Another change to Debian startup at boot

Signed-off-by: Tom Eastep <teastep@shorewall.net>
Fix debian startup at boot (again)
2012-05-01 10:56:30 -07:00 · 2012-05-01 10:16:59 -07:00 · 2012-04-30 13:43:34 -07:00 · 2012-04-30 09:11:00 -07:00 · 2012-04-30 08:41:37 -07:00 · 2012-04-30 08:18:30 -07:00
100 changed files with 4878 additions and 2743 deletions
--- a/Shorewall-core/configure
+++ b/Shorewall-core/configure
@@ -0,0 +1,189 @@
 #!/bin/bash
 #
 #     Shorewall Packet Filtering Firewall RPM configuration program - V4.5
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
 #     (c) 2012 - Tom Eastep (teastep@shorewall.net)
 #
 #	Shorewall documentation is available at http://www.shorewall.net
 #
 #	This program is free software; you can redistribute it and/or modify
 #	it under the terms of Version 2 of the GNU General Public License
 #	as published by the Free Software Foundation.
 #
 #	This program is distributed in the hope that it will be useful,
 #	but WITHOUT ANY WARRANTY; without even the implied warranty of
 #	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 #	GNU General Public License for more details.
 #
 #	You should have received a copy of the GNU General Public License
 #	along with this program; if not, write to the Free Software
 #	Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 #       Usage: ./configure [ <option>=<setting> ] ...
 #
 #
 ################################################################################################
 #
 # Build updates this
 #
 VERSION=4.5.2.1
 case "$BASH_VERSION" in
    [4-9].*)
 	;;
    *)
 	echo "ERROR: This program requires Bash 4.0 or later" >&2
 	exit 1
 	;;
 esac
 declare -A params
 declare -A options
 getfileparams() {
    while read option; do
 	case $option in
 	    \#*)
 		;;
 	    *)
 		on=${option%=*}
 		ov=${option#*=}
 		ov=${ov%#*}
 		[ -n "$on" ] && options[${on}]="${ov}"
 		;;
 	esac
    done
    return 0
 }
 for p in $@; do
    if [ -n "${p}" ]; then
 	declare -u pn
 	pn=${p%=*}
 	pn=${pn#--}
 	pv=${p#*=}
 	if [ -n "${pn}" ]; then
 	    case ${pn} in
 		VENDOR)
 		    pn=HOST
 		    ;;
 		SHAREDSTATEDIR)
 		    pn=VARDIR
 		    ;;
 		DATADIR)
 		    pn=SHAREDIR
 		    ;;
 		SYSCONFDIR)
 		    pn=CONFDIR
 		    ;;
 	    esac
 	    params[${pn}]="${pv}"
 	else
 	    echo "ERROR: Invalid option ($p)" >&2
 	    exit 1
 	fi
    fi
 done
 vendor=${params[HOST]}
 if [ -z "$vendor" ]; then
    case `uname` in
 	Darwin)
 	    $params[HOST]=apple
 	    rcfile=shorewallrc.apple
 	    ;;
 	cygwin*)
 	    $params[HOST]=cygwin
 	    rcfile=shorewallrc.cygwin
 	    ;;
 	*)
 	    if [ -f /etc/debian_version ]; then
 		params[HOST]=debian
 		rcfile=shorewallrc.debian
 	    elif [ -f /etc/redhat-release ]; then
 		params[HOST]=redhat
 		rcfile=shorewallrc.redhat
 	    elif [ -f /etc/slackware-version ] ; then
 		params[HOST]=slackware
 		rcfile=shorewallrc.slackware
 	    elif [ -f /etc/SuSE-release ]; then
 		params[HOST]=suse
 		rcfile=shorewallrc.suse
 	    elif [ -f /etc/arch-release ] ; then
 		params[HOST]=archlinux
 		rcfile=shorewallrc.archlinux
 	    else
 		params[HOST]=linux
 		rcfile=shorewallrc.default
 	    fi
 	    ;;
    esac
    vendor=${params[HOST]}
 elif [ $vendor = linux ]; then
    rcfile=$shorewallrc.default;
 else
    rcfile=shorewallrc.$vendor
    if [ ! -f $rcfile ]; then
 	echo "ERROR: $vendor is not a recognized host type" >&2
 	exit 1
    fi
 fi
 if [ $vendor = linux ]; then
    echo "INFO: Creating a generic Linux installation - " `date`;
 else
    echo "INFO: Creating a ${vendor}-specific installation - " `date`;
 fi
 echo
 getfileparams < $rcfile || exit 1
 for p in ${!params[@]}; do
    options[${p}]="${params[${p}]}"
 done
 echo '#'                                                                 > shorewallrc
 echo "# Created by Shorewall Core version $VERSION configure - " `date` >> shorewallrc
 echo '#'                                                                >> shorewallrc
 if [ $# -gt 0 ]; then
    echo "# Input: $@" >> shorewallrc
    echo '#'           >> shorewallrc
 fi
 for on in \
    HOST \
    PREFIX \
    SHAREDIR \
    LIBEXECDIR \
    PERLLIBDIR \
    CONFDIR \
    SBINDIR \
    MANDIR \
    INITDIR \
    INITSOURCE \
    INITFILE \
    AUXINITSOURCE \
    AUXINITFILE \
    SYSTEMD \
    SYSCONFFILE \
    SYSCONFDIR \
    ANNOTATED \
    VARDIR
 do
    echo "$on=${options[${on}]}"
    echo "$on=${options[${on}]}" >> shorewallrc
 done
--- a/Shorewall-core/configure.pl
+++ b/Shorewall-core/configure.pl
@@ -0,0 +1,154 @@
 #! /usr/bin/perl -w
 #
 #     Shorewall Packet Filtering Firewall RPM configuration program - V4.5
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
 #     (c) 2012 - Tom Eastep (teastep@shorewall.net)
 #
 #	Shorewall documentation is available at http://www.shorewall.net
 #
 #	This program is free software; you can redistribute it and/or modify
 #	it under the terms of Version 2 of the GNU General Public License
 #	as published by the Free Software Foundation.
 #
 #	This program is distributed in the hope that it will be useful,
 #	but WITHOUT ANY WARRANTY; without even the implied warranty of
 #	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 #	GNU General Public License for more details.
 #
 #	You should have received a copy of the GNU General Public License
 #	along with this program; if not, write to the Free Software
 #	Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 #       Usage: ./configure.pl <option>=<setting> ...
 #
 #
 ################################################################################################
 use strict;
 #
 # Build updates this
 #
 use constant { 
    VERSION => '4.5.2.1'
 };
 my %params;
 my %options;
 my %aliases = ( VENDOR         => 'HOST',
 		SHAREDSTATEDIR => 'VARDIR',
 		DATADIR        => 'SHAREDIR',
 		SYSCONFDIR     => 'CONFDIR' );
 for ( @ARGV ) {
    die "ERROR: Invalid option specification ( $_ )" unless /^(?:--)?(\w+)=(.*)$/;
    my $pn = uc $1;
    my $pv = $2 || '';
    $pn = $aliases{$pn} if exists $aliases{$pn};
    $params{$pn} = $pv;
 }
 my $vendor = $params{HOST};
 my $rcfile;
 my $rcfilename;
 if ( defined $vendor ) {
    $rcfilename = $vendor eq 'linux' ? 'shorewallrc.default' : 'shorewallrc.' . $vendor;
    die qq("ERROR: $vendor" is not a recognized host type) unless -f $rcfilename;
 } else {
    if ( -f '/etc/debian_version' ) {
 	$vendor = 'debian';
 	$rcfilename = 'shorewallrc.debian';
    } elsif ( -f '/etc/redhat-release' ){
 	$vendor = 'redhat';
 	$rcfilename = 'shorewallrc.redhat';
    } elsif ( -f '/etc/slackware-version' ) {
 	$vendor = 'slackware';
 	$rcfilename = 'shorewallrc.slackware';
    } elsif ( -f '/etc/SuSE-release' ) {
 	$vendor = 'suse';
 	$rcfilename = 'shorewallrc.suse';
    } elsif ( -f '/etc/arch-release' ) {
 	$vendor = 'archlinux';
 	$rcfilename = 'shorewallrc.archlinux';
    } elsif ( `uname` =~ '^Darwin' ) {
 	$vendor = 'apple';
 	$rcfilename = 'shorewallrc.apple';
    } elsif ( `uname` =~ '^Cygwin' ) {
 	$vendor = 'cygwin';
 	$rcfilename = 'shorewallrc.cygwin';
    } else {
 	$vendor = 'linux';
 	$rcfilename = 'shorewallrc.default';
    }
    $params{HOST} = $vendor;
 }
 my @localtime = localtime;
 my @abbr = qw( Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec );
 if ( $vendor eq 'linux' ) {
    printf "INFO: Creating a generic Linux installation - %s %2d %04d %02d:%02d:%02d\n\n", $abbr[$localtime[4]], $localtime[3], 1900 + $localtime[5] , @localtime[2,1,0];;
 } else {
    printf "INFO: Creating a %s-specific installation - %s %2d %04d %02d:%02d:%02d\n\n", $vendor, $abbr[$localtime[4]], $localtime[3], 1900 + $localtime[5] , @localtime[2,1,0];;
 }
 open $rcfile, '<', $rcfilename or die "Unable to open $rcfilename for input: $!";
 while ( <$rcfile> ) {
    s/\s*#.*//;
    unless ( /^\s*$/ ) {
 	chomp;
 	die "ERROR: Invalid entry ($_) in $rcfilename, line $." unless /\s*(\w+)=(.*)/;
 	$options{$1} = $2;
    }
 }
 close $rcfile;
 while ( my ( $p, $v ) = each %params ) {
    $options{$p} = ${v};
 }
 my $outfile;
 open $outfile, '>', 'shorewallrc' or die "Can't open 'shorewallrc' for output: $!";
 printf $outfile "#\n# Created by Shorewall Core version %s configure.pl - %s %2d %04d %02d:%02d:%02d\n#\n", VERSION, $abbr[$localtime[4]], $localtime[3], 1900 + $localtime[5] , @localtime[2,1,0];
 print  $outfile "# Input: @ARGV\n#\n" if @ARGV;
 for ( qw/ HOST
 	  PREFIX
 	  SHAREDIR
 	  LIBEXECDIR
 	  PERLLIBDIR
 	  CONFDIR
 	  SBINDIR
 	  MANDIR 
 	  INITDIR
 	  INITSOURCE
 	  INITFILE
 	  AUXINITSOURCE
 	  AUXINITFILE
 	  SYSTEMD
 	  SYSCONFFILE
 	  SYSCONFDIR
 	  ANNOTATED
 	  VARDIR / ) {
    my $val = $options{$_} || '';
    print          "$_=$val\n";
    print $outfile "$_=$val\n";
 }
 close $outfile;
 1;
--- a/Shorewall-core/install.sh
+++ b/Shorewall-core/install.sh
@@ -27,12 +27,18 @@ VERSION=xxx #The Build script inserts the actual version
 usage() # $1 = exit status
 {
    ME=$(basename $0)
-    echo "usage: $ME"
+    echo "usage: $ME [ <configuration-file> ] "
    echo "       $ME -v"
    echo "       $ME -h"
    exit $1
 }
 fatal_error() 
 {
    echo "   ERROR: $@" >&2
    exit 1
 }
 split() {
    local ifs
    ifs=$IFS
@@ -85,43 +91,87 @@ install_file() # $1 = source $2 = target $3 = mode
    run_install $T $OWNERSHIP -m $3 $1 ${2}
 }
 require() 
 {
    eval [ -n "\$$1" ] || fatal_error "Required option $1 not set"
 }
 cd "$(dirname $0)"
 #
 # Load packager's settings if any
 #
 [ -f ../shorewall-pkg.config ] && . ../shorewall-pkg.config
 [ -n "$DESTDIR" ] || DESTDIR="$PREFIX"
 #
 # Parse the run line
 #
-# ARGS is "yes" if we've already parsed an argument
+finished=0
 while [ $finished -eq 0 ]; do
    option=$1
    case "$option" in
 	-*)
 	    option=${option#-}
 	    while [ -n "$option" ]; do
 		case $option in
 		    h)
 			usage 0
 			;;
 		    v)
 			echo "Shorewall Firewall Installer Version $VERSION"
 			exit 0
 			;;
 		    *)
 			usage 1
 			;;
 		esac
 	    done
 	    shift
 	    ;;
 	*)
 	    finished=1
 	    ;;
    esac
 done
 #
 # Read the RC file
 #
 if [ $# -eq 0 ]; then
    if [ -f ./shorewallrc ]; then
 	. ./shorewallrc
 	file=./shorewallrc
    elif [ -f ~/.shorewallrc ]; then
 	. ~/.shorewallrc || exit 1
 	file=~/.shorewallrc
    elif [ -f /usr/share/shorewall/shorewallrc ]; then
 	. /usr/share/shorewall/shorewallrc
 	file=/usr/share/shorewall/shorewallrc
    else
 	fatal_error "No configuration file specified and /usr/share/shorewall/shorewallrc not found"
    fi
 elif [ $# -eq 1 ]; then
    file=$1
    case $file in
 	/*|.*)
 	    ;;
 	*)
 	    file=./$file || exit 1
 	    ;;
    esac
    . $file
 else
    usage 1
 fi
 for var in SHAREDIR LIBEXECDIR PERLLIBDIR CONFDIR SBINDIR VARDIR; do
    require $var
 done
 [ "${INITFILE}" != 'none/' ] && require INITSOURCE && require INITDIR
 T="-T"
 [ -n "${LIBEXEC:=/usr/share}" ]
 [ -n "${PERLLIB:=/usr/share/shorewall}" ]
 case "$LIBEXEC" in
    /*)
 	;;
    *)
 	echo "The LIBEXEC setting must be an absolute path name" >&2
 	exit 1
 	;;
 esac
 case "$PERLLIB" in
    /*)
 	;;
    *)
 	echo "The PERLLIB setting must be an absolute path name" >&2
 	exit 1
 	;;
 esac
 INSTALLD='-D'
 if [ -z "$BUILD" ]; then
@@ -180,41 +230,6 @@ esac
 OWNERSHIP="-o $OWNER -g $GROUP"
 finished=0
 while [ $finished -eq 0 ]; do
    option=$1
    case "$option" in
 	-*)
 	    option=${option#-}
 	    while [ -n "$option" ]; do
 		case $option in
 		    h)
 			usage 0
 			;;
 		    v)
 			echo "Shorewall Firewall Installer Version $VERSION"
 			exit 0
 			;;
 		    *)
 			usage 1
 			;;
 		esac
 	    done
 	    shift
 	    ;;
 	*)
 	    [ -n "$option" ] && usage 1
 	    finished=1
 	    ;;
    esac
 done
 PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
 #
 # Determine where to install the firewall script
 #
@@ -236,6 +251,23 @@ case "$HOST" in
 	;;
 esac
 if [ -z "$file" ]; then
    if $HOST = linux; then
 	file=shorewallrc.default
    else
 	file=shorewallrc.${HOST}
    fi
    echo "You have not specified a configuration file and ~/.shorewallrc does not exist" >&2
    echo "Shorewall-core $VERSION has determined that the $file configuration is appropriate for your system" >&2
    echo "Please review the settings in that file. If you wish to change them, make a copy and modify the copy" >&2
    echo "Then re-run install.sh passing either $file or the name of your modified copy" >&2
    echo "" >&2
    echo "Example:" >&2
    echo "" >&2
    echo "   ./install.sh $file" &>2
 fi
 if [ -n "$DESTDIR" ]; then
    if [ $BUILD != cygwin ]; then
 	if [ `id -u` != 0 ] ; then
@@ -245,56 +277,78 @@ if [ -n "$DESTDIR" ]; then
    fi
 fi
 #
 # Change to the directory containing this script
 #
 cd "$(dirname $0)"
 echo "Installing Shorewall Core Version $VERSION"
 #
-# Create /usr/share/shorewall
+# Create directories
 #
-mkdir -p ${DESTDIR}${LIBEXEC}/shorewall
+mkdir -p ${DESTDIR}${LIBEXECDIR}/shorewall
-chmod 755 ${DESTDIR}${LIBEXEC}/shorewall
+chmod 755 ${DESTDIR}${LIBEXECDIR}/shorewall
-if [ $LIBEXEC != /usr/shorewall/ ]; then
+mkdir -p ${DESTDIR}${SHAREDIR}/shorewall
-    mkdir -p ${DESTDIR}/usr/share/shorewall
+chmod 755 ${DESTDIR}${SHAREDIR}/shorewall
-    chmod 755 ${DESTDIR}/usr/share/shorewall
+
 mkdir -p ${DESTDIR}${CONFDIR}
 chmod 755 ${DESTDIR}${CONFDIR}
 if [ -n "${SYSCONFDIR}" ]; then
    mkdir -p ${DESTDIR}${SYSCONFDIR}
    chmod 755 ${DESTDIR}${SYSCONFDIR}
 fi
 if [ -n "${SYSTEMD}" ]; then
    mkdir -p ${DESTDIR}${SYSTEMD}
    chmod 755 ${DESTDIR}${SYSTEMD}
 fi
 mkdir -p ${DESTDIR}${SBINDIR}
 chmod 755 ${DESTDIR}${SBINDIR}
 mkdir -p ${DESTDIR}${MANDIR}
 chmod 755 ${DESTDIR}${MANDIR}
 #
 # Note: ${VARDIR} is created at run-time since it has always been
 #       a relocatable directory on a per-product basis
 #
 # Install wait4ifup
 #
-install_file wait4ifup ${DESTDIR}${LIBEXEC}/shorewall/wait4ifup 0755
+install_file wait4ifup ${DESTDIR}${LIBEXECDIR}/shorewall/wait4ifup 0755
 echo
-echo "wait4ifup installed in ${DESTDIR}${LIBEXEC}/shorewall/wait4ifup"
+echo "wait4ifup installed in ${DESTDIR}${LIBEXECDIR}/shorewall/wait4ifup"
 #
 # Install the libraries
 #
 for f in lib.* ; do
-    install_file $f ${DESTDIR}/usr/share/shorewall/$f 0644
+    install_file $f ${DESTDIR}${SHAREDIR}/shorewall/$f 0644
-    echo "Library ${f#*.} file installed as ${DESTDIR}/usr/share/shorewall/$f"
+    echo "Library ${f#*.} file installed as ${DESTDIR}${SHAREDIR}/shorewall/$f"
 done
 if [ $BUILD != apple ]; then
    eval sed -i \'s\|g_libexec=.\*\|g_libexec=$LIBEXEC\|\' ${DESTDIR}/usr/share/shorewall/lib.cli
    eval sed -i \'s\|g_perllib=.\*\|g_perllib=$PERLLIB\|\' ${DESTDIR}/usr/share/shorewall/lib.cli
 else
    eval sed -i \'\' -e \'s\|g_libexec=.\*\|g_libexec=$LIBEXEC\|\' ${DESTDIR}/usr/share/shorewall/lib.cli
    eval sed -i \'\' -e \'s\|g_perllib=.\*\|g_perllib=$PERLLIB\|\' ${DESTDIR}/usr/share/shorewall/lib.cli
 fi
 #
 # Symbolically link 'functions' to lib.base
 #
-ln -sf lib.base ${DESTDIR}/usr/share/shorewall/functions
+ln -sf lib.base ${DESTDIR}${SHAREDIR}/shorewall/functions
 #
 # Create the version file
 #
-echo "$VERSION" > ${DESTDIR}/usr/share/shorewall/coreversion
+echo "$VERSION" > ${DESTDIR}${SHAREDIR}/shorewall/coreversion
-chmod 644 ${DESTDIR}/usr/share/shorewall/coreversion
+chmod 644 ${DESTDIR}${SHAREDIR}/shorewall/coreversion
 [ $file != "${SHAREDIR}/shorewall/shorewallrc" ] && cp $file ${DESTDIR}${SHAREDIR}/shorewall/shorewallrc
 [ -z "${DESTDIR}" ] && [ ! -f ~/.shorewallrc ] && cp ${SHAREDIR}/shorewall/shorewallrc ~/.shorewallrc
 if [ ${SHAREDIR} != /usr/share ]; then
    for f in lib.*; do
 	if [ $BUILD != apple ]; then
 	    eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}/${SHAREDIR}/shorewall/$f
 	else
 	    eval sed -i \'\' -e \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}/${SHAREDIR}/shorewall/$f
 	fi
    done
 fi
 #
 #  Report Success
 #
--- a/Shorewall-core/lib.base
+++ b/Shorewall-core/lib.base
@@ -27,50 +27,57 @@
 #   and /usr/share/shorewall[6]-lite/shorecap.
 #
-SHOREWALL_LIBVERSION=40500
+SHOREWALL_LIBVERSION=40502
-SHOREWALL_CAPVERSION=40501
+SHOREWALL_CAPVERSION=40502
 [ -n "${g_program:=shorewall}" ]
 if [ -z "$g_readrc" ]; then
    #
    # This is modified by the installer when ${SHAREDIR} != /usr/share
    #
    . /usr/share/shorewall/shorewallrc
    g_libexec="$LIBEXECDIR"
    g_sharedir="$SHAREDIR"/$g_program
    g_sbindir="$SBINDIR"
    g_perllib="$PERLLIBDIR"
    g_vardir="$VARDIR"
    g_confdir="$CONFDIR"/$g_program
    g_readrc=1
 fi
 g_basedir=${SHAREDIR}/shorewall
 case $g_program in
    shorewall)
 	SHAREDIR=/usr/share/shorewall
 	CONFDIR=/etc/shorewall
 	g_product="Shorewall"
 	g_family=4
 	g_tool=
 	g_basedir=/usr/share/shorewall
 	g_lite=
 	;;
    shorewall6)
 	SHAREDIR=/usr/share/shorewall6
 	CONFDIR=/etc/shorewall6
 	g_product="Shorewall6"
 	g_family=6
 	g_tool=
 	g_basedir=/usr/share/shorewall
 	g_lite=
 	;;
    shorewall-lite)
 	SHAREDIR=/usr/share/shorewall-lite
 	CONFDIR=/etc/shorewall-lite
 	g_product="Shorewall Lite"
 	g_family=4
 	g_tool=iptables
 	g_basedir=/usr/share/shorewall-lite
 	g_lite=Yes
 	;;
    shorewall6-lite)
 	SHAREDIR=/usr/share/shorewall6-lite
 	CONFDIR=/etc/shorewall6-lite
 	g_product="Shorewall6 Lite"
 	g_family=6
 	g_tool=ip6tables
 	g_basedir=/usr/share/shorewall6-lite
 	g_lite=Yes
 	;;
 esac
 VARDIR=${VARDIR}/${g_program}
 #
 # Conditionally produce message
 #
@@ -186,7 +193,7 @@ mutex_off()
    rm -f ${LOCKFILE:=${VARDIR}/lock}
 }
-[ -z "$LEFTSHIFT" ] && . /usr/share/shorewall/lib.common
+[ -z "$LEFTSHIFT" ] && . ${g_basedir}/lib.common
 #
 # Validate an IP address
@@ -344,7 +351,7 @@ ip_vlsm() {
 #
 ensure_config_path() {
    local F
-    F=${SHAREDIR}/configpath
+    F=${g_sharedir}/configpath
    if [ -z "$CONFIG_PATH" ]; then
 	[ -f $F ] || { echo "   ERROR: $F does not exist"; exit 2; }
 	. $F
@@ -455,14 +462,14 @@ mktempfile() {
    else
 	case "$MKTEMP" in
 	    BSD)
-		mktemp /tmp/shorewall.XXXXXX
+		mktemp ${TMPDIR:-/tmp}/shorewall.XXXXXX
 		;;
 	    STD)
 		mktemp -t shorewall.XXXXXX
 		;;
 	    None)
-		rm -f /tmp/shorewall-$$
+		rm -f ${TMPDIR:-/tmp}/shorewall-$$
-		> /tmp/shorewall-$$ && echo /tmp/shorewall-$$
+		> ${TMPDIR:-}/shorewall-$$ && echo ${TMPDIR:-/tmp}/shorewall-$$
 		;;
 	    *)
 		error_message "ERROR:Internal error in mktempfile"
--- a/Shorewall-core/lib.cli
+++ b/Shorewall-core/lib.cli
@@ -23,7 +23,25 @@
 # This library contains the command processing code common to /sbin/shorewall[6] and
 # /sbin/shorewall[6]-lite.
 #
-. /usr/share/shorewall/lib.base
+
 if [ -z "$g_readrc" ]; then
    #
    # This is modified by the installer when ${SHAREDIR} <> /usr/share
    #
    . /usr/share/shorewall/shorewallrc
    g_libexec="$LIBEXECDIR"
    g_sharedir="$SHAREDIR"/$g_program
    g_sbindir="$SBINDIR"
    g_perllib="$PERLLIBDIR"
    g_vardir="$VARDIR"
    g_confdir="$CONFDIR"/$g_program
    g_readrc=1
 fi
 . ${SHAREDIR}/shorewall/lib.base
 #
 # Fatal Error
 #
@@ -438,16 +456,28 @@ sort_routes() {
    done | sort -r | while read dest rest; do echo $rest; done
 }
 #
 # Isolate the table in the routing rules being read from stdin.
 # Piping through sed to remove trailing whitespace works around
 # recent 'features' in dash and ip.
 #
 find_tables() {
    sed -r 's/[[:space:]]+$//' | while read rule; do
 	echo ${rule##* }
    done
 }
 #
 # Show routing configuration
 #
 show_routing() {
    local rule
    local table 
    if [ -n "$(ip -$g_family rule list)" ]; then
 	heading "Routing Rules"
 	ip -$g_family rule list
-	ip -$g_family rule list | while read rule; do
+	ip -$g_family rule list | find_tables | sort -u | while read table; do
 	    echo ${rule##* }
 	done | sort -u | while read table; do
 	    heading "Table $table:"
 	    if [ $g_family -eq 6 ]; then
 		ip -$g_family -o route list table $table | fgrep -v cache
@@ -543,11 +573,11 @@ version_command() {
    [ $# -gt 0 ] && usage 1
    if [ -n "$all" ]; then
-	echo "shorewall-core: $(cat /usr/share/shorewall/coreversion)"
+	echo "shorewall-core: $(cat $g_sharedir/coreversion)"
 	for product in shorewall shorewall6 shorewall-lite shorewall6-lite shorewall-init; do
-	    if [ -f /usr/share/$product/version ]; then
+	    if [ -f ${SHAREDIR}/$product/version ]; then
-		echo "$product: $(cat /usr/share/$product/version)"
+		echo "$product: $(cat ${SHAREDIR}/$product/version)"
 	    fi
 	done
    else
@@ -837,16 +867,20 @@ show_command() {
 	    show_routing
 	    ;;
 	config)
-	    . ${SHAREDIR}/configpath
+	    . ${g_sharedir}/configpath
 	    if [ -n "$g_filemode" ]; then
 		echo "CONFIG_PATH=$CONFIG_PATH"
 		echo "VARDIR=$VARDIR"
 		echo "LIBEXEC=$g_libexec"
-		[ -n "$g_lite" ] && ${VARDIR} ne /var/lib/$program && echo "LITEDIR=${VARDIR}"
+		echo "SBINDIR=$g_sbindir"
 		echo "CONFDIR=${CONFDIR}"
 		[ -n "$g_lite" ] && [ ${VARDIR} != /var/lib/$g_program ] && echo "LITEDIR=${VARDIR}"
 	    else
 		echo "Default CONFIG_PATH is $CONFIG_PATH"
 		echo "Default VARDIR is /var/lib/$g_program"
 		echo "LIBEXEC is $g_libexec"
 		echo "SBINDIR is $g_sbindir"
 		echo "CONFDIR is ${CONFDIR}"
 		[ -n "$g_lite" ] && [ ${VARDIR} != /var/lib/$g_program ] && echo "LITEDIR is ${VARDIR}"
 	    fi
 	    ;;
@@ -907,10 +941,10 @@ show_command() {
 			    echo "forwardUPnP         # Allow traffic that upnpd has redirected from"
 			    echo "rejNotSyn           # Silently Reject Non-syn TCP packets"
-			    if [ -f ${CONFDIR}/actions ]; then
+			    if [ -f ${g_confdir}/actions ]; then
-				cat ${SHAREDIR}/actions.std ${CONFDIR}/actions | grep -Ev '^\#|^$'
+				cat ${g_sharedir}/actions.std ${g_confdir}/actions | grep -Ev '^\#|^$'
 			    else
-				grep -Ev '^\#|^$' ${SHAREDIR}/actions.std
+				grep -Ev '^\#|^$' ${g_sharedir}/actions.std
 			    fi
 			    return
@@ -1108,8 +1142,8 @@ do_dump_command() {
    echo "$g_product $SHOREWALL_VERSION Dump at $g_hostname - $(date)"
    echo
-    if [ $g_family -eq 6 ] && [ -f /usr/share/shorewall/version ]; then
+    if [ $g_family -eq 6 ] && [ -f ${SHAREDIR}/shorewall/version ]; then
-	echo "   Shorewall $(cat /usr/share/shorewall/version)"
+	echo "   Shorewall $(cat ${SHAREDIR}/shorewall/version)"
 	echo
    fi
    show_status
@@ -1908,6 +1942,7 @@ determine_capabilities() {
    IPRANGE_MATCH=
    RECENT_MATCH=
    OWNER_MATCH=
    OWNER_NAME_MATCH=
    IPSET_MATCH=
    OLD_IPSET_MATCH=
    IPSET_V5=
@@ -2046,6 +2081,11 @@ determine_capabilities() {
    qt $g_tool -A $chain -m recent --update -j ACCEPT     && RECENT_MATCH=Yes
    qt $g_tool -A $chain -m owner --uid-owner 0 -j ACCEPT && OWNER_MATCH=Yes
    local name
    name=$(id -un 2> /dev/null)
    [ -n "$name" ] && qt $g_tool -A $chain -m owner --uid-owner $name -j ACCEPT && OWNER_NAME_MATCH=Yes
    if qt $g_tool -A $chain -m connmark --mark 2  -j ACCEPT; then
 	CONNMARK_MATCH=Yes
 	qt $g_tool -A $chain -m connmark --mark 2/0xFF -j ACCEPT && XCONNMARK_MATCH=Yes
@@ -2209,81 +2249,82 @@ report_capabilities() {
    if [ $VERBOSITY -gt 1 ]; then
 	echo "$g_product has detected the following iptables/netfilter capabilities:"
-	report_capability "NAT" $NAT_ENABLED
+	report_capability "NAT (NAT_ENABLED)" $NAT_ENABLED
-	report_capability "Packet Mangling" $MANGLE_ENABLED
+	report_capability "Packet Mangling (MANGLE_ENABLED)" $MANGLE_ENABLED
-	report_capability "Multi-port Match" $MULTIPORT
+	report_capability "Multi-port Match (MULTIPORT)" $MULTIPORT
-	[ -n "$MULTIPORT" ] && report_capability "Extended Multi-port Match" $XMULTIPORT
+	[ -n "$MULTIPORT" ] && report_capability "Extended Multi-port Match (XMULIPORT)" $XMULTIPORT
-	report_capability "Connection Tracking Match" $CONNTRACK_MATCH
+	report_capability "Connection Tracking Match (CONNTRACK_MATCH)" $CONNTRACK_MATCH
 	if [ -n "$CONNTRACK_MATCH" ]; then
-	    report_capability "Extended Connection Tracking Match Support" $NEW_CONNTRACK_MATCH
+	    report_capability "Extended Connection Tracking Match Support (NEW_CONNTRACK_MATCH)" $NEW_CONNTRACK_MATCH
-	    [ -n "$OLD_CONNTRACK_MATCH" ] && report_capability "Old Connection Tracking Match Syntax" $OLD_CONNTRACK_MATCH
+	    [ -n "$OLD_CONNTRACK_MATCH" ] && report_capability "Old Connection Tracking Match Syntax (OLD_CONNTRACK_MATCH)" $OLD_CONNTRACK_MATCH
 	fi
-	report_capability "Packet Type Match" $USEPKTTYPE
+	report_capability "Packet Type Match (USEPKTTYPE)" $USEPKTTYPE
-	report_capability "Policy Match" $POLICY_MATCH
+	report_capability "Policy Match (POLICY_MATCH)" $POLICY_MATCH
-	report_capability "Physdev Match" $PHYSDEV_MATCH
+	report_capability "Physdev Match (PHYSDEV_MATCH)" $PHYSDEV_MATCH
-	report_capability "Physdev-is-bridged Support" $PHYSDEV_BRIDGE
+	report_capability "Physdev-is-bridged Support (PHYSDEV_BRIDGE)" $PHYSDEV_BRIDGE
-	report_capability "Packet length Match" $LENGTH_MATCH
+	report_capability "Packet length Match (LENGTH_MATCH)" $LENGTH_MATCH
-	report_capability "IP range Match" $IPRANGE_MATCH
+	report_capability "IP range Match(IPRANGE_MATCH)" $IPRANGE_MATCH
-	report_capability "Recent Match" $RECENT_MATCH
+	report_capability "Recent Match (RECENT_MATCH)" $RECENT_MATCH
-	report_capability "Owner Match" $OWNER_MATCH
+	report_capability "Owner Match (OWNER_MATCH)" $OWNER_MATCH
 	report_capability "Owner Name Match (OWNER_NAME_MATCH)" $OWNER_NAME_MATCH
 	if [ -n "$IPSET_MATCH" ]; then
-	    report_capability "Ipset Match" $IPSET_MATCH
+	    report_capability "Ipset Match (IPSET_MATCH)" $IPSET_MATCH
-	    [ -n "$OLD_IPSET_MATCH" ] && report_capability "OLD_Ipset Match" $OLD_IPSET_MATCH
+	    [ -n "$OLD_IPSET_MATCH" ] && report_capability "OLD_Ipset Match (OLD_IPSET_MATCH)" $OLD_IPSET_MATCH
 	fi
-	report_capability "CONNMARK Target" $CONNMARK
+	report_capability "CONNMARK Target (CONNMARK)" $CONNMARK
-	[ -n "$CONNMARK" ] && report_capability "Extended CONNMARK Target" $XCONNMARK
+	[ -n "$CONNMARK" ] && report_capability "Extended CONNMARK Target (XCONNMARK)" $XCONNMARK
-	report_capability "Connmark Match" $CONNMARK_MATCH
+	report_capability "Connmark Match (CONNMARK_MATCH)" $CONNMARK_MATCH
-	[ -n "$CONNMARK_MATCH" ] && report_capability "Extended Connmark Match" $XCONNMARK_MATCH
+	[ -n "$CONNMARK_MATCH" ] && report_capability "Extended Connmark Match (XCONNMARK_MATCH)" $XCONNMARK_MATCH
-	report_capability "Raw Table" $RAW_TABLE
+	report_capability "Raw Table (RAW_TABLE)" $RAW_TABLE
-	report_capability "Rawpost Table" $RAWPOST_TABLE
+	report_capability "Rawpost Table (RAWPOST_TABLE)" $RAWPOST_TABLE
-	report_capability "IPP2P Match" $IPP2P_MATCH
+	report_capability "IPP2P Match (IPP2P_MATCH)" $IPP2P_MATCH
-	[ -n "$OLD_IPP2P_MATCH" ] && report_capability "Old IPP2P Match Syntax" $OLD_IPP2P_MATCH
+	[ -n "$OLD_IPP2P_MATCH" ] && report_capability "Old IPP2P Match Syntax (OLD_IPP2P_MATCH)" $OLD_IPP2P_MATCH
-	report_capability "CLASSIFY Target" $CLASSIFY_TARGET
+	report_capability "CLASSIFY Target (CLASSIFY_TARGET)" $CLASSIFY_TARGET
-	report_capability "Extended REJECT" $ENHANCED_REJECT
+	report_capability "Extended REJECT (ENHANCED_REJECT)" $ENHANCED_REJECT
-	report_capability "Repeat match" $KLUDGEFREE
+	report_capability "Repeat match (KLUDGEFREE)" $KLUDGEFREE
-	report_capability "MARK Target" $MARK
+	report_capability "MARK Target (MARK)" $MARK
-	[ -n "$MARK" ] && report_capability "Extended MARK Target" $XMARK
+	[ -n "$MARK" ] && report_capability "Extended MARK Target (XMARK)" $XMARK
-	[ -n "$XMARK" ] && report_capability "Extended MARK Target 2" $EXMARK
+	[ -n "$XMARK" ] && report_capability "Extended MARK Target 2 (EXMARK)" $EXMARK
-	report_capability "Mangle FORWARD Chain" $MANGLE_FORWARD
+	report_capability "Mangle FORWARD Chain (MANGLE_FORWARD)" $MANGLE_FORWARD
-	report_capability "Comments" $COMMENTS
+	report_capability "Comments (COMMENTS)" $COMMENTS
-	report_capability "Address Type Match" $ADDRTYPE
+	report_capability "Address Type Match (ADDRTYPE)" $ADDRTYPE
-	report_capability "TCPMSS Match" $TCPMSS_MATCH
+	report_capability "TCPMSS Match (TCPMSS_MATCH)" $TCPMSS_MATCH
-	report_capability "Hashlimit Match" $HASHLIMIT_MATCH
+	report_capability "Hashlimit Match (HASHLIMIT_MATCH)" $HASHLIMIT_MATCH
-	[ -n "$OLD_HL_MATCH" ] && report_capability "Old Hashlimit Match" $OLD_HL_MATCH
+	[ -n "$OLD_HL_MATCH" ] && report_capability "Old Hashlimit Match (OLD_HL_MATCH)" $OLD_HL_MATCH
-	report_capability "NFQUEUE Target" $NFQUEUE_TARGET
+	report_capability "NFQUEUE Target (NFQUEUE_TARGET)" $NFQUEUE_TARGET
-	report_capability "Realm Match" $REALM_MATCH
+	report_capability "Realm Match (REALM_MATCH)" $REALM_MATCH
-	report_capability "Helper Match" $HELPER_MATCH
+	report_capability "Helper Match (HELPER_MATCH)" $HELPER_MATCH
-	report_capability "Connlimit Match" $CONNLIMIT_MATCH
+	report_capability "Connlimit Match (CONNLIMIT_MATCH)" $CONNLIMIT_MATCH
-	report_capability "Time Match" $TIME_MATCH
+	report_capability "Time Match (TIME_MATCH)" $TIME_MATCH
-	report_capability "Goto Support" $GOTO_TARGET
+	report_capability "Goto Support (GOTO_TARGET)" $GOTO_TARGET
-	report_capability "LOGMARK Target" $LOGMARK_TARGET
+	report_capability "LOGMARK Target (LOGMARK_TARGET)" $LOGMARK_TARGET
-	report_capability "IPMARK Target" $IPMARK_TARGET
+	report_capability "IPMARK Target (IPMARK_TARGET)" $IPMARK_TARGET
-	report_capability "LOG Target" $LOG_TARGET
+	report_capability "LOG Target (LOG_TARGET)" $LOG_TARGET
-	report_capability "ULOG Target" $ULOG_TARGET
+	report_capability "ULOG Target (ULOG_TARGET)" $ULOG_TARGET
-	report_capability "NFLOG Target" $NFLOG_TARGET
+	report_capability "NFLOG Target (NFLOG_TARGET)" $NFLOG_TARGET
-	report_capability "Persistent SNAT" $PERSISTENT_SNAT
+	report_capability "Persistent SNAT (PERSISTENT_SNAT)" $PERSISTENT_SNAT
-	report_capability "TPROXY Target" $TPROXY_TARGET
+	report_capability "TPROXY Target (TPROXY_TARGET)" $TPROXY_TARGET
-	report_capability "FLOW Classifier" $FLOW_FILTER
+	report_capability "FLOW Classifier (FLOW_FILTER)" $FLOW_FILTER
-	report_capability "fwmark route mask" $FWMARK_RT_MASK
+	report_capability "fwmark route mask (FWMARK_RT_MASK)" $FWMARK_RT_MASK
-	report_capability "Mark in any table" $MARK_ANYWHERE
+	report_capability "Mark in any table (MARK_ANYWHERE)" $MARK_ANYWHERE
-	report_capability "Header Match" $HEADER_MATCH
+	report_capability "Header Match (HEADER_MATCH)" $HEADER_MATCH
-        report_capability "ACCOUNT Target" $ACCOUNT_TARGET
+        report_capability "ACCOUNT Target (ACCOUNT_TARGET)" $ACCOUNT_TARGET
-	report_capability "AUDIT Target" $AUDIT_TARGET
+	report_capability "AUDIT Target (AUDIT_TARGET)" $AUDIT_TARGET
-	report_capability "ipset V5" $IPSET_V5
+	report_capability "ipset V5 (IPSET_V5)" $IPSET_V5
-	report_capability "Condition Match" $CONDITION_MATCH
+	report_capability "Condition Match (CONDITION_MATCH)" $CONDITION_MATCH
-	report_capability "Statistic Match" $STATISTIC_MATCH
+	report_capability "Statistic Match (STATISTIC_MATCH)" $STATISTIC_MATCH
-	report_capability "IMQ Target" $IMQ_TARGET
+	report_capability "IMQ Target (IMQ_TARGET)" $IMQ_TARGET
-	report_capability "DSCP Match" $DSCP_MATCH
+	report_capability "DSCP Match (DSCP_MATCH)" $DSCP_MATCH
-	report_capability "DSCP Target" $DSCP_TARGET
+	report_capability "DSCP Target (DSCP_TARGET)" $DSCP_TARGET
 	if [ $g_family -eq 4 ]; then
-	    report_capability "iptables -S" $IPTABLES_S
+	    report_capability "iptables -S (IPTABLES_S)" $IPTABLES_S
 	else
-	    report_capability "ip6tables -S" $IPTABLES_S
+	    report_capability "ip6tables -S (IPTABLES_S)" $IPTABLES_S
 	fi
-	report_capability "Basic Filter" $BASIC_FILTER
+	report_capability "Basic Filter (BASIC_FILTER)" $BASIC_FILTER
-	report_capability "CT Target" $CT_TARGET
+	report_capability "CT Target (CT_TARGET)" $CT_TARGET
    fi
    [ -n "$PKTTYPE" ] || USEPKTTYPE=
@@ -2314,6 +2355,7 @@ report_capabilities1() {
    report_capability1 IPRANGE_MATCH
    report_capability1 RECENT_MATCH
    report_capability1 OWNER_MATCH
    report_capability1 OWNER_NAME_MATCH
    report_capability1 IPSET_MATCH
    report_capability1 OLD_IPSET_MATCH
    report_capability1 CONNMARK
@@ -2950,14 +2992,12 @@ shorewall_cli() {
    g_annotate=
    g_recovering=
    g_timestamp=
    g_libexec=/usr/share
    g_perllib=/usr/share/shorewall
    g_shorewalldir=
    VERBOSE=
    VERBOSITY=
-    [ -n "$g_lite" ] || . /usr/share/shorewall/lib.cli-std
+    [ -n "$g_lite" ] || . ${g_basedir}/lib.cli-std
    finished=0
@@ -3062,7 +3102,7 @@ shorewall_cli() {
    PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
    MUTEX_TIMEOUT=
-    [ -f ${CONFDIR}/vardir ] && . ${CONFDIR}/vardir
+    [ -f ${g_confdir}/vardir ] && . ${g_confdir}/vardir
    [ -n "${VARDIR:=/var/lib/$g_program}" ]
@@ -3072,7 +3112,7 @@ shorewall_cli() {
    g_firewall=${VARDIR}/firewall
-    version_file=$SHAREDIR/version
+    version_file=${g_sharedir}/version
    if [ -f $version_file ]; then
 	SHOREWALL_VERSION=$(cat $version_file)
    else
--- a/Shorewall-core/lib.common
+++ b/Shorewall-core/lib.common
@@ -676,7 +676,7 @@ find_file()
 		fi
 	    done
-	    echo ${CONFDIR}/$1
+	    echo ${g_confdir}/$1
 	    ;;
    esac
 }
--- a/Shorewall-core/shorewallrc.apple
+++ b/Shorewall-core/shorewallrc.apple
@@ -0,0 +1,20 @@
 #
 # Apple OS X Shorewall 4.5 rc file
 #
 BUILD=apple
 HOST=apple
 PREFIX=/usr                            #Top-level directory for shared files, libraries, etc.
