sub embedded_perl( $ ) {
@@ -1823,7 +1900,7 @@ sub embedded_perl( $ ) {

 	while ( <$currentfile> ) {
 	    $currentlinenumber++;
-	    last if $last = s/^\s*END(\s+PERL)?\s*;?//;
+	    last if $last = s/^\s*\??END(\s+PERL)?\s*;?//;
 	    $command .= $_;
 	}

@@ -1855,7 +1932,7 @@ sub embedded_perl( $ ) {

 	$perlscript = undef;

-	push @includestack, [ $currentfile, $currentfilename, $currentlinenumber ];
+	push @includestack, [ $currentfile, $currentfilename, $currentlinenumber , $ifstack ];
 	$currentfile = undef;

 	open $currentfile, '<', $perlscriptname or fatal_error "Unable to open Perl Script $perlscriptname";
@@ -1867,6 +1944,7 @@ sub embedded_perl( $ ) {
 	$currentfilename = "PERL\@$currentfilename:$linenumber";
 	$currentline = '';
 	$currentlinenumber = 0;
+	$ifstack = @ifstack;
    }
 }

@@ -1971,6 +2049,7 @@ sub expand_variables( \$ ) {
 #   - Handle embedded SHELL and PERL scripts
 #   - Expand shell variables from %params and %ENV.
 #   - Handle INCLUDE <filename>
+#   - Handle ?IF, ?ELSE, ?ENDIF
 #

 sub read_a_line(;$$$) {
@@ -2010,6 +2089,20 @@ sub read_a_line(;$$$) {
 	    #
 	    $currentline = '', $currentlinenumber = 0, next if $currentline =~ /^\s*$/;
 	    #
+	    # Line not blank -- Handle conditionals
+	    #
+	    if ( $currentline =~ /^\s*\?/ ) {
+		$omitting = process_conditional( $omitting, $currentline);
+		$currentline='';
+		next;
+	    }		
+		    
+	    if ( $omitting ) {
+		progress_message "  OMITTED: $currentline";
+		$currentline='';
+		next;
+	    }
+	    #
 	    # Line not blank -- Handle any first-entry message/capabilities check
 	    #
 	    if ( $first_entry ) {
@@ -2024,12 +2117,12 @@ sub read_a_line(;$$$) {
 	    # Must check for shell/perl before doing variable expansion
 	    #
 	    if ( $embedded_enabled ) {
-		if ( $currentline =~ s/^\s*(BEGIN\s+)?SHELL\s*;?// ) {
+		if ( $currentline =~ s/^\s*\??(BEGIN\s+)?SHELL\s*;?// ) {
 		    embedded_shell( $1 );
 		    next;
 		}

-		if ( $currentline =~ s/^\s*(BEGIN\s+)?PERL\s*\;?// ) {
+		if ( $currentline =~ s/^\s*\??(BEGIN\s+)?PERL\s*\;?// ) {
 		    embedded_perl( $1 );
 		    next;
 		}
@@ -2041,7 +2134,7 @@ sub read_a_line(;$$$) {
 	    #
 	    expand_variables( $currentline ) if $expand_variables;

-	    if ( $currentline =~ /^\s*INCLUDE\s/ ) {
+	    if ( $currentline =~ /^\s*\??INCLUDE\s/ ) {

 		my @line = split ' ', $currentline;

@@ -2054,7 +2147,7 @@ sub read_a_line(;$$$) {
 		fatal_error "Directory ($filename) not allowed in INCLUDE" if -d _;

 		if ( -s _ ) {
-		    push @includestack, [ $currentfile, $currentfilename, $currentlinenumber ];
+		    push @includestack, [ $currentfile, $currentfilename, $currentlinenumber, $ifstack ];
 		    $currentfile = undef;
 		    do_open_file $filename;
 		} else {
@@ -2358,7 +2451,7 @@ sub load_kernel_modules( ) {

 	my @suffixes = split /\s+/ , $config{MODULE_SUFFIX};

-	while ( read_a_line ) {
+	while ( read_a_line1 ) {
 	    fatal_error "Invalid modules file entry" unless ( $currentline =~ /^loadmodule\s+([a-zA-Z]\w*)\s*(.*)$/ );
 	    my ( $module, $arguments ) = ( $1, $2 );
 	    unless ( $loadedmodules{ $module } ) {
@@ -2778,7 +2871,15 @@ sub Statistic_Match() {
 }

 sub Imq_Target() {
-    qt1( "$iptables -t mangle -A $sillyname -j IMQ --todev 0" );
+    have_capability 'MANGLE_ENABLED' && qt1( "$iptables -t mangle -A $sillyname -j IMQ --todev 0" );
+}
+
+sub Dscp_Match() {
+    have_capability 'MANGLE_ENABLED' && qt1( "$iptables -t mangle -A $sillyname -m dscp --dscp 0" );
+}
+
+sub Dscp_Target() {
+    have_capability 'MANGLE_ENABLED' && qt1( "$iptables -t mangle -A $sillyname -j DSCP --set-dscp 0" );
 }

 our %detect_capability =
@@ -2794,6 +2895,8 @@ our %detect_capability =
      CONNMARK_MATCH => \&Connmark_Match,
      CONNTRACK_MATCH => \&Conntrack_Match,
      CT_TARGET => \&Ct_Target,
+      DSCP_MATCH => \&Dscp_Match,
+      DSCP_TARGET => \&Dscp_Target,
      ENHANCED_REJECT => \&Enhanced_Reject,
      EXMARK => \&Exmark,
      FLOW_FILTER => \&Flow_Filter,
@@ -2941,11 +3044,6 @@ sub determine_capabilities() {
 	$capabilities{IPMARK_TARGET}   = detect_capability( 'IPMARK_TARGET' );
 	$capabilities{TPROXY_TARGET}   = detect_capability( 'TPROXY_TARGET' );

-	if ( $capabilities{MANGLE_ENABLED} ) {
-	    qt1( "$iptables -t mangle -F $sillyname" );
-	    qt1( "$iptables -t mangle -X $sillyname" );
-	}
-
 	$capabilities{MANGLE_FORWARD}  = detect_capability( 'MANGLE_FORWARD' );
 	$capabilities{RAW_TABLE}       = detect_capability( 'RAW_TABLE' );
 	$capabilities{RAWPOST_TABLE}   = detect_capability( 'RAWPOST_TABLE' );
@@ -2975,6 +3073,8 @@ sub determine_capabilities() {
 	$capabilities{CT_TARGET}       = detect_capability( 'CT_TARGET' );
 	$capabilities{STATISTIC_MATCH} = detect_capability( 'STATISTIC_MATCH' );
 	$capabilities{IMQ_TARGET}      = detect_capability( 'IMQ_TARGET' );
+	$capabilities{DSCP_MATCH}      = detect_capability( 'DSCP_MATCH' );
+	$capabilities{DSCP_TARGET}     = detect_capability( 'DSCP_TARGET' );


 	qt1( "$iptables -F $sillyname" );
@@ -2982,6 +3082,16 @@ sub determine_capabilities() {
 	qt1( "$iptables -F $sillyname1" );
 	qt1( "$iptables -X $sillyname1" );

+	if ( $capabilities{MANGLE_ENABLED} ) {
+	    qt1( "$iptables -t mangle -F $sillyname" );
+	    qt1( "$iptables -t mangle -X $sillyname" );
+	}
+
+	if ( $capabilities{NAT_ENABLED} ) {
+	    qt1( "$iptables -t nat -F $sillyname" );
+	    qt1( "$iptables -t nat -X $sillyname" );
+	}
+
 	$sillyname = $sillyname1 = undef;
    }
 }
@@ -3145,7 +3255,7 @@ sub update_config_file( $ ) {

 	my $heading_printed;

-	for ( keys %deprecated ) {
+	for ( grep ! $converted{$_} , keys %deprecated ) {
 	    if ( supplied( my $val = $config{$_} ) ) {
 		if ( lc $val ne $deprecated{$_} ) {
 		    unless ( $heading_printed ) {
@@ -3181,7 +3291,7 @@ EOF
 		progress_message3 "No update required to configuration file $configfile; $configfile.bak not saved";
 	    } else {
 		warning_message "Unable to unlink $configfile.bak";
-		progress_message3 "No update required to configuration file $configfile; $configfile.b";
+		progress_message3 "No update required to configuration file $configfile";
 	    }

 	    exit 0 unless -f find_file 'blacklist';
@@ -3209,7 +3319,7 @@ sub process_shorewall_conf( $$ ) {
 	    #
 	    # Don't expand shell variables or allow embedded scripting
 	    #
-	    while ( read_a_line( 0, 0 ) ) {
+	    while ( read_a_line1 ) {
 		if ( $currentline =~ /^\s*([a-zA-Z]\w*)=(.*?)\s*$/ ) {
 		    my ($var, $val) = ($1, $2);

@@ -3355,6 +3465,8 @@ sub unsupported_yes_no_warning( $ ) {
 sub get_params() {
    my $fn = find_file 'params';

+    my %reserved = ( COMMAND => 1, CONFDIR => 1, SHAREDIR => 1, VARDIR => 1 );
+
    if ( -f $fn ) {
 	progress_message2 "Processing $fn ...";

@@ -3458,6 +3570,13 @@ sub get_params() {
 	    }
 	}

+	for ( keys %params ) {
+	    unless ( $_ eq 'SHOREWALL_INIT_SCRIPT' ) {
+		fatal_error "The variable name $_ is reserved and may not be set in the params file"
+		    if /^SW_/ || /^SHOREWALL_/ || ( exists $config{$_} && ! exists $ENV{$_} ) || exists $reserved{$_};
+	    }
+	}
+
 	if ( $debug ) {
 	    print "PARAMS:\n";
 	    my $value;
@@ -3758,6 +3877,7 @@ sub get_configuration( $$$ ) {
    default_yes_no 'EXPORTMODULES'              , '';
    default_yes_no 'LEGACY_FASTSTART'           , 'Yes';
    default_yes_no 'USE_PHYSICAL_NAMES'         , '';
+    default_yes_no 'IPSET_WARNINGS'             , 'Yes';

    require_capability 'MARK' , 'FORWARD_CLEAR_MARK=Yes', 's', if $config{FORWARD_CLEAR_MARK};

--- a/Shorewall/Perl/Shorewall/IPAddrs.pm
+++ b/Shorewall/Perl/Shorewall/IPAddrs.pm
@@ -76,6 +76,7 @@ our @EXPORT = qw( ALLIPv4
 		  proto_name
 		  validate_port
 		  validate_portpair
+		  validate_portpair1
 		  validate_port_list
 		  validate_icmp
 		  validate_icmp6
@@ -371,6 +372,7 @@ sub validate_port( $$ ) {

 sub validate_portpair( $$ ) {
    my ($proto, $portpair) = @_;
+    my $what;

    fatal_error "Invalid port range ($portpair)" if $portpair =~ tr/:/:/ > 1;

@@ -379,16 +381,57 @@ sub validate_portpair( $$ ) {

    my @ports = split /:/, $portpair, 2;

-    $_ = validate_port( $proto, $_) for ( grep $_, @ports );
+    my $protonum = resolve_proto( $proto ) || 0;
+
+    $_ = validate_port( $protonum, $_) for grep $_, @ports;

    if ( @ports == 2 ) {
+	$what = 'port range';
 	fatal_error "Invalid port range ($portpair)" unless $ports[0] < $ports[1];
+    } else {
+	$what = 'port';
    }

+    fatal_error "Using a $what ( $portpair ) requires PROTO TCP, UDP, SCTP or DCCP" unless 
+	defined $protonum && ( $protonum == TCP  ||
+			       $protonum == UDP  ||
+			       $protonum == SCTP ||
+			       $protonum == DCCP );
    join ':', @ports;

 }

+sub validate_portpair1( $$ ) {
+    my ($proto, $portpair) = @_;
+    my $what;
+
+    fatal_error "Invalid port range ($portpair)" if $portpair =~ tr/-/-/ > 1;
+
+    $portpair = "0$portpair"       if substr( $portpair,  0, 1 ) eq ':';
+    $portpair = "${portpair}65535" if substr( $portpair, -1, 1 ) eq ':';
+
+    my @ports = split /-/, $portpair, 2;
+
+    my $protonum = resolve_proto( $proto ) || 0;
+
+    $_ = validate_port( $protonum, $_) for grep $_, @ports;
+
+    if ( @ports == 2 ) {
+	$what = 'port range';
+	fatal_error "Invalid port range ($portpair)" unless $ports[0] < $ports[1];
+    } else {
+	$what = 'port';
+    }
+
+    fatal_error "Using a $what ( $portpair ) requires PROTO TCP, UDP, SCTP or DCCP" unless 
+	defined $protonum && ( $protonum == TCP  ||
+			       $protonum == UDP  ||
+			       $protonum == SCTP ||
+			       $protonum == DCCP );
+    join '-', @ports;
+
+}
+
 sub validate_port_list( $$ ) {
    my $result = '';
    my ( $proto, $list ) = @_;
--- a/Shorewall/Perl/Shorewall/Misc.pm
+++ b/Shorewall/Perl/Shorewall/Misc.pm
@@ -67,18 +67,17 @@ sub process_tos() {
    my $chain    = have_capability( 'MANGLE_FORWARD' ) ? 'fortos'  : 'pretos';
    my $stdchain = have_capability( 'MANGLE_FORWARD' ) ? 'FORWARD' : 'PREROUTING';

-    my %tosoptions = ( 'minimize-delay'       => 0x10 ,
-		       'maximize-throughput'  => 0x08 ,
-		       'maximize-reliability' => 0x04 ,
-		       'minimize-cost'        => 0x02 ,
-		       'normal-service'       => 0x00 );
-
-    if ( my $fn = open_file 'tos' ) {
+   if ( my $fn = open_file 'tos' ) {
 	my $first_entry = 1;

 	my ( $pretosref, $outtosref );

-	first_entry( sub { progress_message2 "$doing $fn..."; $pretosref = ensure_chain 'mangle' , $chain; $outtosref = ensure_chain 'mangle' , 'outtos'; } );
+	first_entry( sub { progress_message2 "$doing $fn..."; 
+			   warning_message "Use of the tos file is deprecated in favor of the TOS target in tcrules";
+			   $pretosref = ensure_chain 'mangle' , $chain; 
+			   $outtosref = ensure_chain 'mangle' , 'outtos';
+		       }
+		   );

 	while ( read_a_line ) {

@@ -86,14 +85,7 @@ sub process_tos() {

 	    $first_entry = 0;

-	    fatal_error 'A value must be supplied in the TOS column' if $tos eq '-';
-
-	    if ( defined ( my $tosval = $tosoptions{"\L$tos"} ) ) {
-		$tos = $tosval;
-	    } else {
-		my $val = numeric_value( $tos );
-		fatal_error "Invalid TOS value ($tos)" unless defined( $val ) && $val < 0x1f;
-	    }
+	    $tos = decode_tos( $tos , 1 );

 	    my $chainref;

@@ -129,7 +121,7 @@ sub process_tos() {
 		$src ,
 		$dst ,
 		'' ,
-		"TOS --set-tos $tos" ,
+		'TOS' . $tos ,
 		'' ,
 		'TOS' ,
 		'';
@@ -216,8 +208,8 @@ sub setup_blacklist() {
    # for 'refresh' to work properly.
    #
    if ( @$zones || @$zones1 ) {
-	$chainref  = dont_delete new_standard_chain 'blacklst' if @$zones;
-	$chainref1 = dont_delete new_standard_chain 'blackout' if @$zones1;
+	$chainref  = set_optflags( new_standard_chain( 'blacklst' ), DONT_OPTIMIZE | DONT_DELETE ) if @$zones;
+	$chainref1 = set_optflags( new_standard_chain( 'blackout' ), DONT_OPTIMIZE | DONT_DELETE ) if @$zones1;

 	if ( supplied $level ) {
 	    $target = ensure_blacklog_chain ( $target, $disposition, $level, $audit );
@@ -695,9 +687,9 @@ sub add_common_rules ( $ ) {
    my $rejectref = $filter_table->{reject};

    if ( $config{DYNAMIC_BLACKLIST} ) {
-	add_rule_pair dont_delete( new_standard_chain( 'logdrop' ) ),   '' , 'DROP'   , $level ;
-	add_rule_pair dont_delete( new_standard_chain( 'logreject' ) ), '' , 'reject' , $level ;
-	$dynamicref = dont_optimize( new_standard_chain( 'dynamic' ) );
+	add_rule_pair( set_optflags( new_standard_chain( 'logdrop' )  , DONT_OPTIMIZE | DONT_DELETE ), '' , 'DROP'   , $level );
+	add_rule_pair( set_optflags( new_standard_chain( 'logreject' ), DONT_OPTIMIZE | DONT_DELETE ), '' , 'reject' , $level );
+	$dynamicref =  set_optflags( new_standard_chain( 'dynamic' ) ,  DONT_OPTIMIZE );
 	add_commands( $dynamicref, '[ -f ${VARDIR}/.dynamic ] && cat ${VARDIR}/.dynamic >&3' );
    }

@@ -994,7 +986,7 @@ sub add_common_rules ( $ ) {
 	if ( @$list ) {
 	    progress_message2 "$doing UPnP";

-	    $chainref = dont_optimize new_nat_chain( 'UPnP' );
+	    $chainref = set_optflags( new_nat_chain( 'UPnP' ), DONT_OPTIMIZE );

 	    add_commands( $chainref, '[ -s /${VARDIR}/.UPnP ] && cat ${VARDIR}/.UPnP >&3' );

@@ -1013,9 +1005,10 @@ sub add_common_rules ( $ ) {
 	    for $interface ( @$list ) {
 		my $chainref = $filter_table->{input_option_chain $interface};
 		my $base     = uc chain_base get_physical $interface;
-		my $variable = get_interface_gateway $interface;
+		my $optional = interface_is_optional( $interface );
+		my $variable = get_interface_gateway( $interface, ! $optional );

-		if ( interface_is_optional $interface ) {
+		if ( $optional ) {
 		    add_commands( $chainref,
 				  qq(if [ -n "SW_\$${base}_IS_USABLE" -a -n "$variable" ]; then) );
 		    incr_cmd_level( $chainref );
@@ -1481,7 +1474,7 @@ sub generate_matrix() {
    for my $zone ( @zones ) {
 	my $zoneref = find_zone( $zone );
 	
-	next if  @zones <= 2 && ! $zoneref->{options}{complex};
+	next if  @zones <= 2 && ! $zoneref->{complex};
 	#
 	# Complex zone or we have more than one non-firewall zone -- process_rules created a zone forwarding chain
 	#
@@ -1560,13 +1553,12 @@ sub generate_matrix() {
 	my $source_hosts_ref = $zoneref->{hosts};
 	my $chain1           = rules_target firewall_zone , $zone;
 	my $chain2           = rules_target $zone, firewall_zone;
-	my $complex          = $zoneref->{options}{complex} || 0;
 	my $type             = $zoneref->{type};
 	my $frwd_ref         = $filter_table->{zone_forward_chain $zone};
 	my $chain            = 0;
 	my $dnatref          = ensure_chain 'nat' , dnat_chain( $zone );
 	my $notrackref       = ensure_chain 'raw' , notrack_chain( $zone );
-	my $nested           = $zoneref->{options}{nested};
+	my $nested           = @{$zoneref->{parents}};
 	my $parenthasnat     = 0;
 	my $parenthasnotrack = 0;

--- a/Shorewall/Perl/Shorewall/Nat.pm
+++ b/Shorewall/Perl/Shorewall/Nat.pm
@@ -54,8 +54,8 @@ sub initialize() {
 #
 sub process_one_masq( )
 {
-    my ($interfacelist, $networks, $addresses, $proto, $ports, $ipsec, $mark, $user ) = 
-	split_line1 'masq file', { interface => 0, source => 1, address => 2, proto => 3, port => 4, ipsec => 5, mark => 6, user => 7 };
+    my ($interfacelist, $networks, $addresses, $proto, $ports, $ipsec, $mark, $user, $condition ) = 
+	split_line1 'masq file', { interface => 0, source => 1, address => 2, proto => 3, port => 4, ipsec => 5, mark => 6, user => 7, switch => 8 };

    if ( $interfacelist eq 'COMMENT' ) {
 	process_comment;
@@ -88,7 +88,7 @@ sub process_one_masq( )
 	$interfacelist = $1;
    } elsif ( $interfacelist =~ /^([^:]+):([^:]*)$/ ) {
 	my ( $one, $two ) = ( $1, $2 );
-	if ( $2 =~ /\./ ) {
+	if ( $2 =~ /\./ || $2 =~ /^%/ ) {
 	    $interfacelist = $one;
 	    $destnets = $two;
 	}
@@ -117,9 +117,9 @@ sub process_one_masq( )
    }

    #
-    # Handle Protocol and Ports
+    # Handle Protocol, Ports and Condition
    #
-    $baserule .= do_proto $proto, $ports, '';
+    $baserule .= do_proto( $proto, $ports, '' ) . do_condition( $condition );
    #
    # Handle Mark
    #
@@ -195,7 +195,7 @@ sub process_one_masq( )
 			    if ( $conditional = conditional_rule( $chainref, $addr ) ) {
 				$addrlist .= '--to-source ' . get_interface_address $1;
 			    } else {
-				$addrlist .= '--to-source ' . record_runtime_address $1;
+				$addrlist .= '--to-source ' . record_runtime_address( '&', $1 );
 			    }
 			} elsif ( $addr =~ /^.*\..*\..*\./ ) {
 			    $target = 'SNAT ';
@@ -210,9 +210,7 @@ sub process_one_masq( )
 			} else {
 			    my $ports = $addr; 
 			    $ports =~ s/^://;
-			    my $portrange = $ports;
-			    $portrange =~ s/-/:/;
-			    validate_portpair( $proto, $portrange );
+			    validate_portpair1( $proto, $ports );
 			    $addrlist .= "--to-ports $ports ";
 			    $exceptionrule = do_proto( $proto, '', '' );
 			}
--- a/Shorewall/Perl/Shorewall/Providers.pm
+++ b/Shorewall/Perl/Shorewall/Providers.pm
@@ -160,9 +160,7 @@ sub setup_route_marking() {

 	    my $chainref2 = new_chain( 'mangle', load_chain( $physical ) );

-	    dont_optimize $chainref2;
-	    dont_move     $chainref2;
-	    dont_delete   $chainref2;
+	    set_optflags( $chainref2, DONT_OPTIMIZE | DONT_MOVE | DONT_DELETE );
 	
  	    add_ijump ( $chainref1,
 			j => $chainref2 ,
@@ -918,7 +916,7 @@ sub add_an_rtrule( ) {
    if ( $source eq '-' ) {
 	$source = 'from ' . ALLIP;
    } elsif ( $source =~ s/^&// ) {
-	$source = 'from ' . record_runtime_address $source;
+	$source = 'from ' . record_runtime_address '&', $source;
    } elsif ( $family == F_IPV4 ) {
 	if ( $source =~ /:/ ) {
 	    ( my $interface, $source , my $remainder ) = split( /:/, $source, 3 );
--- a/Shorewall/Perl/Shorewall/Rules.pm
+++ b/Shorewall/Perl/Shorewall/Rules.pm
@@ -963,7 +963,7 @@ sub createlogactionchain( $$$$$ ) {

    unless ( $targets{$action} & BUILTIN ) {

-	dont_optimize $chainref;
+	set_optflags( $chainref, DONT_OPTIMIZE );

 	my $file = find_file $chain;

@@ -997,7 +997,7 @@ sub createsimpleactionchain( $ ) {

    unless ( $targets{$action} & BUILTIN ) {

-	dont_optimize $chainref;
+	set_optflags( $chainref, DONT_OPTIMIZE );

 	my $file = find_file $action;

@@ -1306,7 +1306,7 @@ sub allowInvalid ( $$$$ ) {
 }

 sub forwardUPnP ( $$$$ ) {
-    my $chainref = dont_optimize 'forwardUPnP';
+    my $chainref = set_optflags( 'forwardUPnP', DONT_OPTIMIZE );

    add_commands( $chainref , '[ -f ${VARDIR}/.forwardUPnP ] && cat ${VARDIR}/.forwardUPnP >&3' );
 }
@@ -2238,7 +2238,7 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$ $) {
 	    }
 	}

-	dont_move( dont_optimize( $nonat_chain ) ) if $tgt eq 'RETURN';
+	set_optflags( $nonat_chain, DONT_MOVE | DONT_OPTIMIZE ) if $tgt eq 'RETURN';

 	expand_rule( $nonat_chain ,
 		     PREROUTE_RESTRICT ,
@@ -2262,7 +2262,7 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$ $) {
 	    $action = $usedactions{$normalized_target}{name};
 	    $loglevel = '';
 	} else {
-	    dont_move( dont_optimize ( $chainref ) ) if $action eq 'RETURN';
+	    set_optflags( $chainref , DONT_MOVE | DONT_OPTIMIZE ) if $action eq 'RETURN';
 	}

 	if ( $origdest ) {
@@ -2458,6 +2458,12 @@ sub process_rule ( ) {
    progress_message qq(   Rule "$thisline" $done);
 }

+sub intrazone_allowed( $$ ) {
+    my ( $zone, $zoneref ) = @_;
+
+    $zoneref->{complex} && $filter_table->{rules_chain( $zone, $zone )}{policy} ne 'NONE';
+}
+
 #
 # Add jumps to the blacklst and blackout chains
 #
@@ -2470,7 +2476,7 @@ sub classic_blacklist() {
    
    for my $zone ( @zones ) {
 	my $zoneref = find_zone( $zone );
-	my $simple  =  @zones <= 2 && ! $zoneref->{options}{complex};
+	my $simple  =  @zones <= 2 && ! $zoneref->{complex};
 	
 	if ( $zoneref->{options}{in}{blacklist} ) {
 	    my $blackref = $filter_table->{blacklst};
@@ -2484,7 +2490,7 @@ sub classic_blacklist() {
 		    my $ruleschain    = rules_chain( $zone, $zone1 );
 		    my $ruleschainref = $filter_table->{$ruleschain};

-		    if ( ( $zone ne $zone1 || $ruleschainref->{referenced} ) && $ruleschainref->{policy} ne 'NONE' ) {
+		    if ( $zone ne $zone1 || intrazone_allowed( $zone, $zoneref ) ) {
 			add_ijump( ensure_rules_chain( $ruleschain ), j => $blackref, @state );
 		    }
 		}
@@ -2501,7 +2507,7 @@ sub classic_blacklist() {
 		my $ruleschain    = rules_chain( $zone1, $zone );
 		my $ruleschainref = $filter_table->{$ruleschain};

-		if ( ( $zone ne $zone1 || $ruleschainref->{referenced} ) && $ruleschainref->{policy} ne 'NONE' ) {
+		if ( ( $zone ne $zone1 || intrazone_allowed( $zone, $zoneref ) ) ) {
 		    add_ijump( ensure_rules_chain( $ruleschain ), j => $blackref, @state );
 		}
 	    }
@@ -2568,6 +2574,11 @@ sub process_rules( $ ) {

    add_interface_options( $blrules );

