Correct configure and configure.pl to output SPARSE

Signed-off-by: Tom Eastep <teastep@shorewall.net>
Fix interface_is_usable()
2012-05-15 11:32:35 -07:00 · 2012-05-15 06:50:49 -07:00 · 2012-05-13 13:56:48 -07:00 · 2012-05-13 12:29:01 -07:00 · 2012-05-12 07:45:55 -07:00 · 2012-05-12 07:45:32 -07:00
163 changed files with 6215 additions and 3588 deletions
--- a/Shorewall-core/configure
+++ b/Shorewall-core/configure
@@ -0,0 +1,190 @@
+#!/bin/bash
+#
+#     Shorewall Packet Filtering Firewall RPM configuration program - V4.5
+#
+#     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
+#
+#     (c) 2012 - Tom Eastep (teastep@shorewall.net)
+#
+#	Shorewall documentation is available at http://www.shorewall.net
+#
+#	This program is free software; you can redistribute it and/or modify
+#	it under the terms of Version 2 of the GNU General Public License
+#	as published by the Free Software Foundation.
+#
+#	This program is distributed in the hope that it will be useful,
+#	but WITHOUT ANY WARRANTY; without even the implied warranty of
+#	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+#	GNU General Public License for more details.
+#
+#	You should have received a copy of the GNU General Public License
+#	along with this program; if not, write to the Free Software
+#	Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+#       Usage: ./configure [ <option>=<setting> ] ...
+#
+#
+################################################################################################
+#
+# Build updates this
+#
+VERSION=4.5.2.1
+
+case "$BASH_VERSION" in
+    [4-9].*)
+	;;
+    *)
+	echo "ERROR: This program requires Bash 4.0 or later" >&2
+	exit 1
+	;;
+esac
+
+declare -A params
+declare -A options
+
+getfileparams() {
+    while read option; do
+	case $option in
+	    \#*)
+		;;
+	    *)
+		on=${option%=*}
+		ov=${option#*=}
+		ov=${ov%#*}
+		[ -n "$on" ] && options[${on}]="${ov}"
+		;;
+	esac
+
+    done
+
+    return 0
+}
+
+for p in $@; do
+
+    if [ -n "${p}" ]; then
+	declare -u pn
+
+	pn=${p%=*}
+	pn=${pn#--}
+	pv=${p#*=}
+
+	if [ -n "${pn}" ]; then
+
+	    case ${pn} in
+		VENDOR)
+		    pn=HOST
+		    ;;
+		SHAREDSTATEDIR)
+		    pn=VARDIR
+		    ;;
+		DATADIR)
+		    pn=SHAREDIR
+		    ;;
+		SYSCONFDIR)
+		    pn=CONFDIR
+		    ;;
+	    esac
+
+	    params[${pn}]="${pv}"
+	else
+	    echo "ERROR: Invalid option ($p)" >&2
+	    exit 1
+	fi
+    fi
+done
+
+vendor=${params[HOST]}
+
+if [ -z "$vendor" ]; then
+    case `uname` in
+	Darwin)
+	    $params[HOST]=apple
+	    rcfile=shorewallrc.apple
+	    ;;
+
+	cygwin*)
+	    $params[HOST]=cygwin
+	    rcfile=shorewallrc.cygwin
+	    ;;
+	*)
+	    if [ -f /etc/debian_version ]; then
+		params[HOST]=debian
+		rcfile=shorewallrc.debian
+	    elif [ -f /etc/redhat-release ]; then
+		params[HOST]=redhat
+		rcfile=shorewallrc.redhat
+	    elif [ -f /etc/slackware-version ] ; then
+		params[HOST]=slackware
+		rcfile=shorewallrc.slackware
+	    elif [ -f /etc/SuSE-release ]; then
+		params[HOST]=suse
+		rcfile=shorewallrc.suse
+	    elif [ -f /etc/arch-release ] ; then
+		params[HOST]=archlinux
+		rcfile=shorewallrc.archlinux
+	    else
+		params[HOST]=linux
+		rcfile=shorewallrc.default
+	    fi
+	    ;;
+    esac
+
+    vendor=${params[HOST]}
+elif [ $vendor = linux ]; then
+    rcfile=$shorewallrc.default;
+else
+    rcfile=shorewallrc.$vendor
+    if [ ! -f $rcfile ]; then
+	echo "ERROR: $vendor is not a recognized host type" >&2
+	exit 1
+    fi
+fi
+
+if [ $vendor = linux ]; then
+    echo "INFO: Creating a generic Linux installation - " `date`;
+else
+    echo "INFO: Creating a ${vendor}-specific installation - " `date`;
+fi
+
+echo
+
+getfileparams < $rcfile || exit 1
+
+for p in ${!params[@]}; do
+    options[${p}]="${params[${p}]}"
+done
+
+echo '#'                                                                 > shorewallrc
+echo "# Created by Shorewall Core version $VERSION configure - " `date` >> shorewallrc
+echo '#'                                                                >> shorewallrc
+
+if [ $# -gt 0 ]; then
+    echo "# Input: $@" >> shorewallrc
+    echo '#'           >> shorewallrc
+fi
+
+for on in \
+    HOST \
+    PREFIX \
+    SHAREDIR \
+    LIBEXECDIR \
+    PERLLIBDIR \
+    CONFDIR \
+    SBINDIR \
+    MANDIR \
+    INITDIR \
+    INITSOURCE \
+    INITFILE \
+    AUXINITSOURCE \
+    AUXINITFILE \
+    SYSTEMD \
+    SYSCONFFILE \
+    SYSCONFDIR \
+    SPARSE \
+    ANNOTATED \
+    VARDIR
+do
+    echo "$on=${options[${on}]}"
+    echo "$on=${options[${on}]}" >> shorewallrc
+done
--- a/Shorewall-core/configure.pl
+++ b/Shorewall-core/configure.pl
@@ -0,0 +1,155 @@
+#! /usr/bin/perl -w
+#
+#     Shorewall Packet Filtering Firewall RPM configuration program - V4.5
+#
+#     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
+#
+#     (c) 2012 - Tom Eastep (teastep@shorewall.net)
+#
+#	Shorewall documentation is available at http://www.shorewall.net
+#
+#	This program is free software; you can redistribute it and/or modify
+#	it under the terms of Version 2 of the GNU General Public License
+#	as published by the Free Software Foundation.
+#
+#	This program is distributed in the hope that it will be useful,
+#	but WITHOUT ANY WARRANTY; without even the implied warranty of
+#	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+#	GNU General Public License for more details.
+#
+#	You should have received a copy of the GNU General Public License
+#	along with this program; if not, write to the Free Software
+#	Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+#       Usage: ./configure.pl <option>=<setting> ...
+#
+#
+################################################################################################
+use strict;
+
+#
+# Build updates this
+#
+use constant {
+    VERSION => '4.5.2.1'
+};
+
+my %params;
+my %options;
+
+my %aliases = ( VENDOR         => 'HOST',
+		SHAREDSTATEDIR => 'VARDIR',
+		DATADIR        => 'SHAREDIR',
+		SYSCONFDIR     => 'CONFDIR' );
+
+for ( @ARGV ) {
+    die "ERROR: Invalid option specification ( $_ )" unless /^(?:--)?(\w+)=(.*)$/;
+
+    my $pn = uc $1;
+    my $pv = $2 || '';
+
+    $pn = $aliases{$pn} if exists $aliases{$pn};
+
+    $params{$pn} = $pv;
+}
+
+my $vendor = $params{HOST};
+my $rcfile;
+my $rcfilename;
+
+if ( defined $vendor ) {
+    $rcfilename = $vendor eq 'linux' ? 'shorewallrc.default' : 'shorewallrc.' . $vendor;
+    die qq("ERROR: $vendor" is not a recognized host type) unless -f $rcfilename;
+} else {
+    if ( -f '/etc/debian_version' ) {
+	$vendor = 'debian';
+	$rcfilename = 'shorewallrc.debian';
+    } elsif ( -f '/etc/redhat-release' ){
+	$vendor = 'redhat';
+	$rcfilename = 'shorewallrc.redhat';
+    } elsif ( -f '/etc/slackware-version' ) {
+	$vendor = 'slackware';
+	$rcfilename = 'shorewallrc.slackware';
+    } elsif ( -f '/etc/SuSE-release' ) {
+	$vendor = 'suse';
+	$rcfilename = 'shorewallrc.suse';
+    } elsif ( -f '/etc/arch-release' ) {
+	$vendor = 'archlinux';
+	$rcfilename = 'shorewallrc.archlinux';
+    } elsif ( `uname` =~ '^Darwin' ) {
+	$vendor = 'apple';
+	$rcfilename = 'shorewallrc.apple';
+    } elsif ( `uname` =~ '^Cygwin' ) {
+	$vendor = 'cygwin';
+	$rcfilename = 'shorewallrc.cygwin';
+    } else {
+	$vendor = 'linux';
+	$rcfilename = 'shorewallrc.default';
+    }
+
+    $params{HOST} = $vendor;
+}
+
+my @localtime = localtime;
+my @abbr = qw( Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec );
+
+if ( $vendor eq 'linux' ) {
+    printf "INFO: Creating a generic Linux installation - %s %2d %04d %02d:%02d:%02d\n\n", $abbr[$localtime[4]], $localtime[3], 1900 + $localtime[5] , @localtime[2,1,0];;
+} else {
+    printf "INFO: Creating a %s-specific installation - %s %2d %04d %02d:%02d:%02d\n\n", $vendor, $abbr[$localtime[4]], $localtime[3], 1900 + $localtime[5] , @localtime[2,1,0];;
+}
+
+open $rcfile, '<', $rcfilename or die "Unable to open $rcfilename for input: $!";
+
+while ( <$rcfile> ) {
+    s/\s*#.*//;
+    unless ( /^\s*$/ ) {
+	chomp;
+	die "ERROR: Invalid entry ($_) in $rcfilename, line $." unless /\s*(\w+)=(.*)/;
+	$options{$1} = $2;
+    }
+}
+
+close $rcfile;
+
+while ( my ( $p, $v ) = each %params ) {
+    $options{$p} = ${v};
+}
+
+my $outfile;
+
+open $outfile, '>', 'shorewallrc' or die "Can't open 'shorewallrc' for output: $!";
+
+printf $outfile "#\n# Created by Shorewall Core version %s configure.pl - %s %2d %04d %02d:%02d:%02d\n#\n", VERSION, $abbr[$localtime[4]], $localtime[3], 1900 + $localtime[5] , @localtime[2,1,0];
+
+print  $outfile "# Input: @ARGV\n#\n" if @ARGV;
+
+for ( qw/ HOST
+	  PREFIX
+	  SHAREDIR
+	  LIBEXECDIR
+	  PERLLIBDIR
+	  CONFDIR
+	  SBINDIR
+	  MANDIR
+	  INITDIR
+	  INITSOURCE
+	  INITFILE
+	  AUXINITSOURCE
+	  AUXINITFILE
+	  SYSTEMD
+	  SYSCONFFILE
+	  SYSCONFDIR
+	  SPARSE
+	  ANNOTATED
+	  VARDIR / ) {
+
+    my $val = $options{$_} || '';
+
+    print          "$_=$val\n";
+    print $outfile "$_=$val\n";
+}
+
+close $outfile;
+
+1;
--- a/Shorewall-core/init.slackware.firewall.sh
+++ b/Shorewall-core/init.slackware.firewall.sh
--- a/Shorewall-core/install.sh
+++ b/Shorewall-core/install.sh
@@ -27,12 +27,18 @@ VERSION=xxx #The Build script inserts the actual version
 usage() # $1 = exit status
 {
    ME=$(basename $0)
-    echo "usage: $ME"
+    echo "usage: $ME [ <configuration-file> ] "
    echo "       $ME -v"
    echo "       $ME -h"
    exit $1
 }

+fatal_error()
+{
+    echo "   ERROR: $@" >&2
+    exit 1
+}
+
 split() {
    local ifs
    ifs=$IFS
@@ -85,43 +91,87 @@ install_file() # $1 = source $2 = target $3 = mode
    run_install $T $OWNERSHIP -m $3 $1 ${2}
 }

+require()
+{
+    eval [ -n "\$$1" ] || fatal_error "Required option $1 not set"
+}
+
 cd "$(dirname $0)"

-#
-# Load packager's settings if any
-#
-[ -f ../shorewall-pkg.config ] && . ../shorewall-pkg.config
-
-[ -n "$DESTDIR" ] || DESTDIR="$PREFIX"
-
 #
 # Parse the run line
 #
-# ARGS is "yes" if we've already parsed an argument
+finished=0
+
+while [ $finished -eq 0 ]; do
+    option=$1
+
+    case "$option" in
+	-*)
+	    option=${option#-}
+
+	    while [ -n "$option" ]; do
+		case $option in
+		    h)
+			usage 0
+			;;
+		    v)
+			echo "Shorewall Firewall Installer Version $VERSION"
+			exit 0
+			;;
+		    *)
+			usage 1
+			;;
+		esac
+	    done
+
+	    shift
+	    ;;
+	*)
+	    finished=1
+	    ;;
+    esac
+done
+
 #
+# Read the RC file
+#
+if [ $# -eq 0 ]; then
+    if [ -f ./shorewallrc ]; then
+	. ./shorewallrc
+	file=./shorewallrc
+    elif [ -f ~/.shorewallrc ]; then
+	. ~/.shorewallrc || exit 1
+	file=~/.shorewallrc
+    elif [ -f /usr/share/shorewall/shorewallrc ]; then
+	. /usr/share/shorewall/shorewallrc
+	file=/usr/share/shorewall/shorewallrc
+    else
+	fatal_error "No configuration file specified and /usr/share/shorewall/shorewallrc not found"
+    fi
+elif [ $# -eq 1 ]; then
+    file=$1
+    case $file in
+	/*|.*)
+	    ;;
+	*)
+	    file=./$file || exit 1
+	    ;;
+    esac
+
+    . $file
+else
+    usage 1
+fi
+
+for var in SHAREDIR LIBEXECDIR PERLLIBDIR CONFDIR SBINDIR VARDIR; do
+    require $var
+done
+
+[ "${INITFILE}" != 'none/' ] && require INITSOURCE && require INITDIR
+
 T="-T"

-[ -n "${LIBEXEC:=/usr/share}" ]
-[ -n "${PERLLIB:=/usr/share/shorewall}" ]
-
-case "$LIBEXEC" in
-    /*)
-	;;
-    *)
-	echo "The LIBEXEC setting must be an absolute path name" >&2
-	exit 1
-	;;
-esac
-
-case "$PERLLIB" in
-    /*)
-	;;
-    *)
-	echo "The PERLLIB setting must be an absolute path name" >&2
-	exit 1
-	;;
-esac
-
 INSTALLD='-D'

 if [ -z "$BUILD" ]; then
@@ -180,41 +230,6 @@ esac

 OWNERSHIP="-o $OWNER -g $GROUP"

-finished=0
-
-while [ $finished -eq 0 ]; do
-    option=$1
-
-    case "$option" in
-	-*)
-	    option=${option#-}
-	    
-	    while [ -n "$option" ]; do
-		case $option in
-		    h)
-			usage 0
-			;;
-		    v)
-			echo "Shorewall Firewall Installer Version $VERSION"
-			exit 0
-			;;
-		    *)
-			usage 1
-			;;
-		esac
-	    done
-
-	    shift
-	    ;;
-	*)
-	    [ -n "$option" ] && usage 1
-	    finished=1
-	    ;;
-    esac
-done
-
-PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
-
 #
 # Determine where to install the firewall script
 #
@@ -236,6 +251,23 @@ case "$HOST" in
 	;;
 esac

+if [ -z "$file" ]; then
+    if $HOST = linux; then
+	file=shorewallrc.default
+    else
+	file=shorewallrc.${HOST}
+    fi
+
+    echo "You have not specified a configuration file and ~/.shorewallrc does not exist" >&2
+    echo "Shorewall-core $VERSION has determined that the $file configuration is appropriate for your system" >&2
+    echo "Please review the settings in that file. If you wish to change them, make a copy and modify the copy" >&2
+    echo "Then re-run install.sh passing either $file or the name of your modified copy" >&2
+    echo "" >&2
+    echo "Example:" >&2
+    echo "" >&2
+    echo "   ./install.sh $file" &>2
+fi
+
 if [ -n "$DESTDIR" ]; then
    if [ $BUILD != cygwin ]; then
 	if [ `id -u` != 0 ] ; then
@@ -245,56 +277,88 @@ if [ -n "$DESTDIR" ]; then
    fi
 fi

-#
-# Change to the directory containing this script
-#
-cd "$(dirname $0)"
-
 echo "Installing Shorewall Core Version $VERSION"

 #
-# Create /usr/share/shorewall
+# Create directories
 #
-mkdir -p ${DESTDIR}${LIBEXEC}/shorewall
-chmod 755 ${DESTDIR}${LIBEXEC}/shorewall
+mkdir -p ${DESTDIR}${LIBEXECDIR}/shorewall
+chmod 755 ${DESTDIR}${LIBEXECDIR}/shorewall

-if [ $LIBEXEC != /usr/shorewall/ ]; then
-    mkdir -p ${DESTDIR}/usr/share/shorewall
-    chmod 755 ${DESTDIR}/usr/share/shorewall
+mkdir -p ${DESTDIR}${SHAREDIR}/shorewall
+chmod 755 ${DESTDIR}${SHAREDIR}/shorewall
+
+mkdir -p ${DESTDIR}${CONFDIR}
+chmod 755 ${DESTDIR}${CONFDIR}
+
+if [ -n "${SYSCONFDIR}" ]; then
+    mkdir -p ${DESTDIR}${SYSCONFDIR}
+    chmod 755 ${DESTDIR}${SYSCONFDIR}
 fi
+
+if [ -n "${SYSTEMD}" ]; then
+    mkdir -p ${DESTDIR}${SYSTEMD}
+    chmod 755 ${DESTDIR}${SYSTEMD}
+fi
+
+mkdir -p ${DESTDIR}${SBINDIR}
+chmod 755 ${DESTDIR}${SBINDIR}
+
+mkdir -p ${DESTDIR}${MANDIR}
+chmod 755 ${DESTDIR}${MANDIR}
+
+if [ -n "${INITFILE}" ]; then
+    mkdir -p ${DESTDIR}${INITDIR}
+    chmod 755 ${DESTDIR}${INITDIR}
+
+    if [ -n "$AUXINITSOURCE" -a -f "$AUXINITSOURCE" ]; then
+	install_file $AUXINITSOURCE ${DESTDIR}${INITDIR}/$AUXINITFILE 0544
+	[ "${SHAREDIR}" = /usr/share ] || eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${INITDIR}/$AUXINITFILE
+	echo  "$Product script installed in ${DESTDIR}${INITDIR}/$AUXINITFILE"
+    fi
+fi
+#
+# Note: ${VARDIR} is created at run-time since it has always been
+#       a relocatable directory on a per-product basis
 #
 # Install wait4ifup
 #
-install_file wait4ifup ${DESTDIR}${LIBEXEC}/shorewall/wait4ifup 0755
+install_file wait4ifup ${DESTDIR}${LIBEXECDIR}/shorewall/wait4ifup 0755

 echo
-echo "wait4ifup installed in ${DESTDIR}${LIBEXEC}/shorewall/wait4ifup"
+echo "wait4ifup installed in ${DESTDIR}${LIBEXECDIR}/shorewall/wait4ifup"

 #
 # Install the libraries
 #
 for f in lib.* ; do
-    install_file $f ${DESTDIR}/usr/share/shorewall/$f 0644
-    echo "Library ${f#*.} file installed as ${DESTDIR}/usr/share/shorewall/$f"
+    install_file $f ${DESTDIR}${SHAREDIR}/shorewall/$f 0644
+    echo "Library ${f#*.} file installed as ${DESTDIR}${SHAREDIR}/shorewall/$f"
 done