 SHAREDIR=${PREFIX}/share               #Directory for arch-neutral files.
 LIBEXECDIR=${PREFIX}/share             #Directory for executable scripts.
 PERLLIBDIR=${PREFIX}/share/shorewall   #Directory to install Shorewall Perl module directory
 CONFDIR=/etc                           #Directory where subsystem configurations are installed
 SBINDIR=/sbin                          #Directory where system administration programs are installed
 MANDIR=${SHAREDIR}/man                 #Directory where manpages are installed.
 INITDIR=                               #Unused on OS X
 INITFILE=                              #Unused on OS X
 INITSOURCE=                            #Unused on OS X
 ANNOTATED=                             #Unused on OS X
 SYSTEMD=                               #Unused on OS X
 SYSCONFDIR=                            #Unused on OS X
 SPARSE=Yes                             #Only install $PRODUCT/$PRODUCT.conf in $CONFDIR.
 VARDIR=/var/lib                        #Unused on OS X
--- a/Shorewall-core/shorewallrc.archlinux
+++ b/Shorewall-core/shorewallrc.archlinux
@@ -0,0 +1,20 @@
 #
 # Archlinux Shorewall 4.5 rc file
 #
 BUILD=archlinux
 HOST=archlinux
 PREFIX=/usr                            #Top-level directory for shared files, libraries, etc.
 SHAREDIR=${PREFIX}/share               #Directory for arch-neutral files.
 LIBEXECDIR=${PREFIX}/share             #Directory for executable scripts.
 PERLLIBDIR=${PREFIX}/share/shorewall   #Directory to install Shorewall Perl module directory
 CONFDIR=/etc                           #Directory where subsystem configurations are installed
 SBINDIR=/sbin                          #Directory where system administration programs are installed
 MANDIR=${SHAREDIR}/man                 #Directory where manpages are installed.
 INITDIR=/etc/rc.d                      #Directory where SysV init scripts are installed.
 INITFILE=$PRODUCT                      #Name of the product's installed SysV init script
 INITSOURCE=init.sh                     #Name of the distributed file to be installed as the SysV init script
 ANNOTATED=                             #If non-zero, annotated configuration files are installed
 SYSCONFDIR=                            #Directory where SysV init parameter files are installed
 SYSTEMD=                               #Directory where .service files are installed (systems running systemd only)
 SPARSE=                                #If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR
 VARDIR=/var/lib                        #Directory where product variable data is stored.
--- a/Shorewall-core/shorewallrc.cygwin
+++ b/Shorewall-core/shorewallrc.cygwin
@@ -0,0 +1,20 @@
 #
 # Cygwin Shorewall 4.5 rc file
 #
 BUILD=cygwin
 HOST=cygwin
 PREFIX=/usr                           #Top-level directory for shared files, libraries, etc.
 SHAREDIR=${PREFIX}/share              #Directory for arch-neutral files.
 LIBEXECDIR=${PREFIX}/share            #Directory for executable scripts.
 PERLLIBDIR=${PREFIX}/share/shorewall  #Directory to install Shorewall Perl module directory
 CONFDIR=/etc                          #Directory where subsystem configurations are installed
 SBINDIR=/bin                          #Directory where system administration programs are installed
 MANDIR=${SHAREDIR}/man                #Directory where manpages are installed.
 INITDIR=/etc/init.d                   #Unused on Cygwin
 INITFILE=                             #Unused on Cygwin
 INITSOURCE=                           #Unused on Cygwin
 ANNOTATED=                            #Unused on Cygwin
 SYSTEMD=                              #Unused on Cygwin
 SYSCONFDIR=                           #Unused on Cygwin
 SPARSE=Yes                            #Only install $PRODUCT/$PRODUCT.conf in $CONFDIR.                     
 VARDIR=/var/lib                       #Unused on Cygwin
--- a/Shorewall-core/shorewallrc.debian
+++ b/Shorewall-core/shorewallrc.debian
@@ -0,0 +1,21 @@
 #
 # Debian Shorewall 4.5 rc file
 #
 BUILD=                                  #Default is to detect the build system
 HOST=debian
 PREFIX=/usr                             #Top-level directory for shared files, libraries, etc.
 SHAREDIR=${PREFIX}/share                #Directory for arch-neutral files.
 LIBEXECDIR=${PREFIX}/share              #Directory for executable scripts.
 PERLLIBDIR=${PREFIX}/share/shorewall    #Directory to install Shorewall Perl module directory
 CONFDIR=/etc                            #Directory where subsystem configurations are installed
 SBINDIR=/sbin                           #Directory where system administration programs are installed
 MANDIR=${PREFIX}/share/man              #Directory where manpages are installed.
 INITDIR=/etc/init.d                     #Directory where SysV init scripts are installed.
 INITFILE=$PRODUCT                       #Name of the product's installed SysV init script
 INITSOURCE=init.debian.sh               #Name of the distributed file to be installed as the SysV init script
 ANNOTATED=                              #If non-zero, annotated configuration files are installed
 SYSCONFFILE=default.debian              #Name of the distributed file to be installed in $SYSCONFDIR
 SYSCONFDIR=/etc/default                 #Directory where SysV init parameter files are installed
 SYSTEMD=                                #Directory where .service files are installed (systems running systemd only)
 SPARSE=Yes                              #If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR
 VARDIR=/var/lib                         #Directory where product variable data is stored.
--- a/Shorewall-core/shorewallrc.default
+++ b/Shorewall-core/shorewallrc.default
@@ -0,0 +1,21 @@
 #
 # Default Shorewall 4.5 rc file
 #
 HOST=linux                              #Generic Linux
 BUILD=                                  #Default is to detect the build system
 PREFIX=/usr                             #Top-level directory for shared files, libraries, etc.
 SHAREDIR=${PREFIX}/share                #Directory for arch-neutral files.
 LIBEXECDIR=${PREFIX}/share              #Directory for executable scripts.
 PERLLIBDIR=${PREFIX}/share/shorewall    #Directory to install Shorewall Perl module directory
 CONFDIR=/etc                            #Directory where subsystem configurations are installed
 SBINDIR=/sbin                           #Directory where system administration programs are installed
 MANDIR=${PREFIX}/man                    #Directory where manpages are installed.
 INITDIR=etc/init.d                      #Directory where SysV init scripts are installed.
 INITFILE=$PRODUCT                       #Name of the product's installed SysV init script
 INITSOURCE=init.sh                      #Name of the distributed file to be installed as the SysV init script
 ANNOTATED=                              #If non-zero, annotated configuration files are installed
 SYSTEMD=                                #Directory where .service files are installed (systems running systemd only)
 SYSCONFFILE=                            #Name of the distributed file to be installed in $SYSCONFDIR
 SYSCONFDIR=                             #Directory where SysV init parameter files are installed
 SPARSE=                                 #If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR
 VARDIR=/var/lib                         #Directory where product variable data is stored.
--- a/Shorewall-core/shorewallrc.redhat
+++ b/Shorewall-core/shorewallrc.redhat
@@ -0,0 +1,21 @@
 #
 # RedHat/FedoraShorewall 4.5 rc file
 #
 BUILD=                                  #Default is to detect the build system
 HOST=redhat
 PREFIX=/usr                             #Top-level directory for shared files, libraries, etc.
 SHAREDIR=${PREFIX}/share                #Directory for arch-neutral files.
 LIBEXECDIR=${PREFIX}/libexec            #Directory for executable scripts.
 PERLLIBDIR=/usr/share/perl5/vendor_perl #Directory to install Shorewall Perl module directory
 CONFDIR=/etc                            #Directory where subsystem configurations are installed
 SBINDIR=/sbin                           #Directory where system administration programs are installed
 MANDIR=${SHAREDIR}/man                  #Directory where manpages are installed.
 INITDIR=/etc/rc.d/init.d                #Directory where SysV init scripts are installed.
 INITFILE=$PRODUCT                       #Name of the product's installed SysV init script
 INITSOURCE=init.fedora.sh               #Name of the distributed file to be installed as the SysV init script
 ANNOTATED=                              #If non-zero, annotated configuration files are installed
 SYSTEMD=/lib/systemd/system             #Directory where .service files are installed (systems running systemd only)
 SYSCONFFILE=sysconfig                   #Name of the distributed file to be installed as $SYSCONFDIR/$PRODUCT
 SYSCONFDIR=/etc/sysconfig/              #Directory where SysV init parameter files are installed
 SPARSE=                                 #If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR
 VARDIR=/var/lib                         #Directory where product variable data is stored.
--- a/Shorewall-core/shorewallrc.slackware
+++ b/Shorewall-core/shorewallrc.slackware
@@ -0,0 +1,22 @@
 #
 # Slackware Shorewall 4.5 rc file
 #
 BUILD=slackware
 HOST=slackware
 PREFIX=/usr                                #Top-level directory for shared files, libraries, etc.
 SHAREDIR=${PREFIX}/share                   #Directory for arch-neutral files.
 LIBEXECDIR=${PREFIX}/share                 #Directory for executable scripts.
 PERLLIBDIR=${PREFIX}/share/shorewall       #Directory to install Shorewall Perl module directory
 CONFDIR=/etc                               #Directory where subsystem configurations are installed
 SBINDIR=/sbin                              #Directory where system administration programs are installed
 MANDIR=${PREFIX}/man                       #Directory where manpages are installed.
 INITDIR=/etc/rc.d                          #Directory where SysV init scripts are installed.
 INITSOURCE=init.slackware.firewall.sh      #Name of the distributed file to be installed as the SysV init script
 INITFILE=rc.firewall                       #Name of the product's installed SysV init script
 AUXINITSOURCE=init.slackware.$PRODUCT.sh   #Name of the distributed file to be installed as a second SysV init script
 AUXINITFILE=rc.$PRODUCT                    #Name of the product's installed second init script
 SYSTEMD=                                   #Name of the directory where .service files are installed (systems running systemd only)
 SYSCONFFILE=                               #Name of the distributed file to be installed in $SYSCONFDIR
 SYSCONFDIR=                                #Name of the directory where SysV init parameter files are installed.
 ANNOTATED=                                 #If non-empty, install annotated configuration files
 VARDIR=/var/lib                            #Directory where product variable data is stored.
--- a/Shorewall-core/shorewallrc.suse
+++ b/Shorewall-core/shorewallrc.suse
@@ -0,0 +1,21 @@
 #
 # SuSE Shorewall 4.5 rc file
 #
 BUILD=                                                #Default is to detect the build system
 HOST=suse
 PREFIX=/usr                                           #Top-level directory for shared files, libraries, etc.
 CONFDIR=/etc                                          #Directory where subsystem configurations are installed
 SHAREDIR=${PREFIX}/share                              #Directory for arch-neutral files.
 LIBEXECDIR=${PREFIX}/lib                              #Directory for executable scripts.
 PERLLIBDIR=${PREFIX}/lib/perl5/vendor_perl/5.14.2     #Directory to install Shorewall Perl module directory
 SBINDIR=/sbin                                         #Directory where system administration programs are installed
 MANDIR=${SHAREDIR}/man/                               #Directory where manpages are installed.
 INITDIR=/etc/init.d                                   #Directory where SysV init scripts are installed.
 INITFILE=$PRODUCT                                     #Name of the product's SysV init script
 INITSOURCE=init.sh                                    #Name of the distributed file to be installed as the SysV init script
 ANNOTATED=                                            #If non-zero, annotated configuration files are installed
 SYSTEMD=                                              #Directory where .service files are installed (systems running systemd only)
 SYSCONFFILE=                                          #Name of the distributed file to be installed in $SYSCONFDIR
 SYSCONFDIR=/etc/sysconfig/                            #Directory where SysV init parameter files are installed
 SPARSE=                                               #If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR
 VARDIR=/var/lib                                       #Directory where persistent product data is stored.
--- a/Shorewall-core/uninstall.sh
+++ b/Shorewall-core/uninstall.sh
@@ -31,7 +31,7 @@ VERSION=xxx #The Build script inserts the actual version
 usage() # $1 = exit status
 {
    ME=$(basename $0)
-    echo "usage: $ME"
+    echo "usage: $ME [ <shorewallrc file> ]"
    exit $1
 }
@@ -60,8 +60,37 @@ remove_file() # $1 = file to restore
    fi
 }
-if [ -f /usr/share/shorewall/coreversion ]; then
+#
-    INSTALLED_VERSION="$(cat /usr/share/shorewall/coreversion)"
+# Read the RC file
 #
 if [ $# -eq 0 ]; then
    if [ -f ./shorewallrc ]; then
 	. ./shorewallrc
    elif [ -f ~/.shorewallrc ]; then
 	. ~/.shorewallrc || exit 1
 	file=./.shorewallrc
    elif [ -f /usr/share/shorewall/shorewallrc ]; then
 	. /usr/share/shorewall/shorewallrc
    else
 	fatal_error "No configuration file specified and /usr/share/shorewall/shorewallrc not found"
    fi
 elif [ $# -eq 1 ]; then
    file=$1
    case $file in
 	/*|.*)
 	    ;;
 	*)
 	    file=./$file
 	    ;;
    esac
    . $file
 else
    usage 1
 fi
 if [ -f ${SHAREDIR}/shorewall/coreversion ]; then
    INSTALLED_VERSION="$(cat ${SHAREDIR}/shorewall/coreversion)"
    if [ "$INSTALLED_VERSION" != "$VERSION" ]; then
 	echo "WARNING: Shorewall Core Version $INSTALLED_VERSION is installed"
 	echo "         and this is the $VERSION uninstaller."
@@ -72,12 +101,9 @@ else
    VERSION=""
 fi
 [ -n "${LIBEXEC:=/usr/share}" ]
 [ -n "${PERLLIB:=/usr/share/shorewall}" ]
 echo "Uninstalling Shorewall Core $VERSION"
-rm -rf /usr/share/shorewall
+rm -rf ${SHAREDIR}/shorewall
 echo "Shorewall Core Uninstalled"
--- a/Shorewall-init/ifupdown.sh
+++ b/Shorewall-init/ifupdown.sh
@@ -71,6 +71,11 @@ Debian_SuSE_ppp() {
 IFUPDOWN=0
 PRODUCTS=
 #
 # The installer may alter this
 #
 . /usr/share/shorewall/shorewallrc
 if [ -f /etc/default/shorewall-init ]; then
    . /etc/default/shorewall-init
 elif [ -f /etc/sysconfig/shorewall-init ]; then
@@ -182,15 +187,19 @@ else
 fi
 for PRODUCT in $PRODUCTS; do
-    VARDIR=/var/lib/$PRODUCT
+    #
-    [ -f /etc/$PRODUCT/vardir ] && . /etc/$PRODUCT/vardir
+    # For backward compatibility, lib.base appends the product name to VARDIR
-    if [ -x $VARDIR/firewall ]; then
+    # Save it here and restore it below
-	  ( . /usr/share/$PRODUCT/lib.base
+    #
    save_vardir=${VARDIR}
    if [ -x $VARDIR/$PRODUCT/firewall ]; then
 	  ( . ${SHAREDIR}/shorewall/lib.base
 	    mutex_on
 	    ${VARDIR}/firewall -V0 $COMMAND $INTERFACE || echo_notdone
 	    mutex_off
 	  )
    fi
    VARDIR=${save_vardir}
 done
 exit 0
--- a/Shorewall-init/init.debian.sh
+++ b/Shorewall-init/init.debian.sh
@@ -1,10 +1,10 @@
 #!/bin/sh
 #
-#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V4.4
+#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V4.5
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2010 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2010,2012 - Tom Eastep (teastep@shorewall.net)
 #
 #       On most distributions, this file should be called /etc/init.d/shorewall.
 #
@@ -62,10 +62,15 @@ not_configured () {
 	exit 0
 }
 #
 # The installer may alter this
 #
 . /usr/share/shorewall/shorewallrc
 # check if shorewall-init is configured or not
-if [ -f "/etc/default/shorewall-init" ]
+if [ -f "$SYSCONFDIR/shorewall-init" ]
 then
-	. /etc/default/shorewall-init
+	. $SYSCONFDIR/shorewall-init
 	if [ -z "$PRODUCTS" ]
 	then
 		not_configured
--- a/Shorewall-init/init.fedora.sh
+++ b/Shorewall-init/init.fedora.sh
@@ -13,6 +13,15 @@
 # Description:       Place the firewall in a safe state at boot time
 #                    prior to bringing up the network.  
 ### END INIT INFO
 #determine where the files were installed
 if [ -f ~/.shorewallrc ]; then
    . ~/.shorewallrc || exit 1
 else
    SBINDIR=/sbin
    SYSCONFDIR=/etc/default
    VARDIR=/var/lib
 fi
 prog="shorewall-init"
 logger="logger -i -t $prog"
 lockfile="/var/lock/subsys/shorewall-init"
@@ -44,10 +53,8 @@ start () {
    echo -n "Initializing \"Shorewall-based firewalls\": "
    for product in $PRODUCTS; do
-	vardir=/var/lib/$product
+	if [ -x ${VARDIR}/$product/firewall ]; then
-	[ -f /etc/$product/vardir ] && . /etc/$product/vardir 
+	    ${VARDIR}/$product/firewall stop 2>&1 | $logger
 	if [ -x ${vardir}/firewall ]; then
 	    ${vardir}/firewall stop 2>&1 | $logger
 	    retval=${PIPESTATUS[0]}
 	    [ retval -ne 0 ] && break
 	fi
@@ -70,10 +77,8 @@ stop () {
    echo -n "Clearing \"Shorewall-based firewalls\": "
    for product in $PRODUCTS; do
-	vardir=/var/lib/$product
+	if [ -x ${VARDIR}/$product/firewall ]; then
-	[ -f /etc/$product/vardir ] && . /etc/$product/vardir 
+	    ${VARDIR}/$product/firewall clear 2>&1 | $logger
 	if [ -x ${vardir}/firewall ]; then
 	    ${vardir}/firewall clear 2>&1 | $logger
 	    retval=${PIPESTATUS[0]}
 	    [ retval -ne 0 ] && break
 	fi
--- a/Shorewall-init/init.sh
+++ b/Shorewall-init/init.sh
@@ -1,9 +1,9 @@
 #! /bin/bash
-#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V4.4
+#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V4.5
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2010 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2010,2012 - Tom Eastep (teastep@shorewall.net)
 #
 #       On most distributions, this file should be called /etc/init.d/shorewall.
 #
@@ -53,6 +53,11 @@ else
 	exit 0
 fi
 #
 # The installer may alter this
 #
 . /usr/share/shorewall/shorewallrc
 # Initialize the firewall
 shorewall_start () {
  local PRODUCT
@@ -60,10 +65,8 @@ shorewall_start () {
  echo -n "Initializing \"Shorewall-based firewalls\": "
  for PRODUCT in $PRODUCTS; do
      VARDIR=/var/lib/$PRODUCT
      [ -f /etc/$PRODUCT/vardir ] && . /etc/$PRODUCT/vardir 
      if [ -x ${VARDIR}/firewall ]; then
-	  if ! /sbin/$PRODUCT status > /dev/null 2>&1; then
+	  if ! ${SBIN}/$PRODUCT status > /dev/null 2>&1; then
 	      ${VARDIR}/firewall stop || echo_notdone
 	  fi
      fi
@@ -83,8 +86,6 @@ shorewall_stop () {
  echo -n "Clearing \"Shorewall-based firewalls\": "
  for PRODUCT in $PRODUCTS; do
      VARDIR=/var/lib/$PRODUCT
      [ -f /etc/$PRODUCT/vardir ] && . /etc/$PRODUCT/vardir 
      if [ -x ${VARDIR}/firewall ]; then
 	  ${VARDIR}/firewall clear || exit 1
      fi
--- a/Shorewall-init/install.sh
+++ b/Shorewall-init/install.sh
@@ -28,12 +28,18 @@ VERSION=xxx #The Build script inserts the actual version.
 usage() # $1 = exit status
 {
    ME=$(basename $0)
-    echo "usage: $ME"
+    echo "usage: $ME [ <configuration-file> ]"
    echo "       $ME -v"
    echo "       $ME -h"
    exit $1
 }
 fatal_error() 
 {
    echo "   ERROR: $@" >&2
    exit 1
 }
 split() {
    local ifs
    ifs=$IFS
@@ -76,9 +82,9 @@ cant_autostart()
    echo  "WARNING: Unable to configure shorewall init to start automatically at boot" >&2
 }
-delete_file() # $1 = file to delete
+require() 
 {
-    rm -f $1
+    eval [ -n "\$$1" ] || fatal_error "Required option $1 not set"
 }
 install_file() # $1 = source $2 = target $3 = mode
@@ -88,44 +94,78 @@ install_file() # $1 = source $2 = target $3 = mode
 cd "$(dirname $0)"
-#
+PRODUCT=shorewall-init
 # Load packager's settings if any
 #
 [ -f ../shorewall-pkg.config ] && . ../shorewall-pkg.config
-[ -n "$DESTDIR" ] || DESTDIR="$PREFIX"
+#
 # Parse the run line
 #
 finished=0
-while [ $# -gt 0 ] ; do
+while [ $finished -eq 0 ] ; do
    case "$1" in
-	-h|help|?)
+	-*)
-	    usage 0
+	    option=${option#-}
-	    ;;
+
-        -v)
+	    while [ -n "$option" ]; do
-	    echo "Shorewall Init Installer Version $VERSION"
+		case $option in
-	    exit 0
+		    h)
 			usage 0
 			;;
 		    v)
 			echo "Shorewall-init Firewall Installer Version $VERSION"
 			exit 0
 			;;
 		    *)
 			usage 1
 			;;
 		esac
 	    done
 	    shift
 	    ;;
 	*)
-	    usage 1
+	    finished=1
 	    ;;
    esac
-    shift
+done
 #
 # Read the RC file
 #
 if [ $# -eq 0 ]; then
    #
    # Load packager's settings if any
    #
    if [ -f ./shorewallrc ]; then
 	. ./shorewallrc || exit 1
 	file=~/.shorewallrc
    elif [ -f ~/.shorewallrc ]; then
 	. ~/.shorewallrc || exit 1
 	file=./.shorewallrc
     else
 	fatal_error "No configuration file specified and ~/.shorewallrc not found"
    fi
 elif [ $# -eq 1 ]; then
    file=$1
    case $file in
 	/*|.*)
 	    ;;
 	*)
 	    file=./$file
 	    ;;
    esac
    . $file
 else
    usage 1
 fi
 for var in SHAREDIR LIBEXECDIR CONFDIR SBINDIR VARDIR; do
    require $var
 done
 PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
 [ -n "${LIBEXEC:=/usr/share}" ]
 case "$LIBEXEC" in
    /*)
 	;;
    *)
 	echo "The LIBEXEC setting must be an absolute path name" >&2
 	exit 1
 	;;
 esac
 INITFILE="shorewall-init"
 if [ -z "$BUILD" ]; then
    case $(uname) in
 	cygwin*)
@@ -174,11 +214,9 @@ OWNERSHIP="-o $OWNER -g $GROUP"
 case "$HOST" in
    debian)
 	echo "Installing Debian-specific configuration..."
 	SPARSE=yes
 	;;
    redhat|redhat)
 	echo "Installing Redhat/Fedora-specific configuration..."
 	[ -n "$INITDIR" ] || INITDIR=/etc/rc.d/init.d
 	;;
    slackware)
 	echo "Shorewall-init is currently not supported on Slackware" >&2
@@ -202,10 +240,6 @@ esac
 [ -z "$TARGET" ] && TARGET=$HOST
 if [ -z "$INITDIR" -a -n "$INITFILE" ] ; then
    INITDIR="/etc/init.d"
 fi
 if [ -n "$DESTDIR" ]; then
    if [ `id -u` != 0 ] ; then
 	echo "Not setting file owner/group permissions, not running as root."
@@ -215,57 +249,44 @@ if [ -n "$DESTDIR" ]; then
    install -d $OWNERSHIP -m 755 ${DESTDIR}${INITDIR}
 fi
 if [ -z "$DESTDIR" ]; then
    if [ -d /lib/systemd/system ]; then
 	SYSTEMD=Yes
 	INITFILE=
    fi
 elif [ -n "$SYSTEMD" ]; then
    mkdir -p ${DESTDIR}/lib/systemd/system
    INITFILE=
 fi
 echo "Installing Shorewall Init Version $VERSION"
 #
 # Check for /usr/share/shorewall-init/version
 #
-if [ -f ${DESTDIR}/usr/share/shorewall-init/version ]; then
+if [ -f ${DESTDIR}${SHAREDIR}/shorewall-init/version ]; then
    first_install=""
 else
    first_install="Yes"
 fi
 #
 # Install the Firewall Script
 #
 if [ -n "$INITFILE" ]; then
-    #
+    install_file $INITSOURCE ${DESTDIR}${INITDIR}/$INITFILE 0544
-    # Install the Init Script
+    [ "${SHAREDIR}" = /usr/share ] || eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${INITDIR}/$INITFILE
-    #
+    
-    case $TARGET in
+    if [ -n "${AUXINITSOURCE}" ]; then
-	debian)
+	install_file $INITSOURCE ${DESTDIR}${INITDIR}/$AUXINITFILE 0544
-	    install_file init.debian.sh ${DESTDIR}${INITDIR}/${INITFILE} 0544
+    fi
 	    ;;
 	redhat)
 	    install_file init.fedora.sh ${DESTDIR}${INITDIR}/${INITFILE} 0544
 	    ;;
 	*)
 	    install_file init.sh ${DESTDIR}${INITDIR}/${INITFILE} 0544
 	    ;;
    esac
-    echo  "Shorewall-init script installed in ${DESTDIR}${INITDIR}/${INITFILE}"
+    echo  "Shorewall-init script installed in ${DESTDIR}${INITDIR}/$INITFILE"
 fi
 #
 # Install the .service file
 #
 if [ -n "$SYSTEMD" ]; then
-    run_install $OWNERSHIP -m 600 shorewall-init.service ${DESTDIR}/lib/systemd/system/shorewall-init.service
+    mkdir -p ${DESTDIR}${SYSTEMD}
-    echo "Service file installed as ${DESTDIR}/lib/systemd/system/shorewall-init.service"
+    run_install $OWNERSHIP -m 600 shorewall-init.service ${DESTDIR}${SYSTEMD}/shorewall-init.service
    echo "Service file installed as ${DESTDIR}${SYSTEMD}/shorewall-init.service"
    if [ -n "$DESTDIR" ]; then
-	mkdir -p ${DESTDIR}/sbin/
+	mkdir -p ${DESTDIR}${SBINDIR}
-        chmod 755 ${DESTDIR}/sbin
+        chmod 755 ${DESTDIR}${SBINDIR}
    fi
-    run_install $OWNERSHIP -m 700 shorewall-init ${DESTDIR}/sbin/shorewall-init
+    run_install $OWNERSHIP -m 700 shorewall-init ${DESTDIR}${SBINDIR}/shorewall-init
-    echo "CLI installed as ${DESTDIR}/sbin/shorewall-init"
+    echo "CLI installed as ${DESTDIR}${SBINDIR}/shorewall-init"
 fi
 #
@@ -285,7 +306,7 @@ chmod 644 ${DESTDIR}/usr/share/shorewall-init/version
 #
 if [ -z "$DESTDIR" ]; then
    rm -f /usr/share/shorewall-init/init
-    ln -s ${INITDIR}/${INITFILE} /usr/share/shorewall-init/init
+    ln -s ${INITDIR}/${INITFILE} ${SHAREDIR}/shorewall-init/init
 fi
 if [ $HOST = debian ]; then
@@ -303,20 +324,20 @@ if [ $HOST = debian ]; then
    fi
 else
    if [ -n "$DESTDIR" ]; then
-	mkdir -p ${DESTDIR}/etc/sysconfig
+	mkdir -p ${DESTDIR}${SYSCONFDIR}
 	if [ -z "$RPM" ]; then
 	    if [ $HOST = suse ]; then
 		mkdir -p ${DESTDIR}/etc/sysconfig/network/if-up.d
-		mkdir -p ${DESTDIR}/etc/sysconfig/network/if-down.d
+		mkdir -p ${DESTDIR}${SYSCONFDIR}/network/if-down.d
 	    else
 		mkdir -p ${DESTDIR}/etc/NetworkManager/dispatcher.d
 	    fi
 	fi
    fi
-    if [ -d ${DESTDIR}/etc/sysconfig -a ! -f ${DESTDIR}/etc/sysconfig/shorewall-init ]; then
+    if [ -d ${DESTDIR}${SYSCONFDIR} -a ! -f ${DESTDIR}${SYSCONFDIR}/shorewall-init ]; then
-	install_file sysconfig ${DESTDIR}/etc/sysconfig/shorewall-init 0644
+	install_file sysconfig ${DESTDIR}${SYSCONFDIR}/shorewall-init 0644
    fi 
 fi
@@ -324,31 +345,35 @@ fi
 # Install the ifupdown script
 #
-mkdir -p ${DESTDIR}${LIBEXEC}/shorewall-init
+cp ifupdown.sh ifupdown
-install_file ifupdown.sh ${DESTDIR}${LIBEXEC}/shorewall-init/ifupdown 0544
+d[ "${SHAREDIR}" = /usr/share ] || eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ifupdown
 mkdir -p ${DESTDIR}${LIBEXECDIR}/shorewall-init
 install_file ifupdown ${DESTDIR}${LIBEXECDIR}/shorewall-init/ifupdown 0544
 if [ -d ${DESTDIR}/etc/NetworkManager ]; then
-    install_file ifupdown.sh ${DESTDIR}/etc/NetworkManager/dispatcher.d/01-shorewall 0544
+    install_file ifupdown ${DESTDIR}/etc/NetworkManager/dispatcher.d/01-shorewall 0544
 fi
 case $HOST in
    debian)
-	install_file ifupdown.sh ${DESTDIR}/etc/network/if-up.d/shorewall 0544
+	install_file ifupdown ${DESTDIR}/etc/network/if-up.d/shorewall 0544
-	install_file ifupdown.sh ${DESTDIR}/etc/network/if-post-down.d/shorewall 0544
+	install_file ifupdown ${DESTDIR}/etc/network/if-post-down.d/shorewall 0544
 	;;
    suse)
 	if [ -z "$RPM" ]; then
-	    install_file ifupdown.sh ${DESTDIR}/etc/sysconfig/network/if-up.d/shorewall 0544
+	    install_file ifupdown ${DESTDIR}${SYSCONFDIR}/network/if-up.d/shorewall 0544
-	    install_file ifupdown.sh ${DESTDIR}/etc/sysconfig/network/if-down.d/shorewall 0544
+	    install_file ifupdown ${DESTDIR}${SYSCONFDIR}/network/if-down.d/shorewall 0544
 	fi
 	;;
    redhat)
-	if [ -f ${DESTDIR}/sbin/ifup-local -o -f ${DESTDIR}/sbin/ifdown-local ]; then
+	if [ -f ${DESTDIR}${SBINDIR}/ifup-local -o -f ${DESTDIR}${SBINDIR}/ifdown-local ]; then
-	    echo "WARNING: /sbin/ifup-local and/or /sbin/ifdown-local already exist; up/down events will not be handled"
+	    echo "WARNING: ${SBINDIR}/ifup-local and/or ${SBINDIR}/ifdown-local already exist; up/down events will not be handled"
 	elif [ -z "$DESTDIR" ]; then
-	    install_file ifupdown.sh ${DESTDIR}/sbin/ifup-local 0544
+	    install_file ifupdown ${DESTDIR}${SBINDIR}/ifup-local 0544
-	    install_file ifupdown.sh ${DESTDIR}/sbin/ifdown-local 0544
+	    install_file ifupdown ${DESTDIR}${SBINDIR}/ifdown-local 0544
 	fi
 	;;
 esac
@@ -365,20 +390,20 @@ if [ -z "$DESTDIR" ]; then
 		if systemctl enable shorewall-init; then
 		    echo "Shorewall Init will start automatically at boot"
 		fi
-	    elif [ -x /sbin/insserv -o -x /usr/sbin/insserv ]; then
+	    elif [ -x ${SBINDIR}/insserv -o -x /usr${SBINDIR}/insserv ]; then
-		if insserv /etc/init.d/shorewall-init ; then
+		if insserv ${INITDIR}/shorewall-init ; then
 		    echo "Shorewall Init will start automatically at boot"
 		else
 		    cant_autostart
 		fi
-	    elif [ -x /sbin/chkconfig -o -x /usr/sbin/chkconfig ]; then
+	    elif [ -x ${SBINDIR}/chkconfig -o -x /usr${SBINDIR}/chkconfig ]; then
 		if chkconfig --add shorewall-init ; then
 		    echo "Shorewall Init will start automatically in run levels as follows:"
 		    chkconfig --list shorewall-init
 		else
 		    cant_autostart
 		fi
-	    elif [ -x /sbin/rc-update ]; then
+	    elif [ -x ${SBINDIR}/rc-update ]; then
 		if rc-update add shorewall-init default; then
 		    echo "Shorewall Init will start automatically at boot"
 		else
@@ -387,7 +412,6 @@ if [ -z "$DESTDIR" ]; then
 	    else
 		cant_autostart
 	    fi
 	fi
    fi
 else
@@ -397,18 +421,20 @@ else
 		mkdir -p ${DESTDIR}/etc/rcS.d
 	    fi
-	    ln -sf ../init.d/shorewall-init ${DESTDIR}/etc/rcS.d/S38shorewall-init
+	    ln -sf ../init.d/shorewall-init ${DESTDIR}${CONFDIR}/rcS.d/S38shorewall-init
 	    echo "Shorewall Init will start automatically at boot"
 	fi
    fi
 fi
 [ -z "${DESTDIR}" ] && [ ! -f ~/.shorewallrc ] && cp ${SHAREDIR}/shorewall/shorewallrc .
 if [ -f ${DESTDIR}/etc/ppp ]; then
    case $HOST in
 	debian|suse)
 	    for directory in ip-up.d ip-down.d ipv6-up.d ipv6-down.d; do
 		mkdir -p ${DESTDIR}/etc/ppp/$directory #SuSE doesn't create the IPv6 directories
-		cp -fp ${DESTDIR}${LIBEXEC}/shorewall-init/ifupdown ${DESTDIR}/etc/ppp/$directory/shorewall
+		cp -fp ${DESTDIR}${LIBEXECDIR}/shorewall-init/ifupdown ${DESTDIR}${CONFDIR}/ppp/$directory/shorewall
 	    done
 	    ;;
 	redhat)
@@ -419,13 +445,13 @@ if [ -f ${DESTDIR}/etc/ppp ]; then
 		FILE=${DESTDIR}/etc/ppp/$file
 		if [ -f $FILE ]; then
 		    if fgrep -q Shorewall-based $FILE ; then
-			cp -fp ${DESTDIR}${LIBEXEC}/shorewall-init/ifupdown $FILE
+			cp -fp ${DESTDIR}${LIBEXECDIR}/shorewall-init/ifupdown $FILE
 		    else
 			echo "$FILE already exists -- ppp devices will not be handled"
 			break
 		    fi
 		else
-		    cp -fp ${DESTDIR}${LIBEXEC}/shorewall-init/ifupdown $FILE
+		    cp -fp ${DESTDIR}${LIBEXECDIR}/shorewall-init/ifupdown $FILE
 		fi
 	    done
 	    ;;
--- a/Shorewall-init/shorewall-init
+++ b/Shorewall-init/shorewall-init
@@ -23,9 +23,14 @@
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 #########################################################################################
 #
 # This is modified by the installer when ${SHAREDIR} <> /usr/share
 #
 . /usr/share/shorewall/shorewallrc
 # check if shorewall-init is configured or not
-if [ -f "/etc/sysconfig/shorewall-init" ]; then
+if [ -f "$SYSCONFDIR/shorewall-init" ]; then
-    . /etc/sysconfig/shorewall-init
+    . $SYSCONFDIR/shorewall-init
    if [ -z "$PRODUCTS" ]; then
        echo "ERROR: No products configured" >&2
 	exit 1
@@ -42,8 +47,6 @@ shorewall_start () {
  echo -n "Initializing \"Shorewall-based firewalls\": "
  for PRODUCT in $PRODUCTS; do
      VARDIR=/var/lib/$PRODUCT
      [ -f /etc/$PRODUCT/vardir ] && . /etc/$PRODUCT/vardir 
      if [ -x ${VARDIR}/firewall ]; then
 	  if ! /sbin/$PRODUCT status > /dev/null 2>&1; then
 	      ${VARDIR}/firewall stop || exit 1
--- a/Shorewall-init/uninstall.sh
+++ b/Shorewall-init/uninstall.sh
@@ -31,7 +31,7 @@ VERSION=xxx  #The Build script inserts the actual version
 usage() # $1 = exit status
 {
    ME=$(basename $0)
-    echo "usage: $ME"
+    echo "usage: $ME [ <shorewallrc file> ]"
    exit $1
 }
@@ -40,6 +40,27 @@ qt()
    "$@" >/dev/null 2>&1
 }
 split() {
    local ifs
    ifs=$IFS
    IFS=:
    set -- $1
    echo $*
    IFS=$ifs
 }
 mywhich() {
    local dir
    for dir in $(split $PATH); do
 	if [ -x $dir/$1 ]; then
 	    return 0
 	fi
    done
    return 2
 }
 remove_file() # $1 = file to restore
 {
    if [ -f $1 -o -L $1 ] ; then
@@ -48,8 +69,37 @@ remove_file() # $1 = file to restore
    fi
 }
-if [ -f /usr/share/shorewall-init/version ]; then
+#
-    INSTALLED_VERSION="$(cat /usr/share/shorewall-init/version)"
+# Read the RC file
 #
 if [ $# -eq 0 ]; then
    if [ -f ./shorewallrc ]; then
 	. ./shorewallrc
    elif [ -f ~/.shorewallrc ]; then
 	. ~/.shorewallrc || exit 1
 	file=./.shorewallrc
    elif [ -f /usr/share/shorewall/shorewallrc ]; then
 	. /usr/share/shorewall/shorewallrc
    else
 	fatal_error "No configuration file specified and /usr/share/shorewall/shorewallrc not found"
    fi
 elif [ $# -eq 1 ]; then
    file=$1
    case $file in
 	/*|.*)
 	    ;;
 	*)
 	    file=./$file
 	    ;;
    esac
    . $file || exit 1
 else
    usage 1
 fi
 if [ -f ${SHAREDIR}/shorewall-init/version ]; then
    INSTALLED_VERSION="$(cat ${SHAREDIR}/shorewall-init/version)"
    if [ "$INSTALLED_VERSION" != "$VERSION" ]; then
 	echo "WARNING: Shorewall Init Version $INSTALLED_VERSION is installed"
 	echo "         and this is the $VERSION uninstaller."