+    #
+    # Handle MSS settings in the zones file
+    #
+    setup_zone_mss;
+
    $fn = open_file 'rules';

    if ( $fn ) {
--- a/Shorewall/Perl/Shorewall/Tc.pm
+++ b/Shorewall/Perl/Shorewall/Tc.pm
@@ -194,14 +194,14 @@ sub initialize( $ ) {
 }

 sub process_tc_rule( ) {
-    my ( $originalmark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability );
+    my ( $originalmark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability , $dscp );
    if ( $family == F_IPV4 ) {
-	( $originalmark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $probability ) =
-	    split_line1 'tcrules file', { mark => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5, user => 6, test => 7, length => 8, tos => 9, connbytes => 10, helper => 11, probability => 12 };
+	( $originalmark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $probability, $dscp ) =
+	    split_line1 'tcrules file', { mark => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5, user => 6, test => 7, length => 8, tos => 9, connbytes => 10, helper => 11, probability => 12 , dscp => 13 };
 	$headers = '-';
    } else {
-	( $originalmark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability ) = 
-	    split_line1 'tcrules file', { mark => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5, user => 6, test => 7, length => 8, tos => 9, connbytes => 10, helper => 11, headers => 12, probability => 13 };
+	( $originalmark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability, $dscp ) = 
+	    split_line1 'tcrules file', { mark => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5, user => 6, test => 7, length => 8, tos => 9, connbytes => 10, helper => 11, headers => 12, probability => 13 , dscp => 14 };
    }

    our @tccmd;
@@ -239,6 +239,157 @@ sub process_tc_rule( ) {
    my $device   = '';
    my $fw       = firewall_zone;
    my $list;
+    my $restriction = 0;
+    my $cmd;
+    my $rest;
+
+    my %processtcc = ( sticky => sub() {
+			                  if ( $chain eq 'tcout' ) {
+					      $target = 'sticko';
+					  } else {
+					      fatal_error "SAME rules are only allowed in the PREROUTING and OUTPUT chains" if $chain ne 'tcpre';
+					  }
+
+					  $restriction = DESTIFACE_DISALLOW;
+
+					  ensure_mangle_chain($target);
+
+					  $sticky++;
+				      },
+		       IPMARK => sub() {
+			                  my ( $srcdst, $mask1, $mask2, $shift ) = ('src', 255, 0, 0 );
+
+					  require_capability 'IPMARK_TARGET', 'IPMARK', 's';
+
+					  if ( $cmd =~ /^IPMARK\((.+?)\)$/ ) {
+					      my $params = $1;
+					      my $val;
+
+					      my ( $sd, $m1, $m2, $s , $bad ) = split ',', $params;
+
+					      fatal_error "Invalid IPMARK parameters ($params)" if $bad;
+					      fatal_error "Invalid IPMARK parameter ($sd)" unless ( $sd eq 'src' || $sd eq 'dst' );
+					      $srcdst = $sd;
+
+					      if ( supplied $m1 ) {
+						  $val = numeric_value ($m1);
+						  fatal_error "Invalid Mask ($m1)" unless defined $val && $val && $val <= 0xffffffff;
+						  $mask1 = in_hex ( $val & 0xffffffff );
+					      }
+
+					      if ( supplied $m2 ) {
+						  $val = numeric_value ($m2);
+						  fatal_error "Invalid Mask ($m2)" unless defined $val && $val <= 0xffffffff;
+						  $mask2 = in_hex ( $val & 0xffffffff );
+					      }
+
+					      if ( defined $s ) {
+						  $val = numeric_value ($s);
+						  fatal_error "Invalid Shift Bits ($s)" unless defined $val && $val >= 0 && $val < 128;
+						  $shift = $s;
+					      }			    
+					  } else {
+					      fatal_error "Invalid MARK/CLASSIFY ($cmd)" unless $cmd eq 'IPMARK';
+					  }
+
+					  $target = "IPMARK --addr $srcdst --and-mask $mask1 --or-mask $mask2 --shift $shift";
+				      },
+		       TPROXY => sub() {
+			                  require_capability( 'TPROXY_TARGET', 'Use of TPROXY', 's');
+
+			                  fatal_error "Invalid TPROXY specification( $cmd/$rest )" if $rest;
+
+					  $chain = 'tcpre';
+
+					  $cmd =~ /TPROXY\((.+?)\)$/;
+
+					  my $params = $1;
+
+					  fatal_error "Invalid TPROXY specification( $cmd )" unless defined $params;
+
+					  ( $mark, my $port, my $ip, my $bad ) = split ',', $params;
+
+					  fatal_error "Invalid TPROXY specification( $cmd )" if defined $bad;
+
+					  if ( $port ) {
+					      $port = validate_port( 'tcp', $port );
+					  } else {
+					      $port = 0;
+					  }
+
+					  $target .= " --on-port $port";
+
+					  if ( supplied $ip ) {
+					      if ( $family == F_IPV6 ) {
+						  $ip = $1 if $ip =~ /^\[(.+)\]$/ || $ip =~ /^<(.+)>$/;
+					      }
+
+					      validate_address $ip, 1;
+					      $target .= " --on-ip $ip";
+					  }
+
+					  $target .= ' --tproxy-mark';
+				      },
+		       TTL => sub() {
+			                  fatal_error "TTL is not supported in IPv6 - use HL instead" if $family == F_IPV6;
+					  fatal_error "Invalid TTL specification( $cmd/$rest )" if $rest;
+					  fatal_error "Chain designator $designator not allowed with TTL" if $designator && ! ( $designator eq 'F' );
+
+					  $chain = 'tcfor';
+
+					  $cmd =~ /^TTL\(([-+]?\d+)\)$/;
+
+					  my $param =  $1;
+
+					  fatal_error "Invalid TTL specification( $cmd )" unless $param && ( $param = abs $param ) < 256;
+
+					  if ( $1 =~ /^\+/ ) {
+					      $target .= " --ttl-inc $param";
+					  } elsif ( $1 =~ /\-/ ) {
+					      $target .= " --ttl-dec $param";
+					  } else {
+					      $target .= " --ttl-set $param";
+					  }
+				      },
+		       HL => sub() {
+			                  fatal_error "HL is not supported in IPv4 - use TTL instead" if $family == F_IPV4;
+					  fatal_error "Invalid HL specification( $cmd/$rest )" if $rest;
+					  fatal_error "Chain designator $designator not allowed with HL" if $designator && ! ( $designator eq 'F' );
+
+					  $chain = 'tcfor';
+
+					  $cmd =~ /^HL\(([-+]?\d+)\)$/;
+
+					  my $param =  $1;
+
+					  fatal_error "Invalid HL specification( $cmd )" unless $param && ( $param = abs $param ) < 256;
+
+					  if ( $1 =~ /^\+/ ) {
+					      $target .= " --hl-inc $param";
+					  } elsif ( $1 =~ /\-/ ) {
+					      $target .= " --hl-dec $param";
+					  } else {
+					      $target .= " --hl-set $param";
+					  }
+				      },
+		       IMQ => sub() {
+			                  assert( $cmd =~ /^IMQ\((\d+)\)$/ );
+					  require_capability 'IMQ_TARGET', 'IMQ', 's';
+					  $target .= " --todev $1";
+				      },
+		       DSCP => sub() {
+			                  assert( $cmd =~ /^DSCP\((\w+)\)$/ );
+					  require_capability 'DSCP_TARGET', 'The DSCP action', 's'; 
+					  my $dscp = numeric_value( $1 );
+					  $dscp = $dscpmap{$1} unless defined $dscp;
+					  fatal_error( "Invalid DSCP ($1)" ) unless defined $dscp && $dscp <= 0x38 && ! ( $dscp & 1 );
+					  $target .= ' --set-dscp ' . in_hex( $dscp );
+				      },
+		       TOS => sub() {
+			                  assert( $cmd =~ /^TOS\((.+)\)$/ );
+					  $target .= decode_tos( $1 , 2 );
+				      },
+		     );

    if ( $source ) {
 	if ( $source eq $fw ) {
@@ -312,12 +463,15 @@ sub process_tc_rule( ) {
 	}
    }

-    my ($cmd, $rest) = split( '/', $mark, 2 );
+    if ( $mark =~ /^TOS/ ) {
+	$cmd = $mark;
+	$rest = '';
+    } else {
+	($cmd, $rest) = split( '/', $mark, 2 );
+    }

    $list = '';

-    my $restriction = 0;
-
    unless ( $classid ) {
      MARK:
 	{
@@ -336,134 +490,8 @@ sub process_tc_rule( ) {
 			$mark =~ s/^[|&]//;
 		    }

-		    if ( $target eq 'sticky' ) {
-			if ( $chain eq 'tcout' ) {
-			    $target = 'sticko';
-			} else {
-			    fatal_error "SAME rules are only allowed in the PREROUTING and OUTPUT chains" if $chain ne 'tcpre';
-			}
-
-			$restriction = DESTIFACE_DISALLOW;
-
-			ensure_mangle_chain($target);
-
-			$sticky++;
-		    } elsif ( $target eq 'IPMARK' ) {
-			my ( $srcdst, $mask1, $mask2, $shift ) = ('src', 255, 0, 0 );
-
-			require_capability 'IPMARK_TARGET', 'IPMARK', 's';
-
-			if ( $cmd =~ /^IPMARK\((.+?)\)$/ ) {
-			    my $params = $1;
-			    my $val;
-
-			    my ( $sd, $m1, $m2, $s , $bad ) = split ',', $params;
-
-			    fatal_error "Invalid IPMARK parameters ($params)" if $bad;
-			    fatal_error "Invalid IPMARK parameter ($sd)" unless ( $sd eq 'src' || $sd eq 'dst' );
-			    $srcdst = $sd;
-
-			    if ( supplied $m1 ) {
-				$val = numeric_value ($m1);
-				fatal_error "Invalid Mask ($m1)" unless defined $val && $val && $val <= 0xffffffff;
-				$mask1 = in_hex ( $val & 0xffffffff );
-			    }
-
-			    if ( supplied $m2 ) {
-				$val = numeric_value ($m2);
-				fatal_error "Invalid Mask ($m2)" unless defined $val && $val <= 0xffffffff;
-				$mask2 = in_hex ( $val & 0xffffffff );
-			    }
-
-			    if ( defined $s ) {
-				$val = numeric_value ($s);
-				fatal_error "Invalid Shift Bits ($s)" unless defined $val && $val >= 0 && $val < 128;
-				$shift = $s;
-			    }			    
-			} else {
-			    fatal_error "Invalid MARK/CLASSIFY ($cmd)" unless $cmd eq 'IPMARK';
-			}
-
-			$target = "IPMARK --addr $srcdst --and-mask $mask1 --or-mask $mask2 --shift $shift";
-		    } elsif ( $target eq 'TPROXY' ) {
-			require_capability( 'TPROXY_TARGET', 'Use of TPROXY', 's');
-
-			fatal_error "Invalid TPROXY specification( $cmd/$rest )" if $rest;
-
-			$chain = 'tcpre';
-
-			$cmd =~ /TPROXY\((.+?)\)$/;
-
-			my $params = $1;
-
-			fatal_error "Invalid TPROXY specification( $cmd )" unless defined $params;
-
-			( $mark, my $port, my $ip, my $bad ) = split ',', $params;
-
-			fatal_error "Invalid TPROXY specification( $cmd )" if defined $bad;
-
-			if ( $port ) {
-			    $port = validate_port( 'tcp', $port );
-			} else {
-			    $port = 0;
-			}
-
-			$target .= " --on-port $port";
-
-			if ( supplied $ip ) {
-			    if ( $family == F_IPV6 ) {
-				$ip = $1 if $ip =~ /^\[(.+)\]$/ || $ip =~ /^<(.+)>$/;
-			    }
-
-			    validate_address $ip, 1;
-			    $target .= " --on-ip $ip";
-			}
-
-			$target .= ' --tproxy-mark';
-		    } elsif ( $target eq 'TTL' ) {
-			fatal_error "TTL is not supported in IPv6 - use HL instead" if $family == F_IPV6;
-			fatal_error "Invalid TTL specification( $cmd/$rest )" if $rest;
-			fatal_error "Chain designator $designator not allowed with TTL" if $designator && ! ( $designator eq 'F' );
-
-			$chain = 'tcfor';
-
-			$cmd =~ /^TTL\(([-+]?\d+)\)$/;
-
-			my $param =  $1;
-
-			fatal_error "Invalid TTL specification( $cmd )" unless $param && ( $param = abs $param ) < 256;
-
-			if ( $1 =~ /^\+/ ) {
-			    $target .= " --ttl-inc $param";
-			} elsif ( $1 =~ /\-/ ) {
-			    $target .= " --ttl-dec $param";
-			} else {
-			    $target .= " --ttl-set $param";
-			}
-		    } elsif ( $target eq 'HL' ) {
-			fatal_error "HL is not supported in IPv4 - use TTL instead" if $family == F_IPV4;
-			fatal_error "Invalid HL specification( $cmd/$rest )" if $rest;
-			fatal_error "Chain designator $designator not allowed with HL" if $designator && ! ( $designator eq 'F' );
-
-			$chain = 'tcfor';
-
-			$cmd =~ /^HL\(([-+]?\d+)\)$/;
-
-			my $param =  $1;
-
-			fatal_error "Invalid HL specification( $cmd )" unless $param && ( $param = abs $param ) < 256;
-
-			if ( $1 =~ /^\+/ ) {
-			    $target .= " --hl-inc $param";
-			} elsif ( $1 =~ /\-/ ) {
-			    $target .= " --hl-dec $param";
-			} else {
-			    $target .= " --hl-set $param";
-			}
-		    } elsif ( $target eq 'IMQ' ) {
-			assert( $cmd =~ /^IMQ\((\d+)\)$/ );
-			require_capability 'IMQ_TARGET', 'IMQ', 's';
-			$target .= " --todev $1";
+		    if ( my $f = $processtcc{$target} ) {
+			$f->();
 		    }

 		    if ( $rest ) {
@@ -510,7 +538,8 @@ sub process_tc_rule( ) {
 				     do_connbytes( $connbytes ) .
 				     do_helper( $helper ) .
 				     do_headers( $headers ) .
-				     do_probability( $probability ) ,
+				     do_probability( $probability ) .
+				     do_dscp( $dscp ),
 				     $source ,
 				     $dest ,
 				     '' ,
@@ -855,7 +884,7 @@ sub validate_tc_device( ) {
 			    pfifo         => $pfifo,
 			    tablenumber   => 1 ,
 			    redirected    => \@redirected,
-			    default       => 0,
+			    default       => undef,
 			    nextclass     => 2,
 			    qdisc         => $qdisc,
 			    guarantee     => 0,
@@ -998,6 +1027,7 @@ sub validate_tc_class( ) {
 	}
    } else {
 	fatal_error "Duplicate Class NUMBER ($classnumber)" if $tcref->{$classnumber};
+	$markval = '-';
    }

    if ( $parentclass != 1 ) {
@@ -1114,8 +1144,10 @@ sub validate_tc_class( ) {
    }

    unless ( $devref->{classify} || $occurs > 1 ) {
-	fatal_error "Missing MARK" if $mark eq '-';
-	warning_message "Class NUMBER ignored -- INTERFACE $device does not have the 'classify' option"	if $devclass =~ /:/;
+	if ( $mark ne '-' ) {
+	    fatal_error "Missing MARK" if $mark eq '-';
+	    warning_message "Class NUMBER ignored -- INTERFACE $device does not have the 'classify' option"	if $devclass =~ /:/;
+	}
    }

    $tcref->{flow}  = $devref->{flow}  unless $tcref->{flow};
@@ -1596,7 +1628,7 @@ sub process_traffic_shaping() {
 	my $devnum  = in_hexp $devref->{number};
 	my $r2q     = int calculate_r2q $devref->{out_bandwidth};

-	fatal_error "No default class defined for device $devname" unless $devref->{default};
+	fatal_error "No default class defined for device $devname" unless defined $devref->{default};

 	my $device = physical_name $devname;

@@ -1708,7 +1740,7 @@ sub process_traffic_shaping() {
 		#
 		# add filters
 		#
-		unless ( $devref->{classify} ) {
+		unless ( $mark eq '-' ) {
 		    emit "run_tc filter add dev $device protocol all parent $devicenumber:0 prio " . ( $priority | 20 ) . " handle $mark fw classid $classid" if $tcref->{occurs} == 1;
 		}

@@ -1988,6 +2020,18 @@ sub setup_tc() {
 			  mask      => '',
 			  connmark  => 0
 			},
+			{ match     => sub( $ ) { $_[0] =~ /^DSCP\(\w+\)$/ },
+			  target    => 'DSCP',
+			  mark      => NOMARK,
+			  mask      => '',
+			  connmark  => 0
+			},
+			{ match     => sub( $ ) { $_[0] =~ /^TOS\(.+\)$/ },
+			  target    => 'TOS',
+			  mark      => NOMARK,
+			  mask      => '',
+			  connmark  => 0
+			},
 		      );

 	if ( my $fn = open_file 'tcrules' ) {
--- a/Shorewall/Perl/Shorewall/Zones.pm
+++ b/Shorewall/Perl/Shorewall/Zones.pm
@@ -83,6 +83,7 @@ our @EXPORT = qw( NOTHING
 		  compile_updown
 		  validate_hosts_file
 		  find_hosts_by_option
+		  find_zone_hosts_by_option
 		  find_zones_by_option
 		  all_ipsets
 		  have_ipsec
@@ -113,11 +114,10 @@ use constant { IN_OUT     => 1,
 #
 #     @zones contains the ordered list of zones with sub-zones appearing before their parents.
 #
-#     %zones{<zone1> => {type = >      <zone type>       FIREWALL, IP, IPSEC, BPORT;
-#                        options =>    { complex => 0|1
-#                                        nested  => 0|1
-#                                        super   => 0|1
-#                                        in_out  => < policy match string >
+#     %zones{<zone1> => {type =>       <zone type>       FIREWALL, IP, IPSEC, BPORT;
+#                        complex =>    0|1
+#                        super   =>    0|1
+#                        options =>    { in_out  => < policy match string >
 #                                        in      => < policy match string >
 #                                        out     => < policy match string >
 #                                      }
@@ -227,6 +227,25 @@ my %maxoptionvalue = ( routefilter => 2, mss => 100000 , wait => 120 );

 my %validhostoptions;

+my %validzoneoptions = ( mss          => NUMERIC,
+			 nomark       => NOTHING,
+			 blacklist    => NOTHING,
+			 strict       => NOTHING,
+			 next         => NOTHING,
+			 reqid        => NUMERIC,
+			 spi          => NUMERIC,
+			 proto        => IPSECPROTO,
+			 mode         => IPSECMODE,
+			 "tunnel-src" => NETWORK,
+			 "tunnel-dst" => NETWORK,
+		       );
+
+use constant { UNRESTRICTED => 1, NOFW => 2 , COMPLEX => 8, IN_OUT_ONLY => 16 };
+#
+# Hash of options that have their own key in the returned hash.
+#
+my %zonekey = ( mss => UNRESTRICTED | COMPLEX , blacklist => NOFW, nomark => NOFW | IN_OUT_ONLY );
+
 #
 # Rather than initializing globals in an INIT block or during declaration,
 # we initialize them in a function. This is done for two reasons:
@@ -290,6 +309,7 @@ sub initialize( $$ ) {
 			     broadcast => 1,
 			     destonly => 1,
 			     sourceonly => 1,
+			     mss => 1,
 			    );
 	%zonetypes = ( 1 => 'firewall', 2 => 'ipv4', 4 => 'bport4', 8 => 'ipsec4', 16 => 'vserver' );
    } else {
@@ -316,6 +336,7 @@ sub initialize( $$ ) {
 			     maclist => 1,
 			     routeback => 1,
 			     tcpflags => 1,
+			     mss => 1,
 			    );
 	%zonetypes = ( 1 => 'firewall', 2 => 'ipv6', 4 => 'bport6', 8 => 'ipsec4', 16 => 'vserver' );
    }
@@ -329,25 +350,6 @@ sub initialize( $$ ) {
 #
 sub parse_zone_option_list($$\$$)
 {
-    my %validoptions = ( mss          => NUMERIC,
-			 nomark       => NOTHING,
-			 blacklist    => NOTHING,
-			 strict       => NOTHING,
-			 next         => NOTHING,
-			 reqid        => NUMERIC,
-			 spi          => NUMERIC,
-			 proto        => IPSECPROTO,
-			 mode         => IPSECMODE,
-			 "tunnel-src" => NETWORK,
-			 "tunnel-dst" => NETWORK,
-		       );
-
-    use constant { UNRESTRICTED => 1, NOFW => 2 , COMPLEX => 8, IN_OUT_ONLY => 16 };
-    #
-    # Hash of options that have their own key in the returned hash.
-    #
-    my %key = ( mss => UNRESTRICTED | COMPLEX , blacklist => NOFW, nomark => NOFW | IN_OUT_ONLY );
-
    my ( $list, $zonetype, $complexref, $column ) = @_;
    my %h;
    my $options = '';
@@ -367,7 +369,7 @@ sub parse_zone_option_list($$\$$)
 		$e   = $1;
 	    }

-	    $fmt = $validoptions{$e};
+	    $fmt = $validzoneoptions{$e};

 	    fatal_error "Invalid Option ($e)" unless $fmt;

@@ -378,7 +380,7 @@ sub parse_zone_option_list($$\$$)
 		fatal_error "Invalid value ($val) for option \"$e\"" unless $val =~ /^($fmt)$/;
 	    }

-	    my $key = $key{$e};
+	    my $key = $zonekey{$e};

 	    if ( $key ) {
 		fatal_error "Option '$e' not permitted with this zone type " if $key & NOFW && ($zonetype & ( FIREWALL | VSERVER) );
@@ -403,13 +405,13 @@ sub parse_zone_option_list($$\$$)
 #
 # Set the super option on the passed zoneref and propagate to its parents
 #
-sub set_super( $ );
+sub set_super( $ ); #required for recursion

 sub set_super( $ ) {
    my $zoneref = shift;

-    unless ( $zoneref->{options}{super} ) {
-	$zoneref->{options}{super} = 1;
+    unless ( $zoneref->{super} ) {
+	$zoneref->{super} = 1;
 	set_super( $zones{$_} ) for @{$zoneref->{parents}};
    }
 }
@@ -487,10 +489,9 @@ sub process_zone( \$ ) {
 				    options    => { in_out  => parse_zone_option_list( $options , $type, $complex , IN_OUT ) ,
 						    in      => parse_zone_option_list( $in_options , $type , $complex , IN ) ,
 						    out     => parse_zone_option_list( $out_options , $type , $complex , OUT ) ,
-						    complex => ( $type & IPSEC || $complex ) ,
-						    nested  => @parents > 0 ,
-						    super   => 0 ,
 						  } ,
+				    super      => 0 ,
+				    complex    => ( $type & IPSEC || $complex ) ,
 				    interfaces => {} ,
 				    children   => [] ,
 				    hosts      => {}
@@ -506,7 +507,7 @@ sub process_zone( \$ ) {
 		fatal_error "Zone mark overflow - please increase the setting of ZONE_BITS" if $zonemark >= $zonemarklimit;
 		$mark      = $zonemark;
 		$zonemark += $zonemarkincr;
-		$zoneref->{options}{complex} = 1;
+		$zoneref->{complex} = 1;
 	    }
 	}

@@ -516,7 +517,6 @@ sub process_zone( \$ ) {
 	    progress_message_nocompress "   Zone $zone:\tmark value " . in_hex( $zoneref->{mark} = $mark );
 	}
    }
-	

    if ( $zoneref->{options}{in_out}{blacklist} ) {
 	for ( qw/in out/ ) {
@@ -769,13 +769,13 @@ sub add_group_to_zone($$$$$)

    my $gtype = $type & IPSEC ? 'ipsec' : 'ip';

-    $hostsref     = ( $zoneref->{hosts}           || ( $zoneref->{hosts} = {} ) );
-    $typeref      = ( $hostsref->{$gtype}         || ( $hostsref->{$gtype} = {} ) );
-    $interfaceref = ( $typeref->{$interface}      || ( $typeref->{$interface} = [] ) );
+    $hostsref     = ( $zoneref->{hosts}      ||= {} );
+    $typeref      = ( $hostsref->{$gtype}    ||= {} );
+    $interfaceref = ( $typeref->{$interface} ||= [] );

    fatal_error "Duplicate Host Group ($interface:" . ALLIP . ") in zone $zone" if $allip && @$interfaceref;

-    $zoneref->{options}{complex} = 1 if @$interfaceref || ( @newnetworks > 1 ) || ( @exclusions ) || $options->{routeback};
+    $zoneref->{complex} = 1 if @$interfaceref || @newnetworks > 1 || @exclusions || $options->{routeback};

    push @{$interfaceref}, { options => $options,
 			     hosts   => \@newnetworks,
@@ -838,7 +838,7 @@ sub all_parent_zones() {
 }

 sub complex_zones() {
-    grep( $zones{$_}{options}{complex} , @zones );
+    grep( $zones{$_}{complex} , @zones );
 }

 sub vserver_zones() {
@@ -912,10 +912,27 @@ sub process_interface( $$ ) {
    my ( $nextinum, $export ) = @_;
    my $netsref   = '';
    my $filterref = [];
-    my ($zone, $originalinterface, $bcasts, $options ) = split_line 'interfaces file', { zone => 0, interface => 1, broadcast => 2, options => 3 };
+    my ($zone, $originalinterface, $bcasts, $options );
    my $zoneref;
    my $bridge = '';
+    our $format;