-if [ $BUILD != apple ]; then
-    eval sed -i \'s\|g_libexec=.\*\|g_libexec=$LIBEXEC\|\' ${DESTDIR}/usr/share/shorewall/lib.cli
-    eval sed -i \'s\|g_perllib=.\*\|g_perllib=$PERLLIB\|\' ${DESTDIR}/usr/share/shorewall/lib.cli
-else
-    eval sed -i \'\' -e \'s\|g_libexec=.\*\|g_libexec=$LIBEXEC\|\' ${DESTDIR}/usr/share/shorewall/lib.cli
-    eval sed -i \'\' -e \'s\|g_perllib=.\*\|g_perllib=$PERLLIB\|\' ${DESTDIR}/usr/share/shorewall/lib.cli
-fi
-
 #
 # Symbolically link 'functions' to lib.base
 #
-ln -sf lib.base ${DESTDIR}/usr/share/shorewall/functions
+ln -sf lib.base ${DESTDIR}${SHAREDIR}/shorewall/functions
 #
 # Create the version file
 #
-echo "$VERSION" > ${DESTDIR}/usr/share/shorewall/coreversion
-chmod 644 ${DESTDIR}/usr/share/shorewall/coreversion
+echo "$VERSION" > ${DESTDIR}${SHAREDIR}/shorewall/coreversion
+chmod 644 ${DESTDIR}${SHAREDIR}/shorewall/coreversion
+
+[ $file != "${SHAREDIR}/shorewall/shorewallrc" ] && cp $file ${DESTDIR}${SHAREDIR}/shorewall/shorewallrc
+
+[ -z "${DESTDIR}" ] && [ ! -f ~/.shorewallrc ] && cp ${SHAREDIR}/shorewall/shorewallrc ~/.shorewallrc
+
+if [ ${SHAREDIR} != /usr/share ]; then
+    for f in lib.*; do
+	if [ $BUILD != apple ]; then
+	    eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}/${SHAREDIR}/shorewall/$f
+	else
+	    eval sed -i \'\' -e \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}/${SHAREDIR}/shorewall/$f
+	fi
+    done
+fi
 #
 #  Report Success
 #
--- a/Shorewall-core/lib.base
+++ b/Shorewall-core/lib.base
@@ -27,50 +27,57 @@
 #   and /usr/share/shorewall[6]-lite/shorecap.
 #

-SHOREWALL_LIBVERSION=40500
-SHOREWALL_CAPVERSION=40501
+SHOREWALL_LIBVERSION=40502
+SHOREWALL_CAPVERSION=40502

 [ -n "${g_program:=shorewall}" ]

+if [ -z "$g_readrc" ]; then
+    #
+    # This is modified by the installer when ${SHAREDIR} != /usr/share
+    #
+    . /usr/share/shorewall/shorewallrc
+
+    g_libexec="$LIBEXECDIR"
+    g_sharedir="$SHAREDIR"/$g_program
+    g_sbindir="$SBINDIR"
+    g_perllib="$PERLLIBDIR"
+    g_vardir="$VARDIR"
+    g_confdir="$CONFDIR"/$g_program
+    g_readrc=1
+fi
+
+g_basedir=${SHAREDIR}/shorewall
+
 case $g_program in
    shorewall)
-	SHAREDIR=/usr/share/shorewall
-	CONFDIR=/etc/shorewall
 	g_product="Shorewall"
 	g_family=4
 	g_tool=
-	g_basedir=/usr/share/shorewall
 	g_lite=
 	;;
    shorewall6)
-	SHAREDIR=/usr/share/shorewall6
-	CONFDIR=/etc/shorewall6
 	g_product="Shorewall6"
 	g_family=6
 	g_tool=
-	g_basedir=/usr/share/shorewall
 	g_lite=
 	;;
    shorewall-lite)
-	SHAREDIR=/usr/share/shorewall-lite
-	CONFDIR=/etc/shorewall-lite
 	g_product="Shorewall Lite"
 	g_family=4
 	g_tool=iptables
-	g_basedir=/usr/share/shorewall-lite
 	g_lite=Yes
 	;;
    shorewall6-lite)
-	SHAREDIR=/usr/share/shorewall6-lite
-	CONFDIR=/etc/shorewall6-lite
 	g_product="Shorewall6 Lite"
 	g_family=6
 	g_tool=ip6tables
-	g_basedir=/usr/share/shorewall6-lite
 	g_lite=Yes
 	;;
 esac

+VARDIR=${VARDIR}/${g_program}
+
 #
 # Conditionally produce message
 #
@@ -186,7 +193,7 @@ mutex_off()
    rm -f ${LOCKFILE:=${VARDIR}/lock}
 }

-[ -z "$LEFTSHIFT" ] && . /usr/share/shorewall/lib.common
+[ -z "$LEFTSHIFT" ] && . ${g_basedir}/lib.common

 #
 # Validate an IP address
@@ -344,7 +351,7 @@ ip_vlsm() {
 #
 ensure_config_path() {
    local F
-    F=${SHAREDIR}/configpath
+    F=${g_sharedir}/configpath
    if [ -z "$CONFIG_PATH" ]; then
 	[ -f $F ] || { echo "   ERROR: $F does not exist"; exit 2; }
 	. $F
@@ -455,14 +462,14 @@ mktempfile() {
    else
 	case "$MKTEMP" in
 	    BSD)
-		mktemp /tmp/shorewall.XXXXXX
+		mktemp ${TMPDIR:-/tmp}/shorewall.XXXXXX
 		;;
 	    STD)
 		mktemp -t shorewall.XXXXXX
 		;;
 	    None)
-		rm -f /tmp/shorewall-$$
-		> /tmp/shorewall-$$ && echo /tmp/shorewall-$$
+		rm -f ${TMPDIR:-/tmp}/shorewall-$$
+		> ${TMPDIR:-}/shorewall-$$ && echo ${TMPDIR:-/tmp}/shorewall-$$
 		;;
 	    *)
 		error_message "ERROR:Internal error in mktempfile"
--- a/Shorewall-core/lib.cli
+++ b/Shorewall-core/lib.cli
@@ -23,7 +23,25 @@
 # This library contains the command processing code common to /sbin/shorewall[6] and
 # /sbin/shorewall[6]-lite.
 #
-. /usr/share/shorewall/lib.base
+
+if [ -z "$g_readrc" ]; then
+    #
+    # This is modified by the installer when ${SHAREDIR} <> /usr/share
+    #
+    . /usr/share/shorewall/shorewallrc
+
+    g_libexec="$LIBEXECDIR"
+    g_sharedir="$SHAREDIR"/$g_program
+    g_sbindir="$SBINDIR"
+    g_perllib="$PERLLIBDIR"
+    g_vardir="$VARDIR"
+    g_confdir="$CONFDIR"/$g_program
+    g_readrc=1
+fi
+
+. ${SHAREDIR}/shorewall/lib.base
+
+
 #
 # Fatal Error
 #
@@ -438,16 +456,28 @@ sort_routes() {
    done | sort -r | while read dest rest; do echo $rest; done
 }

+#
+# Isolate the table in the routing rules being read from stdin.
+# Piping through sed to remove trailing whitespace works around
+# recent 'features' in dash and ip.
+#
+find_tables() {
+    sed -r 's/[[:space:]]+$//' | while read rule; do
+	echo ${rule##* }
+    done
+}
+
 #
 # Show routing configuration
 #
 show_routing() {
+    local rule
+    local table
+
    if [ -n "$(ip -$g_family rule list)" ]; then
 	heading "Routing Rules"
 	ip -$g_family rule list
-	ip -$g_family rule list | while read rule; do
-	    echo ${rule##* }
-	done | sort -u | while read table; do
+	ip -$g_family rule list | find_tables | sort -u | while read table; do
 	    heading "Table $table:"
 	    if [ $g_family -eq 6 ]; then
 		ip -$g_family -o route list table $table | fgrep -v cache
@@ -543,11 +573,11 @@ version_command() {
    [ $# -gt 0 ] && usage 1

    if [ -n "$all" ]; then
-	echo "shorewall-core: $(cat /usr/share/shorewall/coreversion)"
+	echo "shorewall-core: $(cat $g_sharedir/coreversion)"

 	for product in shorewall shorewall6 shorewall-lite shorewall6-lite shorewall-init; do
-	    if [ -f /usr/share/$product/version ]; then
-		echo "$product: $(cat /usr/share/$product/version)"
+	    if [ -f ${SHAREDIR}/$product/version ]; then
+		echo "$product: $(cat ${SHAREDIR}/$product/version)"
 	    fi
 	done
    else
@@ -837,16 +867,20 @@ show_command() {
 	    show_routing
 	    ;;
 	config)
-	    . ${SHAREDIR}/configpath
+	    . ${g_sharedir}/configpath
 	    if [ -n "$g_filemode" ]; then
 		echo "CONFIG_PATH=$CONFIG_PATH"
 		echo "VARDIR=$VARDIR"
 		echo "LIBEXEC=$g_libexec"
-		[ -n "$g_lite" ] && ${VARDIR} ne /var/lib/$program && echo "LITEDIR=${VARDIR}"
+		echo "SBINDIR=$g_sbindir"
+		echo "CONFDIR=${CONFDIR}"
+		[ -n "$g_lite" ] && [ ${VARDIR} != /var/lib/$g_program ] && echo "LITEDIR=${VARDIR}"
 	    else
 		echo "Default CONFIG_PATH is $CONFIG_PATH"
 		echo "Default VARDIR is /var/lib/$g_program"
 		echo "LIBEXEC is $g_libexec"
+		echo "SBINDIR is $g_sbindir"
+		echo "CONFDIR is ${CONFDIR}"
 		[ -n "$g_lite" ] && [ ${VARDIR} != /var/lib/$g_program ] && echo "LITEDIR is ${VARDIR}"
 	    fi
 	    ;;
@@ -907,10 +941,10 @@ show_command() {
 			    echo "forwardUPnP         # Allow traffic that upnpd has redirected from"
 			    echo "rejNotSyn           # Silently Reject Non-syn TCP packets"

-			    if [ -f ${CONFDIR}/actions ]; then
-				cat ${SHAREDIR}/actions.std ${CONFDIR}/actions | grep -Ev '^\#|^$'
+			    if [ -f ${g_confdir}/actions ]; then
+				cat ${g_sharedir}/actions.std ${g_confdir}/actions | grep -Ev '^\#|^$'
 			    else
-				grep -Ev '^\#|^$' ${SHAREDIR}/actions.std
+				grep -Ev '^\#|^$' ${g_sharedir}/actions.std
 			    fi

 			    return
@@ -1108,8 +1142,8 @@ do_dump_command() {
    echo "$g_product $SHOREWALL_VERSION Dump at $g_hostname - $(date)"
    echo

-    if [ $g_family -eq 6 ] && [ -f /usr/share/shorewall/version ]; then
-	echo "   Shorewall $(cat /usr/share/shorewall/version)"
+    if [ $g_family -eq 6 ] && [ -f ${SHAREDIR}/shorewall/version ]; then
+	echo "   Shorewall $(cat ${SHAREDIR}/shorewall/version)"
 	echo
    fi
    show_status
@@ -1908,6 +1942,7 @@ determine_capabilities() {
    IPRANGE_MATCH=
    RECENT_MATCH=
    OWNER_MATCH=
+    OWNER_NAME_MATCH=
    IPSET_MATCH=
    OLD_IPSET_MATCH=
    IPSET_V5=
@@ -2046,6 +2081,11 @@ determine_capabilities() {
    qt $g_tool -A $chain -m recent --update -j ACCEPT     && RECENT_MATCH=Yes
    qt $g_tool -A $chain -m owner --uid-owner 0 -j ACCEPT && OWNER_MATCH=Yes

+    local name
+    name=$(id -un 2> /dev/null)
+
+    [ -n "$name" ] && qt $g_tool -A $chain -m owner --uid-owner $name -j ACCEPT && OWNER_NAME_MATCH=Yes
+
    if qt $g_tool -A $chain -m connmark --mark 2  -j ACCEPT; then
 	CONNMARK_MATCH=Yes
 	qt $g_tool -A $chain -m connmark --mark 2/0xFF -j ACCEPT && XCONNMARK_MATCH=Yes
@@ -2209,81 +2249,82 @@ report_capabilities() {

    if [ $VERBOSITY -gt 1 ]; then
 	echo "$g_product has detected the following iptables/netfilter capabilities:"
-	report_capability "NAT" $NAT_ENABLED
-	report_capability "Packet Mangling" $MANGLE_ENABLED
-	report_capability "Multi-port Match" $MULTIPORT
-	[ -n "$MULTIPORT" ] && report_capability "Extended Multi-port Match" $XMULTIPORT
-	report_capability "Connection Tracking Match" $CONNTRACK_MATCH
+	report_capability "NAT (NAT_ENABLED)" $NAT_ENABLED
+	report_capability "Packet Mangling (MANGLE_ENABLED)" $MANGLE_ENABLED
+	report_capability "Multi-port Match (MULTIPORT)" $MULTIPORT
+	[ -n "$MULTIPORT" ] && report_capability "Extended Multi-port Match (XMULIPORT)" $XMULTIPORT
+	report_capability "Connection Tracking Match (CONNTRACK_MATCH)" $CONNTRACK_MATCH
 	if [ -n "$CONNTRACK_MATCH" ]; then
-	    report_capability "Extended Connection Tracking Match Support" $NEW_CONNTRACK_MATCH
-	    [ -n "$OLD_CONNTRACK_MATCH" ] && report_capability "Old Connection Tracking Match Syntax" $OLD_CONNTRACK_MATCH
+	    report_capability "Extended Connection Tracking Match Support (NEW_CONNTRACK_MATCH)" $NEW_CONNTRACK_MATCH
+	    [ -n "$OLD_CONNTRACK_MATCH" ] && report_capability "Old Connection Tracking Match Syntax (OLD_CONNTRACK_MATCH)" $OLD_CONNTRACK_MATCH
 	fi
-	report_capability "Packet Type Match" $USEPKTTYPE
-	report_capability "Policy Match" $POLICY_MATCH
-	report_capability "Physdev Match" $PHYSDEV_MATCH
-	report_capability "Physdev-is-bridged Support" $PHYSDEV_BRIDGE
-	report_capability "Packet length Match" $LENGTH_MATCH
-	report_capability "IP range Match" $IPRANGE_MATCH
-	report_capability "Recent Match" $RECENT_MATCH
-	report_capability "Owner Match" $OWNER_MATCH
+	report_capability "Packet Type Match (USEPKTTYPE)" $USEPKTTYPE
+	report_capability "Policy Match (POLICY_MATCH)" $POLICY_MATCH
+	report_capability "Physdev Match (PHYSDEV_MATCH)" $PHYSDEV_MATCH
+	report_capability "Physdev-is-bridged Support (PHYSDEV_BRIDGE)" $PHYSDEV_BRIDGE
+	report_capability "Packet length Match (LENGTH_MATCH)" $LENGTH_MATCH
+	report_capability "IP range Match(IPRANGE_MATCH)" $IPRANGE_MATCH
+	report_capability "Recent Match (RECENT_MATCH)" $RECENT_MATCH
+	report_capability "Owner Match (OWNER_MATCH)" $OWNER_MATCH
+	report_capability "Owner Name Match (OWNER_NAME_MATCH)" $OWNER_NAME_MATCH
 	if [ -n "$IPSET_MATCH" ]; then
-	    report_capability "Ipset Match" $IPSET_MATCH
-	    [ -n "$OLD_IPSET_MATCH" ] && report_capability "OLD_Ipset Match" $OLD_IPSET_MATCH
+	    report_capability "Ipset Match (IPSET_MATCH)" $IPSET_MATCH
+	    [ -n "$OLD_IPSET_MATCH" ] && report_capability "OLD_Ipset Match (OLD_IPSET_MATCH)" $OLD_IPSET_MATCH
 	fi
-	report_capability "CONNMARK Target" $CONNMARK
-	[ -n "$CONNMARK" ] && report_capability "Extended CONNMARK Target" $XCONNMARK
-	report_capability "Connmark Match" $CONNMARK_MATCH
-	[ -n "$CONNMARK_MATCH" ] && report_capability "Extended Connmark Match" $XCONNMARK_MATCH
-	report_capability "Raw Table" $RAW_TABLE
-	report_capability "Rawpost Table" $RAWPOST_TABLE
-	report_capability "IPP2P Match" $IPP2P_MATCH
-	[ -n "$OLD_IPP2P_MATCH" ] && report_capability "Old IPP2P Match Syntax" $OLD_IPP2P_MATCH
-	report_capability "CLASSIFY Target" $CLASSIFY_TARGET
-	report_capability "Extended REJECT" $ENHANCED_REJECT
-	report_capability "Repeat match" $KLUDGEFREE
-	report_capability "MARK Target" $MARK
-	[ -n "$MARK" ] && report_capability "Extended MARK Target" $XMARK
-	[ -n "$XMARK" ] && report_capability "Extended MARK Target 2" $EXMARK
-	report_capability "Mangle FORWARD Chain" $MANGLE_FORWARD
-	report_capability "Comments" $COMMENTS
-	report_capability "Address Type Match" $ADDRTYPE
-	report_capability "TCPMSS Match" $TCPMSS_MATCH
-	report_capability "Hashlimit Match" $HASHLIMIT_MATCH
-	[ -n "$OLD_HL_MATCH" ] && report_capability "Old Hashlimit Match" $OLD_HL_MATCH
-	report_capability "NFQUEUE Target" $NFQUEUE_TARGET
-	report_capability "Realm Match" $REALM_MATCH
-	report_capability "Helper Match" $HELPER_MATCH
-	report_capability "Connlimit Match" $CONNLIMIT_MATCH
-	report_capability "Time Match" $TIME_MATCH
-	report_capability "Goto Support" $GOTO_TARGET
-	report_capability "LOGMARK Target" $LOGMARK_TARGET
-	report_capability "IPMARK Target" $IPMARK_TARGET
-	report_capability "LOG Target" $LOG_TARGET
-	report_capability "ULOG Target" $ULOG_TARGET
-	report_capability "NFLOG Target" $NFLOG_TARGET
-	report_capability "Persistent SNAT" $PERSISTENT_SNAT
-	report_capability "TPROXY Target" $TPROXY_TARGET
-	report_capability "FLOW Classifier" $FLOW_FILTER
-	report_capability "fwmark route mask" $FWMARK_RT_MASK
-	report_capability "Mark in any table" $MARK_ANYWHERE
-	report_capability "Header Match" $HEADER_MATCH
-        report_capability "ACCOUNT Target" $ACCOUNT_TARGET
-	report_capability "AUDIT Target" $AUDIT_TARGET
-	report_capability "ipset V5" $IPSET_V5
-	report_capability "Condition Match" $CONDITION_MATCH
-	report_capability "Statistic Match" $STATISTIC_MATCH
-	report_capability "IMQ Target" $IMQ_TARGET
-	report_capability "DSCP Match" $DSCP_MATCH
-	report_capability "DSCP Target" $DSCP_TARGET
+	report_capability "CONNMARK Target (CONNMARK)" $CONNMARK
+	[ -n "$CONNMARK" ] && report_capability "Extended CONNMARK Target (XCONNMARK)" $XCONNMARK
+	report_capability "Connmark Match (CONNMARK_MATCH)" $CONNMARK_MATCH
+	[ -n "$CONNMARK_MATCH" ] && report_capability "Extended Connmark Match (XCONNMARK_MATCH)" $XCONNMARK_MATCH
+	report_capability "Raw Table (RAW_TABLE)" $RAW_TABLE
+	report_capability "Rawpost Table (RAWPOST_TABLE)" $RAWPOST_TABLE
+	report_capability "IPP2P Match (IPP2P_MATCH)" $IPP2P_MATCH
+	[ -n "$OLD_IPP2P_MATCH" ] && report_capability "Old IPP2P Match Syntax (OLD_IPP2P_MATCH)" $OLD_IPP2P_MATCH
+	report_capability "CLASSIFY Target (CLASSIFY_TARGET)" $CLASSIFY_TARGET
+	report_capability "Extended REJECT (ENHANCED_REJECT)" $ENHANCED_REJECT
+	report_capability "Repeat match (KLUDGEFREE)" $KLUDGEFREE
+	report_capability "MARK Target (MARK)" $MARK
+	[ -n "$MARK" ] && report_capability "Extended MARK Target (XMARK)" $XMARK
+	[ -n "$XMARK" ] && report_capability "Extended MARK Target 2 (EXMARK)" $EXMARK
+	report_capability "Mangle FORWARD Chain (MANGLE_FORWARD)" $MANGLE_FORWARD
+	report_capability "Comments (COMMENTS)" $COMMENTS
+	report_capability "Address Type Match (ADDRTYPE)" $ADDRTYPE
+	report_capability "TCPMSS Match (TCPMSS_MATCH)" $TCPMSS_MATCH
+	report_capability "Hashlimit Match (HASHLIMIT_MATCH)" $HASHLIMIT_MATCH
+	[ -n "$OLD_HL_MATCH" ] && report_capability "Old Hashlimit Match (OLD_HL_MATCH)" $OLD_HL_MATCH
+	report_capability "NFQUEUE Target (NFQUEUE_TARGET)" $NFQUEUE_TARGET
+	report_capability "Realm Match (REALM_MATCH)" $REALM_MATCH
+	report_capability "Helper Match (HELPER_MATCH)" $HELPER_MATCH
+	report_capability "Connlimit Match (CONNLIMIT_MATCH)" $CONNLIMIT_MATCH
+	report_capability "Time Match (TIME_MATCH)" $TIME_MATCH
+	report_capability "Goto Support (GOTO_TARGET)" $GOTO_TARGET
+	report_capability "LOGMARK Target (LOGMARK_TARGET)" $LOGMARK_TARGET
+	report_capability "IPMARK Target (IPMARK_TARGET)" $IPMARK_TARGET
+	report_capability "LOG Target (LOG_TARGET)" $LOG_TARGET
+	report_capability "ULOG Target (ULOG_TARGET)" $ULOG_TARGET
+	report_capability "NFLOG Target (NFLOG_TARGET)" $NFLOG_TARGET
+	report_capability "Persistent SNAT (PERSISTENT_SNAT)" $PERSISTENT_SNAT
+	report_capability "TPROXY Target (TPROXY_TARGET)" $TPROXY_TARGET
+	report_capability "FLOW Classifier (FLOW_FILTER)" $FLOW_FILTER
+	report_capability "fwmark route mask (FWMARK_RT_MASK)" $FWMARK_RT_MASK
+	report_capability "Mark in any table (MARK_ANYWHERE)" $MARK_ANYWHERE
+	report_capability "Header Match (HEADER_MATCH)" $HEADER_MATCH
+        report_capability "ACCOUNT Target (ACCOUNT_TARGET)" $ACCOUNT_TARGET
+	report_capability "AUDIT Target (AUDIT_TARGET)" $AUDIT_TARGET
+	report_capability "ipset V5 (IPSET_V5)" $IPSET_V5
+	report_capability "Condition Match (CONDITION_MATCH)" $CONDITION_MATCH
+	report_capability "Statistic Match (STATISTIC_MATCH)" $STATISTIC_MATCH
+	report_capability "IMQ Target (IMQ_TARGET)" $IMQ_TARGET
+	report_capability "DSCP Match (DSCP_MATCH)" $DSCP_MATCH
+	report_capability "DSCP Target (DSCP_TARGET)" $DSCP_TARGET

 	if [ $g_family -eq 4 ]; then
-	    report_capability "iptables -S" $IPTABLES_S
+	    report_capability "iptables -S (IPTABLES_S)" $IPTABLES_S
 	else
-	    report_capability "ip6tables -S" $IPTABLES_S
+	    report_capability "ip6tables -S (IPTABLES_S)" $IPTABLES_S
 	fi