@@ -60,56 +110,55 @@ else
    VERSION=""
 fi
-[ -n "${LIBEXEC:=/usr/share}" ]
+[ -n "${LIBEXEC:=${SHAREDIR}}" ]
 echo "Uninstalling Shorewall Init $VERSION"
-INITSCRIPT=/etc/init.d/shorewall-init
+INITSCRIPT=${CONFDIR}/init.d/shorewall-init
-if [ -n "$INITSCRIPT" ]; then
+if [ -f "$INITSCRIPT" ]; then
-    if [ -x /usr/sbin/updaterc.d ]; then
+    if mywhich updaterc.d ; then
 	updaterc.d shorewall-init remove
-    elif [ -x /sbin/insserv -o -x /usr/sbin/insserv ]; then
+    elif mywhich insserv ; then
        insserv -r $INITSCRIPT
-    elif [ -x /sbin/chkconfig -o -x /usr/sbin/chkconfig ]; then
+    elif mywhich chkconfig ; then
 	chkconfig --del $(basename $INITSCRIPT)
-    elif [ -x /sbin/systemctl ]; then
+    elif mywhich systemctl ; then
 	systemctl disable shorewall-init
    else
 	rm -f /etc/rc*.d/*$(basename $INITSCRIPT)
    fi
    remove_file $INITSCRIPT
 fi
-[ "$(readlink -m -q /sbin/ifup-local)"   = /usr/share/shorewall-init ] && remove_file /sbin/ifup-local
+[ "$(readlink -m -q ${SBINDIR}/ifup-local)"   = ${SHAREDIR}/shorewall-init ] && remove_file ${SBINDIR}/ifup-local
-[ "$(readlink -m -q /sbin/ifdown-local)" = /usr/share/shorewall-init ] && remove_file /sbin/ifdown-local
+[ "$(readlink -m -q ${SBINDIR}/ifdown-local)" = ${SHAREDIR}/shorewall-init ] && remove_file ${SBINDIR}/ifdown-local
-remove_file /etc/default/shorewall-init
+remove_file ${CONFDIR}/default/shorewall-init
-remove_file /etc/sysconfig/shorewall-init
+remove_file ${CONFDIR}/sysconfig/shorewall-init
-remove_file /etc/NetworkManager/dispatcher.d/01-shorewall
+remove_file ${CONFDIR}/NetworkManager/dispatcher.d/01-shorewall
-remove_file /etc/network/if-up.d/shorewall
+remove_file ${CONFDIR}/network/if-up.d/shorewall
-remove_file /etc/network/if-down.d/shorewall
+remove_file ${CONFDIR}/network/if-down.d/shorewall
-remove_file /etc/sysconfig/network/if-up.d/shorewall
+remove_file ${CONFDIR}/sysconfig/network/if-up.d/shorewall
-remove_file /etc/sysconfig/network/if-down.d/shorewall
+remove_file ${CONFDIR}/sysconfig/network/if-down.d/shorewall
 remove_file /lib/systemd/system/shorewall.service
-if [ -d /etc/ppp ]; then
+[ -n "$SYSTEMD" ] && remove_file ${SYSTEMD}/shorewall.service
 if [ -d ${CONFDIR}/ppp ]; then
    for directory in ip-up.d ip-down.d ipv6-up.d ipv6-down.d; do
-	remove_file /etc/ppp/$directory/shorewall
+	remove_file ${CONFDIR}/ppp/$directory/shorewall
    done
    for file in if-up.local if-down.local; do
-	if fgrep -q Shorewall-based /etc/ppp/$FILE; then
+	if fgrep -q Shorewall-based ${CONFDIR}/ppp/$FILE; then
-	    remove_file /etc/ppp/$FILE
+	    remove_file ${CONFDIR}/ppp/$FILE
 	fi
    done
 fi
-rm -rf /usr/share/shorewall-init
+rm -rf ${SHAREDIR}/shorewall-init
 rm -rf ${LIBEXEC}/shorewall-init
 echo "Shorewall Init Uninstalled"
--- a/Shorewall-lite/Makefile
+++ b/Shorewall-lite/Makefile
@@ -3,9 +3,9 @@ VARDIR=$(shell /sbin/shorewall-lite show vardir)
 SHAREDIR=/usr/share/shorewall-lite
 RESTOREFILE?=.restore
-all: $(VARDIR)/${RESTOREFILE}
+all: $(VARDIR)/$(RESTOREFILE)
-$(VARDIR)/${RESTOREFILE}: $(VARDIR)/firewall
+$(VARDIR)/$(RESTOREFILE): $(VARDIR)/firewall
 	@/sbin/shorewall-lite -q save >/dev/null; \
 	if \
 	    /sbin/shorewall-lite -q restart >/dev/null 2>&1; \
--- a/Shorewall-lite/init.debian.sh
+++ b/Shorewall-lite/init.debian.sh
@@ -57,17 +57,23 @@ not_configured () {
 	exit 0
 }
 #
 # The installer may alter this
 #
 . /usr/share/shorewall/shorewallrc
 # parse the shorewall params file in order to use params in
 # /etc/default/shorewall
-if [ -f "/etc/shorewall-lite/params" ]
+
 if [ -f "$CONFDIR/shorewall-lite/params" ]
 then
-	. /etc/shorewall-lite/params
+	. $CONFDIR/shorewall-lite/params
 fi
 # check if shorewall is configured or not
-if [ -f "/etc/default/shorewall-lite" ]
+if [ -f "$SYSCONFDIR/shorewall-lite" ]
 then
-	. /etc/default/shorewall-lite
+	. $SYSCONFDIR/shorewall-lite
 	SRWL_OPTS="$SRWL_OPTS $OPTIONS"
 	if [ "$startup" != "1" ]
 	then
--- a/Shorewall-lite/init.fedora.sh
+++ b/Shorewall-lite/init.fedora.sh
@@ -20,16 +20,21 @@
 # Source function library.
 . /etc/rc.d/init.d/functions
 #
 # The installer may alter this
 #
 . /usr/share/shorewall/shorewallrc
 prog="shorewall-lite"
-shorewall="/sbin/$prog"
+shorewall="${SBINDIR}/$prog"
 logger="logger -i -t $prog"
 lockfile="/var/lock/subsys/$prog"
 # Get startup options (override default)
 OPTIONS=
-if [ -f /etc/sysconfig/$prog ]; then
+if [ -f ${SYSCONFDIR}/$prog ]; then
-    . /etc/sysconfig/$prog
+    . ${SYSCONFDIR}/$prog
 fi
 start() {
--- a/Shorewall-lite/init.sh
+++ b/Shorewall-lite/init.sh
@@ -1,11 +1,11 @@
 #!/bin/sh
 RCDLINKS="2,S41 3,S41 6,K41"
 #
-#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V4.1
+#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V4.5
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 1999,2000,2001,2002,2003,2004,2005,2006,2007 - Tom Eastep (teastep@shorewall.net)
+#     (c) 1999,2000,2001,2002,2003,2004,2005,2006,2007,2012 - Tom Eastep (teastep@shorewall.net)
 #
 #	On most distributions, this file should be called /etc/init.d/shorewall.
 #
@@ -61,10 +61,14 @@ usage() {
 # Get startup options (override default)
 ################################################################################
 OPTIONS=
-if [ -f /etc/sysconfig/shorewall ]; then
+
-    . /etc/sysconfig/shorewall
+#
-elif [ -f /etc/default/shorewall ] ; then
+# The installer may alter this
-    . /etc/default/shorewall
+#
 . /usr/share/shorewall/shorewallrc
 if [ -f ${SYSCONFDIR}/shorewall-lite ]; then
    . ${SYSCONFDIR}/shorewall-lite
 fi
 SHOREWALL_INIT_SCRIPT=1
@@ -76,13 +80,13 @@ command="$1"
 case "$command" in
    start)
-	exec /sbin/shorewall-lite $OPTIONS start $STARTOPTIONS
+	exec ${SBINDIR}/shorewall-lite $OPTIONS start $STARTOPTIONS
 	;;
    restart|reload)
-	exec /sbin/shorewall-lite $OPTIONS restart $RESTARTOPTIONS
+	exec ${SBINDIR}/shorewall-lite $OPTIONS restart $RESTARTOPTIONS
 	;;
    status|stop)
-	exec /sbin/shorewall-lite $OPTIONS $command $@
+	exec ${SBINDIR}/shorewall-lite $OPTIONS $command $@
 	;;
    *)
 	usage
--- a/Shorewall-lite/install.sh
+++ b/Shorewall-lite/install.sh
@@ -27,12 +27,18 @@ VERSION=xxx #The Build script inserts the actual version
 usage() # $1 = exit status
 {
    ME=$(basename $0)
-    echo "usage: $ME"
+    echo "usage: $ME [ <configuration-file> ]"
    echo "       $ME -v"
    echo "       $ME -h"
    exit $1
 }
 fatal_error() 
 {
    echo "   ERROR: $@" >&2
    exit 1
 }
 split() {
    local ifs
    ifs=$IFS
@@ -85,16 +91,16 @@ install_file() # $1 = source $2 = target $3 = mode
    run_install $T $OWNERSHIP -m $3 $1 ${2}
 }
 require() 
 {
    eval [ -n "\$$1" ] || fatal_error "Required option $1 not set"
 }
 #
 # Change to the directory containing this script
 #
 cd "$(dirname $0)"
 #
 # Load packager's settings if any
 #
 [ -f ../shorewall-pkg.config ] && . ../shorewall-pkg.config
 if [ -f shorewall-lite ]; then
    PRODUCT=shorewall-lite
    Product="Shorewall Lite"
@@ -103,39 +109,73 @@ else
    Product="Shorewall6 Lite"
 fi
 [ -n "$DESTDIR" ] || DESTDIR="$PREFIX"
 #
 # Parse the run line
 #
-while [ $# -gt 0 ] ; do
+finished=0
 while [ $finished -eq 0 ] ; do
    case "$1" in
-	-h|help|?)
+	-*)
-	    usage 0
+	    option=${option#-}
-	    ;;
+	    
-        -v)
+	    while [ -n "$option" ]; do
-	    echo "$Product Firewall Installer Version $VERSION"
+		case $option in
-	    exit 0
+		    h)
 			usage 0
 			;;
 		    v)
 			echo "$Product Firewall Installer Version $VERSION"
 			exit 0
 			;;
 		    *)
 			usage 1
 			;;
 		esac
 	    done
 	    shift
 	    ;;
 	*)
-	    usage 1
+	    finished=1
 	    ;;
    esac
    shift
 done
-PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
+#
 # Read the RC file
 #
 if [ $# -eq 0 ]; then
    if [ -f ./shorewallrc ]; then
 	. ./shorewallrc || exit 1
 	file=./shorewallrc
    elif [ -f ~/.shorewallrc ]; then
 	. ~/.shorewallrc
    elif [ -f /usr/share/shorewall/shorewallrc ]; then
 	. /usr/share/shorewall/shorewallrc
    else
 	fatal_error "No configuration file specified and /usr/share/shorewall/shorewallrc not found"
    fi
 elif [ $# -eq 1 ]; then
    file=$1
    case $file in
 	/*|.*)
 	    ;;
 	*)
 	    file=./$file
 	    ;;
    esac
-[ -n "${LIBEXEC:=/usr/share}" ]
+    . $file
 else
    usage 1
 fi
-case "$LIBEXEC" in
+for var in SHAREDIR LIBEXECDIRDIRDIR CONFDIR SBINDIR VARDIR; do
-    /*)
+    require $var
-	;;
+done
-    *)
+
-	echo "The LIBEXEC setting must be an absolute path name" >&2
+PATH=${SBINDIR}:/bin:/usr${SBINDIR}:/usr/bin:/usr/local/bin:/usr/local${SBINDIR}
 	exit 1
 	;;
 esac
 #
 # Determine where to install the firewall script
@@ -154,15 +194,15 @@ if [ -z "$BUILD" ]; then
 	    BUILD=apple
 	    ;;
 	*)
-	    if [ -f /etc/debian_version ]; then
+	    if [ -f ${CONFDIR}/debian_version ]; then
 		BUILD=debian
-	    elif [ -f /etc/redhat-release ]; then
+	    elif [ -f ${CONFDIR}/redhat-release ]; then
 		BUILD=redhat
-	    elif [ -f /etc/SuSE-release ]; then
+	    elif [ -f ${CONFDIR}/SuSE-release ]; then
 		BUILD=suse
-	    elif [ -f /etc/slackware-version ] ; then
+	    elif [ -f ${CONFDIR}/slackware-version ] ; then
 		BUILD=slackware
-	    elif [ -f /etc/arch-release ] ; then
+	    elif [ -f ${CONFDIR}/arch-release ] ; then
 		BUILD=archlinux
 	    else
 		BUILD=linux
@@ -203,21 +243,15 @@ case "$HOST" in
 	;;
    debian)
 	echo "Installing Debian-specific configuration..."
 	SPARSE=yes
 	;;
    redhat)
 	echo "Installing Redhat/Fedora-specific configuration..."
 	[ -n "$INITDIR" ]  || INITDIR=/etc/rc.d/init.d
 	;;
    slackware)
 	echo "Installing Slackware-specific configuration..."
 	[ -n "$INITDIR" ]  || INITDIR="/etc/rc.d"
 	[ -n "$INITFILE" ] || INITFILE="rc.firewall"
 	[ -n "$MANDIR=" ]  || MANDIR=/usr/man
 	;;
    archlinux)
 	echo "Installing ArchLinux-specific configuration..."
 	[ -n "$INITDIR" ]  || INITDIR="/etc/rc.d"
 	;;
    linux|suse)
 	;;
@@ -227,7 +261,7 @@ case "$HOST" in
 	;;
 esac
-[ -z "$INITDIR" ] && INITDIR="/etc/init.d"
+[ -z "$INITDIR" ] && INITDIR="${CONFDIR}/init.d"
 if [ -n "$DESTDIR" ]; then
    if [ `id -u` != 0 ] ; then
@@ -235,8 +269,8 @@ if [ -n "$DESTDIR" ]; then
 	OWNERSHIP=""
    fi
-    install -d $OWNERSHIP -m 755 ${DESTDIR}/sbin
+    install -d $OWNERSHIP -m 755 ${DESTDIR}/${SBINDIR}
-    install -d $OWNERSHIP -m 755 ${DESTDIR}${DESTFILE}
+    install -d $OWNERSHIP -m 755 ${DESTDIR}${INITDIR}
    if [ -n "$SYSTEMD" ]; then
 	mkdir -p ${DESTDIR}/lib/systemd/system
@@ -257,27 +291,27 @@ fi
 echo "Installing $Product Version $VERSION"
 #
-# Check for /etc/$PRODUCT
+# Check for ${CONFDIR}/$PRODUCT
 #
-if [ -z "$DESTDIR" -a -d /etc/$PRODUCT ]; then
+if [ -z "$DESTDIR" -a -d ${CONFDIR}/$PRODUCT ]; then
    if [ ! -f /usr/share/shorewall/coreversion ]; then
 	echo "$PRODUCT $VERSION requires Shorewall Core which does not appear to be installed" >&2
 	exit 1
    fi
-    [ -f /etc/$PRODUCT/shorewall.conf ] && \
+    [ -f ${CONFDIR}/$PRODUCT/shorewall.conf ] && \
-	mv -f /etc/$PRODUCT/shorewall.conf /etc/$PRODUCT/$PRODUCT.conf
+	mv -f ${CONFDIR}/$PRODUCT/shorewall.conf ${CONFDIR}/$PRODUCT/$PRODUCT.conf
 else
-    rm -rf ${DESTDIR}/etc/$PRODUCT
+    rm -rf ${DESTDIR}${CONFDIR}/$PRODUCT
    rm -rf ${DESTDIR}/usr/share/$PRODUCT
    rm -rf ${DESTDIR}/var/lib/$PRODUCT
-    [ "$LIBEXEC" = /usr/share ] || rm -rf ${DESTDIR}/usr/share/$PRODUCT/wait4ifup ${DESTDIR}/usr/share/$PRODUCT/shorecap
+    [ "$LIBEXECDIR" = /usr/share ] || rm -rf ${DESTDIR}/usr/share/$PRODUCT/wait4ifup ${DESTDIR}/usr/share/$PRODUCT/shorecap
 fi
 #
-# Check for /sbin/$PRODUCT
+# Check for ${SBINDIR}/$PRODUCT
 #
-if [ -f ${DESTDIR}/sbin/$PRODUCT ]; then
+if [ -f ${DESTDIR}${SBINDIR}/$PRODUCT ]; then
    first_install=""
 else
    first_install="Yes"
@@ -285,118 +319,111 @@ fi
 delete_file ${DESTDIR}/usr/share/$PRODUCT/xmodules
-install_file $PRODUCT ${DESTDIR}/sbin/$PRODUCT 0544
+install_file $PRODUCT ${DESTDIR}${SBINDIR}/$PRODUCT 0544
-echo "$Product control program installed in ${DESTDIR}/sbin/$PRODUCT"
+echo "$Product control program installed in ${DESTDIR}${SBINDIR}/$PRODUCT"
 #
-# Create /etc/$PRODUCT, /usr/share/$PRODUCT and /var/lib/$PRODUCT if needed
+# Create ${CONFDIR}/$PRODUCT, /usr/share/$PRODUCT and /var/lib/$PRODUCT if needed
 #
-mkdir -p ${DESTDIR}/etc/$PRODUCT
+mkdir -p ${DESTDIR}${CONFDIR}/$PRODUCT
 mkdir -p ${DESTDIR}/usr/share/$PRODUCT
-mkdir -p ${DESTDIR}${LIBEXEC}/$PRODUCT
+mkdir -p ${DESTDIR}${LIBEXECDIR}/$PRODUCT
 mkdir -p ${DESTDIR}/var/lib/$PRODUCT
-chmod 755 ${DESTDIR}/etc/$PRODUCT
+chmod 755 ${DESTDIR}${CONFDIR}/$PRODUCT
 chmod 755 ${DESTDIR}/usr/share/$PRODUCT
 if [ -n "$DESTDIR" ]; then
-    mkdir -p ${DESTDIR}/etc/logrotate.d
+    mkdir -p ${DESTDIR}${CONFDIR}/logrotate.d
-    chmod 755 ${DESTDIR}/etc/logrotate.d
+    chmod 755 ${DESTDIR}${CONFDIR}/logrotate.d
    mkdir -p ${DESTDIR}${INITDIR}
    chmod 755 ${DESTDIR}${INITDIR}
 fi
 if [ -n "$INITFILE" ]; then
    case $TARGET in
 	debian)
 	    install_file init.debian.sh ${DESTDIR}${INITDIR}/${INITFILE} 0544
 	    ;;
 	redhat)
 	    install_file init.fedora.sh ${DESTDIR}${INITDIR}/${INITFILE} 0544
 	    ;;
 	archlinux)
 	    install_file init.archlinux.sh ${DESTDIR}${INITDIR}/${INITFILE} 0544
 	    ;;
 	*)
 	    install_file init.sh ${DESTDIR}${INITDIR}/${INITFILE} 0544
 	    ;;
    esac
-    echo  "$Product init script installed in ${DESTDIR}${INITDIR}/${INITFILE}"
+    initfile="${DESTDIR}/${INITDIR}/${INITFILE}"
    install_file ${INITSOURCE} "$initfile" 0544
    [ "${SHAREDIR}" = /usr/share ] || eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' "$initfile"
    echo  "$Product init script installed in $initfile"
 fi
 #
 # Install the .service file
 #
 if [ -n "$SYSTEMD" ]; then
-    run_install $OWNERSHIP -m 600 $PRODUCT.service ${DESTDIR}/lib/systemd/system/$PRODUCT.service
+    run_install $OWNERSHIP -m 600 $PRODUCT.service ${DESTDIR}/${SYSTEMD}/$PRODUCT.service
    echo "Service file installed as ${DESTDIR}/lib/systemd/system/$PRODUCT.service"
 fi
 #
 # Install the config file
 #
-if [ ! -f ${DESTDIR}/etc/$PRODUCT/$PRODUCT.conf ]; then
+if [ ! -f ${DESTDIR}${CONFDIR}/$PRODUCT/$PRODUCT.conf ]; then
-   install_file $PRODUCT.conf ${DESTDIR}/etc/$PRODUCT/$PRODUCT.conf 0744
+   install_file $PRODUCT.conf ${DESTDIR}${CONFDIR}/$PRODUCT/$PRODUCT.conf 0744
-   echo "Config file installed as ${DESTDIR}/etc/$PRODUCT/$PRODUCT.conf"
+   echo "Config file installed as ${DESTDIR}${CONFDIR}/$PRODUCT/$PRODUCT.conf"
 fi
 if [ $HOST = archlinux ] ; then
-   sed -e 's!LOGFILE=/var/log/messages!LOGFILE=/var/log/messages.log!' -i ${DESTDIR}/etc/$PRODUCT/$PRODUCT.conf
+   sed -e 's!LOGFILE=/var/log/messages!LOGFILE=/var/log/messages.log!' -i ${DESTDIR}${CONFDIR}/$PRODUCT/$PRODUCT.conf
 fi
 #
 # Install the  Makefile
 #
-run_install $OWNERSHIP -m 0600 Makefile ${DESTDIR}/etc/$PRODUCT
+run_install $OWNERSHIP -m 0600 Makefile ${DESTDIR}${CONFDIR}/$PRODUCT
-echo "Makefile installed as ${DESTDIR}/etc/$PRODUCT/Makefile"
+[ $SHAREDIR = /usr/share ] || eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}/${CONFDIR}/$PRODUCT/Makefile
 [ $SBINDIR = /sbin ]       || eval sed -i \'s\|/sbin/\|${SBINDIR}/\|\'       ${DESTDIR}/${CONFDIR}/$PRODUCT/Makefile
 echo "Makefile installed as ${DESTDIR}${CONFDIR}/$PRODUCT/Makefile"
 #
 # Install the default config path file
 #
-install_file configpath ${DESTDIR}/usr/share/$PRODUCT/configpath 0644
+install_file configpath ${DESTDIR}${SHAREDIR}/$PRODUCT/configpath 0644
-echo "Default config path file installed as ${DESTDIR}/usr/share/$PRODUCT/configpath"
+echo "Default config path file installed as ${DESTDIR}${SHAREDIR}/$PRODUCT/configpath"
 #
 # Install the libraries
 #
 for f in lib.* ; do
    if [ -f $f ]; then
-	install_file $f ${DESTDIR}/usr/share/$PRODUCT/$f 0644
+	install_file $f ${DESTDIR}${SHAREDIR}/$PRODUCT/$f 0644
-	echo "Library ${f#*.} file installed as ${DESTDIR}/usr/share/$PRODUCT/$f"
+	echo "Library ${f#*.} file installed as ${DESTDIR}/${SHAREDIR}/$PRODUCT/$f"
    fi
 done
-ln -sf lib.base ${DESTDIR}/usr/share/$PRODUCT/functions
+ln -sf lib.base ${DESTDIR}${SHAREDIR}/$PRODUCT/functions
-echo "Common functions linked through ${DESTDIR}/usr/share/$PRODUCT/functions"
+echo "Common functions linked through ${DESTDIR}${SHAREDIR}/$PRODUCT/functions"
 #
 # Install Shorecap
 #
-install_file shorecap ${DESTDIR}${LIBEXEC}/$PRODUCT/shorecap 0755
+install_file shorecap ${DESTDIR}${LIBEXECDIR}/$PRODUCT/shorecap 0755
 echo
-echo "Capability file builder installed in ${DESTDIR}${LIBEXEC}/$PRODUCT/shorecap"
+echo "Capability file builder installed in ${DESTDIR}${LIBEXECDIR}/$PRODUCT/shorecap"
 #
 # Install the Modules files
 #
 if [ -f modules ]; then
-    run_install $OWNERSHIP -m 0600 modules ${DESTDIR}/usr/share/$PRODUCT
+    run_install $OWNERSHIP -m 0600 modules ${DESTDIR}${SHAREDIR}/$PRODUCT
-    echo "Modules file installed as ${DESTDIR}/usr/share/$PRODUCT/modules"
+    echo "Modules file installed as ${DESTDIR}${SHAREDIR}/$PRODUCT/modules"
 fi
 if [ -f helpers ]; then
-    run_install $OWNERSHIP -m 0600 helpers ${DESTDIR}/usr/share/$PRODUCT
+    run_install $OWNERSHIP -m 0600 helpers ${DESTDIR}${SHAREDIR}/$PRODUCT
-    echo "Helper modules file installed as ${DESTDIR}/usr/share/$PRODUCT/helpers"
+    echo "Helper modules file installed as ${DESTDIR}${SHAREDIR}/$PRODUCT/helpers"
 fi
 for f in modules.*; do
-    run_install $OWNERSHIP -m 0644 $f ${DESTDIR}/usr/share/$PRODUCT/$f
+    run_install $OWNERSHIP -m 0644 $f ${DESTDIR}${SHAREDIR}/$PRODUCT/$f
-    echo "Module file $f installed as ${DESTDIR}/usr/share/$PRODUCT/$f"
+    echo "Module file $f installed as ${DESTDIR}${SHAREDIR}/$PRODUCT/$f"
 done
 #
@@ -406,18 +433,18 @@ done
 if [ -d manpages ]; then
    cd manpages
-    [ -n "$INSTALLD" ] || mkdir -p ${DESTDIR}/usr/share/man/man5/ ${DESTDIR}/usr/share/man/man8/
+    [ -n "$INSTALLD" ] || mkdir -p ${DESTDIR}${SHAREDIR}/man/man5/ ${DESTDIR}${SHAREDIR}/man/man8/
    for f in *.5; do
 	gzip -c $f > $f.gz
-	run_install $T $INSTALLD $OWNERSHIP -m 0644 $f.gz ${DESTDIR}/usr/share/man/man5/$f.gz
+	run_install $T $INSTALLD $OWNERSHIP -m 0644 $f.gz ${DESTDIR}${SHAREDIR}/man/man5/$f.gz
-	echo "Man page $f.gz installed to ${DESTDIR}/usr/share/man/man5/$f.gz"
+	echo "Man page $f.gz installed to ${DESTDIR}${SHAREDIR}/man/man5/$f.gz"
    done
    for f in *.8; do
 	gzip -c $f > $f.gz
-	run_install $T $INSTALLD $OWNERSHIP -m 0644 $f.gz ${DESTDIR}/usr/share/man/man8/$f.gz
+	run_install $T $INSTALLD $OWNERSHIP -m 0644 $f.gz ${DESTDIR}${SHAREDIR}/man/man8/$f.gz
-	echo "Man page $f.gz installed to ${DESTDIR}/usr/share/man/man8/$f.gz"
+	echo "Man page $f.gz installed to ${DESTDIR}${SHAREDIR}/man/man8/$f.gz"
    done
    cd ..
@@ -425,73 +452,79 @@ if [ -d manpages ]; then
    echo "Man Pages Installed"
 fi
-if [ -d ${DESTDIR}/etc/logrotate.d ]; then
+if [ -d ${DESTDIR}${CONFDIR}/logrotate.d ]; then
-    run_install $OWNERSHIP -m 0644 logrotate ${DESTDIR}/etc/logrotate.d/$PRODUCT
+    run_install $OWNERSHIP -m 0644 logrotate ${DESTDIR}${CONFDIR}/logrotate.d/$PRODUCT
-    echo "Logrotate file installed as ${DESTDIR}/etc/logrotate.d/$PRODUCT"
+    echo "Logrotate file installed as ${DESTDIR}${CONFDIR}/logrotate.d/$PRODUCT"
 fi
 #
 # Create the version file
 #
-echo "$VERSION" > ${DESTDIR}/usr/share/$PRODUCT/version
+echo "$VERSION" > ${DESTDIR}${SHAREDIR}/$PRODUCT/version
-chmod 644 ${DESTDIR}/usr/share/$PRODUCT/version
+chmod 644 ${DESTDIR}${SHAREDIR}/$PRODUCT/version
 #
 # Remove and create the symbolic link to the init script
 #
 if [ -z "$DESTDIR" ]; then
-    rm -f /usr/share/$PRODUCT/init
+    rm -f ${SHAREDIR}/$PRODUCT/init
-    ln -s ${INITDIR}/${INITFILE} /usr/share/$PRODUCT/init
+    ln -s ${INITDIR}/${INITFILE} ${SHAREDIR}/$PRODUCT/init
 fi
-delete_file ${DESTDIR}/usr/share/$PRODUCT/lib.common
+delete_file ${DESTDIR}${SHAREDIR}/$PRODUCT/lib.common
-delete_file ${DESTDIR}/usr/share/$PRODUCT/lib.cli
+delete_file ${DESTDIR}${SHAREDIR}/$PRODUCT/lib.cli
-delete_file ${DESTDIR}/usr/share/$PRODUCT/wait4ifup
+delete_file ${DESTDIR}${SHAREDIR}/$PRODUCT/wait4ifup
-if [ -z "$DESTDIR" ]; then
+if [ -n "$SYSCONFFILE" -a ! -f ${DESTDIR}${SYSCONFDIR}/${PRODUCT} ]; then
-    touch /var/log/$PRODUCT-init.log
+    if [ ${DESTDIR} ]; then
 	mkdir -p ${DESTDIR}${SYSCONFDIR}
 	chmod 755 ${DESTDIR}${SYSCONFDIR}
    fi
-    if [ -n "$first_install" ]; then
+    run_install $OWNERSHIP -m 0644 default.debian ${DESTDIR}${SYSCONFDIR}/${PRODUCT}
-	if [ $HOST = debian ]; then
+    echo "$SYSCONFFILE installed in ${DESTDIR}${SYSCONFDIR}/${PRODUCT}"
-	    run_install $OWNERSHIP -m 0644 default.debian /etc/default/$PRODUCT
+fi
-	    update-rc.d $PRODUCT defaults
+if [ ${SHAREDIR} != /usr/share ]; then
-
+    eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}/${SHAREDIR}/${PRODUCT}/lib.base
-	    if [ -x /sbin/insserv ]; then
+    eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}/${SBINDIR}/$PRODUCT
-		insserv /etc/init.d/$PRODUCT
+fi
 	    else
 		ln -s ../init.d/$PRODUCT /etc/rcS.d/S40$PRODUCT
 	    fi
 if [ -z "$DESTDIR" -a -n "$first_install" -a -z "${cygwin}${mac}" ]; then
    if mywhich update-rc.d ; then
 	echo "$PRODUCT will start automatically at boot"
 	echo "Set startup=1 in ${SYSCONFDIR}/$PRODUCT to enable"
 	touch /var/log/$PRODUCT-init.log
 	perl -p -w -i -e 's/^STARTUP_ENABLED=No/STARTUP_ENABLED=Yes/;s/^IP_FORWARDING=On/IP_FORWARDING=Keep/;s/^SUBSYSLOCK=.*/SUBSYSLOCK=/;' ${CONFDIR}/${PRODUCT}/${PRODUCT}.conf
 	update-rc.d $PRODUCT enable defaults
    elif [ -n "$SYSTEMD" ]; then
 	if systemctl enable $PRODUCT; then
 	    echo "$Product will start automatically at boot"
 	else
 	    if [ -n "$SYSTEMD" ]; then
 		if systemctl enable $PRODUCT; then
 		    echo "$Product will start automatically at boot"
 		fi
 	    elif [ -x /sbin/insserv -o -x /usr/sbin/insserv ]; then
 		if insserv /etc/init.d/$PRODUCT ; then
 		    echo "$Product will start automatically at boot"
 		else
 		    cant_autostart
 		fi
 	    elif [ -x /sbin/chkconfig -o -x /usr/sbin/chkconfig ]; then
 		if chkconfig --add $PRODUCT ; then
 		    echo "$Product will start automatically in run levels as follows:"
 		    chkconfig --list $PRODUCT
 		else
 		    cant_autostart
 		fi
 	    elif [ -x /sbin/rc-update ]; then
 		if rc-update add $PRODUCT default; then
 		    echo "$Product will start automatically at boot"
 		else
 		    cant_autostart
 		fi
 	    elif [ "$INITFILE" != rc.firewall ]; then #Slackware starts this automatically
 		cant_autostart
 	    fi
 	fi
    elif mywhich insserv; then
 	if insserv ${INITDIR}/${INITFILE} ; then
 	    echo "$PRODUCT will start automatically at boot"
 	    echo "Set STARTUP_ENABLED=Yes in ${CONFDIR}/$PRODUCT/${PRODUCT}.conf to enable"
 	else
 	    cant_autostart
 	fi
    elif mywhich chkconfig; then
 	if chkconfig --add $PRODUCT ; then
 	    echo "$PRODUCT will start automatically in run levels as follows:"
 	    echo "Set STARTUP_ENABLED=Yes in ${CONFDIR}/$PRODUCT/${PRODUCT}.conf to enable"
 	    chkconfig --list $PRODUCT
 	else
 	    cant_autostart
 	fi
    elif mywhich rc-update ; then
 	if rc-update add $PRODUCT default; then
 	    echo "$PRODUCT will start automatically at boot"
 	    echo "Set STARTUP_ENABLED=Yes in ${CONFDIR}/$PRODUCT/$PRODUCT.conf to enable"
 	else
 	    cant_autostart
 	fi
    elif [ "$INITFILE" != rc.${PRODUCT} ]; then #Slackware starts this automatically
 	cant_autostart
    fi
 fi
--- a/Shorewall-lite/lib.base
+++ b/Shorewall-lite/lib.base
@@ -24,11 +24,10 @@
 g_program=shorewall-lite
 g_family=4
 #
 # This may be altered by the installer
 #
 g_basedir=/usr/share/shorewall
-[ -n "${VARDIR:=/var/lib/$g_program}" ]
+. ${g_basedir}/lib.base
 [ -n "${SHAREDIR:=/usr/share/$g_program}" ]
 [ -n "${CONFDIR:=/etc/$g_program}" ]
 . /usr/share/shorewall/lib.base
--- a/Shorewall-lite/manpages/shorewall-lite-vardir.xml
+++ b/Shorewall-lite/manpages/shorewall-lite-vardir.xml
@@ -1,4 +1,6 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
 "http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
 <refentry>
  <refmeta>
    <refentrytitle>shorewall-lite-vardir</refentrytitle>
@@ -34,6 +36,28 @@
    directory. If you add this file, you should copy the files from
    <filename>/var/lib/shorewall-lite</filename> to the new directory before
    performing a <command>shorewall-lite restart</command>.</para>
    <note>
      <para>Beginning with Shorewall 4.5.2, use of this file is deprecated in
      favor of specifying VARDIR in the <filename>shorewallrc</filename> file
      used during installation of Shorewall Core. While the name of the
      variable remains VARDIR, the meaning is slightly different. When set in
      shorewallrc, Shorewall Lite, will create a directory under the specified
      path name to hold state information.</para>
      <para>Example:</para>
      <blockquote>
        <para>VARDIR=<filename><filename>/opt/var/lib/</filename></filename></para>
        <para>The state directory for Shorewall Lite will be
        /opt/var/lib/shorewall-lite/.</para>
      </blockquote>
      <para> When VARDIR is set in /etc/shorewall-lite/vardir, Shorewall Lite
      will save its state in the <replaceable>directory</replaceable>
      specified.</para>
    </note>
  </refsect1>
  <refsect1>
@@ -61,4 +85,4 @@
    shorewall-tcrules(5), shorewall-tos(5), shorewall-tunnels(5),
    shorewall-zones(5)</para>
  </refsect1>
-</refentry>
+</refentry>
--- a/Shorewall-lite/shorewall-lite
+++ b/Shorewall-lite/shorewall-lite
@@ -27,6 +27,18 @@
 ################################################################################################
 g_program=shorewall-lite
-. /usr/share/shorewall/lib.cli
+#
 # This is modified by the installer when ${SHAREDIR} != /usr/share
 #
 . /usr/share/shorewall/shorewallrc
 g_libexec="$LIBEXECDIR"
 g_sharedir="$SHAREDIR"/shorewall-lite
 g_sbindir="$SBINDIR"
 g_vardir="$VARDIR"
 g_confdir="$CONFDIR"/shorewall-lite
 g_readrc=1
 . ${SHAREDIR}/shorewall/lib.cli
 shorewall_cli $@
--- a/Shorewall-lite/uninstall.sh
+++ b/Shorewall-lite/uninstall.sh
@@ -31,7 +31,7 @@ VERSION=xxx  #The Build script inserts the actual version
 usage() # $1 = exit status
 {
    ME=$(basename $0)
-    echo "usage: $ME"
+    echo "usage: $ME [ <shorewallrc file> ]"
    exit $1
 }
@@ -40,16 +40,25 @@ qt()
    "$@" >/dev/null 2>&1
 }
-restore_file() # $1 = file to restore
+split() {
-{
+    local ifs
-    if [ -f ${1}-shorewall.bkout ]; then
+    ifs=$IFS
-	if (mv -f ${1}-shorewall-lite.bkout $1); then
+    IFS=:
-	    echo
+    set -- $1
-	    echo "$1 restored"
+    echo $*
-        else
+    IFS=$ifs
-	    exit 1
+}
-        fi
+
-    fi
+mywhich() {
    local dir
    for dir in $(split $PATH); do
 	if [ -x $dir/$1 ]; then
 	    return 0
 	fi
    done
    return 2
 }
 remove_file() # $1 = file to restore
@@ -60,8 +69,37 @@ remove_file() # $1 = file to restore
    fi
 }
-if [ -f /usr/share/shorewall-lite/version ]; then
+#
-    INSTALLED_VERSION="$(cat /usr/share/shorewall-lite/version)"
+# Read the RC file
 #
 if [ $# -eq 0 ]; then
    if [ -f ./shorewallrc ]; then
 	. ./shorewallrc
    elif [ -f ~/.shorewallrc ]; then
 	. ~/.shorewallrc || exit 1
 	file=./.shorewallrc
    elif [ -f /usr/share/shorewall/shorewallrc ]; then
 	. /usr/share/shorewall/shorewallrc
    else
 	fatal_error "No configuration file specified and /usr/share/shorewall/shorewallrc not found"
    fi
 elif [ $# -eq 1 ]; then
    file=$1
    case $file in
 	/*|.*)
 	    ;;
 	*)
 	    file=./$file
 	    ;;
    esac
    . $file
 else
    usage 1
 fi
 if [ -f ${SHAREDIR}/shorewall-lite/version ]; then
    INSTALLED_VERSION="$(cat ${SHAREDIR}/shorewall-lite/version)"
    if [ "$INSTALLED_VERSION" != "$VERSION" ]; then
 	echo "WARNING: Shorewall Lite Version $INSTALLED_VERSION is installed"
 	echo "         and this is the $VERSION uninstaller."