+    if ( $format == 1 ) {
+	($zone, $originalinterface, $bcasts, $options ) = split_line1 'interfaces file', { zone => 0, interface => 1, broadcast => 2, options => 3 }, { COMMENT => 0, FORMAT => 2 };
+    } else {
+	($zone, $originalinterface, $options ) = split_line1 'interfaces file', { zone => 0, interface => 1, options => 2 }, { COMMENT => 0, FORMAT => 2 };
+	$bcasts = '-';
+    }
+
+    if ( $zone eq 'FORMAT' ) {
+	if ( $originalinterface =~ /^([12])$/ ) {
+	    $format = $1;
+	    return;
+	}
+
+	fatal_error "Invalid FORMAT ($1)";
+    }
+	
    if ( $zone eq '-' ) {
 	$zone = '';
    } else {
@@ -1185,7 +1202,8 @@ sub process_interface( $$ ) {
 # Parse the interfaces file.
 #
 sub validate_interfaces_file( $ ) {
-    my $export = shift;
+    my  $export = shift;
+    our $format = 1;
    
    my @ifaces;
    my $nextinum = 1;
@@ -1820,7 +1838,7 @@ sub process_host( ) {
    }

    if ( $hosts =~ /^!?\+/ ) {
-	$zoneref->{options}{complex} = 1;
+	$zoneref->{complex} = 1;
 	fatal_error "ipset name qualification is disallowed in this file" if $hosts =~ /[\[\]]/;
 	fatal_error "Invalid ipset name ($hosts)" unless $hosts =~ /^!?\+[a-zA-Z][-\w]*$/;
    }
@@ -1844,12 +1862,16 @@ sub process_host( ) {
 	    if ( $option eq 'ipsec' ) {
 		require_capability 'POLICY_MATCH' , q(The 'ipsec' option), 's';
 		$type = IPSEC;
-		$zoneref->{options}{complex} = 1;
+		$zoneref->{complex} = 1;
 		$ipsec = $interfaceref->{ipsec} = 1;
 	    } elsif ( $option eq 'norfc1918' ) {
 		warning_message "The 'norfc1918' host option is no longer supported"
 	    } elsif ( $option eq 'blacklist' ) {
 		$zoneref->{options}{in}{blacklist} = 1;
+	    } elsif ( $option =~ /^mss=(\d+)$/ ) {
+		fatal_error "Invalid mss ($1)" unless $1 >= 500;
+		$options{mss} = $1;
+		$zoneref->{options}{complex} = 1;
 	    } elsif ( $validhostoptions{$option}) {
 		fatal_error qq(The "$option" option is not allowed with Vserver zones) if $type & VSERVER && ! ( $validhostoptions{$option} & IF_OPTION_VSERVER );
 		$options{$option} = 1;
@@ -1914,8 +1936,7 @@ sub validate_hosts_file()

    $have_ipsec = $ipsec || haveipseczones;

-    $_->{options}{complex} ||= ( keys %{$_->{interfaces}} > 1 ) for values %zones;
-
+    $_->{complex} ||= ( keys %{$_->{interfaces}} > 1 ) for values %zones;
 }

 #
@@ -1927,7 +1948,7 @@ sub have_ipsec() {

 #
 # Returns a reference to a array of host entries. Each entry is a
-# reference to an array containing ( interface , polciy match type {ipsec|none} , network , exclusions );
+# reference to an array containing ( interface , polciy match type {ipsec|none} , network , exclusions, value );
 #
 sub find_hosts_by_option( $ ) {
    my $option = $_[0];
@@ -1937,9 +1958,9 @@ sub find_hosts_by_option( $ ) {
 	while ( my ($type, $interfaceref) = each %{$zones{$zone}{hosts}} ) {
 	    while ( my ( $interface, $arrayref) = ( each %{$interfaceref} ) ) {
 		for my $host ( @{$arrayref} ) {
-		    if ( $host->{options}{$option} ) {
+		    if ( my $value = $host->{options}{$option} ) {
 			for my $net ( @{$host->{hosts}} ) {
-			    push @hosts, [ $interface, $host->{ipsec} , $net , $host->{exclusions}];
+			    push @hosts, [ $interface, $host->{ipsec} , $net , $host->{exclusions}, $value ];
 			}
 		    }
 		}
@@ -1956,6 +1977,30 @@ sub find_hosts_by_option( $ ) {
    \@hosts;
 }

+#
+# As above but for a single zone
+#
+sub find_zone_hosts_by_option( $$ ) {
+    my ($zone, $option ) = @_;
+    my @hosts;
+
+    unless ( $zones{$zone}{type} & FIREWALL ) {
+	while ( my ($type, $interfaceref) = each %{$zones{$zone}{hosts}} ) {
+	    while ( my ( $interface, $arrayref) = ( each %{$interfaceref} ) ) {
+		for my $host ( @{$arrayref} ) {
+		    if ( my $value = $host->{options}{$option} ) {
+			for my $net ( @{$host->{hosts}} ) {
+			    push @hosts, [ $interface, $host->{ipsec} , $net , $host->{exclusions}, $value ];
+			}
+		    }
+		}
+	    }
+	}
+    }
+
+    \@hosts;
+}
+
 #
 # Returns a reference to a list of zones with the passed in/out option
 #
--- a/Shorewall/Perl/prog.footer
+++ b/Shorewall/Perl/prog.footer
@@ -62,12 +62,14 @@ checkkernelversion() {
 #
 # Start trace if first arg is "debug" or "trace"
 #
+g_debug_iptables=
+
 if [ $# -gt 1 ]; then
    if [ "x$1" = "xtrace" ]; then
 	set -x
 	shift
    elif [ "x$1" = "xdebug" ]; then
-	DEBUG=Yes
+	g_debug_iptables=Yes
 	shift
    fi
 fi
--- a/Shorewall/Samples/Universal/shorewall.conf
+++ b/Shorewall/Samples/Universal/shorewall.conf
@@ -138,6 +138,8 @@ FORWARD_CLEAR_MARK=

 IMPLICIT_CONTINUE=No

+IPSET_WARNINGS=Yes
+
 IP_FORWARDING=On

 KEEP_RT_TABLES=No
--- a/Shorewall/Samples/one-interface/shorewall.conf
+++ b/Shorewall/Samples/one-interface/shorewall.conf
@@ -149,6 +149,8 @@ FORWARD_CLEAR_MARK=

 IMPLICIT_CONTINUE=No

+IPSET_WARNINGS=Yes
+
 IP_FORWARDING=Off

 KEEP_RT_TABLES=No
--- a/Shorewall/Samples/three-interfaces/shorewall.conf
+++ b/Shorewall/Samples/three-interfaces/shorewall.conf
@@ -147,6 +147,8 @@ FORWARD_CLEAR_MARK=

 IMPLICIT_CONTINUE=No

+IPSET_WARNINGS=Yes
+
 IP_FORWARDING=On

 KEEP_RT_TABLES=No
--- a/Shorewall/Samples/two-interfaces/shorewall.conf
+++ b/Shorewall/Samples/two-interfaces/shorewall.conf
@@ -150,6 +150,8 @@ FORWARD_CLEAR_MARK=

 IMPLICIT_CONTINUE=No

+IPSET_WARNINGS=Yes
+
 IP_FORWARDING=On

 KEEP_RT_TABLES=No
--- a/Shorewall/action.Invalid
+++ b/Shorewall/action.Invalid
@@ -49,7 +49,7 @@ my $target           = require_audit ( $action , $audit );
 log_rule_limit $level, $chainref, 'Invalid' , $action, '', $tag, 'add', "$globals{STATEMATCH} INVALID " if $level ne '';
 add_jump $chainref , $target, 0, "$globals{STATEMATCH} INVALID ";

-$chainref->{dont_optimize} = 0;
+allow_optimize( $chainref );

 1;

--- a/Shorewall/action.NotSyn
+++ b/Shorewall/action.NotSyn
@@ -49,7 +49,7 @@ my $target           = require_audit ( $action , $audit );
 log_rule_limit $level, $chainref, 'NotSyn' , $action, '', $tag, 'add', '-p 6 ! --syn ' if $level ne '';
 add_jump $chainref , $target, 0, '-p 6 ! --syn ';

-$chainref->{dont_optimize} = 0;
+allow_optimize( $chainref );

 1;

--- a/Shorewall/configfiles/interfaces
+++ b/Shorewall/configfiles/interfaces
@@ -7,4 +7,8 @@
 # http://www.shorewall.net/manpages/shorewall-interfaces.html
 #
 ###############################################################################
+FORMAT 1
 #ZONE	INTERFACE	BROADCAST	OPTIONS
+
+FORMAT 2
+#ZONE		INTERFACE		OPTIONS
--- a/Shorewall/configfiles/masq
+++ b/Shorewall/configfiles/masq
@@ -6,6 +6,6 @@
 # The manpage is also online at
 # http://www.shorewall.net/manpages/shorewall-masq.html
 #
-#############################################################################################
-#INTERFACE:DEST		SOURCE		ADDRESS		PROTO	PORT(S)	IPSEC	MARK	USER/
+######################################################################################################
+#INTERFACE:DEST		SOURCE		ADDRESS		PROTO	PORT(S)	IPSEC	MARK	USER/	SWITCH
 #											GROUP
--- a/Shorewall/configfiles/shorewall.conf
+++ b/Shorewall/configfiles/shorewall.conf
@@ -138,6 +138,8 @@ FORWARD_CLEAR_MARK=

 IMPLICIT_CONTINUE=No

+IPSET_WARNINGS=Yes
+
 IP_FORWARDING=On

 KEEP_RT_TABLES=No
--- a/Shorewall/configfiles/tcrules
+++ b/Shorewall/configfiles/tcrules
@@ -9,7 +9,7 @@
 #
 # See http://shorewall.net/PacketMarking.html for a detailed description of
 # the Netfilter/Shorewall packet marking mechanism.
-######################################################################################################################################
-#MARK	SOURCE		DEST		PROTO	DEST	SOURCE	USER	TEST	LENGTH	TOS   CONNBYTES		HELPER    PROBABILITY
+##########################################################################################################################################
+#ACTION	SOURCE		DEST		PROTO	DEST	SOURCE	USER	TEST	LENGTH	TOS   CONNBYTES		HELPER    PROBABILITY DSCP
 #						PORT(S)	PORT(S)

--- a/Shorewall/configfiles/tos
+++ b/Shorewall/configfiles/tos
@@ -4,5 +4,5 @@
 # For information about entries in this file, type "man shorewall-tos"
 #
 ###############################################################################
-#SOURCE		DEST		PROTOCOL	SOURCE	DEST	TOS	MARK
+#SOURCE		DEST		PROTOCOL	DEST	SOURCE	TOS	MARK
 #						PORTS	PORTS
--- a/Shorewall/init.sh
+++ b/Shorewall/init.sh
@@ -78,13 +78,13 @@ shift

 case "$command" in
    start)
-	exec /sbin/shorewall $OPTIONS start $STARTOPTIONS $@
+	exec /sbin/shorewall $OPTIONS start $STARTOPTIONS
 	;;
    restart|reload)
-	exec /sbin/shorewall $OPTIONS restart $RESTARTOPTIONS $@
+	exec /sbin/shorewall $OPTIONS restart $RESTARTOPTIONS
 	;;
    status|stop)
-	exec /sbin/shorewall $OPTIONS $command $@
+	exec /sbin/shorewall $OPTIONS $command
 	;;
    *)
 	usage
--- a/Shorewall/install.sh
+++ b/Shorewall/install.sh
@@ -92,6 +92,11 @@ install_file() # $1 = source $2 = target $3 = mode

 cd "$(dirname $0)"

+#
+# Load packager's settings if any
+#
+[ -f ../shorewall-pkg.config ] && . ../shorewall-pkg.config
+
 if [ -f shorewall ]; then
    PRODUCT=shorewall
    Product=Shorewall
@@ -105,26 +110,15 @@ fi
 #
 # Parse the run line
 #
-# DEST is the SysVInit script directory
-# INIT is the name of the script in the $DEST directory
 #
 T="-T"

-if [ -z "$DEST" ] ; then
-	DEST="/etc/init.d"
-fi
-
-if [ -z "$INIT" ] ; then
-	INIT="$PRODUCT"
-fi
-
 ANNOTATED=
-CYGWIN=
-MAC=
-MACHOST=
 MANDIR=${MANDIR:-"/usr/share/man"}
 SPARSE=
 INSTALLD='-D'
+INITFILE="$PRODUCT"
+
 [ -n "${LIBEXEC:=/usr/share}" ]
 [ -n "${PERLLIB:=/usr/share/shorewall}" ]

@@ -132,7 +126,8 @@ case "$LIBEXEC" in
    /*)
 	;;
    *)
-	LIBEXEC=/usr/${LIBEXEC}
+	echo "The LIBEXEC setting must be an absolute path name" >&2
+	exit 1
 	;;
 esac

@@ -140,33 +135,45 @@ case "$PERLLIB" in
    /*)
 	;;
    *)
-	PERLLIB=/usr/${PERLLIB}
+	echo "The PERLLIB setting must be an absolute path name" >&2
+	exit 1
 	;;
 esac

-case $(uname) in
-    CYGWIN*)
-	if [ -z "$DESTDIR" ]; then
-	    DEST=
-	    INIT=
-	fi
+if [ -z "$BUILD" ]; then
+    case $(uname) in
+	cygwin*)
+	    BUILD=cygwin
+	    ;;
+	Darwin)
+	    BUILD=apple
+	    ;;
+	*)
+	    if [ -f /etc/debian_version ]; then
+		BUILD=debian
+	    elif [ -f /etc/redhat-release ]; then
+		BUILD=redhat
+	    elif [ -f /etc/slackware-version ] ; then
+		BUILD=slackware
+	    elif [ -f /etc/SuSE-release ]; then
+		BUILD=suse
+	    elif [ -f /etc/arch-release ] ; then
+		BUILD=archlinux
+	    else
+		BUILD=linux
+	    fi
+	    ;;
+    esac
+fi

+case $BUILD in
+    cygwin*)
 	OWNER=$(id -un)
 	GROUP=$(id -gn)
-	CYGWIN=Yes
-	SPARSE=Yes
 	;;
-    Darwin)
-	if [ -z "$DESTDIR" ]; then
-	    DEST=
-	    INIT=
-	    SPARSE=Yes
-	fi
-
+    apple)
 	[ -z "$OWNER" ] && OWNER=root
 	[ -z "$GROUP" ] && GROUP=wheel
-	MAC=Yes
-	MACHOST=Yes
 	INSTALLD=
 	T=
 	;;
@@ -229,8 +236,64 @@ PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
 # Determine where to install the firewall script
 #

+if [ $PRODUCT = shorewall -a -z "${DESTDIR}" ]; then
+    #
+    # Verify that Perl is installed
+    #
+    if ! perl -c Perl/compiler.pl; then
+	echo "ERROR: $Product $VERSION requires Perl which either is not installed or is not able to compile the $Product perl code" >&2
+	echo "       Try perl -c $PWD/Perl/compiler.pl" >&2
+	exit 1
+    fi
+fi
+
+[ -n "$HOST" ] || HOST=$BUILD
+
+case "$HOST" in
+    cygwin)
+	echo "Installing Cygwin-specific configuration..."
+	INITFILE=
+	;;
+    apple)
+	echo "Installing Mac-specific configuration...";
+	INITFILE=
+	;;
+    debian)
+	echo "Installing Debian-specific configuration..."
+	SPARSE=yes
+	;;
+    redhat)
+	echo "Installing Redhat/Fedora-specific configuration..."
+	[ -n "$INITDIR" ]  || INITDIR="/etc/rc.d/init.d"
+	;;
+    suse)
+	echo "Installing SuSE-specific configuration...";
+	;;
+    slackware)
+	echo "Installing Slackware-specific configuration..."
+	[ -n "$INITDIR" ]  || INITDIR="/etc/rc.d"
+	[ -n "$MANDIR" ]   || MANDIR="/usr/man"
+	[ -n "$INITFILE" ] || INITFILE="rc.firewall"
+	;;
+    archlinux)
+	echo "Installing ArchLinux-specific configuration..."
+	[ -n "$INITDIR" ]  || INITDIR="/etc/rc.d"
+	[ -n "$INITFILE" ] || INITFILE="$PRODUCT"
+	;;
+    linux)
+	;;
+    *)
+	echo "ERROR: Unknown HOST \"$HOST\"" >&2
+	exit 1;
+	;;
+esac
+
+if [ -z "$INITDIR" -a -n "$INITFILE" ] ; then
+    INITDIR="/etc/init.d"
+fi
+
 if [ -n "$DESTDIR" ]; then
-    if [ -z "$CYGWIN" ]; then
+    if [ $BUILD != cygwin ]; then
 	if [ `id -u` != 0 ] ; then
 	    echo "Not setting file owner/group permissions, not running as root."
 	    OWNERSHIP=""
@@ -238,58 +301,20 @@ if [ -n "$DESTDIR" ]; then
    fi

    install -d $OWNERSHIP -m 755 ${DESTDIR}/sbin
-    install -d $OWNERSHIP -m 755 ${DESTDIR}${DEST}
-
-    CYGWIN=
-    MAC=
-else
-    if [ $PRODUCT = shorewall ]; then
-        #
-        # Verify that Perl is installed
-        #
-	if ! perl -c Perl/compiler.pl; then
-	    echo "ERROR: $Product $VERSION requires Perl which either is not installed or is not able to compile the $Product perl code" >&2
-	    echo "       Try perl -c $PWD/Perl/compiler.pl" >&2
-	    exit 1
-	fi
-    else
-	[ -x /usr/share/shorewall/compiler.pl ] || \
-	    { echo "   ERROR: Shorewall >= 4.3.5 is not installed" >&2; exit 1; }
-    fi
-
-    if [ -n "$CYGWIN" ]; then
-	echo "Installing Cygwin-specific configuration..."
-    elif [ -n "$MAC" ]; then
-	echo "Installing Mac-specific configuration..."
-    else
-	if [ -f /etc/debian_version ]; then
-	    echo "Installing Debian-specific configuration..."
-	    DEBIAN=yes
-	    SPARSE=yes
-	elif [ -f /etc/redhat-release ]; then
-	    echo "Installing Redhat/Fedora-specific configuration..."
-	    FEDORA=yes
-	elif [ -f /etc/slackware-version ] ; then
-	    echo "Installing Slackware-specific configuration..."
-	    DEST="/etc/rc.d"
-	    MANDIR="/usr/man"
-	    SLACKWARE=yes
-	    INIT="rc.firewall"
-	elif [ -f /etc/arch-release ] ; then
-	    echo "Installing ArchLinux-specific configuration..."
-	    DEST="/etc/rc.d"
-	    INIT="$PRODUCT"
-	    ARCHLINUX=yes
-	fi
-    fi
+    install -d $OWNERSHIP -m 755 ${DESTDIR}${INITDIR}
+elif [ $PRODUCT != shorewall ]; then
+    [ -x ${LIBEXEC}/shorewall/compiler.pl ] || \
+	{ echo "   ERROR: Shorewall >= 4.5.0 is not installed" >&2; exit 1; }
 fi

 if [ -z "$DESTDIR" ]; then
    if [ -f /lib/systemd/system ]; then
 	SYSTEMD=Yes
+	INITFILE=
    fi
 elif [ -n "$SYSTEMD" ]; then
    mkdir -p ${DESTDIR}/lib/systemd/system
+    INITFILE=
 fi

 echo "Installing $Product Version $VERSION"
@@ -308,7 +333,7 @@ if [ -z "${DESTDIR}" -a $PRODUCT = shorewall -a ! -f /usr/share/$PRODUCT/corever
    exit 1
 fi

-if [ -z "$CYGWIN" ]; then
+if [ $HOST != cygwin ]; then
   install_file $PRODUCT ${DESTDIR}/sbin/$PRODUCT 0755
   echo "$PRODUCT control program installed in ${DESTDIR}/sbin/$PRODUCT"
 else
@@ -319,20 +344,27 @@ fi
 #
 # Install the Firewall Script
 #
-if [ -n "$DEBIAN" ]; then
-    install_file init.debian.sh ${DESTDIR}/etc/init.d/$PRODUCT 0544
-elif [ -n "$FEDORA" ]; then
-    install_file init.fedora.sh ${DESTDIR}/etc/init.d/$PRODUCT 0544
-elif [ -n "$ARCHLINUX" ]; then
-    install_file init.archlinux.sh ${DESTDIR}${DEST}/$INIT 0544
-elif [ -n "$SLACKWARE" -a $PRODUCT = shorewall ]; then
-	install_file init.slackware.firewall.sh ${DESTDIR}${DEST}/rc.firewall 0644
-	install_file init.slackware.$PRODUCT.sh ${DESTDIR}${DEST}/rc.$PRODUCT 0644
-elif [ -n "$INIT" ]; then
-    install_file init.sh ${DESTDIR}${DEST}/$INIT 0544
-fi
+if [ -n "$INITFILE" ]; then
+    case $HOST in
+	debian)
+	    install_file init.debian.sh ${DESTDIR}${INITDIR}/${INITFILE} 0544
+	    ;;
+	redhat)
+	    install_file init.fedora.sh ${DESTDIR}${INITDIR}/${INITFILE} 0544
+	    ;;
+	slackware)
+            if [ $PRODUCT = shorewall ]; then
+		install_file init.slackware.firewall.sh ${DESTDIR}${DEST}/rc.firewall 0644
+		install_file init.slackware.$PRODUCT.sh ${DESTDIR}${DEST}/rc.$PRODUCT 0644
+	    fi
+	    ;;
+	*)
+	    install_file init.sh ${DESTDIR}${INITDIR}/$INITFILE 0544
+	    ;;
+    esac

-[ -n "$INIT" ] && echo  "$Product script installed in ${DESTDIR}${DEST}/$INIT"
+    echo  "$Product script installed in ${DESTDIR}${INITDIR}/$INITFILE"
+fi

 #
 # Create /etc/$PRODUCT and /var/lib/$PRODUCT if needed
@@ -427,7 +459,7 @@ run_install $OWNERSHIP -m 0644 $PRODUCT.conf.annotated ${DESTDIR}/usr/share/$PRO
 if [ ! -f ${DESTDIR}/etc/$PRODUCT/$PRODUCT.conf ]; then
   run_install $OWNERSHIP -m 0644 $PRODUCT.conf${suffix} ${DESTDIR}/etc/$PRODUCT/$PRODUCT.conf

-   if [ -n "$DEBIAN" ] && mywhich perl; then
+   if [ $HOST = debian ] && mywhich perl; then
       #
       # Make a Debian-like $PRODUCT.conf
       #
@@ -438,7 +470,7 @@ if [ ! -f ${DESTDIR}/etc/$PRODUCT/$PRODUCT.conf ]; then
 fi


-if [ -n "$ARCHLINUX" ] ; then
+if [ $HOST = archlinux ] ; then
   sed -e 's!LOGFILE=/var/log/messages!LOGFILE=/var/log/messages.log!' -i ${DESTDIR}/etc/$PRODUCT/$PRODUCT.conf
 fi

@@ -582,7 +614,7 @@ run_install $OWNERSHIP -m 0644 maclist.annotated ${DESTDIR}/usr/share/$PRODUCT/c

 if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/$PRODUCT/maclist ]; then
    run_install $OWNERSHIP -m 0600 maclist${suffix} ${DESTDIR}/etc/$PRODUCT/maclist
-    echo "MAC list file installed as ${DESTDIR}/etc/$PRODUCT/maclist"
+    echo "mac list file installed as ${DESTDIR}/etc/$PRODUCT/maclist"
 fi

 if [ -f masq ]; then
@@ -888,11 +920,6 @@ fi
 # Install the Isusable file
 #
 run_install $OWNERSHIP -m 0644 isusable ${DESTDIR}/usr/share/$PRODUCT/configfiles/isusable
-
-if [ -z "$SPARSE" -a ! -f ${DESTDIR}/etc/$PRODUCT/isusable ]; then
-    run_install $OWNERSHIP -m 0600 isusable ${DESTDIR}/etc/$PRODUCT/isusable
-    echo "Isusable file installed as ${DESTDIR}/etc/$PRODUCT/isusable"
-fi
 #
 # Install the Refresh file
 #
@@ -1048,7 +1075,7 @@ chmod 644 ${DESTDIR}/usr/share/$PRODUCT/version

 if [ -z "$DESTDIR" ]; then
    rm -f /usr/share/$PRODUCT/init
-    ln -s ${DEST}/${INIT} /usr/share/$PRODUCT/init
+    ln -s ${INITDIR}/${INITFILE} /usr/share/$PRODUCT/init
 fi

 #
@@ -1080,8 +1107,8 @@ if [ -d ${DESTDIR}/etc/logrotate.d ]; then
    echo "Logrotate file installed as ${DESTDIR}/etc/logrotate.d/$PRODUCT"
 fi

-if [ -z "$DESTDIR" -a -n "$first_install" -a -z "${CYGWIN}${MAC}" ]; then
-    if [ -n "$DEBIAN" ]; then
+if [ -z "$DESTDIR" -a -n "$first_install" -a -z "${cygwin}${mac}" ]; then
+    if [ $HOST = debian ]; then
 	run_install $OWNERSHIP -m 0644 default.debian /etc/default/$PRODUCT

 	update-rc.d $PRODUCT defaults
@@ -1117,7 +1144,7 @@ if [ -z "$DESTDIR" -a -n "$first_install" -a -z "${CYGWIN}${MAC}" ]; then
 	    else
 		cant_autostart
 	    fi
-	elif [ "$INIT" != rc.firewall ]; then #Slackware starts this automatically
+	elif [ "$INITFILE" != rc.f ]; then #Slackware starts this automatically
 	    cant_autostart
 	fi
    fi
--- a/Shorewall/lib.cli-std
+++ b/Shorewall/lib.cli-std
@@ -239,7 +239,7 @@ get_config() {
 	LOG_VERBOSITY=-1
    fi

-    if [ -n "$SHOREWALL_SHELL" ]; then
+    if [ -n "$SHOREWALL_SHELL" -a -z "$g_export" ]; then
 	if [ ! -x "$SHOREWALL_SHELL" ]; then
 	    echo "   WARNING: The program specified in SHOREWALL_SHELL does not exist or is not executable; falling back to /bin/sh" >&2
 	    SHOREWALL_SHELL=/bin/sh
--- a/Shorewall/lib.core
+++ b/Shorewall/lib.core
@@ -510,6 +510,20 @@ debug_restore_input() {
 	qt1 $g_tool -t raw -P $chain ACCEPT
    done

+    qt1 $g_tool -t rawpost -F
+    qt1 $g_tool -t rawpost    -X
+
+    for chain in POSTROUTING; do
+	qt1 $g_tool -t rawpost -P $chain ACCEPT
+    done
+
+    qt1 $g_tool -t nat    -F
+    qt1 $g_tool -t nat    -X
+
+    for chain in PREROUTING POSTROUTING; do
+        qt1 $g_tool -t nat -P $chain ACCEPT
+    done
+
    qt1 $g_tool -t filter -F
    qt1 $g_tool -t filter -X

--- a/Shorewall/manpages/shorewall-accounting.xml
+++ b/Shorewall/manpages/shorewall-accounting.xml
@@ -75,12 +75,9 @@

    <itemizedlist>
      <listitem>
-        <para>A jump to a user-defined accounting chain before entries that
-        add rules to that chain.</para>
-      </listitem>
-
-      <listitem>
-        <para>This eliminates loops and unreferenced chains.</para>
+        <para>A jump to a user-defined accounting chain must appear before
+        entries that add rules to that chain. This eliminates loops and
+        unreferenced chains.</para>
      </listitem>

      <listitem>
--- a/Shorewall/manpages/shorewall-hosts.xml
+++ b/Shorewall/manpages/shorewall-hosts.xml
@@ -118,32 +118,6 @@
          must have no embedded white space.</para>