-	report_capability "Basic Filter" $BASIC_FILTER
-	report_capability "CT Target" $CT_TARGET
+	report_capability "Basic Filter (BASIC_FILTER)" $BASIC_FILTER
+	report_capability "CT Target (CT_TARGET)" $CT_TARGET
    fi

    [ -n "$PKTTYPE" ] || USEPKTTYPE=
@@ -2314,6 +2355,7 @@ report_capabilities1() {
    report_capability1 IPRANGE_MATCH
    report_capability1 RECENT_MATCH
    report_capability1 OWNER_MATCH
+    report_capability1 OWNER_NAME_MATCH
    report_capability1 IPSET_MATCH
    report_capability1 OLD_IPSET_MATCH
    report_capability1 CONNMARK
@@ -2950,14 +2992,12 @@ shorewall_cli() {
    g_annotate=
    g_recovering=
    g_timestamp=
-    g_libexec=/usr/share
-    g_perllib=/usr/share/shorewall
    g_shorewalldir=

    VERBOSE=
    VERBOSITY=

-    [ -n "$g_lite" ] || . /usr/share/shorewall/lib.cli-std
+    [ -n "$g_lite" ] || . ${g_basedir}/lib.cli-std

    finished=0

@@ -3062,7 +3102,7 @@ shorewall_cli() {
    PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
    MUTEX_TIMEOUT=

-    [ -f ${CONFDIR}/vardir ] && . ${CONFDIR}/vardir
+    [ -f ${g_confdir}/vardir ] && . ${g_confdir}/vardir

    [ -n "${VARDIR:=/var/lib/$g_program}" ]

@@ -3072,7 +3112,7 @@ shorewall_cli() {

    g_firewall=${VARDIR}/firewall

-    version_file=$SHAREDIR/version
+    version_file=${g_sharedir}/version
    if [ -f $version_file ]; then
 	SHOREWALL_VERSION=$(cat $version_file)
    else
--- a/Shorewall-core/lib.common
+++ b/Shorewall-core/lib.common
@@ -676,7 +676,7 @@ find_file()
 		fi
 	    done

-	    echo ${CONFDIR}/$1
+	    echo ${g_confdir}/$1
 	    ;;
    esac
 }
--- a/Shorewall-core/shorewallrc.apple
+++ b/Shorewall-core/shorewallrc.apple
@@ -0,0 +1,20 @@
+#
+# Apple OS X Shorewall 4.5 rc file
+#
+BUILD=apple
+HOST=apple
+PREFIX=/usr                            #Top-level directory for shared files, libraries, etc.
+SHAREDIR=${PREFIX}/share               #Directory for arch-neutral files.
+LIBEXECDIR=${PREFIX}/share             #Directory for executable scripts.
+PERLLIBDIR=${PREFIX}/share/shorewall   #Directory to install Shorewall Perl module directory
+CONFDIR=/etc                           #Directory where subsystem configurations are installed
+SBINDIR=/sbin                          #Directory where system administration programs are installed
+MANDIR=${SHAREDIR}/man                 #Directory where manpages are installed.
+INITDIR=                               #Unused on OS X
+INITFILE=                              #Unused on OS X
+INITSOURCE=                            #Unused on OS X
+ANNOTATED=                             #Unused on OS X
+SYSTEMD=                               #Unused on OS X
+SYSCONFDIR=                            #Unused on OS X
+SPARSE=Yes                             #Only install $PRODUCT/$PRODUCT.conf in $CONFDIR.
+VARDIR=/var/lib                        #Unused on OS X
--- a/Shorewall-core/shorewallrc.archlinux
+++ b/Shorewall-core/shorewallrc.archlinux
@@ -0,0 +1,20 @@
+#
+# Archlinux Shorewall 4.5 rc file
+#
+BUILD=archlinux
+HOST=archlinux
+PREFIX=/usr                            #Top-level directory for shared files, libraries, etc.
+SHAREDIR=${PREFIX}/share               #Directory for arch-neutral files.
+LIBEXECDIR=${PREFIX}/share             #Directory for executable scripts.
+PERLLIBDIR=${PREFIX}/share/shorewall   #Directory to install Shorewall Perl module directory
+CONFDIR=/etc                           #Directory where subsystem configurations are installed
+SBINDIR=/sbin                          #Directory where system administration programs are installed
+MANDIR=${SHAREDIR}/man                 #Directory where manpages are installed.
+INITDIR=/etc/rc.d                      #Directory where SysV init scripts are installed.
+INITFILE=$PRODUCT                      #Name of the product's installed SysV init script
+INITSOURCE=init.sh                     #Name of the distributed file to be installed as the SysV init script
+ANNOTATED=                             #If non-zero, annotated configuration files are installed
+SYSCONFDIR=                            #Directory where SysV init parameter files are installed
+SYSTEMD=                               #Directory where .service files are installed (systems running systemd only)
+SPARSE=                                #If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR
+VARDIR=/var/lib                        #Directory where product variable data is stored.
--- a/Shorewall-core/shorewallrc.cygwin
+++ b/Shorewall-core/shorewallrc.cygwin
@@ -0,0 +1,20 @@
+#
+# Cygwin Shorewall 4.5 rc file
+#
+BUILD=cygwin
+HOST=cygwin
+PREFIX=/usr                           #Top-level directory for shared files, libraries, etc.
+SHAREDIR=${PREFIX}/share              #Directory for arch-neutral files.
+LIBEXECDIR=${PREFIX}/share            #Directory for executable scripts.
+PERLLIBDIR=${PREFIX}/share/shorewall  #Directory to install Shorewall Perl module directory
+CONFDIR=/etc                          #Directory where subsystem configurations are installed
+SBINDIR=/bin                          #Directory where system administration programs are installed
+MANDIR=${SHAREDIR}/man                #Directory where manpages are installed.
+INITDIR=/etc/init.d                   #Unused on Cygwin
+INITFILE=                             #Unused on Cygwin
+INITSOURCE=                           #Unused on Cygwin
+ANNOTATED=                            #Unused on Cygwin
+SYSTEMD=                              #Unused on Cygwin
+SYSCONFDIR=                           #Unused on Cygwin
+SPARSE=Yes                            #Only install $PRODUCT/$PRODUCT.conf in $CONFDIR.
+VARDIR=/var/lib                       #Unused on Cygwin
--- a/Shorewall-core/shorewallrc.debian
+++ b/Shorewall-core/shorewallrc.debian
@@ -0,0 +1,21 @@
+#
+# Debian Shorewall 4.5 rc file
+#
+BUILD=                                  #Default is to detect the build system
+HOST=debian
+PREFIX=/usr                             #Top-level directory for shared files, libraries, etc.
+SHAREDIR=${PREFIX}/share                #Directory for arch-neutral files.
+LIBEXECDIR=${PREFIX}/share              #Directory for executable scripts.
+PERLLIBDIR=${PREFIX}/share/shorewall    #Directory to install Shorewall Perl module directory
+CONFDIR=/etc                            #Directory where subsystem configurations are installed
+SBINDIR=/sbin                           #Directory where system administration programs are installed
+MANDIR=${PREFIX}/share/man              #Directory where manpages are installed.
+INITDIR=/etc/init.d                     #Directory where SysV init scripts are installed.
+INITFILE=$PRODUCT                       #Name of the product's installed SysV init script
+INITSOURCE=init.debian.sh               #Name of the distributed file to be installed as the SysV init script
+ANNOTATED=                              #If non-zero, annotated configuration files are installed
+SYSCONFFILE=default.debian              #Name of the distributed file to be installed in $SYSCONFDIR
+SYSCONFDIR=/etc/default                 #Directory where SysV init parameter files are installed
+SYSTEMD=                                #Directory where .service files are installed (systems running systemd only)
+SPARSE=Yes                              #If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR
+VARDIR=/var/lib                         #Directory where product variable data is stored.
--- a/Shorewall-core/shorewallrc.default
+++ b/Shorewall-core/shorewallrc.default
@@ -0,0 +1,21 @@
+#
+# Default Shorewall 4.5 rc file
+#
+HOST=linux                              #Generic Linux
+BUILD=                                  #Default is to detect the build system
+PREFIX=/usr                             #Top-level directory for shared files, libraries, etc.
+SHAREDIR=${PREFIX}/share                #Directory for arch-neutral files.
+LIBEXECDIR=${PREFIX}/share              #Directory for executable scripts.
+PERLLIBDIR=${PREFIX}/share/shorewall    #Directory to install Shorewall Perl module directory
+CONFDIR=/etc                            #Directory where subsystem configurations are installed
+SBINDIR=/sbin                           #Directory where system administration programs are installed
+MANDIR=${PREFIX}/man                    #Directory where manpages are installed.
+INITDIR=etc/init.d                      #Directory where SysV init scripts are installed.
+INITFILE=$PRODUCT                       #Name of the product's installed SysV init script
+INITSOURCE=init.sh                      #Name of the distributed file to be installed as the SysV init script
+ANNOTATED=                              #If non-zero, annotated configuration files are installed
+SYSTEMD=                                #Directory where .service files are installed (systems running systemd only)
+SYSCONFFILE=                            #Name of the distributed file to be installed in $SYSCONFDIR
+SYSCONFDIR=                             #Directory where SysV init parameter files are installed
+SPARSE=                                 #If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR
+VARDIR=/var/lib                         #Directory where product variable data is stored.
--- a/Shorewall-core/shorewallrc.redhat
+++ b/Shorewall-core/shorewallrc.redhat
@@ -0,0 +1,21 @@
+#
+# RedHat/FedoraShorewall 4.5 rc file
+#
+BUILD=                                  #Default is to detect the build system
+HOST=redhat
+PREFIX=/usr                             #Top-level directory for shared files, libraries, etc.
+SHAREDIR=${PREFIX}/share                #Directory for arch-neutral files.
+LIBEXECDIR=${PREFIX}/libexec            #Directory for executable scripts.
+PERLLIBDIR=/usr/share/perl5/vendor_perl #Directory to install Shorewall Perl module directory
+CONFDIR=/etc                            #Directory where subsystem configurations are installed
+SBINDIR=/sbin                           #Directory where system administration programs are installed
+MANDIR=${SHAREDIR}/man                  #Directory where manpages are installed.
+INITDIR=/etc/rc.d/init.d                #Directory where SysV init scripts are installed.
+INITFILE=$PRODUCT                       #Name of the product's installed SysV init script
+INITSOURCE=init.fedora.sh               #Name of the distributed file to be installed as the SysV init script
+ANNOTATED=                              #If non-zero, annotated configuration files are installed
+SYSTEMD=/lib/systemd/system             #Directory where .service files are installed (systems running systemd only)
+SYSCONFFILE=sysconfig                   #Name of the distributed file to be installed as $SYSCONFDIR/$PRODUCT
+SYSCONFDIR=/etc/sysconfig/              #Directory where SysV init parameter files are installed
+SPARSE=                                 #If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR
+VARDIR=/var/lib                         #Directory where product variable data is stored.
--- a/Shorewall-core/shorewallrc.slackware
+++ b/Shorewall-core/shorewallrc.slackware
@@ -0,0 +1,22 @@
+#
+# Slackware Shorewall 4.5 rc file
+#
+BUILD=slackware
+HOST=slackware
+PREFIX=/usr                                #Top-level directory for shared files, libraries, etc.
+SHAREDIR=${PREFIX}/share                   #Directory for arch-neutral files.
+LIBEXECDIR=${PREFIX}/share                 #Directory for executable scripts.
+PERLLIBDIR=${PREFIX}/share/shorewall       #Directory to install Shorewall Perl module directory
+CONFDIR=/etc                               #Directory where subsystem configurations are installed
+SBINDIR=/sbin                              #Directory where system administration programs are installed
+MANDIR=${PREFIX}/man                       #Directory where manpages are installed.
+INITDIR=/etc/rc.d                          #Directory where SysV init scripts are installed.
+AUXINITSOURCE=init.slackware.firewall.sh   #Name of the distributed file to be installed as the SysV init script
+AUXINITFILE=rc.firewall                    #Name of the product's installed SysV init script
+INITSOURCE=init.slackware.$PRODUCT.sh      #Name of the distributed file to be installed as a second SysV init script
+INITFILE=rc.$PRODUCT                       #Name of the product's installed second init script
+SYSTEMD=                                   #Name of the directory where .service files are installed (systems running systemd only)
+SYSCONFFILE=                               #Name of the distributed file to be installed in $SYSCONFDIR
+SYSCONFDIR=                                #Name of the directory where SysV init parameter files are installed.
+ANNOTATED=                                 #If non-empty, install annotated configuration files
+VARDIR=/var/lib                            #Directory where product variable data is stored.
--- a/Shorewall-core/shorewallrc.suse
+++ b/Shorewall-core/shorewallrc.suse
@@ -0,0 +1,21 @@
+#
+# SuSE Shorewall 4.5 rc file
+#
+BUILD=                                                #Default is to detect the build system
+HOST=suse
+PREFIX=/usr                                           #Top-level directory for shared files, libraries, etc.
+CONFDIR=/etc                                          #Directory where subsystem configurations are installed
+SHAREDIR=${PREFIX}/share                              #Directory for arch-neutral files.
+LIBEXECDIR=${PREFIX}/lib                              #Directory for executable scripts.
+PERLLIBDIR=${PREFIX}/lib/perl5/vendor_perl/5.14.2     #Directory to install Shorewall Perl module directory
+SBINDIR=/sbin                                         #Directory where system administration programs are installed
+MANDIR=${SHAREDIR}/man/                               #Directory where manpages are installed.
+INITDIR=/etc/init.d                                   #Directory where SysV init scripts are installed.
+INITFILE=$PRODUCT                                     #Name of the product's SysV init script
+INITSOURCE=init.sh                                    #Name of the distributed file to be installed as the SysV init script
+ANNOTATED=                                            #If non-zero, annotated configuration files are installed
+SYSTEMD=                                              #Directory where .service files are installed (systems running systemd only)
+SYSCONFFILE=                                          #Name of the distributed file to be installed in $SYSCONFDIR
+SYSCONFDIR=/etc/sysconfig/                            #Directory where SysV init parameter files are installed
+SPARSE=                                               #If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR
+VARDIR=/var/lib                                       #Directory where persistent product data is stored.
--- a/Shorewall-core/uninstall.sh
+++ b/Shorewall-core/uninstall.sh
@@ -31,7 +31,7 @@ VERSION=xxx #The Build script inserts the actual version
 usage() # $1 = exit status
 {
    ME=$(basename $0)
-    echo "usage: $ME"
+    echo "usage: $ME [ <shorewallrc file> ]"
    exit $1
 }

@@ -60,8 +60,37 @@ remove_file() # $1 = file to restore
    fi
 }

-if [ -f /usr/share/shorewall/coreversion ]; then
-    INSTALLED_VERSION="$(cat /usr/share/shorewall/coreversion)"
+#
+# Read the RC file
+#
+if [ $# -eq 0 ]; then
+    if [ -f ./shorewallrc ]; then
+	. ./shorewallrc
+    elif [ -f ~/.shorewallrc ]; then
+	. ~/.shorewallrc || exit 1
+	file=./.shorewallrc
+    elif [ -f /usr/share/shorewall/shorewallrc ]; then
+	. /usr/share/shorewall/shorewallrc
+    else
+	fatal_error "No configuration file specified and /usr/share/shorewall/shorewallrc not found"
+    fi
+elif [ $# -eq 1 ]; then
+    file=$1
+    case $file in
+	/*|.*)
+	    ;;
+	*)
+	    file=./$file
+	    ;;
+    esac
+
+    . $file
+else
+    usage 1
+fi
+
+if [ -f ${SHAREDIR}/shorewall/coreversion ]; then
+    INSTALLED_VERSION="$(cat ${SHAREDIR}/shorewall/coreversion)"
    if [ "$INSTALLED_VERSION" != "$VERSION" ]; then
 	echo "WARNING: Shorewall Core Version $INSTALLED_VERSION is installed"
 	echo "         and this is the $VERSION uninstaller."
@@ -72,12 +101,9 @@ else
    VERSION=""
 fi

-[ -n "${LIBEXEC:=/usr/share}" ]
-[ -n "${PERLLIB:=/usr/share/shorewall}" ]
-
 echo "Uninstalling Shorewall Core $VERSION"

-rm -rf /usr/share/shorewall
+rm -rf ${SHAREDIR}/shorewall

 echo "Shorewall Core Uninstalled"

--- a/Shorewall-init/ifupdown.sh
+++ b/Shorewall-init/ifupdown.sh
@@ -71,6 +71,11 @@ Debian_SuSE_ppp() {
 IFUPDOWN=0
 PRODUCTS=

+#
+# The installer may alter this
+#
+. /usr/share/shorewall/shorewallrc
+
 if [ -f /etc/default/shorewall-init ]; then
    . /etc/default/shorewall-init
 elif [ -f /etc/sysconfig/shorewall-init ]; then
@@ -182,15 +187,19 @@ else
 fi

 for PRODUCT in $PRODUCTS; do
-    VARDIR=/var/lib/$PRODUCT
-    [ -f /etc/$PRODUCT/vardir ] && . /etc/$PRODUCT/vardir
-    if [ -x $VARDIR/firewall ]; then
-	  ( . /usr/share/shorewall/lib.base
+    #
+    # For backward compatibility, lib.base appends the product name to VARDIR
+    # Save it here and restore it below
+    #
+    save_vardir=${VARDIR}
+    if [ -x $VARDIR/$PRODUCT/firewall ]; then
+	  ( . ${SHAREDIR}/shorewall/lib.base
 	    mutex_on
 	    ${VARDIR}/firewall -V0 $COMMAND $INTERFACE || echo_notdone
 	    mutex_off
 	  )
    fi
+    VARDIR=${save_vardir}
 done

 exit 0
--- a/Shorewall-init/init.debian.sh
+++ b/Shorewall-init/init.debian.sh
@@ -1,10 +1,10 @@
 #!/bin/sh
 #
-#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V4.4
+#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V4.5
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2010 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2010,2012 - Tom Eastep (teastep@shorewall.net)
 #
 #       On most distributions, this file should be called /etc/init.d/shorewall.
 #
@@ -62,10 +62,15 @@ not_configured () {
 	exit 0
 }