@@ -72,49 +110,40 @@ else
    VERSION=""
 fi
 [ -n "${LIBEXEC:=/usr/share}" ]
 echo "Uninstalling Shorewall Lite $VERSION"
-if qt iptables -L shorewall -n && [ ! -f /sbin/shorewall ]; then
+if qt iptables -L shorewall -n && [ ! -f ${SBINDIR}/shorewall ]; then
-   /sbin/shorewall-lite clear
+   shorewall-lite clear
 fi
-if [ -L /usr/share/shorewall-lite/init ]; then
+if [ -L ${SHAREDIR}/shorewall-lite/init ]; then
-    FIREWALL=$(readlink -m -q /usr/share/shorewall-lite/init)
+    FIREWALL=$(readlink -m -q ${SHAREDIR}/shorewall-lite/init)
-else
+elIF [ -n "$INITFILE" ]; then
-    FIREWALL=/etc/init.d/shorewall-lite
+    FIREWALL=${INITDIR}/${INITFILE}
 fi
-if [ -n "$FIREWALL" ]; then
+if [ -f "$FIREWALL" ]; then
-    if [ -x /usr/sbin/updaterc.d ]; then
+    if mywhich updaterc.d ; then
 	updaterc.d shorewall-lite remove
-    elif [ -x /sbin/insserv -o -x /usr/sbin/insserv ]; then
+    elif if mywhich insserv ; then
        insserv -r $FIREWALL
-    elif [ -x /sbin/chkconfig -o -x /usr/sbin/chkconfig ]; then
+    elif [ mywhich chkconfig ; then
 	chkconfig --del $(basename $FIREWALL)
-    elif [ -x /sbin/systemctl ]; then
+    elif mywhich systemctl ; then
 	systemctl disable shorewall-lite
    else
 	rm -f /etc/rc*.d/*$(basename $FIREWALL)
    fi
    remove_file $FIREWALL
    rm -f ${FIREWALL}-*.bkout
 fi
-rm -f /sbin/shorewall-lite
+rm -f ${SBINDIR}/shorewall-lite
 rm -f /sbin/shorewall-lite-*.bkout
-rm -rf /etc/shorewall-lite
+rm -rf ${SBINDIR}/shorewall-lite
-rm -rf /etc/shorewall-lite-*.bkout
+rm -rf ${VARDIR}/shorewall-lite
-rm -rf /var/lib/shorewall-lite
+rm -rf ${SHAREDIR}/shorewall-lite
 rm -rf /var/lib/shorewall-lite-*.bkout
 rm -rf /usr/share/shorewall-lite
 rm -rf ${LIBEXEC}/shorewall-lite
-rm -rf /usr/share/shorewall-lite-*.bkout
+rm -f  ${CONFDIR}/logrotate.d/shorewall-lite
-rm -f  /etc/logrotate.d/shorewall-lite
+[ -n "$SYSTEMD" ] && rm -f  ${SYSTEMD}/shorewall-lite.service
 rm -f  /lib/systemd/system/shorewall-lite.service
 echo "Shorewall Lite Uninstalled"
--- a/Shorewall/Macros/macro.Amanda
+++ b/Shorewall/Macros/macro.Amanda
@@ -11,6 +11,7 @@
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
 #				PORT(S)	PORT(S)	LIMIT	GROUP
 PARAM	-	-	udp	10080
 PARAM	-	-	tcp	10080
 #
 # You may also need this rule.  With AMANDA 2.4.4 on Linux kernel 2.6,
 # it should not be necessary to use this.  The ip_conntrack_amanda
--- a/Shorewall/Macros/macro.BLACKLIST
+++ b/Shorewall/Macros/macro.BLACKLIST
@@ -0,0 +1,11 @@
 #
 # Shorewall version 4 - blacklist Macro
 #
 # /usr/share/shorewall/macro.blacklist
 #
 #	This macro handles blacklisting using BLACKLIST_DISPOSITION and BLACKLIST_LOGLEVEL
 #
 ###############################################################################
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
 #				PORT(S)	PORT(S)	LIMIT	GROUP
 $BLACKLIST_DISPOSITION:$BLACKLIST_LOGLEVEL
--- a/Shorewall/Makefile
+++ b/Shorewall/Makefile
@@ -3,9 +3,9 @@ VARDIR=$(shell /sbin/shorewall show vardir)
 CONFDIR=/etc/shorewall
 RESTOREFILE?=firewall
-all: $(VARDIR)/${RESTOREFILE}
+all: $(VARDIR)/$(RESTOREFILE)
-$(VARDIR)/${RESTOREFILE}: $(CONFDIR)/*
+$(VARDIR)/$(RESTOREFILE): $(CONFDIR)/*
 	@/sbin/shorewall -q save >/dev/null; \
 	if \
 	    /sbin/shorewall -q restart >/dev/null 2>&1; \
--- a/Shorewall/Perl/.project
+++ b/Shorewall/Perl/.project
@@ -1,17 +0,0 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <projectDescription>
 	<name>Shorewall</name>
 	<comment></comment>
 	<projects>
 	</projects>
 	<buildSpec>
 		<buildCommand>
 			<name>org.epic.perleditor.perlbuilder</name>
 			<arguments>
 			</arguments>
 		</buildCommand>
 	</buildSpec>
 	<natures>
 		<nature>org.epic.perleditor.perlnature</nature>
 	</natures>
 </projectDescription>
--- a/Shorewall/Perl/Shorewall/Chains.pm
+++ b/Shorewall/Perl/Shorewall/Chains.pm
@@ -724,17 +724,19 @@ sub set_rule_option( $$$ ) {
 	assert( defined( my $value1 = $ruleref->{$option} ) );
 	if ( $opttype == MATCH ) {
-	    assert( $globals{KLUDGEFREE} );
+	    if ( $globals{KLUDGEFREE} ) {
 		unless ( reftype $value1 ) {
 		    unless ( reftype $value ) {
 			return if $value1 eq $value;
 		    }
-	    unless ( reftype $value1 ) {
+		    $ruleref->{$option} = [ $ruleref->{$option} ];
 		unless ( reftype $value ) {
 		    return if $value1 eq $value;
 		}
-		$ruleref->{$option} = [ $ruleref->{$option} ];
+		push @{$ruleref->{$option}}, ( reftype $value ? @$value : $value );
 	    } else {
 		$ruleref->{$option} = join(' ', $value1, $value );
 	    }
 	    push @{$ruleref->{$option}}, ( reftype $value ? @$value : $value );
 	} elsif ( $opttype == EXCLUSIVE ) {
 	    $ruleref->{$option} .= ",$value";
 	} elsif ( $opttype == UNIQUE ) {
@@ -2199,7 +2201,7 @@ sub ensure_accounting_chain( $$$ )
 	$chainref->{restriction} = $restriction;
 	$chainref->{restricted}  = NO_RESTRICT;
 	$chainref->{ipsec}       = $ipsec;
-	$chainref->{optflags}   |= DONT_OPTIMIZE unless $config{OPTIMIZE_ACCOUNTING};
+	$chainref->{optflags}   |= ( DONT_OPTIMIZE | DONT_MOVE | DONT_DELETE ) unless $config{OPTIMIZE_ACCOUNTING};
 	unless ( $chain eq 'accounting' ) {
 	    my $file = find_file $chain;
@@ -2877,7 +2879,9 @@ sub optimize_level4( $$ ) {
 		# Last rule is a simple branch
 		my $targetref = $tableref->{$lastrule->{target}};
-		if ( $targetref && ( keys %{$targetref->{references}} < 2 || @{$targetref->{rules}} < 4 ) ) {
+		if ( $targetref && 
 		     ($targetref->{optflags} & DONT_MOVE) == 0 && 
 		     ( keys %{$targetref->{references}} < 2 || @{$targetref->{rules}} < 4 ) ) {
 		    copy_rules( $targetref, $chainref );
 		    $progress = 1;
 		}
@@ -3254,6 +3258,16 @@ sub set_mss( $$$ ) {
 #
 # Interate over all zones with 'mss=' settings adding TCPMSS rules as appropriate.
 #
 sub imatch_source_dev( $;$ );
 sub imatch_dest_dev( $;$ );
 sub imatch_source_net( $;$\$ );
 sub imatch_dest_net( $ );
 sub newmsschain( ) {
    my $seq = $chainseq{filter}++;
    "~mss${seq}";
 }
 sub setup_zone_mss() {
    for my $zone ( all_zones ) {
 	my $zoneref = find_zone( $zone );
@@ -3261,6 +3275,29 @@ sub setup_zone_mss() {
 	set_mss( $zone, $zoneref->{options}{in_out}{mss}, ''     ) if $zoneref->{options}{in_out}{mss};
 	set_mss( $zone, $zoneref->{options}{in}{mss},     '_in'  ) if $zoneref->{options}{in}{mss};
 	set_mss( $zone, $zoneref->{options}{out}{mss},    '_out' ) if $zoneref->{options}{out}{mss};
 	my $hosts = find_zone_hosts_by_option( $zone, 'mss' );
 	for my $hostref ( @$hosts ) {
 	    my $mss         = $hostref->[4];
 	    my @mssmatch    = have_capability( 'TCPMSS_MATCH' ) ? ( tcpmss => "--mss $mss:" ) : ();
 	    my @sourcedev   = imatch_source_dev $hostref->[0];
 	    my @destdev     = imatch_dest_dev   $hostref->[0];
 	    my @source      = imatch_source_net $hostref->[2];
 	    my @dest        = imatch_dest_net   $hostref->[2];
 	    my @ipsecin     = (have_ipsec ? ( policy => "--pol $hostref->[1] --dir in"  ) : () );
 	    my @ipsecout    = (have_ipsec ? ( policy => "--pol $hostref->[1] --dir out" ) : () );
 	    my $chainref = new_chain 'filter', newmsschain;
 	    my $target   = source_exclusion( $hostref->[3], $chainref );
 	    add_ijump $chainref, j => 'TCPMSS', targetopts => "--set-mss $mss", p => 'tcp --tcp-flags SYN,RST SYN';
 	    for my $zone1 ( all_zones ) {
 		add_ijump ensure_chain( 'filter', rules_chain( $zone, $zone1 ) ),  j => $target , @sourcedev, @source, p => 'tcp --tcp-flags SYN,RST SYN', @mssmatch, @ipsecin ;
 		add_ijump ensure_chain( 'filter', rules_chain( $zone1, $zone ) ),  j => $target , @destdev,   @dest,   p => 'tcp --tcp-flags SYN,RST SYN', @mssmatch, @ipsecout ;	    
 	    }
 	}
    }
 }
@@ -3932,7 +3969,7 @@ sub do_ratelimit( $$ ) {
 	if ( $rate =~ /^[sd]:((\w*):)?((\d+)(\/(sec|min|hour|day))?):(\d+)$/ ) {
 	    fatal_error "Invalid Rate ($3)" unless $4;
 	    fatal_error "Invalid Burst ($7)" unless $7;
-	    $limit .= "--hashlimit $3 --hashlimit-burst $7 --hashlimit-name ";
+	    $limit .= "--$match $3 --hashlimit-burst $7 --hashlimit-name ";
 	    $limit .= $2 ? $2 : 'shorewall' . $hashlimitset++;
 	    $limit .= ' --hashlimit-mode ';
 	    $units = $6;
@@ -4021,7 +4058,7 @@ sub do_time( $ ) {
 	    }
 	} elsif ( $element =~ /^(datestart|datestop)=(\d{4}(-\d{2}(-\d{2}(T\d{1,2}(:\d{1,2}){0,2})?)?)?)$/ ) {
 	    $result .= "--$1 $2 ";
-	} elsif ( $element =~ /^(utc|localtz)$/ ) {
+	} elsif ( $element =~ /^(utc|localtz|kerneltz)$/ ) {
 	    $result .= "--$1 ";
 	} else {
 	    fatal_error "Invalid time element ($element)";
@@ -4031,6 +4068,21 @@ sub do_time( $ ) {
    $result;
 }
 sub resolve_id( $$ ) {
    my ( $id, $type ) = @_;
    if ( $globals{EXPORT} ) {
 	require_capability 'OWNER_NAME_MATCH', "Specifying a $type name", 's';
    } else {
 	my $num = $type eq 'user' ? getpwnam( $id ) : getgrnam( $id );
 	fatal_error "Unknown $type ($id)" unless supplied $num;
 	$id = $num;
    }
    $id;
 }
 #
 # Create a "-m owner" match for the passed USER/GROUP
 #
@@ -4040,6 +4092,8 @@ sub do_user( $ ) {
    return '' unless defined $user and $user ne '-';
    require_capability 'OWNER_MATCH', 'A non-empty USER column', 's';
    if ( $user =~ /^(!)?(.*)\+(.*)$/ ) {
 	$rule .= "! --cmd-owner $2 " if supplied $2;
 	$user = "!$1";
@@ -4051,24 +4105,26 @@ sub do_user( $ ) {
    if ( $user =~ /^(!)?(.*):(.*)$/ ) {
 	my $invert = $1 ? '! ' : '';
 	my $group  = defined $3 ? $3 : '';
 	if ( supplied $2 ) {
-	    $user = $2;
+	    $user  = $2;
-	    fatal_error "Unknown user ($user)" unless $user =~ /^\d+$/ || $globals{EXPORT} || defined getpwnam( $user );
+	    $user  = resolve_id( $user, 'user' ) unless $user =~ /\d+$/;
 	    $rule .= "${invert}--uid-owner $user ";
 	}
 	if ( $group ne '' ) {
-	    fatal_error "Unknown group ($group)" unless $group =~ /\d+$/ || $globals{EXPORT} || defined getgrnam( $group );
+	    $group = resolve_id( $group, 'group' ) unless $group =~ /^\d+$/;
 	    $rule .= "${invert}--gid-owner $group ";
 	}
    } elsif ( $user =~ /^(!)?(.*)$/ ) {
 	my $invert = $1 ? '! ' : '';
 	$user   = $2;
 	fatal_error "Invalid USER/GROUP (!)" if $user eq '';
-	fatal_error "Unknown user ($user)" unless $user =~ /^\d+$/ || $globals{EXPORT} || defined getpwnam( $user );
+	$user = resolve_id ($user, 'user' ) unless $user =~ /\d+$/;
 	$rule .= "${invert}--uid-owner $user ";
    } else {
-	fatal_error "Unknown user ($user)" unless $user =~ /^\d+$/ || $globals{EXPORT} || defined getpwnam( $user );
+	$user  = resolve_id( $user, 'user' ) unless $user =~ /\d+$/;
 	$rule .= "--uid-owner $user ";
    }
@@ -4209,10 +4265,26 @@ sub do_length( $ ) {
    require_capability( 'LENGTH_MATCH' , 'A Non-empty LENGTH' , 's' );
-    fatal_error "Invalid LENGTH ($length)" unless $length =~/^(\d+)(:(\d+))?$/;
+    my ( $max, $min );
-    if ( supplied $2 ) {
+    if ( $length =~ /^\d+$/ ) {
-	fatal_error "First length must be < second length" unless $1 < $3;
+	fatal_error "Invalid LENGTH ($length)" unless $length < 65536;
 	$min = $max = $1;
    } else {
 	if ( $length =~ /^:(\d+)$/ ) {
 	    $min = 0;
 	    $max = $1;
 	} elsif ( $length =~ /^(\d+):$/ ) {
 	    $min = $1;
 	    $max = 65535;
 	} elsif ( $length =~ /^(\d+):(\d+)$/ ) {
 	    $min = $1;
 	    $max = $2;
 	} else {
 	    fatal_error "Invalid LENGTH ($length)";
 	}
 	fatal_error "First length must be < second length" unless $min < $max;
    }
    "-m length --length $length ";
@@ -4453,20 +4525,25 @@ sub get_set_flags( $$ ) {
 	my @options = split /,/, $options;
 	my %typemap = ( src => 'Source', dst => 'Destination' );
-	for ( @options ) {
+	if ( $config{IPSET_WARNINGS} ) {
-	    warning_message( "The '$_' ipset flag is used in a $typemap{$option} column" ), last unless $_ eq $option;
+	    for ( @options ) {
 		warning_message( "The '$_' ipset flag is used in a $typemap{$option} column" ), last unless $_ eq $option;
 	    }
 	}
    }
    $setname =~ s/^\+//;
-    unless ( $export || $> != 0 ) {
+    if ( $config{IPSET_WARNINGS} ) {
-	unless ( $ipset_exists{$setname} ) {
+	unless ( $export || $> != 0 ) {
-	    warning_message "Ipset $setname does not exist" unless qt "ipset -L $setname";
+	    unless ( $ipset_exists{$setname} ) {
-	}
+		warning_message "Ipset $setname does not exist" unless qt "ipset -L $setname";
 	    }
-	$ipset_exists{$setname} = 1; # Suppress subsequent checks/warnings
+	    $ipset_exists{$setname} = 1; # Suppress subsequent checks/warnings
 	}
    }
    fatal_error "Invalid ipset name ($setname)" unless $setname =~ /^(6_)?[a-zA-Z]\w*/;
    have_capability 'OLD_IPSET_MATCH' ? "--set $setname $options " : "--match-set $setname $options ";
@@ -4782,10 +4859,10 @@ sub match_ipsec_in( $$ ) {
    my ( $zone , $hostref ) = @_;
    my @match;
    my $zoneref    = find_zone( $zone );
    my $optionsref = $zoneref->{options};
-    unless ( $optionsref->{super} || $zoneref->{type} == VSERVER ) {
+    unless ( $zoneref->{super} || $zoneref->{type} == VSERVER ) {
 	my $match = '--dir in --pol ';
 	my $optionsref = $zoneref->{options};
 	if ( $zoneref->{type} & IPSEC ) {
 	    $match .= "ipsec $optionsref->{in_out}{ipsec}$optionsref->{in}{ipsec}";
@@ -6372,15 +6449,23 @@ sub ensure_ipset( $ ) {
    if ( $family == F_IPV4 ) {
 	if ( have_capability 'IPSET_V5' ) {
-	    emit ( "    qt \$IPSET -L $set -n || \$IPSET -N $_ hash:ip family inet" );
+	    emit ( qq(    if ! qt \$IPSET -L $set -n; then) ,
 		   qq(        error_message "WARNING: ipset $set does not exist; creating it as an hash:ip set") ,
 		   qq(        \$IPSET -N $set hash:ip family inet) ,
 		   qq(    fi) );
 	} else {
-	    emit ( "    qt \$IPSET -L $set -n || \$IPSET -N $_ iphash" );
+	    emit ( qq(    if ! qt \$IPSET -L $set -n; then) ,
 		   qq(        error_message "WARNING: ipset $set does not exist; creating it as an iphash set") ,
 		   qq(        \$IPSET -N $set iphash) ,
 		   qq(    fi) );
 	}
    } else {
-	emit ( "    qt \$IPSET -L $set -n || \$IPSET -N $_ hash:ip family inet6" );
+	emit ( qq(    if ! qt \$IPSET -L $set -n; then) ,
 	       qq(        error_message "WARNING: ipset $set does not exist; creating it as an hash:ip set") ,
 	       qq(        \$IPSET -N $set hash:ip family inet6) ,
 	       qq(    fi) );
    }
 }
 sub load_ipsets() {
@@ -6440,7 +6525,7 @@ sub load_ipsets() {
 	} else {
 	    ensure_ipset( $_ ) for @ipsets;
 	}
-	
+
 	if ( @ipsets ) {
 	    emit ( 'elif [ "$COMMAND" = restart ]; then' );
 	    ensure_ipset( $_ ) for @ipsets;
@@ -6452,7 +6537,7 @@ sub load_ipsets() {
 	    ensure_ipset( $_ ) for @ipsets;
 	    emit( '' );
 	}
-	
+
 	if ( $family == F_IPV4 ) {
 	    emit ( '    if [ -f /etc/debian_version ] && [ $(cat /etc/debian_version) = 5.0.3 ]; then' ,
 		   '        #',
--- a/Shorewall/Perl/Shorewall/Compiler.pm
+++ b/Shorewall/Perl/Shorewall/Compiler.pm
@@ -54,10 +54,10 @@ my $family;
 #
 # Initilize the package-globals in the other modules
 #
-sub initialize_package_globals( $ ) {
+sub initialize_package_globals( $$ ) {
-    Shorewall::Config::initialize($family);
+    Shorewall::Config::initialize($family, $_[1]);
    Shorewall::Chains::initialize ($family, 1, $export );
-    Shorewall::Zones::initialize ($family, shift);
+    Shorewall::Zones::initialize ($family, $_[0]);
    Shorewall::Nat::initialize;
    Shorewall::Providers::initialize($family);
    Shorewall::Tc::initialize($family);
@@ -71,7 +71,7 @@ sub initialize_package_globals( $ ) {
 #
 # First stage of script generation.
 #
-#    Copy prog.header, lib.core and lib.common to the generated script.
+#    Copy lib.core and lib.common to the generated script.
 #    Generate the various user-exit jacket functions.
 #
 #    Note: This function is not called when $command eq 'check'. So it must have no side effects other
@@ -89,13 +89,7 @@ sub generate_script_1( $ ) {
 	    emit "#!$config{SHOREWALL_SHELL}\n#\n# Compiled firewall script generated by Shorewall $globals{VERSION} - $date\n#";
-	    if ( $family == F_IPV4 ) {
+	    copy  $globals{SHAREDIRPL} . '/lib.core', 0;
 		copy $globals{SHAREDIRPL} . 'prog.header';
 	    } else {
 		copy $globals{SHAREDIRPL} . 'prog.header6';
 	    }
 	    copy2 $globals{SHAREDIRPL} . '/lib.core', 0;
 	    copy2 $globals{SHAREDIRPL} . '/lib.common', 0;
 	}
@@ -154,7 +148,9 @@ sub generate_script_2() {
 	   '    #',
 	   '    # Be sure that umask is sane',
 	   '    #',
-	   '    umask 077',
+	   '    umask 077' );
    emit ( '',
 	   '    #',
 	   '    # These variables are required by the library functions called in this script',
 	   '    #'
@@ -162,61 +158,63 @@ sub generate_script_2() {
    push_indent;
    if ( $shorewallrc{TEMPDIR} ) {
 	emit( '',
 	      qq(TMPDIR="$shorewallrc{TEMPDIR}") ,
 	      q(export TMPDIR) );
    }
    if ( $family == F_IPV4 ) {
 	emit( 'g_family=4' );
 	if ( $export ) {
-	    emit ( 'SHAREDIR=/usr/share/shorewall-lite',
+	    emit ( qq(g_confdir=$shorewallrc{CONFDIR}/shorewall-lite),
 		   'CONFDIR=/etc/shorewall-lite',
 		   'g_product="Shorewall Lite"',
 		   'g_program=shorewall-lite',
 		   'g_basedir=/usr/share/shorewall-lite',
 		   qq(CONFIG_PATH="$shorewallrc{CONFDIR}/shorewall-lite:$shorewallrc{SHAREDIR}/shorewall-lite") ,
 		 );
 	} else {
-	    emit ( 'SHAREDIR=/usr/share/shorewall',
+	    emit ( qq(g_confdir=$shorewallrc{CONFDIR}/shorewall),
 		   'CONFDIR=/etc/shorewall',
 		   'g_product=Shorewall',
 		   'g_program=shorewall',
 		   'g_basedir=/usr/share/shorewall',
 		   qq(CONFIG_PATH="$config{CONFIG_PATH}") ,
 		 );
 	}
    } else {
 	emit( 'g_family=6' );
 	if ( $export ) {
-	    emit ( 'SHAREDIR=/usr/share/shorewall6-lite',
+	    emit ( qq(g_confdir=$shorewallrc{CONFDIR}/shorewall6-lite),
 		   'CONFDIR=/etc/shorewall6-lite',
 		   'g_product="Shorewall6 Lite"',
 		   'g_program=shorewall6-lite',
 		   'g_basedir=/usr/share/shorewall6',
 		   qq(CONFIG_PATH="$shorewallrc{CONFDIR}/shorewall6-lite:$shorewallrc{SHAREDIR}/shorewall6-lite") ,
 		 );
 	} else {
-	    emit ( 'SHAREDIR=/usr/share/shorewall6',
+	    emit ( qq(g_confdir=$shorewallrc{CONFDIR}/shorewall6),
 		   'CONFDIR=/etc/shorewall6',
 		   'g_product=Shorewall6',
 		   'g_program=shorewall6',
-		   'g_basedir=/usr/share/shorewall'
+		   'g_basedir=/usr/share/shorewall',
 		   qq(CONFIG_PATH="$config{CONFIG_PATH}") ,
 		 );
 	}
    }
-    emit( '[ -f ${CONFDIR}/vardir ] && . ${CONFDIR}/vardir' );
+    emit( '[ -f ${g_confdir}/vardir ] && . ${g_confdir}/vardir' );
    if ( $family == F_IPV4 ) {
 	if ( $export ) {
-	    emit ( 'CONFIG_PATH="/etc/shorewall-lite:/usr/share/shorewall-lite"' ,
+	    emit ( '[ -n "${VARDIR:=' . $shorewallrc{VARDIR} . '/shorewall-lite}" ]' );
 		   '[ -n "${VARDIR:=/var/lib/shorewall-lite}" ]' );
 	} else {
-	    emit ( qq(CONFIG_PATH="$config{CONFIG_PATH}") ,
+	    emit ( '[ -n "${VARDIR:=' . $shorewallrc{VARDIR} . '/shorewall}" ]' );
 		   '[ -n "${VARDIR:=/var/lib/shorewall}" ]' );
 	}
    } else {
 	if ( $export ) {
-	    emit ( 'CONFIG_PATH="/etc/shorewall6-lite:/usr/share/shorewall6-lite"' ,
+	    emit ( '[ -n "${VARDIR:=' . $shorewallrc{VARDIR} . '/shorewall6-lite}" ]' );
 		   '[ -n "${VARDIR:=/var/lib/shorewall6-lite}" ]' );
 	} else {
-	    emit ( qq(CONFIG_PATH="$config{CONFIG_PATH}") ,
+	    emit ( '[ -n "${VARDIR:=' . $shorewallrc{VARDIR} . '/shorewall6}" ]' );
 		   '[ -n "${VARDIR:=/var/lib/shorewall6}" ]' );
 	}
    }
@@ -547,8 +545,8 @@ EOF
 #
 sub compiler {
-    my ( $scriptfilename, $directory, $verbosity, $timestamp , $debug, $chains , $log , $log_verbosity, $preview, $confess , $update , $annotate , $convert, $config_path ) =
+    my ( $scriptfilename, $directory, $verbosity, $timestamp , $debug, $chains , $log , $log_verbosity, $preview, $confess , $update , $annotate , $convert, $config_path, $shorewallrc ) =
-       ( '',              '',         -1,          '',          0,      '',       '',   -1,             0,        0,         0,        0,        , 0       , '');
+       ( '',              '',         -1,          '',          0,      '',       '',   -1,             0,        0,         0,        0,        , 0       , ''          , '');
    $export = 0;
    $test   = 0;
@@ -586,6 +584,7 @@ sub compiler {
 		  convert       => { store => \$convert,       validate=> \&validate_boolean    } ,
 		  annotate      => { store => \$annotate,      validate=> \&validate_boolean    } ,
 		  config_path   => { store => \$config_path } ,
 		  shorewallrc   => { store => \$shorewallrc } ,
 		);
    #
    #                               P A R A M E T E R    P R O C E S S I N G
@@ -603,7 +602,7 @@ sub compiler {
    #
    # Now that we know the address family (IPv4/IPv6), we can initialize the other modules' globals
    #
-    initialize_package_globals( $update );
+    initialize_package_globals( $update, $shorewallrc );
    set_config_path( $config_path ) if $config_path;
@@ -709,10 +708,6 @@ sub compiler {
    # Proxy Arp/Ndp
    #
    setup_proxy_arp;
    #
    # Handle MSS settings in the zones file
    #
    setup_zone_mss;
    if ( $scriptfilename || $debug ) {
 	emit 'return 0';
--- a/Shorewall/Perl/Shorewall/Config.pm
+++ b/Shorewall/Perl/Shorewall/Config.pm
@@ -141,6 +141,7 @@ our %EXPORT_TAGS = ( internal => [ qw( create_temp_script
 				       %config
 				       %globals
 				       %config_files
 				       %shorewallrc
 				       @auditoptions
@@ -243,6 +244,8 @@ my  %capdesc = ( NAT_ENABLED     => 'NAT',
 		 IPRANGE_MATCH   => 'IP Range Match',
 		 RECENT_MATCH    => 'Recent Match',
 		 OWNER_MATCH     => 'Owner Match',
 		 OWNER_NAME_MATCH
 		                 => 'Owner Name Match',
 		 IPSET_MATCH     => 'Ipset Match',
 		 OLD_IPSET_MATCH => 'Old Ipset Match',
 		 IPSET_V5        => 'Version 5 ipsets',
@@ -426,6 +429,18 @@ my %deprecated = ( LOGRATE            => '' ,
 my %converted = ( WIDE_TC_MARKS => 1,
 		  HIGH_ROUTE_MARKS => 1 );
 #
 # Variables involved in ?IF, ?ELSE ?ENDIF processing
 #
 my $omitting;
 my @ifstack;
 my $ifstack;
 #
 # From .shorewallrc
 #
 our %shorewallrc;
 sub process_shorewallrc($);
 #
 # Rather than initializing globals in an INIT block or during declaration,
 # we initialize them in a function. This is done for two reasons:
 #
@@ -435,8 +450,8 @@ my %converted = ( WIDE_TC_MARKS => 1,
 #   2. The compiler can run multiple times in the same process so it has to be
 #      able to re-initialize its dependent modules' state.
 #
-sub initialize( $ ) {
+sub initialize( $;$ ) {
-    $family = shift;
+    ( $family, my $shorewallrc ) = @_;
    if ( $family == F_IPV4 ) {
 	( $product, $Product, $toolname, $toolNAME ) = qw( shorewall  Shorewall iptables  IPTABLES );
@@ -458,13 +473,16 @@ sub initialize( $ ) {
    $tempfile       = '';      # Temporary File Name
    $sillyname      = 
    $sillyname1     = '';      # Temporary ipchains
    $omitting       = 0;
    $ifstack        = 0;
    @ifstack        = ();
    #
    # Misc Globals
    #
-    %globals  =   ( SHAREDIRPL => '/usr/share/shorewall/' ,
+    %globals  =   ( SHAREDIRPL => '' ,
-		    CONFDIR    => '/etc/shorewall',     # Run-time configuration directory
+		    CONFDIR    => '',         # Run-time configuration directory
-		    CONFIGDIR  => '',                  # Compile-time configuration directory (location of $product.conf)
+		    CONFIGDIR  => '',         # Compile-time configuration directory (location of $product.conf)
 		    LOGPARMS   => '',
 		    TC_SCRIPT  => '',
 		    EXPORT     => 0,
@@ -472,7 +490,7 @@ sub initialize( $ ) {
 		    STATEMATCH => '-m state --state',
 		    UNTRACKED  => 0,
 		    VERSION    => "4.4.22.1",
-		    CAPVERSION => 40501 ,
+		    CAPVERSION => 40502 ,
 		  );
    #
    # From shorewall.conf file
@@ -558,6 +576,7 @@ sub initialize( $ ) {
 	  MAPOLDACTIONS => undef,
 	  FASTACCEPT => undef,
 	  IMPLICIT_CONTINUE => undef,
 	  IPSET_WARNINGS => undef,
 	  HIGH_ROUTE_MARKS => undef,
 	  USE_ACTIONS=> undef,
 	  OPTIMIZE => undef,
@@ -651,6 +670,7 @@ sub initialize( $ ) {
 	       IPRANGE_MATCH => undef,
 	       RECENT_MATCH => undef,
 	       OWNER_MATCH => undef,
 	       OWNER_NAME_MATCH => undef,
 	       IPSET_MATCH => undef,
 	       OLD_IPSET_MATCH => undef,
 	       IPSET_V5 => undef,
@@ -734,17 +754,28 @@ sub initialize( $ ) {
    @actparms = ();
-    if ( $family == F_IPV4 ) {
+    %shorewallrc = (
-	$globals{SHAREDIR}      = '/usr/share/shorewall';
+		    SHAREDIR => '/usr/share/',
-	$globals{CONFDIR}       = '/etc/shorewall';
+		    CONFDIR  => '/etc/',
-	$globals{PRODUCT}       = 'shorewall';
+		    );
-	$config{IPTABLES}       = undef;
+
-	$validlevels{ULOG}      = 'ULOG';
+    if ( $shorewallrc ) {
-    } else {
+	process_shorewallrc( $shorewallrc );
-	$globals{SHAREDIR}      = '/usr/share/shorewall6';
+
-	$globals{CONFDIR}       = '/etc/shorewall6';
+	$globals{SHAREDIRPL} = "$shorewallrc{SHAREDIR}/shorewall/";
-	$globals{PRODUCT}       = 'shorewall6';
+
-	$config{IP6TABLES}      = undef;
+	if ( $family == F_IPV4 ) {
 	    $globals{SHAREDIR}      = "$shorewallrc{SHAREDIR}/shorewall";
 	    $globals{CONFDIR}       = "$shorewallrc{CONFDIR}/shorewall";
 	    $globals{PRODUCT}       = 'shorewall';
 	    $config{IPTABLES}       = undef;
 	    $validlevels{ULOG}      = 'ULOG';
 	} else {
 	    $globals{SHAREDIR}      = "$shorewallrc{SHAREDIR}/shorewall6";
 	    $globals{CONFDIR}       = "$shorewallrc{CONFDIR}/shorewall6";
 	    $globals{PRODUCT}       = 'shorewall6';
 	    $config{IP6TABLES}      = undef;
 	}
    }
 }
@@ -756,7 +787,7 @@ my @abbr = qw( Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec );
 sub warning_message
 {
    my $linenumber = $currentlinenumber || 1;
-    my $currentlineinfo = $currentfile ?  " : $currentfilename (line $linenumber)" : '';
+    my $currentlineinfo = $currentfile ?  " : $currentfilename " . ( $linenumber eq 'EOF' ? '(EOF)' : "(line $linenumber)" ) : '';
    our @localtime;
    $| = 1; #Reset output buffering (flush any partially filled buffers).
@@ -812,7 +843,7 @@ sub cleanup() {
 #
 sub fatal_error	{
    my $linenumber = $currentlinenumber || 1;
-    my $currentlineinfo = $currentfile ?  " : $currentfilename (line $linenumber)" : '';
+    my $currentlineinfo = $currentfile ?  " : $currentfilename " . ( $linenumber eq 'EOF' ? '(EOF)' : "(line $linenumber)" ) : '';
    $| = 1; #Reset output buffering (flush any partially filled buffers).
@@ -1459,6 +1490,7 @@ sub do_open_file( $ ) {
    my $fname = $_[0];
    open $currentfile, '<', $fname or fatal_error "Unable to open $fname: $!";
    $currentlinenumber = 0;
    $ifstack           = @ifstack;
    $currentfilename   = $fname;
 }
@@ -1471,6 +1503,7 @@ sub open_file( $ ) {
 	$first_entry = 0;
 	do_open_file $fname;;
    } else {
 	$ifstack = @ifstack;
 	'';
    }
 }
@@ -1481,10 +1514,17 @@ sub open_file( $ ) {
 sub pop_include() {
    my $arrayref = pop @includestack;
    unless ( $ifstack == @ifstack ) {
 	my $lastref = $ifstack[-1];
 	$currentlinenumber = 'EOF';
 	fatal_error qq(Missing "?ENDIF" to match ?IF at line number $lastref->[2])
    }
    if ( $arrayref ) {
-	( $currentfile, $currentfilename, $currentlinenumber ) = @$arrayref;
+	( $currentfile, $currentfilename, $currentlinenumber, $ifstack ) = @$arrayref;
    } else {
-	$currentfile = undef;
+	$currentfile       = undef;
 	$currentlinenumber = 'EOF';
    }
 }
@@ -1505,6 +1545,70 @@ sub close_file() {
    }
 }
 #
 # Process an ?IF, ?ELSE or ?END directive
 #
 sub have_capability( $ );
 sub process_conditional( $$$ ) {
    my ( $omitting, $line, $linenumber ) = @_;
    print "CD===> $currentline\n" if $debug;
    fatal_error "Invalid compiler directive ($line)" unless $line =~ /^\s*\?(IF\s+|ELSE|ENDIF)(.*)$/;
    my ($keyword, $rest) = ( $1, $2 );
    if ( supplied $rest ) {
 	$rest =~ s/#.*//;
 	$rest =~ s/\s*$//;
    } else {
 	$rest = '';
    }
    my ( $lastkeyword, $prioromit, $lastomit, $lastlinenumber ) = @ifstack ? @{$ifstack[-1]} : ('', 0, 0, 0 );
    if ( $keyword =~ /^IF/ ) {
 	fatal_error "Missing IF variable" unless $rest;
 	my $invert = $rest =~ s/^!\s*//;
 	fatal_error "Invalid IF variable ($rest)" unless ($rest =~ s/^\$// || $rest =~ /^__/ ) && $rest =~ /^\w+$/;
 	push @ifstack, [ 'IF', $lastomit, $omitting, $linenumber ];
 	if ( $rest eq '__IPV6' ) {
 	    $omitting = $family == F_IPV4;
 	} elsif ( $rest eq '__IPV4' ) {
 	    $omitting = $family == F_IPV6;
 	} else {
 	    my $cap = $rest;
 	    $cap =~ s/^__//;
 	    $omitting = ! ( exists $ENV{$rest}    ? $ENV{$rest}    : 
 			    exists $params{$rest} ? $params{$rest} : 
 			    exists $config{$rest} ? $config{$rest} :
 			    exists $capdesc{$cap} ? have_capability( $cap ) : 0 );
 	}
 	$omitting = ! $omitting if $invert;
 	$omitting ||= $lastomit; #?IF cannot transition from omitting -> not omitting
    } elsif ( $keyword eq 'ELSE' ) {
 	fatal_error "Invalid ?ELSE" unless $rest eq '';
 	fatal_error "?ELSE has no matching ?IF" unless @ifstack > $ifstack && $lastkeyword eq 'IF';
 	$omitting = ! $omitting unless $lastomit;
 	$ifstack[-1] = [ 'ELSE', $prioromit, $omitting, $lastlinenumber ];
    } else {
 	fatal_error "Invalid ?ENDIF" unless $rest eq '';
 	fatal_error q(Unexpected "?ENDIF" without matching ?IF or ?ELSE) if @ifstack <= $ifstack;
 	$omitting = $prioromit;
 	pop @ifstack;
    }
    $omitting;
 }   
 #
 # Functions for copying a file into the script
 #
@@ -1512,12 +1616,27 @@ sub copy( $ ) {
    assert( $script_enabled );
    if ( $script ) {
-	my $file = $_[0];
+	my $file         = $_[0];
 	my $omitting     = 0;
 	my $save_ifstack = $ifstack;
 	my $lineno       = 0;
 	$ifstack = @ifstack;
 	open IF , $file or fatal_error "Unable to open $file: $!";
 	while ( <IF> ) {
 	    chomp;
 	    $lineno++;
 	    if ( /^\s*\?/ ) {
 		$omitting = process_conditional( $omitting, $_, $lineno );
 		next;
 	    }
 	    next if $omitting;
 	    if ( /^\s*$/ ) {
 		print $script "\n" unless $lastlineblank;
 		$lastlineblank = 1;
@@ -1533,6 +1652,14 @@ sub copy( $ ) {
 	    }
 	}
 	if ( $ifstack < @ifstack ) {
 	    $currentlinenumber = 'EOF';
 	    $currentfilename   = $file;
 	    fatal_error "Missing ?ENDIF to match the ?IF at line $ifstack[-1]->[3]";
 	} else {
 	    $ifstack = $save_ifstack;
 	}
 	close IF;
    }
 }
@@ -1556,6 +1683,11 @@ sub copy1( $ ) {
 		chomp;
 		if ( /^\s*\?/ ) {
 		    $omitting = process_conditional( $omitting, $_, $currentlinenumber );
 		    next;
 		}
 		if ( /^${here_documents}\s*$/ ) {
 		    if ( $script ) {
 			print $script $here_documents if $here_documents;
@@ -1607,7 +1739,7 @@ sub copy1( $ ) {
 			fatal_error "Directory ($filename) not allowed in INCLUDE" if -d _;
 			if ( -s _ ) {
-			    push @includestack, [ $currentfile, $currentfilename, $currentlinenumber ];
+			    push @includestack, [ $currentfile, $currentfilename, $currentlinenumber, $ifstack ];
 			    $currentfile = undef;
 			    do_open_file $filename;
 			} else {
@@ -1658,10 +1790,14 @@ sub copy2( $$ ) {
    if ( $script || $trace ) {
 	my $file = $_[0];
 	my $omitting     = 0;
 	my $save_ifstack = $ifstack;
 	my $lineno       = 0;
 	open IF , $file or fatal_error "Unable to open $file: $!";
 	while ( <IF> ) {
 	    $lineno++;
 	    $empty = 0, last unless /^#/;
 	}
@@ -1675,7 +1811,16 @@ EOF
 	    emit( $_ ) unless /^\s*$/;
 	    while ( <IF> ) {
 		$lineno++;
 		chomp;
 		if ( /^\s*\?/ ) {
 		    $omitting = process_conditional( $omitting, $_, $lineno );
 		    next;
 		}
 		next if $omitting;
 		if ( /^\s*$/ ) {
 		    unless ( $lastlineblank ) {
 			print $script "\n" if $script;
@@ -1703,8 +1848,6 @@ EOF
 		}
 	    }
 	    close IF;
 	    unless ( $lastlineblank ) {
 		print $script "\n" if $script;
 		print "GS----->\n" if $trace;
@@ -1714,6 +1857,17 @@ EOF
 		  "#   End of imports from $file",
 		  '################################################################################' );
 	}
 	if ( $ifstack < @ifstack ) {
 	    $currentfilename   = $file;
 	    $currentlinenumber = 'EOF';
 	    fatal_error "Missing ?ENDIF to match the ?IF at line $ifstack[-1]->[3]";
 	} else {
 	    $ifstack = $save_ifstack;
 	}
 	close IF;
    }
 }
@@ -1723,7 +1877,7 @@ EOF
 #
 sub push_open( $ ) {
-    push @includestack, [ $currentfile, $currentfilename, $currentlinenumber ];
+    push @includestack, [ $currentfile, $currentfilename, $currentlinenumber, $ifstack ];
    my @a = @includestack;
    push @openstack, \@a;
    @includestack = ();
@@ -1781,6 +1935,8 @@ sub first_entry( $ ) {
    }
 }
 sub read_a_line(;$$$$);
 sub embedded_shell( $ ) {
    my $multiline = shift;
@@ -1796,24 +1952,24 @@ sub embedded_shell( $ ) {
 	my $last = 0;
-	while ( <$currentfile> ) {
+	while ( read_a_line( 0, 0, 0, 0 ) ) {
-	    $currentlinenumber++;
+	    last if $last = $currentline =~ s/^\s*END(\s+SHELL)?\s*;?//;
-	    last if $last = s/^\s*END(\s+SHELL)?\s*;?//;
+	    $command .= "$currentline\n";
 	    $command .= $_;
 	}
 	fatal_error ( "Missing END SHELL" ) unless $last;
-	fatal_error ( "Invalid END SHELL directive" ) unless /^\s*$/;
+	fatal_error ( "Invalid END SHELL directive" ) unless $currentline =~ /^\s*$/;
    }
    $command .= q(');
-    push @includestack, [ $currentfile, $currentfilename, $currentlinenumber ];
+    push @includestack, [ $currentfile, $currentfilename, $currentlinenumber, $ifstack ];
    $currentfile = undef;
    open $currentfile , '-|', $command or fatal_error qq(Shell Command failed);
    $currentfilename = "SHELL\@$currentfilename:$currentlinenumber";
    $currentline = '';
    $currentlinenumber = 0;
    $ifstack = @ifstack;
 }
 sub embedded_perl( $ ) {
@@ -1830,21 +1986,20 @@ sub embedded_perl( $ ) {
 	my $last = 0;
-	while ( <$currentfile> ) {
+	while ( read_a_line( 0, 0, 0, 0 ) ) {
-	    $currentlinenumber++;
+	    last if $last = $currentline =~ s/^\s*END(\s+PERL)?\s*;?//;
-	    last if $last = s/^\s*END(\s+PERL)?\s*;?//;
+	    $command .= "$currentline\n";
 	    $command .= $_;
 	}
 	fatal_error ( "Missing END PERL" ) unless $last;
-	fatal_error ( "Invalid END PERL directive" ) unless /^\s*$/;
+	fatal_error ( "Invalid END PERL directive" ) unless $currentline =~ /^\s*$/;
    }
    unless (my $return = eval $command ) {
 	#
 	# Perl found the script offensive or the script itself died
 	#
 	if ( $@ ) {
 	    #
 	    # Perl found the script offensive or the script itself died
 	    #
 	    $@ =~ s/, <\$currentfile> line \d+//g;
 	    fatal_error1 "$@";
 	}
@@ -1864,7 +2019,7 @@ sub embedded_perl( $ ) {
 	$perlscript = undef;
-	push @includestack, [ $currentfile, $currentfilename, $currentlinenumber ];
+	push @includestack, [ $currentfile, $currentfilename, $currentlinenumber , $ifstack ];
 	$currentfile = undef;
 	open $currentfile, '<', $perlscriptname or fatal_error "Unable to open Perl Script $perlscriptname";
@@ -1876,6 +2031,7 @@ sub embedded_perl( $ ) {
 	$currentfilename = "PERL\@$currentfilename:$linenumber";
 	$currentline = '';
 	$currentlinenumber = 0;
 	$ifstack = @ifstack;
    }
 }
@@ -1960,6 +2116,8 @@ sub expand_variables( \$ ) {
 	    $val = $actparms[$var];
 	} elsif ( exists $params{$var} ) {
 	    $val = $params{$var};
 	} elsif ( exists $shorewallrc{$var} ) {
 	    $val = $shorewallrc{$var}
 	} else {
 	    fatal_error "Undefined shell variable (\$$var)" unless exists $config{$var};
 	    $val = $config{$var};
@@ -1971,6 +2129,18 @@ sub expand_variables( \$ ) {
    }
 }
 #
 # Handle first-entry processing
 #
 sub handle_first_entry() {
    #
    # $first_entry can contain either a function reference or a message. If it
    # contains a reference, call the function -- otherwise issue the message
    #
    reftype( $first_entry ) ? $first_entry->() : progress_message2( $first_entry );
    $first_entry = 0;
 }
 #
 # Read a line from the current include stack.
 #
@@ -1980,12 +2150,14 @@ sub expand_variables( \$ ) {
 #   - Handle embedded SHELL and PERL scripts
 #   - Expand shell variables from %params and %ENV.
 #   - Handle INCLUDE <filename>
 #   - Handle ?IF, ?ELSE, ?ENDIF
 #
-sub read_a_line(;$$$) {
+sub read_a_line(;$$$$) {
-    my $embedded_enabled = defined $_[0] ? shift : 1;
+    my $embedded_enabled    = defined $_[0] ? shift : 1;
-    my $expand_variables = defined $_[0] ? shift : 1;
+    my $expand_variables    = defined $_[0] ? shift : 1;
-    my $strip_comments   = defined $_[0] ? shift : 1;
+    my $strip_comments      = defined $_[0] ? shift : 1;
    my $suppress_whitespace = defined $_[0] ? shift : 1;
    while ( $currentfile ) {
@@ -2000,57 +2172,65 @@ sub read_a_line(;$$$) {
 	    #
 	    # Suppress leading whitespace in certain continuation lines
 	    #
-	    s/^\s*// if $currentline =~ /[,:]$/;
+	    s/^\s*// if $currentline =~ /[,:]$/ && $suppress_whitespace;
 	    #
-	    # If this isn't a continued line, remove trailing comments. Note that
+	    # If this is a continued line with a trailing comment, remove comment. Note that
-	    # the result may now end in '\'.
+	    # the result will now end in '\'.