          <variablelist>
-            <varlistentry>
-              <term><emphasis role="bold">maclist</emphasis></term>
-
-              <listitem>
-                <para>Connection requests from these hosts are compared
-                against the contents of <ulink
-                url="shorewall-maclist.html">shorewall-maclist</ulink>(5). If
-                this option is specified, the interface must be an ethernet
-                NIC or equivalent and must be up before Shorewall is
-                started.</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><emphasis role="bold">routeback</emphasis></term>
-
-              <listitem>
-                <para>Shorewall should set up the infrastructure to pass
-                packets from this/these address(es) back to themselves. This
-                is necessary if hosts in this group use the services of a
-                transparent proxy that is a member of the group or if DNAT is
-                used to send requests originating from this group to a server
-                in the group.</para>
-              </listitem>
-            </varlistentry>
-
            <varlistentry>
              <term><emphasis role="bold">blacklist</emphasis></term>

@@ -154,48 +128,6 @@
              </listitem>
            </varlistentry>

-            <varlistentry>
-              <term><emphasis role="bold">tcpflags</emphasis></term>
-
-              <listitem>
-                <para>Packets arriving from these hosts are checked for
-                certain illegal combinations of TCP flags. Packets found to
-                have such a combination of flags are handled according to the
-                setting of TCP_FLAGS_DISPOSITION after having been logged
-                according to the setting of TCP_FLAGS_LOG_LEVEL.</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><emphasis role="bold">nosmurfs</emphasis></term>
-
-              <listitem>
-                <para>This option only makes sense for ports on a
-                bridge.</para>
-
-                <para>Filter packets for smurfs (packets with a broadcast
-                address as the source).</para>
-
-                <para>Smurfs will be optionally logged based on the setting of
-                SMURF_LOG_LEVEL in <ulink
-                url="shorewall.conf.html">shorewall.conf</ulink>(5). After
-                logging, the packets are dropped.</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><emphasis role="bold">ipsec</emphasis></term>
-
-              <listitem>
-                <para>The zone is accessed via a kernel 2.6 ipsec SA. Note
-                that if the zone named in the ZONE column is specified as an
-                IPSEC zone in the <ulink
-                url="shorewall-zones.html">shorewall-zones</ulink>(5) file
-                then you do NOT need to specify the 'ipsec' option
-                here.</para>
-              </listitem>
-            </varlistentry>
-
            <varlistentry>
              <term><emphasis role="bold">broadcast</emphasis></term>

@@ -229,6 +161,86 @@
                net(s).</para>
              </listitem>
            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis role="bold">ipsec</emphasis></term>
+
+              <listitem>
+                <para>The zone is accessed via a kernel 2.6 ipsec SA. Note
+                that if the zone named in the ZONE column is specified as an
+                IPSEC zone in the <ulink
+                url="shorewall-zones.html">shorewall-zones</ulink>(5) file
+                then you do NOT need to specify the 'ipsec' option
+                here.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis role="bold">maclist</emphasis></term>
+
+              <listitem>
+                <para>Connection requests from these hosts are compared
+                against the contents of <ulink
+                url="shorewall-maclist.html">shorewall-maclist</ulink>(5). If
+                this option is specified, the interface must be an ethernet
+                NIC or equivalent and must be up before Shorewall is
+                started.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis
+              role="bold">mss</emphasis>=<replaceable>mss</replaceable></term>
+
+              <listitem>
+                <para>Added in Shorewall 4.5.2. When present, causes the TCP
+                mss for new connections to/from the hosts given in the HOST(S)
+                column to be clamped at the specified
+                <replaceable>mss</replaceable>.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis role="bold">nosmurfs</emphasis></term>
+
+              <listitem>
+                <para>This option only makes sense for ports on a
+                bridge.</para>
+
+                <para>Filter packets for smurfs (packets with a broadcast
+                address as the source).</para>
+
+                <para>Smurfs will be optionally logged based on the setting of
+                SMURF_LOG_LEVEL in <ulink
+                url="shorewall.conf.html">shorewall.conf</ulink>(5). After
+                logging, the packets are dropped.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis role="bold">routeback</emphasis></term>
+
+              <listitem>
+                <para>Shorewall should set up the infrastructure to pass
+                packets from this/these address(es) back to themselves. This
+                is necessary if hosts in this group use the services of a
+                transparent proxy that is a member of the group or if DNAT is
+                used to send requests originating from this group to a server
+                in the group.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis role="bold">tcpflags</emphasis></term>
+
+              <listitem>
+                <para>Packets arriving from these hosts are checked for
+                certain illegal combinations of TCP flags. Packets found to
+                have such a combination of flags are handled according to the
+                setting of TCP_FLAGS_DISPOSITION after having been logged
+                according to the setting of TCP_FLAGS_LOG_LEVEL.</para>
+              </listitem>
+            </varlistentry>
          </variablelist>
        </listitem>
      </varlistentry>
--- a/Shorewall/manpages/shorewall-masq.xml
+++ b/Shorewall/manpages/shorewall-masq.xml
@@ -35,8 +35,8 @@
      <para>If you have more than one ISP link, adding entries to this file
      will <emphasis role="bold">not</emphasis> force connections to go out
      through a particular link. You must use entries in <ulink
-      url="shorewall-rtrules.html">shorewall-rtrules</ulink>(5) or
-      PREROUTING entries in <ulink
+      url="shorewall-rtrules.html">shorewall-rtrules</ulink>(5) or PREROUTING
+      entries in <ulink
      url="shorewall-tcrules.html">shorewall-tcrules</ulink>(5) to do
      that.</para>
    </warning>
@@ -88,7 +88,8 @@
          addresses to indicate that you only want to change the source IP
          address for packets being sent to those particular destinations.
          Exclusion is allowed (see <ulink
-          url="shorewall-exclusion.html">shorewall-exclusion</ulink>(5)).</para>
+          url="shorewall-exclusion.html">shorewall-exclusion</ulink>(5)) as
+          are ipset names preceded by a plus sign '+';</para>

          <para>If you wish to inhibit the action of ADD_SNAT_ALIASES for this
          entry then include the ":" but omit the digit:</para>
@@ -149,6 +150,10 @@

          <para>In that example traffic from eth1 would be masqueraded unless
          it came from 192.168.1.4 or 196.168.32.0/27</para>
+
+          <para>The preferred way to specify the SOURCE is to supply one or
+          more host or network addresses separated by comma. You may use ipset
+          names preceded by a plus sign (+) to specify a set of hosts.</para>
        </listitem>
      </varlistentry>

@@ -467,6 +472,43 @@
          </variablelist>
        </listitem>
      </varlistentry>
+
+      <varlistentry>
+        <term><emphasis role="bold">SWITCH -
+        [!]<replaceable>switch-name</replaceable></emphasis></term>
+
+        <listitem>
+          <para>Added in Shorewall 4.5.1 and allows enabling and disabling the
+          rule without requiring <command>shorewall restart</command>.</para>
+
+          <para>The rule is enabled if the value stored in
+          <filename>/proc/net/nf_condition/<replaceable>switch-name</replaceable></filename>
+          is 1. The rule is disabled if that file contains 0 (the default). If
+          '!' is supplied, the test is inverted such that the rule is enabled
+          if the file contains 0. <replaceable>switch-name</replaceable> must
+          begin with a letter and be composed of letters, decimal digits,
+          underscores or hyphens. Switch names must be 30 characters or less
+          in length.</para>
+
+          <para>Switches are normally <emphasis role="bold">off</emphasis>. To
+          turn a switch <emphasis role="bold">on</emphasis>:</para>
+
+          <simplelist>
+            <member><command>echo 1 &gt;
+            /proc/net/nf_condition/<replaceable>switch-name</replaceable></command></member>
+          </simplelist>
+
+          <para>To turn it <emphasis role="bold">off</emphasis> again:</para>
+
+          <simplelist>
+            <member><command>echo 0 &gt;
+            /proc/net/nf_condition/<replaceable>switch-name</replaceable></command></member>
+          </simplelist>
+
+          <para>Switch settings are retained over <command>shorewall
+          restart</command>.</para>
+        </listitem>
+      </varlistentry>
    </variablelist>
  </refsect1>

@@ -548,6 +590,19 @@
          </warning>
        </listitem>
      </varlistentry>
+
+      <varlistentry>
+        <term>Example 6:</term>
+
+        <listitem>
+          <para>Connections leaving on eth0 and destined to any host defined
+          in the ipset <emphasis>myset</emphasis> should have the source IP
+          address changed to 206.124.146.177.</para>
+
+          <programlisting>        #INTERFACE              SOURCE          ADDRESS
+        eth0:+myset[dst]        -               206.124.146.177</programlisting>
+        </listitem>
+      </varlistentry>
    </variablelist>
  </refsect1>

--- a/Shorewall/manpages/shorewall-params.xml
+++ b/Shorewall/manpages/shorewall-params.xml
@@ -23,7 +23,11 @@
  <refsect1>
    <title>Description</title>

-    <para>Assign any shell variables that you need in this file.</para>
+    <para>Assign any shell variables that you need in this file. The file is
+    always processed by <filename>/bin/sh</filename> or by the shell specified
+    through SHOREWALL_SHELL in <ulink
+    url="shorewall.conf.html">shorewall.conf</ulink> (5) so the full range of
+    shell capabilities may be used.</para>

    <para>It is suggested that variable names begin with an upper case letter
    to distinguish them from variables used internally within the Shorewall
@@ -128,12 +132,13 @@ net     eth0            130.252.100.255 routefilter,norfc1918</programlisting>
    url="http://www.shorewall.net/configuration_file_basics.htm#Variables?">http://www.shorewall.net/configuration_file_basics.htm#Variables</ulink></para>

    <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
-    shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5), shorewall-ipsets(5),
-    shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5),
-    shorewall-netmap(5), shorewall-policy(5), shorewall-providers(5),
-    shorewall-proxyarp(5), shorewall-rtrules(5),
-    shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5), shorewall-secmarks(5),
-    shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall-tcrules(5),
-    shorewall-tos(5), shorewall-tunnels(5), shorewall-zones(5)</para>
+    shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5),
+    shorewall-ipsets(5), shorewall-maclist(5), shorewall-masq(5),
+    shorewall-nat(5), shorewall-netmap(5), shorewall-policy(5),
+    shorewall-providers(5), shorewall-proxyarp(5), shorewall-rtrules(5),
+    shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5),
+    shorewall-secmarks(5), shorewall-tcclasses(5), shorewall-tcdevices(5),
+    shorewall-tcrules(5), shorewall-tos(5), shorewall-tunnels(5),
+    shorewall-zones(5)</para>
  </refsect1>
 </refentry>
--- a/Shorewall/manpages/shorewall-tcrules.xml
+++ b/Shorewall/manpages/shorewall-tcrules.xml
@@ -44,7 +44,7 @@

    <variablelist>
      <varlistentry>
-        <term><emphasis role="bold">MARK/CLASSIFY</emphasis> (mark) -
+        <term><emphasis role="bold">ACTION</emphasis> (mark) -
        <replaceable>mark</replaceable></term>

        <listitem>
@@ -271,8 +271,8 @@
              target allows you to work around that problem. SAME may be used
              in the PREROUTING and OUTPUT chains. When used in PREROUTING, it
              causes matching connections from an individual local system to
-              all use the same provider. For example: <programlisting>#MARK/            SOURCE         DEST         PROTO      DEST
-#CLASSIFY                                                PORT(S)
+              all use the same provider. For example: <programlisting>#ACTION           SOURCE         DEST         PROTO      DEST
+#                                                        PORT(S)
 SAME:P            192.168.1.0/24 0.0.0.0/0    tcp        80,443</programlisting>
              If a host in 192.168.1.0/24 attempts a connection on TCP port 80
              or 443 and it has sent a packet on either of those ports in the
@@ -282,8 +282,8 @@ SAME:P            192.168.1.0/24 0.0.0.0/0    tcp        80,443</programlisting>

              <para>When used in the OUTPUT chain, it causes all matching
              connections to an individual remote system to all use the same
-              provider. For example:<programlisting>#MARK/            SOURCE         DEST         PROTO      DEST
-#CLASSIFY                                                PORT(S)
+              provider. For example:<programlisting>#ACTION           SOURCE         DEST         PROTO      DEST
+#                                                        PORT(S)
 SAME              $FW            0.0.0.0/0    tcp        80,443</programlisting>
              If the firewall attempts a connection on TCP port 80 or 443 and
              it has sent a packet on either of those ports in the last five
@@ -468,6 +468,112 @@ SAME              $FW            0.0.0.0/0    tcp        80,443</programlisting>
              <replaceable>number</replaceable>. Requires IMQ Target support
              in your kernel and iptables.</para>
            </listitem>
+
+            <listitem>
+              <para><emphasis
+              role="bold">DSCP</emphasis>(<replaceable>dscp</replaceable>)</para>
+
+              <para>Added in Shorewall 4.5.1. Sets the
+              <firstterm>Differentiated Services Code Point</firstterm> field
+              in the IP header. The <replaceable>dscp</replaceable> value may
+              be given as an even number (hex or decimal) or as the name of a
+              DSCP class. Valid class names and their associated hex numeric
+              values are:</para>
+
+              <programlisting>    CS0  =&gt; 0x00
+    CS1  =&gt; 0x08
+    CS2  =&gt; 0x10
+    CS3  =&gt; 0x18
+    CS4  =&gt; 0x20
+    CS5  =&gt; 0x28
+    CS6  =&gt; 0x30
+    CS7  =&gt; 0x38
+    BE   =&gt; 0x00
+    AF11 =&gt; 0x0a
+    AF12 =&gt; 0x0c
+    AF13 =&gt; 0x0e
+    AF21 =&gt; 0x12
+    AF22 =&gt; 0x14
+    AF23 =&gt; 0x16
+    AF31 =&gt; 0x1a
+    AF32 =&gt; 0x1c
+    AF33 =&gt; 0x1e
+    AF41 =&gt; 0x22
+    AF42 =&gt; 0x24
+    AF43 =&gt; 0x26
+    EF   =&gt; 0x2e</programlisting>
+
+              <para>May be optionally followed by ':' and a capital letter
+              designating the chain where classification is to occur.</para>
+
+              <variablelist>
+                <varlistentry>
+                  <term>F</term>
+
+                  <listitem>
+                    <para>FORWARD chain.</para>
+                  </listitem>
+                </varlistentry>
+
+                <varlistentry>
+                  <term>T</term>
+
+                  <listitem>
+                    <para>POSTROUTING chain (default).</para>
+                  </listitem>
+                </varlistentry>
+              </variablelist>
+            </listitem>
+
+            <listitem>
+              <para><emphasis
+              role="bold">TOS</emphasis>(<replaceable>tos</replaceable>[/<replaceable>mask</replaceable>])</para>
+
+              <para>Added in Shorewall 4.5.1. Sets the <firstterm>Type of
+              Service</firstterm> field in the IP header. The
+              <replaceable>tos</replaceable> value may be given as an number
+              (hex or decimal) or as the name of a TOS type. Valid type names
+              and their associated hex numeric values are:</para>
+
+              <programlisting>Minimize-Delay       =&gt; 0x10,
+Maximize-Throughput  =&gt; 0x08,
+Maximize-Reliability =&gt; 0x04,
+Minimize-Cost        =&gt; 0x02,
+Normal-Service       =&gt; 0x00</programlisting>
+
+              <para>When <replaceable>tos</replaceable> is given as a number,
+              it may be optionally followed by '/' and a
+              <replaceable>mask</replaceable>. When no
+              <replaceable>mask</replaceable> is given, the value 0xff is
+              assumed. When <replaceable>tos</replaceable> is given as a type
+              name, the <replaceable>mask</replaceable> 0x3f is
+              assumed.</para>
+
+              <para>The action performed is to zero out the bits specified by
+              the <replaceable>mask</replaceable>, then set the bits specified
+              by <replaceable>tos</replaceable>.</para>
+
+              <para>May be optionally followed by ':' and a capital letter
+              designating the chain where classification is to occur.</para>
+
+              <variablelist>
+                <varlistentry>
+                  <term>F</term>
+
+                  <listitem>
+                    <para>FORWARD chain.</para>
+                  </listitem>
+                </varlistentry>
+
+                <varlistentry>
+                  <term>T</term>
+
+                  <listitem>
+                    <para>POSTROUTING chain (default).</para>
+                  </listitem>
+                </varlistentry>
+              </variablelist>
+            </listitem>
          </orderedlist>
        </listitem>
      </varlistentry>
@@ -494,7 +600,7 @@ SAME              $FW            0.0.0.0/0    tcp        80,443</programlisting>
              MAC addresses. <emphasis role="bold">This form will not match
              traffic that originates on the firewall itself unless either
              &lt;major&gt;&lt;minor&gt; or the :T chain qualifier is used in
-              the MARK column.</emphasis></para>
+              the ACTION column.</emphasis></para>

              <para>Examples:<simplelist>
                  <member>0.0.0.0/0</member>
@@ -516,7 +622,7 @@ SAME              $FW            0.0.0.0/0    tcp        80,443</programlisting>
              <para>$FW optionally followed by a colon (":") and a
              comma-separated list of host or network IP addresses. Matches
              packets originating on the firewall. May not be used with a
-              chain qualifier (:P, :F, etc.) in the MARK column.</para>
+              chain qualifier (:P, :F, etc.) in the ACTION column.</para>
            </listitem>
          </orderedlist>

@@ -832,15 +938,15 @@ SAME              $FW            0.0.0.0/0    tcp        80,443</programlisting>
          original connection was made on.</para>

          <para>Example: Mark all FTP data connections with mark
-          4:<programlisting>#MARK/    SOURCE    DEST      PROTO   PORT(S)    SOURCE  USER TEST LENGTH TOS CONNBYTES HELPER
-#CLASSIFY                                        PORT(S)
+          4:<programlisting>#ACTION   SOURCE    DEST      PROTO   PORT(S)    SOURCE  USER TEST LENGTH TOS CONNBYTES HELPER
+#                                                PORT(S)
 4:T       0.0.0.0/0 0.0.0.0/0 TCP     -          -       -    -    -      -   -         ftp</programlisting></para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term><emphasis role="bold">PROBABILITY</emphasis> -
-        [probability]</term>
+        [<replaceable>probability</replaceable>]</term>

        <listitem>
          <para>Added in Shorewall 4.5.0. When non-empty, requires the
@@ -852,6 +958,44 @@ SAME              $FW            0.0.0.0/0    tcp        80,443</programlisting>
          at up to 8 decimal points of precision.</para>
        </listitem>
      </varlistentry>
+
+      <varlistentry>
+        <term><emphasis role="bold">DSCP -</emphasis>
+        [[!]<replaceable>dscp</replaceable>]</term>
+
+        <listitem>
+          <para>Added in Shorewall 4.5.1. When non-empty, match packets whose
+          <firstterm>Differentiated Service Code Point</firstterm> field
+          matches the supplied value (when '!' is given, the rule matches
+          packets whose DSCP field does not match the supplied value). The
+          <replaceable>dscp</replaceable> value may be given as an even number
+          (hex or decimal) or as the name of a DSCP class. Valid class names
+          and their associated hex numeric values are:</para>
+
+          <programlisting>    CS0  =&gt; 0x00
+    CS1  =&gt; 0x08
+    CS2  =&gt; 0x10
+    CS3  =&gt; 0x18
+    CS4  =&gt; 0x20
+    CS5  =&gt; 0x28
+    CS6  =&gt; 0x30
+    CS7  =&gt; 0x38
+    BE   =&gt; 0x00
+    AF11 =&gt; 0x0a
+    AF12 =&gt; 0x0c
+    AF13 =&gt; 0x0e
+    AF21 =&gt; 0x12
+    AF22 =&gt; 0x14
+    AF23 =&gt; 0x16
+    AF31 =&gt; 0x1a
+    AF32 =&gt; 0x1c
+    AF33 =&gt; 0x1e
+    AF41 =&gt; 0x22
+    AF42 =&gt; 0x24
+    AF43 =&gt; 0x26
+    EF   =&gt; 0x2e</programlisting>
+        </listitem>
+      </varlistentry>
    </variablelist>
  </refsect1>

@@ -873,8 +1017,8 @@ SAME              $FW            0.0.0.0/0    tcp        80,443</programlisting>

          <para>We assume packet/connection mark 0 means unclassified.</para>

-          <programlisting>       #MARK/     SOURCE    DEST         PROTO   PORT(S)       SOURCE  USER    TEST
-       #CLASSIFY                                               PORT(S)
+          <programlisting>       #ACTION    SOURCE    DEST         PROTO   PORT(S)       SOURCE  USER    TEST
+       #                                                       PORT(S)
       1:T        0.0.0.0/0 0.0.0.0/0    icmp    echo-request
       1:T        0.0.0.0/0 0.0.0.0/0    icmp    echo-reply
       RESTORE:T  0.0.0.0/0 0.0.0.0/0    all     -             -       -       0
--- a/Shorewall/manpages/shorewall-tos.xml
+++ b/Shorewall/manpages/shorewall-tos.xml
@@ -23,7 +23,9 @@
  <refsect1>
    <title>Description</title>

-    <para>This file defines rules for setting Type Of Service (TOS)</para>
+    <para>This file defines rules for setting Type Of Service (TOS). Its use
+    is deprecated, beginning in Shorewall 4.5.1, in favor of the TOS target in
+    <ulink url="shorewall-tcrules.html">shorewall-tcrules</ulink> (5).</para>

    <para>The columns in the file are as follows (where the column name is
    followed by a different name in parentheses, the different name is used in
--- a/Shorewall/manpages/shorewall.conf.xml
+++ b/Shorewall/manpages/shorewall.conf.xml
@@ -848,6 +848,29 @@ net     all  DROP   info</programlisting>then the chain name is 'net2all'
        </listitem>
      </varlistentry>

+      <varlistentry>
+        <term><emphasis role="bold">IPSET_WARNINGS=</emphasis>{<emphasis
+        role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>}</term>
+
+        <listitem>
+          <para>Added in Shorewall 4.5.2. Default is Yes. When set, causes the
+          rules compiler to issue a warning when:</para>
+
+          <itemizedlist>
+            <listitem>
+              <para>The compiler is being run by root and an ipset specified
+              in the configuration does not exists. Only one warning is issued
+              for each missing ipset.</para>
+            </listitem>
+
+            <listitem>
+              <para>When [src] is specified in a destination column and when
+              [dst] is specified in a source column.</para>
+            </listitem>
+          </itemizedlist>
+        </listitem>
+      </varlistentry>
+
      <varlistentry>
        <term><emphasis
        role="bold">IPTABLES=</emphasis>[<emphasis>pathname</emphasis>]</term>
@@ -2092,14 +2115,14 @@ net     all  DROP   info</programlisting>then the chain name is 'net2all'
          tcrules. This was done so that tcrules could reset the packet mark
          to zero, thus allowing the packet to be routed using the 'main'
          routing table. Using the main table allowed dynamic routes (such as
-          those added for VPNs) to be effective. The rtrules file was
-          created to provide a better alternative to clearing the packet mark.
-          As a consequence, passing these packets to PREROUTING complicates
-          things without providing any real benefit. Beginning with Shorewall
-          4.4.6, when TRACK_PROVIDERS=Yes and TC_EXPERT=No, packets arriving
-          through 'tracked' interfaces will not be passed to the PREROUTING
-          rules. Since TRACK_PROVIDERS was just introduced in 4.4.3, this
-          change should be transparent to most, if not all, users.</para>
+          those added for VPNs) to be effective. The rtrules file was created
+          to provide a better alternative to clearing the packet mark. As a
+          consequence, passing these packets to PREROUTING complicates things
+          without providing any real benefit. Beginning with Shorewall 4.4.6,
+          when TRACK_PROVIDERS=Yes and TC_EXPERT=No, packets arriving through
+          'tracked' interfaces will not be passed to the PREROUTING rules.
+          Since TRACK_PROVIDERS was just introduced in 4.4.3, this change
+          should be transparent to most, if not all, users.</para>
        </listitem>
      </varlistentry>

--- a/Shorewall/manpages/shorewall.xml
+++ b/Shorewall/manpages/shorewall.xml
@@ -1243,7 +1243,7 @@
          directory is given, then Shorewall will look in that directory first
          when opening configuration files.</para>

-          <para>Begining with Shorewall 4.5.0, you may specify a different
+          <para>Beginning with Shorewall 4.5.0, you may specify a different
          <replaceable>timeout</replaceable> value using the
          <option>-t</option> option. The numeric
          <replaceable>timeout</replaceable> may optionally be followed by an
@@ -1265,7 +1265,7 @@
          Shorewall will look in that directory first when opening
          configuration files.</para>

-          <para>Begining with Shorewall 4.5.0, you may specify a different
+          <para>Beginning with Shorewall 4.5.0, you may specify a different
          <replaceable>timeout</replaceable> value using the
          <option>-t</option> option. The numeric
          <replaceable>timeout</replaceable> may optionally be followed by an
@@ -1600,7 +1600,7 @@
          role="bold">restore</emphasis> is performed after
          <replaceable>timeout</replaceable> seconds.</para>

-          <para>Begining with Shorewall 4.5.0, the numeric
+          <para>Beginning with Shorewall 4.5.0, the numeric
          <replaceable>timeout</replaceable> may optionally be followed by an
          <option>s</option>, <option>m</option> or <option>h</option> suffix
          (e.g., 5m) to specify seconds, minutes or hours respectively. If the
--- a/Shorewall/uninstall.sh
+++ b/Shorewall/uninstall.sh
@@ -112,7 +112,7 @@ rm -rf /etc/shorewall
 rm -rf /etc/shorewall-*.bkout
 rm -rf /var/lib/shorewall
 rm -rf /var/lib/shorewall-*.bkout
-rm -rf $PERLLIB}/Shorewall/*
+rm -rf ${PERLLIB}/Shorewall/*
 rm -rf ${LIBEXEC}/shorewall
 rm -rf /usr/share/shorewall/configfiles/
 rm -rf /usr/share/shorewall/Samples/
--- a/Shorewall6-lite/Makefile
+++ b/Shorewall6-lite/Makefile
@@ -12,7 +12,7 @@ $(VARDIR)/${RESTOREFILE}: $(VARDIR)/firewall
 	then \
 	    /sbin/shorewall6-lite -q save >/dev/null; \
 	else \
-	    /sbin/shorewall6-lite -q restart 2>&1 | tail >&2; \
+	    /sbin/shorewall6-lite -q restart 2>&1 | tail >&2; exit 1; \
 	fi