+#
+# The installer may alter this
+#
+. /usr/share/shorewall/shorewallrc
+
 # check if shorewall-init is configured or not
-if [ -f "/etc/default/shorewall-init" ]
+if [ -f "$SYSCONFDIR/shorewall-init" ]
 then
-	. /etc/default/shorewall-init
+	. $SYSCONFDIR/shorewall-init
 	if [ -z "$PRODUCTS" ]
 	then
 		not_configured
--- a/Shorewall-init/init.fedora.sh
+++ b/Shorewall-init/init.fedora.sh
@@ -13,6 +13,15 @@
 # Description:       Place the firewall in a safe state at boot time
 #                    prior to bringing up the network.  
 ### END INIT INFO
+#determine where the files were installed
+if [ -f ~/.shorewallrc ]; then
+    . ~/.shorewallrc || exit 1
+else
+    SBINDIR=/sbin
+    SYSCONFDIR=/etc/default
+    VARDIR=/var/lib
+fi
+
 prog="shorewall-init"
 logger="logger -i -t $prog"
 lockfile="/var/lock/subsys/shorewall-init"
@@ -44,10 +53,8 @@ start () {

    echo -n "Initializing \"Shorewall-based firewalls\": "
    for product in $PRODUCTS; do
-	vardir=/var/lib/$product
-	[ -f /etc/$product/vardir ] && . /etc/$product/vardir 
-	if [ -x ${vardir}/firewall ]; then
-	    ${vardir}/firewall stop 2>&1 | $logger
+	if [ -x ${VARDIR}/$product/firewall ]; then
+	    ${VARDIR}/$product/firewall stop 2>&1 | $logger
 	    retval=${PIPESTATUS[0]}
 	    [ retval -ne 0 ] && break
 	fi
@@ -70,10 +77,8 @@ stop () {

    echo -n "Clearing \"Shorewall-based firewalls\": "
    for product in $PRODUCTS; do
-	vardir=/var/lib/$product
-	[ -f /etc/$product/vardir ] && . /etc/$product/vardir 
-	if [ -x ${vardir}/firewall ]; then
-	    ${vardir}/firewall clear 2>&1 | $logger
+	if [ -x ${VARDIR}/$product/firewall ]; then
+	    ${VARDIR}/$product/firewall clear 2>&1 | $logger
 	    retval=${PIPESTATUS[0]}
 	    [ retval -ne 0 ] && break
 	fi
--- a/Shorewall-init/init.sh
+++ b/Shorewall-init/init.sh
@@ -1,9 +1,9 @@
 #! /bin/bash
-#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V4.4
+#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V4.5
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2010 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2010,2012 - Tom Eastep (teastep@shorewall.net)
 #
 #       On most distributions, this file should be called /etc/init.d/shorewall.
 #
@@ -53,6 +53,11 @@ else
 	exit 0
 fi

+#
+# The installer may alter this
+#
+. /usr/share/shorewall/shorewallrc
+
 # Initialize the firewall
 shorewall_start () {
  local PRODUCT
@@ -60,10 +65,8 @@ shorewall_start () {

  echo -n "Initializing \"Shorewall-based firewalls\": "
  for PRODUCT in $PRODUCTS; do
-      VARDIR=/var/lib/$PRODUCT
-      [ -f /etc/$PRODUCT/vardir ] && . /etc/$PRODUCT/vardir 
      if [ -x ${VARDIR}/firewall ]; then
-	  if ! /sbin/$PRODUCT status > /dev/null 2>&1; then
+	  if ! ${SBIN}/$PRODUCT status > /dev/null 2>&1; then
 	      ${VARDIR}/firewall stop || echo_notdone
 	  fi
      fi
@@ -83,8 +86,6 @@ shorewall_stop () {

  echo -n "Clearing \"Shorewall-based firewalls\": "
  for PRODUCT in $PRODUCTS; do
-      VARDIR=/var/lib/$PRODUCT
-      [ -f /etc/$PRODUCT/vardir ] && . /etc/$PRODUCT/vardir 
      if [ -x ${VARDIR}/firewall ]; then
 	  ${VARDIR}/firewall clear || exit 1
      fi
--- a/Shorewall-init/install.sh
+++ b/Shorewall-init/install.sh
@@ -28,12 +28,18 @@ VERSION=xxx #The Build script inserts the actual version.
 usage() # $1 = exit status
 {
    ME=$(basename $0)
-    echo "usage: $ME"
+    echo "usage: $ME [ <configuration-file> ]"
    echo "       $ME -v"
    echo "       $ME -h"
    exit $1
 }

+fatal_error() 
+{
+    echo "   ERROR: $@" >&2
+    exit 1
+}
+
 split() {
    local ifs
    ifs=$IFS
@@ -76,9 +82,9 @@ cant_autostart()
    echo  "WARNING: Unable to configure shorewall init to start automatically at boot" >&2
 }

-delete_file() # $1 = file to delete
+require() 
 {
-    rm -f $1
+    eval [ -n "\$$1" ] || fatal_error "Required option $1 not set"
 }

 install_file() # $1 = source $2 = target $3 = mode
@@ -88,44 +94,78 @@ install_file() # $1 = source $2 = target $3 = mode

 cd "$(dirname $0)"

-#
-# Load packager's settings if any
-#
-[ -f ../shorewall-pkg.config ] && . ../shorewall-pkg.config
+PRODUCT=shorewall-init

-[ -n "$DESTDIR" ] || DESTDIR="$PREFIX"
+#
+# Parse the run line
+#
+finished=0

-while [ $# -gt 0 ] ; do
+while [ $finished -eq 0 ] ; do
    case "$1" in
-	-h|help|?)
-	    usage 0
-	    ;;
-        -v)
-	    echo "Shorewall Init Installer Version $VERSION"
-	    exit 0
+	-*)
+	    option=${option#-}
+
+	    while [ -n "$option" ]; do
+		case $option in
+		    h)
+			usage 0
+			;;
+		    v)
+			echo "Shorewall-init Firewall Installer Version $VERSION"
+			exit 0
+			;;
+		    *)
+			usage 1
+			;;
+		esac
+	    done
+
+	    shift
 	    ;;
 	*)
-	    usage 1
+	    finished=1
 	    ;;
    esac
-    shift
+done
+
+#
+# Read the RC file
+#
+if [ $# -eq 0 ]; then
+    #
+    # Load packager's settings if any
+    #
+    if [ -f ./shorewallrc ]; then
+	. ./shorewallrc || exit 1
+	file=~/.shorewallrc
+    elif [ -f ~/.shorewallrc ]; then
+	. ~/.shorewallrc || exit 1
+	file=./.shorewallrc
+     else
+	fatal_error "No configuration file specified and ~/.shorewallrc not found"
+    fi
+elif [ $# -eq 1 ]; then
+    file=$1
+    case $file in
+	/*|.*)
+	    ;;
+	*)
+	    file=./$file
+	    ;;
+    esac
+
+    . $file
+else
+    usage 1
+fi
+
+for var in SHAREDIR LIBEXECDIR CONFDIR SBINDIR VARDIR; do
+    require $var
 done

 PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin

-[ -n "${LIBEXEC:=/usr/share}" ]
-
-case "$LIBEXEC" in
-    /*)
-	;;
-    *)
-	echo "The LIBEXEC setting must be an absolute path name" >&2
-	exit 1
-	;;
-esac
-
-INITFILE="shorewall-init"
-
 if [ -z "$BUILD" ]; then
    case $(uname) in
 	cygwin*)
@@ -174,11 +214,9 @@ OWNERSHIP="-o $OWNER -g $GROUP"
 case "$HOST" in
    debian)
 	echo "Installing Debian-specific configuration..."
-	SPARSE=yes
 	;;
    redhat|redhat)
 	echo "Installing Redhat/Fedora-specific configuration..."
-	[ -n "$INITDIR" ] || INITDIR=/etc/rc.d/init.d
 	;;
    slackware)
 	echo "Shorewall-init is currently not supported on Slackware" >&2
@@ -202,10 +240,6 @@ esac

 [ -z "$TARGET" ] && TARGET=$HOST

-if [ -z "$INITDIR" -a -n "$INITFILE" ] ; then
-    INITDIR="/etc/init.d"
-fi
-
 if [ -n "$DESTDIR" ]; then
    if [ `id -u` != 0 ] ; then
 	echo "Not setting file owner/group permissions, not running as root."
@@ -215,57 +249,44 @@ if [ -n "$DESTDIR" ]; then
    install -d $OWNERSHIP -m 755 ${DESTDIR}${INITDIR}
 fi

-if [ -z "$DESTDIR" ]; then
-    if [ -d /lib/systemd/system ]; then
-	SYSTEMD=Yes
-	INITFILE=
-    fi
-elif [ -n "$SYSTEMD" ]; then
-    mkdir -p ${DESTDIR}/lib/systemd/system
-    INITFILE=
-fi
-
 echo "Installing Shorewall Init Version $VERSION"

 #
 # Check for /usr/share/shorewall-init/version
 #
-if [ -f ${DESTDIR}/usr/share/shorewall-init/version ]; then
+if [ -f ${DESTDIR}${SHAREDIR}/shorewall-init/version ]; then
    first_install=""
 else
    first_install="Yes"
 fi

+#
+# Install the Firewall Script
+#
 if [ -n "$INITFILE" ]; then
-    #
-    # Install the Init Script
-    #
-    case $TARGET in
-	debian)
-	    install_file init.debian.sh ${DESTDIR}${INITDIR}/${INITFILE} 0544
-	    ;;
-	redhat)
-	    install_file init.fedora.sh ${DESTDIR}${INITDIR}/${INITFILE} 0544
-	    ;;
-	*)
-	    install_file init.sh ${DESTDIR}${INITDIR}/${INITFILE} 0544
-	    ;;
-    esac
+    install_file $INITSOURCE ${DESTDIR}${INITDIR}/$INITFILE 0544
+    [ "${SHAREDIR}" = /usr/share ] || eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${INITDIR}/$INITFILE
    
-    echo  "Shorewall-init script installed in ${DESTDIR}${INITDIR}/${INITFILE}"
+    if [ -n "${AUXINITSOURCE}" ]; then
+	install_file $INITSOURCE ${DESTDIR}${INITDIR}/$AUXINITFILE 0544
+    fi
+
+    echo  "Shorewall-init script installed in ${DESTDIR}${INITDIR}/$INITFILE"
 fi
+
 #
 # Install the .service file
 #
 if [ -n "$SYSTEMD" ]; then
-    run_install $OWNERSHIP -m 600 shorewall-init.service ${DESTDIR}/lib/systemd/system/shorewall-init.service
-    echo "Service file installed as ${DESTDIR}/lib/systemd/system/shorewall-init.service"
+    mkdir -p ${DESTDIR}${SYSTEMD}
+    run_install $OWNERSHIP -m 600 shorewall-init.service ${DESTDIR}${SYSTEMD}/shorewall-init.service
+    echo "Service file installed as ${DESTDIR}${SYSTEMD}/shorewall-init.service"
    if [ -n "$DESTDIR" ]; then
-	mkdir -p ${DESTDIR}/sbin/
-        chmod 755 ${DESTDIR}/sbin
+	mkdir -p ${DESTDIR}${SBINDIR}
+        chmod 755 ${DESTDIR}${SBINDIR}
    fi
-    run_install $OWNERSHIP -m 700 shorewall-init ${DESTDIR}/sbin/shorewall-init
-    echo "CLI installed as ${DESTDIR}/sbin/shorewall-init"
+    run_install $OWNERSHIP -m 700 shorewall-init ${DESTDIR}${SBINDIR}/shorewall-init
+    echo "CLI installed as ${DESTDIR}${SBINDIR}/shorewall-init"
 fi

 #
@@ -285,7 +306,7 @@ chmod 644 ${DESTDIR}/usr/share/shorewall-init/version
 #
 if [ -z "$DESTDIR" ]; then
    rm -f /usr/share/shorewall-init/init
-    ln -s ${INITDIR}/${INITFILE} /usr/share/shorewall-init/init
+    ln -s ${INITDIR}/${INITFILE} ${SHAREDIR}/shorewall-init/init
 fi

 if [ $HOST = debian ]; then
@@ -303,20 +324,20 @@ if [ $HOST = debian ]; then
    fi
 else
    if [ -n "$DESTDIR" ]; then
-	mkdir -p ${DESTDIR}/etc/sysconfig
+	mkdir -p ${DESTDIR}${SYSCONFDIR}

 	if [ -z "$RPM" ]; then
 	    if [ $HOST = suse ]; then
 		mkdir -p ${DESTDIR}/etc/sysconfig/network/if-up.d
-		mkdir -p ${DESTDIR}/etc/sysconfig/network/if-down.d
+		mkdir -p ${DESTDIR}${SYSCONFDIR}/network/if-down.d
 	    else
 		mkdir -p ${DESTDIR}/etc/NetworkManager/dispatcher.d
 	    fi
 	fi
    fi

-    if [ -d ${DESTDIR}/etc/sysconfig -a ! -f ${DESTDIR}/etc/sysconfig/shorewall-init ]; then
-	install_file sysconfig ${DESTDIR}/etc/sysconfig/shorewall-init 0644
+    if [ -d ${DESTDIR}${SYSCONFDIR} -a ! -f ${DESTDIR}${SYSCONFDIR}/shorewall-init ]; then
+	install_file sysconfig ${DESTDIR}${SYSCONFDIR}/shorewall-init 0644
    fi 
 fi

@@ -324,31 +345,35 @@ fi
 # Install the ifupdown script
 #

-mkdir -p ${DESTDIR}${LIBEXEC}/shorewall-init
+cp ifupdown.sh ifupdown

-install_file ifupdown.sh ${DESTDIR}${LIBEXEC}/shorewall-init/ifupdown 0544
+d[ "${SHAREDIR}" = /usr/share ] || eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ifupdown
+
+mkdir -p ${DESTDIR}${LIBEXECDIR}/shorewall-init
+
+install_file ifupdown ${DESTDIR}${LIBEXECDIR}/shorewall-init/ifupdown 0544

 if [ -d ${DESTDIR}/etc/NetworkManager ]; then
-    install_file ifupdown.sh ${DESTDIR}/etc/NetworkManager/dispatcher.d/01-shorewall 0544
+    install_file ifupdown ${DESTDIR}/etc/NetworkManager/dispatcher.d/01-shorewall 0544
 fi

 case $HOST in
    debian)
-	install_file ifupdown.sh ${DESTDIR}/etc/network/if-up.d/shorewall 0544
-	install_file ifupdown.sh ${DESTDIR}/etc/network/if-post-down.d/shorewall 0544
+	install_file ifupdown ${DESTDIR}/etc/network/if-up.d/shorewall 0544
+	install_file ifupdown ${DESTDIR}/etc/network/if-post-down.d/shorewall 0544
 	;;
    suse)
 	if [ -z "$RPM" ]; then
-	    install_file ifupdown.sh ${DESTDIR}/etc/sysconfig/network/if-up.d/shorewall 0544
-	    install_file ifupdown.sh ${DESTDIR}/etc/sysconfig/network/if-down.d/shorewall 0544
+	    install_file ifupdown ${DESTDIR}${SYSCONFDIR}/network/if-up.d/shorewall 0544
+	    install_file ifupdown ${DESTDIR}${SYSCONFDIR}/network/if-down.d/shorewall 0544
 	fi
 	;;
    redhat)
-	if [ -f ${DESTDIR}/sbin/ifup-local -o -f ${DESTDIR}/sbin/ifdown-local ]; then
-	    echo "WARNING: /sbin/ifup-local and/or /sbin/ifdown-local already exist; up/down events will not be handled"
+	if [ -f ${DESTDIR}${SBINDIR}/ifup-local -o -f ${DESTDIR}${SBINDIR}/ifdown-local ]; then
+	    echo "WARNING: ${SBINDIR}/ifup-local and/or ${SBINDIR}/ifdown-local already exist; up/down events will not be handled"
 	elif [ -z "$DESTDIR" ]; then
-	    install_file ifupdown.sh ${DESTDIR}/sbin/ifup-local 0544
-	    install_file ifupdown.sh ${DESTDIR}/sbin/ifdown-local 0544
+	    install_file ifupdown ${DESTDIR}${SBINDIR}/ifup-local 0544
+	    install_file ifupdown ${DESTDIR}${SBINDIR}/ifdown-local 0544
 	fi
 	;;
 esac
@@ -365,20 +390,20 @@ if [ -z "$DESTDIR" ]; then
 		if systemctl enable shorewall-init; then
 		    echo "Shorewall Init will start automatically at boot"
 		fi
-	    elif [ -x /sbin/insserv -o -x /usr/sbin/insserv ]; then
-		if insserv /etc/init.d/shorewall-init ; then
+	    elif [ -x ${SBINDIR}/insserv -o -x /usr${SBINDIR}/insserv ]; then
+		if insserv ${INITDIR}/shorewall-init ; then
 		    echo "Shorewall Init will start automatically at boot"
 		else
 		    cant_autostart
 		fi
-	    elif [ -x /sbin/chkconfig -o -x /usr/sbin/chkconfig ]; then
+	    elif [ -x ${SBINDIR}/chkconfig -o -x /usr${SBINDIR}/chkconfig ]; then
 		if chkconfig --add shorewall-init ; then
 		    echo "Shorewall Init will start automatically in run levels as follows:"
 		    chkconfig --list shorewall-init
 		else
 		    cant_autostart
 		fi
-	    elif [ -x /sbin/rc-update ]; then
+	    elif [ -x ${SBINDIR}/rc-update ]; then
 		if rc-update add shorewall-init default; then
 		    echo "Shorewall Init will start automatically at boot"
 		else
@@ -387,7 +412,6 @@ if [ -z "$DESTDIR" ]; then
 	    else
 		cant_autostart
 	    fi
-
 	fi
    fi
 else
@@ -397,18 +421,20 @@ else
 		mkdir -p ${DESTDIR}/etc/rcS.d
 	    fi

-	    ln -sf ../init.d/shorewall-init ${DESTDIR}/etc/rcS.d/S38shorewall-init
+	    ln -sf ../init.d/shorewall-init ${DESTDIR}${CONFDIR}/rcS.d/S38shorewall-init
 	    echo "Shorewall Init will start automatically at boot"
 	fi
    fi
 fi

+[ -z "${DESTDIR}" ] && [ ! -f ~/.shorewallrc ] && cp ${SHAREDIR}/shorewall/shorewallrc .
+
 if [ -f ${DESTDIR}/etc/ppp ]; then
    case $HOST in
 	debian|suse)
 	    for directory in ip-up.d ip-down.d ipv6-up.d ipv6-down.d; do
 		mkdir -p ${DESTDIR}/etc/ppp/$directory #SuSE doesn't create the IPv6 directories
-		cp -fp ${DESTDIR}${LIBEXEC}/shorewall-init/ifupdown ${DESTDIR}/etc/ppp/$directory/shorewall
+		cp -fp ${DESTDIR}${LIBEXECDIR}/shorewall-init/ifupdown ${DESTDIR}${CONFDIR}/ppp/$directory/shorewall
 	    done
 	    ;;
 	redhat)
@@ -419,13 +445,13 @@ if [ -f ${DESTDIR}/etc/ppp ]; then
 		FILE=${DESTDIR}/etc/ppp/$file
 		if [ -f $FILE ]; then
 		    if fgrep -q Shorewall-based $FILE ; then
-			cp -fp ${DESTDIR}${LIBEXEC}/shorewall-init/ifupdown $FILE
+			cp -fp ${DESTDIR}${LIBEXECDIR}/shorewall-init/ifupdown $FILE
 		    else
 			echo "$FILE already exists -- ppp devices will not be handled"
 			break
 		    fi
 		else
-		    cp -fp ${DESTDIR}${LIBEXEC}/shorewall-init/ifupdown $FILE
+		    cp -fp ${DESTDIR}${LIBEXECDIR}/shorewall-init/ifupdown $FILE
 		fi
 	    done
 	    ;;
--- a/Shorewall-init/shorewall-init
+++ b/Shorewall-init/shorewall-init
@@ -23,9 +23,14 @@
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 #########################################################################################
+#
+# This is modified by the installer when ${SHAREDIR} <> /usr/share
+#
+. /usr/share/shorewall/shorewallrc
+
 # check if shorewall-init is configured or not
-if [ -f "/etc/sysconfig/shorewall-init" ]; then
-    . /etc/sysconfig/shorewall-init
+if [ -f "$SYSCONFDIR/shorewall-init" ]; then
+    . $SYSCONFDIR/shorewall-init
    if [ -z "$PRODUCTS" ]; then
        echo "ERROR: No products configured" >&2
 	exit 1
@@ -42,8 +47,6 @@ shorewall_start () {

  echo -n "Initializing \"Shorewall-based firewalls\": "
  for PRODUCT in $PRODUCTS; do
-      VARDIR=/var/lib/$PRODUCT
-      [ -f /etc/$PRODUCT/vardir ] && . /etc/$PRODUCT/vardir 
      if [ -x ${VARDIR}/firewall ]; then
 	  if ! /sbin/$PRODUCT status > /dev/null 2>&1; then
 	      ${VARDIR}/firewall stop || exit 1
--- a/Shorewall-init/uninstall.sh
+++ b/Shorewall-init/uninstall.sh
@@ -31,7 +31,7 @@ VERSION=xxx  #The Build script inserts the actual version
 usage() # $1 = exit status
 {
    ME=$(basename $0)
-    echo "usage: $ME"
+    echo "usage: $ME [ <shorewallrc file> ]"
    exit $1
 }