 	    #
-	    s/\s*#.*$// if $strip_comments && ! /\\$/;
+	    s/\s*#.*$// if $strip_comments && /[\\]\s*#.*$/;
 	    #
 	    # Continuation
 	    #
-	    chop $currentline, next if substr( ( $currentline .= $_ ), -1, 1 ) eq '\\';
+	    chop $currentline, next if ($currentline .= $_) =~ /\\$/;
 	    #
-	    # Now remove concatinated comments
+	    # Handle conditionals
 	    #
-	    $currentline =~ s/#.*$// if $strip_comments;
+	    if ( $currentline =~ /^\s*\?(?:IF|ELSE|ENDIF)/ ) {
-	    #
+		$omitting = process_conditional( $omitting, $currentline, $currentlinenumber );
-	    # Ignore ( concatenated ) Blank Lines
+		$currentline='';
-	    #
+		next;
-	    $currentline = '', $currentlinenumber = 0, next if $currentline =~ /^\s*$/;
+	    }		
-	    #
+		    
-	    # Line not blank -- Handle any first-entry message/capabilities check
+	    if ( $omitting ) {
-	    #
+		print "OMIT=> $currentline\n" if $debug;
-	    if ( $first_entry ) {
+		$currentline='';
-		#
+		$currentlinenumber = 0;
-		# $first_entry can contain either a function reference or a message. If it
+		next;
 		# contains a reference, call the function -- otherwise issue the message
 		#
 		reftype( $first_entry ) ? $first_entry->() : progress_message2( $first_entry );
 		$first_entry = 0;
 	    }
 	    #
 	    # Must check for shell/perl before doing variable expansion
 	    #
 	    if ( $embedded_enabled ) {
 		if ( $currentline =~ s/^\s*(BEGIN\s+)?SHELL\s*;?// ) {
 		    handle_first_entry if $first_entry;
 		    embedded_shell( $1 );
 		    next;
 		}
 		if ( $currentline =~ s/^\s*(BEGIN\s+)?PERL\s*\;?// ) {
 		    handle_first_entry if $first_entry;
 		    embedded_perl( $1 );
 		    next;
 		}
 	    }
-
+	    #
-	    my $count = 0;
+	    # Now remove concatinated comments
 	    #
 	    $currentline =~ s/\s*#.*$// if $strip_comments;
 	    #
 	    # Ignore ( concatenated ) Blank Lines after comments are removed.
 	    #
 	    $currentline = '', $currentlinenumber = 0, next if $currentline =~ /^\s*$/ && $suppress_whitespace;
 	    #
 	    # Line not blank -- Handle any first-entry message/capabilities check
 	    #
 	    handle_first_entry if $first_entry;
 	    #
 	    # Expand Shell Variables using %params and @actparms
 	    #
 	    expand_variables( $currentline ) if $expand_variables;
-	    if ( $currentline =~ /^\s*INCLUDE\s/ ) {
+	    if ( $currentline =~ /^\s*\??INCLUDE\s/ ) {
 		my @line = split ' ', $currentline;
@@ -2063,7 +2243,7 @@ sub read_a_line(;$$$) {
 		fatal_error "Directory ($filename) not allowed in INCLUDE" if -d _;
 		if ( -s _ ) {
-		    push @includestack, [ $currentfile, $currentfilename, $currentlinenumber ];
+		    push @includestack, [ $currentfile, $currentfilename, $currentlinenumber, $ifstack ];
 		    $currentfile = undef;
 		    do_open_file $filename;
 		} else {
@@ -2089,8 +2269,9 @@ sub read_a_line1() {
 	while ( $currentline = <$currentfile> ) {
 	    next if $currentline =~ /^\s*#/;
 	    chomp $currentline;
 	    next if $currentline =~ /^\s*$/;
 	    $currentline =~ s/#.*$//;       # Remove Trailing Comments
 	    $currentline =~ s/\s*$//;       # Remove Trailing Whitespace
 	    next if $currentline =~ /^\s*$/;
 	    fatal_error "Non-ASCII gunk in file" if $currentline =~ /[^\s[:print:]]/;
 	    $currentlinenumber = $.;
 	    print "IN===> $currentline\n" if $debug;
@@ -2101,6 +2282,27 @@ sub read_a_line1() {
    }
 }
 sub process_shorewallrc( $ ) {
    my $shorewallrc = shift;
    $shorewallrc{PRODUCT} = $family == F_IPV4 ? 'shorewall' : 'shorewall6';
    if ( open_file $shorewallrc ) {
 	while ( read_a_line1 ) {
 	    if ( $currentline =~ /^([a-zA-Z]\w*)=(.*)$/ ) {
 		my ($var, $val) = ($1, $2);
 		$val = $1 if $val =~ /^\"([^\"]*)\"$/;
 		expand_variables($val) if supplied $val;
 		$shorewallrc{$var} = $val;
 	    } else {
 		fatal_error "Unrecognized shorewallrc entry";
 	    }
 	}
    } else {
 	fatal_error "Failed to open $shorewallrc: $!";
    }
 }
 #
 # Provide the passed default value for the passed configuration variable
 #
@@ -2425,8 +2627,6 @@ sub determine_kernelversion() {
 #
 # Capability Reporting and detection.
 #
 sub have_capability( $ );
 sub Nat_Enabled() {
    $family == F_IPV4 ? qt1( "$iptables -t nat -L -n" ) : '';
 }
@@ -2524,6 +2724,12 @@ sub Owner_Match() {
    qt1( "$iptables -A $sillyname -m owner --uid-owner 0 -j ACCEPT" );
 }
 sub Owner_Name_Match() {
    if ( my $name = `id -un 2> /dev/null` ) {
 	qt1( "$iptables -A $sillyname -m owner --uid-owner $name -j ACCEPT" );
    }
 }
 sub Connmark_Match() {
    qt1( "$iptables -A $sillyname -m connmark --mark 2  -j ACCEPT" );
 }
@@ -2847,6 +3053,7 @@ our %detect_capability =
      OLD_HL_MATCH => \&Old_Hashlimit_Match,
      OLD_IPP2P_MATCH => \&Old_Ipp2p_Match,
      OWNER_MATCH => \&Owner_Match,
      OWNER_NAME_MATCH => \&Owner_Name_Match,
      PERSISTENT_SNAT => \&Persistent_Snat,
      PHYSDEV_BRIDGE => \&Physdev_Bridge,
      PHYSDEV_MATCH => \&Physdev_Match,
@@ -2942,6 +3149,8 @@ sub determine_capabilities() {
 	$capabilities{IPRANGE_MATCH}   = detect_capability( 'IPRANGE_MATCH' );
 	$capabilities{RECENT_MATCH}    = detect_capability( 'RECENT_MATCH' );
 	$capabilities{OWNER_MATCH}     = detect_capability( 'OWNER_MATCH' );
 	$capabilities{OWNER_NAME_MATCH}
                                       = detect_capability( 'OWNER_NAME_MATCH' );
 	$capabilities{CONNMARK_MATCH}  = detect_capability( 'CONNMARK_MATCH' );
 	$capabilities{XCONNMARK_MATCH} = detect_capability( 'XCONNMARK_MATCH' );
 	$capabilities{IPP2P_MATCH}     = detect_capability( 'IPP2P_MATCH' );
@@ -3028,7 +3237,7 @@ sub ensure_config_path() {
    my $f = "$globals{SHAREDIR}/configpath";
-    $globals{CONFDIR} = "/usr/share/$product/configfiles/" if $> != 0;
+    $globals{CONFDIR} = "$shorewallrc{SHAREDIR}/$product/configfiles/" if $> != 0;
    unless ( $config{CONFIG_PATH} ) {
 	fatal_error "$f does not exist" unless -f $f;
@@ -3235,7 +3444,7 @@ sub process_shorewall_conf( $$ ) {
 	    #
 	    # Don't expand shell variables or allow embedded scripting
 	    #
-	    while ( read_a_line( 0, 0 ) ) {
+	    while ( read_a_line1 ) {
 		if ( $currentline =~ /^\s*([a-zA-Z]\w*)=(.*?)\s*$/ ) {
 		    my ($var, $val) = ($1, $2);
@@ -3793,6 +4002,7 @@ sub get_configuration( $$$ ) {
    default_yes_no 'EXPORTMODULES'              , '';
    default_yes_no 'LEGACY_FASTSTART'           , 'Yes';
    default_yes_no 'USE_PHYSICAL_NAMES'         , '';
    default_yes_no 'IPSET_WARNINGS'             , 'Yes';
    require_capability 'MARK' , 'FORWARD_CLEAR_MARK=Yes', 's', if $config{FORWARD_CLEAR_MARK};
@@ -4070,8 +4280,9 @@ sub append_file( $;$$ ) {
 		#
 		# Include progress message -- Pretend progress_message call was in the file
 		#
 		my $name = $globals{EXPORT} ? "$file user exit" : $user_exit;
 		$result = 1;
-		save_progress_message "Processing $user_exit ...";
+		save_progress_message "Processing $name ...";
 		copy1 $user_exit;
 	    }
 	}
--- a/Shorewall/Perl/Shorewall/Misc.pm
+++ b/Shorewall/Perl/Shorewall/Misc.pm
@@ -919,6 +919,13 @@ sub add_common_rules ( $ ) {
 		       p =>  "udp --dport $ports" ,
 		       imatch_dest_dev( $interface ) )
 		if get_interface_option( $interface, 'bridge' );
 	    unless ( $family == F_IPV6 || get_interface_option( $interface, 'allip' ) ) {
 		add_ijump( $filter_table->{input_chain( $interface ) } , 
 			   j => 'ACCEPT' ,
 			   p => "udp --dport $ports" ,
 			   s => NILIPv4 . '/32' );
 	    }
 	}
    }
@@ -1474,7 +1481,7 @@ sub generate_matrix() {
    for my $zone ( @zones ) {
 	my $zoneref = find_zone( $zone );
-	next if  @zones <= 2 && ! $zoneref->{options}{complex};
+	next if  @zones <= 2 && ! $zoneref->{complex};
 	#
 	# Complex zone or we have more than one non-firewall zone -- process_rules created a zone forwarding chain
 	#
@@ -1553,13 +1560,12 @@ sub generate_matrix() {
 	my $source_hosts_ref = $zoneref->{hosts};
 	my $chain1           = rules_target firewall_zone , $zone;
 	my $chain2           = rules_target $zone, firewall_zone;
 	my $complex          = $zoneref->{options}{complex} || 0;
 	my $type             = $zoneref->{type};
 	my $frwd_ref         = $filter_table->{zone_forward_chain $zone};
 	my $chain            = 0;
 	my $dnatref          = ensure_chain 'nat' , dnat_chain( $zone );
 	my $notrackref       = ensure_chain 'raw' , notrack_chain( $zone );
-	my $nested           = $zoneref->{options}{nested};
+	my $nested           = @{$zoneref->{parents}};
 	my $parenthasnat     = 0;
 	my $parenthasnotrack = 0;
--- a/Shorewall/Perl/Shorewall/Providers.pm
+++ b/Shorewall/Perl/Shorewall/Providers.pm
@@ -1021,7 +1021,7 @@ sub add_a_route( ) {
 sub setup_null_routing() {
    save_progress_message "Null Routing the RFC 1918 subnets";
-    emit "> \${VARDIR}undo_rfc1918_routing\n";
+    emit "> \${VARDIR}/undo_rfc1918_routing\n";
    for ( rfc1918_networks ) {
 	emit( qq(if ! \$IP -4 route ls | grep -q '^$_.* dev '; then),
 	      qq(    run_ip route replace unreachable $_),
--- a/Shorewall/Perl/Shorewall/Rules.pm
+++ b/Shorewall/Perl/Shorewall/Rules.pm
@@ -2458,6 +2458,12 @@ sub process_rule ( ) {
    progress_message qq(   Rule "$thisline" $done);
 }
 sub intrazone_allowed( $$ ) {
    my ( $zone, $zoneref ) = @_;
    $zoneref->{complex} && $filter_table->{rules_chain( $zone, $zone )}{policy} ne 'NONE';
 }
 #
 # Add jumps to the blacklst and blackout chains
 #
@@ -2470,7 +2476,7 @@ sub classic_blacklist() {
    for my $zone ( @zones ) {
 	my $zoneref = find_zone( $zone );
-	my $simple  =  @zones <= 2 && ! $zoneref->{options}{complex};
+	my $simple  =  @zones <= 2 && ! $zoneref->{complex};
 	if ( $zoneref->{options}{in}{blacklist} ) {
 	    my $blackref = $filter_table->{blacklst};
@@ -2484,7 +2490,7 @@ sub classic_blacklist() {
 		    my $ruleschain    = rules_chain( $zone, $zone1 );
 		    my $ruleschainref = $filter_table->{$ruleschain};
-		    if ( ( $zone ne $zone1 || $ruleschainref->{referenced} ) && $ruleschainref->{policy} ne 'NONE' ) {
+		    if ( $zone ne $zone1 || intrazone_allowed( $zone, $zoneref ) ) {
 			add_ijump( ensure_rules_chain( $ruleschain ), j => $blackref, @state );
 		    }
 		}
@@ -2501,7 +2507,7 @@ sub classic_blacklist() {
 		my $ruleschain    = rules_chain( $zone1, $zone );
 		my $ruleschainref = $filter_table->{$ruleschain};
-		if ( ( $zone ne $zone1 || $ruleschainref->{referenced} ) && $ruleschainref->{policy} ne 'NONE' ) {
+		if ( ( $zone ne $zone1 || intrazone_allowed( $zone, $zoneref ) ) ) {
 		    add_ijump( ensure_rules_chain( $ruleschain ), j => $blackref, @state );
 		}
 	    }
@@ -2568,6 +2574,11 @@ sub process_rules( $ ) {
    add_interface_options( $blrules );
    #
    # Handle MSS settings in the zones file
    #
    setup_zone_mss;
    $fn = open_file 'rules';
    if ( $fn ) {
--- a/Shorewall/Perl/Shorewall/Tc.pm
+++ b/Shorewall/Perl/Shorewall/Tc.pm
@@ -1039,7 +1039,7 @@ sub validate_tc_class( ) {
 	fatal_error "Unknown Parent class ($parentnum)" unless $parentref && $parentref->{occurs} == 1;
 	fatal_error "The class ($parentnum) specifies UMAX and/or DMAX; it cannot serve as a parent" if $parentref->{dmax};
 	fatal_error "The class ($parentnum) specifies flow; it cannot serve as a parent"             if $parentref->{flow};
-	fatal_error "The default class ($parentnum) may not have sub-classes"                        if $devref->{default} == $parentclass;
+	fatal_error "The default class ($parentnum) may not have sub-classes"                        if ( $devref->{default} || 0 ) == $parentclass;
 	$parentref->{leaf} = 0;
 	$ratemax  = $parentref->{rate};
 	$ratename = q(the parent class's RATE);
@@ -1959,13 +1959,13 @@ sub setup_tc() {
    if ( $config{TC_ENABLED} ) {
 	our  @tccmd = ( { match     => sub ( $ ) { $_[0] eq 'SAVE' } ,
 			  target    => 'CONNMARK --save-mark --mask' ,
-			  mark      => SMALLMARK ,
+			  mark      => $config{TC_EXPERT} ? HIGHMARK : SMALLMARK,
 			  mask      => in_hex( $globals{TC_MASK} ) ,
 			  connmark  => 1
 			} ,
 			{ match     => sub ( $ ) { $_[0] eq 'RESTORE' },
 			  target    => 'CONNMARK --restore-mark --mask' ,
-			  mark      => SMALLMARK ,
+			  mark      => $config{TC_EXPERT} ? HIGHMARK : SMALLMARK ,
 			  mask      => in_hex( $globals{TC_MASK} ) ,
 			  connmark  => 1
 			} ,
--- a/Shorewall/Perl/Shorewall/Zones.pm
+++ b/Shorewall/Perl/Shorewall/Zones.pm
@@ -83,6 +83,7 @@ our @EXPORT = qw( NOTHING
 		  compile_updown
 		  validate_hosts_file
 		  find_hosts_by_option
 		  find_zone_hosts_by_option
 		  find_zones_by_option
 		  all_ipsets
 		  have_ipsec
@@ -113,11 +114,10 @@ use constant { IN_OUT     => 1,
 #
 #     @zones contains the ordered list of zones with sub-zones appearing before their parents.
 #
-#     %zones{<zone1> => {type = >      <zone type>       FIREWALL, IP, IPSEC, BPORT;
+#     %zones{<zone1> => {type =>       <zone type>       FIREWALL, IP, IPSEC, BPORT;
-#                        options =>    { complex => 0|1
+#                        complex =>    0|1
-#                                        nested  => 0|1
+#                        super   =>    0|1
-#                                        super   => 0|1
+#                        options =>    { in_out  => < policy match string >
 #                                        in_out  => < policy match string >
 #                                        in      => < policy match string >
 #                                        out     => < policy match string >
 #                                      }
@@ -309,6 +309,7 @@ sub initialize( $$ ) {
 			     broadcast => 1,
 			     destonly => 1,
 			     sourceonly => 1,
 			     mss => 1,
 			    );
 	%zonetypes = ( 1 => 'firewall', 2 => 'ipv4', 4 => 'bport4', 8 => 'ipsec4', 16 => 'vserver' );
    } else {
@@ -335,6 +336,7 @@ sub initialize( $$ ) {
 			     maclist => 1,
 			     routeback => 1,
 			     tcpflags => 1,
 			     mss => 1,
 			    );
 	%zonetypes = ( 1 => 'firewall', 2 => 'ipv6', 4 => 'bport6', 8 => 'ipsec4', 16 => 'vserver' );
    }
@@ -408,8 +410,8 @@ sub set_super( $ ); #required for recursion
 sub set_super( $ ) {
    my $zoneref = shift;
-    unless ( $zoneref->{options}{super} ) {
+    unless ( $zoneref->{super} ) {
-	$zoneref->{options}{super} = 1;
+	$zoneref->{super} = 1;
 	set_super( $zones{$_} ) for @{$zoneref->{parents}};
    }
 }
@@ -487,10 +489,9 @@ sub process_zone( \$ ) {
 				    options    => { in_out  => parse_zone_option_list( $options , $type, $complex , IN_OUT ) ,
 						    in      => parse_zone_option_list( $in_options , $type , $complex , IN ) ,
 						    out     => parse_zone_option_list( $out_options , $type , $complex , OUT ) ,
 						    complex => ( $type & IPSEC || $complex ) ,
 						    nested  => @parents > 0 ,
 						    super   => 0 ,
 						  } ,
 				    super      => 0 ,
 				    complex    => ( $type & IPSEC || $complex ) ,
 				    interfaces => {} ,
 				    children   => [] ,
 				    hosts      => {}
@@ -506,7 +507,7 @@ sub process_zone( \$ ) {
 		fatal_error "Zone mark overflow - please increase the setting of ZONE_BITS" if $zonemark >= $zonemarklimit;
 		$mark      = $zonemark;
 		$zonemark += $zonemarkincr;
-		$zoneref->{options}{complex} = 1;
+		$zoneref->{complex} = 1;
 	    }
 	}
@@ -516,7 +517,6 @@ sub process_zone( \$ ) {
 	    progress_message_nocompress "   Zone $zone:\tmark value " . in_hex( $zoneref->{mark} = $mark );
 	}
    }
    if ( $zoneref->{options}{in_out}{blacklist} ) {
 	for ( qw/in out/ ) {
@@ -775,14 +775,18 @@ sub add_group_to_zone($$$$$)
    fatal_error "Duplicate Host Group ($interface:" . ALLIP . ") in zone $zone" if $allip && @$interfaceref;
-    $zoneref->{options}{complex} = 1 if @$interfaceref || @newnetworks > 1 || @exclusions || $options->{routeback};
+    $zoneref->{complex} = 1 if @$interfaceref || @newnetworks > 1 || @exclusions || $options->{routeback};
    push @{$interfaceref}, { options => $options,
 			     hosts   => \@newnetworks,
 			     ipsec   => $type & IPSEC ? 'ipsec' : 'none' ,
 			     exclusions => \@exclusions };
-    $interfaces{$interface}{options}{routeback} ||= ( $type != IPSEC && $options->{routeback} );
+    if ( $type != IPSEC ) {
 	my $optref = $interfaces{$interface}{options};
 	$optref->{routeback} ||= $options->{routeback};
 	$optref->{allip}     ||= $allip;
    }
 }
 #
@@ -838,7 +842,7 @@ sub all_parent_zones() {
 }
 sub complex_zones() {
-    grep( $zones{$_}{options}{complex} , @zones );
+    grep( $zones{$_}{complex} , @zones );
 }
 sub vserver_zones() {
@@ -1838,7 +1842,7 @@ sub process_host( ) {
    }
    if ( $hosts =~ /^!?\+/ ) {
-	$zoneref->{options}{complex} = 1;
+	$zoneref->{complex} = 1;
 	fatal_error "ipset name qualification is disallowed in this file" if $hosts =~ /[\[\]]/;
 	fatal_error "Invalid ipset name ($hosts)" unless $hosts =~ /^!?\+[a-zA-Z][-\w]*$/;
    }
@@ -1862,12 +1866,16 @@ sub process_host( ) {
 	    if ( $option eq 'ipsec' ) {
 		require_capability 'POLICY_MATCH' , q(The 'ipsec' option), 's';
 		$type = IPSEC;
-		$zoneref->{options}{complex} = 1;
+		$zoneref->{complex} = 1;
 		$ipsec = $interfaceref->{ipsec} = 1;
 	    } elsif ( $option eq 'norfc1918' ) {
 		warning_message "The 'norfc1918' host option is no longer supported"
 	    } elsif ( $option eq 'blacklist' ) {
 		$zoneref->{options}{in}{blacklist} = 1;
 	    } elsif ( $option =~ /^mss=(\d+)$/ ) {
 		fatal_error "Invalid mss ($1)" unless $1 >= 500;
 		$options{mss} = $1;
 		$zoneref->{options}{complex} = 1;
 	    } elsif ( $validhostoptions{$option}) {
 		fatal_error qq(The "$option" option is not allowed with Vserver zones) if $type & VSERVER && ! ( $validhostoptions{$option} & IF_OPTION_VSERVER );
 		$options{$option} = 1;
@@ -1932,7 +1940,7 @@ sub validate_hosts_file()
    $have_ipsec = $ipsec || haveipseczones;
-    $_->{options}{complex} ||= ( keys %{$_->{interfaces}} > 1 ) for values %zones;
+    $_->{complex} ||= ( keys %{$_->{interfaces}} > 1 ) for values %zones;
 }
 #
@@ -1944,7 +1952,7 @@ sub have_ipsec() {
 #
 # Returns a reference to a array of host entries. Each entry is a
-# reference to an array containing ( interface , polciy match type {ipsec|none} , network , exclusions );
+# reference to an array containing ( interface , polciy match type {ipsec|none} , network , exclusions, value );
 #
 sub find_hosts_by_option( $ ) {
    my $option = $_[0];
@@ -1954,9 +1962,9 @@ sub find_hosts_by_option( $ ) {
 	while ( my ($type, $interfaceref) = each %{$zones{$zone}{hosts}} ) {
 	    while ( my ( $interface, $arrayref) = ( each %{$interfaceref} ) ) {
 		for my $host ( @{$arrayref} ) {
-		    if ( $host->{options}{$option} ) {
+		    if ( my $value = $host->{options}{$option} ) {
 			for my $net ( @{$host->{hosts}} ) {
-			    push @hosts, [ $interface, $host->{ipsec} , $net , $host->{exclusions}];
+			    push @hosts, [ $interface, $host->{ipsec} , $net , $host->{exclusions}, $value ];
 			}
 		    }
 		}
@@ -1973,6 +1981,30 @@ sub find_hosts_by_option( $ ) {
    \@hosts;
 }
 #
 # As above but for a single zone
 #
 sub find_zone_hosts_by_option( $$ ) {
    my ($zone, $option ) = @_;
    my @hosts;
    unless ( $zones{$zone}{type} & FIREWALL ) {
 	while ( my ($type, $interfaceref) = each %{$zones{$zone}{hosts}} ) {
 	    while ( my ( $interface, $arrayref) = ( each %{$interfaceref} ) ) {
 		for my $host ( @{$arrayref} ) {
 		    if ( my $value = $host->{options}{$option} ) {
 			for my $net ( @{$host->{hosts}} ) {
 			    push @hosts, [ $interface, $host->{ipsec} , $net , $host->{exclusions}, $value ];
 			}
 		    }
 		}
 	    }
 	}
    }
    \@hosts;
 }
 #
 # Returns a reference to a list of zones with the passed in/out option
 #
--- a/Shorewall/Perl/compiler.pl
+++ b/Shorewall/Perl/compiler.pl
@@ -65,6 +65,7 @@ sub usage( $ ) {
    [ --annotate ]
    [ --update ]
    [ --convert ]
    [ --shorewallrc ]
    [ --config_path=<path-list> ]
 ';
@@ -91,6 +92,7 @@ my $annotate      = 0;
 my $update        = 0;
 my $convert       = 0;
 my $config_path   = '';
 my $shorewallrc   = '';
 Getopt::Long::Configure ('bundling');
@@ -122,6 +124,7 @@ my $result = GetOptions('h'               => \$help,
 			'update'          => \$update,
 			'convert'         => \$convert,
 			'config_path=s'   => \$config_path,
 			'shorewallrc=s'   => \$shorewallrc,
 		       );
 usage(1) unless $result && @ARGV < 2;
@@ -144,4 +147,5 @@ compiler( script          => $ARGV[0] || '',
 	  convert         => $convert,
 	  annotate        => $annotate,
 	  config_path     => $config_path,
 	  shorewallrc     => $shorewallrc
 	);
--- a/Shorewall/Perl/getparams
+++ b/Shorewall/Perl/getparams
@@ -33,7 +33,19 @@ else
    g_program=shorewall
 fi
-. /usr/share/shorewall/lib.cli
+#
 # This is modified by the installer when ${SHAREDIR} != /usr/share
 #
 . /usr/share/shorewall/shorewallrc
 g_libexec="$LIBEXECDIR"
 g_sharedir="$SHAREDIR"/shorewall
 g_sbindir="$SBINDIR"
 g_perllib="$PERLLIBDIR"
 g_confdir="$CONFDIR"/shorewall
 g_readrc=1
 . $g_sharedir/lib.cli
 CONFIG_PATH="$2"
--- a/Shorewall/Perl/macro.BLACKLIST
+++ b/Shorewall/Perl/macro.BLACKLIST
@@ -0,0 +1,11 @@
 #
 # Shorewall version 4 - blacklist Macro
 #
 # /usr/share/shorewall/macro.blacklist
 #
 #	This macro handles blacklisting using BLACKLIST_DISPOSITION and BLACKLIST_LOGLEVEL
 #
 ###############################################################################
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
 #				PORT(S)	PORT(S)	LIMIT	GROUP
 $BLACKLIST_DISPOSITION:$BLACKLIST_LOGLEVEL
--- a/Shorewall/Perl/prog.footer
+++ b/Shorewall/Perl/prog.footer
@@ -235,8 +235,8 @@ case "$COMMAND" in
 	    status=2
 	elif checkkernelversion; then
 	    if [ $# -eq 1 ]; then
-		$IP6TABLES -Z
+		$g_tool -Z
-		$IP6TABLES -t mangle -Z
+		$g_tool -t mangle -Z
 		date > ${VARDIR}/restarted
 		status=0
 		progress_message3 "$g_product Counters Reset"
@@ -245,7 +245,7 @@ case "$COMMAND" in
 		status=0
 		for chain in $@; do
 		    if chain_exists $chain; then
-			if qt $IP6TABLES -Z $chain; then
+			if qt $g_tool-Z $chain; then
 			    progress_message3 "Filter $chain Counters Reset"
 			else
 			    error_message "ERROR: Reset of chain $chain failed"
--- a/Shorewall/Perl/prog.header
+++ b/Shorewall/Perl/prog.header
@@ -1,402 +0,0 @@
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
 #     (c) 1999-2011 - Tom Eastep (teastep@shorewall.net)
 #
 #	Options are:
 #
 #	    -n				  Don't alter Routing
 #	    -v and -q			  Standard Shorewall Verbosity control
 #           -t                            Timestamp progress messages
 #           -p                            Purge conntrack table
 #           -r                            Recover from failed start/restart
 #           -V <verbosity>                Set verbosity level explicitly
 #           -R <restore>                  Overrides RESTOREFILE setting
 #
 #	Commands are:
 #
 #	   start			  Starts the firewall
 #          refresh                        Refresh the firewall
 #	   restart			  Restarts the firewall
 #	   reload			  Reload the firewall
 #	   clear			  Removes all firewall rules
 #	   stop				  Stops the firewall
 #	   status			  Displays firewall status
 #	   version			  Displays the version of Shorewall that
 #	   				  generated this program
 #
 ################################################################################
 # Functions imported from /usr/share/shorewall/prog.header
 ################################################################################
 #
 # Find the value 'weight' in the passed arguments then echo the next value
 #
 find_weight() {
    while [ $# -gt 1 ]; do
 	[ "x$1" = xweight ] && echo $2 && return
 	shift
    done
 }
 #
 # Find the interfaces that have a route to the passed address - the default
 # route is not used.
 #
 find_rt_interface() {
    $IP -4 route list | while read addr rest; do
 	case $addr in
 	    */*)
 		in_network ${1%/*} $addr && echo $(find_device $rest)
 		;;
 	    default)
 		;;
 	    *)
 		if [ "$addr" = "$1" -o "$addr/32" = "$1" ]; then
 		    echo $(find_device $rest)
 		fi
 		;;
 	esac
    done
 }
 #
 # Echo the name of the interface(s) that will be used to send to the
 # passed address
 #
 find_interface_by_address() {
    local dev
    dev="$(find_rt_interface $1)"
    local first
    local rest
    [ -z "$dev" ] && dev=$(find_default_interface)
    [ -n "$dev" ] && echo $dev
 }
 #
 #  echo the list of networks routed out of a given interface
 #
 get_routed_networks() # $1 = interface name, $2-n = Fatal error message
 {
    local address
    local rest
    $IP -4 route show dev $1 2> /dev/null |
 	while read address rest; do
 	    case "$address" in
 		default)
 		    if [ $# -gt 1 ]; then
 			shift
 			fatal_error "$@"
 		    else
 			echo "WARNING: default route ignored on interface $1" >&2
 		    fi
 		    ;;
 		multicast|broadcast|prohibit|nat|throw|nexthop)
 		    ;;
 		*)
 		    [ "$address" = "${address%/*}" ] && address="${address}/32"
 		    echo $address
 		    ;;
 	    esac
        done
 }
 #
 # Get the broadcast addresses associated with an interface
 #
 get_interface_bcasts() # $1 = interface
 {
    local addresses
    addresses=
    $IP -f inet addr show dev $1 2> /dev/null | grep 'inet.*brd' | sed 's/inet.*brd //; s/scope.*//;' | sort -u
 }
 #
 # Delete IP address
 #
 del_ip_addr() # $1 = address, $2 = interface
 {
    [ $(find_first_interface_address_if_any $2) = $1 ] || qtnoin $IP addr del $1 dev $2
 }
 # Add IP Aliases
 #
 add_ip_aliases() # $* = List of addresses
 {
    local local
    local addresses
    local external
    local interface
    local inet
    local cidr
    local rest
    local val
    local arping
    arping=$(mywhich arping)
    address_details()
    {
 	#
 	# Folks feel uneasy if they don't see all of the same
 	# decoration on these IP addresses that they see when their
 	# distro's net config tool adds them. In an attempt to reduce
 	# the anxiety level, we have the following code which sets
 	# the VLSM and BRD from an existing address in the same networks
 	#
 	# Get all of the lines that contain inet addresses with broadcast
 	#
 	$IP -f inet addr show $interface 2> /dev/null | grep 'inet.*brd' | while read inet cidr rest ; do
 	    case $cidr in
 		*/*)
 		    if in_network $external $cidr; then
 			echo "/${cidr#*/} brd $(broadcastaddress $cidr)"
 			break
 		    fi
 		    ;;
 	    esac
 	done
    }
    do_one()
    {
 	val=$(address_details)
 	$IP addr add ${external}${val} dev $interface $label
 	[ -n "$arping" ] && qt $arping -U -c 2 -I $interface $external
 	echo "$external $interface" >> $VARDIR/nat
 	[ -n "$label" ] && label="with $label"
 	progress_message "   IP Address $external added to interface $interface $label"
    }
    progress_message "Adding IP Addresses..."
    while [ $# -gt 0 ]; do
 	external=$1
 	interface=$2
 	label=
 	if [ "$interface" != "${interface%:*}" ]; then
 	    label="${interface#*:}"
 	    interface="${interface%:*}"
 	    label="label $interface:$label"
 	fi
 	shift 2
 	list_search $external $(find_interface_addresses $interface) || do_one
    done
 }
 #
 # Detect the gateway through a PPP or DHCP-configured interface
 #
 detect_dynamic_gateway() { # $1 = interface
    local interface
    interface=$1
    local GATEWAYS
    GATEWAYS=
    local gateway
    gateway=$(run_findgw_exit $1);
    if [ -z "$gateway" ]; then
 	gateway=$( find_peer $($IP addr list $interface ) )
    fi
    if [ -z "$gateway" -a -f /var/lib/dhcpcd/dhcpcd-${1}.info ]; then
 	eval $(grep ^GATEWAYS=  /var/lib/dhcpcd/dhcpcd-${1}.info 2> /dev/null)
 	[ -n "$GATEWAYS" ] && GATEWAYS=${GATEWAYS%,*} && gateway=$GATEWAYS
    fi
    if [ -z "$gateway" -a -f /var/lib/dhcp/dhclient-${1}.lease ]; then
 	gateway=$(grep 'option routers' /var/lib/dhcp/dhclient-${1}.lease | tail -n 1 | while read j1 j2 gateway; do echo $gateway ; return 0; done)
    fi
    [ -n "$gateway" ] && echo $gateway
 }
 #
 # Detect the gateway through an interface
 #
 detect_gateway() # $1 = interface
 {
    local interface
    interface=$1
    local gateway
    #
    # First assume that this is some sort of dynamic interface
    #
    gateway=$( detect_dynamic_gateway $interface )
    #
    # Maybe there's a default route through this gateway already
    #
    [ -n "$gateway" ] || gateway=$(find_gateway $($IP -4 route list dev $interface | grep ^default))
    #
    # Last hope -- is there a load-balancing route through the interface?
    #
    [ -n "$gateway" ] || gateway=$(find_nexthop $interface)
    #
    # Be sure we found one
    #
    [ -n "$gateway" ] && echo $gateway
 }
 #
 # Disable IPV6
 #
 disable_ipv6() {
    local foo
    foo="$($IP -f inet6 addr list 2> /dev/null)"
    if [ -n "$foo" ]; then
 	if [ -x "$IP6TABLES" ]; then
 	    $IP6TABLES -P FORWARD DROP
 	    $IP6TABLES -P INPUT DROP
 	    $IP6TABLES -P OUTPUT DROP
 	    $IP6TABLES -F
 	    $IP6TABLES -X
 	    $IP6TABLES -A OUTPUT -o lo -j ACCEPT
 	    $IP6TABLES -A INPUT -i lo -j ACCEPT
 	else
 	    error_message "WARNING: DISABLE_IPV6=Yes in shorewall.conf but this system does not appear to have ip6tables"
 	fi
    fi
 }
 #
 # Add an additional gateway to the default route
 #
 add_gateway() # $1 = Delta $2 = Table Number
 {
    local route
    local weight
    local delta
    local dev
    route=`$IP -4 -o route ls table $2 | grep ^default | sed 's/default //; s/[\]//g'`
    if [ -z "$route" ]; then
 	run_ip route add default scope global table $2 $1
    else
 	delta=$1
 	if ! echo $route | fgrep -q ' nexthop '; then
 	    route=`echo $route | sed 's/via/nexthop via/'`
 	    dev=$(find_device $route)
 	    if [ -f ${VARDIR}/${dev}_weight ]; then
 		weight=`cat ${VARDIR}/${dev}_weight`
 		route="$route weight $weight"
 	    fi
 	fi
 	run_ip route replace default scope global table $2 $route $delta
    fi
 }
 #
 # Remove a gateway from the default route
 #
 delete_gateway() # $! = Description of the Gateway $2 = table number $3 = device
 {
    local route
    local gateway
    local dev
    route=`$IP -4 -o route ls table $2 | grep ^default | sed 's/[\]//g'`
    gateway=$1
    if [ -n "$route" ]; then
 	if echo $route | fgrep -q ' nexthop '; then
 	    gateway="nexthop $gateway"
 	    eval route=\`echo $route \| sed \'s/$gateway/ /\'\`
 	    run_ip route replace table $2 $route
 	else
 	    dev=$(find_device $route)
 	    [ "$dev" = "$3" ] && run_ip route delete default table $2
 	fi
    fi
 }
 #
 # Determine the MAC address of the passed IP through the passed interface
 #
 find_mac() # $1 = IP address, $2 = interface
 {
    if interface_is_usable $2 ; then
 	qt ping -nc 1 -t 2 -I $2 $1
 	local result
 	result=$($IP neigh list |  awk "/^$1 / {print \$5}")
 	case $result in
 	    \<*\>)
 		;;
 	    *)
 		[ -n "$result" ] && echo $result
 		;;
 	esac
    fi
 }
 #
 # Clear Proxy Arp
 #
 delete_proxyarp() {
    if [ -f ${VARDIR}/proxyarp ]; then
 	while read address interface external haveroute; do
 	    qtnoin $IP -4 neigh del proxy $address dev $external
 	    [ -z "${haveroute}${g_noroutes}" ] && qtnoin $IP -4 route del $address/32 dev $interface
 	    f=/proc/sys/net/ipv4/conf/$interface/proxy_arp
 	    [ -f $f ] && echo 0 > $f
 	done < ${VARDIR}/proxyarp
 	rm -f ${VARDIR}/proxyarp
    fi
 }
 #
 # Remove all Shorewall-added rules
 #
 clear_firewall() {
    stop_firewall
    setpolicy INPUT ACCEPT
    setpolicy FORWARD ACCEPT
    setpolicy OUTPUT ACCEPT
    run_iptables -F
    qt $IPTABLES -t raw -F
    echo 1 > /proc/sys/net/ipv4/ip_forward
    if [ -n "$DISABLE_IPV6" ]; then
 	if [ -x $IP6TABLES ]; then
    	    $IP6TABLES -P INPUT   ACCEPT 2> /dev/null
 	    $IP6TABLES -P OUTPUT  ACCEPT 2> /dev/null
 	    $IP6TABLES -P FORWARD ACCEPT 2> /dev/null
 	fi
    fi
    run_clear_exit
    set_state "Cleared"
    logger -p kern.info "$g_product Cleared"
 }
 #
 # Get a list of all configured broadcast addresses on the system
 #
 get_all_bcasts()
 {
    $IP -f inet addr show 2> /dev/null | grep 'inet.*brd' | grep -v '/32 ' | sed 's/inet.*brd //; s/scope.*//;' | sort -u
 }
 ################################################################################
 # End of functions in /usr/share/shorewall/prog.header
 ################################################################################
--- a/Shorewall/Perl/prog.header6
+++ b/Shorewall/Perl/prog.header6
@@ -1,311 +0,0 @@
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
 #     (c) 1999-2011- Tom Eastep (teastep@shorewall.net)
 #
 #	Options are:
 #
 #	    -n				  Don't alter Routing
 #	    -v and -q			  Standard Shorewall Verbosity control
 #           -t                            Timestamp progress messages
 #           -p                            Purge conntrack table
 #           -r                            Recover from failed start/restart
 #           -V <verbosity>                Set verbosity level explicitly
 #           -R <restore>                  Overrides RESTOREFILE setting
 #
 #	Commands are:
 #
 #	   start			  Starts the firewall
 #          refresh                        Refresh the firewall
 #	   restart			  Restarts the firewall
 #	   reload			  Reload the firewall
 #	   clear			  Removes all firewall rules
 #	   stop				  Stops the firewall
 #	   status			  Displays firewall status
 #	   version			  Displays the version of Shorewall that
 #	   				  generated this program
 #
 ################################################################################
 # Functions imported from /usr/share/shorewall/prog.header6
 ################################################################################
 #
 # Get all interface addresses with VLSMs
 #
 find_interface_full_addresses() # $1 = interface
 {
    $IP -f inet6 addr show $1 2> /dev/null | grep 'inet6 ' | sed 's/\s*inet6 //;s/ scope.*//;s/ peer.*//'
 }
 #
 # Normalize an IPv6 Address by compressing out consecutive zero elements
 #
 normalize_address() # $1 = valid IPv6 Address
 {
    local address
    address=$1
    local j
    while true; do
 	case $address in
 	    ::*)
 		address=0$address
 		;;
 	    *::*)
 		list_count $(split $address)
 		j=$?
 		if [ $j -eq 7 ]; then
 		    address=${address%::*}:0:${address#*::}
 		elif [ $j -eq 8 ]; then
 		    $address=${address%::*}:${address#*::}
 		    break 2
 		else
 		    address=${address%::*}:0::${address#*::}
 		fi
 		;;
 	    *)
 		echo $address
 		break 2
 		;;
 	esac
    done
 }
 #
 # Reads correctly-formed and fully-qualified host and subnet addresses from STDIN. For each
 # that defines a /120 or larger network, it sends to STDOUT:
 #
 #    The corresponding subnet-router anycast address (all host address bits are zero)
 #    The corresponding anycast addresses defined by RFC 2526 (the last 128 addresses in the subnet)
 #
 convert_to_anycast() {
    local address
    local badress
    local vlsm
    local host
    local o
    local m
    m=
    local z
    z=65535
    local l
    while read address; do
 	case $address in
 	    2*|3*)
 		vlsm=${address#*/}
 		vlsm=${vlsm:=128}
 		if [ $vlsm -le 120 ]; then
 	            #
 	            # Defines a viable subnet -- first get the subnet-router anycast address
 	            #
 		    host=$((128 - $vlsm))
 		    address=$(normalize_address ${address%/*})
 		    while [ $host -ge 16 ]; do
 			address=${address%:*}
 			host=$(($host - 16))
 		    done
 		    if [ $host -gt 0 ]; then
 			#
 			# VLSM is not a multiple of 16
 			#
 			host=$((16 - $host))
 			o=$((0x${address##*:}))
 			m=0
 			while [ $host -gt 0 ]; do
 			    m=$((($m >> 1) | 0x8000))
 			    z=$(($z >> 1))
 			    host=$(($host - 1))
 			done
 			o=$(($o & $m))
 			badress=${address%:*}
 			address=$badress:$(printf %04x $o)
 			z=$(($o | $z))
 			if [ $vlsm -gt 112 ]; then
 			    z=$(($z & 0xff80))
 			fi
 			badress=$badress:$(printf %04x $z)
 		    else
 			badress=$address
 		    fi
 		    #
 		    # Note: at this point $address and $badress are the same except possibly for
 		    #       the contents of the last half-word
 		    #
 		    list_count $(split $address)
 		    l=$?