 # EOF
--- a/Shorewall6-lite/init.sh
+++ b/Shorewall6-lite/init.sh
@@ -76,10 +76,10 @@ command="$1"

 case "$command" in
    start)
-	exec /sbin/shorewall6-lite $OPTIONS start $STARTOPTIONS $@
+	exec /sbin/shorewall6-lite $OPTIONS start $STARTOPTIONS
 	;;
    restart|reload)
-	exec /sbin/shorewall6-lite $OPTIONS restart $RESTARTOPTIONS $@
+	exec /sbin/shorewall6-lite $OPTIONS restart $RESTARTOPTIONS
 	;;
    status|stop)
 	exec /sbin/shorewall6-lite $OPTIONS $command $@
--- a/Shorewall6/Makefile
+++ b/Shorewall6/Makefile
@@ -2,6 +2,7 @@
 VARDIR=$(shell /sbin/shorewall6 show vardir)
 CONFDIR=/etc/shorewall6
 RESTOREFILE?=firewall
+
 all: $(VARDIR)/${RESTOREFILE}

 $(VARDIR)/${RESTOREFILE}: $(CONFDIR)/*
@@ -11,11 +12,12 @@ $(VARDIR)/${RESTOREFILE}: $(CONFDIR)/*
 	then \
 	    /sbin/shorewall6 -q save >/dev/null; \
 	else \
-	    /sbin/shorewall6 -q restart 2>&1 | tail >&2; \
+	    /sbin/shorewall6 -q restart 2>&1 | tail >&2; exit 1; \
 	fi

 clean:
 	@rm -f $(CONFDIR)/*~ $(CONFDIR)/.*~
+
 .PHONY: clean

 # EOF
--- a/Shorewall6/Samples6/Universal/shorewall6.conf
+++ b/Shorewall6/Samples6/Universal/shorewall6.conf
@@ -129,6 +129,8 @@ FORWARD_CLEAR_MARK=

 IMPLICIT_CONTINUE=No

+IPSET_WARNINGS=Yes
+
 IP_FORWARDING=Off

 KEEP_RT_TABLES=Yes
--- a/Shorewall6/Samples6/one-interface/shorewall6.conf
+++ b/Shorewall6/Samples6/one-interface/shorewall6.conf
@@ -129,6 +129,8 @@ FORWARD_CLEAR_MARK=

 IMPLICIT_CONTINUE=No

+IPSET_WARNINGS=Yes
+
 IP_FORWARDING=Off

 KEEP_RT_TABLES=Yes
--- a/Shorewall6/Samples6/three-interfaces/shorewall6.conf
+++ b/Shorewall6/Samples6/three-interfaces/shorewall6.conf
@@ -129,6 +129,8 @@ FORWARD_CLEAR_MARK=

 IMPLICIT_CONTINUE=No

+IPSET_WARNINGS=Yes
+
 IP_FORWARDING=On

 KEEP_RT_TABLES=Yes
--- a/Shorewall6/Samples6/two-interfaces/shorewall6.conf
+++ b/Shorewall6/Samples6/two-interfaces/shorewall6.conf
@@ -129,6 +129,8 @@ FORWARD_CLEAR_MARK=

 IMPLICIT_CONTINUE=No

+IPSET_WARNINGS=Yes
+
 IP_FORWARDING=On

 KEEP_RT_TABLES=Yes
--- a/Shorewall6/configfiles/interfaces
+++ b/Shorewall6/configfiles/interfaces
@@ -7,4 +7,8 @@
 # http://www.shorewall.net/manpages6/shorewall6-interfaces.html
 #
 ###############################################################################
+FORMAT 1
 #ZONE	INTERFACE	ANYCAST		OPTIONS
+
+FORMAT 2
+#ZONE		INTERFACE		OPTIONS
--- a/Shorewall6/configfiles/isusable
+++ b/Shorewall6/configfiles/isusable
@@ -8,13 +8,15 @@
 #
 #	The script is invoked inside a function that accepts an interface
 #	name as a single argument. The file below is designed to work with
-#	both swping and lsm as described at http://www.shorewall.net/MultiISP.html
+#	both swping and lsm as described at
+#	http://www.shorewall.net/MultiISP.html
 #
 # See http://shorewall.net/shorewall_extension_scripts.htm for additional
 # information.
 #
 ###############################################################################
-local status=0
+local status
+status=0

 [ -f ${VARDIR}/${1}.status ] && status=$(cat ${VARDIR}/${1}.status)

--- a/Shorewall6/configfiles/shorewall6.conf
+++ b/Shorewall6/configfiles/shorewall6.conf
@@ -129,6 +129,8 @@ FORWARD_CLEAR_MARK=Yes

 IMPLICIT_CONTINUE=No

+IPSET_WARNINGS=Yes
+
 IP_FORWARDING=Off

 KEEP_RT_TABLES=Yes
--- a/Shorewall6/configfiles/tcrules
+++ b/Shorewall6/configfiles/tcrules
@@ -9,6 +9,6 @@
 #
 # See http://shorewall.net/PacketMarking.html for a detailed description of
 # the Netfilter/Shorewall packet marking mechanism.
-##############################################################################################################################################
-#MARK	SOURCE		DEST		PROTO	DEST	SOURCE	USER	TEST	LENGTH	TOS   CONNBYTES		HELPER	HEADERS    PROBABILITY
+###################################################################################################################################################
+#ACTION	SOURCE		DEST		PROTO	DEST	SOURCE	USER	TEST	LENGTH	TOS   CONNBYTES		HELPER	HEADERS    PROBABILITY DSCP
 #						PORT(S)	PORT(S)
--- a/Shorewall6/configfiles/tos
+++ b/Shorewall6/configfiles/tos
@@ -4,5 +4,5 @@
 # For information about entries in this file, type "man shorewall6-tos"
 #
 ###############################################################################
-#SOURCE		DEST		PROTOCOL	SOURCE	DEST	TOS	MARK
+#SOURCE		DEST		PROTOCOL	DEST	SOURCE	TOS	MARK
 #						PORTS	PORTS
--- a/Shorewall6/init.sh
+++ b/Shorewall6/init.sh
@@ -77,10 +77,10 @@ command="$1"

 case "$command" in
    start)
-	exec /sbin/shorewall6 $OPTIONS start $STARTOPTIONS $@
+	exec /sbin/shorewall6 $OPTIONS start $STARTOPTIONS
 	;;
    restart|reload)
-	exec /sbin/shorewall6 $OPTIONS restart $RESTARTOPTIONS $@
+	exec /sbin/shorewall6 $OPTIONS restart $RESTARTOPTIONS
 	;;
    status|stop)
 	exec /sbin/shorewall6 $OPTIONS $command $@
--- a/Shorewall6/manpages/shorewall6-accounting.xml
+++ b/Shorewall6/manpages/shorewall6-accounting.xml
@@ -75,12 +75,9 @@

    <itemizedlist>
      <listitem>
-        <para>A jump to a user-defined accounting chain before entries that
-        add rules to that chain.</para>
-      </listitem>
-
-      <listitem>
-        <para>This eliminates loops and unreferenced chains.</para>
+        <para>A jump to a user-defined accounting chain must appear before
+        entries that add rules to that chain. This eliminates loops and
+        unreferenced chains.</para>
      </listitem>

      <listitem>
--- a/Shorewall6/manpages/shorewall6-hosts.xml
+++ b/Shorewall6/manpages/shorewall6-hosts.xml
@@ -120,19 +120,6 @@
          the list must have no embedded white space.</para>

          <variablelist>
-            <varlistentry>
-              <term><emphasis role="bold">routeback</emphasis></term>
-
-              <listitem>
-                <para>shorewall6 should set up the infrastructure to pass
-                packets from this/these address(es) back to themselves. This
-                is necessary if hosts in this group use the services of a
-                transparent proxy that is a member of the group or if DNAT is
-                used to send requests originating from this group to a server
-                in the group.</para>
-              </listitem>
-            </varlistentry>
-
            <varlistentry>
              <term><emphasis role="bold">blacklist</emphasis></term>

@@ -143,18 +130,6 @@
              </listitem>
            </varlistentry>

-            <varlistentry>
-              <term><emphasis role="bold">tcpflags</emphasis></term>
-
-              <listitem>
-                <para>Packets arriving from these hosts are checked for
-                certain illegal combinations of TCP flags. Packets found to
-                have such a combination of flags are handled according to the
-                setting of TCP_FLAGS_DISPOSITION after having been logged
-                according to the setting of TCP_FLAGS_LOG_LEVEL.</para>
-              </listitem>
-            </varlistentry>
-
            <varlistentry>
              <term><emphasis role="bold">ipsec</emphasis></term>

@@ -167,6 +142,43 @@
                here.</para>
              </listitem>
            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis
+              role="bold">mss</emphasis>=<replaceable>mss</replaceable></term>
+
+              <listitem>
+                <para>Added in Shorewall 4.5.2. When present, causes the TCP
+                mss for new connections to/from the hosts given in the HOST(S)
+                column to be clamped at the specified
+                <replaceable>mss</replaceable>.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis role="bold">routeback</emphasis></term>
+
+              <listitem>
+                <para>shorewall6 should set up the infrastructure to pass
+                packets from this/these address(es) back to themselves. This
+                is necessary if hosts in this group use the services of a
+                transparent proxy that is a member of the group or if DNAT is
+                used to send requests originating from this group to a server
+                in the group.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis role="bold">tcpflags</emphasis></term>
+
+              <listitem>
+                <para>Packets arriving from these hosts are checked for
+                certain illegal combinations of TCP flags. Packets found to
+                have such a combination of flags are handled according to the
+                setting of TCP_FLAGS_DISPOSITION after having been logged
+                according to the setting of TCP_FLAGS_LOG_LEVEL.</para>
+              </listitem>
+            </varlistentry>
          </variablelist>
        </listitem>
      </varlistentry>
--- a/Shorewall6/manpages/shorewall6-params.xml
+++ b/Shorewall6/manpages/shorewall6-params.xml
@@ -23,7 +23,11 @@
  <refsect1>
    <title>Description</title>

-    <para>Assign any shell variables that you need in this file.</para>
+    <para>Assign any shell variables that you need in this file. The file is
+    always processed by <filename>/bin/sh</filename> or by the shell specified
+    through SHOREWALL_SHELL in <ulink
+    url="shorewall6.conf.html">shorewall6.conf</ulink> (5) so the full range
+    of shell capabilities may be used.</para>

    <para>It is suggested that variable names begin with an upper case letter
    to distinguish them from variables used internally within the Shorewall
@@ -130,8 +134,8 @@ net     eth0            -               dhcp,nosmurfs</programlisting>
    <para>shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5),
    shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-interfaces(5),
    shorewall6-maclist(5), shorewall6-policy(5), shorewall6-providers(5),
-    shorewall6-rtrules(5), shorewall6-routestopped(5),
-    shorewall6-rules(5), shorewall6.conf(5), shorewall6-secmarks(5), shorewall6-tcclasses(5),
+    shorewall6-rtrules(5), shorewall6-routestopped(5), shorewall6-rules(5),
+    shorewall6.conf(5), shorewall6-secmarks(5), shorewall6-tcclasses(5),
    shorewall6-tcdevices(5), shorewall6-tcrules(5), shorewall6-tos(5),
    shorewall6-tunnels(5), shorewall6-zones(5)</para>
  </refsect1>
--- a/Shorewall6/manpages/shorewall6-tcrules.xml
+++ b/Shorewall6/manpages/shorewall6-tcrules.xml
@@ -44,11 +44,11 @@

    <variablelist>
      <varlistentry>
-        <term><emphasis role="bold">MARK/CLASSIFY</emphasis> -
-        <replaceable>mark</replaceable></term>
+        <term><emphasis role="bold">ACTION</emphasis> -
+        <replaceable>action</replaceable></term>

        <listitem>
-          <para><replaceable>mark</replaceable> may assume one of the
+          <para><replaceable>action</replaceable> may assume one of the
          following values.</para>

          <orderedlist numeration="arabic">
@@ -272,8 +272,8 @@
              SAME may be used in the PREROUTING and OUTPUT chains. When used
              in PREROUTING, it causes matching connections from an individual
              local system to all use the same provider. For example:
-              <programlisting>#MARK/            SOURCE         DEST         PROTO      DEST
-#CLASSIFY                                                PORT(S)
+              <programlisting>#ACTION           SOURCE         DEST         PROTO      DEST
+#                                                        PORT(S)
 SAME:P            192.168.1.0/24 0.0.0.0/0    tcp        80,443</programlisting>
              If a host in 192.168.1.0/24 attempts a connection on TCP port 80
              or 443 and it has sent a packet on either of those ports in the
@@ -283,8 +283,8 @@ SAME:P            192.168.1.0/24 0.0.0.0/0    tcp        80,443</programlisting>

              <para>When used in the OUTPUT chain, it causes all matching
              connections to an individual remote system to all use the same
-              provider. For example:<programlisting>#MARK/            SOURCE         DEST         PROTO      DEST
-#CLASSIFY                                                PORT(S)
+              provider. For example:<programlisting>#ACTION           SOURCE         DEST         PROTO      DEST
+#                                                        PORT(S)
 SAME              $FW            0.0.0.0/0    tcp        80,443</programlisting>
              If the firewall attempts a connection on TCP port 80 or 443 and
              it has sent a packet on either of those ports in the last five
@@ -365,6 +365,112 @@ SAME              $FW            0.0.0.0/0    tcp        80,443</programlisting>
              <replaceable>number</replaceable>. Requires IMQ Target support
              in your kernel and ip6tables.</para>
            </listitem>
+
+            <listitem>
+              <para><emphasis
+              role="bold">DSCP</emphasis>(<replaceable>dscp</replaceable>)</para>
+
+              <para>Added in Shorewall 4.5.1. Sets the
+              <firstterm>Differentiated Services Code Point</firstterm> field
+              in the IP header. The <replaceable>dscp</replaceable> value may
+              be given as an even number (hex or decimal) or as the name of a
+              DSCP class. Valid class names and their associated hex numeric
+              values are:</para>
+
+              <programlisting>    CS0  =&gt; 0x00
+    CS1  =&gt; 0x08
+    CS2  =&gt; 0x10
+    CS3  =&gt; 0x18
+    CS4  =&gt; 0x20
+    CS5  =&gt; 0x28
+    CS6  =&gt; 0x30
+    CS7  =&gt; 0x38
+    BE   =&gt; 0x00
+    AF11 =&gt; 0x0a
+    AF12 =&gt; 0x0c
+    AF13 =&gt; 0x0e
+    AF21 =&gt; 0x12
+    AF22 =&gt; 0x14
+    AF23 =&gt; 0x16
+    AF31 =&gt; 0x1a
+    AF32 =&gt; 0x1c
+    AF33 =&gt; 0x1e
+    AF41 =&gt; 0x22
+    AF42 =&gt; 0x24
+    AF43 =&gt; 0x26
+    EF   =&gt; 0x2e</programlisting>
+
+              <para>May be optionally followed by ':' and a capital letter
+              designating the chain where classification is to occur.</para>
+
+              <variablelist>
+                <varlistentry>
+                  <term>F</term>
+
+                  <listitem>
+                    <para>FORWARD chain.</para>
+                  </listitem>
+                </varlistentry>
+
+                <varlistentry>
+                  <term>T</term>
+
+                  <listitem>
+                    <para>POSTROUTING chain (default).</para>
+                  </listitem>
+                </varlistentry>
+              </variablelist>
+            </listitem>
+
+            <listitem>
+              <para><emphasis
+              role="bold">TOS</emphasis>(<replaceable>tos</replaceable>[/<replaceable>mask</replaceable>])</para>
+
+              <para>Added in Shorewall 4.5.1. Sets the <firstterm>Type of
+              Service</firstterm> field in the IP header. The
+              <replaceable>tos</replaceable> value may be given as an number
+              (hex or decimal) or as the name of a TOS type. Valid type names
+              and their associated hex numeric values are:</para>
+
+              <programlisting>Minimize-Delay       =&gt; 0x10,
+Maximize-Throughput  =&gt; 0x08,
+Maximize-Reliability =&gt; 0x04,
+Minimize-Cost        =&gt; 0x02,
+Normal-Service       =&gt; 0x00</programlisting>
+
+              <para>When <replaceable>tos</replaceable> is given as a number,
+              it may be optionally followed by '/' and a
+              <replaceable>mask</replaceable>. When no
+              <replaceable>mask</replaceable> is given, the value 0xff is
+              assumed. When <replaceable>tos</replaceable> is given as a type
+              name, the <replaceable>mask</replaceable> 0x3f is
+              assumed.</para>
+
+              <para>The action performed is to zero out the bits specified by
+              the <replaceable>mask</replaceable>, then set the bits specified
+              by <replaceable>tos</replaceable>.</para>
+
+              <para>May be optionally followed by ':' and a capital letter
+              designating the chain where classification is to occur.</para>
+
+              <variablelist>
+                <varlistentry>
+                  <term>F</term>
+
+                  <listitem>
+                    <para>FORWARD chain.</para>
+                  </listitem>
+                </varlistentry>
+
+                <varlistentry>
+                  <term>T</term>
+
+                  <listitem>
+                    <para>POSTROUTING chain (default).</para>
+                  </listitem>
+                </varlistentry>
+              </variablelist>
+            </listitem>
          </orderedlist>
        </listitem>
      </varlistentry>
@@ -389,7 +495,7 @@ SAME              $FW            0.0.0.0/0    tcp        80,443</programlisting>

          <para>Accordingly, use $<emphasis role="bold">FW</emphasis> in its
          own separate rule for packets originating on the firewall. In such a
-          rule, the MARK column may NOT specify either <emphasis
+          rule, the ACTION column may NOT specify either <emphasis
          role="bold">:P</emphasis> or <emphasis role="bold">:F</emphasis>
          because marking for firewall-originated packets always occurs in the
          OUTPUT chain.</para>
@@ -420,7 +526,7 @@ SAME              $FW            0.0.0.0/0    tcp        80,443</programlisting>
          iprange match support, IP address ranges are also allowed. List
          elements may also consist of an interface name followed by ":" and
          an address (e.g., eth1:&lt;2002:ce7c:92b4::/48&gt;). If the
-          <emphasis role="bold">MARK</emphasis> column specificies a
+          <emphasis role="bold">ACTION</emphasis> column specificies a
          classification of the form
          <emphasis>major</emphasis>:<emphasis>minor</emphasis> then this
          column may also contain an interface name.</para>
@@ -689,8 +795,8 @@ SAME              $FW            0.0.0.0/0    tcp        80,443</programlisting>
          that the original connection was made on.</para>

          <para>Example: Mark all FTP data connections with mark
-          4:<programlisting>#MARK/    SOURCE    DEST      PROTO   PORT(S)    SOURCE  USER TEST LENGTH TOS CONNBYTES HELPER
-#CLASSIFY                                        PORT(S)
+          4:<programlisting>#ACTION   SOURCE    DEST      PROTO   PORT(S)    SOURCE  USER TEST LENGTH TOS CONNBYTES HELPER
+#                                                PORT(S)
 4         ::/0      ::/0      TCP     -          -       -    -    -      -   -         ftp</programlisting></para>
        </listitem>
      </varlistentry>
@@ -824,8 +930,8 @@ SAME              $FW            0.0.0.0/0    tcp        80,443</programlisting>

          <para>We assume packet/connection mark 0 means unclassified.</para>

-          <programlisting>       #MARK/    SOURCE    DEST         PROTO   PORT(S)       SOURCE  USER    TEST
-       #CLASSIFY                                              PORT(S)
+          <programlisting>       #ACTION   SOURCE    DEST         PROTO   PORT(S)       SOURCE  USER    TEST
+       #                                                      PORT(S)
       1         ::/0      ::/0         icmp    echo-request
       1         ::/0      ::/0         icmp    echo-reply
       RESTORE   ::/0      ::/0         all     -             -       -       0
--- a/Shorewall6/manpages/shorewall6-tos.xml
+++ b/Shorewall6/manpages/shorewall6-tos.xml
@@ -23,7 +23,10 @@
  <refsect1>
    <title>Description</title>

-    <para>This file defines rules for setting Type Of Service (TOS)</para>
+    <para>This file defines rules for setting Type Of Service (TOS). Its use
+    is deprecated, beginning in Shorewall 4.5.1, in favor of the TOS target in
+    <ulink url="shorewall6-tcrules.html">shorewall6-tcrules</ulink>
+    (5).</para>

    <para>The columns in the file are as follows.</para>

--- a/Shorewall6/manpages/shorewall6.conf.xml
+++ b/Shorewall6/manpages/shorewall6.conf.xml
@@ -756,6 +756,29 @@ net     all  DROP   info</programlisting>then the chain name is 'net2all'
        </listitem>
      </varlistentry>

+      <varlistentry>
+        <term><emphasis role="bold">IPSET_WARNINGS=</emphasis>{<emphasis
+        role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>}</term>
+
+        <listitem>
+          <para>Added in Shorewall 4.5.2. Default is Yes. When set, causes the
+          rules compiler to issue a warning when:</para>
+
+          <itemizedlist>
+            <listitem>
+              <para>The compiler is being run by root and an ipset specified
+              in the configuration does not exists. Only one warning is issued
+              for each missing ipset.</para>
+            </listitem>
+
+            <listitem>
+              <para>When [src] is specified in a destination column and when
+              [dst] is specified in a source column.</para>
+            </listitem>
+          </itemizedlist>
+        </listitem>
+      </varlistentry>
+
      <varlistentry>
        <term><emphasis role="bold">KEEP_RT_TABLES=</emphasis>{<emphasis
        role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>}</term>
@@ -1809,15 +1832,14 @@ net     all  DROP   info</programlisting>then the chain name is 'net2all'
          to zero, thus allowing the packet to be routed using the 'main'
          routing table. Using the main table allowed dynamic routes (such as
          those added for VPNs) to be effective. The <ulink
-          url="shorewall6-rtrules.html">shorewall6-rtrules</ulink>(5)
-          file was created to provide a better alternative to clearing the
-          packet mark. As a consequence, passing these packets to PREROUTING
-          complicates things without providing any real benefit. Beginning
-          with Shorewall 4.4.6, when TRACK_PROVIDERS=Yes and TC_EXPERT=No,
-          packets arriving through 'tracked' interfaces will not be passed to
-          the PREROUTING rules. Since TRACK_PROVIDERS was just introduced in
-          4.4.3, this change should be transparent to most, if not all,
-          users.</para>
+          url="shorewall6-rtrules.html">shorewall6-rtrules</ulink>(5) file was
+          created to provide a better alternative to clearing the packet mark.
+          As a consequence, passing these packets to PREROUTING complicates
+          things without providing any real benefit. Beginning with Shorewall
+          4.4.6, when TRACK_PROVIDERS=Yes and TC_EXPERT=No, packets arriving
+          through 'tracked' interfaces will not be passed to the PREROUTING
+          rules. Since TRACK_PROVIDERS was just introduced in 4.4.3, this
+          change should be transparent to most, if not all, users.</para>
        </listitem>
      </varlistentry>

@@ -1977,10 +1999,9 @@ net     all  DROP   info</programlisting>then the chain name is 'net2all'
    shorewall6-ipsec(5), shorewall6-maclist(5), shorewall6-masq(5),
    shorewall6-nat(5), shorewall6-netmap(5),
    shoewall6-netmap(5),shorewall6-params(5), shorewall6-policy(5),
-    shorewall6-providers(5), shorewall6-proxyarp(5),
-    shorewall6-rtrules(5), shorewall6-routestopped(5),
-    shorewall6-rules(5), shorewall6-tcclasses(5), shorewall6-tcdevices(5),
-    shorewall6-tcrules(5), shorewall6-tos(5), shorewall6-tunnels(5),
-    shorewall6-zones(5)</para>
+    shorewall6-providers(5), shorewall6-proxyarp(5), shorewall6-rtrules(5),
+    shorewall6-routestopped(5), shorewall6-rules(5), shorewall6-tcclasses(5),
+    shorewall6-tcdevices(5), shorewall6-tcrules(5), shorewall6-tos(5),
+    shorewall6-tunnels(5), shorewall6-zones(5)</para>
  </refsect1>
 </refentry>
--- a/Shorewall6/manpages/shorewall6.xml
+++ b/Shorewall6/manpages/shorewall6.xml
@@ -1108,7 +1108,7 @@
          directory is given, then Shorewall6 will look in that directory
          first when opening configuration files.</para>

-          <para>Begining with Shorewall 4.5.0, you may specify a different
+          <para>Beginning with Shorewall 4.5.0, you may specify a different
          <replaceable>timeout</replaceable> value using the
          <option>-t</option> option. The numeric
          <replaceable>timeout</replaceable> may optionally be followed by an
@@ -1130,7 +1130,7 @@
          Shorewall6 will look in that directory first when opening
          configuration files.</para>

-          <para>Begining with Shorewall 4.5.0, you may specify a different
+          <para>Beginning with Shorewall 4.5.0, you may specify a different
          <replaceable>timeout</replaceable> value using the
          <option>-t</option> option. The numeric
          <replaceable>timeout</replaceable> may optionally be followed by an
@@ -1422,7 +1422,7 @@
          role="bold">restore</emphasis> is performed after
          <replaceable>timeout</replaceable> seconds.</para>

-          <para>Begining with Shorewall 4.5.0, the numeric
+          <para>Beginning with Shorewall 4.5.0, the numeric
          <replaceable>timeout</replaceable> may optionally be followed by an
          <option>s</option>, <option>m</option> or <option>h</option> suffix
          (e.g., 5m) to specify seconds, minutes or hours respectively. If the
--- a/docs/Anatomy.xml
+++ b/docs/Anatomy.xml
@@ -106,7 +106,7 @@

      <para>The <filename>/sbin/shorewall</filename> shell program is used to
      interact with Shorewall. See <ulink
-      url="manpages/shorewall.html">shorewall</ulink>(8). </para>
+      url="manpages/shorewall.html">shorewall</ulink>(8).</para>
    </section>

    <section id="share-shorewall">
--- a/docs/Documentation_Index.xml
+++ b/docs/Documentation_Index.xml
@@ -223,8 +223,8 @@

            <entry><ulink url="OpenVZ.html">OpenVZ</ulink></entry>

-            <entry><ulink url="LennyToSqueeze.html">Upgrading to Shorewall 4.4
-            (Upgrading Debian Lenny to Squeeze)</ulink></entry>
+            <entry><ulink url="upgrade_issues.htm">Upgrade
+            Issues</ulink></entry>
          </row>

          <row>
@@ -234,7 +234,8 @@
            <entry><ulink url="starting_and_stopping_shorewall.htm">Operating
            Shorewall</ulink></entry>

-            <entry><ulink url="VPNBasics.html">VPN</ulink></entry>
+            <entry><ulink url="LennyToSqueeze.html">Upgrading to Shorewall 4.4
+            (Upgrading Debian Lenny to Squeeze)</ulink></entry>
          </row>

          <row>
@@ -245,7 +246,7 @@
            <entry><ulink url="PacketMarking.html">Packet
            Marking</ulink></entry>

-            <entry><ulink url="VPN.htm">VPN Passthrough</ulink></entry>
+            <entry><ulink url="VPNBasics.html">VPN</ulink></entry>
          </row>