@@ -40,6 +40,27 @@ qt()
    "$@" >/dev/null 2>&1
 }

+split() {
+    local ifs
+    ifs=$IFS
+    IFS=:
+    set -- $1
+    echo $*
+    IFS=$ifs
+}
+
+mywhich() {
+    local dir
+
+    for dir in $(split $PATH); do
+	if [ -x $dir/$1 ]; then
+	    return 0
+	fi
+    done
+
+    return 2
+}
+
 remove_file() # $1 = file to restore
 {
    if [ -f $1 -o -L $1 ] ; then
@@ -48,8 +69,37 @@ remove_file() # $1 = file to restore
    fi
 }

-if [ -f /usr/share/shorewall-init/version ]; then
-    INSTALLED_VERSION="$(cat /usr/share/shorewall-init/version)"
+#
+# Read the RC file
+#
+if [ $# -eq 0 ]; then
+    if [ -f ./shorewallrc ]; then
+	. ./shorewallrc
+    elif [ -f ~/.shorewallrc ]; then
+	. ~/.shorewallrc || exit 1
+	file=./.shorewallrc
+    elif [ -f /usr/share/shorewall/shorewallrc ]; then
+	. /usr/share/shorewall/shorewallrc
+    else
+	fatal_error "No configuration file specified and /usr/share/shorewall/shorewallrc not found"
+    fi
+elif [ $# -eq 1 ]; then
+    file=$1
+    case $file in
+	/*|.*)
+	    ;;
+	*)
+	    file=./$file
+	    ;;
+    esac
+
+    . $file || exit 1
+else
+    usage 1
+fi
+
+if [ -f ${SHAREDIR}/shorewall-init/version ]; then
+    INSTALLED_VERSION="$(cat ${SHAREDIR}/shorewall-init/version)"
    if [ "$INSTALLED_VERSION" != "$VERSION" ]; then
 	echo "WARNING: Shorewall Init Version $INSTALLED_VERSION is installed"
 	echo "         and this is the $VERSION uninstaller."
@@ -60,56 +110,55 @@ else
    VERSION=""
 fi

-[ -n "${LIBEXEC:=/usr/share}" ]
+[ -n "${LIBEXEC:=${SHAREDIR}}" ]

 echo "Uninstalling Shorewall Init $VERSION"

-INITSCRIPT=/etc/init.d/shorewall-init
+INITSCRIPT=${CONFDIR}/init.d/shorewall-init

-if [ -n "$INITSCRIPT" ]; then
-    if [ -x /usr/sbin/updaterc.d ]; then
+if [ -f "$INITSCRIPT" ]; then
+    if mywhich updaterc.d ; then
 	updaterc.d shorewall-init remove
-    elif [ -x /sbin/insserv -o -x /usr/sbin/insserv ]; then
+    elif mywhich insserv ; then
        insserv -r $INITSCRIPT
-    elif [ -x /sbin/chkconfig -o -x /usr/sbin/chkconfig ]; then
+    elif mywhich chkconfig ; then
 	chkconfig --del $(basename $INITSCRIPT)
-    elif [ -x /sbin/systemctl ]; then
+    elif mywhich systemctl ; then
 	systemctl disable shorewall-init
-    else
-	rm -f /etc/rc*.d/*$(basename $INITSCRIPT)
    fi

    remove_file $INITSCRIPT
 fi

-[ "$(readlink -m -q /sbin/ifup-local)"   = /usr/share/shorewall-init ] && remove_file /sbin/ifup-local
-[ "$(readlink -m -q /sbin/ifdown-local)" = /usr/share/shorewall-init ] && remove_file /sbin/ifdown-local
+[ "$(readlink -m -q ${SBINDIR}/ifup-local)"   = ${SHAREDIR}/shorewall-init ] && remove_file ${SBINDIR}/ifup-local
+[ "$(readlink -m -q ${SBINDIR}/ifdown-local)" = ${SHAREDIR}/shorewall-init ] && remove_file ${SBINDIR}/ifdown-local

-remove_file /etc/default/shorewall-init
-remove_file /etc/sysconfig/shorewall-init
+remove_file ${CONFDIR}/default/shorewall-init
+remove_file ${CONFDIR}/sysconfig/shorewall-init

-remove_file /etc/NetworkManager/dispatcher.d/01-shorewall
+remove_file ${CONFDIR}/NetworkManager/dispatcher.d/01-shorewall

-remove_file /etc/network/if-up.d/shorewall
-remove_file /etc/network/if-down.d/shorewall
+remove_file ${CONFDIR}/network/if-up.d/shorewall
+remove_file ${CONFDIR}/network/if-down.d/shorewall

-remove_file /etc/sysconfig/network/if-up.d/shorewall
-remove_file /etc/sysconfig/network/if-down.d/shorewall
-remove_file /lib/systemd/system/shorewall.service
+remove_file ${CONFDIR}/sysconfig/network/if-up.d/shorewall
+remove_file ${CONFDIR}/sysconfig/network/if-down.d/shorewall

-if [ -d /etc/ppp ]; then
+[ -n "$SYSTEMD" ] && remove_file ${SYSTEMD}/shorewall.service
+
+if [ -d ${CONFDIR}/ppp ]; then
    for directory in ip-up.d ip-down.d ipv6-up.d ipv6-down.d; do
-	remove_file /etc/ppp/$directory/shorewall
+	remove_file ${CONFDIR}/ppp/$directory/shorewall
    done

    for file in if-up.local if-down.local; do
-	if fgrep -q Shorewall-based /etc/ppp/$FILE; then
-	    remove_file /etc/ppp/$FILE
+	if fgrep -q Shorewall-based ${CONFDIR}/ppp/$FILE; then
+	    remove_file ${CONFDIR}/ppp/$FILE
 	fi
    done
 fi

-rm -rf /usr/share/shorewall-init
+rm -rf ${SHAREDIR}/shorewall-init
 rm -rf ${LIBEXEC}/shorewall-init

 echo "Shorewall Init Uninstalled"
--- a/Shorewall-lite/Makefile
+++ b/Shorewall-lite/Makefile
@@ -3,9 +3,9 @@ VARDIR=$(shell /sbin/shorewall-lite show vardir)
 SHAREDIR=/usr/share/shorewall-lite
 RESTOREFILE?=.restore

-all: $(VARDIR)/${RESTOREFILE}
+all: $(VARDIR)/$(RESTOREFILE)

-$(VARDIR)/${RESTOREFILE}: $(VARDIR)/firewall
+$(VARDIR)/$(RESTOREFILE): $(VARDIR)/firewall
 	@/sbin/shorewall-lite -q save >/dev/null; \
 	if \
 	    /sbin/shorewall-lite -q restart >/dev/null 2>&1; \
--- a/Shorewall-lite/init.debian.sh
+++ b/Shorewall-lite/init.debian.sh
@@ -57,17 +57,23 @@ not_configured () {
 	exit 0
 }

+#
+# The installer may alter this
+#
+. /usr/share/shorewall/shorewallrc
+
 # parse the shorewall params file in order to use params in
 # /etc/default/shorewall
-if [ -f "/etc/shorewall-lite/params" ]
+
+if [ -f "$CONFDIR/shorewall-lite/params" ]
 then
-	. /etc/shorewall-lite/params
+	. $CONFDIR/shorewall-lite/params
 fi

 # check if shorewall is configured or not
-if [ -f "/etc/default/shorewall-lite" ]
+if [ -f "$SYSCONFDIR/shorewall-lite" ]
 then
-	. /etc/default/shorewall-lite
+	. $SYSCONFDIR/shorewall-lite
 	SRWL_OPTS="$SRWL_OPTS $OPTIONS"
 	if [ "$startup" != "1" ]
 	then
--- a/Shorewall-lite/init.fedora.sh
+++ b/Shorewall-lite/init.fedora.sh
@@ -20,16 +20,21 @@
 # Source function library.
 . /etc/rc.d/init.d/functions

+#
+# The installer may alter this
+#
+. /usr/share/shorewall/shorewallrc
+
 prog="shorewall-lite"
-shorewall="/sbin/$prog"
+shorewall="${SBINDIR}/$prog"
 logger="logger -i -t $prog"
 lockfile="/var/lock/subsys/$prog"

 # Get startup options (override default)
 OPTIONS=

-if [ -f /etc/sysconfig/$prog ]; then
-    . /etc/sysconfig/$prog
+if [ -f ${SYSCONFDIR}/$prog ]; then
+    . ${SYSCONFDIR}/$prog
 fi

 start() {
--- a/Shorewall-lite/init.sh
+++ b/Shorewall-lite/init.sh
@@ -1,11 +1,11 @@
 #!/bin/sh
 RCDLINKS="2,S41 3,S41 6,K41"
 #
-#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V4.1
+#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V4.5
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 1999,2000,2001,2002,2003,2004,2005,2006,2007 - Tom Eastep (teastep@shorewall.net)
+#     (c) 1999,2000,2001,2002,2003,2004,2005,2006,2007,2012 - Tom Eastep (teastep@shorewall.net)
 #
 #	On most distributions, this file should be called /etc/init.d/shorewall.
 #
@@ -61,10 +61,14 @@ usage() {
 # Get startup options (override default)
 ################################################################################
 OPTIONS=
-if [ -f /etc/sysconfig/shorewall ]; then
-    . /etc/sysconfig/shorewall
-elif [ -f /etc/default/shorewall ] ; then
-    . /etc/default/shorewall
+
+#
+# The installer may alter this
+#
+. /usr/share/shorewall/shorewallrc
+
+if [ -f ${SYSCONFDIR}/shorewall-lite ]; then
+    . ${SYSCONFDIR}/shorewall-lite
 fi

 SHOREWALL_INIT_SCRIPT=1
@@ -76,13 +80,13 @@ command="$1"

 case "$command" in
    start)
-	exec /sbin/shorewall-lite $OPTIONS start $STARTOPTIONS
+	exec ${SBINDIR}/shorewall-lite $OPTIONS start $STARTOPTIONS
 	;;
    restart|reload)
-	exec /sbin/shorewall-lite $OPTIONS restart $RESTARTOPTIONS
+	exec ${SBINDIR}/shorewall-lite $OPTIONS restart $RESTARTOPTIONS
 	;;
    status|stop)
-	exec /sbin/shorewall-lite $OPTIONS $command $@
+	exec ${SBINDIR}/shorewall-lite $OPTIONS $command $@
 	;;
    *)
 	usage
--- a/Shorewall-lite/install.sh
+++ b/Shorewall-lite/install.sh
@@ -27,12 +27,18 @@ VERSION=xxx #The Build script inserts the actual version
 usage() # $1 = exit status
 {
    ME=$(basename $0)
-    echo "usage: $ME"
+    echo "usage: $ME [ <configuration-file> ]"
    echo "       $ME -v"
    echo "       $ME -h"
    exit $1
 }

+fatal_error()
+{
+    echo "   ERROR: $@" >&2
+    exit 1
+}
+
 split() {
    local ifs
    ifs=$IFS
@@ -85,16 +91,16 @@ install_file() # $1 = source $2 = target $3 = mode
    run_install $T $OWNERSHIP -m $3 $1 ${2}
 }

+require()
+{
+    eval [ -n "\$$1" ] || fatal_error "Required option $1 not set"
+}
+
 #
 # Change to the directory containing this script
 #
 cd "$(dirname $0)"

-#
-# Load packager's settings if any
-#
-[ -f ../shorewall-pkg.config ] && . ../shorewall-pkg.config
-
 if [ -f shorewall-lite ]; then
    PRODUCT=shorewall-lite
    Product="Shorewall Lite"
@@ -103,39 +109,73 @@ else
    Product="Shorewall6 Lite"
 fi

-[ -n "$DESTDIR" ] || DESTDIR="$PREFIX"
-
 #
 # Parse the run line
 #
-while [ $# -gt 0 ] ; do
+finished=0
+
+while [ $finished -eq 0 ] ; do
    case "$1" in
-	-h|help|?)
-	    usage 0
-	    ;;
-        -v)
-	    echo "$Product Firewall Installer Version $VERSION"
-	    exit 0
+	-*)
+	    option=${option#-}
+
+	    while [ -n "$option" ]; do
+		case $option in
+		    h)
+			usage 0
+			;;
+		    v)
+			echo "$Product Firewall Installer Version $VERSION"
+			exit 0
+			;;
+		    *)
+			usage 1
+			;;
+		esac
+	    done
+
+	    shift
 	    ;;
 	*)
-	    usage 1
+	    finished=1
 	    ;;
    esac
-    shift
 done

-PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
+#
+# Read the RC file
+#
+if [ $# -eq 0 ]; then
+    if [ -f ./shorewallrc ]; then
+	. ./shorewallrc || exit 1
+	file=./shorewallrc
+    elif [ -f ~/.shorewallrc ]; then
+	. ~/.shorewallrc
+    elif [ -f /usr/share/shorewall/shorewallrc ]; then
+	. /usr/share/shorewall/shorewallrc
+    else
+	fatal_error "No configuration file specified and /usr/share/shorewall/shorewallrc not found"
+    fi
+elif [ $# -eq 1 ]; then
+    file=$1
+    case $file in
+	/*|.*)
+	    ;;
+	*)
+	    file=./$file
+	    ;;
+    esac

-[ -n "${LIBEXEC:=/usr/share}" ]
+    . $file
+else
+    usage 1
+fi

-case "$LIBEXEC" in
-    /*)
-	;;
-    *)
-	echo "The LIBEXEC setting must be an absolute path name" >&2
-	exit 1
-	;;
-esac
+for var in SHAREDIR LIBEXECDIRDIRDIR CONFDIR SBINDIR VARDIR; do
+    require $var
+done
+
+PATH=${SBINDIR}:/bin:/usr${SBINDIR}:/usr/bin:/usr/local/bin:/usr/local${SBINDIR}

 #
 # Determine where to install the firewall script
@@ -154,15 +194,15 @@ if [ -z "$BUILD" ]; then
 	    BUILD=apple
 	    ;;
 	*)
-	    if [ -f /etc/debian_version ]; then
+	    if [ -f ${CONFDIR}/debian_version ]; then
 		BUILD=debian
-	    elif [ -f /etc/redhat-release ]; then
+	    elif [ -f ${CONFDIR}/redhat-release ]; then
 		BUILD=redhat
-	    elif [ -f /etc/SuSE-release ]; then
+	    elif [ -f ${CONFDIR}/SuSE-release ]; then
 		BUILD=suse
-	    elif [ -f /etc/slackware-version ] ; then
+	    elif [ -f ${CONFDIR}/slackware-version ] ; then
 		BUILD=slackware
-	    elif [ -f /etc/arch-release ] ; then
+	    elif [ -f ${CONFDIR}/arch-release ] ; then
 		BUILD=archlinux
 	    else
 		BUILD=linux
@@ -203,21 +243,15 @@ case "$HOST" in
 	;;
    debian)
 	echo "Installing Debian-specific configuration..."
-	SPARSE=yes
 	;;
    redhat)
 	echo "Installing Redhat/Fedora-specific configuration..."
-	[ -n "$INITDIR" ]  || INITDIR=/etc/rc.d/init.d
 	;;
    slackware)
 	echo "Installing Slackware-specific configuration..."
-	[ -n "$INITDIR" ]  || INITDIR="/etc/rc.d"
-	[ -n "$INITFILE" ] || INITFILE="rc.firewall"
-	[ -n "$MANDIR=" ]  || MANDIR=/usr/man
 	;;
    archlinux)
 	echo "Installing ArchLinux-specific configuration..."
-	[ -n "$INITDIR" ]  || INITDIR="/etc/rc.d"
 	;;
    linux|suse)
 	;;
@@ -227,7 +261,7 @@ case "$HOST" in
 	;;
 esac

-[ -z "$INITDIR" ] && INITDIR="/etc/init.d"
+[ -z "$INITDIR" ] && INITDIR="${CONFDIR}/init.d"

 if [ -n "$DESTDIR" ]; then
    if [ `id -u` != 0 ] ; then
@@ -235,8 +269,8 @@ if [ -n "$DESTDIR" ]; then
 	OWNERSHIP=""
    fi

-    install -d $OWNERSHIP -m 755 ${DESTDIR}/sbin
-    install -d $OWNERSHIP -m 755 ${DESTDIR}${DESTFILE}
+    install -d $OWNERSHIP -m 755 ${DESTDIR}/${SBINDIR}
+    install -d $OWNERSHIP -m 755 ${DESTDIR}${INITDIR}

    if [ -n "$SYSTEMD" ]; then
 	mkdir -p ${DESTDIR}/lib/systemd/system
@@ -257,27 +291,27 @@ fi
 echo "Installing $Product Version $VERSION"

 #
-# Check for /etc/$PRODUCT
+# Check for ${CONFDIR}/$PRODUCT
 #
-if [ -z "$DESTDIR" -a -d /etc/$PRODUCT ]; then
+if [ -z "$DESTDIR" -a -d ${CONFDIR}/$PRODUCT ]; then
    if [ ! -f /usr/share/shorewall/coreversion ]; then
 	echo "$PRODUCT $VERSION requires Shorewall Core which does not appear to be installed" >&2
 	exit 1
    fi

-    [ -f /etc/$PRODUCT/shorewall.conf ] && \
-	mv -f /etc/$PRODUCT/shorewall.conf /etc/$PRODUCT/$PRODUCT.conf
+    [ -f ${CONFDIR}/$PRODUCT/shorewall.conf ] && \
+	mv -f ${CONFDIR}/$PRODUCT/shorewall.conf ${CONFDIR}/$PRODUCT/$PRODUCT.conf
 else
-    rm -rf ${DESTDIR}/etc/$PRODUCT
+    rm -rf ${DESTDIR}${CONFDIR}/$PRODUCT
    rm -rf ${DESTDIR}/usr/share/$PRODUCT
    rm -rf ${DESTDIR}/var/lib/$PRODUCT
-    [ "$LIBEXEC" = /usr/share ] || rm -rf ${DESTDIR}/usr/share/$PRODUCT/wait4ifup ${DESTDIR}/usr/share/$PRODUCT/shorecap
+    [ "$LIBEXECDIR" = /usr/share ] || rm -rf ${DESTDIR}/usr/share/$PRODUCT/wait4ifup ${DESTDIR}/usr/share/$PRODUCT/shorecap
 fi

 #
-# Check for /sbin/$PRODUCT
+# Check for ${SBINDIR}/$PRODUCT
 #
-if [ -f ${DESTDIR}/sbin/$PRODUCT ]; then
+if [ -f ${DESTDIR}${SBINDIR}/$PRODUCT ]; then
    first_install=""
 else
    first_install="Yes"
@@ -285,118 +319,111 @@ fi

 delete_file ${DESTDIR}/usr/share/$PRODUCT/xmodules

-install_file $PRODUCT ${DESTDIR}/sbin/$PRODUCT 0544
+install_file $PRODUCT ${DESTDIR}${SBINDIR}/$PRODUCT 0544

-echo "$Product control program installed in ${DESTDIR}/sbin/$PRODUCT"
+echo "$Product control program installed in ${DESTDIR}${SBINDIR}/$PRODUCT"