 		    #
 		    # Now generate the anycast addresses defined by RFC 2526
 		    #
 		    if [ $l -lt 8 ]; then
 			#
 			# The subnet-router address
 			#
 			echo $address::
 		    	while [ $l -lt 8 ]; do
 			    badress=$badress:ffff
 			    l=$(($l + 1 ))
 			done
 		    else
 			#
 			# The subnet-router address
 			#
 			echo $address
 		    fi
 		    #
 		    # And the RFC 2526 addresses
 		    #
 		    echo $badress/121
 		fi
 		;;
 	esac
    done
 }
 #
 # Generate a list of anycast addresses for a given interface
 #
 get_interface_acasts() # $1 = interface
 {
    local addresses
    addresses=
    find_interface_full_addresses $1 | convert_to_anycast | sort -u
 }
 #
 # Get a list of all configured anycast addresses on the system
 #
 get_all_acasts()
 {
    find_interface_full_addresses | convert_to_anycast | sort -u
 }
 #
 # Detect the gateway through an interface
 #
 detect_gateway() # $1 = interface
 {
    local interface
    interface=$1
    #
    # First assume that this is some sort of point-to-point interface
    #
    gateway=$( find_peer $($IP -6 addr list $interface ) )
    #
    # Maybe there's a default route through this gateway already
    #
    [ -n "$gateway" ] || gateway=$(find_gateway $($IP -6 route list dev $interface | grep '^default'))
    #
    # Last hope -- is there a load-balancing route through the interface?
    #
    [ -n "$gateway" ] || gateway=$(find_nexthop $interface)
    #
    # Be sure we found one
    #
    [ -n "$gateway" ] && echo $gateway
 }
 #
 # Add an additional gateway to the default route
 #
 add_gateway() # $1 = Delta $2 = Table Number
 {
    local route
    local weight
    local delta
    local dev
    run_ip route add default scope global table $2 $1
 }
 #
 # Remove a gateway from the default route
 #
 delete_gateway() # $! = Description of the Gateway $2 = table number $3 = device
 {
    local route
    local gateway
    local dev
    route=`$IP -6 -o route ls table $2 | grep ^default | sed 's/[\]//g'`
    gateway=$1
    dev=$(find_device $route)
    [ "$dev" = "$3" ] && run_ip route delete default table $2
 }
 #
 # Determine how to do "echo -e"
 #
 find_echo() {
    local result
    result=$(echo "a\tb")
    [ ${#result} -eq 3 ] && { echo echo; return; }
    result=$(echo -e "a\tb")
    [ ${#result} -eq 3 ] && { echo "echo -e"; return; }
    result=$(which echo)
    [ -n "$result" ] && { echo "$result -e"; return; }
    echo echo
 }
 #
 # Clear Proxy NDP
 #
 delete_proxyndp() {
    if [ -f ${VARDIR}/proxyndp ]; then
 	while read address interface external haveroute; do
 	    qt $IP -6 neigh del proxy $address dev $external
 	    [ -z "${haveroute}${g_noroutes}" ] && qt $IP -6 route del $address/128 dev $interface
 	    f=/proc/sys/net/ipv6/conf/$interface/proxy_ndp
 	    [ -f $f ] && echo 0 > $f
 	done < ${VARDIR}/proxyndp
 	rm -f ${VARDIR}/proxyndp
    fi
 }
 #
 # Remove all Shorewall-added rules
 #
 clear_firewall() {
    stop_firewall
    setpolicy INPUT ACCEPT
    setpolicy FORWARD ACCEPT
    setpolicy OUTPUT ACCEPT
    run_iptables -F
    qt $IP6TABLES -t raw -F
    echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
    run_clear_exit
    set_state "Cleared"
    logger -p kern.info "$g_product Cleared"
 }
 ################################################################################
 # End of functions imported from /usr/share/shorewall/prog.header6
 ################################################################################
--- a/Shorewall/Samples/Universal/shorewall.conf
+++ b/Shorewall/Samples/Universal/shorewall.conf
@@ -53,7 +53,7 @@ TCP_FLAGS_LOG_LEVEL=info
 #	L O C A T I O N	  O F	F I L E S   A N D   D I R E C T O R I E S
 ###############################################################################
-CONFIG_PATH=/etc/shorewall:/usr/share/shorewall
+CONFIG_PATH=${CONFDIR}/shorewall:${SHAREDIR}/shorewall
 IPTABLES=
@@ -138,6 +138,8 @@ FORWARD_CLEAR_MARK=
 IMPLICIT_CONTINUE=No
 IPSET_WARNINGS=Yes
 IP_FORWARDING=On
 KEEP_RT_TABLES=No
--- a/Shorewall/Samples/one-interface/shorewall.conf
+++ b/Shorewall/Samples/one-interface/shorewall.conf
@@ -64,7 +64,7 @@ TCP_FLAGS_LOG_LEVEL=info
 #	L O C A T I O N	  O F	F I L E S   A N D   D I R E C T O R I E S
 ###############################################################################
-CONFIG_PATH=/etc/shorewall:/usr/share/shorewall
+CONFIG_PATH=${CONFDIR}/shorewall:${SHAREDIR}/shorewall
 IPTABLES=
@@ -149,6 +149,8 @@ FORWARD_CLEAR_MARK=
 IMPLICIT_CONTINUE=No
 IPSET_WARNINGS=Yes
 IP_FORWARDING=Off
 KEEP_RT_TABLES=No
--- a/Shorewall/Samples/three-interfaces/shorewall.conf
+++ b/Shorewall/Samples/three-interfaces/shorewall.conf
@@ -62,7 +62,7 @@ TCP_FLAGS_LOG_LEVEL=info
 #	L O C A T I O N	  O F	F I L E S   A N D   D I R E C T O R I E S
 ###############################################################################
-CONFIG_PATH=/etc/shorewall:/usr/share/shorewall
+CONFIG_PATH=${CONFDIR}/shorewall:${SHAREDIR}/shorewall
 IPTABLES=
@@ -147,6 +147,8 @@ FORWARD_CLEAR_MARK=
 IMPLICIT_CONTINUE=No
 IPSET_WARNINGS=Yes
 IP_FORWARDING=On
 KEEP_RT_TABLES=No
--- a/Shorewall/Samples/two-interfaces/shorewall.conf
+++ b/Shorewall/Samples/two-interfaces/shorewall.conf
@@ -65,7 +65,7 @@ TCP_FLAGS_LOG_LEVEL=info
 #	L O C A T I O N	  O F	F I L E S   A N D   D I R E C T O R I E S
 ###############################################################################
-CONFIG_PATH=/etc/shorewall:/usr/share/shorewall
+CONFIG_PATH=${CONFDIR}/shorewall:${SHAREDIR}/shorewall
 IPTABLES=
@@ -150,6 +150,8 @@ FORWARD_CLEAR_MARK=
 IMPLICIT_CONTINUE=No
 IPSET_WARNINGS=Yes
 IP_FORWARDING=On
 KEEP_RT_TABLES=No
--- a/Shorewall/configfiles/shorewall.conf
+++ b/Shorewall/configfiles/shorewall.conf
@@ -53,7 +53,7 @@ TCP_FLAGS_LOG_LEVEL=info
 #	L O C A T I O N	  O F	F I L E S   A N D   D I R E C T O R I E S
 ###############################################################################
-CONFIG_PATH="/etc/shorewall:/usr/share/shorewall"
+CONFIG_PATH="${CONFDIR}/shorewall:${SHAREDIR}/shorewall"
 IPTABLES=
@@ -138,6 +138,8 @@ FORWARD_CLEAR_MARK=
 IMPLICIT_CONTINUE=No
 IPSET_WARNINGS=Yes
 IP_FORWARDING=On
 KEEP_RT_TABLES=No
--- a/Shorewall/configfiles/tcrules
+++ b/Shorewall/configfiles/tcrules
@@ -10,6 +10,6 @@
 # See http://shorewall.net/PacketMarking.html for a detailed description of
 # the Netfilter/Shorewall packet marking mechanism.
 ##########################################################################################################################################
-#MARK	SOURCE		DEST		PROTO	DEST	SOURCE	USER	TEST	LENGTH	TOS   CONNBYTES		HELPER    PROBABILITY DSCP
+#ACTION	SOURCE		DEST		PROTO	DEST	SOURCE	USER	TEST	LENGTH	TOS   CONNBYTES		HELPER    PROBABILITY DSCP
 #						PORT(S)	PORT(S)
--- a/Shorewall/configpath
+++ b/Shorewall/configpath
@@ -10,4 +10,4 @@
 #	/usr/share/shorewall/configfiles/. This prevents 'compile -e'
 #	from trying to use configuration information from /etc/shorewall.
-CONFIG_PATH=${CONFDIR}:/usr/share/shorewall
+CONFIG_PATH=${CONFDIR}:${SHAREDIR}/shorewall
--- a/Shorewall/init.debian.sh
+++ b/Shorewall/init.debian.sh
@@ -11,7 +11,6 @@
 ### END INIT INFO
 SRWL=/sbin/shorewall
 SRWL_OPTS="-tvv"
 WAIT_FOR_IFUP=/usr/share/shorewall/wait4ifup
@@ -54,10 +53,15 @@ not_configured () {
 	exit 0
 }
 #
 # The installer may alter this
 #
 . /usr/share/shorewall/shorewallrc
 # check if shorewall is configured or not
-if [ -f "/etc/default/shorewall" ]
+if [ -f "${SYSCONFDIR}/shorewall" ]
 then
-	. /etc/default/shorewall
+	. ${SYSCONFDIR}/shorewall
 	SRWL_OPTS="$SRWL_OPTS $OPTIONS"
 	if [ "$startup" != "1" ]
 	then
--- a/Shorewall/init.fedora.sh
+++ b/Shorewall/init.fedora.sh
@@ -20,16 +20,21 @@
 # Source function library.
 . /etc/rc.d/init.d/functions
 #
 # The installer may alter this
 #
 . /usr/share/shorewall/shorewallrc
 prog="shorewall"
-shorewall="/sbin/$prog"
+shorewall="${SBINDIR}/$prog"
 logger="logger -i -t $prog"
 lockfile="/var/lock/subsys/$prog"
 # Get startup options (override default)
 OPTIONS=
-if [ -f /etc/sysconfig/$prog ]; then
+if [ -f ${SYSCONFDIR}/$prog ]; then
-    . /etc/sysconfig/$prog
+    . ${SYSCONFDIR}/$prog
 fi
 start() {
--- a/Shorewall/init.sh
+++ b/Shorewall/init.sh
@@ -54,7 +54,7 @@ RCDLINKS="2,S41 3,S41 6,K41"
 # Give Usage Information						       #
 ################################################################################
 usage() {
-    echo "Usage: $0 start|stop|reload|restart|status"
+    echo "Usage: $0 start|stop|reload|restart|status" >&2
    exit 1
 }
@@ -62,10 +62,14 @@ usage() {
 # Get startup options (override default)
 ################################################################################
 OPTIONS="-v0"
-if [ -f /etc/sysconfig/shorewall ]; then
+
-    . /etc/sysconfig/shorewall
+#
-elif [ -f /etc/default/shorewall ] ; then
+# The installer may alter this
-    . /etc/default/shorewall
+#
 . /usr/share/shorewall/shorewallrc
 if [ -f ${SYSCONFDIR}/shorewall ]; then
    . ${SYSCONFDIR}/shorewall
 fi
 export SHOREWALL_INIT_SCRIPT=1
@@ -78,13 +82,13 @@ shift
 case "$command" in
    start)
-	exec /sbin/shorewall $OPTIONS start $STARTOPTIONS
+	exec $SBINDIR/shorewall $OPTIONS start $STARTOPTIONS
 	;;
    restart|reload)
-	exec /sbin/shorewall $OPTIONS restart $RESTARTOPTIONS
+	exec $SBINDIR/shorewall $OPTIONS restart $RESTARTOPTIONS
 	;;
    status|stop)
-	exec /sbin/shorewall $OPTIONS $command
+	exec $SBINDIR/shorewall $OPTIONS $command
 	;;
    *)
 	usage
--- a/Shorewall/install.sh
+++ b/Shorewall/install.sh
--- a/Shorewall/lib.cli-std
+++ b/Shorewall/lib.cli-std
@@ -34,6 +34,8 @@ get_config() {
    ensure_config_path
    if [ "$1" = Yes ]; then
 	params=$(find_file params)
@@ -360,6 +362,8 @@ uptodate() {
 #
 compiler() {
    local pc
    local shorewallrc
    pc=$g_libexec/shorewall/compiler.pl
    if [ $(id -u) -ne 0 ]; then
@@ -374,7 +378,7 @@ compiler() {
    #
    # Get the config from $g_shorewalldir
    #
-    [ -n "$g_shorewalldir" -a "$g_shorewalldir" != /etc/$g_program ] && get_config
+    [ -n "$g_shorewalldir" -a "$g_shorewalldir" != ${g_confdir} ] && get_config
    case $COMMAND in
 	*start|try|refresh)
@@ -395,7 +399,14 @@ compiler() {
    [ "$1" = nolock ] && shift;
    shift
-    options="--verbose=$VERBOSITY --family=$g_family --config_path=$CONFIG_PATH"
+    if [ -n "$g_export" ]; then
 	shorewallrc=$(find_file shorewallrc)
 	[ -f "$shorewallrc" ] || fatal_error "Compiling for export requires a shorewallrc file"
    else
 	shorewallrc="${g_basedir}/shorewallrc"
    fi
    options="--verbose=$VERBOSITY --family=$g_family --config_path=$CONFIG_PATH --shorewallrc=${shorewallrc}"
    [ -n "$STARTUP_LOG" ] && options="$options --log=$STARTUP_LOG"
    [ -n "$LOG_VERBOSITY" ] && options="$options --log_verbosity=$LOG_VERBOSITY";
    [ -n "$g_export" ] && options="$options --export"
@@ -1297,6 +1308,10 @@ reload_command() # $* = original arguments less the command.
    root=root
    local libexec
    libexec=/usr/share
    local confdir
    confdir=/etc
    local sbindir
    sbindir=/sbin
    litedir=/var/lib/${g_program}-lite
@@ -1353,11 +1368,11 @@ reload_command() # $* = original arguments less the command.
 	    ;;
    esac
-    temp=$(rsh_command /sbin/${g_program}-lite show config 2> /dev/null | grep ^LITEDIR | sed 's/LITEDIR is //')
+    temp=$(rsh_command ${g_program}-lite show config 2> /dev/null | grep ^LITEDIR | sed 's/LITEDIR is //')
    [ -n "$temp" ] && litedir="$temp"
-    temp=$(rsh_command /sbin/${g_program}-lite show config 2> /dev/null | grep ^LIBEXEC | sed 's/LIBEXEC is //')
+    temp=$(rsh_command ${g_program}-lite show config 2> /dev/null | grep ^LIBEXEC | sed 's/LIBEXEC is //')
    if [ -n "$temp" ]; then
 	case $temp in
@@ -1370,6 +1385,14 @@ reload_command() # $* = original arguments less the command.
 	esac
    fi
    temp=$(rsh_command ${g_program}-lite show config 2> /dev/null | grep ^SBINDIR | sed 's/SBINDIR is //')
    [ -n "$temp" ] && sbindir="$temp"
    temp=$(rsh_command ${g_program}-lite show config 2> /dev/null | grep ^CONFDIR | sed 's/CONFDIR is //')
    [ -n "$temp" ] && confdir="$temp"
    if [ -z "$getcaps" ]; then
 	g_shorewalldir=$(resolve_file $directory)
 	ensure_config_path
@@ -1410,19 +1433,20 @@ reload_command() # $* = original arguments less the command.
    then
 	save=$(find_file save);
-	[ -f $save ] && progress_message3 "Copying $save to ${system}:/etc/${g_program}-lite/" && rcp_command $save /etc/shorewall-lite/
+	[ -f $save ] && progress_message3 "Copying $save to ${system}:${confdir}/${g_program}-lite/" && rcp_command $save ${confdir}/shorewall-lite/
 	progress_message3 "Copy complete"
 	if [ $COMMAND = reload ]; then
-	    rsh_command "/sbin/${g_program}-lite $g_debugging $verbose $timestamp restart" && \
+	    rsh_command "${sbindir}/${g_program}-lite $g_debugging $verbose $timestamp restart" && \
 	    progress_message3 "System $system reloaded" || saveit=
 	else
-	    rsh_command "/sbin/${g_program}-lite $g_debugging $verbose $timestamp start" && \
+	    rsh_command "${sbindir}/${g_program}-lite $g_debugging $verbose $timestamp start" && \
 	    progress_message3 "System $system loaded" || saveit=
 	fi
 	if [ -n "$saveit" ]; then
-	    rsh_command "/sbin/${g_program}-lite $g_debugging $verbose $timestamp save" && \
+	    rsh_command "${sbindir}/${g_program}-lite $g_debugging $verbose $timestamp save" && \
 	    progress_message3 "Configuration on system $system saved"
 	fi
    fi
--- a/Shorewall/lib.core
+++ b/Shorewall/lib.core
@@ -1,30 +1,34 @@
 #
 # Shorewall 4.5 -- /usr/share/shorewall/lib.core.
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2010-2012 - Tom Eastep (teastep@shorewall.net)
+#     (c) 1999-2012 - Tom Eastep (teastep@shorewall.net)
 #
-#	Complete documentation is available at http://shorewall.net
+#	Options are:
 #
-#	This program is free software; you can redistribute it and/or modify
+#	    -n				  Don't alter Routing
-#	it under the terms of Version 2 of the GNU General Public License
+#	    -v and -q			  Standard Shorewall Verbosity control
-#	as published by the Free Software Foundation.
+#           -t                            Timestamp progress messages
 #           -p                            Purge conntrack table
 #           -r                            Recover from failed start/restart
 #           -V <verbosity>                Set verbosity level explicitly
 #           -R <restore>                  Overrides RESTOREFILE setting
 #
-#	This program is distributed in the hope that it will be useful,
+#	Commands are:
 #	but WITHOUT ANY WARRANTY; without even the implied warranty of
 #	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 #	GNU General Public License for more details.
 #
-#	You should have received a copy of the GNU General Public License
+#	   start			  Starts the firewall
-#	along with this program; if not, write to the Free Software
+#          refresh                        Refresh the firewall
-#	Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#	   restart			  Restarts the firewall
 #	   reload			  Reload the firewall
 #	   clear			  Removes all firewall rules
 #	   stop				  Stops the firewall
 #	   status			  Displays firewall status
 #	   version			  Displays the version of Shorewall that
 #	   				  generated this program
 #
-# The purpose of this library is to hold those functions used by the generated
+################################################################################
-# scripts (both IPv4 and IPv6 -- the functions that are specific to one or the other
+# Functions imported from /usr/share/shorewall/lib.core
-# are found in prog.header and prog.header6).
+################################################################################
-#
+#                     Address family-neutral Functions
-#########################################################################################
+################################################################################
 #
 # Conditionally produce message
 #
@@ -630,3 +634,642 @@ EOF
 	done
    fi
 }
 ?IF __IPV4
 #################################################################################
 #                        IPv4-specific Functions
 #################################################################################
 # Find the value 'weight' in the passed arguments then echo the next value
 #
 find_weight() {
    while [ $# -gt 1 ]; do
 	[ "x$1" = xweight ] && echo $2 && return
 	shift
    done
 }
 #
 # Find the interfaces that have a route to the passed address - the default
 # route is not used.
 #
 find_rt_interface() {
    $IP -4 route list | while read addr rest; do
 	case $addr in
 	    */*)
 		in_network ${1%/*} $addr && echo $(find_device $rest)
 		;;
 	    default)
 		;;
 	    *)
 		if [ "$addr" = "$1" -o "$addr/32" = "$1" ]; then
 		    echo $(find_device $rest)
 		fi
 		;;
 	esac
    done
 }
 #
 # Echo the name of the interface(s) that will be used to send to the
 # passed address
 #
 find_interface_by_address() {
    local dev
    dev="$(find_rt_interface $1)"
    local first
    local rest
    [ -z "$dev" ] && dev=$(find_default_interface)
    [ -n "$dev" ] && echo $dev
 }
 #
 #  echo the list of networks routed out of a given interface
 #
 get_routed_networks() # $1 = interface name, $2-n = Fatal error message
 {
    local address
    local rest
    $IP -4 route show dev $1 2> /dev/null |
 	while read address rest; do
 	    case "$address" in
 		default)
 		    if [ $# -gt 1 ]; then
 			shift
 			fatal_error "$@"
 		    else
 			echo "WARNING: default route ignored on interface $1" >&2
 		    fi
 		    ;;
 		multicast|broadcast|prohibit|nat|throw|nexthop)
 		    ;;
 		*)
 		    [ "$address" = "${address%/*}" ] && address="${address}/32"
 		    echo $address
 		    ;;
 	    esac
        done
 }
 #
 # Get the broadcast addresses associated with an interface
 #
 get_interface_bcasts() # $1 = interface
 {
    local addresses
    addresses=
    $IP -f inet addr show dev $1 2> /dev/null | grep 'inet.*brd' | sed 's/inet.*brd //; s/scope.*//;' | sort -u
 }
 #
 # Delete IP address
 #
 del_ip_addr() # $1 = address, $2 = interface
 {
    [ $(find_first_interface_address_if_any $2) = $1 ] || qtnoin $IP addr del $1 dev $2
 }
 # Add IP Aliases
 #
 add_ip_aliases() # $* = List of addresses
 {
    local local
    local addresses
    local external
    local interface
    local inet
    local cidr
    local rest
    local val
    local arping
    arping=$(mywhich arping)
    address_details()
    {
 	#
 	# Folks feel uneasy if they don't see all of the same
 	# decoration on these IP addresses that they see when their
 	# distro's net config tool adds them. In an attempt to reduce
 	# the anxiety level, we have the following code which sets
 	# the VLSM and BRD from an existing address in the same network
 	#
 	# Get all of the lines that contain inet addresses with broadcast
 	#
 	$IP -f inet addr show $interface 2> /dev/null | grep 'inet.*brd' | while read inet cidr rest ; do
 	    case $cidr in
 		*/*)
 		    if in_network $external $cidr; then
 			echo "/${cidr#*/} brd $(broadcastaddress $cidr)"
 			break
 		    fi
 		    ;;
 	    esac
 	done
    }
    do_one()
    {
 	val=$(address_details)
 	$IP addr add ${external}${val} dev $interface $label
 	[ -n "$arping" ] && qt $arping -U -c 2 -I $interface $external
 	echo "$external $interface" >> $VARDIR/nat
 	[ -n "$label" ] && label="with $label"
 	progress_message "   IP Address $external added to interface $interface $label"
    }
    progress_message "Adding IP Addresses..."
    while [ $# -gt 0 ]; do
 	external=$1
 	interface=$2
 	label=
 	if [ "$interface" != "${interface%:*}" ]; then
 	    label="${interface#*:}"
 	    interface="${interface%:*}"
 	    label="label $interface:$label"
 	fi
 	shift 2
 	list_search $external $(find_interface_addresses $interface) || do_one
    done
 }
 #
 # Detect the gateway through a PPP or DHCP-configured interface
 #
 detect_dynamic_gateway() { # $1 = interface
    local interface
    interface=$1
    local GATEWAYS
    GATEWAYS=
    local gateway
    gateway=$(run_findgw_exit $1);
    if [ -z "$gateway" ]; then
 	gateway=$( find_peer $($IP addr list $interface ) )
    fi
    if [ -z "$gateway" -a -f /var/lib/dhcpcd/dhcpcd-${1}.info ]; then
 	eval $(grep ^GATEWAYS=  /var/lib/dhcpcd/dhcpcd-${1}.info 2> /dev/null)
 	[ -n "$GATEWAYS" ] && GATEWAYS=${GATEWAYS%,*} && gateway=$GATEWAYS
    fi
    if [ -z "$gateway" -a -f /var/lib/dhcp/dhclient-${1}.lease ]; then
 	gateway=$(grep 'option routers' /var/lib/dhcp/dhclient-${1}.lease | tail -n 1 | while read j1 j2 gateway; do echo $gateway ; return 0; done)
    fi
    [ -n "$gateway" ] && echo $gateway
 }
 #
 # Detect the gateway through an interface
 #
 detect_gateway() # $1 = interface
 {
    local interface
    interface=$1
    local gateway
    #
    # First assume that this is some sort of dynamic interface
    #
    gateway=$( detect_dynamic_gateway $interface )
    #
    # Maybe there's a default route through this gateway already
    #
    [ -n "$gateway" ] || gateway=$(find_gateway $($IP -4 route list dev $interface | grep ^default))
    #
    # Last hope -- is there a load-balancing route through the interface?
    #
    [ -n "$gateway" ] || gateway=$(find_nexthop $interface)
    #
    # Be sure we found one
    #
    [ -n "$gateway" ] && echo $gateway
 }
 #
 # Disable IPV6
 #
 disable_ipv6() {
    local foo
    foo="$($IP -f inet6 addr list 2> /dev/null)"
    if [ -n "$foo" ]; then
 	if [ -x "$IP6TABLES" ]; then
 	    $IP6TABLES -P FORWARD DROP
 	    $IP6TABLES -P INPUT DROP
 	    $IP6TABLES -P OUTPUT DROP
 	    $IP6TABLES -F
 	    $IP6TABLES -X
 	    $IP6TABLES -A OUTPUT -o lo -j ACCEPT
 	    $IP6TABLES -A INPUT -i lo -j ACCEPT
 	else
 	    error_message "WARNING: DISABLE_IPV6=Yes in shorewall.conf but this system does not appear to have ip6tables"
 	fi
    fi
 }
 #
 # Add an additional gateway to the default route
 #
 add_gateway() # $1 = Delta $2 = Table Number
 {
    local route
    local weight
    local delta
    local dev
    route=`$IP -4 -o route ls table $2 | grep ^default | sed 's/default //; s/[\]//g'`
    if [ -z "$route" ]; then
 	run_ip route add default scope global table $2 $1
    else
 	delta=$1
 	if ! echo $route | fgrep -q ' nexthop '; then
 	    route=`echo $route | sed 's/via/nexthop via/'`
 	    dev=$(find_device $route)
 	    if [ -f ${VARDIR}/${dev}_weight ]; then
 		weight=`cat ${VARDIR}/${dev}_weight`
 		route="$route weight $weight"
 	    fi
 	fi
 	run_ip route replace default scope global table $2 $route $delta
    fi
 }
 #
 # Remove a gateway from the default route
 #
 delete_gateway() # $! = Description of the Gateway $2 = table number $3 = device
 {
    local route
    local gateway
    local dev
    route=`$IP -4 -o route ls table $2 | grep ^default | sed 's/[\]//g'`
    gateway=$1
    if [ -n "$route" ]; then
 	if echo $route | fgrep -q ' nexthop '; then
 	    gateway="nexthop $gateway"
 	    eval route=\`echo $route \| sed \'s/$gateway/ /\'\`
 	    run_ip route replace table $2 $route
 	else
 	    dev=$(find_device $route)
 	    [ "$dev" = "$3" ] && run_ip route delete default table $2
 	fi
    fi
 }
 #
 # Determine the MAC address of the passed IP through the passed interface
 #
 find_mac() # $1 = IP address, $2 = interface
 {
    if interface_is_usable $2 ; then
 	qt ping -nc 1 -t 2 -I $2 $1
 	local result
 	result=$($IP neigh list |  awk "/^$1 / {print \$5}")
 	case $result in
 	    \<*\>)
 		;;
 	    *)
 		[ -n "$result" ] && echo $result
 		;;
 	esac
    fi
 }
 #
 # Clear Proxy Arp
 #
 delete_proxyarp() {
    if [ -f ${VARDIR}/proxyarp ]; then
 	while read address interface external haveroute; do
 	    qtnoin $IP -4 neigh del proxy $address dev $external
 	    [ -z "${haveroute}${g_noroutes}" ] && qtnoin $IP -4 route del $address/32 dev $interface
 	    f=/proc/sys/net/ipv4/conf/$interface/proxy_arp
 	    [ -f $f ] && echo 0 > $f
 	done < ${VARDIR}/proxyarp
 	rm -f ${VARDIR}/proxyarp
    fi
 }
 #
 # Remove all Shorewall-added rules
 #
 clear_firewall() {
    stop_firewall
    setpolicy INPUT ACCEPT
    setpolicy FORWARD ACCEPT
    setpolicy OUTPUT ACCEPT
    run_iptables -F
    qt $IPTABLES -t raw -F
    echo 1 > /proc/sys/net/ipv4/ip_forward
    if [ -n "$DISABLE_IPV6" ]; then
 	if [ -x $IP6TABLES ]; then
    	    $IP6TABLES -P INPUT   ACCEPT 2> /dev/null
 	    $IP6TABLES -P OUTPUT  ACCEPT 2> /dev/null
 	    $IP6TABLES -P FORWARD ACCEPT 2> /dev/null
 	fi
    fi
    run_clear_exit
    set_state "Cleared"
    logger -p kern.info "$g_product Cleared"
 }
 #
 # Get a list of all configured broadcast addresses on the system
 #
 get_all_bcasts()
 {
    $IP -f inet addr show 2> /dev/null | grep 'inet.*brd' | grep -v '/32 ' | sed 's/inet.*brd //; s/scope.*//;' | sort -u
 }
 ?ELSE
 #################################################################################
 #                        IPv6-specific Functions
 #################################################################################
 #
 # Get all interface addresses with VLSMs
 #
 find_interface_full_addresses() # $1 = interface
 {
    $IP -f inet6 addr show $1 2> /dev/null | grep 'inet6 ' | sed 's/\s*inet6 //;s/ scope.*//;s/ peer.*//'
 }
 #
 # Normalize an IPv6 Address by compressing out consecutive zero elements
 #
 normalize_address() # $1 = valid IPv6 Address
 {
    local address
    address=$1
    local j
    while true; do
 	case $address in
 	    ::*)
 		address=0$address
 		;;
 	    *::*)
 		list_count $(split $address)
 		j=$?
 		if [ $j -eq 7 ]; then
 		    address=${address%::*}:0:${address#*::}
 		elif [ $j -eq 8 ]; then
 		    $address=${address%::*}:${address#*::}
 		    break 2
 		else
 		    address=${address%::*}:0::${address#*::}
 		fi
 		;;
 	    *)
 		echo $address
 		break 2
 		;;
 	esac
    done
 }
 #
 # Reads correctly-formed and fully-qualified host and subnet addresses from STDIN. For each
 # that defines a /120 or larger network, it sends to STDOUT:
 #
 #    The corresponding subnet-router anycast address (all host address bits are zero)
 #    The corresponding anycast addresses defined by RFC 2526 (the last 128 addresses in the subnet)
 #
 convert_to_anycast() {
    local address
    local badress
    local vlsm
    local host
    local o
    local m
    m=
    local z
    z=65535
    local l
    while read address; do
 	case $address in
 	    2*|3*)
 		vlsm=${address#*/}
 		vlsm=${vlsm:=128}
 		if [ $vlsm -le 120 ]; then
 	            #
 	            # Defines a viable subnet -- first get the subnet-router anycast address
 	            #
 		    host=$((128 - $vlsm))
 		    address=$(normalize_address ${address%/*})
 		    while [ $host -ge 16 ]; do
 			address=${address%:*}
 			host=$(($host - 16))
 		    done
 		    if [ $host -gt 0 ]; then
 			#
 			# VLSM is not a multiple of 16
 			#
 			host=$((16 - $host))
 			o=$((0x${address##*:}))
 			m=0
 			while [ $host -gt 0 ]; do
 			    m=$((($m >> 1) | 0x8000))
 			    z=$(($z >> 1))
 			    host=$(($host - 1))
 			done
 			o=$(($o & $m))
 			badress=${address%:*}
 			address=$badress:$(printf %04x $o)
 			z=$(($o | $z))
 			if [ $vlsm -gt 112 ]; then
 			    z=$(($z & 0xff80))
 			fi
 			badress=$badress:$(printf %04x $z)
 		    else
 			badress=$address
 		    fi
 		    #
 		    # Note: at this point $address and $badress are the same except possibly for
 		    #       the contents of the last half-word
 		    #
 		    list_count $(split $address)
 		    l=$?
 		    #
 		    # Now generate the anycast addresses defined by RFC 2526
 		    #
 		    if [ $l -lt 8 ]; then
 			#
 			# The subnet-router address
 			#
 			echo $address::
 		    	while [ $l -lt 8 ]; do
 			    badress=$badress:ffff
 			    l=$(($l + 1 ))
 			done
 		    else
 			#
 			# The subnet-router address
 			#
 			echo $address
 		    fi
 		    #
 		    # And the RFC 2526 addresses
 		    #
 		    echo $badress/121
 		fi
 		;;
 	esac
    done
 }
 #
 # Generate a list of anycast addresses for a given interface
 #
 get_interface_acasts() # $1 = interface
 {
    local addresses
    addresses=
    find_interface_full_addresses $1 | convert_to_anycast | sort -u
 }
 #
 # Get a list of all configured anycast addresses on the system
 #
 get_all_acasts()
 {
    find_interface_full_addresses | convert_to_anycast | sort -u
 }
 #
 # Detect the gateway through an interface
 #
 detect_gateway() # $1 = interface
 {
    local interface
    interface=$1
    #
    # First assume that this is some sort of point-to-point interface
    #
    gateway=$( find_peer $($IP -6 addr list $interface ) )
    #
    # Maybe there's a default route through this gateway already
    #
    [ -n "$gateway" ] || gateway=$(find_gateway $($IP -6 route list dev $interface | grep '^default'))
    #
    # Last hope -- is there a load-balancing route through the interface?
    #
    [ -n "$gateway" ] || gateway=$(find_nexthop $interface)
    #
    # Be sure we found one
    #
    [ -n "$gateway" ] && echo $gateway
 }
 #
 # Add an additional gateway to the default route
 #
 add_gateway() # $1 = Delta $2 = Table Number
 {
    local route
    local weight
    local delta
    local dev
    run_ip route add default scope global table $2 $1
 }
 #
 # Remove a gateway from the default route
 #
 delete_gateway() # $! = Description of the Gateway $2 = table number $3 = device
 {
    local route
    local gateway
    local dev
    route=`$IP -6 -o route ls table $2 | grep ^default | sed 's/[\]//g'`
    gateway=$1
    dev=$(find_device $route)
    [ "$dev" = "$3" ] && run_ip route delete default table $2
 }
 #
 # Clear Proxy NDP
 #
 delete_proxyndp() {
    if [ -f ${VARDIR}/proxyndp ]; then
 	while read address interface external haveroute; do
 	    qt $IP -6 neigh del proxy $address dev $external
 	    [ -z "${haveroute}${g_noroutes}" ] && qt $IP -6 route del $address/128 dev $interface
 	    f=/proc/sys/net/ipv6/conf/$interface/proxy_ndp
 	    [ -f $f ] && echo 0 > $f
 	done < ${VARDIR}/proxyndp
 	rm -f ${VARDIR}/proxyndp
    fi
 }
 #
 # Remove all Shorewall-added rules
 #
 clear_firewall() {
    stop_firewall
    setpolicy INPUT ACCEPT
    setpolicy FORWARD ACCEPT
    setpolicy OUTPUT ACCEPT
    run_iptables -F
    qt $IP6TABLES -t raw -F
    echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
    run_clear_exit
    set_state "Cleared"
    logger -p kern.info "$g_product Cleared"
 }
 ?ENDIF
--- a/Shorewall/manpages/shorewall-accounting.xml
+++ b/Shorewall/manpages/shorewall-accounting.xml
@@ -57,6 +57,17 @@
    of them may be omitted). The first non-commentary record in the accounting
    file must be a section header when sectioning is used.</para>
    <warning>
      <para>If sections are not used, the Shorewall rules compiler cannot
      detect certain violations of netfilter restrictions. These violations
      can result in run-time errors such as the following:</para>
      <blockquote>
        <para><emphasis role="bold">iptables-restore v1.4.13: Can't use -o
        with INPUT</emphasis></para>
      </blockquote>
    </warning>
    <para>Beginning with Shorewall 4.4.20, the ACCOUNTING_TABLE setting was
    added to shorewall.conf and shorewall6.conf. That setting determines the
    Netfilter table (filter or mangle) where the accounting rules are added.