          <row>
@@ -255,8 +256,7 @@
            <entry><ulink url="PacketHandling.html">Packet Processing in a
            Shorewall-based Firewall</ulink></entry>

-            <entry><ulink url="blacklisting_support.htm#whitelisting">White
-            List Creation</ulink></entry>
+            <entry><ulink url="VPN.htm">VPN Passthrough</ulink></entry>
          </row>

          <row>
@@ -264,8 +264,8 @@

            <entry><ulink url="ping.html">'Ping' Management</ulink></entry>

-            <entry><ulink url="XenMyWay.html">Xen - Shorewall in a Bridged Xen
-            DomU</ulink></entry>
+            <entry><ulink url="blacklisting_support.htm#whitelisting">White
+            List Creation</ulink></entry>
          </row>

          <row>
@@ -275,8 +275,8 @@
            <entry><ulink url="two-interface.htm#DNAT">Port
            Forwarding</ulink></entry>

-            <entry><ulink url="XenMyWay-Routed.html">Xen - Shorewall in Routed
-            Xen Dom0</ulink></entry>
+            <entry><ulink url="XenMyWay.html">Xen - Shorewall in a Bridged Xen
+            DomU</ulink></entry>
          </row>

          <row>
@@ -285,7 +285,8 @@

            <entry><ulink url="ports.htm">Port Information</ulink></entry>

-            <entry/>
+            <entry><ulink url="XenMyWay-Routed.html">Xen - Shorewall in Routed
+            Xen Dom0</ulink></entry>
          </row>

          <row>
--- a/docs/FAQ.xml
+++ b/docs/FAQ.xml
@@ -247,7 +247,7 @@ DNAT    net:<emphasis>address</emphasis>   loc:<emphasis>local-IP-address</empha
        <itemizedlist>
          <listitem>
            <para>You are trying to test from inside your firewall (no, that
-            won't work -- see <xref linkend="faq2" />).</para>
+            won't work -- see <xref linkend="faq2"/>).</para>
          </listitem>

          <listitem>
@@ -2837,7 +2837,7 @@ Shorewall has detected the following iptables/netfilter capabilities:
   Persistent SNAT: Available
 gateway:~# </programlisting>

-      <para></para>
+      <para/>
    </section>

    <section id="faq19">
@@ -2982,5 +2982,53 @@ EXT_IF:192.168.1.1	     	0.0.0.0/0		192.168.1.254
        examples, macros, etc. easier.</para>
      </section>
    </section>
+
+    <section id="faq98">
+      <title>(FAQ 98) How do I Unsubscribe from the Mailing List</title>
+
+      <para><emphasis role="bold">Answer</emphasis>: There are two
+      ways:</para>
+
+      <orderedlist>
+        <listitem>
+          <para>On the web</para>
+
+          <para>Go to <ulink
+          url="https://lists.sourceforge.net/lists/listinfo/shorewall-users">https://lists.sourceforge.net/lists/listinfo/shorewall-users</ulink>.
+          At the bottom of the form is a section entitled "<emphasis
+          role="bold">Shorewall-users Subscribers</emphasis>". At the bottom
+          of that section find:</para>
+
+          <blockquote>
+            <para>"To <emphasis role="bold">unsubscribe</emphasis> from
+            Shorewall-users, get a password reminder, or change your
+            subscription options <emphasis role="bold">enter your subscription
+            email address</emphasis>:".</para>
+          </blockquote>
+
+          <para>Enter your email address in the box provided and click on the
+          "<emphasis role="bold"><ulink url="???">Unsubscribe or edit
+          options</ulink></emphasis>" button. That will take you to a second
+          form.</para>
+
+          <para>At the top of the second form is a box to <emphasis
+          role="bold">enter your password</emphasis> -- enter it there then
+          click the <emphasis role="bold">Unsubscribe</emphasis> button in the
+          center of the form. You will be unsubscribed.</para>
+
+          <para>If you <emphasis role="bold">don't remember your
+          password</emphasis>, click on the <emphasis
+          role="bold">Remind</emphasis> button at the bottom of the form and
+          your password will be emailed to you.</para>
+        </listitem>
+
+        <listitem>
+          <para>Via email using this link: <ulink
+          url="mailto:shorewall-users-request@lists.sourceforge.net?subject=unsubscribe">mailto:shorewall-users-request@lists.sourceforge.net?subject=unsubscribe</ulink>.
+          You will receive a confirmation email shortly; follow the
+          instructions in that email.</para>
+        </listitem>
+      </orderedlist>
+    </section>
  </section>
 </article>
--- a/docs/Install.xml
+++ b/docs/Install.xml
@@ -24,6 +24,8 @@

      <year>2009</year>

+      <year>2012</year>
+
      <holder>Thomas M. Eastep</holder>
    </copyright>

@@ -135,11 +137,31 @@
  <section id="Install_Tarball">
    <title>Install using tarball</title>

+    <para>Beginning with Shorewall-4.5.0, the Shorewall packages depend on
+    Shorewall-core. So the first step is to install that package:</para>
+
+    <orderedlist>
+      <listitem>
+        <para>unpack the tarballs:<programlisting><command>tar -jxf shorewall-core-4.5.0.tar.bz2</command></programlisting></para>
+      </listitem>
+
+      <listitem>
+        <para>cd to the shorewall directory (the version is encoded in the
+        directory name as in <quote>shorewall-core-4.5.0</quote>).</para>
+      </listitem>
+
+      <listitem>
+        <para>Type:</para>
+
+        <programlisting><command>./install.sh </command></programlisting>
+      </listitem>
+    </orderedlist>
+
    <para>To install Shorewall using the tarball and install script:</para>

    <orderedlist>
      <listitem>
-        <para>unpack the tarballs:<programlisting><command>tar -jxf shorewall-4.3.5.tar.bz2</command></programlisting></para>
+        <para>unpack the tarballs:<programlisting><command>tar -jxf shorewall-4.5.0.tar.bz2</command></programlisting></para>
      </listitem>

      <listitem>
@@ -241,6 +263,9 @@
            <para>Beginning with Shorewall 4.4.20, you can specify an absolute
            path name for LIBEXEC, in which case the listed executables will
            be installed in ${LIBEXEC}/shorewall*.</para>
+
+            <para>Beginning with Shorewall 4.5.1, you must specify an absolute
+            pathname for LIBEXEC.</para>
          </listitem>
        </varlistentry>

@@ -258,10 +283,311 @@
            <para>Beginning with Shorewall 4.4.20, you can specify an absolute
            path name for PERLLIB, in which case the Shorewall Perl modules
            will be installed in ${PERLLIB}/Shorewall/.</para>
+
+            <para>Beginning with Shorewall 4.5.1, you must specify an absolute
+            pathname for PERLLIB.</para>
+          </listitem>
+        </varlistentry>
+
+        <varlistentry>
+          <term>MANDIR</term>
+
+          <listitem>
+            <para>Determines where the man pages are installed. Default is
+            distribution-dependent as shown below.</para>
          </listitem>
        </varlistentry>
      </variablelist>
    </section>
+
+    <section id="Locations">
+      <title>Default Install Locations</title>
+
+      <para>The default install locations are distribution dependent as shown
+      in the following sections. These are the locations that are chosen by
+      the install.sh scripts.</para>
+
+      <section>
+        <title>All Distributions</title>
+
+        <informaltable>
+          <tgroup cols="2">
+            <tbody>
+              <row>
+                <entry><emphasis role="bold">COMPONENT</emphasis></entry>
+
+                <entry><emphasis role="bold">LOCATION</emphasis></entry>
+              </row>
+
+              <row>
+                <entry>man pages</entry>
+
+                <entry>/usr/share/man/ (may ve overridden using
+                MANDIR)</entry>
+              </row>
+
+              <row>
+                <entry>Shorewall Perl Modules</entry>
+
+                <entry>/usr/share/shorewall/ (may be overridden using
+                PERLLIB)</entry>
+              </row>
+
+              <row>
+                <entry>Executable helper scripts (compiler.pl, getparams,
+                wait4ifup)</entry>
+
+                <entry>/usr/share/shorewall/ (may be overridden using
+                LIBEXEC)</entry>
+              </row>
+
+              <row>
+                <entry>ifupdown.sh (from Shorewall-init)</entry>
+
+                <entry>/usr/share/shorewall-init/ (may be overridden using
+                LIBEXEC)</entry>
+              </row>
+            </tbody>
+          </tgroup>
+        </informaltable>
+      </section>
+
+      <section>
+        <title>Debian</title>
+
+        <informaltable>
+          <tgroup cols="2">
+            <tbody>
+              <row>
+                <entry><emphasis role="bold">COMPONENT</emphasis></entry>
+
+                <entry><emphasis role="bold">LOCATION</emphasis></entry>
+              </row>
+
+              <row>
+                <entry>CLI programs</entry>
+
+                <entry>/sbin/<replaceable>product</replaceable></entry>
+              </row>
+
+              <row>
+                <entry>Distribution-specific configuration file</entry>
+
+                <entry>/etc/default/<replaceable>product</replaceable></entry>
+              </row>
+
+              <row>
+                <entry>Init Scripts</entry>
+
+                <entry>/etc/init.d/<replaceable>product</replaceable></entry>
+              </row>
+
+              <row>
+                <entry>ifupdown scripts from Shorewall-init</entry>
+
+                <entry>/etc/network/if-up.d/shorewall,
+                /etc/network/if-post-down.d/shorewall</entry>
+              </row>
+
+              <row>
+                <entry>ppp ifupdown scripts from Shorewall-init</entry>
+
+                <entry>/etc/ppp/ip-up.d/shorewall,
+                /etc/ppp/ip-down.d/shorewall /etc/ppp/ipv6-up.d/shorewall
+                /etc/ppp/ipv6-down.d/shorewall</entry>
+              </row>
+            </tbody>
+          </tgroup>
+        </informaltable>
+      </section>
+
+      <section>
+        <title>Redhat and Derivatives</title>
+
+        <informaltable>
+          <tgroup cols="2">
+            <tbody>
+              <row>
+                <entry><emphasis role="bold">COMPONENT</emphasis></entry>
+
+                <entry><emphasis role="bold">LOCATION</emphasis></entry>
+              </row>
+
+              <row>
+                <entry>CLI programs</entry>
+
+                <entry>/sbin/<replaceable>product</replaceable></entry>
+              </row>
+
+              <row>
+                <entry>Distribution-specific configuration file</entry>
+
+                <entry>/etc/sysconfig/<replaceable>product</replaceable></entry>
+              </row>
+
+              <row>
+                <entry>Init Scripts</entry>
+
+                <entry>/etc/rc.d/init.d/<replaceable>product</replaceable></entry>
+              </row>
+
+              <row>
+                <entry>ifupdown scripts from Shorewall-init</entry>
+
+                <entry>/sbin/ifup-local, /sbin/ifdown-local</entry>
+              </row>
+
+              <row>
+                <entry>ppp ifupdown scripts from Shorewall-init</entry>
+
+                <entry>/etc/ppp/ip-up.local, /etc/ppp/ip-down.local</entry>
+              </row>
+            </tbody>
+          </tgroup>
+        </informaltable>
+      </section>
+
+      <section>
+        <title>SuSE</title>
+
+        <informaltable>
+          <tgroup cols="2">
+            <tbody>
+              <row>
+                <entry><emphasis role="bold">COMPONENT</emphasis></entry>
+
+                <entry><emphasis role="bold">LOCATION</emphasis></entry>
+              </row>
+
+              <row>
+                <entry>CLI programs</entry>
+
+                <entry>/sbin/<replaceable>product</replaceable></entry>
+              </row>
+
+              <row>
+                <entry>Distribution-specific configuration file</entry>
+
+                <entry>/etc/sysconfig/<replaceable>product</replaceable></entry>
+              </row>
+
+              <row>
+                <entry>Init Scripts</entry>
+
+                <entry>/etc/init.d/<replaceable>product</replaceable></entry>
+              </row>
+
+              <row>
+                <entry>ifupdown scripts from Shorewall-init</entry>
+
+                <entry>/etc/sysconfig/network/if-up.d/shorewall,
+                /etc/sysconfig/network/if-down.d/shorewall</entry>
+              </row>
+
+              <row>
+                <entry>ppp ifupdown scripts from Shorewall-init</entry>
+
+                <entry>/etc/ppp/ip-up.d/shorewall,
+                /etc/ppp/ip-down.d/shorewall /etc/ppp/ipv6-up.d/shorewall
+                /etc/ppp/ipv6-down.d/shorewall</entry>
+              </row>
+            </tbody>
+          </tgroup>
+        </informaltable>
+      </section>
+
+      <section>
+        <title>Cygwin</title>
+
+        <informaltable>
+          <tgroup cols="2">
+            <tbody>
+              <row>
+                <entry><emphasis role="bold">COMPONENT</emphasis></entry>
+
+                <entry><emphasis role="bold">LOCATION</emphasis></entry>
+              </row>
+
+              <row>
+                <entry>CLI programs</entry>
+
+                <entry>/bin/<replaceable>product</replaceable></entry>
+              </row>
+
+              <row>
+                <entry>Distribution-specific configuration file</entry>
+
+                <entry>N/A</entry>
+              </row>
+
+              <row>
+                <entry>Init Scripts</entry>
+
+                <entry>N/A</entry>
+              </row>
+
+              <row>
+                <entry>ifupdown scripts from Shorewall-init</entry>
+
+                <entry>N/A</entry>
+              </row>
+
+              <row>
+                <entry>ppp ifupdown scripts from Shorewall-init</entry>
+
+                <entry>N/A</entry>
+              </row>
+            </tbody>
+          </tgroup>
+        </informaltable>
+      </section>
+
+      <section>
+        <title>OS X</title>
+
+        <informaltable>
+          <tgroup cols="2">
+            <tbody>
+              <row>
+                <entry><emphasis role="bold">COMPONENT</emphasis></entry>
+
+                <entry><emphasis role="bold">LOCATION</emphasis></entry>
+              </row>
+
+              <row>
+                <entry>CLI programs</entry>
+
+                <entry>/sbin/<replaceable>product</replaceable></entry>
+              </row>
+
+              <row>
+                <entry>Distribution-specific configuration file</entry>
+
+                <entry>N/A</entry>
+              </row>
+
+              <row>
+                <entry>Init Scripts</entry>
+
+                <entry>N/A</entry>
+              </row>
+
+              <row>
+                <entry>ifupdown scripts from Shorewall-init</entry>
+
+                <entry>N/A</entry>
+              </row>
+
+              <row>
+                <entry>ppp ifupdown scripts from Shorewall-init</entry>
+
+                <entry>N/A</entry>
+              </row>
+            </tbody>
+          </tgroup>
+        </informaltable>
+      </section>
+    </section>
  </section>

  <section id="Debian">
@@ -406,17 +732,37 @@ Pin-Priority: 700</programlisting><emphasis role="bold"><emphasis>Then
        issues</ulink> for specific instructions.</para>
      </important></para>

+    <para>If you are upgrading to version 4.5.0 or later, you must first
+    install or upgrade the Shorewall-core package:</para>
+
+    <orderedlist>
+      <listitem>
+        <para>unpack the tarballs:<programlisting><command>tar -jxf shorewall-core-4.5.0.tar.bz2</command></programlisting></para>
+      </listitem>
+
+      <listitem>
+        <para>cd to the shorewall directory (the version is encoded in the
+        directory name as in <quote>shorewall-core-4.5.0</quote>).</para>
+      </listitem>
+
+      <listitem>
+        <para>Type:</para>
+
+        <programlisting><command>./install.sh </command></programlisting>
+      </listitem>
+    </orderedlist>
+
    <para>If you already have Shorewall installed and are upgrading to a new
    version using the tarball:</para>

    <orderedlist>
      <listitem>
-        <para>unpack the tarball:<programlisting><command>tar -jxf shorewall-4.3.5.tar.bz2</command></programlisting></para>
+        <para>unpack the tarball:<programlisting><command>tar -jxf shorewall-4.5.0.tar.bz2</command></programlisting></para>
      </listitem>

      <listitem>
        <para>cd to the shorewall-perl directory (the version is encoded in
-        the directory name as in <quote>shorewall-4.3.5</quote>).</para>
+        the directory name as in <quote>shorewall-4.5.0</quote>).</para>
      </listitem>

      <listitem>
--- a/docs/Introduction.xml
+++ b/docs/Introduction.xml
@@ -16,7 +16,7 @@
    <pubdate><?dbtimestamp format="Y/m/d"?></pubdate>

    <copyright>
-      <year>2003-2009</year>
+      <year>2003-2012</year>

      <holder>Thomas M. Eastep</holder>
    </copyright>
@@ -385,9 +385,14 @@ ACCEPT     net           $FW       tcp        22</programlisting>
  <section id="Packages">
    <title>Shorewall Packages</title>

-    <para>Shorewall 4.3 and later consists of four packages.</para>
+    <para>Shorewall 4.5 and later consists of six packages.</para>

    <orderedlist>
+      <listitem>
+        <para><emphasis role="bold">Shorewall-core</emphasis>. All of the
+        other packages depend on this one.</para>
+      </listitem>
+
      <listitem>
        <para><emphasis role="bold">Shorewall</emphasis>. This package must be
        installed on at least one system in your network. It contains
@@ -417,6 +422,13 @@ ACCEPT     net           $FW       tcp        22</programlisting>
        scripts are generated. These scripts are copied to the firewall
        systems where they run under the control of Shorewall6-lite.</para>
      </listitem>
+
+      <listitem>
+        <para><emphasis role="bold">Shorewall-init</emphasis>. May be
+        installed with any of the other firewall packages. Allows the firewall
+        to be close prior to bringing up network interfaces. It can also react
+        to interface up/down events.</para>
+      </listitem>
    </orderedlist>
  </section>

--- a/docs/MultiISP.xml
+++ b/docs/MultiISP.xml
@@ -117,7 +117,7 @@
          ISP.</para>
        </footnote> as in the following diagram.</para>

-      <graphic align="center" fileref="images/TwoISPs.png" valign="middle" />
+      <graphic align="center" fileref="images/TwoISPs.png" valign="middle"/>

      <itemizedlist>
        <listitem>
@@ -1578,8 +1578,11 @@ DOWN_COUNT=2</programlisting>
 return $status</programlisting></para>

        <para>The above script is installed in <filename
-        class="directory">/etc/shorewall</filename>, beginning with Shorewall
-        4.3.11.</para>
+        class="directory">/etc/shorewall</filename> in Shorewall releases
+        4.3.11 - 4.5.0. Beginning with Shorewall 4.5.1, it is no longer
+        installed in <filename class="directory">/etc/shorewall</filename>,
+        but may be copied there from <filename
+        class="directory">/usr/share/shorewall/configfiles</filename>.</para>

        <para>Also included is a sample init script
        (<filename>swping.init</filename>) to start the monitoring daemon.
@@ -2088,7 +2091,7 @@ exit 0
      on ursa that I will describe here</emphasis>.</para>

      <para>Below is a diagram of our network:<graphic align="center"
-      fileref="images/Network2008a.png" /></para>
+      fileref="images/Network2008a.png"/></para>

      <para>The local wired network in my office is connected to both gateways
      and uses the private (RFC 1918) network 172.20.1.0/24. The Comcast
@@ -2242,7 +2245,7 @@ wlan0                   192.168.0.0/24</programlisting><note>

    <para>The network is pictured in the following diagram:</para>

-    <graphic align="center" fileref="images/Network2009.png" />
+    <graphic align="center" fileref="images/Network2009.png"/>

    <para>Because of the speed of the cable provider, all traffic uses that
    provider unless there is a specific need for the traffic to use the DSL
--- a/docs/PacketMarking.xml
+++ b/docs/PacketMarking.xml
@@ -117,7 +117,7 @@ tcp      6 19 TIME_WAIT src=206.124.146.176 dst=192.136.34.98 sport=58597 dport=
        <para>PREROUTING program — If MARK_IN_FORWARD_CHAIN=No in
        <filename>shorewall.conf</filename>, then by default entries in
        <filename>/etc/shorewall/tcrules</filename> are part of the PREROUTING
-        program. Entries specifying the ":P" suffix in the MARK column are
+        program. Entries specifying the ":P" suffix in the ACTION column are
        also part of the PREROUTING program. The PREROUTING program gets
        executed for each packet entering the firewall.</para>
      </listitem>
@@ -126,7 +126,7 @@ tcp      6 19 TIME_WAIT src=206.124.146.176 dst=192.136.34.98 sport=58597 dport=
        <para>FORWARD program — If MARK_IN_FORWARD_CHAIN=Yes in
        <filename>shorewall.conf</filename>, then by default entries in
        <filename>/etc/shorewall/tcrules</filename> are part of the FORWARD
-        program. Entries specifying the ":F" suffix in the MARK column are
+        program. Entries specifying the ":F" suffix in the ACTION column are
        also part of the FORWARD program. The FORWARD program gets executed
        for each packet forwarded by the firewall.</para>
      </listitem>
@@ -138,12 +138,12 @@ tcp      6 19 TIME_WAIT src=206.124.146.176 dst=192.136.34.98 sport=58597 dport=
      </listitem>

      <listitem>
-        <para>POSTROUTING program — Entries with a class-id in the MARK column
-        (and that don't specify $FW in the SOURCE column) are part of the
-        POSTROUTING program. These rules are executed for each packet leaving
-        the firewall. Entries specifying the ":T" suffix in the MARK column
-        are also part of the POSTROUTING program (Shorewall version 3.4.0 and
-        later).</para>
+        <para>POSTROUTING program — Entries with a class-id in the ACTION
+        column (and that don't specify $FW in the SOURCE column) are part of
+        the POSTROUTING program. These rules are executed for each packet
+        leaving the firewall. Entries specifying the ":T" suffix in the ACTION
+        column are also part of the POSTROUTING program (Shorewall version
+        3.4.0 and later).</para>
      </listitem>

      <listitem>
@@ -180,25 +180,25 @@ tcp      6 19 TIME_WAIT src=206.124.146.176 dst=192.136.34.98 sport=58597 dport=

          <listitem>
            <para>the connection to which the current packet belongs receives
-            a new mark value (":C", ":CF" or ":CP" suffix in the MARK column);
-            or</para>
+            a new mark value (":C", ":CF" or ":CP" suffix in the ACTION
+            column); or</para>
          </listitem>

          <listitem>
            <para>the packet is classified for traffic shaping (class-id in
-            the MARK column); or</para>
+            the ACTION column); or</para>
          </listitem>

          <listitem>
            <para>the packet mark in the current packet is moved to the
            connection mark for the connection that the current packet is part
-            of ("SAVE" in the MARK column); or</para>
+            of ("SAVE" in the ACTION column); or</para>
          </listitem>

          <listitem>
            <para>the connection mark value for the connection that the
            current packet is part of is moved to the current packet's mark
-            ("RESTORE" in the MARK column); or</para>
+            ("RESTORE" in the ACTION column); or</para>
          </listitem>

          <listitem>
@@ -207,7 +207,7 @@ tcp      6 19 TIME_WAIT src=206.124.146.176 dst=192.136.34.98 sport=58597 dport=
          </listitem>

          <listitem>
-            <para>exit the current subroutine ("CONTINUE" in the MARK
+            <para>exit the current subroutine ("CONTINUE" in the ACTION
            column).</para>
          </listitem>
        </orderedlist>
@@ -339,9 +339,9 @@ tcp      6 19 TIME_WAIT src=206.124.146.176 dst=192.136.34.98 sport=58597 dport=
    <para>The relationship between these options is shown in this
    diagram.</para>

-    <graphic align="left" fileref="images/MarkGeometry.png" valign="top" />
+    <graphic align="left" fileref="images/MarkGeometry.png" valign="top"/>

-    <para></para>
+    <para/>

    <para>The default values of these options are determined by the settings
    of other options as follows:</para>
@@ -455,7 +455,7 @@ tcp      6 19 TIME_WAIT src=206.124.146.176 dst=192.136.34.98 sport=58597 dport=
    <para>Here's the example (slightly expanded) from the comments at the top
    of the <filename>/etc/shorewall/tcrules</filename> file.</para>

-    <programlisting>#MARK    SOURCE          DEST            PROTO   PORT(S) CLIENT  USER    TEST    LENGTH  TOS
+    <programlisting>#ACTION  SOURCE          DEST            PROTO   PORT(S) CLIENT  USER    TEST    LENGTH  TOS
 #                                                        PORT(S)
 1        0.0.0.0/0       0.0.0.0/0       icmp    echo-request                 #Rule 1
 1        0.0.0.0/0       0.0.0.0/0       icmp    echo-reply                   #Rule 2
@@ -539,7 +539,7 @@ Blarg   1       0x100   main            eth3            206.124.146.254 track,ba

    <para>Here is <filename>/etc/shorewall/tcrules</filename>:</para>

-    <programlisting>#MARK   SOURCE          DEST            PROTO   PORT(S) CLIENT  USER    TEST
+    <programlisting>#ACTION SOURCE          DEST            PROTO   PORT(S) CLIENT  USER    TEST
 #                                                       PORT(S)
 1:110   192.168.0.0/22  eth3                                            #Our internal nets get priority
                                                                        #over the server
--- a/docs/ReleaseModel.xml
+++ b/docs/ReleaseModel.xml
@@ -32,6 +32,8 @@

      <year>2010</year>

+      <year>2012</year>
+
      <holder>Thomas M. Eastep</holder>
    </copyright>

@@ -52,81 +54,64 @@
    <orderedlist>
      <listitem>
        <para>Releases have a three-level identification
-        <firstterm>x.y.z</firstterm> (e.g., 2.0.3).</para>
+        <firstterm>x.y.z</firstterm> (e.g., 4.5.0).</para>
      </listitem>

      <listitem>
        <para>The first two levels (<emphasis>x.y</emphasis>) designate the
-        <firstterm>Major Release Number</firstterm> (e.g., 2.0).</para>
+        <firstterm>major release number</firstterm> (e.g., 4.5).</para>
      </listitem>

      <listitem>
-        <para>The third level (<emphasis>z</emphasis>) designates the
-        <firstterm>Minor Release Number</firstterm>.</para>
+        <para>The third level (<emphasis>y</emphasis>) designates the
+        <firstterm>minor release Number</firstterm>.</para>
      </listitem>

      <listitem>
-        <para>Even numbered major releases (e.g., 1.4, 2.0, 2.2, ...) are
-        <firstterm>Stable Releases</firstterm>. No major new features are
-        added to stable releases and new minor releases of a stable release
-        will only contain bug fixes and simple low-risk enhancements.
-        Installing a new minor release for the major release that you are
-        currently running involves no migration issues unless you want to take
-        advantage of an enhancement (for example, if you are running 1.4.10
-        and I release 1.4.11, your current configuration is 100% compatible
-        with the new release).</para>
+        <para>Installing a new minor release involves no migration issues
+        unless you want to take advantage of an enhancement. For example, if
+        you are running 4.5.0 and I release 4.5.1, your current configuration
+        is 100% compatible with the new release.</para>
+      </listitem>
+
+      <listitem>
+        <para>A major release may have migration issues. These are listed in
+        the release notes and on the <ulink url="upgrade_issues.htm">upgrade
+        issues page</ulink>.</para>
      </listitem>