 #
-# Create /etc/$PRODUCT, /usr/share/$PRODUCT and /var/lib/$PRODUCT if needed
+# Create ${CONFDIR}/$PRODUCT, /usr/share/$PRODUCT and /var/lib/$PRODUCT if needed
 #
-mkdir -p ${DESTDIR}/etc/$PRODUCT
+mkdir -p ${DESTDIR}${CONFDIR}/$PRODUCT
 mkdir -p ${DESTDIR}/usr/share/$PRODUCT
-mkdir -p ${DESTDIR}${LIBEXEC}/$PRODUCT
+mkdir -p ${DESTDIR}${LIBEXECDIR}/$PRODUCT
 mkdir -p ${DESTDIR}/var/lib/$PRODUCT

-chmod 755 ${DESTDIR}/etc/$PRODUCT
+chmod 755 ${DESTDIR}${CONFDIR}/$PRODUCT
 chmod 755 ${DESTDIR}/usr/share/$PRODUCT

 if [ -n "$DESTDIR" ]; then
-    mkdir -p ${DESTDIR}/etc/logrotate.d
-    chmod 755 ${DESTDIR}/etc/logrotate.d
+    mkdir -p ${DESTDIR}${CONFDIR}/logrotate.d
+    chmod 755 ${DESTDIR}${CONFDIR}/logrotate.d
    mkdir -p ${DESTDIR}${INITDIR}
    chmod 755 ${DESTDIR}${INITDIR}
 fi

 if [ -n "$INITFILE" ]; then
-    case $HOST in
-	debian)
-	    install_file init.debian.sh ${DESTDIR}${INITDIR}/${INITFILE} 0544
-	    ;;
-	redhat)
-	    install_file init.fedora.sh ${DESTDIR}${INITDIR}/${INITFILE} 0544
-	    ;;
-	archlinux)
-	    install_file init.archlinux.sh ${DESTDIR}${INITDIR}/${INITFILE} 0544
-	    ;;
-	*)
-	    install_file init.sh ${DESTDIR}${INITDIR}/${INITFILE} 0544
-	    ;;
-    esac

-    echo  "$Product init script installed in ${DESTDIR}${INITDIR}/${INITFILE}"
+    initfile="${DESTDIR}/${INITDIR}/${INITFILE}"
+    install_file ${INITSOURCE} "$initfile" 0544
+
+    [ "${SHAREDIR}" = /usr/share ] || eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' "$initfile"
+
+    echo  "$Product init script installed in $initfile"
 fi
 #
 # Install the .service file
 #
 if [ -n "$SYSTEMD" ]; then
-    run_install $OWNERSHIP -m 600 $PRODUCT.service ${DESTDIR}/lib/systemd/system/$PRODUCT.service
+    run_install $OWNERSHIP -m 600 $PRODUCT.service ${DESTDIR}/${SYSTEMD}/$PRODUCT.service
    echo "Service file installed as ${DESTDIR}/lib/systemd/system/$PRODUCT.service"
 fi

 #
 # Install the config file
 #
-if [ ! -f ${DESTDIR}/etc/$PRODUCT/$PRODUCT.conf ]; then
-   install_file $PRODUCT.conf ${DESTDIR}/etc/$PRODUCT/$PRODUCT.conf 0744
-   echo "Config file installed as ${DESTDIR}/etc/$PRODUCT/$PRODUCT.conf"
+if [ ! -f ${DESTDIR}${CONFDIR}/$PRODUCT/$PRODUCT.conf ]; then
+   install_file $PRODUCT.conf ${DESTDIR}${CONFDIR}/$PRODUCT/$PRODUCT.conf 0744
+   echo "Config file installed as ${DESTDIR}${CONFDIR}/$PRODUCT/$PRODUCT.conf"
 fi

 if [ $HOST = archlinux ] ; then
-   sed -e 's!LOGFILE=/var/log/messages!LOGFILE=/var/log/messages.log!' -i ${DESTDIR}/etc/$PRODUCT/$PRODUCT.conf
+   sed -e 's!LOGFILE=/var/log/messages!LOGFILE=/var/log/messages.log!' -i ${DESTDIR}${CONFDIR}/$PRODUCT/$PRODUCT.conf
 fi

 #
 # Install the  Makefile
 #
-run_install $OWNERSHIP -m 0600 Makefile ${DESTDIR}/etc/$PRODUCT
-echo "Makefile installed as ${DESTDIR}/etc/$PRODUCT/Makefile"
+run_install $OWNERSHIP -m 0600 Makefile ${DESTDIR}${CONFDIR}/$PRODUCT
+[ $SHAREDIR = /usr/share ] || eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}/${CONFDIR}/$PRODUCT/Makefile
+[ $SBINDIR = /sbin ]       || eval sed -i \'s\|/sbin/\|${SBINDIR}/\|\'       ${DESTDIR}/${CONFDIR}/$PRODUCT/Makefile
+echo "Makefile installed as ${DESTDIR}${CONFDIR}/$PRODUCT/Makefile"

 #
 # Install the default config path file
 #
-install_file configpath ${DESTDIR}/usr/share/$PRODUCT/configpath 0644
-echo "Default config path file installed as ${DESTDIR}/usr/share/$PRODUCT/configpath"
+install_file configpath ${DESTDIR}${SHAREDIR}/$PRODUCT/configpath 0644
+echo "Default config path file installed as ${DESTDIR}${SHAREDIR}/$PRODUCT/configpath"

 #
 # Install the libraries
 #
 for f in lib.* ; do
    if [ -f $f ]; then
-	install_file $f ${DESTDIR}/usr/share/$PRODUCT/$f 0644
-	echo "Library ${f#*.} file installed as ${DESTDIR}/usr/share/$PRODUCT/$f"
+	install_file $f ${DESTDIR}${SHAREDIR}/$PRODUCT/$f 0644
+	echo "Library ${f#*.} file installed as ${DESTDIR}/${SHAREDIR}/$PRODUCT/$f"
    fi
 done

-ln -sf lib.base ${DESTDIR}/usr/share/$PRODUCT/functions
+ln -sf lib.base ${DESTDIR}${SHAREDIR}/$PRODUCT/functions

-echo "Common functions linked through ${DESTDIR}/usr/share/$PRODUCT/functions"
+echo "Common functions linked through ${DESTDIR}${SHAREDIR}/$PRODUCT/functions"

 #
 # Install Shorecap
 #

-install_file shorecap ${DESTDIR}${LIBEXEC}/$PRODUCT/shorecap 0755
+install_file shorecap ${DESTDIR}${LIBEXECDIR}/$PRODUCT/shorecap 0755

 echo
-echo "Capability file builder installed in ${DESTDIR}${LIBEXEC}/$PRODUCT/shorecap"
+echo "Capability file builder installed in ${DESTDIR}${LIBEXECDIR}/$PRODUCT/shorecap"

 #
 # Install the Modules files
 #

 if [ -f modules ]; then
-    run_install $OWNERSHIP -m 0600 modules ${DESTDIR}/usr/share/$PRODUCT
-    echo "Modules file installed as ${DESTDIR}/usr/share/$PRODUCT/modules"
+    run_install $OWNERSHIP -m 0600 modules ${DESTDIR}${SHAREDIR}/$PRODUCT
+    echo "Modules file installed as ${DESTDIR}${SHAREDIR}/$PRODUCT/modules"
 fi

 if [ -f helpers ]; then
-    run_install $OWNERSHIP -m 0600 helpers ${DESTDIR}/usr/share/$PRODUCT
-    echo "Helper modules file installed as ${DESTDIR}/usr/share/$PRODUCT/helpers"
+    run_install $OWNERSHIP -m 0600 helpers ${DESTDIR}${SHAREDIR}/$PRODUCT
+    echo "Helper modules file installed as ${DESTDIR}${SHAREDIR}/$PRODUCT/helpers"
 fi

 for f in modules.*; do
-    run_install $OWNERSHIP -m 0644 $f ${DESTDIR}/usr/share/$PRODUCT/$f
-    echo "Module file $f installed as ${DESTDIR}/usr/share/$PRODUCT/$f"
+    run_install $OWNERSHIP -m 0644 $f ${DESTDIR}${SHAREDIR}/$PRODUCT/$f
+    echo "Module file $f installed as ${DESTDIR}${SHAREDIR}/$PRODUCT/$f"
 done

 #
@@ -406,18 +433,18 @@ done
 if [ -d manpages ]; then
    cd manpages

-    [ -n "$INSTALLD" ] || mkdir -p ${DESTDIR}/usr/share/man/man5/ ${DESTDIR}/usr/share/man/man8/
+    [ -n "$INSTALLD" ] || mkdir -p ${DESTDIR}${SHAREDIR}/man/man5/ ${DESTDIR}${SHAREDIR}/man/man8/

    for f in *.5; do
 	gzip -c $f > $f.gz
-	run_install $T $INSTALLD $OWNERSHIP -m 0644 $f.gz ${DESTDIR}/usr/share/man/man5/$f.gz
-	echo "Man page $f.gz installed to ${DESTDIR}/usr/share/man/man5/$f.gz"
+	run_install $T $INSTALLD $OWNERSHIP -m 0644 $f.gz ${DESTDIR}${SHAREDIR}/man/man5/$f.gz
+	echo "Man page $f.gz installed to ${DESTDIR}${SHAREDIR}/man/man5/$f.gz"
    done

    for f in *.8; do
 	gzip -c $f > $f.gz
-	run_install $T $INSTALLD $OWNERSHIP -m 0644 $f.gz ${DESTDIR}/usr/share/man/man8/$f.gz
-	echo "Man page $f.gz installed to ${DESTDIR}/usr/share/man/man8/$f.gz"
+	run_install $T $INSTALLD $OWNERSHIP -m 0644 $f.gz ${DESTDIR}${SHAREDIR}/man/man8/$f.gz
+	echo "Man page $f.gz installed to ${DESTDIR}${SHAREDIR}/man/man8/$f.gz"
    done

    cd ..
@@ -425,73 +452,79 @@ if [ -d manpages ]; then
    echo "Man Pages Installed"
 fi

-if [ -d ${DESTDIR}/etc/logrotate.d ]; then
-    run_install $OWNERSHIP -m 0644 logrotate ${DESTDIR}/etc/logrotate.d/$PRODUCT
-    echo "Logrotate file installed as ${DESTDIR}/etc/logrotate.d/$PRODUCT"
+if [ -d ${DESTDIR}${CONFDIR}/logrotate.d ]; then
+    run_install $OWNERSHIP -m 0644 logrotate ${DESTDIR}${CONFDIR}/logrotate.d/$PRODUCT
+    echo "Logrotate file installed as ${DESTDIR}${CONFDIR}/logrotate.d/$PRODUCT"
 fi

 #
 # Create the version file
 #
-echo "$VERSION" > ${DESTDIR}/usr/share/$PRODUCT/version
-chmod 644 ${DESTDIR}/usr/share/$PRODUCT/version
+echo "$VERSION" > ${DESTDIR}${SHAREDIR}/$PRODUCT/version
+chmod 644 ${DESTDIR}${SHAREDIR}/$PRODUCT/version
 #
 # Remove and create the symbolic link to the init script
 #

 if [ -z "$DESTDIR" ]; then
-    rm -f /usr/share/$PRODUCT/init
-    ln -s ${INITDIR}/${INITFILE} /usr/share/$PRODUCT/init
+    rm -f ${SHAREDIR}/$PRODUCT/init
+    ln -s ${INITDIR}/${INITFILE} ${SHAREDIR}/$PRODUCT/init
 fi

-delete_file ${DESTDIR}/usr/share/$PRODUCT/lib.common
-delete_file ${DESTDIR}/usr/share/$PRODUCT/lib.cli
-delete_file ${DESTDIR}/usr/share/$PRODUCT/wait4ifup
+delete_file ${DESTDIR}${SHAREDIR}/$PRODUCT/lib.common
+delete_file ${DESTDIR}${SHAREDIR}/$PRODUCT/lib.cli
+delete_file ${DESTDIR}${SHAREDIR}/$PRODUCT/wait4ifup

-if [ -z "$DESTDIR" ]; then
-    touch /var/log/$PRODUCT-init.log
+if [ -n "$SYSCONFFILE" -a ! -f ${DESTDIR}${SYSCONFDIR}/${PRODUCT} ]; then
+    if [ ${DESTDIR} ]; then
+	mkdir -p ${DESTDIR}${SYSCONFDIR}
+	chmod 755 ${DESTDIR}${SYSCONFDIR}
+    fi

-    if [ -n "$first_install" ]; then
-	if [ $HOST = debian ]; then
-	    run_install $OWNERSHIP -m 0644 default.debian /etc/default/$PRODUCT
+    run_install $OWNERSHIP -m 0644 default.debian ${DESTDIR}${SYSCONFDIR}/${PRODUCT}
+    echo "$SYSCONFFILE installed in ${DESTDIR}${SYSCONFDIR}/${PRODUCT}"
+fi

-	    update-rc.d $PRODUCT defaults
-
-	    if [ -x /sbin/insserv ]; then
-		insserv /etc/init.d/$PRODUCT
-	    else
-		ln -s ../init.d/$PRODUCT /etc/rcS.d/S40$PRODUCT
-	    fi
+if [ ${SHAREDIR} != /usr/share ]; then
+    eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}/${SHAREDIR}/${PRODUCT}/lib.base
+    eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}/${SBINDIR}/$PRODUCT
+fi

+if [ -z "$DESTDIR" -a -n "$first_install" -a -z "${cygwin}${mac}" ]; then
+    if mywhich update-rc.d ; then
+	echo "$PRODUCT will start automatically at boot"
+	echo "Set startup=1 in ${SYSCONFDIR}/$PRODUCT to enable"
+	touch /var/log/$PRODUCT-init.log
+	perl -p -w -i -e 's/^STARTUP_ENABLED=No/STARTUP_ENABLED=Yes/;s/^IP_FORWARDING=On/IP_FORWARDING=Keep/;s/^SUBSYSLOCK=.*/SUBSYSLOCK=/;' ${CONFDIR}/${PRODUCT}/${PRODUCT}.conf
+	update-rc.d $PRODUCT enable defaults
+    elif [ -n "$SYSTEMD" ]; then
+	if systemctl enable $PRODUCT; then
 	    echo "$Product will start automatically at boot"
-	else
-	    if [ -n "$SYSTEMD" ]; then
-		if systemctl enable $PRODUCT; then
-		    echo "$Product will start automatically at boot"
-		fi
-	    elif [ -x /sbin/insserv -o -x /usr/sbin/insserv ]; then
-		if insserv /etc/init.d/$PRODUCT ; then
-		    echo "$Product will start automatically at boot"
-		else
-		    cant_autostart
-		fi
-	    elif [ -x /sbin/chkconfig -o -x /usr/sbin/chkconfig ]; then
-		if chkconfig --add $PRODUCT ; then
-		    echo "$Product will start automatically in run levels as follows:"
-		    chkconfig --list $PRODUCT
-		else
-		    cant_autostart
-		fi
-	    elif [ -x /sbin/rc-update ]; then
-		if rc-update add $PRODUCT default; then
-		    echo "$Product will start automatically at boot"
-		else
-		    cant_autostart
-		fi
-	    elif [ "$INITFILE" != rc.firewall ]; then #Slackware starts this automatically
-		cant_autostart
-	    fi
 	fi
+    elif mywhich insserv; then
+	if insserv ${INITDIR}/${INITFILE} ; then
+	    echo "$PRODUCT will start automatically at boot"
+	    echo "Set STARTUP_ENABLED=Yes in ${CONFDIR}/$PRODUCT/${PRODUCT}.conf to enable"
+	else
+	    cant_autostart
+	fi
+    elif mywhich chkconfig; then
+	if chkconfig --add $PRODUCT ; then
+	    echo "$PRODUCT will start automatically in run levels as follows:"
+	    echo "Set STARTUP_ENABLED=Yes in ${CONFDIR}/$PRODUCT/${PRODUCT}.conf to enable"
+	    chkconfig --list $PRODUCT
+	else
+	    cant_autostart
+	fi
+    elif mywhich rc-update ; then
+	if rc-update add $PRODUCT default; then
+	    echo "$PRODUCT will start automatically at boot"
+	    echo "Set STARTUP_ENABLED=Yes in ${CONFDIR}/$PRODUCT/$PRODUCT.conf to enable"
+	else
+	    cant_autostart
+	fi
+    elif [ "$INITFILE" != rc.${PRODUCT} ]; then #Slackware starts this automatically
+	cant_autostart
    fi
 fi

--- a/Shorewall-lite/lib.base
+++ b/Shorewall-lite/lib.base
@@ -24,11 +24,10 @@

 g_program=shorewall-lite
 g_family=4
+#
+# This may be altered by the installer
+#
 g_basedir=/usr/share/shorewall

-[ -n "${VARDIR:=/var/lib/$g_program}" ]
-[ -n "${SHAREDIR:=/usr/share/$g_program}" ]
-[ -n "${CONFDIR:=/etc/$g_program}" ]
-
-. /usr/share/shorewall/lib.base
+. ${g_basedir}/lib.base

--- a/Shorewall-lite/manpages/shorewall-lite-vardir.xml
+++ b/Shorewall-lite/manpages/shorewall-lite-vardir.xml
@@ -1,4 +1,6 @@
 <?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
+"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
 <refentry>
  <refmeta>
    <refentrytitle>shorewall-lite-vardir</refentrytitle>
@@ -34,6 +36,28 @@
    directory. If you add this file, you should copy the files from
    <filename>/var/lib/shorewall-lite</filename> to the new directory before
    performing a <command>shorewall-lite restart</command>.</para>
+
+    <note>
+      <para>Beginning with Shorewall 4.5.2, use of this file is deprecated in
+      favor of specifying VARDIR in the <filename>shorewallrc</filename> file
+      used during installation of Shorewall Core. While the name of the
+      variable remains VARDIR, the meaning is slightly different. When set in
+      shorewallrc, Shorewall Lite, will create a directory under the specified
+      path name to hold state information.</para>
+
+      <para>Example:</para>
+
+      <blockquote>
+        <para>VARDIR=<filename><filename>/opt/var/lib/</filename></filename></para>
+
+        <para>The state directory for Shorewall Lite will be
+        /opt/var/lib/shorewall-lite/.</para>
+      </blockquote>
+
+      <para> When VARDIR is set in /etc/shorewall-lite/vardir, Shorewall Lite
+      will save its state in the <replaceable>directory</replaceable>
+      specified.</para>
+    </note>
  </refsect1>

  <refsect1>
--- a/Shorewall-lite/shorewall-lite
+++ b/Shorewall-lite/shorewall-lite
@@ -27,6 +27,18 @@
 ################################################################################################
 g_program=shorewall-lite

-. /usr/share/shorewall/lib.cli
+#
+# This is modified by the installer when ${SHAREDIR} != /usr/share
+#
+. /usr/share/shorewall/shorewallrc
+
+g_libexec="$LIBEXECDIR"
+g_sharedir="$SHAREDIR"/shorewall-lite
+g_sbindir="$SBINDIR"
+g_vardir="$VARDIR"
+g_confdir="$CONFDIR"/shorewall-lite
+g_readrc=1
+
+. ${SHAREDIR}/shorewall/lib.cli

 shorewall_cli $@
--- a/Shorewall-lite/uninstall.sh
+++ b/Shorewall-lite/uninstall.sh
@@ -31,7 +31,7 @@ VERSION=xxx  #The Build script inserts the actual version
 usage() # $1 = exit status
 {
    ME=$(basename $0)
-    echo "usage: $ME"
+    echo "usage: $ME [ <shorewallrc file> ]"
    exit $1
 }

@@ -40,16 +40,25 @@ qt()
    "$@" >/dev/null 2>&1
 }

-restore_file() # $1 = file to restore
-{
-    if [ -f ${1}-shorewall.bkout ]; then
-	if (mv -f ${1}-shorewall-lite.bkout $1); then
-	    echo
-	    echo "$1 restored"
-        else
-	    exit 1
-        fi
-    fi
+split() {
+    local ifs
+    ifs=$IFS
+    IFS=:
+    set -- $1
+    echo $*
+    IFS=$ifs
+}
+
+mywhich() {
+    local dir
+
+    for dir in $(split $PATH); do
+	if [ -x $dir/$1 ]; then
+	    return 0
+	fi
+    done
+
+    return 2
 }

 remove_file() # $1 = file to restore
@@ -60,8 +69,37 @@ remove_file() # $1 = file to restore
    fi
 }