--- a/Shorewall/manpages/shorewall-hosts.xml
+++ b/Shorewall/manpages/shorewall-hosts.xml
@@ -118,32 +118,6 @@
          must have no embedded white space.</para>
          <variablelist>
            <varlistentry>
              <term><emphasis role="bold">maclist</emphasis></term>
              <listitem>
                <para>Connection requests from these hosts are compared
                against the contents of <ulink
                url="shorewall-maclist.html">shorewall-maclist</ulink>(5). If
                this option is specified, the interface must be an ethernet
                NIC or equivalent and must be up before Shorewall is
                started.</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><emphasis role="bold">routeback</emphasis></term>
              <listitem>
                <para>Shorewall should set up the infrastructure to pass
                packets from this/these address(es) back to themselves. This
                is necessary if hosts in this group use the services of a
                transparent proxy that is a member of the group or if DNAT is
                used to send requests originating from this group to a server
                in the group.</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><emphasis role="bold">blacklist</emphasis></term>
@@ -154,48 +128,6 @@
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><emphasis role="bold">tcpflags</emphasis></term>
              <listitem>
                <para>Packets arriving from these hosts are checked for
                certain illegal combinations of TCP flags. Packets found to
                have such a combination of flags are handled according to the
                setting of TCP_FLAGS_DISPOSITION after having been logged
                according to the setting of TCP_FLAGS_LOG_LEVEL.</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><emphasis role="bold">nosmurfs</emphasis></term>
              <listitem>
                <para>This option only makes sense for ports on a
                bridge.</para>
                <para>Filter packets for smurfs (packets with a broadcast
                address as the source).</para>
                <para>Smurfs will be optionally logged based on the setting of
                SMURF_LOG_LEVEL in <ulink
                url="shorewall.conf.html">shorewall.conf</ulink>(5). After
                logging, the packets are dropped.</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><emphasis role="bold">ipsec</emphasis></term>
              <listitem>
                <para>The zone is accessed via a kernel 2.6 ipsec SA. Note
                that if the zone named in the ZONE column is specified as an
                IPSEC zone in the <ulink
                url="shorewall-zones.html">shorewall-zones</ulink>(5) file
                then you do NOT need to specify the 'ipsec' option
                here.</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><emphasis role="bold">broadcast</emphasis></term>
@@ -229,6 +161,86 @@
                net(s).</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><emphasis role="bold">ipsec</emphasis></term>
              <listitem>
                <para>The zone is accessed via a kernel 2.6 ipsec SA. Note
                that if the zone named in the ZONE column is specified as an
                IPSEC zone in the <ulink
                url="shorewall-zones.html">shorewall-zones</ulink>(5) file
                then you do NOT need to specify the 'ipsec' option
                here.</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><emphasis role="bold">maclist</emphasis></term>
              <listitem>
                <para>Connection requests from these hosts are compared
                against the contents of <ulink
                url="shorewall-maclist.html">shorewall-maclist</ulink>(5). If
                this option is specified, the interface must be an ethernet
                NIC or equivalent and must be up before Shorewall is
                started.</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><emphasis
              role="bold">mss</emphasis>=<replaceable>mss</replaceable></term>
              <listitem>
                <para>Added in Shorewall 4.5.2. When present, causes the TCP
                mss for new connections to/from the hosts given in the HOST(S)
                column to be clamped at the specified
                <replaceable>mss</replaceable>.</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><emphasis role="bold">nosmurfs</emphasis></term>
              <listitem>
                <para>This option only makes sense for ports on a
                bridge.</para>
                <para>Filter packets for smurfs (packets with a broadcast
                address as the source).</para>
                <para>Smurfs will be optionally logged based on the setting of
                SMURF_LOG_LEVEL in <ulink
                url="shorewall.conf.html">shorewall.conf</ulink>(5). After
                logging, the packets are dropped.</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><emphasis role="bold">routeback</emphasis></term>
              <listitem>
                <para>Shorewall should set up the infrastructure to pass
                packets from this/these address(es) back to themselves. This
                is necessary if hosts in this group use the services of a
                transparent proxy that is a member of the group or if DNAT is
                used to send requests originating from this group to a server
                in the group.</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><emphasis role="bold">tcpflags</emphasis></term>
              <listitem>
                <para>Packets arriving from these hosts are checked for
                certain illegal combinations of TCP flags. Packets found to
                have such a combination of flags are handled according to the
                setting of TCP_FLAGS_DISPOSITION after having been logged
                according to the setting of TCP_FLAGS_LOG_LEVEL.</para>
              </listitem>
            </varlistentry>
          </variablelist>
        </listitem>
      </varlistentry>
--- a/Shorewall/manpages/shorewall-params.xml
+++ b/Shorewall/manpages/shorewall-params.xml
@@ -23,7 +23,11 @@
  <refsect1>
    <title>Description</title>
-    <para>Assign any shell variables that you need in this file.</para>
+    <para>Assign any shell variables that you need in this file. The file is
    always processed by <filename>/bin/sh</filename> or by the shell specified
    through SHOREWALL_SHELL in <ulink
    url="shorewall.conf.html">shorewall.conf</ulink> (5) so the full range of
    shell capabilities may be used.</para>
    <para>It is suggested that variable names begin with an upper case letter
    to distinguish them from variables used internally within the Shorewall
@@ -128,12 +132,13 @@ net     eth0            130.252.100.255 routefilter,norfc1918</programlisting>
    url="http://www.shorewall.net/configuration_file_basics.htm#Variables?">http://www.shorewall.net/configuration_file_basics.htm#Variables</ulink></para>
    <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
-    shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5), shorewall-ipsets(5),
+    shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5),
-    shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5),
+    shorewall-ipsets(5), shorewall-maclist(5), shorewall-masq(5),
-    shorewall-netmap(5), shorewall-policy(5), shorewall-providers(5),
+    shorewall-nat(5), shorewall-netmap(5), shorewall-policy(5),
-    shorewall-proxyarp(5), shorewall-rtrules(5),
+    shorewall-providers(5), shorewall-proxyarp(5), shorewall-rtrules(5),
-    shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5), shorewall-secmarks(5),
+    shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5),
-    shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall-tcrules(5),
+    shorewall-secmarks(5), shorewall-tcclasses(5), shorewall-tcdevices(5),
-    shorewall-tos(5), shorewall-tunnels(5), shorewall-zones(5)</para>
+    shorewall-tcrules(5), shorewall-tos(5), shorewall-tunnels(5),
    shorewall-zones(5)</para>
  </refsect1>
 </refentry>
--- a/Shorewall/manpages/shorewall-rules.xml
+++ b/Shorewall/manpages/shorewall-rules.xml
@@ -226,7 +226,7 @@
              <listitem>
                <para>like DROP but exempts the rule from being suppressed by
                OPTIMIZE=1 in <ulink
-                url="shorewall.conf.html">shorewall.conf</ulink>(5). </para>
+                url="shorewall.conf.html">shorewall.conf</ulink>(5).</para>
              </listitem>
            </varlistentry>
@@ -782,7 +782,7 @@
            </orderedlist></para>
          <blockquote>
-            <para></para>
+            <para/>
            <para>Except when <emphasis role="bold">all</emphasis>[<emphasis
            role="bold">+]|[-</emphasis>] is specified, the server may be
@@ -1230,8 +1230,18 @@
              <term>localtz</term>
              <listitem>
-                <para>Times are expressed in Local Civil Time
+                <para>Deprecated by the Netfilter team in favor of <emphasis
-                (default).</para>
+                role="bold">kerneltz</emphasis>. Times are expressed in Local
                Civil Time (default).</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term>kerneltz</term>
              <listitem>
                <para>Added in Shorewall 4.5.2. Times are expressed in Local
                Kernel Time (requires iptables 1.4.12 or later).</para>
              </listitem>
            </varlistentry>
@@ -1548,9 +1558,9 @@
    shorewall_interfaces(5), shorewall-ipsets(5), shorewall-maclist(5),
    shorewall-masq(5), shorewall-nat(5), shorewall-netmap(5),
    shorewall-params(5), shorewall-policy(5), shorewall-providers(5),
-    shorewall-proxyarp(5), shorewall-rtrules(5),
+    shorewall-proxyarp(5), shorewall-rtrules(5), shorewall-routestopped(5),
-    shorewall-routestopped(5), shorewall.conf(5), shorewall-secmarks(5),
+    shorewall.conf(5), shorewall-secmarks(5), shorewall-tcclasses(5),
-    shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall-tcrules(5),
+    shorewall-tcdevices(5), shorewall-tcrules(5), shorewall-tos(5),
-    shorewall-tos(5), shorewall-tunnels(5), shorewall-zones(5)</para>
+    shorewall-tunnels(5), shorewall-zones(5)</para>
  </refsect1>
 </refentry>
--- a/Shorewall/manpages/shorewall-tcrules.xml
+++ b/Shorewall/manpages/shorewall-tcrules.xml
@@ -44,7 +44,7 @@
    <variablelist>
      <varlistentry>
-        <term><emphasis role="bold">MARK/CLASSIFY</emphasis> (mark) -
+        <term><emphasis role="bold">ACTION</emphasis> (mark) -
        <replaceable>mark</replaceable></term>
        <listitem>
@@ -271,8 +271,8 @@
              target allows you to work around that problem. SAME may be used
              in the PREROUTING and OUTPUT chains. When used in PREROUTING, it
              causes matching connections from an individual local system to
-              all use the same provider. For example: <programlisting>#MARK/            SOURCE         DEST         PROTO      DEST
+              all use the same provider. For example: <programlisting>#ACTION           SOURCE         DEST         PROTO      DEST
-#CLASSIFY                                                PORT(S)
+#                                                        PORT(S)
 SAME:P            192.168.1.0/24 0.0.0.0/0    tcp        80,443</programlisting>
              If a host in 192.168.1.0/24 attempts a connection on TCP port 80
              or 443 and it has sent a packet on either of those ports in the
@@ -282,8 +282,8 @@ SAME:P            192.168.1.0/24 0.0.0.0/0    tcp        80,443</programlisting>
              <para>When used in the OUTPUT chain, it causes all matching
              connections to an individual remote system to all use the same
-              provider. For example:<programlisting>#MARK/            SOURCE         DEST         PROTO      DEST
+              provider. For example:<programlisting>#ACTION           SOURCE         DEST         PROTO      DEST
-#CLASSIFY                                                PORT(S)
+#                                                        PORT(S)
 SAME              $FW            0.0.0.0/0    tcp        80,443</programlisting>
              If the firewall attempts a connection on TCP port 80 or 443 and
              it has sent a packet on either of those ports in the last five
@@ -569,7 +569,7 @@ Normal-Service       =&gt; 0x00</programlisting>
                  <term>T</term>
                  <listitem>
-                    <para>POSTROUTING chain (default).</para>
+                    <para>POSTROUTING chain.</para>
                  </listitem>
                </varlistentry>
              </variablelist>
@@ -600,7 +600,7 @@ Normal-Service       =&gt; 0x00</programlisting>
              MAC addresses. <emphasis role="bold">This form will not match
              traffic that originates on the firewall itself unless either
              &lt;major&gt;&lt;minor&gt; or the :T chain qualifier is used in
-              the MARK column.</emphasis></para>
+              the ACTION column.</emphasis></para>
              <para>Examples:<simplelist>
                  <member>0.0.0.0/0</member>
@@ -622,7 +622,7 @@ Normal-Service       =&gt; 0x00</programlisting>
              <para>$FW optionally followed by a colon (":") and a
              comma-separated list of host or network IP addresses. Matches
              packets originating on the firewall. May not be used with a
-              chain qualifier (:P, :F, etc.) in the MARK column.</para>
+              chain qualifier (:P, :F, etc.) in the ACTION column.</para>
            </listitem>
          </orderedlist>
@@ -938,8 +938,8 @@ Normal-Service       =&gt; 0x00</programlisting>
          original connection was made on.</para>
          <para>Example: Mark all FTP data connections with mark
-          4:<programlisting>#MARK/    SOURCE    DEST      PROTO   PORT(S)    SOURCE  USER TEST LENGTH TOS CONNBYTES HELPER
+          4:<programlisting>#ACTION   SOURCE    DEST      PROTO   PORT(S)    SOURCE  USER TEST LENGTH TOS CONNBYTES HELPER
-#CLASSIFY                                        PORT(S)
+#                                                PORT(S)
 4:T       0.0.0.0/0 0.0.0.0/0 TCP     -          -       -    -    -      -   -         ftp</programlisting></para>
        </listitem>
      </varlistentry>
@@ -1017,8 +1017,8 @@ Normal-Service       =&gt; 0x00</programlisting>
          <para>We assume packet/connection mark 0 means unclassified.</para>
-          <programlisting>       #MARK/     SOURCE    DEST         PROTO   PORT(S)       SOURCE  USER    TEST
+          <programlisting>       #ACTION    SOURCE    DEST         PROTO   PORT(S)       SOURCE  USER    TEST
-       #CLASSIFY                                               PORT(S)
+       #                                                       PORT(S)
       1:T        0.0.0.0/0 0.0.0.0/0    icmp    echo-request
       1:T        0.0.0.0/0 0.0.0.0/0    icmp    echo-reply
       RESTORE:T  0.0.0.0/0 0.0.0.0/0    all     -             -       -       0
--- a/Shorewall/manpages/shorewall.conf.xml
+++ b/Shorewall/manpages/shorewall.conf.xml
@@ -848,6 +848,29 @@ net     all  DROP   info</programlisting>then the chain name is 'net2all'
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><emphasis role="bold">IPSET_WARNINGS=</emphasis>{<emphasis
        role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>}</term>
        <listitem>
          <para>Added in Shorewall 4.5.2. Default is Yes. When set, causes the
          rules compiler to issue a warning when:</para>
          <itemizedlist>
            <listitem>
              <para>The compiler is being run by root and an ipset specified
              in the configuration does not exists. Only one warning is issued
              for each missing ipset.</para>
            </listitem>
            <listitem>
              <para>When [src] is specified in a destination column and when
              [dst] is specified in a source column.</para>
            </listitem>
          </itemizedlist>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><emphasis
        role="bold">IPTABLES=</emphasis>[<emphasis>pathname</emphasis>]</term>
@@ -2092,14 +2115,14 @@ net     all  DROP   info</programlisting>then the chain name is 'net2all'
          tcrules. This was done so that tcrules could reset the packet mark
          to zero, thus allowing the packet to be routed using the 'main'
          routing table. Using the main table allowed dynamic routes (such as
-          those added for VPNs) to be effective. The rtrules file was
+          those added for VPNs) to be effective. The rtrules file was created
-          created to provide a better alternative to clearing the packet mark.
+          to provide a better alternative to clearing the packet mark. As a
-          As a consequence, passing these packets to PREROUTING complicates
+          consequence, passing these packets to PREROUTING complicates things
-          things without providing any real benefit. Beginning with Shorewall
+          without providing any real benefit. Beginning with Shorewall 4.4.6,
-          4.4.6, when TRACK_PROVIDERS=Yes and TC_EXPERT=No, packets arriving
+          when TRACK_PROVIDERS=Yes and TC_EXPERT=No, packets arriving through
-          through 'tracked' interfaces will not be passed to the PREROUTING
+          'tracked' interfaces will not be passed to the PREROUTING rules.
-          rules. Since TRACK_PROVIDERS was just introduced in 4.4.3, this
+          Since TRACK_PROVIDERS was just introduced in 4.4.3, this change
-          change should be transparent to most, if not all, users.</para>
+          should be transparent to most, if not all, users.</para>
        </listitem>
      </varlistentry>
--- a/Shorewall/shorewall
+++ b/Shorewall/shorewall
@@ -27,6 +27,19 @@
 ################################################################################################
 g_program=shorewall
-. /usr/share/shorewall/lib.cli
+#
 # This is modified by the installer when ${SHAREDIR} != /usr/share
 #
 . /usr/share/shorewall/shorewallrc
 g_libexec="$LIBEXECDIR"
 g_sharedir="$SHAREDIR"/shorewall
 g_sbindir="$SBINDIR"
 g_perllib="$PERLLIBDIR"
 g_vardir="$VARDIR"
 g_confdir="$CONFDIR"/shorewall
 g_readrc=1
 . $g_sharedir/lib.cli
 shorewall_cli $@
--- a/Shorewall/uninstall.sh
+++ b/Shorewall/uninstall.sh
@@ -31,7 +31,7 @@ VERSION=xxx #The Build script inserts the actual version
 usage() # $1 = exit status
 {
    ME=$(basename $0)
-    echo "usage: $ME"
+    echo "usage: $ME [ <shorewallrc file> ]"
    exit $1
 }
@@ -40,16 +40,25 @@ qt()
    "$@" >/dev/null 2>&1
 }
-restore_file() # $1 = file to restore
+split() {
-{
+    local ifs
-    if [ -f ${1}-shorewall.bkout ]; then
+    ifs=$IFS
-	if (mv -f ${1}-shorewall.bkout $1); then
+    IFS=:
-	    echo
+    set -- $1
-	    echo "$1 restored"
+    echo $*
-        else
+    IFS=$ifs
-	    exit 1
+}
-        fi
+
-    fi
+mywhich() {
    local dir
    for dir in $(split $PATH); do
 	if [ -x $dir/$1 ]; then
 	    return 0
 	fi
    done
    return 2
 }
 remove_file() # $1 = file to restore
@@ -60,8 +69,34 @@ remove_file() # $1 = file to restore
    fi
 }
-if [ -f /usr/share/shorewall/version ]; then
+if [ $# -eq 0 ]; then
-    INSTALLED_VERSION="$(cat /usr/share/shorewall/version)"
+    if [ -f ./shorewallrc ]; then
 	. ./shorewallrc
    elif [ -f ~/.shorewallrc ]; then
 	. ~/.shorewallrc || exit 1
 	file=./.shorewallrc
    elif [ -f /usr/share/shorewall/shorewallrc ]; then
 	. /usr/share/shorewall/shorewallrc
    else
 	fatal_error "No configuration file specified and /usr/share/shorewall/shorewallrc not found"
    fi
 elif [ $# -eq 1 ]; then
    file=$1
    case $file in
 	/*|.*)
 	    ;;
 	*)
 	    file=./$file
 	    ;;
    esac
    . $file
 else
    usage 1
 fi
 if [ -f ${SHAREDIR}/shorewall/version ]; then
    INSTALLED_VERSION="$(cat ${SHAREDIR}/shorewall/version)"
    if [ "$INSTALLED_VERSION" != "$VERSION" ]; then
 	echo "WARNING: Shorewall Version $INSTALLED_VERSION is installed"
 	echo "         and this is the $VERSION uninstaller."
@@ -72,62 +107,33 @@ else
    VERSION=""
 fi
 [ -n "${LIBEXEC:=/usr/share}" ]
 [ -n "${PERLLIB:=/usr/share/shorewall}" ]
 echo "Uninstalling shorewall $VERSION"
-if qt iptables -L shorewall -n && [ ! -f /sbin/shorewall-lite ]; then
+if qt iptables -L shorewall -n && [ ! -f ${SBINDIR}/shorewall-lite ]; then
-   /sbin/shorewall clear
+   shorewall clear
 fi
-if [ -L /usr/share/shorewall/init ]; then
+rm -f ${SBINDIR}/shorewall
    FIREWALL=$(readlink -m -q /usr/share/shorewall/init)
 else
    FIREWALL=/etc/init.d/shorewall
 fi
-if [ -n "$FIREWALL" ]; then
+rm -rf ${SHAREDIR}/shorewall/version
-    if [ -x /usr/sbin/updaterc.d ]; then
+rm -rf ${CONFDIR}/shorewall
-	updaterc.d shorewall remove
+rm -rf ${VARDIR}/shorewall
    elif [ -x /sbin/insserv -o -x /usr/sbin/insserv ]; then
        insserv -r $FIREWALL
    elif [ -x /sbin/systemctl ]; then
 	systemctl disable shorewall
    elif [ -x /sbin/chkconfig -o -x /usr/sbin/chkconfig ]; then
 	chkconfig --del $(basename $FIREWALL)
    else
 	rm -f /etc/rc*.d/*$(basename $FIREWALL)
    fi
    remove_file $FIREWALL
    rm -f ${FIREWALL}-*.bkout
 fi
 rm -f /sbin/shorewall
 rm -f /sbin/shorewall-*.bkout
 rm -rf /usr/share/shorewall/version
 rm -rf /etc/shorewall
 rm -rf /etc/shorewall-*.bkout
 rm -rf /var/lib/shorewall
 rm -rf /var/lib/shorewall-*.bkout
 rm -rf ${PERLLIB}/Shorewall/*
 rm -rf ${LIBEXEC}/shorewall
-rm -rf /usr/share/shorewall/configfiles/
+rm -rf ${SHAREDIR}/shorewall/configfiles/
-rm -rf /usr/share/shorewall/Samples/
+rm -rf ${SHAREDIR}/shorewall/Samples/
-rm -rf /usr/share/shorewall/Shorewall/
+rm -rf ${SHAREDIR}/shorewall/Shorewall/
-rm -f  /usr/share/shorewall/lib.cli-std
+rm -f  ${SHAREDIR}/shorewall/lib.cli-std
-rm -f  /usr/share/shorewall/lib.core
+rm -f  ${SHAREDIR}/shorewall/lib.core
-rm -f  /usr/share/shorewall/compiler.pl
+rm -f  ${SHAREDIR}/shorewall/compiler.pl
-rm -f  /usr/share/shorewall/prog.*
+rm -f  ${SHAREDIR}/shorewall/prog.*
-rm -f  /usr/share/shorewall/module*
+rm -f  ${SHAREDIR}/shorewall/module*
-rm -f  /usr/share/shorewall/helpers
+rm -f  ${SHAREDIR}/shorewall/helpers
-rm -f  /usr/share/shorewall/action*
+rm -f  ${SHAREDIR}/shorewall/action*
-rm -f  /usr/share/shorewall/init
+rm -f  ${SHAREDIR}/shorewall/init
 rm -rf /usr/share/shorewall-*.bkout
-for f in /usr/share/man/man5/shorewall* /usr/share/man/man8/shorewall*; do
+for f in ${MANDIR}/man5/shorewall* ${MANDIR}/man8/shorewall*; do
    case $f in
 	shorewall6*|shorewall-lite*)
 	    ;;
@@ -137,8 +143,10 @@ for f in /usr/share/man/man5/shorewall* /usr/share/man/man8/shorewall*; do
    esac
 done
-rm -f  /etc/logrotate.d/shorewall
+rm -f  ${CONFDIR}/logrotate.d/shorewall
-rm -f  /lib/systemd/system/shorewall.service
+
 if [ -n "$SYSTEMD" ]; THEN
 rm -f  ${SYSTEMD}/shorewall.service
 echo "Shorewall Uninstalled"
--- a/Shorewall6-lite/Makefile
+++ b/Shorewall6-lite/Makefile
@@ -3,9 +3,9 @@ VARDIR=$(shell /sbin/shorewall6-lite show vardir)
 SHAREDIR=/usr/share/shorewall6-lite
 RESTOREFILE?=.restore
-all: $(VARDIR)/${RESTOREFILE}
+all: $(VARDIR)/$(RESTOREFILE)
-$(VARDIR)/${RESTOREFILE}: $(VARDIR)/firewall
+$(VARDIR)/$(RESTOREFILE): $(VARDIR)/firewall
 	@/sbin/shorewall6-lite -q save >/dev/null; \
 	if \
 	    /sbin/shorewall6-lite -q restart >/dev/null 2>&1; \
--- a/Shorewall6-lite/init.debian.sh
+++ b/Shorewall6-lite/init.debian.sh
@@ -78,6 +78,11 @@ else
 	not_configured
 fi
 #
 # The installer may alter this
 #
 . /usr/share/shorewall/shorewallrc
 # start the firewall
 shorewall6_start () {
  echo -n "Starting \"Shorewall6 Lite firewall\": "
--- a/Shorewall6-lite/init.fedora.sh
+++ b/Shorewall6-lite/init.fedora.sh
@@ -20,16 +20,21 @@
 # Source function library.
 . /etc/rc.d/init.d/functions
 #
 # The installer may alter this
 #
 . /usr/share/shorewall/shorewallrc
 prog="shorewall6-lite"
-shorewall="/sbin/$prog"
+shorewall="${SBINDIR}/$prog"
 logger="logger -i -t $prog"
 lockfile="/var/lock/subsys/$prog"
 # Get startup options (override default)
 OPTIONS=
-if [ -f /etc/sysconfig/$prog ]; then
+if [ -f ${SYSCONFDIR}/$prog ]; then
-    . /etc/sysconfig/$prog
+    . ${SYSCONFDIR}/$prog
 fi
 start() {
--- a/Shorewall6-lite/init.sh
+++ b/Shorewall6-lite/init.sh
@@ -1,11 +1,11 @@
 #!/bin/sh
 RCDLINKS="2,S41 3,S41 6,K41"
 #
-#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V4.1
+#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V4.5
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 1999,2000,2001,2002,2003,2004,2005,2006,2007 - Tom Eastep (teastep@shorewall.net)
+#     (c) 1999,2000,2001,2002,2003,2004,2005,2006,2007,2012 - Tom Eastep (teastep@shorewall.net)
 #
 #	On most distributions, this file should be called /etc/init.d/shorewall.
 #
@@ -61,11 +61,11 @@ usage() {
 # Get startup options (override default)
 ################################################################################
 OPTIONS=
-if [ -f /etc/sysconfig/shorewall6-lite ]; then
+
-    . /etc/sysconfig/shorewall6-lite
+#
-elif [ -f /etc/default/shorewall6-lite ] ; then
+# The installer may alter this
-    . /etc/default/shorewall6-lite
+#
-fi
+. /usr/share/shorewall/shorewallrc
 export SHOREWALL_INIT_SCRIPT=1
@@ -76,13 +76,13 @@ command="$1"
 case "$command" in
    start)
-	exec /sbin/shorewall6-lite $OPTIONS start $STARTOPTIONS
+	exec ${SBINDIR}/shorewall6-lite $OPTIONS start $STARTOPTIONS
 	;;
    restart|reload)
-	exec /sbin/shorewall6-lite $OPTIONS restart $RESTARTOPTIONS
+	exec ${SBINDIR}/shorewall6-lite $OPTIONS restart $RESTARTOPTIONS
 	;;
    status|stop)
-	exec /sbin/shorewall6-lite $OPTIONS $command $@
+	exec ${SBINDIR}/shorewall6-lite $OPTIONS $command $@
 	;;
    *)
 	usage
--- a/Shorewall6-lite/manpages/shorewall6-lite-vardir.xml
+++ b/Shorewall6-lite/manpages/shorewall6-lite-vardir.xml
@@ -36,6 +36,29 @@
    directory. If you add this file, you should copy the files from
    <filename>/var/lib/shorewall6-lite</filename> to the new directory before
    performing a <command>shorewall6-lite restart</command>.</para>
    <note>
      <para>Beginning with Shorewall 4.5.2, use of this file is deprecated in
      favor of specifying VARDIR in the <filename>shorewallrc</filename> file
      used during installation of Shorewall Core. While the name of the
      variable remains VARDIR, the meaning is slightly different. When set in
      shorewallrc, Shorewall6 Lite will create a directory under the specified
      path name to hold state information.</para>
      <para>Example:</para>
      <blockquote>
        <para>VARDIR=<filename>/opt/var/lib/</filename></para>
        <para>The state directory for Shorewall Lite will be
        <filename>/opt/var/lib/shorewall6-lite</filename>.</para>
      </blockquote>
      <para>When VARDIR is set in
      <filename>/etc/shorewall6-lite/vardir</filename>, Shorewall Lite will
      save its state in the <replaceable>directory</replaceable>
      specified.</para>
    </note>
  </refsect1>
  <refsect1>
--- a/Shorewall6-lite/shorewall6-lite
+++ b/Shorewall6-lite/shorewall6-lite
@@ -27,6 +27,18 @@
 ################################################################################################
 g_program=shorewall6-lite
-. /usr/share/shorewall/lib.cli
+#
 # This is modified by the installer when ${SHAREDIR} != /usr/share
 #
 . /usr/share/shorewall/shorewallrc
 g_libexec="$LIBEXECDIR"
 g_sharedir="$SHAREDIR"/shorewall6-lite
 g_sbindir="$SBINDIR"
 g_vardir="$VARDIR"
 g_confdir="$CONFDIR"/shorewall6-lite
 g_readrc=1
 . ${SHAREDIR}/shorewall/lib.cli
 shorewall_cli $@
--- a/Shorewall6-lite/uninstall.sh
+++ b/Shorewall6-lite/uninstall.sh
@@ -31,7 +31,7 @@ VERSION=xxx  #The Build script inserts the actual version
 usage() # $1 = exit status
 {
    ME=$(basename $0)
-    echo "usage: $ME"
+    echo "usage: $ME [ <shorewallrc file> ]"
    exit $1
 }
@@ -40,6 +40,27 @@ qt()
    "$@" >/dev/null 2>&1
 }
 split() {
    local ifs
    ifs=$IFS
    IFS=:
    set -- $1
    echo $*
    IFS=$ifs
 }
 mywhich() {
    local dir
    for dir in $(split $PATH); do
 	if [ -x $dir/$1 ]; then
 	    return 0
 	fi
    done
    return 2
 }
 remove_file() # $1 = file to restore
 {
    if [ -f $1 -o -L $1 ] ; then
@@ -48,8 +69,37 @@ remove_file() # $1 = file to restore
    fi
 }
-if [ -f /usr/share/shorewall6-lite/version ]; then
+#
-    INSTALLED_VERSION="$(cat /usr/share/shorewall6-lite/version)"
+# Read the RC file
 #
 if [ $# -eq 0 ]; then
    if [ -f ./shorewallrc ]; then
 	. ./shorewallrc
    elif [ -f ~/.shorewallrc ]; then
 	. ~/.shorewallrc || exit 1
 	file=./.shorewallrc
    elif [ -f /usr/share/shorewall/shorewallrc ]; then
 	. /usr/share/shorewall/shorewallrc
    else
 	fatal_error "No configuration file specified and /usr/share/shorewall/shorewallrc not found"
    fi
 elif [ $# -eq 1 ]; then
    file=$1
    case $file in
 	/*|.*)
 	    ;;
 	*)
 	    file=./$file
 	    ;;
    esac
    . $file
 else
    usage 1
 fi
 if [ -f ${SHAREDIR}/shorewall6-lite/version ]; then
    INSTALLED_VERSION="$(cat ${SHAREDIR}/shorewall6-lite/version)"
    if [ "$INSTALLED_VERSION" != "$VERSION" ]; then
 	echo "WARNING: Shorewall Lite Version $INSTALLED_VERSION is installed"
 	echo "         and this is the $VERSION uninstaller."
@@ -60,49 +110,39 @@ else
    VERSION=""
 fi
 [ -n "${LIBEXEC:=/usr/share}" ]
 echo "Uninstalling Shorewall Lite $VERSION"
-if qt ip6tables -L shorewall -n && [ ! -f /sbin/shorewall6 ]; then
+if qt ip6tables -L shorewall -n && [ ! -f ${SBINDIR)/shorewall6 ]; then
-   /sbin/shorewall6-lite clear
+   ${SBINDIR}/shorewall6-lite clear
 fi
-if [ -L /usr/share/shorewall6-lite/init ]; then
+if [ -l ${SHAREDIR}/shorewall6-lite/init ]; then
-    FIREWALL=$(readlink -m -q /usr/share/shorewall6-lite/init)
+    FIREWALL=$(readlink -m -q ${SHAREDIR}/shorewall6-lite/init)
-else
+elif [ -n "$INITFILE" ]; then
-    FIREWALL=/etc/init.d/shorewall6-lite
+    FIREWALL=${INITDIR}/${INITFILE}
 fi
-if [ -n "$FIREWALL" ]; then
+if [ -f "$FIREWALL" ]; then
-    if [ -x /usr/sbin/updaterc.d ]; then
+    if mywhich updaterc.d ; then
 	updaterc.d shorewall6-lite remove
-    elif [ -x /sbin/insserv -o -x /usr/sbin/insserv ]; then
+    elif mywhich insserv ; then
        insserv -r $FIREWALL
-    elif [ -x /sbin/chkconfig -o -x /usr/sbin/chkconfig ]; then
+    elif mywhich chkconfig ; then
 	chkconfig --del $(basename $FIREWALL)
-    elif [ -x /sbin/systemctl ]; then
+    elif mywhich systemctl ; then
 	systemctl disable shorewall6-lite
    else
 	rm -f /etc/rc*.d/*$(basename $FIREWALL)
    fi
    remove_file $FIREWALL
    rm -f ${FIREWALL}-*.bkout
 fi
-rm -f /sbin/shorewall6-lite
+rm -f ${SBINDIR}/shorewall6-lite
-rm -f /sbin/shorewall6-lite-*.bkout
+rm -rf ${CONFDIR}/shorewall6-lite
-
+rm -rf ${VARDIR}/shorewall6-lite
-rm -rf /etc/shorewall6-lite
+rm -rf ${SHAREDIR}/shorewall6-lite
 rm -rf /etc/shorewall6-lite-*.bkout
 rm -rf /var/lib/shorewall6-lite
 rm -rf /var/lib/shorewall6-lite-*.bkout
 rm -rf /usr/share/shorewall6-lite
 rm -rf ${LIBEXEC}/shorewall6-lite
-rm -rf /usr/share/shorewall6-lite-*.bkout
+rm -f  ${CONFDIR}/logrotate.d/shorewall6-lite
-rm -f  /etc/logrotate.d/shorewall6-lite
+[ -n "$SYSTEMD" ] && rm -f  ${SYSTEMD}/shorewall6-lite.service
 rm -f  /lib/systemd/system/shorewall6-lite.service
 echo "Shorewall6 Lite Uninstalled"
--- a/Shorewall6/Makefile
+++ b/Shorewall6/Makefile
@@ -3,9 +3,9 @@ VARDIR=$(shell /sbin/shorewall6 show vardir)
 CONFDIR=/etc/shorewall6
 RESTOREFILE?=firewall
-all: $(VARDIR)/${RESTOREFILE}
+all: $(VARDIR)/$(RESTOREFILE)
-$(VARDIR)/${RESTOREFILE}: $(CONFDIR)/*
+$(VARDIR)/$(RESTOREFILE): $(CONFDIR)/*
 	@/sbin/shorewall6 -q save >/dev/null; \
 	if \
 	    /sbin/shorewall6 -q restart >/dev/null 2>&1; \
--- a/Shorewall6/Samples6/Universal/shorewall6.conf
+++ b/Shorewall6/Samples6/Universal/shorewall6.conf
@@ -52,7 +52,7 @@ TCP_FLAGS_LOG_LEVEL=info
 #	L O C A T I O N	  O F	F I L E S   A N D   D I R E C T O R I E S
 ###############################################################################
-CONFIG_PATH=/etc/shorewall6:/usr/share/shorewall6:/usr/share/shorewall
+CONFIG_PATH=${CONFDIR}/shorewall6:${SHAREDIR}/shorewall6:${SHAREDIR}/shorewall
 IP6TABLES=
@@ -129,6 +129,8 @@ FORWARD_CLEAR_MARK=
 IMPLICIT_CONTINUE=No
 IPSET_WARNINGS=Yes
 IP_FORWARDING=Off
 KEEP_RT_TABLES=Yes
--- a/Shorewall6/Samples6/one-interface/shorewall6.conf
+++ b/Shorewall6/Samples6/one-interface/shorewall6.conf
@@ -52,7 +52,7 @@ TCP_FLAGS_LOG_LEVEL=info
 #	L O C A T I O N	  O F	F I L E S   A N D   D I R E C T O R I E S
 ###############################################################################
-CONFIG_PATH=/etc/shorewall6:/usr/share/shorewall6:/usr/share/shorewall
+CONFIG_PATH=${CONFDIR}/shorewall6:${SHAREDIR}/shorewall6:${SHAREDIR}/shorewall
 IP6TABLES=
@@ -129,6 +129,8 @@ FORWARD_CLEAR_MARK=
 IMPLICIT_CONTINUE=No
 IPSET_WARNINGS=Yes
 IP_FORWARDING=Off
 KEEP_RT_TABLES=Yes
--- a/Shorewall6/Samples6/three-interfaces/shorewall6.conf
+++ b/Shorewall6/Samples6/three-interfaces/shorewall6.conf
@@ -52,7 +52,7 @@ TCP_FLAGS_LOG_LEVEL=info
 #	L O C A T I O N	  O F	F I L E S   A N D   D I R E C T O R I E S
 ###############################################################################
-CONFIG_PATH=/etc/shorewall6:/usr/share/shorewall6:/usr/share/shorewall
+CONFIG_PATH=${CONFDIR}/shorewall6:${SHAREDIR}/shorewall6:${SHAREDIR}/shorewall
 IP6TABLES=
@@ -129,6 +129,8 @@ FORWARD_CLEAR_MARK=
 IMPLICIT_CONTINUE=No
 IPSET_WARNINGS=Yes
 IP_FORWARDING=On
 KEEP_RT_TABLES=Yes
--- a/Shorewall6/Samples6/two-interfaces/shorewall6.conf
+++ b/Shorewall6/Samples6/two-interfaces/shorewall6.conf
@@ -52,7 +52,7 @@ TCP_FLAGS_LOG_LEVEL=info
 #	L O C A T I O N	  O F	F I L E S   A N D   D I R E C T O R I E S
 ###############################################################################
-CONFIG_PATH=/etc/shorewall6:/usr/share/shorewall6:/usr/share/shorewall
+CONFIG_PATH=${CONFDIR}/shorewall6:${SHAREDIR}/shorewall6:${SHAREDIR}/shorewall
 IP6TABLES=
@@ -129,6 +129,8 @@ FORWARD_CLEAR_MARK=
 IMPLICIT_CONTINUE=No
 IPSET_WARNINGS=Yes
 IP_FORWARDING=On
 KEEP_RT_TABLES=Yes
--- a/Shorewall6/configfiles/shorewall6.conf
+++ b/Shorewall6/configfiles/shorewall6.conf
@@ -52,7 +52,7 @@ TCP_FLAGS_LOG_LEVEL=info
 #	L O C A T I O N	  O F	F I L E S   A N D   D I R E C T O R I E S
 ###############################################################################
-CONFIG_PATH="/etc/shorewall6:/usr/share/shorewall6:/usr/share/shorewall"
+CONFIG_PATH="${CONFDIR}/shorewall6:/usr/share/shorewall6:${SHAREDIR}/shorewall"
 IP6TABLES=
@@ -129,6 +129,8 @@ FORWARD_CLEAR_MARK=Yes
 IMPLICIT_CONTINUE=No
 IPSET_WARNINGS=Yes
 IP_FORWARDING=Off
 KEEP_RT_TABLES=Yes
--- a/Shorewall6/configfiles/tcrules
+++ b/Shorewall6/configfiles/tcrules
@@ -10,5 +10,5 @@
 # See http://shorewall.net/PacketMarking.html for a detailed description of
 # the Netfilter/Shorewall packet marking mechanism.
 ###################################################################################################################################################
-#MARK	SOURCE		DEST		PROTO	DEST	SOURCE	USER	TEST	LENGTH	TOS   CONNBYTES		HELPER	HEADERS    PROBABILITY DSCP
+#ACTION	SOURCE		DEST		PROTO	DEST	SOURCE	USER	TEST	LENGTH	TOS   CONNBYTES		HELPER	HEADERS    PROBABILITY DSCP
 #						PORT(S)	PORT(S)
--- a/Shorewall6/init.debian.sh
+++ b/Shorewall6/init.debian.sh
@@ -54,10 +54,15 @@ not_configured () {
 	exit 0
 }
 #
 # The installer may alter this
 #
 . /usr/share/shorewall/shorewallrc
 # check if shorewall is configured or not
-if [ -f "/etc/default/shorewall6" ]
+if [ -f "${SYSCONFDIR}/shorewall6" ]
 then
-	. /etc/default/shorewall6
+	. ${SYSCONFDIR}/shorewall6
 	SRWL_OPTS="$SRWL_OPTS $OPTIONS"
 	if [ "$startup" != "1" ]
 	then
--- a/Shorewall6/init.fedora.sh
+++ b/Shorewall6/init.fedora.sh
@@ -20,16 +20,21 @@
 # Source function library.
 . /etc/rc.d/init.d/functions
 #
 # The installer may alter this
 #
 . /usr/share/shorewall/shorewallrc
 prog="shorewall6"
-shorewall="/sbin/$prog"
+shorewall="${SBINDIR}/$prog"
 logger="logger -i -t $prog"
 lockfile="/var/lock/subsys/$prog"
 # Get startup options (override default)
 OPTIONS=
-if [ -f /etc/sysconfig/$prog ]; then
+if [ -f ${SYSCONFDIR}/$prog ]; then
-    . /etc/sysconfig/$prog
+    . ${SYSCONFDIR}/$prog
 fi
 start() {
--- a/Shorewall6/init.sh
+++ b/Shorewall6/init.sh
@@ -1,11 +1,11 @@
 #!/bin/sh
 RCDLINKS="2,S41 3,S41 6,K41"
 #
-#     The Shoreline Firewall (Shorewall6) Packet Filtering Firewall - V4.2
+#     The Shoreline Firewall (Shorewall6) Packet Filtering Firewall - V4.5
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 1999,2000,2001,2002,2003,2004,2005 - Tom Eastep (teastep@shorewall.net)
+#     (c) 1999,2000,2001,2002,2003,2004,2005,2012 - Tom Eastep (teastep@shorewall.net)
 #
 #	On most distributions, this file should be called /etc/init.d/shorewall.
 #
@@ -62,11 +62,11 @@ usage() {
 # Get startup options (override default)
 ################################################################################
 OPTIONS="-v0"
-if [ -f /etc/sysconfig/shorewall6 ]; then
+
-    . /etc/sysconfig/shorewall6
+#
-elif [ -f /etc/default/shorewall6 ] ; then
+# The installer may alter this
-    . /etc/default/shorewall6
+#
-fi
+. /usr/share/shorewall/shorewallrc
 export SHOREWALL_INIT_SCRIPT=1
@@ -77,13 +77,13 @@ command="$1"
 case "$command" in
    start)
-	exec /sbin/shorewall6 $OPTIONS start $STARTOPTIONS
+	exec ${SBINDIR}/shorewall6 $OPTIONS start $STARTOPTIONS
 	;;
    restart|reload)
-	exec /sbin/shorewall6 $OPTIONS restart $RESTARTOPTIONS
+	exec ${SBINDIR}/shorewall6 $OPTIONS restart $RESTARTOPTIONS
 	;;
    status|stop)
-	exec /sbin/shorewall6 $OPTIONS $command $@
+	exec ${SBINDIR}/shorewall6 $OPTIONS $command $@
 	;;
    *)
 	usage
--- a/Shorewall6/lib.base
+++ b/Shorewall6/lib.base
@@ -24,11 +24,10 @@
 g_program=shorewall6
 g_family=6
 #
 # This may be altered by the installer
 #
 g_basedir=/usr/share/shorewall
-[ -n "${VARDIR:=/var/lib/$g_program}" ]
+. ${g_basedir}/lib.base
 [ -n "${SHAREDIR:=/usr/share/$g_program}" ]
 [ -n "${CONFDIR:=/etc/$g_program}" ]
 . /usr/share/shorewall/lib.base
--- a/Shorewall6/manpages/shorewall6-accounting.xml
+++ b/Shorewall6/manpages/shorewall6-accounting.xml
@@ -57,6 +57,17 @@
    of them may be omitted). The first non-commentary record in the accounting
    file must be a section header when sectioning is used.</para>
    <warning>
      <para>If sections are not used, the Shorewall rules compiler cannot
      detect certain violations of netfilter restrictions. These violations
      can result in run-time errors such as the following:</para>
      <blockquote>
        <para><emphasis role="bold">ip6tables-restore v1.4.13: Can't use -o
        with INPUT</emphasis></para>
      </blockquote>
    </warning>
    <para>Beginning with Shorewall 4.4.20, the ACCOUNTING_TABLE setting was
    added to shorewall.conf and shorewall6.conf. That setting determines the
    Netfilter table (filter or mangle) where the accounting rules are added.