      <listitem>
        <para>Support is available through the <ulink
        url="http://sourceforge.net/mail/?group_id=22587">Mailing List</ulink>
-        for the two or three most recent Stable Releases. Three releases are
-        supported when the Shorewall release in the Stable Debian distribution
-        is two releases behind the current Shorewall development. In that
-        case, only the minor release in Stable is supported.</para>
+        for the two most recent Major Releases. Fixes will only be provided
+        for the last minor release in the previous Major Release. For example,
+        only 4.5.0 was released, the only fixes for major issues with 4.4.27
+        would be released for the 4.4 series.</para>
      </listitem>

      <listitem>
-        <para>Odd numbered major releases (e.g., 2.1, 2.3, ...) are
-        <firstterm>Development Releases</firstterm>. Development releases are
-        where new functionality is introduced. Documentation for new features
-        will be available but it may not be up to the standards of the stable
-        release documentation. Sites running Development Releases should be
-        prepared to play an active role in testing new features. Bug fixes and
-        problem resolution for the development release take a back seat to
-        support of the stable releases. Problem reports for the current
-        development release should be sent to the <ulink
-        url="mailto:shorewall-devel@lists.shorewall.net">Shorewall Development
-        Mailing List</ulink>.</para>
+        <para>Once a minor release has been announced, work begins on the next
+        minor release. Periodic Beta releases are made available through
+        announcements on the Shorewall Development and Shorewall User mailing
+        lists. Those Beta releases are numberd w.x.y-Beta1, ...Beta2, etc.
+        Support for the Beta releases is offered through the Shorewall
+        Development mailing list in the form of emailed patches. There is no
+        guarantee of compatability between one Beta release and the next as
+        features are tweaked.</para>
      </listitem>

      <listitem>
-        <para>When the level of functionality of the current development
-        release is judged adequate, the <firstterm>Beta period</firstterm> for
-        a new Stable release will begin. Beta releases have identifications of
-        the form <emphasis>x.y.0-BetaN</emphasis> where
-        <emphasis>x.y</emphasis> is the number of the next Stable Release and
-        <emphasis>N</emphasis>=1,2,3... . Betas are expected to occur roughly
-        once per year. Beta releases may contain new functionality not present
-        in the previous beta release (e.g., 2.2.0-Beta4 may contain
-        functionality not present in 2.2.0-Beta3). When I'm confident that the
-        current Beta release is stable, I will release the first
-        <firstterm>Release Candidate</firstterm>. Release candidates have
-        identifications of the form <emphasis>x.y.0-RCn</emphasis> where
-        <emphasis>x.y</emphasis> is the number of the next Stable Release and
-        <emphasis>n</emphasis>=1,2,3... . Release candidates contain no new
-        functionality -- they only contain bug fixes. When the stability of
-        the current release candidate is judged to be sufficient then that
-        release candidate will be released as the new stable release (e.g.,
-        2.2.0). At that time, the new stable release and the prior stable
-        release are those that are supported.</para>
+        <para>When the next minor release is functionally complete, one or
+        more <firstterm>release candidates</firstterm> are announced on the
+        Shorewall Development and Shorewall User mailing lists. These release
+        candidates are numbered w.x.y-RC1, ...-RC2, etc.</para>
      </listitem>

      <listitem>
        <para>What does it mean for a major release to be
-        <firstterm>supported</firstterm>? It means that I will answer
-        questions about the release and that if a bug is found, I will fix the
-        bug and include the fix in the next minor release.</para>
+        <firstterm>supported</firstterm>? It means that that if a bug is
+        found, we will fix the bug and include the fix in the next minor
+        release.</para>
      </listitem>

      <listitem>
@@ -135,16 +120,8 @@
        four-level identification <emphasis>x.y.z.N</emphasis> where x.y.z is
        the minor release being fixed and N = 1.2.3...</para>
      </listitem>
-
-      <listitem>
-        <para>Additionally, bug fixes may be made available in the form of a
-        <firstterm>patch release</firstterm>. Patch releases have four-level
-        identifications (e.g., 4.0.6.1); the first three identify the minor
-        release and the fourth identifies the patch level.</para>
-      </listitem>
    </orderedlist>

-    <para>The currently-supported major releases are and 4.0.10., 4.2.x. and
-    4.4.x.</para>
+    <para>The currently-supported major releases are 4.4 and 4.5.</para>
  </section>
 </article>
--- a/docs/configuration_file_basics.xml
+++ b/docs/configuration_file_basics.xml
@@ -70,7 +70,10 @@

        <listitem>
          <para><filename>/etc/shorewall/params</filename> - use this file to
-          set shell variables that you will expand in other files.</para>
+          set shell variables that you will expand in other files. It is
+          always processed by /bin/sh or by the shell specified through
+          SHOREWALL_SHELL in
+          <filename>/etc/shorewall/shorewall.conf.</filename></para>
        </listitem>

        <listitem>
@@ -190,9 +193,9 @@
        </listitem>

        <listitem>
-          <para><filename>/etc/shorewall/rtrules</filename> - Defines
-          routing rules to be used in conjunction with the routing tables
-          defined in <filename>/etc/shorewall/providers</filename>.</para>
+          <para><filename>/etc/shorewall/rtrules</filename> - Defines routing
+          rules to be used in conjunction with the routing tables defined in
+          <filename>/etc/shorewall/providers</filename>.</para>
        </listitem>

        <listitem>
@@ -1044,6 +1047,16 @@ SHELL cat /etc/shorewall/rules.d/*.rules</programlisting></para>

      <programlisting>SECTION NEW
 SHELL cat /etc/shorewall/rules.d/*.rules 2&gt; /dev/null || true</programlisting>
+
+      <para>Beginning with Shorewall 4.5.2, in files other than
+      <filename>/etc/shorewall/params</filename> and
+      <filename>/etc/shorewall/conf</filename>, INCLUDE may be immediately
+      preceeded with '?' to signal that the line is a compiler directive and
+      not configuration data.</para>
+
+      <para>Example:</para>
+
+      <programlisting>?INCLUDE common.rules</programlisting>
    </example>
  </section>

@@ -1287,6 +1300,11 @@ SHELL cat /etc/shorewall/rules.d/*.rules 2&gt; /dev/null || true</programlisting
        <para><ulink url="Macros.html">Macro</ulink> files</para>
      </listitem>

+      <listitem>
+        <para><ulink
+        url="manpages/shorewall-nat.html">shorewall-nat</ulink>(5)</para>
+      </listitem>
+
      <listitem>
        <para><ulink
        url="manpages/shorewall-rules.html">shorewall-rules</ulink> (5)</para>
@@ -1324,8 +1342,88 @@ SHELL cat /etc/shorewall/rules.d/*.rules 2&gt; /dev/null || true</programlisting
    </itemizedlist>

    <para>For optional interfaces, if the interface is not usable at the time
-    that the firewall starts the all-zero address will be used (0.0.0.0 in
-    IPv4 and :: in IPv6), resulting in no packets matching the rule.</para>
+    that the firewall starts, one of two approaches are taken, depending on
+    the context:</para>
+
+    <itemizedlist>
+      <listitem>
+        <para>the all-zero address will be used (0.0.0.0 in IPv4 and :: in
+        IPv6), resulting in no packets matching the rule (or all packets if
+        used with exclusion).</para>
+      </listitem>
+
+      <listitem>
+        <para>the entire rule is omitted from the ruleset.</para>
+      </listitem>
+    </itemizedlist>
+
+    <para>Beginning with Shorewall 4.5.1, <firstterm>Run-time Gateway
+    Variables</firstterm> in the form of a percent sign ('%') followed by a
+    logical interface name are also supported. These are expanded at run-time
+    to the gateway through the named interface. For optional interfaces, if
+    the interface is not usable at the time that the firewall starts, the nil
+    address will be used (0.0.0.0 in IPv4 and :: in IPv6), resulting in no
+    packets matching the rule. Run-time gateway variables may be used in the
+    SOURCE and DEST columns of the following configuration files:</para>
+
+    <itemizedlist>
+      <listitem>
+        <para><ulink
+        url="manapges/shorewall-accounting.html">shorewall-accounting</ulink>
+        (5)</para>
+      </listitem>
+
+      <listitem>
+        <para><ulink url="Actions.html">Action</ulink> files</para>
+      </listitem>
+
+      <listitem>
+        <para><ulink
+        url="manpages/shorewall-accounting.html">shorewall-blacklist</ulink>
+        (5)</para>
+      </listitem>
+
+      <listitem>
+        <para><ulink url="Macros.html">Macro</ulink> files</para>
+      </listitem>
+
+      <listitem>
+        <para><ulink
+        url="manpages/shorewall-nat.html">shorewall-nat</ulink>(5) (As a
+        qualifier to the INTERFACE).</para>
+      </listitem>
+
+      <listitem>
+        <para><ulink
+        url="manpages/shorewall-rules.html">shorewall-rules</ulink> (5)</para>
+      </listitem>
+
+      <listitem>
+        <para><ulink
+        url="manpages/shorewall-tcrules.html">shorewall-tcrules</ulink>
+        (5)</para>
+      </listitem>
+
+      <listitem>
+        <para><ulink url="manpages/shorewall-tos.html">shorewall-tos</ulink>
+        (5)</para>
+      </listitem>
+    </itemizedlist>
+
+    <variablelist>
+      <varlistentry>
+        <term>Example:</term>
+
+        <listitem>
+          <para><emphasis role="bold">%eth0</emphasis> would represent the IP
+          address of the gateway out of eth0.</para>
+        </listitem>
+      </varlistentry>
+    </variablelist>
+
+    <para>If there is no gateway out of the named interface, the nil IP
+    address is used (0.0.0.0 in IPv4 and :: in IPv6). That way, the generated
+    rule will match no packets (or all packets if used with exclusion).</para>

    <para>Beginning with Shorewall 4.4.27, you may also use options in <ulink
    url="manpages/shorewall.conf.html">shorewall.conf</ulink> (5) (e.g.,
@@ -1333,7 +1431,7 @@ SHELL cat /etc/shorewall/rules.d/*.rules 2&gt; /dev/null || true</programlisting

    <note>
      <para>When an option is set to 'No' in shorewall.conf, the corresponding
-      shell variable is will be empty.</para>
+      shell variable will be empty.</para>
    </note>

    <note>
@@ -1342,6 +1440,112 @@ SHELL cat /etc/shorewall/rules.d/*.rules 2&gt; /dev/null || true</programlisting
    </note>
  </section>

+  <section id="Conditional">
+    <title>Conditional Entries</title>
+
+    <para>Beginning with Shorewall 4.5.2, lines in configuration files may be
+    conditionally included or omitted based on the setting of <link
+    linkend="Variables">Shell variables</link>.</para>
+
+    <para>The general form is:</para>
+
+    <programlisting>?IF [!] <replaceable>$variable
+
+</replaceable>&lt;lines to be included if $variable is non-empty and non-zero&gt;
+
+?ELSE
+
+&lt;lines to be omitted if $variable is non-empty and non-zero&gt;
+
+?ENDIF</programlisting>
+
+    <para>The compiler predefines two special
+    <replaceable>variable</replaceable>s that may only be used in ?IF
+    lines:</para>
+
+    <variablelist>
+      <varlistentry>
+        <term>__IPV4</term>
+
+        <listitem>
+          <para>True if this is an IPv4 compilation</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>__IPV6</term>
+
+        <listitem>
+          <para>True if this is an IPv6 compilation.</para>
+        </listitem>
+      </varlistentry>
+    </variablelist>
+
+    <para>Unless <replaceable>variable</replaceable> is one of these
+    pre-defined ones, it is searched for in the compiler's environmental
+    variables, in variables set in <filename>/etc/shorewall/params</filename>,
+    and in options set in <filename>/etc/shorewall/shorewall.conf</filename>
+    in that order. If it is not found in any of those places, the
+    <replaceable>variable</replaceable> is assumed to have a value of 0
+    (false). If "!" is present, the result of the test is inverted.</para>
+
+    <para>The setting in <filename>/etc/shorewall/params</filename> by be
+    overridden at runtime, provided the setting in
+    <filename>/etc/shorewall/params</filename> is done like this:</para>
+
+    <programlisting>[ -n "${<replaceable>variable</replaceable>:=0}" ]</programlisting>
+
+    <para>or like this:</para>
+
+    <programlisting>[ -n "${<replaceable>variable</replaceable>}" ] || <replaceable>variable</replaceable>=0</programlisting>
+
+    <para>Either of those will set variable to 0 if it is not set to a
+    non-empty value in the environment. The setting can be overridden at
+    runtime:</para>
+
+    <programlisting><replaceable>variable</replaceable>=1 shorewall restart -c # use -c to force recompilation if AUTOMAKE=Yes in /etc/shorewall/shorewall.conf</programlisting>
+
+    <para>The ?ELSE may be omitted if there are no lines to be omitted.</para>
+
+    <para>The test may also be inverted using '!':</para>
+
+    <programlisting>?IF ! <replaceable>$variable
+
+</replaceable>&lt;lines to be omitted if $variable is non-empty and non-zero&gt;
+
+?ELSE
+
+&lt;lines to be included if $variable is non-empty and non-zero&gt;
+
+?ENDIF</programlisting>
+
+    <para>Conditional entries may be nested but the number of ?IFs must match
+    the number of ?ENDs in any give file. <link linkend="INCLUDE">INCLUDE
+    directives</link> are ignored in omitted lines.</para>
+
+    <programlisting>?IF <replaceable>$variable1
+
+</replaceable>&lt;lines to be included if $variable1 is non-empty and non-zero&gt;
+
+   ?IF $variable2
+
+&lt;lines to be included if $variable1 and $variable2 are non-empty and non-zero&gt;
+
+   ?ELSE
+
+&lt;lines to be omitted if $variable1 is non-empty and non-zero and if $variable2 is empty or zero&gt;
+
+   ?ENDIF
+<replaceable>
+</replaceable>&lt;lines to be included if $variable1 is non-empty and non-zero&gt;
+
+?ELSE
+
+&lt;lines to be omitted if $variable is non-empty and non-zero&gt;
+
+?ENDIF</programlisting>
+  </section>
+
  <section id="Embedded">
    <title>Embedded Shell and Perl</title>

@@ -1353,23 +1557,31 @@ SHELL cat /etc/shorewall/rules.d/*.rules 2&gt; /dev/null || true</programlisting
    richer and more flexible extension capability.</para>

    <para>While inline scripts may be written in either Shell or Perl, those
-    written in Perl have a lot more power.</para>
+    written in Perl have a lot more power. They may be used in all
+    configuration files except <filename>/etc/shorewall/params</filename> and
+    <filename>/etc/shorewall/shorewall.conf</filename>.</para>

-    <para>Embedded scripts can be either single-line or multi-line. Single
-    line scripts take one of the following forms:</para>
+    <para><emphasis role="bold">Note:</emphasis>In this section, '[' and ']'
+    are meta-characters which indicate that what they enclose is optional and
+    may be omitted.</para>
+
+    <para>Single line scripts take one of the following forms:</para>

    <itemizedlist>
      <listitem>
-        <para><emphasis role="bold">PERL</emphasis> &lt;<emphasis>perl
+        <para><emphasis role="bold">[?]PERL</emphasis> &lt;<emphasis>perl
        script</emphasis>&gt;</para>
      </listitem>

      <listitem>
-        <para><emphasis role="bold">SHELL</emphasis> &lt;<emphasis>shell
+        <para><emphasis role="bold">[?]SHELL</emphasis> &lt;<emphasis>shell
        script</emphasis>&gt;</para>
      </listitem>
    </itemizedlist>

+    <para>The optional '?' is allowed in Shorewall versions 4.5.2 and
+    later.</para>
+
    <para>Shell scripts run in a child shell process and their output is piped
    back to the compiler which processes that output as if it were embedded at
    the point of the script.</para>
@@ -1414,18 +1626,14 @@ use Shorewall::Config ( qw/shorewall/ );</programlisting>
    </orderedlist>

    <para>Multi-line scripts use one of the following forms:<programlisting><emphasis
-          role="bold">BEGIN SHELL</emphasis>
+          role="bold">[?]BEGIN SHELL</emphasis>
 &lt;<emphasis>shell script</emphasis>&gt;
-<emphasis role="bold">END</emphasis> [ <emphasis role="bold">SHELL</emphasis> ]</programlisting><programlisting><emphasis
-          role="bold">BEGIN PERL</emphasis> [;]
+<emphasis role="bold">[?]END</emphasis> [ <emphasis role="bold">SHELL</emphasis> ]</programlisting><programlisting><emphasis
+          role="bold">[?]BEGIN PERL</emphasis> [;]
 &lt;<emphasis>perl script</emphasis>&gt;
-<emphasis role="bold">END</emphasis> [ <emphasis role="bold">PERL</emphasis> ] [<emphasis
-          role="bold">;</emphasis>]</programlisting></para>
-
-    <para><emphasis role="bold">Note: </emphasis>The '[' and ']' above are
-    meta-characters which indicate that what they enclose is optional and may
-    be omitted. So you may follow PERL with a semicolon ( ';') or you may omit
-    the semicolon.</para>
+<emphasis role="bold">[?]END</emphasis> [ <emphasis role="bold">PERL</emphasis> ] [<emphasis
+          role="bold">;</emphasis>]</programlisting>As above, the optional
+    leading '?' is allowed in Shorewall versions 4.5.2 and later.</para>
  </section>

  <section id="dnsnames">
--- a/docs/support.xml
+++ b/docs/support.xml
@@ -85,7 +85,7 @@
    problem reporting process. It will ensure that you provide us with the
    information we need to solve your problem as quickly as possible.</para>

-    <graphic align="center" fileref="images/Troubleshoot.png" />
+    <graphic align="center" fileref="images/Troubleshoot.png"/>

    <orderedlist>
      <important>
@@ -203,7 +203,7 @@
        message produced by Shorewall is "done.":</para>

        <blockquote>
-          <para></para>
+          <para/>

          <programlisting>…
 Activating Rules...
@@ -457,9 +457,7 @@ State:Stopped (Thu Mar 30 14:08:11 PDT 2006)</programlisting>
  <section id="Unsubscribe">
    <title>Unsubscribing from Shorewall Mailing Lists</title>

-    <para>If you are really dim-witted enough to have to ask -- you
-    unsubscribe at the same place that you subscribed. <emphasis
-    role="bold">Doh.......</emphasis></para>
+    <para>See <ulink url="FAQ.htm#faq98">Shorewall FAQ 98</ulink>.</para>
  </section>

  <section id="Other">
--- a/docs/traffic_shaping.xml
+++ b/docs/traffic_shaping.xml
@@ -223,10 +223,10 @@
    <para>This screen shot shows how I configured QoS in a 2.6.16
    Kernel:</para>

-    <graphic align="center" fileref="images/traffic_shaping2.6.png" />
+    <graphic align="center" fileref="images/traffic_shaping2.6.png"/>

    <para>And here's my recommendation for a 2.6.21 kernel:<graphic
-    align="center" fileref="images/traffic_shaping2.6.21.png" /></para>
+    align="center" fileref="images/traffic_shaping2.6.21.png"/></para>
  </section>

  <section id="Shorewall">
@@ -445,7 +445,7 @@
      </itemizedlist>

      <example id="Example0">
-        <title></title>
+        <title/>

        <para>Suppose you are using PPP over Ethernet (DSL) and ppp0 is the
        interface for this. The device has an outgoing bandwidth of 500kbit
@@ -829,11 +829,11 @@ ppp0           6000kbit         500kbit</programlisting>

      <itemizedlist>
        <listitem>
-          <para>MARK or CLASSIFY - MARK specifies the mark value is to be
-          assigned in case of a match. This is an integer in the range 1-255
-          (1-16383 if you set WIDE_TC_MARKS=Yes or TC_BITS=14 in <ulink
-          url="manpages/shorewall.conf.html">shorewall.conf</ulink> (5)
-          ).</para>
+          <para>ACTION - ACTION (previously called MARK) specifies the mark
+          value is to be assigned in case of a match. This is an integer in
+          the range 1-255 (1-16383 if you set WIDE_TC_MARKS=Yes or TC_BITS=14
+          in <ulink url="manpages/shorewall.conf.html">shorewall.conf</ulink>
+          (5) ).</para>

          <note>
            <para>In Shorewall 4.4.26, WIDE_TC_MARKS was superseded by TC_BITS
@@ -998,7 +998,7 @@ ppp0           6000kbit         500kbit</programlisting>
              MAC addresses. <emphasis role="bold">This form will not match
              traffic that originates on the firewall itself unless either
              &lt;major&gt;&lt;minor&gt; or the :T chain qualifier is used in
-              the MARK column.</emphasis></para>
+              the ACTION column.</emphasis></para>

              <para>Examples:<simplelist>
                  <member>0.0.0.0/0</member>
@@ -1020,7 +1020,7 @@ ppp0           6000kbit         500kbit</programlisting>
              <para>$FW optionally followed by a colon (":") and a
              comma-separated list of host or network IP addresses. matches
              packets originating on the firewall. May not be used with a
-              chain qualifier (:P, :F, etc.) in the MARK column.</para>
+              chain qualifier (:P, :F, etc.) in the ACTION column.</para>
            </listitem>
          </orderedlist>

@@ -1177,13 +1177,13 @@ ppp0           6000kbit         500kbit</programlisting>
      </itemizedlist>

      <example id="Example1">
-        <title></title>
+        <title/>

        <para>All packets arriving on eth1 should be marked with 1. All
        packets arriving on eth2 and eth3 should be marked with 2. All packets
        originating on the firewall itself should be marked with 3.</para>

-        <programlisting>#MARK   SOURCE    DESTINATION    PROTOCOL   PORT(S)
+        <programlisting>#ACTION SOURCE    DESTINATION    PROTOCOL   PORT(S)
 1       eth1      0.0.0.0/0      all
 2       eth2      0.0.0.0/0      all
 2       eth3      0.0.0.0/0      all
@@ -1191,40 +1191,40 @@ ppp0           6000kbit         500kbit</programlisting>
      </example>

      <example id="Example2">
-        <title></title>
+        <title/>

        <para>All GRE (protocol 47) packets destined for 155.186.235.151
        should be marked with 12.</para>

-        <programlisting>#MARK   SOURCE    DESTINATION     PROTOCOL   PORT(S)
+        <programlisting>#ACTION SOURCE    DESTINATION     PROTOCOL   PORT(S)
 12:T    0.0.0.0/0 155.182.235.151 47</programlisting>
      </example>

      <example id="Example3">
-        <title></title>
+        <title/>

        <para>All SSH request packets originating in 192.168.1.0/24 and
        destined for 155.186.235.151 should be marked with 22.</para>

-        <programlisting>#MARK   SOURCE         DESTINATION     PROTOCOL   PORT(S)
+        <programlisting>#ACTION SOURCE         DESTINATION     PROTOCOL   PORT(S)
 22:T    192.168.1.0/24 155.182.235.151 tcp        22</programlisting>
      </example>

      <example id="Example4">
-        <title></title>
+        <title/>

        <para>All SSH packets packets going out of the first device in in
        /etc/shorewall/tcdevices should be assigned to the class with mark
        value 10.</para>

-        <programlisting>#MARK   SOURCE         DESTINATION     PROTOCOL   PORT(S)         CLIENT
+        <programlisting>#ACTION SOURCE         DESTINATION     PROTOCOL   PORT(S)         CLIENT
 #                                                                 PORT(S)
 1:110   0.0.0.0/0      0.0.0.0/0       tcp        22
 1:110   0.0.0.0/0      0.0.0.0/0       tcp        -               22</programlisting>
      </example>

      <example id="Example5">
-        <title></title>
+        <title/>

        <para>Mark all ICMP echo traffic with packet mark 1. Mark all peer to
        peer traffic with packet mark 4.</para>
@@ -1236,7 +1236,7 @@ ppp0           6000kbit         500kbit</programlisting>
        means unclassified. Traffic originating on the firewall is not covered
        by this example.</para>

-        <programlisting>#MARK    SOURCE         DESTINATION     PROTOCOL   PORT(S)       CLIENT   USER/     TEST
+        <programlisting>#ACTION  SOURCE         DESTINATION     PROTOCOL   PORT(S)       CLIENT   USER/     TEST
 #                                                                PORT(S)  GROUP
 1        0.0.0.0/0      0.0.0.0/0       icmp       echo-request
 1        0.0.0.0/0      0.0.0.0/0       icmp       echo-reply
@@ -1257,13 +1257,13 @@ SAVE     0.0.0.0/0      0.0.0.0/0       all        -             -        -
      </example>

      <example>
-        <title></title>
+        <title/>

        <para>Mark all forwarded VOIP connections with connection mark 1 and
        ensure that all VOIP packets also receive that mark (assumes that
        nf_conntrack_sip is loaded).</para>

-        <programlisting>#MARK    SOURCE         DESTINATION     PROTOCOL   PORT(S)       CLIENT   USER/     TEST      CONNBYTES      TOS      HELPER
+        <programlisting>#ACTION  SOURCE         DESTINATION     PROTOCOL   PORT(S)       CLIENT   USER/     TEST      CONNBYTES      TOS      HELPER
 #                                                                PORT(S)  GROUP
 RESTORE  0.0.0.0/0      0.0.0.0/0       all        -             -        -         0
 CONTINUE 0.0.0.0/0      0.0.0.0/0       all        -             -        -         !0
@@ -1508,8 +1508,8 @@ eth0:101     - 1kbit 230kbit        4    occurs=6</programlisting>

      <para><filename>/etc/shoreall/tcrules</filename>:</para>

-      <programlisting>#MARK                      SOURCE         DEST
-IPMARK(src,0xff,0x10100):F 192.168.1.0/29 eth0</programlisting>
+      <programlisting>#ACTION                          SOURCE             DEST
+IPMARK(src,0xff,0x10100):F       192.168.1.0/29     eth0</programlisting>

      <para>This facility also alters the way in which Shorewall generates a
      class number when none is given. Prior to the implementation of this
@@ -1568,7 +1568,7 @@ ppp0            3       2*full/10       8*full/10       2</programlisting>
        <section id="realtcr">
          <title>tcrules file</title>

-          <programlisting>#MARK           SOURCE          DEST            PROTO   PORT(S) CLIENT   USER
+          <programlisting>#ACTION         SOURCE          DEST            PROTO   PORT(S) CLIENT   USER
 #                                                              PORT(S)
 1:F             0.0.0.0/0       0.0.0.0/0       icmp    echo-request
 1:F             0.0.0.0/0       0.0.0.0/0       icmp    echo-reply
@@ -1652,7 +1652,7 @@ ppp0            4       90kbit          200kbit         3           default</pro
        <section id="simpletcr">
          <title>tcrules file</title>