-if [ -f /usr/share/shorewall-lite/version ]; then
-    INSTALLED_VERSION="$(cat /usr/share/shorewall-lite/version)"
+#
+# Read the RC file
+#
+if [ $# -eq 0 ]; then
+    if [ -f ./shorewallrc ]; then
+	. ./shorewallrc
+    elif [ -f ~/.shorewallrc ]; then
+	. ~/.shorewallrc || exit 1
+	file=./.shorewallrc
+    elif [ -f /usr/share/shorewall/shorewallrc ]; then
+	. /usr/share/shorewall/shorewallrc
+    else
+	fatal_error "No configuration file specified and /usr/share/shorewall/shorewallrc not found"
+    fi
+elif [ $# -eq 1 ]; then
+    file=$1
+    case $file in
+	/*|.*)
+	    ;;
+	*)
+	    file=./$file
+	    ;;
+    esac
+
+    . $file
+else
+    usage 1
+fi
+
+if [ -f ${SHAREDIR}/shorewall-lite/version ]; then
+    INSTALLED_VERSION="$(cat ${SHAREDIR}/shorewall-lite/version)"
    if [ "$INSTALLED_VERSION" != "$VERSION" ]; then
 	echo "WARNING: Shorewall Lite Version $INSTALLED_VERSION is installed"
 	echo "         and this is the $VERSION uninstaller."
@@ -72,49 +110,40 @@ else
    VERSION=""
 fi

-[ -n "${LIBEXEC:=/usr/share}" ]
-
 echo "Uninstalling Shorewall Lite $VERSION"

-if qt iptables -L shorewall -n && [ ! -f /sbin/shorewall ]; then
-   /sbin/shorewall-lite clear
+if qt iptables -L shorewall -n && [ ! -f ${SBINDIR}/shorewall ]; then
+   shorewall-lite clear
 fi

-if [ -L /usr/share/shorewall-lite/init ]; then
-    FIREWALL=$(readlink -m -q /usr/share/shorewall-lite/init)
-else
-    FIREWALL=/etc/init.d/shorewall-lite
+if [ -L ${SHAREDIR}/shorewall-lite/init ]; then
+    FIREWALL=$(readlink -m -q ${SHAREDIR}/shorewall-lite/init)
+elIF [ -n "$INITFILE" ]; then
+    FIREWALL=${INITDIR}/${INITFILE}
 fi

-if [ -n "$FIREWALL" ]; then
-    if [ -x /usr/sbin/updaterc.d ]; then
+if [ -f "$FIREWALL" ]; then
+    if mywhich updaterc.d ; then
 	updaterc.d shorewall-lite remove
-    elif [ -x /sbin/insserv -o -x /usr/sbin/insserv ]; then
+    elif if mywhich insserv ; then
        insserv -r $FIREWALL
-    elif [ -x /sbin/chkconfig -o -x /usr/sbin/chkconfig ]; then
+    elif [ mywhich chkconfig ; then
 	chkconfig --del $(basename $FIREWALL)
-    elif [ -x /sbin/systemctl ]; then
+    elif mywhich systemctl ; then
 	systemctl disable shorewall-lite
-    else
-	rm -f /etc/rc*.d/*$(basename $FIREWALL)
    fi

    remove_file $FIREWALL
-    rm -f ${FIREWALL}-*.bkout
 fi

-rm -f /sbin/shorewall-lite
-rm -f /sbin/shorewall-lite-*.bkout
+rm -f ${SBINDIR}/shorewall-lite

-rm -rf /etc/shorewall-lite
-rm -rf /etc/shorewall-lite-*.bkout
-rm -rf /var/lib/shorewall-lite
-rm -rf /var/lib/shorewall-lite-*.bkout
-rm -rf /usr/share/shorewall-lite
+rm -rf ${SBINDIR}/shorewall-lite
+rm -rf ${VARDIR}/shorewall-lite
+rm -rf ${SHAREDIR}/shorewall-lite
 rm -rf ${LIBEXEC}/shorewall-lite
-rm -rf /usr/share/shorewall-lite-*.bkout
-rm -f  /etc/logrotate.d/shorewall-lite
-rm -f  /lib/systemd/system/shorewall-lite.service
+rm -f  ${CONFDIR}/logrotate.d/shorewall-lite
+[ -n "$SYSTEMD" ] && rm -f  ${SYSTEMD}/shorewall-lite.service

 echo "Shorewall Lite Uninstalled"

--- a/Shorewall/Macros/macro.Amanda
+++ b/Shorewall/Macros/macro.Amanda
@@ -11,6 +11,7 @@
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
 #				PORT(S)	PORT(S)	LIMIT	GROUP
 PARAM	-	-	udp	10080
+PARAM	-	-	tcp	10080
 #
 # You may also need this rule.  With AMANDA 2.4.4 on Linux kernel 2.6,
 # it should not be necessary to use this.  The ip_conntrack_amanda
--- a/Shorewall/Macros/macro.BLACKLIST
+++ b/Shorewall/Macros/macro.BLACKLIST
@@ -0,0 +1,15 @@
+#
+# Shorewall version 4 - blacklist Macro
+#
+# /usr/share/shorewall/macro.blacklist
+#
+#	This macro handles blacklisting using BLACKLIST_DISPOSITION and BLACKLIST_LOGLEVEL
+#
+###############################################################################
+#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
+#				PORT(S)	PORT(S)	LIMIT	GROUP
+?IF $BLACKLIST_LOGLEVEL
+blacklog
+?ELSE
+$BLACKLIST_DISPOSITION
+?ENDIF
--- a/Shorewall/Makefile
+++ b/Shorewall/Makefile
@@ -3,9 +3,9 @@ VARDIR=$(shell /sbin/shorewall show vardir)
 CONFDIR=/etc/shorewall
 RESTOREFILE?=firewall

-all: $(VARDIR)/${RESTOREFILE}
+all: $(VARDIR)/$(RESTOREFILE)

-$(VARDIR)/${RESTOREFILE}: $(CONFDIR)/*
+$(VARDIR)/$(RESTOREFILE): $(CONFDIR)/*
 	@/sbin/shorewall -q save >/dev/null; \
 	if \
 	    /sbin/shorewall -q restart >/dev/null 2>&1; \
--- a/Shorewall/Perl/.includepath
+++ b/Shorewall/Perl/.includepath
@@ -1,3 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<includepath />
-
--- a/Shorewall/Perl/.project
+++ b/Shorewall/Perl/.project
@@ -1,17 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<projectDescription>
-	<name>Shorewall</name>
-	<comment></comment>
-	<projects>
-	</projects>
-	<buildSpec>
-		<buildCommand>
-			<name>org.epic.perleditor.perlbuilder</name>
-			<arguments>
-			</arguments>
-		</buildCommand>
-	</buildSpec>
-	<natures>
-		<nature>org.epic.perleditor.perlnature</nature>
-	</natures>
-</projectDescription>
--- a/Shorewall/Perl/Shorewall/Accounting.pm
+++ b/Shorewall/Perl/Shorewall/Accounting.pm
@@ -394,7 +394,7 @@ sub setup_accounting() {

 	my $nonEmpty = 0;

-	$nonEmpty |= process_accounting_rule while read_a_line;
+	$nonEmpty |= process_accounting_rule while read_a_line( NORMAL_READ );

 	clear_comment;

--- a/Shorewall/Perl/Shorewall/Chains.pm
+++ b/Shorewall/Perl/Shorewall/Chains.pm
@@ -219,6 +219,7 @@ our %EXPORT_TAGS = (
 				       do_ipsec_options
 				       do_ipsec
 				       log_rule
+				       handle_network_list
 				       expand_rule
 				       addnatjump
 				       set_chain_variables
@@ -699,7 +700,7 @@ sub incr_cmd_level( $ ) {
 }

 sub decr_cmd_level( $ ) {
-    assert( --$_[0]->{cmdlevel} >= 0);
+    assert( --$_[0]->{cmdlevel} >= 0, $_[0] );
 }

 #
@@ -714,14 +715,14 @@ sub decr_cmd_level( $ ) {
 sub set_rule_option( $$$ ) {
    my ( $ruleref, $option, $value ) = @_;

-    assert( defined $value && reftype $ruleref );
+    assert( defined $value && reftype $ruleref , $value, $ruleref );

    $ruleref->{simple} = 0;

    my $opttype = $opttype{$option} || MATCH;

    if ( exists $ruleref->{$option} ) {
-	assert( defined( my $value1 = $ruleref->{$option} ) );
+	assert( defined( my $value1 = $ruleref->{$option} ) , $ruleref );

 	if ( $opttype == MATCH ) {
 	    if ( $globals{KLUDGEFREE} ) {
@@ -735,14 +736,14 @@ sub set_rule_option( $$$ ) {

 		push @{$ruleref->{$option}}, ( reftype $value ? @$value : $value );
 	    } else {
-		$ruleref->{$option} = join(' ', $value1, $value );
+		$ruleref->{$option} = join(' ', $value1, $value ) unless $value1 eq $value;
 	    }
 	} elsif ( $opttype == EXCLUSIVE ) {
 	    $ruleref->{$option} .= ",$value";
 	} elsif ( $opttype == UNIQUE ) {
 	    fatal_error "Multiple $option settings in one rule is prohibited";
 	} else {
-	    assert(0);
+	    assert(0, $opttype );
 	}
    } else {
 	$ruleref->{$option} = $value;
@@ -823,7 +824,7 @@ sub rule_target( $ ) {
 sub clear_rule_target( $ ) {
    my $ruleref = shift;

-    assert( reftype $ruleref );
+    assert( reftype $ruleref , $ruleref );

    delete $ruleref->{jump};
    delete $ruleref->{targetopts};
@@ -835,7 +836,7 @@ sub clear_rule_target( $ ) {
 sub set_rule_target( $$$ ) {
    my ( $ruleref, $target, $opts) = @_;

-    assert( reftype $ruleref );
+    assert( reftype $ruleref , $ruleref );

    $ruleref->{jump}     = 'j';
    $ruleref->{target}   = $target;
@@ -1033,7 +1034,7 @@ sub push_rule( $$ ) {
 sub add_trule( $$ ) {
    my ( $chainref, $ruleref ) = @_;

-    assert( reftype $ruleref );
+    assert( reftype $ruleref , $ruleref );
    push @{$chainref->{rules}}, $ruleref;
    $chainref->{referenced} = 1;

@@ -1129,7 +1130,7 @@ sub add_rule($$;$) {

    our $splitcount;

-    assert( ! reftype $rule );
+    assert( ! reftype $rule , $rule );

    $iprangematch = 0;
    #
@@ -1180,7 +1181,7 @@ sub push_matches {
    my $dont_optimize = 0;

    while ( @_ ) {
-	my ( $option, $value ) = ( shift , shift );
+	my ( $option, $value ) = ( shift, shift );

 	assert( defined $value );

@@ -1301,7 +1302,7 @@ sub insert_rule1($$$)
    my $ruleref = transform_rule( $rule );

    $ruleref->{comment}  = "$comment" if $comment;
-    assert( ! ( $ruleref->{cmdlevel} = $chainref->{cmdlevel}) );
+    assert( ! ( $ruleref->{cmdlevel} = $chainref->{cmdlevel}) , $chainref->{name} );
    $ruleref->{mode} = CAT_MODE;

    splice( @{$chainref->{rules}}, $number, 0, $ruleref );
@@ -1435,7 +1436,7 @@ sub decrement_reference_count( $$ ) {
    my ($toref, $chain) = @_;

    if ( $toref && $toref->{referenced} ) {
-	assert($toref->{references}{$chain} > 0 );
+	assert($toref->{references}{$chain} > 0 , $toref, $chain );
 	delete $toref->{references}{$chain} unless --$toref->{references}{$chain};
 	delete_chain( $toref )              unless ( keys %{$toref->{references}} );
    }
@@ -2085,7 +2086,7 @@ sub delete_jumps ( $$ ) {
 	    }
 	}

-	assert( ! $refs );
+	assert( ! $refs , $from, $to );
    }

    delete $toref->{references}{$from};
@@ -2201,7 +2202,7 @@ sub ensure_accounting_chain( $$$ )
 	$chainref->{restriction} = $restriction;
 	$chainref->{restricted}  = NO_RESTRICT;
 	$chainref->{ipsec}       = $ipsec;
-	$chainref->{optflags}   |= DONT_OPTIMIZE unless $config{OPTIMIZE_ACCOUNTING};
+	$chainref->{optflags}   |= ( DONT_OPTIMIZE | DONT_MOVE | DONT_DELETE ) unless $config{OPTIMIZE_ACCOUNTING};

 	unless ( $chain eq 'accounting' ) {
 	    my $file = find_file $chain;
@@ -2588,7 +2589,7 @@ sub delete_references( $ ) {
    #
    # Make sure the above loop found all references
    #
-    assert ( ! $toref->{referenced} );
+    assert ( ! $toref->{referenced}, $toref->{name} );

    $count;
 }
@@ -2879,7 +2880,9 @@ sub optimize_level4( $$ ) {
 		# Last rule is a simple branch
 		my $targetref = $tableref->{$lastrule->{target}};

-		if ( $targetref && ( keys %{$targetref->{references}} < 2 || @{$targetref->{rules}} < 4 ) ) {
+		if ( $targetref &&
+		     ($targetref->{optflags} & DONT_MOVE) == 0 &&
+		     ( keys %{$targetref->{references}} < 2 || @{$targetref->{rules}} < 4 ) ) {
 		    copy_rules( $targetref, $chainref );
 		    $progress = 1;
 		}
@@ -3256,6 +3259,16 @@ sub set_mss( $$$ ) {
 #
 # Interate over all zones with 'mss=' settings adding TCPMSS rules as appropriate.
 #
+sub imatch_source_dev( $;$ );
+sub imatch_dest_dev( $;$ );
+sub imatch_source_net( $;$\$ );
+sub imatch_dest_net( $ );
+
+sub newmsschain( ) {
+    my $seq = $chainseq{filter}++;
+    "~mss${seq}";
+}
+
 sub setup_zone_mss() {
    for my $zone ( all_zones ) {
 	my $zoneref = find_zone( $zone );
@@ -3263,6 +3276,29 @@ sub setup_zone_mss() {
 	set_mss( $zone, $zoneref->{options}{in_out}{mss}, ''     ) if $zoneref->{options}{in_out}{mss};
 	set_mss( $zone, $zoneref->{options}{in}{mss},     '_in'  ) if $zoneref->{options}{in}{mss};
 	set_mss( $zone, $zoneref->{options}{out}{mss},    '_out' ) if $zoneref->{options}{out}{mss};
+
+	my $hosts = find_zone_hosts_by_option( $zone, 'mss' );
+
+	for my $hostref ( @$hosts ) {
+	    my $mss         = $hostref->[4];
+	    my @mssmatch    = have_capability( 'TCPMSS_MATCH' ) ? ( tcpmss => "--mss $mss:" ) : ();
+	    my @sourcedev   = imatch_source_dev $hostref->[0];
+	    my @destdev     = imatch_dest_dev   $hostref->[0];
+	    my @source      = imatch_source_net $hostref->[2];
+	    my @dest        = imatch_dest_net   $hostref->[2];
+	    my @ipsecin     = (have_ipsec ? ( policy => "--pol $hostref->[1] --dir in"  ) : () );
+	    my @ipsecout    = (have_ipsec ? ( policy => "--pol $hostref->[1] --dir out" ) : () );
+
+	    my $chainref = new_chain 'filter', newmsschain;
+	    my $target   = source_exclusion( $hostref->[3], $chainref );
+
+	    add_ijump $chainref, j => 'TCPMSS', targetopts => "--set-mss $mss", p => 'tcp --tcp-flags SYN,RST SYN';
+
+	    for my $zone1 ( all_zones ) {
+		add_ijump ensure_chain( 'filter', rules_chain( $zone, $zone1 ) ),  j => $target , @sourcedev, @source, p => 'tcp --tcp-flags SYN,RST SYN', @mssmatch, @ipsecin ;
+		add_ijump ensure_chain( 'filter', rules_chain( $zone1, $zone ) ),  j => $target , @destdev,   @dest,   p => 'tcp --tcp-flags SYN,RST SYN', @mssmatch, @ipsecout ;
+	    }
+	}
    }
 }

@@ -3934,7 +3970,7 @@ sub do_ratelimit( $$ ) {
 	if ( $rate =~ /^[sd]:((\w*):)?((\d+)(\/(sec|min|hour|day))?):(\d+)$/ ) {
 	    fatal_error "Invalid Rate ($3)" unless $4;
 	    fatal_error "Invalid Burst ($7)" unless $7;
-	    $limit .= "--hashlimit $3 --hashlimit-burst $7 --hashlimit-name ";
+	    $limit .= "--$match $3 --hashlimit-burst $7 --hashlimit-name ";
 	    $limit .= $2 ? $2 : 'shorewall' . $hashlimitset++;
 	    $limit .= ' --hashlimit-mode ';
 	    $units = $6;
@@ -4023,7 +4059,7 @@ sub do_time( $ ) {
 	    }
 	} elsif ( $element =~ /^(datestart|datestop)=(\d{4}(-\d{2}(-\d{2}(T\d{1,2}(:\d{1,2}){0,2})?)?)?)$/ ) {
 	    $result .= "--$1 $2 ";
-	} elsif ( $element =~ /^(utc|localtz)$/ ) {
+	} elsif ( $element =~ /^(utc|localtz|kerneltz)$/ ) {
 	    $result .= "--$1 ";
 	} else {
 	    fatal_error "Invalid time element ($element)";
@@ -4033,6 +4069,21 @@ sub do_time( $ ) {
    $result;
 }

+sub resolve_id( $$ ) {
+    my ( $id, $type ) = @_;
+
+    if ( $globals{EXPORT} ) {
+	require_capability 'OWNER_NAME_MATCH', "Specifying a $type name", 's';
+    } else {
+	my $num = $type eq 'user' ? getpwnam( $id ) : getgrnam( $id );
+	fatal_error "Unknown $type ($id)" unless supplied $num;
+	$id = $num;
+    }
+
+    $id;
+}
+
+
 #
 # Create a "-m owner" match for the passed USER/GROUP
 #
@@ -4042,6 +4093,8 @@ sub do_user( $ ) {

    return '' unless defined $user and $user ne '-';

+    require_capability 'OWNER_MATCH', 'A non-empty USER column', 's';
+
    if ( $user =~ /^(!)?(.*)\+(.*)$/ ) {
 	$rule .= "! --cmd-owner $2 " if supplied $2;
 	$user = "!$1";
@@ -4053,24 +4106,26 @@ sub do_user( $ ) {
    if ( $user =~ /^(!)?(.*):(.*)$/ ) {
 	my $invert = $1 ? '! ' : '';
 	my $group  = defined $3 ? $3 : '';
+
 	if ( supplied $2 ) {
-	    $user = $2;
-	    fatal_error "Unknown user ($user)" unless $user =~ /^\d+$/ || $globals{EXPORT} || defined getpwnam( $user );
+	    $user  = $2;
+	    $user  = resolve_id( $user, 'user' ) unless $user =~ /\d+$/;
 	    $rule .= "${invert}--uid-owner $user ";
 	}

 	if ( $group ne '' ) {
-	    fatal_error "Unknown group ($group)" unless $group =~ /\d+$/ || $globals{EXPORT} || defined getgrnam( $group );
+	    $group = resolve_id( $group, 'group' ) unless $group =~ /^\d+$/;
 	    $rule .= "${invert}--gid-owner $group ";
 	}
    } elsif ( $user =~ /^(!)?(.*)$/ ) {
 	my $invert = $1 ? '! ' : '';
 	$user   = $2;
+
 	fatal_error "Invalid USER/GROUP (!)" if $user eq '';
-	fatal_error "Unknown user ($user)" unless $user =~ /^\d+$/ || $globals{EXPORT} || defined getpwnam( $user );
+	$user = resolve_id ($user, 'user' ) unless $user =~ /\d+$/;
 	$rule .= "${invert}--uid-owner $user ";
    } else {
-	fatal_error "Unknown user ($user)" unless $user =~ /^\d+$/ || $globals{EXPORT} || defined getpwnam( $user );
+	$user  = resolve_id( $user, 'user' ) unless $user =~ /\d+$/;
 	$rule .= "--uid-owner $user ";
    }

@@ -4471,20 +4526,25 @@ sub get_set_flags( $$ ) {
 	my @options = split /,/, $options;
 	my %typemap = ( src => 'Source', dst => 'Destination' );