--- a/Shorewall6/manpages/shorewall6-hosts.xml
+++ b/Shorewall6/manpages/shorewall6-hosts.xml
@@ -120,19 +120,6 @@
          the list must have no embedded white space.</para>
          <variablelist>
            <varlistentry>
              <term><emphasis role="bold">routeback</emphasis></term>
              <listitem>
                <para>shorewall6 should set up the infrastructure to pass
                packets from this/these address(es) back to themselves. This
                is necessary if hosts in this group use the services of a
                transparent proxy that is a member of the group or if DNAT is
                used to send requests originating from this group to a server
                in the group.</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><emphasis role="bold">blacklist</emphasis></term>
@@ -143,18 +130,6 @@
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><emphasis role="bold">tcpflags</emphasis></term>
              <listitem>
                <para>Packets arriving from these hosts are checked for
                certain illegal combinations of TCP flags. Packets found to
                have such a combination of flags are handled according to the
                setting of TCP_FLAGS_DISPOSITION after having been logged
                according to the setting of TCP_FLAGS_LOG_LEVEL.</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><emphasis role="bold">ipsec</emphasis></term>
@@ -167,6 +142,43 @@
                here.</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><emphasis
              role="bold">mss</emphasis>=<replaceable>mss</replaceable></term>
              <listitem>
                <para>Added in Shorewall 4.5.2. When present, causes the TCP
                mss for new connections to/from the hosts given in the HOST(S)
                column to be clamped at the specified
                <replaceable>mss</replaceable>.</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><emphasis role="bold">routeback</emphasis></term>
              <listitem>
                <para>shorewall6 should set up the infrastructure to pass
                packets from this/these address(es) back to themselves. This
                is necessary if hosts in this group use the services of a
                transparent proxy that is a member of the group or if DNAT is
                used to send requests originating from this group to a server
                in the group.</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><emphasis role="bold">tcpflags</emphasis></term>
              <listitem>
                <para>Packets arriving from these hosts are checked for
                certain illegal combinations of TCP flags. Packets found to
                have such a combination of flags are handled according to the
                setting of TCP_FLAGS_DISPOSITION after having been logged
                according to the setting of TCP_FLAGS_LOG_LEVEL.</para>
              </listitem>
            </varlistentry>
          </variablelist>
        </listitem>
      </varlistentry>
--- a/Shorewall6/manpages/shorewall6-params.xml
+++ b/Shorewall6/manpages/shorewall6-params.xml
@@ -23,7 +23,11 @@
  <refsect1>
    <title>Description</title>
-    <para>Assign any shell variables that you need in this file.</para>
+    <para>Assign any shell variables that you need in this file. The file is
    always processed by <filename>/bin/sh</filename> or by the shell specified
    through SHOREWALL_SHELL in <ulink
    url="shorewall6.conf.html">shorewall6.conf</ulink> (5) so the full range
    of shell capabilities may be used.</para>
    <para>It is suggested that variable names begin with an upper case letter
    to distinguish them from variables used internally within the Shorewall
@@ -130,8 +134,8 @@ net     eth0            -               dhcp,nosmurfs</programlisting>
    <para>shorewall6(8), shorewall6-accounting(5), shorewall6-actions(5),
    shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-interfaces(5),
    shorewall6-maclist(5), shorewall6-policy(5), shorewall6-providers(5),
-    shorewall6-rtrules(5), shorewall6-routestopped(5),
+    shorewall6-rtrules(5), shorewall6-routestopped(5), shorewall6-rules(5),
-    shorewall6-rules(5), shorewall6.conf(5), shorewall6-secmarks(5), shorewall6-tcclasses(5),
+    shorewall6.conf(5), shorewall6-secmarks(5), shorewall6-tcclasses(5),
    shorewall6-tcdevices(5), shorewall6-tcrules(5), shorewall6-tos(5),
    shorewall6-tunnels(5), shorewall6-zones(5)</para>
  </refsect1>
--- a/Shorewall6/manpages/shorewall6-rules.xml
+++ b/Shorewall6/manpages/shorewall6-rules.xml
@@ -257,7 +257,7 @@
              <listitem>
                <para>like CONTINUE but exempts the rule from being suppressed
                by OPTIMIZE=1 in <ulink
-                url="shorewall6.conf.html">shorewall6.conf</ulink>(5). </para>
+                url="shorewall6.conf.html">shorewall6.conf</ulink>(5).</para>
              </listitem>
            </varlistentry>
@@ -970,8 +970,18 @@
              <term>localtz</term>
              <listitem>
-                <para>Times are expressed in Local Civil Time
+                <para>Deprecated by the Netfilter team in favor of <emphasis
-                (default).</para>
+                role="bold">kerneltz</emphasis>. Times are expressed in Local
                Civil Time (default).</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term>kerneltz</term>
              <listitem>
                <para>Added in Shorewall 4.5.2. Times are expressed in Local
                Kernel Time (requires iptables 1.4.12 or later).</para>
              </listitem>
            </varlistentry>
--- a/Shorewall6/manpages/shorewall6-tcrules.xml
+++ b/Shorewall6/manpages/shorewall6-tcrules.xml
@@ -44,11 +44,11 @@
    <variablelist>
      <varlistentry>
-        <term><emphasis role="bold">MARK/CLASSIFY</emphasis> -
+        <term><emphasis role="bold">ACTION</emphasis> -
-        <replaceable>mark</replaceable></term>
+        <replaceable>action</replaceable></term>
        <listitem>
-          <para><replaceable>mark</replaceable> may assume one of the
+          <para><replaceable>action</replaceable> may assume one of the
          following values.</para>
          <orderedlist numeration="arabic">
@@ -272,8 +272,8 @@
              SAME may be used in the PREROUTING and OUTPUT chains. When used
              in PREROUTING, it causes matching connections from an individual
              local system to all use the same provider. For example:
-              <programlisting>#MARK/            SOURCE         DEST         PROTO      DEST
+              <programlisting>#ACTION           SOURCE         DEST         PROTO      DEST
-#CLASSIFY                                                PORT(S)
+#                                                        PORT(S)
 SAME:P            192.168.1.0/24 0.0.0.0/0    tcp        80,443</programlisting>
              If a host in 192.168.1.0/24 attempts a connection on TCP port 80
              or 443 and it has sent a packet on either of those ports in the
@@ -283,8 +283,8 @@ SAME:P            192.168.1.0/24 0.0.0.0/0    tcp        80,443</programlisting>
              <para>When used in the OUTPUT chain, it causes all matching
              connections to an individual remote system to all use the same
-              provider. For example:<programlisting>#MARK/            SOURCE         DEST         PROTO      DEST
+              provider. For example:<programlisting>#ACTION           SOURCE         DEST         PROTO      DEST
-#CLASSIFY                                                PORT(S)
+#                                                        PORT(S)
 SAME              $FW            0.0.0.0/0    tcp        80,443</programlisting>
              If the firewall attempts a connection on TCP port 80 or 443 and
              it has sent a packet on either of those ports in the last five
@@ -416,7 +416,7 @@ SAME              $FW            0.0.0.0/0    tcp        80,443</programlisting>
                  <term>T</term>
                  <listitem>
-                    <para>POSTROUTING chain (default).</para>
+                    <para>POSTROUTING chain.</para>
                  </listitem>
                </varlistentry>
              </variablelist>
@@ -495,7 +495,7 @@ Normal-Service       =&gt; 0x00</programlisting>
          <para>Accordingly, use $<emphasis role="bold">FW</emphasis> in its
          own separate rule for packets originating on the firewall. In such a
-          rule, the MARK column may NOT specify either <emphasis
+          rule, the ACTION column may NOT specify either <emphasis
          role="bold">:P</emphasis> or <emphasis role="bold">:F</emphasis>
          because marking for firewall-originated packets always occurs in the
          OUTPUT chain.</para>
@@ -526,7 +526,7 @@ Normal-Service       =&gt; 0x00</programlisting>
          iprange match support, IP address ranges are also allowed. List
          elements may also consist of an interface name followed by ":" and
          an address (e.g., eth1:&lt;2002:ce7c:92b4::/48&gt;). If the
-          <emphasis role="bold">MARK</emphasis> column specificies a
+          <emphasis role="bold">ACTION</emphasis> column specificies a
          classification of the form
          <emphasis>major</emphasis>:<emphasis>minor</emphasis> then this
          column may also contain an interface name.</para>
@@ -795,8 +795,8 @@ Normal-Service       =&gt; 0x00</programlisting>
          that the original connection was made on.</para>
          <para>Example: Mark all FTP data connections with mark
-          4:<programlisting>#MARK/    SOURCE    DEST      PROTO   PORT(S)    SOURCE  USER TEST LENGTH TOS CONNBYTES HELPER
+          4:<programlisting>#ACTION   SOURCE    DEST      PROTO   PORT(S)    SOURCE  USER TEST LENGTH TOS CONNBYTES HELPER
-#CLASSIFY                                        PORT(S)
+#                                                PORT(S)
 4         ::/0      ::/0      TCP     -          -       -    -    -      -   -         ftp</programlisting></para>
        </listitem>
      </varlistentry>
@@ -930,8 +930,8 @@ Normal-Service       =&gt; 0x00</programlisting>
          <para>We assume packet/connection mark 0 means unclassified.</para>
-          <programlisting>       #MARK/    SOURCE    DEST         PROTO   PORT(S)       SOURCE  USER    TEST
+          <programlisting>       #ACTION   SOURCE    DEST         PROTO   PORT(S)       SOURCE  USER    TEST
-       #CLASSIFY                                              PORT(S)
+       #                                                      PORT(S)
       1         ::/0      ::/0         icmp    echo-request
       1         ::/0      ::/0         icmp    echo-reply
       RESTORE   ::/0      ::/0         all     -             -       -       0
--- a/Shorewall6/manpages/shorewall6.conf.xml
+++ b/Shorewall6/manpages/shorewall6.conf.xml
@@ -756,6 +756,29 @@ net     all  DROP   info</programlisting>then the chain name is 'net2all'
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><emphasis role="bold">IPSET_WARNINGS=</emphasis>{<emphasis
        role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>}</term>
        <listitem>
          <para>Added in Shorewall 4.5.2. Default is Yes. When set, causes the
          rules compiler to issue a warning when:</para>
          <itemizedlist>
            <listitem>
              <para>The compiler is being run by root and an ipset specified
              in the configuration does not exists. Only one warning is issued
              for each missing ipset.</para>
            </listitem>
            <listitem>
              <para>When [src] is specified in a destination column and when
              [dst] is specified in a source column.</para>
            </listitem>
          </itemizedlist>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><emphasis role="bold">KEEP_RT_TABLES=</emphasis>{<emphasis
        role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>}</term>
@@ -1809,15 +1832,14 @@ net     all  DROP   info</programlisting>then the chain name is 'net2all'
          to zero, thus allowing the packet to be routed using the 'main'
          routing table. Using the main table allowed dynamic routes (such as
          those added for VPNs) to be effective. The <ulink
-          url="shorewall6-rtrules.html">shorewall6-rtrules</ulink>(5)
+          url="shorewall6-rtrules.html">shorewall6-rtrules</ulink>(5) file was
-          file was created to provide a better alternative to clearing the
+          created to provide a better alternative to clearing the packet mark.
-          packet mark. As a consequence, passing these packets to PREROUTING
+          As a consequence, passing these packets to PREROUTING complicates
-          complicates things without providing any real benefit. Beginning
+          things without providing any real benefit. Beginning with Shorewall
-          with Shorewall 4.4.6, when TRACK_PROVIDERS=Yes and TC_EXPERT=No,
+          4.4.6, when TRACK_PROVIDERS=Yes and TC_EXPERT=No, packets arriving
-          packets arriving through 'tracked' interfaces will not be passed to
+          through 'tracked' interfaces will not be passed to the PREROUTING
-          the PREROUTING rules. Since TRACK_PROVIDERS was just introduced in
+          rules. Since TRACK_PROVIDERS was just introduced in 4.4.3, this
-          4.4.3, this change should be transparent to most, if not all,
+          change should be transparent to most, if not all, users.</para>
          users.</para>
        </listitem>
      </varlistentry>
@@ -1977,10 +1999,9 @@ net     all  DROP   info</programlisting>then the chain name is 'net2all'
    shorewall6-ipsec(5), shorewall6-maclist(5), shorewall6-masq(5),
    shorewall6-nat(5), shorewall6-netmap(5),
    shoewall6-netmap(5),shorewall6-params(5), shorewall6-policy(5),
-    shorewall6-providers(5), shorewall6-proxyarp(5),
+    shorewall6-providers(5), shorewall6-proxyarp(5), shorewall6-rtrules(5),
-    shorewall6-rtrules(5), shorewall6-routestopped(5),
+    shorewall6-routestopped(5), shorewall6-rules(5), shorewall6-tcclasses(5),
-    shorewall6-rules(5), shorewall6-tcclasses(5), shorewall6-tcdevices(5),
+    shorewall6-tcdevices(5), shorewall6-tcrules(5), shorewall6-tos(5),
-    shorewall6-tcrules(5), shorewall6-tos(5), shorewall6-tunnels(5),
+    shorewall6-tunnels(5), shorewall6-zones(5)</para>
    shorewall6-zones(5)</para>
  </refsect1>
 </refentry>
--- a/Shorewall6/shorewall6
+++ b/Shorewall6/shorewall6
@@ -27,6 +27,19 @@
 ################################################################################################
 g_program=shorewall6
-. /usr/share/shorewall/lib.cli
+#
 # This is modified by the installer when ${SHAREDIR} != /usr/share
 #
 . /usr/share/shorewall/shorewallrc
 g_libexec="$LIBEXECDIR"
 g_sharedir="$SHAREDIR"/shorewall6
 g_sbindir="$SBINDIR"
 g_perllib="$PERLLIBDIR"
 g_vardir="$VARDIR"
 g_confdir="$CONFDIR"/shorewall6
 g_readrc=1
 . ${SHAREDIR}/shorewall/lib.cli
 shorewall_cli $@
--- a/Shorewall6/uninstall.sh
+++ b/Shorewall6/uninstall.sh
@@ -31,7 +31,7 @@ VERSION=xxx #The Build script inserts the actual version
 usage() # $1 = exit status
 {
    ME=$(basename $0)
-    echo "usage: $ME"
+    echo "usage: $ME [ <shorewallrc file> ]"
    exit $1
 }
@@ -40,16 +40,25 @@ qt()
    "$@" >/dev/null 2>&1
 }
-restore_file() # $1 = file to restore
+split() {
-{
+    local ifs
-    if [ -f ${1}-shorewall.bkout ]; then
+    ifs=$IFS
-	if (mv -f ${1}-shorewall.bkout $1); then
+    IFS=:
-	    echo
+    set -- $1
-	    echo "$1 restored"
+    echo $*
-        else
+    IFS=$ifs
-	    exit 1
+}
-        fi
+
-    fi
+mywhich() {
    local dir
    for dir in $(split $PATH); do
 	if [ -x $dir/$1 ]; then
 	    return 0
 	fi
    done
    return 2
 }
 remove_file() # $1 = file to restore
@@ -60,7 +69,36 @@ remove_file() # $1 = file to restore
    fi
 }
-if [ -f /usr/share/shorewall6/version ]; then
+#
 # Read the RC file
 #
 if [ $# -eq 0 ]; then
    if [ -f ./shorewallrc ]; then
 	. ./shorewallrc
    elif [ -f ~/.shorewallrc ]; then
 	. ~/.shorewallrc || exit 1
 	file=./.shorewallrc
    elif [ -f /usr/share/shorewall/shorewallrc ]; then
 	. /usr/share/shorewall/shorewallrc
    else
 	fatal_error "No configuration file specified and /usr/share/shorewall/shorewallrc not found"
    fi
 elif [ $# -eq 1 ]; then
    file=$1
    case $file in
 	/*|.*)
 	    ;;
 	*)
 	    file=./$file
 	    ;;
    esac
    . $file
 else
    usage 1
 fi
 if [ -f ${SHARDIR}/shorewall6/version ]; then
    INSTALLED_VERSION="$(cat /usr/share/shorewall6/version)"
    if [ "$INSTALLED_VERSION" != "$VERSION" ]; then
 	echo "WARNING: Shorewall6 Version $INSTALLED_VERSION is installed"
@@ -72,49 +110,39 @@ else
    VERSION=""
 fi
 [ -n "${LIBEXEC:=/usr/share}" ]
 echo "Uninstalling shorewall6 $VERSION"
-if qt ip6tables -L shorewall6 -n && [ ! -f /sbin/shorewall6-lite ]; then
+if qt ip6tables -L shorewall6 -n && [ ! -f ${SBINDIR}/shorewall6-lite ]; then
-   /sbin/shorewall6 clear
+   ${SBINDIR}/shorewall6 clear
 fi
-if [ -L /usr/share/shorewall6/init ]; then
+if [ -L ${SHAREDIR}/shorewall6/init ]; then
-    FIREWALL=$(readlink -m -q /usr/share/shorewall6/init)
+    FIREWALL=$(readlink -m -q ${SHAREDIR}/shorewall6/init)
-else
+elif [ -n "$INITFILE" ]; then
-    FIREWALL=/etc/init.d/shorewall6
+    FIREWALL=${INITDIR}/${INITFILE}
 fi
-if [ -n "$FIREWALL" ]; then
+if [ -f "$FIREWALL" ]; then
-    if [ -x /usr/sbin/updaterc.d ]; then
+    if mywhich updaterc.d ; then
 	updaterc.d shorewall6 remove
-    elif [ -x /sbin/insserv -o -x /usr/sbin/insserv ]; then
+    elif mywhich insserv ; then
        insserv -r $FIREWALL
-    elif [ -x /sbin/chkconfig -o -x /usr/sbin/chkconfig ]; then
+    elif mywhich chkconfig ; then
 	chkconfig --del $(basename $FIREWALL)
-    elif [ -x /sbin/systemctl ]; then
+    elif mywhich systemctl ; then
 	systemctl disable shorewall6
    else
 	rm -f /etc/rc*.d/*$(basename $FIREWALL)
    fi
    remove_file $FIREWALL
    rm -f ${FIREWALL}-*.bkout
 fi
-rm -f /sbin/shorewall6
+rm -f ${SBINDIR}/shorewall6
-rm -f /sbin/shorewall6-*.bkout
+rm -rf ${CONFDIR}/shorewall6
-
+rm -rf ${VARDIR}/shorewall6
 rm -rf /etc/shorewall6
 rm -rf /etc/shorewall6-*.bkout
 rm -rf /var/lib/shorewall6
 rm -rf /var/lib/shorewall6-*.bkout
 rm -rf ${LIBEXEC}/shorewall6
-rm -rf /usr/share/shorewall6
+rm -rf ${SHAREDIR}/shorewall6
 rm -rf /usr/share/shorewall6-*.bkout
-for f in /usr/share/man/man5/shorewall6* /usr/share/man/man8/shorewall6*; do
+for f in ${MANDIR}/man5/shorewall6* ${SHAREDIR}/man/man8/shorewall6*; do
    case $f in
 	shorewall6-lite*)
 	    ;;
@@ -123,8 +151,8 @@ for f in /usr/share/man/man5/shorewall6* /usr/share/man/man8/shorewall6*; do
    esac
 done
-rm -f  /etc/logrotate.d/shorewall6
+rm -f  ${CONFDIR}/logrotate.d/shorewall6
-rm -f  /lib/systemd/system/shorewall6.service
+[ -n "$SYSTEMD" ] && rm -f ${SYSTEMD}/shorewall6.service
 echo "Shorewall6 Uninstalled"
--- a/docs/Install.xml
+++ b/docs/Install.xml
--- a/docs/PacketMarking.xml
+++ b/docs/PacketMarking.xml
@@ -117,7 +117,7 @@ tcp      6 19 TIME_WAIT src=206.124.146.176 dst=192.136.34.98 sport=58597 dport=
        <para>PREROUTING program — If MARK_IN_FORWARD_CHAIN=No in
        <filename>shorewall.conf</filename>, then by default entries in
        <filename>/etc/shorewall/tcrules</filename> are part of the PREROUTING
-        program. Entries specifying the ":P" suffix in the MARK column are
+        program. Entries specifying the ":P" suffix in the ACTION column are
        also part of the PREROUTING program. The PREROUTING program gets
        executed for each packet entering the firewall.</para>
      </listitem>
@@ -126,7 +126,7 @@ tcp      6 19 TIME_WAIT src=206.124.146.176 dst=192.136.34.98 sport=58597 dport=
        <para>FORWARD program — If MARK_IN_FORWARD_CHAIN=Yes in
        <filename>shorewall.conf</filename>, then by default entries in
        <filename>/etc/shorewall/tcrules</filename> are part of the FORWARD
-        program. Entries specifying the ":F" suffix in the MARK column are
+        program. Entries specifying the ":F" suffix in the ACTION column are
        also part of the FORWARD program. The FORWARD program gets executed
        for each packet forwarded by the firewall.</para>
      </listitem>
@@ -138,12 +138,12 @@ tcp      6 19 TIME_WAIT src=206.124.146.176 dst=192.136.34.98 sport=58597 dport=
      </listitem>
      <listitem>
-        <para>POSTROUTING program — Entries with a class-id in the MARK column
+        <para>POSTROUTING program — Entries with a class-id in the ACTION
-        (and that don't specify $FW in the SOURCE column) are part of the
+        column (and that don't specify $FW in the SOURCE column) are part of
-        POSTROUTING program. These rules are executed for each packet leaving
+        the POSTROUTING program. These rules are executed for each packet
-        the firewall. Entries specifying the ":T" suffix in the MARK column
+        leaving the firewall. Entries specifying the ":T" suffix in the ACTION
-        are also part of the POSTROUTING program (Shorewall version 3.4.0 and
+        column are also part of the POSTROUTING program (Shorewall version
-        later).</para>
+        3.4.0 and later).</para>
      </listitem>
      <listitem>
@@ -180,25 +180,25 @@ tcp      6 19 TIME_WAIT src=206.124.146.176 dst=192.136.34.98 sport=58597 dport=
          <listitem>
            <para>the connection to which the current packet belongs receives
-            a new mark value (":C", ":CF" or ":CP" suffix in the MARK column);
+            a new mark value (":C", ":CF" or ":CP" suffix in the ACTION
-            or</para>
+            column); or</para>
          </listitem>
          <listitem>
            <para>the packet is classified for traffic shaping (class-id in
-            the MARK column); or</para>
+            the ACTION column); or</para>
          </listitem>
          <listitem>
            <para>the packet mark in the current packet is moved to the
            connection mark for the connection that the current packet is part
-            of ("SAVE" in the MARK column); or</para>
+            of ("SAVE" in the ACTION column); or</para>
          </listitem>
          <listitem>
            <para>the connection mark value for the connection that the
            current packet is part of is moved to the current packet's mark
-            ("RESTORE" in the MARK column); or</para>
+            ("RESTORE" in the ACTION column); or</para>
          </listitem>
          <listitem>
@@ -207,7 +207,7 @@ tcp      6 19 TIME_WAIT src=206.124.146.176 dst=192.136.34.98 sport=58597 dport=
          </listitem>
          <listitem>
-            <para>exit the current subroutine ("CONTINUE" in the MARK
+            <para>exit the current subroutine ("CONTINUE" in the ACTION
            column).</para>
          </listitem>
        </orderedlist>
@@ -339,9 +339,9 @@ tcp      6 19 TIME_WAIT src=206.124.146.176 dst=192.136.34.98 sport=58597 dport=
    <para>The relationship between these options is shown in this
    diagram.</para>
-    <graphic align="left" fileref="images/MarkGeometry.png" valign="top" />
+    <graphic align="left" fileref="images/MarkGeometry.png" valign="top"/>
-    <para></para>
+    <para/>
    <para>The default values of these options are determined by the settings
    of other options as follows:</para>
@@ -455,7 +455,7 @@ tcp      6 19 TIME_WAIT src=206.124.146.176 dst=192.136.34.98 sport=58597 dport=
    <para>Here's the example (slightly expanded) from the comments at the top
    of the <filename>/etc/shorewall/tcrules</filename> file.</para>
-    <programlisting>#MARK    SOURCE          DEST            PROTO   PORT(S) CLIENT  USER    TEST    LENGTH  TOS
+    <programlisting>#ACTION  SOURCE          DEST            PROTO   PORT(S) CLIENT  USER    TEST    LENGTH  TOS
 #                                                        PORT(S)
 1        0.0.0.0/0       0.0.0.0/0       icmp    echo-request                 #Rule 1
 1        0.0.0.0/0       0.0.0.0/0       icmp    echo-reply                   #Rule 2
@@ -539,7 +539,7 @@ Blarg   1       0x100   main            eth3            206.124.146.254 track,ba
    <para>Here is <filename>/etc/shorewall/tcrules</filename>:</para>
-    <programlisting>#MARK   SOURCE          DEST            PROTO   PORT(S) CLIENT  USER    TEST
+    <programlisting>#ACTION SOURCE          DEST            PROTO   PORT(S) CLIENT  USER    TEST
 #                                                       PORT(S)
 1:110   192.168.0.0/22  eth3                                            #Our internal nets get priority
                                                                        #over the server
--- a/docs/configuration_file_basics.xml
+++ b/docs/configuration_file_basics.xml
@@ -70,7 +70,10 @@
        <listitem>
          <para><filename>/etc/shorewall/params</filename> - use this file to
-          set shell variables that you will expand in other files.</para>
+          set shell variables that you will expand in other files. It is
          always processed by /bin/sh or by the shell specified through
          SHOREWALL_SHELL in
          <filename>/etc/shorewall/shorewall.conf.</filename></para>
        </listitem>
        <listitem>
@@ -1044,6 +1047,16 @@ SHELL cat /etc/shorewall/rules.d/*.rules</programlisting></para>
      <programlisting>SECTION NEW
 SHELL cat /etc/shorewall/rules.d/*.rules 2&gt; /dev/null || true</programlisting>
      <para>Beginning with Shorewall 4.5.2, in files other than
      <filename>/etc/shorewall/params</filename> and
      <filename>/etc/shorewall/conf</filename>, INCLUDE may be immediately
      preceeded with '?' to signal that the line is a compiler directive and
      not configuration data.</para>
      <para>Example:</para>
      <programlisting>?INCLUDE common.rules</programlisting>
    </example>
  </section>
@@ -1239,11 +1252,15 @@ SHELL cat /etc/shorewall/rules.d/*.rules 2&gt; /dev/null || true</programlisting
      </listitem>
    </orderedlist>
-    <para id="Rvariables">Given that shell variables are expanded at compile
+    <para id="Rvariables">Beginning with Shorewall 4.5.2, configuration files
-    time, there is no way to cause such variables to be expended at run time.
+    can access variables defined in the <ulink
-    Prior to Shorewall 4.4.17, this made it difficult (to impossible) to
+    url="Install.htm#shorewallrc">shorewallrc file</ulink>.</para>
-    include dynamic IP addresses in a <ulink
+
-    url="Shorewall-Lite.html">Shorewall-lite</ulink> configuration.</para>
+    <para>Given that shell variables are expanded at compile time, there is no
    way to cause such variables to be expended at run time. Prior to Shorewall
    4.4.17, this made it difficult (to impossible) to include dynamic IP
    addresses in a <ulink url="Shorewall-Lite.html">Shorewall-lite</ulink>
    configuration.</para>
    <para>Version 4.4.17 implemented <firstterm>Run-time address
    variables</firstterm>. In configuration files, these variables are
@@ -1427,6 +1444,140 @@ SHELL cat /etc/shorewall/rules.d/*.rules 2&gt; /dev/null || true</programlisting
    </note>
  </section>
  <section id="Conditional">
    <title>Conditional Entries</title>
    <para>Beginning with Shorewall 4.5.2, lines in configuration files may be
    conditionally included or omitted based on the setting of <link
    linkend="Variables">Shell variables</link>.</para>
    <para>The general form is:</para>
    <programlisting>?IF <replaceable>$variable
 </replaceable>&lt;lines to be included if $variable is non-empty and non-zero&gt;
 ?ELSE
 &lt;lines to be omitted if $variable is non-empty and non-zero&gt;
 ?ENDIF</programlisting>
    <para>The compiler predefines two special
    <replaceable>variable</replaceable>s that may only be used in ?IF
    lines:</para>
    <variablelist>
      <varlistentry>
        <term>__IPV4</term>
        <listitem>
          <para>True if this is an IPv4 compilation</para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term>__IPV6</term>
        <listitem>
          <para>True if this is an IPv6 compilation.</para>
        </listitem>
      </varlistentry>
    </variablelist>
    <para>Unless <replaceable>variable</replaceable> is one of these
    pre-defined ones, it is searched for in the following places in the order
    listed:</para>
    <itemizedlist>
      <listitem>
        <para>the compiler's environmental variables.</para>
      </listitem>
      <listitem>
        <para>variables set in
        <filename>/etc/shorewall/params</filename>.</para>
      </listitem>
      <listitem>
        <para>options set in
        <filename>/etc/shorewall/shorewall.conf</filename>.</para>
      </listitem>
      <listitem>
        <para>options set in the <filename>shorewallrc</filename> file when
        Shorewall Core was installed.</para>
      </listitem>
    </itemizedlist>
    <para>If the <replaceable>variable</replaceable> is still not found and it
    begins with '__', then those leading characters are stripped off and the
    result is searched for in the defined <firstterm>capabilities</firstterm>.
    The current set of capabilities may be obtained by the command
    <command>shorewall show capabilities</command> (the capability names are
    in parentheses).</para>
    <para>If it is not found in any of those places, the
    <replaceable>variable</replaceable> is assumed to have a value of 0
    (false).</para>
    <para>The setting in <filename>/etc/shorewall/params</filename> by be
    overridden at runtime, provided the setting in
    <filename>/etc/shorewall/params</filename> is done like this:</para>
    <programlisting>[ -n "${<replaceable>variable</replaceable>:=0}" ]</programlisting>
    <para>or like this:</para>
    <programlisting>[ -n "${<replaceable>variable</replaceable>}" ] || <replaceable>variable</replaceable>=0</programlisting>
    <para>Either of those will set variable to 0 if it is not set to a
    non-empty value in the environment. The setting can be overridden at
    runtime:</para>
    <programlisting><replaceable>variable</replaceable>=1 shorewall restart -c # use -c to force recompilation if AUTOMAKE=Yes in /etc/shorewall/shorewall.conf</programlisting>
    <para>The ?ELSE may be omitted if there are no lines to be omitted.</para>
    <para>The test may also be inverted using '!':</para>
    <programlisting>?IF ! <replaceable>$variable
 </replaceable>&lt;lines to be omitted if $variable is non-empty and non-zero&gt;
 ?ELSE
 &lt;lines to be included if $variable is non-empty and non-zero&gt;
 ?ENDIF</programlisting>
    <para>Conditional entries may be nested but the number of ?IFs must match
    the number of ?ENDs in any give file. <link linkend="INCLUDE">INCLUDE
    directives</link> are ignored in omitted lines.</para>
    <programlisting>?IF <replaceable>$variable1
 </replaceable>&lt;lines to be included if $variable1 is non-empty and non-zero&gt;
   ?IF $variable2
 &lt;lines to be included if $variable1 and $variable2 are non-empty and non-zero&gt;
   ?ELSE
 &lt;lines to be omitted if $variable1 is non-empty and non-zero and if $variable2 is empty or zero&gt;
   ?ENDIF
 <replaceable>
 </replaceable>&lt;lines to be included if $variable1 is non-empty and non-zero&gt;
 ?ELSE
 &lt;lines to be omitted if $variable is non-empty and non-zero&gt;
 ?ENDIF</programlisting>
  </section>
  <section id="Embedded">
    <title>Embedded Shell and Perl</title>
@@ -1442,8 +1593,11 @@ SHELL cat /etc/shorewall/rules.d/*.rules 2&gt; /dev/null || true</programlisting
    configuration files except <filename>/etc/shorewall/params</filename> and
    <filename>/etc/shorewall/shorewall.conf</filename>.</para>
-    <para>Embedded scripts can be either single-line or multi-line. Single
+    <para><emphasis role="bold">Note:</emphasis>In this section, '[' and ']'
-    line scripts take one of the following forms:</para>
+    are meta-characters which indicate that what they enclose is optional and
    may be omitted.</para>
    <para>Single line scripts take one of the following forms:</para>
    <itemizedlist>
      <listitem>
@@ -1508,11 +1662,6 @@ use Shorewall::Config ( qw/shorewall/ );</programlisting>
 &lt;<emphasis>perl script</emphasis>&gt;
 <emphasis role="bold">END</emphasis> [ <emphasis role="bold">PERL</emphasis> ] [<emphasis
          role="bold">;</emphasis>]</programlisting></para>
    <para><emphasis role="bold">Note: </emphasis>The '[' and ']' above are
    meta-characters which indicate that what they enclose is optional and may
    be omitted. So you may follow PERL with a semicolon ( ';') or you may omit
    the semicolon.</para>
  </section>
  <section id="dnsnames">
@@ -1851,7 +2000,7 @@ redirect                      =&gt; 137</programlisting>
    192.168.1.3, the entry in /etc/shorewall/rules is:</para>
    <programlisting>#ACTION    SOURCE     DESTINATION     PROTO     DEST PORTS(S)
-DNAT       net        loc:192.168.1.3 tcp       4000:4100</programlisting>
+DNAT       net        loc:192.168.1.3 tcp       <emphasis role="bold">4000:4100</emphasis></programlisting>
    <para>If you omit the low port number, a value of zero is assumed; if you
    omit the high port number, a value of 65535 is assumed.</para>
@@ -1987,9 +2136,9 @@ DNAT       net        loc:192.168.1.3 tcp       4000:4100</programlisting>
    Support requires that you install xtables-addons.</para>
    <para>The SWITCH column contains the name of a
-    <firstterm>switch.</firstterm> Each switch that is initially in the
+    <firstterm>switch.</firstterm> Each switch is initially in the <emphasis
-    <emphasis role="bold">off</emphasis> position. You can turn on the switch
+    role="bold">off</emphasis> position. You can turn on the switch named
-    named <emphasis>switch1</emphasis> by:</para>
+    <emphasis>switch1</emphasis> by:</para>
    <simplelist>
      <member><command>echo 1 &gt;
@@ -2033,7 +2182,8 @@ DNAT       net        loc:192.168.1.3 tcp       4000:4100</programlisting>
      <programlisting>#ACTION     SOURCE          DEST        PROTO       DEST         SOURCE    ORIGINAL   RATE      USER/     MARK    CONNLIMIT     TIME     HEADERS    SWITCH
 #                                                   PORT(S)      PORT(S)   DEST       LIMIT     GROUP
-DNAT        net             dmz:$BACKUP tcp         80           -         -          -         -         -       -             -        -          primary_down  </programlisting>
+DNAT        net             dmz:$BACKUP tcp         80           -         -          -         -         -       -             -        -          <emphasis
          role="bold">primary_down</emphasis>  </programlisting>
    </blockquote>
  </section>
@@ -2063,11 +2213,16 @@ DNAT        net             dmz:$BACKUP tcp         80           -         -
    <para>Here is an example:</para>
    <programlisting>#ZONE  INTERFACE  BROADCAST OPTIONS
-net    COM_IF     detect    dhcp,blacklist,tcpflags,optional,upnp,routefilter=0,nosmurfs,logmartians=0,physical=eth0
+net    <emphasis role="bold">COM_IF </emphasis>    detect    dhcp,blacklist,tcpflags,optional,upnp,routefilter=0,nosmurfs,logmartians=0,<emphasis
-net    EXT_IF     detect    dhcp,blacklist,tcpflags,optional,routefilter=0,nosmurfs,logmartians=0,proxyarp=1,physical=eth2
+        role="bold">physical=eth0</emphasis>
-loc    INT_IF     detect    dhcp,logmartians=1,routefilter=1,tcpflags,nets=172.20.1.0/24,physical=eth1
+net    <emphasis role="bold">EXT_IF</emphasis>     detect    dhcp,blacklist,tcpflags,optional,routefilter=0,nosmurfs,logmartians=0,proxyarp=1,<emphasis
-dmz    VPS_IF     detect    logmartians=1,routefilter=0,routeback,physical=venet0
+        role="bold">physical=eth2</emphasis>
-loc    TUN_IF     detect    physical=tun+</programlisting>
+loc    <emphasis role="bold">INT_IF </emphasis>    detect    dhcp,logmartians=1,routefilter=1,tcpflags,nets=172.20.1.0/24,<emphasis
        role="bold">physical=eth1</emphasis>
 dmz    <emphasis role="bold">VPS_IF </emphasis>    detect    logmartians=1,routefilter=0,routeback,<emphasis
        role="bold">physical=venet0</emphasis>
 loc    <emphasis role="bold">TUN_IF</emphasis>     detect    <emphasis
        role="bold">physical=tun+</emphasis></programlisting>
    <para>In this example, COM_IF is a logical interface name that refers to
    Ethernet interface <filename class="devicefile">eth0</filename>, EXT_IF is
@@ -2082,16 +2237,18 @@ loc    TUN_IF     detect    physical=tun+</programlisting>
    <programlisting>#INTERFACE SOURCE                    ADDRESS
 COMMENT Masquerade Local Network
-COM_IF     0.0.0.0/0
+<emphasis role="bold">COM_IF</emphasis>     0.0.0.0/0
-EXT_IF     !206.124.146.0/24         206.124.146.179:persistent</programlisting>
+<emphasis role="bold">EXT_IF </emphasis>    !206.124.146.0/24         206.124.146.179:persistent</programlisting>
    <para><ulink
    url="manpages/shorewall-providers.html">shorewall-providers</ulink>
    (5)</para>
    <programlisting>#NAME   NUMBER   MARK    DUPLICATE  INTERFACE  GATEWAY         OPTIONS               COPY
-Avvanta 1        0x10000 main       EXT_IF     206.124.146.254 loose,fallback        INT_IF,VPS_IF,TUN_IF
+Avvanta 1        0x10000 main       <emphasis role="bold">EXT_IF </emphasis>    206.124.146.254 loose,fallback        <emphasis
-Comcast 2        0x20000 main       COM_IF     detect          balance               INT_IF,VPS_IF,TUN_IF</programlisting>
+        role="bold">INT_IF,VPS_IF,TUN_IF</emphasis>
 Comcast 2        0x20000 main       <emphasis role="bold">COM_IF</emphasis>     detect          balance               <emphasis
        role="bold">INT_IF,VPS_IF,TUN_IF</emphasis></programlisting>
    <para>Note in particular that Shorewall translates TUN_IF to <filename
    class="devicefile">tun*</filename> in the COPY column.</para>
--- a/docs/traffic_shaping.xml
+++ b/docs/traffic_shaping.xml
@@ -223,10 +223,10 @@
    <para>This screen shot shows how I configured QoS in a 2.6.16
    Kernel:</para>
-    <graphic align="center" fileref="images/traffic_shaping2.6.png" />
+    <graphic align="center" fileref="images/traffic_shaping2.6.png"/>
    <para>And here's my recommendation for a 2.6.21 kernel:<graphic
-    align="center" fileref="images/traffic_shaping2.6.21.png" /></para>
+    align="center" fileref="images/traffic_shaping2.6.21.png"/></para>
  </section>
  <section id="Shorewall">
@@ -445,7 +445,7 @@
      </itemizedlist>
      <example id="Example0">
-        <title></title>
+        <title/>
        <para>Suppose you are using PPP over Ethernet (DSL) and ppp0 is the
        interface for this. The device has an outgoing bandwidth of 500kbit
@@ -829,11 +829,11 @@ ppp0           6000kbit         500kbit</programlisting>
      <itemizedlist>
        <listitem>
-          <para>MARK or CLASSIFY - MARK specifies the mark value is to be
+          <para>ACTION - ACTION (previously called MARK) specifies the mark
-          assigned in case of a match. This is an integer in the range 1-255
+          value is to be assigned in case of a match. This is an integer in
-          (1-16383 if you set WIDE_TC_MARKS=Yes or TC_BITS=14 in <ulink
+          the range 1-255 (1-16383 if you set WIDE_TC_MARKS=Yes or TC_BITS=14
-          url="manpages/shorewall.conf.html">shorewall.conf</ulink> (5)
+          in <ulink url="manpages/shorewall.conf.html">shorewall.conf</ulink>
-          ).</para>
+          (5) ).</para>
          <note>
            <para>In Shorewall 4.4.26, WIDE_TC_MARKS was superseded by TC_BITS
@@ -998,7 +998,7 @@ ppp0           6000kbit         500kbit</programlisting>
              MAC addresses. <emphasis role="bold">This form will not match
              traffic that originates on the firewall itself unless either
              &lt;major&gt;&lt;minor&gt; or the :T chain qualifier is used in
-              the MARK column.</emphasis></para>
+              the ACTION column.</emphasis></para>
              <para>Examples:<simplelist>
                  <member>0.0.0.0/0</member>
@@ -1020,7 +1020,7 @@ ppp0           6000kbit         500kbit</programlisting>
              <para>$FW optionally followed by a colon (":") and a
              comma-separated list of host or network IP addresses. matches
              packets originating on the firewall. May not be used with a
-              chain qualifier (:P, :F, etc.) in the MARK column.</para>
+              chain qualifier (:P, :F, etc.) in the ACTION column.</para>
            </listitem>
          </orderedlist>
@@ -1177,13 +1177,13 @@ ppp0           6000kbit         500kbit</programlisting>
      </itemizedlist>
      <example id="Example1">
-        <title></title>
+        <title/>
        <para>All packets arriving on eth1 should be marked with 1. All
        packets arriving on eth2 and eth3 should be marked with 2. All packets
        originating on the firewall itself should be marked with 3.</para>
-        <programlisting>#MARK   SOURCE    DESTINATION    PROTOCOL   PORT(S)
+        <programlisting>#ACTION SOURCE    DESTINATION    PROTOCOL   PORT(S)
 1       eth1      0.0.0.0/0      all
 2       eth2      0.0.0.0/0      all
 2       eth3      0.0.0.0/0      all
@@ -1191,40 +1191,40 @@ ppp0           6000kbit         500kbit</programlisting>
      </example>
      <example id="Example2">
-        <title></title>
+        <title/>
        <para>All GRE (protocol 47) packets destined for 155.186.235.151
        should be marked with 12.</para>
-        <programlisting>#MARK   SOURCE    DESTINATION     PROTOCOL   PORT(S)
+        <programlisting>#ACTION SOURCE    DESTINATION     PROTOCOL   PORT(S)
 12:T    0.0.0.0/0 155.182.235.151 47</programlisting>
      </example>
      <example id="Example3">
-        <title></title>
+        <title/>
        <para>All SSH request packets originating in 192.168.1.0/24 and
        destined for 155.186.235.151 should be marked with 22.</para>
-        <programlisting>#MARK   SOURCE         DESTINATION     PROTOCOL   PORT(S)
+        <programlisting>#ACTION SOURCE         DESTINATION     PROTOCOL   PORT(S)
 22:T    192.168.1.0/24 155.182.235.151 tcp        22</programlisting>
      </example>
      <example id="Example4">
-        <title></title>
+        <title/>
        <para>All SSH packets packets going out of the first device in in
        /etc/shorewall/tcdevices should be assigned to the class with mark
        value 10.</para>
-        <programlisting>#MARK   SOURCE         DESTINATION     PROTOCOL   PORT(S)         CLIENT
+        <programlisting>#ACTION SOURCE         DESTINATION     PROTOCOL   PORT(S)         CLIENT
 #                                                                 PORT(S)
 1:110   0.0.0.0/0      0.0.0.0/0       tcp        22
 1:110   0.0.0.0/0      0.0.0.0/0       tcp        -               22</programlisting>
      </example>
      <example id="Example5">
-        <title></title>
+        <title/>
        <para>Mark all ICMP echo traffic with packet mark 1. Mark all peer to
        peer traffic with packet mark 4.</para>
@@ -1236,7 +1236,7 @@ ppp0           6000kbit         500kbit</programlisting>
        means unclassified. Traffic originating on the firewall is not covered
        by this example.</para>
-        <programlisting>#MARK    SOURCE         DESTINATION     PROTOCOL   PORT(S)       CLIENT   USER/     TEST
+        <programlisting>#ACTION  SOURCE         DESTINATION     PROTOCOL   PORT(S)       CLIENT   USER/     TEST
 #                                                                PORT(S)  GROUP
 1        0.0.0.0/0      0.0.0.0/0       icmp       echo-request
 1        0.0.0.0/0      0.0.0.0/0       icmp       echo-reply
@@ -1257,13 +1257,13 @@ SAVE     0.0.0.0/0      0.0.0.0/0       all        -             -        -
      </example>
      <example>
-        <title></title>
+        <title/>
        <para>Mark all forwarded VOIP connections with connection mark 1 and
        ensure that all VOIP packets also receive that mark (assumes that
        nf_conntrack_sip is loaded).</para>
-        <programlisting>#MARK    SOURCE         DESTINATION     PROTOCOL   PORT(S)       CLIENT   USER/     TEST      CONNBYTES      TOS      HELPER
+        <programlisting>#ACTION  SOURCE         DESTINATION     PROTOCOL   PORT(S)       CLIENT   USER/     TEST      CONNBYTES      TOS      HELPER
 #                                                                PORT(S)  GROUP
 RESTORE  0.0.0.0/0      0.0.0.0/0       all        -             -        -         0
 CONTINUE 0.0.0.0/0      0.0.0.0/0       all        -             -        -         !0
@@ -1508,8 +1508,8 @@ eth0:101     - 1kbit 230kbit        4    occurs=6</programlisting>
      <para><filename>/etc/shoreall/tcrules</filename>:</para>
-      <programlisting>#MARK                      SOURCE         DEST
+      <programlisting>#ACTION                          SOURCE             DEST
-IPMARK(src,0xff,0x10100):F 192.168.1.0/29 eth0</programlisting>
+IPMARK(src,0xff,0x10100):F       192.168.1.0/29     eth0</programlisting>
      <para>This facility also alters the way in which Shorewall generates a
      class number when none is given. Prior to the implementation of this
@@ -1568,7 +1568,7 @@ ppp0            3       2*full/10       8*full/10       2</programlisting>
        <section id="realtcr">
          <title>tcrules file</title>
-          <programlisting>#MARK           SOURCE          DEST            PROTO   PORT(S) CLIENT   USER
+          <programlisting>#ACTION         SOURCE          DEST            PROTO   PORT(S) CLIENT   USER
 #                                                              PORT(S)
 1:F             0.0.0.0/0       0.0.0.0/0       icmp    echo-request
 1:F             0.0.0.0/0       0.0.0.0/0       icmp    echo-reply
@@ -1652,7 +1652,7 @@ ppp0            4       90kbit          200kbit         3           default</pro
        <section id="simpletcr">
          <title>tcrules file</title>
-          <programlisting>#MARK           SOURCE          DEST            PROTO   PORT(S)      CLIENT   USER
+          <programlisting>#ACTION         SOURCE          DEST            PROTO   PORT(S)      CLIENT   USER
 #                                                                    PORT(S)
 1:F             0.0.0.0/0       0.0.0.0/0       icmp    echo-request
 1:F             0.0.0.0/0       0.0.0.0/0       icmp    echo-reply