-          <programlisting>#MARK           SOURCE          DEST            PROTO   PORT(S)      CLIENT   USER
+          <programlisting>#ACTION         SOURCE          DEST            PROTO   PORT(S)      CLIENT   USER
 #                                                                    PORT(S)
 1:F             0.0.0.0/0       0.0.0.0/0       icmp    echo-request
 1:F             0.0.0.0/0       0.0.0.0/0       icmp    echo-reply
--- a/docs/upgrade_issues.xml
+++ b/docs/upgrade_issues.xml
@@ -31,9 +31,11 @@

      <year>2009</year>

+      <year>2012</year>
+
      <holder>Thomas M. Eastep</holder>

-      <holder></holder>
+      <holder/>
    </copyright>

    <legalnotice>
@@ -74,6 +76,44 @@
    zones.</para>
  </section>

+  <section>
+    <title>Versions &gt;= 4.5.0</title>
+
+    <orderedlist>
+      <listitem>
+        <para>Shorewall, Shorewall6, Shorewall-lite and Shorewall6-lite now
+        depend on the new package Shorewall-core. If you use the Shorewall
+        installers, you must install Shorewall-core prior to installing or
+        upgrading any of the other packages.</para>
+      </listitem>
+
+      <listitem>
+        <para>The BLACKLIST section of the rules file has been eliminated. If
+        you have entries in that file section, you must move them to the
+        blrules file.</para>
+      </listitem>
+
+      <listitem>
+        <para>This version of Shorewall requires the Digest::SHA1 Perl
+        module.</para>
+
+        <simplelist>
+          <member>Debian: libdigest-sha1-perl</member>
+
+          <member>Fedora: perl-Digest-SHA1</member>
+
+          <member>OpenSuSE: perl-Digest-SHA1</member>
+        </simplelist>
+      </listitem>
+
+      <listitem>
+        <para>The generated firewall script now maintains the
+        /var/lib/shorewall[6][-lite]/interface.status files used by SWPING and
+        by LSM.</para>
+      </listitem>
+    </orderedlist>
+  </section>
+
  <section>
    <title>Versions &gt;= 4.4.0</title>

@@ -318,7 +358,7 @@
      </listitem>

      <listitem>
-        <para> Beginning with Shorewall 4.4.17, the EXPORTPARAMS option is
+        <para>Beginning with Shorewall 4.4.17, the EXPORTPARAMS option is
        deprecated. With EXPORTPARAMS=No, the variables set by <ulink
        url="manpages/shorewall-params.html">/etc/shorewall/params</ulink>
        (<ulink
Author	SHA1	Message	Date
Tom Eastep	f104596b39	Merge branch '4.5.1'	2012-03-19 10:13:08 -07:00
Tom Eastep	146d66f0aa	Don't complain about SHOREWALL_INIT_SCRIPT Signed-off-by: Tom Eastep <teastep@shorewall.net>	2012-03-19 09:52:55 -07:00
Tom Eastep	0ccb398cec	Merge branch '4.5.1'	2012-03-19 09:22:44 -07:00
Tom Eastep	287a44be52	Allow TOS to work on RHEL5 Signed-off-by: Tom Eastep <teastep@shorewall.net>	2012-03-19 09:22:21 -07:00
Tom Eastep	86f3667b82	Correct nested ?IF Signed-off-by: Tom Eastep <teastep@shorewall.net>	2012-03-19 08:19:32 -07:00
Tom Eastep	962b1cca1f	Remove Perl diagnostic Signed-off-by: Tom Eastep <teastep@shorewall.net>	2012-03-19 07:46:45 -07:00
Tom Eastep	2026fdab6a	Correct IPSET_WARNINGS Signed-off-by: Tom Eastep <teastep@shorewall.net>	2012-03-19 07:44:52 -07:00
Tom Eastep	722e888043	Fix ?IF - Allow nested ?IFs to work correctly - Correct push logic for $ifstack Signed-off-by: Tom Eastep <teastep@shorewall.net>	2012-03-19 07:38:52 -07:00
Tom Eastep	e3997abfb9	Merge branch '4.5.2' Signed-off-by: Tom Eastep <teastep@shorewall.net>	2012-03-19 07:27:53 -07:00
Tom Eastep	710687bbd6	Revert "Move conditional processing to it's own function" This reverts commit `8262cff71a`.	2012-03-19 07:23:57 -07:00
Tom Eastep	d4a1e7dba9	Revert "Allow ?IF, ?ELSE and ?ENDIF in copied files" This reverts commit `29dd342118`.	2012-03-19 07:23:24 -07:00
Tom Eastep	c7237e5c8e	Revert "Move all functions from prog.header* to lib.core" This reverts commit `f9f557e1c6`.	2012-03-19 07:22:51 -07:00
Tom Eastep	c299c6d61a	Revert "Correct spelling" This reverts commit `1d021e3701`.	2012-03-19 07:22:29 -07:00
Tom Eastep	6769acc7a7	Revert "Some corrections to conditional inclusion" This reverts commit `164d2f5d1b`.	2012-03-19 07:22:07 -07:00
Tom Eastep	df33587395	Revert "Clean up of conditional inclusion." This reverts commit `5f3ba4eb40`.	2012-03-19 07:21:36 -07:00
Tom Eastep	508f33a183	Revert "Eliminate prog.header6" This reverts commit `60f1004339`.	2012-03-19 07:21:12 -07:00
Tom Eastep	11f970d1c2	Revert "Eliminate prog.header" This reverts commit `13bf383ce8`.	2012-03-19 07:20:57 -07:00
Tom Eastep	72e6330ff4	Revert "Add capabilities to ?IF conditionals" This reverts commit `0d71c590e4`.	2012-03-19 07:20:31 -07:00
Tom Eastep	5caf68bc31	Remove .project Signed-off-by: Tom Eastep <teastep@shorewall.net>	2012-03-18 19:31:40 -07:00
Tom Eastep	29ccde1603	Add an Id to the default location section of the Install doc Signed-off-by: Tom Eastep <teastep@shorewall.net>	2012-03-18 19:31:12 -07:00
Tom Eastep	826d864448	Document MANDIR Signed-off-by: Tom Eastep <teastep@shorewall.net>	2012-03-18 19:30:41 -07:00
Tom Eastep	78306e9f5b	Don't issue missing SHOREWALL_SHELL warning when compiling for export Signed-off-by: Tom Eastep <teastep@shorewall.net>	2012-03-18 19:30:32 -07:00
Tom Eastep	15ca0fd1f0	Add IPSET_WARNINGS option Signed-off-by: Tom Eastep <teastep@shorewall.net>	2012-03-18 19:30:04 -07:00
Tom Eastep	955a9f0051	Correct Steven's issues Signed-off-by: Tom Eastep <teastep@shorewall.net>	2012-03-18 19:10:46 -07:00
Tom Eastep	bd56caf74f	Don't issue missing SHOREWALL_SHELL warning when compiling for export Signed-off-by: Tom Eastep <teastep@shorewall.net>	2012-03-18 12:54:53 -07:00
Tom Eastep	5bfd2cc2c9	Remove some WARNINGs - Mr Dash4 has decided he doesn't want them after all.	2012-03-18 12:42:32 -07:00
Tom Eastep	e47ae4f26e	Don't issue missing SHOREWALL_SHELL warning when compiling for export Signed-off-by: Tom Eastep <teastep@shorewall.net>	2012-03-18 12:28:26 -07:00
Tom Eastep	c51e387e79	Document MANDIR Signed-off-by: Tom Eastep <teastep@shorewall.net>	2012-03-18 12:09:22 -07:00
Tom Eastep	56f66bd966	Require the correct PROTO to use a port range in the ADDRESS column of masq Signed-off-by: Tom Eastep <teastep@shorewall.net>	2012-03-18 11:22:37 -07:00
Tom Eastep	0415883628	Add an Id to the default location section of the Install doc Signed-off-by: Tom Eastep <teastep@shorewall.net>	2012-03-18 11:22:29 -07:00
Tom Eastep	6e089fb0e2	Require the correct PROTO to use a port range in the ADDRESS column of masq Signed-off-by: Tom Eastep <teastep@shorewall.net>	2012-03-18 11:21:53 -07:00
Tom Eastep	0fac1d182f	Add an Id to the default location section of the Install doc Signed-off-by: Tom Eastep <teastep@shorewall.net>	2012-03-18 11:20:24 -07:00
Tom Eastep	0d71c590e4	Add capabilities to ?IF conditionals Signed-off-by: Tom Eastep <teastep@shorewall.net>	2012-03-18 08:48:26 -07:00
Tom Eastep	d1661c95d5	Remove .project Signed-off-by: Tom Eastep <teastep@shorewall.net>	2012-03-17 18:29:32 -07:00
Tom Eastep	13bf383ce8	Eliminate prog.header Signed-off-by: Tom Eastep <teastep@shorewall.net>	2012-03-17 18:07:36 -07:00
Tom Eastep	60f1004339	Eliminate prog.header6 Signed-off-by: Tom Eastep <teastep@shorewall.net>	2012-03-17 17:51:56 -07:00
Tom Eastep	81714ee81f	Document '!' in ?IF Signed-off-by: Tom Eastep <teastep@shorewall.net>	2012-03-17 16:58:25 -07:00
Tom Eastep	5f3ba4eb40	Clean up of conditional inclusion. Signed-off-by: Tom Eastep <teastep@shorewall.net>	2012-03-17 12:12:32 -07:00
Tom Eastep	164d2f5d1b	Some corrections to conditional inclusion Signed-off-by: Tom Eastep <teastep@shorewall.net>	2012-03-17 10:26:36 -07:00
Tom Eastep	1d021e3701	Correct spelling Signed-off-by: Tom Eastep <teastep@shorewall.net>	2012-03-17 09:42:15 -07:00
Tom Eastep	f9f557e1c6	Move all functions from prog.header* to lib.core Signed-off-by: Tom Eastep <teastep@shorewall.net>	2012-03-17 09:35:35 -07:00
Tom Eastep	29dd342118	Allow ?IF, ?ELSE and ?ENDIF in copied files Signed-off-by: Tom Eastep <teastep@shorewall.net>	2012-03-17 09:33:40 -07:00
Tom Eastep	8262cff71a	Move conditional processing to it's own function Signed-off-by: Tom Eastep <teastep@shorewall.net>	2012-03-17 09:32:56 -07:00
Tom Eastep	b7465262ca	Rename MARK/CLASSIFY column to ACTION Signed-off-by: Tom Eastep <teastep@shorewall.net>	2012-03-16 10:09:13 -07:00
Tom Eastep	ab13fbe95e	Allow conditional compilation Signed-off-by: Tom Eastep <teastep@shorewall.net>	2012-03-16 08:16:12 -07:00
Tom Eastep	f7a2cd4ef1	Correct typos in accounting manpages. Signed-off-by: Tom Eastep <teastep@shorewall.net>	2012-03-14 15:34:19 -07:00
Tom Eastep	95e4f8dd91	Fix TOS(tos/mask) in tcrules. Signed-off-by: Tom Eastep <teastep@shorewall.net>	2012-03-14 15:34:11 -07:00
Tom Eastep	8e413a7bf0	Fix TOS(tos/mask) in tcrules. Signed-off-by: Tom Eastep <teastep@shorewall.net>	2012-03-14 15:33:31 -07:00
Tom Eastep	3e9edcb7e8	Correct typos in accounting manpages. Signed-off-by: Tom Eastep <teastep@shorewall.net>	2012-03-14 14:50:25 -07:00
Tom Eastep	4ba88d2e9c	Merge branch '4.5.1'	2012-03-14 11:00:56 -07:00
Tom Eastep	aa503e7211	Apply Tuomo Soini's Makefile patch Signed-off-by: Tom Eastep <teastep@shorewall.net>	2012-03-14 10:57:41 -07:00
Tom Eastep	2a67a202b0	Merge branch '4.5.1'	2012-03-13 20:16:01 -07:00
Tom Eastep	7e14777b8f	Fix typo Signed-off-by: Tom Eastep <teastep@shorewall.net>	2012-03-13 19:54:58 -07:00
Tom Eastep	c1d0681e17	Correct LENGTH column validation Signed-off-by: Tom Eastep <teastep@shorewall.net>	2012-03-13 17:58:18 -07:00
Tom Eastep	98f8edbde5	Apply two patches from Tuomo Soini Signed-off-by: Tom Eastep <teastep@shorewall.net>	2012-03-13 13:27:20 -07:00
Tom Eastep	1dd6a8b291	Document use of chain designators with DSCP and TOS Signed-off-by: Tom Eastep <teastep@shorewall.net>	2012-03-13 13:26:29 -07:00
Tom Eastep	e839648b8e	Add a restriction to the SHELL and PERL directives. Signed-off-by: Tom Eastep <teastep@shorewall.net>	2012-03-13 13:26:09 -07:00
Tom Eastep	feb5cc0093	Document use of chain designators with DSCP and TOS Signed-off-by: Tom Eastep <teastep@shorewall.net>	2012-03-13 13:25:37 -07:00
Tom Eastep	a3219f71c9	Add a restriction to the SHELL and PERL directives. Signed-off-by: Tom Eastep <teastep@shorewall.net>	2012-03-13 12:27:04 -07:00
Tom Eastep	e3f2c49c7e	Remove level of indirection for the 'super' property Signed-off-by: Tom Eastep <teastep@shorewall.net>	2012-03-13 12:23:33 -07:00
Tom Eastep	fecd091078	Remove %zones{option}{nested} Signed-off-by: Tom Eastep <teastep@shorewall.net>	2012-03-13 11:31:13 -07:00
Tom Eastep	e0b360513c	Remove a level of indirection for 'complex' zone flag. Signed-off-by: Tom Eastep <teastep@shorewall.net>	2012-03-13 09:47:31 -07:00
Tom Eastep	01d99d4873	Move zone mss handling to the Rules File Signed-off-by: Tom Eastep <teastep@shorewall.net>	2012-03-12 15:59:35 -07:00
Tom Eastep	acb2e2a8ab	Implement mss= in hosts file. Signed-off-by: Tom Eastep <teastep@shorewall.net>	2012-03-12 15:14:35 -07:00
Tom Eastep	0223439e2b	Don't compile if ${DESTDIR} Signed-off-by: Tom Eastep <teastep@shorewall.net>	2012-03-12 14:02:44 -07:00
Tom Eastep	fa9f8329b5	Apply two patches from Tuomo Soini Signed-off-by: Tom Eastep <teastep@shorewall.net>	2012-03-12 13:57:37 -07:00
Tom Eastep	4ffcd80b02	Don't test compilation if $DESTDIR Signed-off-by: Tom Eastep <teastep@shorewall.net>	2012-03-11 09:49:26 -07:00
Tom Eastep	48570227ba	Big cleanup of TOS handling - Validate settings/matches - Allow setting in the tcrules file. - Deprecate /etc/shorewall[6]/tos	2012-03-09 16:16:25 -08:00
Tom Eastep	fd5b7b20cf	Remove trailing white-space Signed-off-by: Tom Eastep <teastep@shorewall.net>	2012-03-08 13:05:56 -08:00
Tom Eastep	c112f20e17	Tighten editing of LENGTH column(s) Signed-off-by: Tom Eastep <teastep@shorewall.net>	2012-03-07 14:07:04 -08:00
Tom Eastep	05f025e422	Don't install isusable script by default Signed-off-by: Tom Eastep <teastep@shorewall.net>	2012-03-07 07:46:53 -08:00
Tom Eastep	3ee9150deb	Fix syntax error in the generated script Signed-off-by: Tom Eastep <teastep@shorewall.net>	2012-03-06 09:15:34 -08:00
Tom Eastep	b2842ae8d4	Don't allow reserved variables to be set in params Signed-off-by: Tom Eastep <teastep@shorewall.net>	2012-03-05 15:42:53 -08:00
Tom Eastep	dff5136134	Correct issues with debugging the generated script a) Rename DEBUG to g_debug_iptablesb b) Clear all of the tables prior to handling iptables-restore input.	2012-03-05 15:21:10 -08:00
Tom Eastep	1d249567ed	Add unsubscribe instructions to the FAQ. Signed-off-by: Tom Eastep <teastep@shorewall.net>	2012-03-05 13:32:12 -08:00
Tom Eastep	a84e131115	Fix bug in DSCP implementation. Signed-off-by: Tom Eastep <teastep@shorewall.net>	2012-03-05 09:50:15 -08:00
Tom Eastep	4b74fe2823	Restore SAVE_IPSET functionality Signed-off-by: Tom Eastep <teastep@shorewall.net>	2012-03-01 07:53:42 -08:00
Tom Eastep	9493bda0cc	Mention Shorewall-core in the 4.5.0 upgrade issues. Signed-off-by: Tom Eastep <teastep@shorewall.net>	2012-03-01 07:28:16 -08:00
Tom Eastep	36d4fff7b2	Shorewall-init tweaks 1) Remove root check 2) Fix/add progress messages in the installer. Signed-off-by: Tom Eastep <teastep@shorewall.net>	2012-03-01 07:21:17 -08:00
Tom Eastep	67a1438a41	Tweak /sbin/shorewall-init 1) Make indentation consistent 2) Remove IPSET_SAVE logic Signed-off-by: Tom Eastep <teastep@shorewall.net>	2012-03-01 06:41:06 -08:00
Tom Eastep	aab6e67e70	Omit non-default geometry settings from updated shorewall.conf. Signed-off-by: Tom Eastep <teastep@shorewall.net>	2012-02-29 12:34:06 -08:00
Tom Eastep	2397449fa4	Add /sbin/shorewall-init for use with service.d Signed-off-by: Tom Eastep <teastep@shorewall.net>	2012-02-29 08:39:27 -08:00
Tom Eastep	fc12125223	Include Shorewall status in the heading of the dump output Signed-off-by: Tom Eastep <teastep@shorewall.net>	2012-02-26 16:14:43 -08:00
Tom Eastep	61bf2d5bfd	Fix installer Signed-off-by: Tom Eastep <teastep@shorewall.net>	2012-02-25 16:02:20 -08:00
Tom Eastep	bd9a3e5a3e	Update the release model web page Signed-off-by: Tom Eastep <teastep@shorewall.net>	2012-02-25 08:24:48 -08:00
Tom Eastep	90b33af3bd	Fix incorrect manpage Signed-off-by: Tom Eastep <teastep@shorewall.net>	2012-02-25 07:53:05 -08:00
Tom Eastep	016fe4bcf1	Merge branch 'master' of ssh://shorewall.git.sourceforge.net/gitroot/shorewall/shorewall Conflicts: Shorewall-core/install.sh Shorewall/install.sh Signed-off-by: Tom Eastep <teastep@shorewall.net>	2012-02-25 07:30:07 -08:00
Roberto C. Sanchez	87381a0f65	FIx typos	2012-02-24 23:02:30 -05:00
Tom Eastep	47453a20f7	Tweak to Run-time gateway variables Signed-off-by: Tom Eastep <teastep@shorewall.net>	2012-02-24 09:02:04 -08:00
Tom Eastep	b78d4ca41f	Correct typo Signed-off-by: Tom Eastep <teastep@shorewall.net>	2012-02-23 13:54:50 -08:00
Tom Eastep	7273f4d8d4	Implement run-time gateway variables. Signed-off-by: Tom Eastep <teastep@shorewall.net>	2012-02-23 13:36:00 -08:00
Tom Eastep	37a3dbb6f6	Don't install SysV init script if systemd is specified. Signed-off-by: Tom Eastep <teastep@shorewall.net>	2012-02-23 10:59:10 -08:00
Tom Eastep	c252005e25	Add support for packager's config file Signed-off-by: Tom Eastep <teastep@shorewall.net>	2012-02-23 10:07:02 -08:00
Tom Eastep	09ad6bba1a	Fix Shorewall-core installer Signed-off-by: Tom Eastep <teastep@shorewall.net>	2012-02-22 15:59:28 -08:00
Tom Eastep	c975cddfda	Correct init script installation Signed-off-by: Tom Eastep <teastep@shorewall.net>	2012-02-22 14:51:41 -08:00
Tom Eastep	a6afac0f3c	Use standard rpm macros Signed-off-by: Tom Eastep <teastep@shorewall.net>	2012-02-22 13:32:10 -08:00
Tom Eastep	ef850e4537	Use standard rpm macros Signed-off-by: Tom Eastep <teastep@shorewall.net>	2012-02-22 12:40:16 -08:00
Tom Eastep	2624005fa8	Fix FORMAT-2 interfaces Signed-off-by: Tom Eastep <teastep@shorewall.net>	2012-02-21 16:41:56 -08:00
Tom Eastep	20f990f2eb	Fix install on SuSE Signed-off-by: Tom Eastep <teastep@shorewall.net>	2012-02-21 14:24:50 -08:00
Tom Eastep	7de961ebfe	Fix broken init scripts. Signed-off-by: Tom Eastep <teastep@shorewall.net>	2012-02-21 13:16:12 -08:00
Tom Eastep	f6cc44eb6b	Rename HOST -> TARGET and BUILD -> HOST Signed-off-by: Tom Eastep <teastep@shorewall.net>	2012-02-21 13:00:09 -08:00
Tom Eastep	3acd01a44d	Rename some variables: HOST -> TARGET %initdir -> %shorewall_initdir Also add %shorewall_target Signed-off-by: Tom Eastep <teastep@shorewall.net>	2012-02-21 12:34:41 -08:00
Tom Eastep	d5af9c360d	Implement FORMAT-2 interfaces file. Signed-off-by: Tom Eastep <teastep@shorewall.net>	2012-02-21 11:23:58 -08:00
Tom Eastep	2137840fec	Fix bug in DSCP support Signed-off-by: Tom Eastep <teastep@shorewall.net>	2012-02-20 16:40:11 -08:00
Tom Eastep	ed9e03b095	Correct FEDORA/REDHAT fiasco Signed-off-by: Tom Eastep <teastep@shorewall.net>	2012-02-20 16:11:28 -08:00
Tom Eastep	3180e13719	Require LIBEXEC and LIBPERL to be absolute path names Signed-off-by: Tom Eastep <teastep@shorewall.net>	2012-02-20 12:04:00 -08:00
Tom Eastep	c751a0ada3	Documentation updates suggested by Jeffrey Spain. Signed-off-by: Tom Eastep <teastep@shorewall.net>	2012-02-20 11:30:06 -08:00
Tom Eastep	9869b4c068	Rename environmental variables: INSTALLSYS => BUILD TARGET => HOST Signed-off-by: Tom Eastep <teastep@shorewall.net>	2012-02-20 10:12:52 -08:00
Tom Eastep	8c981e0464	Cleanup of install scripts based on feedback from Mr. Dash4 Signed-off-by: Tom Eastep <teastep@shorewall.net>	2012-02-20 10:08:42 -08:00
Tom Eastep	76f8a9e171	Update the Install article for 4.5. Signed-off-by: Tom Eastep <teastep@shorewall.net>	2012-02-20 09:02:04 -08:00
Tom Eastep	a1ec1dc178	Add DSCP match support Signed-off-by: Tom Eastep <teastep@shorewall.net>	2012-02-20 08:47:48 -08:00
Tom Eastep	e2f4af6e48	Create a Perl-style switch statement to handle irregular entries in the tcrules file. Signed-off-by: Tom Eastep <teastep@shorewall.net>	2012-02-19 17:28:49 -08:00
Tom Eastep	b1272e8835	Add DSCP target support. Signed-off-by: Tom Eastep <teastep@shorewall.net>	2012-02-19 17:04:16 -08:00
Tom Eastep	75d5957020	Unify 'dont_' chain flags Signed-off-by: Tom Eastep <teastep@shorewall.net>	2012-02-19 14:20:09 -08:00
Tom Eastep	1896e56894	Rework some newbie code in add_group_to_zone() Signed-off-by: Tom Eastep <teastep@shorewall.net>	2012-02-19 08:39:17 -08:00
Tom Eastep	7cd7f1ebbe	Make zone-option hashes and constants global Signed-off-by: Tom Eastep <teastep@shorewall.net>	2012-02-19 08:30:39 -08:00
Tom Eastep	7fef97d92d	Fix compiler crash from unknown interface Signed-off-by: Tom Eastep <teastep@shorewall.net>	2012-02-18 10:02:39 -08:00
Tom Eastep	cd3a9854f8	Change ipset flags error to a warning Signed-off-by: Tom Eastep <teastep@shorewall.net>	2012-02-18 08:22:16 -08:00
Tom Eastep	f8057fed88	Correct typo in the modified install scripts. Signed-off-by: Tom Eastep <teastep@shorewall.net>	2012-02-18 08:21:50 -08:00
Tom Eastep	59950a7242	Add new install methodology to Shorewall-core Signed-off-by: Tom Eastep <teastep@shorewall.net>	2012-02-18 08:19:39 -08:00
Tom Eastep	6d13069ffb	Correct usage text for 'update'. Signed-off-by: Tom Eastep <teastep@shorewall.net>	2012-02-18 08:17:52 -08:00
Tom Eastep	59fea1a05d	Add a SWITCH column to /etc/shorewall/masq Signed-off-by: Tom Eastep <teastep@shorewall.net>	2012-02-18 08:17:14 -08:00
Tom Eastep	1c7476fe61	Validate SOURCE/DEST fit for ipset flags Signed-off-by: Tom Eastep <teastep@shorewall.net>	2012-02-17 15:46:28 -08:00
Tom Eastep	58f0425d4a	Correct a typo in the blrules manpages Signed-off-by: Tom Eastep <teastep@shorewall.net>	2012-02-17 15:33:45 -08:00
Tom Eastep	ee7ea4adb9	Unify the supported install script os/distro set. Signed-off-by: Tom Eastep <teastep@shorewall.net>	2012-02-17 15:26:02 -08:00
Tom Eastep	8a3f1f7111	Merge branch '4.5.0'	2012-02-17 13:39:22 -08:00
Tom Eastep	33b0821f8d	Separate install system from target system in the install.sh scripts Signed-off-by: Tom Eastep <teastep@shorewall.net>	2012-02-17 13:22:06 -08:00
Tom Eastep	7bf6419a7b	Install the correct init script on Fedora	2012-02-15 17:19:54 -08:00
Tom Eastep	460efbac77	Merge branch '4.5.0'	2012-02-11 11:36:38 -08:00
Tom Eastep	f4be778b86	Restore 'update -b' functionality Signed-off-by: Tom Eastep <teastep@shorewall.net>	2012-02-07 07:38:07 -08:00
Tom Eastep	bd959884cc	Don't require a MARK value on the default class. Signed-off-by: Tom Eastep <teastep@shorewall.net>	2012-02-06 14:40:22 -08:00