-	for ( @options ) {
-	    warning_message( "The '$_' ipset flag is used in a $typemap{$option} column" ), last unless $_ eq $option;
+	if ( $config{IPSET_WARNINGS} ) {
+	    for ( @options ) {
+		warning_message( "The '$_' ipset flag is used in a $typemap{$option} column" ), last unless $_ eq $option;
+	    }
 	}
    }

    $setname =~ s/^\+//;

-    unless ( $export || $> != 0 ) {
-	unless ( $ipset_exists{$setname} ) {
-	    warning_message "Ipset $setname does not exist" unless qt "ipset -L $setname";
-	}
+    if ( $config{IPSET_WARNINGS} ) {
+	unless ( $export || $> != 0 ) {
+	    unless ( $ipset_exists{$setname} ) {
+		warning_message "Ipset $setname does not exist" unless qt "ipset -L $setname";
+	    }

-	$ipset_exists{$setname} = 1; # Suppress subsequent checks/warnings
+	    $ipset_exists{$setname} = 1; # Suppress subsequent checks/warnings
+	}
    }
+
    fatal_error "Invalid ipset name ($setname)" unless $setname =~ /^(6_)?[a-zA-Z]\w*/;

    have_capability 'OLD_IPSET_MATCH' ? "--set $setname $options " : "--match-set $setname $options ";
@@ -4800,10 +4860,10 @@ sub match_ipsec_in( $$ ) {
    my ( $zone , $hostref ) = @_;
    my @match;
    my $zoneref    = find_zone( $zone );
-    my $optionsref = $zoneref->{options};

-    unless ( $optionsref->{super} || $zoneref->{type} == VSERVER ) {
+    unless ( $zoneref->{super} || $zoneref->{type} == VSERVER ) {
 	my $match = '--dir in --pol ';
+	my $optionsref = $zoneref->{options};

 	if ( $zoneref->{type} & IPSEC ) {
 	    $match .= "ipsec $optionsref->{in_out}{ipsec}$optionsref->{in}{ipsec}";
@@ -6390,16 +6450,24 @@ sub ensure_ipset( $ ) {

    if ( $family == F_IPV4 ) {
 	if ( have_capability 'IPSET_V5' ) {
-	    emit ( "    qt \$IPSET -L $set -n || \$IPSET -N $_ hash:ip family inet" );
+	    emit ( qq(    if ! qt \$IPSET -L $set -n; then) ,
+		   qq(        error_message "WARNING: ipset $set does not exist; creating it as an hash:ip set") ,
+		   qq(        \$IPSET -N $set hash:ip family inet) ,
+		   qq(    fi) );
 	} else {
-	    emit ( "    qt \$IPSET -L $set -n || \$IPSET -N $_ iphash" );
+	    emit ( qq(    if ! qt \$IPSET -L $set -n; then) ,
+		   qq(        error_message "WARNING: ipset $set does not exist; creating it as an iphash set") ,
+		   qq(        \$IPSET -N $set iphash) ,
+		   qq(    fi) );
 	}
    } else {
-	emit ( "    qt \$IPSET -L $set -n || \$IPSET -N $_ hash:ip family inet6" );
+	emit ( qq(    if ! qt \$IPSET -L $set -n; then) ,
+	       qq(        error_message "WARNING: ipset $set does not exist; creating it as an hash:ip set") ,
+	       qq(        \$IPSET -N $set hash:ip family inet6) ,
+	       qq(    fi) );
    }
 }

-
 sub load_ipsets() {

    my @ipsets = all_ipsets;
@@ -6555,7 +6623,7 @@ sub create_netfilter_load( $ ) {
 	for my $chain ( @builtins ) {
 	    my $chainref = $chain_table{$table}{$chain};
 	    if ( $chainref ) {
-		assert( $chainref->{cmdlevel} == 0 );
+		assert( $chainref->{cmdlevel} == 0, $chainref->{name} );
 		emit_unindented ":$chain $chainref->{policy} [0:0]";
 		push @chains, $chainref;
 	    }
@@ -6566,7 +6634,7 @@ sub create_netfilter_load( $ ) {
 	for my $chain ( grep $chain_table{$table}{$_}->{referenced} , ( sort keys %{$chain_table{$table}} ) ) {
 	    my $chainref =  $chain_table{$table}{$chain};
 	    unless ( $chainref->{builtin} ) {
-		assert( $chainref->{cmdlevel} == 0 );
+		assert( $chainref->{cmdlevel} == 0 , $chainref->{name} );
 		emit_unindented ":$chainref->{name} - [0:0]";
 		push @chains, $chainref;
 	    }
@@ -6638,7 +6706,7 @@ sub preview_netfilter_load() {
 	for my $chain ( @builtins ) {
 	    my $chainref = $chain_table{$table}{$chain};
 	    if ( $chainref ) {
-		assert( $chainref->{cmdlevel} == 0 );
+		assert( $chainref->{cmdlevel} == 0 , $chainref->{name} );
 		print ":$chain $chainref->{policy} [0:0]\n";
 		push @chains, $chainref;
 	    }
@@ -6649,7 +6717,7 @@ sub preview_netfilter_load() {
 	for my $chain ( grep $chain_table{$table}{$_}->{referenced} , ( sort keys %{$chain_table{$table}} ) ) {
 	    my $chainref =  $chain_table{$table}{$chain};
 	    unless ( $chainref->{builtin} ) {
-		assert( $chainref->{cmdlevel} == 0 );
+		assert( $chainref->{cmdlevel} == 0, $chainref->{name} );
 		print ":$chainref->{name} - [0:0]\n";
 		push @chains, $chainref;
 	    }
@@ -6868,7 +6936,7 @@ sub create_stop_load( $ ) {
 	for my $chain ( @builtins ) {
 	    my $chainref = $chain_table{$table}{$chain};
 	    if ( $chainref ) {
-		assert( $chainref->{cmdlevel} == 0 );
+		assert( $chainref->{cmdlevel} == 0 , $chainref->{name} );
 		emit_unindented ":$chain $chainref->{policy} [0:0]";
 		push @chains, $chainref;
 	    }
@@ -6879,7 +6947,7 @@ sub create_stop_load( $ ) {
 	for my $chain ( grep $chain_table{$table}{$_}->{referenced} , ( sort keys %{$chain_table{$table}} ) ) {
 	    my $chainref =  $chain_table{$table}{$chain};
 	    unless ( $chainref->{builtin} ) {
-		assert( $chainref->{cmdlevel} == 0 );
+		assert( $chainref->{cmdlevel} == 0 , $chainref->{name} );
 		emit_unindented ":$chainref->{name} - [0:0]";
 		push @chains, $chainref;
 	    }
--- a/Shorewall/Perl/Shorewall/Compiler.pm
+++ b/Shorewall/Perl/Shorewall/Compiler.pm
@@ -54,10 +54,10 @@ my $family;
 #
 # Initilize the package-globals in the other modules
 #
-sub initialize_package_globals( $ ) {
-    Shorewall::Config::initialize($family);
+sub initialize_package_globals( $$ ) {
+    Shorewall::Config::initialize($family, $_[1]);
    Shorewall::Chains::initialize ($family, 1, $export );
-    Shorewall::Zones::initialize ($family, shift);
+    Shorewall::Zones::initialize ($family, $_[0]);
    Shorewall::Nat::initialize;
    Shorewall::Providers::initialize($family);
    Shorewall::Tc::initialize($family);
@@ -71,7 +71,7 @@ sub initialize_package_globals( $ ) {
 #
 # First stage of script generation.
 #
-#    Copy prog.header, lib.core and lib.common to the generated script.
+#    Copy lib.core and lib.common to the generated script.
 #    Generate the various user-exit jacket functions.
 #
 #    Note: This function is not called when $command eq 'check'. So it must have no side effects other
@@ -89,13 +89,7 @@ sub generate_script_1( $ ) {

 	    emit "#!$config{SHOREWALL_SHELL}\n#\n# Compiled firewall script generated by Shorewall $globals{VERSION} - $date\n#";

-	    if ( $family == F_IPV4 ) {
-		copy $globals{SHAREDIRPL} . 'prog.header';
-	    } else {
-		copy $globals{SHAREDIRPL} . 'prog.header6';
-	    }
-
-	    copy2 $globals{SHAREDIRPL} . '/lib.core', 0;
+	    copy  $globals{SHAREDIRPL} . '/lib.core', 0;
 	    copy2 $globals{SHAREDIRPL} . '/lib.common', 0;
 	}

@@ -154,7 +148,9 @@ sub generate_script_2() {
 	   '    #',
 	   '    # Be sure that umask is sane',
 	   '    #',
-	   '    umask 077',
+	   '    umask 077' );
+
+    emit ( '',
 	   '    #',
 	   '    # These variables are required by the library functions called in this script',
 	   '    #'
@@ -162,61 +158,63 @@ sub generate_script_2() {

    push_indent;

+    if ( $shorewallrc{TEMPDIR} ) {
+	emit( '',
+	      qq(TMPDIR="$shorewallrc{TEMPDIR}") ,
+	      q(export TMPDIR) );
+    }
+
    if ( $family == F_IPV4 ) {
 	emit( 'g_family=4' );

 	if ( $export ) {
-	    emit ( 'SHAREDIR=/usr/share/shorewall-lite',
-		   'CONFDIR=/etc/shorewall-lite',
+	    emit ( qq(g_confdir=$shorewallrc{CONFDIR}/shorewall-lite),
 		   'g_product="Shorewall Lite"',
 		   'g_program=shorewall-lite',
 		   'g_basedir=/usr/share/shorewall-lite',
+		   qq(CONFIG_PATH="$shorewallrc{CONFDIR}/shorewall-lite:$shorewallrc{SHAREDIR}/shorewall-lite") ,
 		 );
 	} else {
-	    emit ( 'SHAREDIR=/usr/share/shorewall',
-		   'CONFDIR=/etc/shorewall',
+	    emit ( qq(g_confdir=$shorewallrc{CONFDIR}/shorewall),
 		   'g_product=Shorewall',
 		   'g_program=shorewall',
 		   'g_basedir=/usr/share/shorewall',
+		   qq(CONFIG_PATH="$config{CONFIG_PATH}") ,
 		 );
 	}
    } else {
 	emit( 'g_family=6' );

 	if ( $export ) {
-	    emit ( 'SHAREDIR=/usr/share/shorewall6-lite',
-		   'CONFDIR=/etc/shorewall6-lite',
+	    emit ( qq(g_confdir=$shorewallrc{CONFDIR}/shorewall6-lite),
 		   'g_product="Shorewall6 Lite"',
 		   'g_program=shorewall6-lite',
 		   'g_basedir=/usr/share/shorewall6',
+		   qq(CONFIG_PATH="$shorewallrc{CONFDIR}/shorewall6-lite:$shorewallrc{SHAREDIR}/shorewall6-lite") ,
 		 );
 	} else {
-	    emit ( 'SHAREDIR=/usr/share/shorewall6',
-		   'CONFDIR=/etc/shorewall6',
+	    emit ( qq(g_confdir=$shorewallrc{CONFDIR}/shorewall6),
 		   'g_product=Shorewall6',
 		   'g_program=shorewall6',
-		   'g_basedir=/usr/share/shorewall'
+		   'g_basedir=/usr/share/shorewall',
+		   qq(CONFIG_PATH="$config{CONFIG_PATH}") ,
 		 );
 	}
    }

-    emit( '[ -f ${CONFDIR}/vardir ] && . ${CONFDIR}/vardir' );
+    emit( '[ -f ${g_confdir}/vardir ] && . ${g_confdir}/vardir' );

    if ( $family == F_IPV4 ) {
 	if ( $export ) {
-	    emit ( 'CONFIG_PATH="/etc/shorewall-lite:/usr/share/shorewall-lite"' ,
-		   '[ -n "${VARDIR:=/var/lib/shorewall-lite}" ]' );
+	    emit ( '[ -n "${VARDIR:=' . $shorewallrc{VARDIR} . '/shorewall-lite}" ]' );
 	} else {
-	    emit ( qq(CONFIG_PATH="$config{CONFIG_PATH}") ,
-		   '[ -n "${VARDIR:=/var/lib/shorewall}" ]' );
+	    emit ( '[ -n "${VARDIR:=' . $shorewallrc{VARDIR} . '/shorewall}" ]' );
 	}
    } else {
 	if ( $export ) {
-	    emit ( 'CONFIG_PATH="/etc/shorewall6-lite:/usr/share/shorewall6-lite"' ,
-		   '[ -n "${VARDIR:=/var/lib/shorewall6-lite}" ]' );
+	    emit ( '[ -n "${VARDIR:=' . $shorewallrc{VARDIR} . '/shorewall6-lite}" ]' );
 	} else {
-	    emit ( qq(CONFIG_PATH="$config{CONFIG_PATH}") ,
-		   '[ -n "${VARDIR:=/var/lib/shorewall6}" ]' );
+	    emit ( '[ -n "${VARDIR:=' . $shorewallrc{VARDIR} . '/shorewall6}" ]' );
 	}
    }

@@ -356,7 +354,7 @@ sub generate_script_3($) {
 	    emit 'cat > ${VARDIR}/.modules << EOF';
 	    open_file $fn;

-	    emit_unindented $currentline while read_a_line;
+	    emit_unindented $currentline while read_a_line( NORMAL_READ );

 	    emit_unindented 'EOF';
 	    emit '', 'reload_kernel_modules < ${VARDIR}/.modules';
@@ -547,8 +545,8 @@ EOF
 #
 sub compiler {

-    my ( $scriptfilename, $directory, $verbosity, $timestamp , $debug, $chains , $log , $log_verbosity, $preview, $confess , $update , $annotate , $convert, $config_path ) =
-       ( '',              '',         -1,          '',          0,      '',       '',   -1,             0,        0,         0,        0,        , 0       , '');
+    my ( $scriptfilename, $directory, $verbosity, $timestamp , $debug, $chains , $log , $log_verbosity, $preview, $confess , $update , $annotate , $convert, $config_path, $shorewallrc ) =
+       ( '',              '',         -1,          '',          0,      '',       '',   -1,             0,        0,         0,        0,        , 0       , ''          , '');

    $export = 0;
    $test   = 0;
@@ -586,6 +584,7 @@ sub compiler {
 		  convert       => { store => \$convert,       validate=> \&validate_boolean    } ,
 		  annotate      => { store => \$annotate,      validate=> \&validate_boolean    } ,
 		  config_path   => { store => \$config_path } ,
+		  shorewallrc   => { store => \$shorewallrc } ,
 		);
    #
    #                               P A R A M E T E R    P R O C E S S I N G
@@ -603,7 +602,7 @@ sub compiler {
    #
    # Now that we know the address family (IPv4/IPv6), we can initialize the other modules' globals
    #
-    initialize_package_globals( $update );
+    initialize_package_globals( $update, $shorewallrc );

    set_config_path( $config_path ) if $config_path;

@@ -709,10 +708,6 @@ sub compiler {
    # Proxy Arp/Ndp
    #
    setup_proxy_arp;
-    #
-    # Handle MSS settings in the zones file
-    #
-    setup_zone_mss;

    if ( $scriptfilename || $debug ) {
 	emit 'return 0';
--- a/Shorewall/Perl/Shorewall/Config.pm
+++ b/Shorewall/Perl/Shorewall/Config.pm
@@ -141,6 +141,7 @@ our %EXPORT_TAGS = ( internal => [ qw( create_temp_script
 				       %config
 				       %globals
 				       %config_files
+				       %shorewallrc

 				       @auditoptions

@@ -149,6 +150,15 @@ our %EXPORT_TAGS = ( internal => [ qw( create_temp_script

 				       MIN_VERBOSITY
 				       MAX_VERBOSITY
+
+				       PLAIN_READ
+				       EMBEDDED_ENABLED
+				       EXPAND_VARIABLES
+				       STRIP_COMMENTS
+				       SUPPRESS_WHITESPACE
+				       CONFIG_CONTINUATION
+				       DO_INCLUDE
+				       NORMAL_READ
 				     ) ] );

 Exporter::export_ok_tags('internal');
@@ -243,6 +253,8 @@ my  %capdesc = ( NAT_ENABLED     => 'NAT',
 		 IPRANGE_MATCH   => 'IP Range Match',
 		 RECENT_MATCH    => 'Recent Match',
 		 OWNER_MATCH     => 'Owner Match',
+		 OWNER_NAME_MATCH
+		                 => 'Owner Name Match',
 		 IPSET_MATCH     => 'Ipset Match',
 		 OLD_IPSET_MATCH => 'Old Ipset Match',
 		 IPSET_V5        => 'Version 5 ipsets',
@@ -426,6 +438,32 @@ my %deprecated = ( LOGRATE            => '' ,
 my %converted = ( WIDE_TC_MARKS => 1,
 		  HIGH_ROUTE_MARKS => 1 );
 #
+# Variables involved in ?IF, ?ELSE ?ENDIF processing
+#
+my $omitting;
+my @ifstack;
+my $ifstack;
+#
+# From .shorewallrc
+#
+our %shorewallrc;
+#
+# read_a_line options
+#
+use constant { PLAIN_READ          => 0,     # No read_a_line options
+               EMBEDDED_ENABLED    => 1,     # Look for embedded Shell and Perl
+	       EXPAND_VARIABLES    => 2,     # Expand Shell variables
+	       STRIP_COMMENTS      => 4,     # Remove comments
+	       SUPPRESS_WHITESPACE => 8,     # Ignore blank lines
+	       CHECK_GUNK          => 16,    # Look for unprintable characters
+	       CONFIG_CONTINUATION => 32,    # Suppress leading whitespace if
+                                             # continued line ends in ',' or ':'
+	       DO_INCLUDE          => 64,    # Look for INCLUDE <filename>
+               NORMAL_READ         => -1     # All options
+	   };
+
+sub process_shorewallrc($);
+#
 # Rather than initializing globals in an INIT block or during declaration,
 # we initialize them in a function. This is done for two reasons:
 #
@@ -435,8 +473,8 @@ my %converted = ( WIDE_TC_MARKS => 1,
 #   2. The compiler can run multiple times in the same process so it has to be
 #      able to re-initialize its dependent modules' state.
 #
-sub initialize( $ ) {
-    $family = shift;
+sub initialize( $;$ ) {
+    ( $family, my $shorewallrc ) = @_;

    if ( $family == F_IPV4 ) {
 	( $product, $Product, $toolname, $toolNAME ) = qw( shorewall  Shorewall iptables  IPTABLES );
@@ -458,13 +496,16 @@ sub initialize( $ ) {
    $tempfile       = '';      # Temporary File Name
    $sillyname      =
    $sillyname1     = '';      # Temporary ipchains
+    $omitting       = 0;
+    $ifstack        = 0;
+    @ifstack        = ();

    #
    # Misc Globals
    #
-    %globals  =   ( SHAREDIRPL => '/usr/share/shorewall/' ,
-		    CONFDIR    => '/etc/shorewall',     # Run-time configuration directory
-		    CONFIGDIR  => '',                  # Compile-time configuration directory (location of $product.conf)
+    %globals  =   ( SHAREDIRPL => '' ,
+		    CONFDIR    => '',         # Run-time configuration directory
+		    CONFIGDIR  => '',         # Compile-time configuration directory (location of $product.conf)
 		    LOGPARMS   => '',
 		    TC_SCRIPT  => '',
 		    EXPORT     => 0,
@@ -472,7 +513,7 @@ sub initialize( $ ) {
 		    STATEMATCH => '-m state --state',
 		    UNTRACKED  => 0,
 		    VERSION    => "4.4.22.1",
-		    CAPVERSION => 40501 ,
+		    CAPVERSION => 40502 ,
 		  );
    #
    # From shorewall.conf file
@@ -558,6 +599,7 @@ sub initialize( $ ) {
 	  MAPOLDACTIONS => undef,
 	  FASTACCEPT => undef,
 	  IMPLICIT_CONTINUE => undef,
+	  IPSET_WARNINGS => undef,
 	  HIGH_ROUTE_MARKS => undef,
 	  USE_ACTIONS=> undef,
 	  OPTIMIZE => undef,
@@ -651,6 +693,7 @@ sub initialize( $ ) {
 	       IPRANGE_MATCH => undef,
 	       RECENT_MATCH => undef,
 	       OWNER_MATCH => undef,
+	       OWNER_NAME_MATCH => undef,
 	       IPSET_MATCH => undef,
 	       OLD_IPSET_MATCH => undef,
 	       IPSET_V5 => undef,
@@ -734,15 +777,24 @@ sub initialize( $ ) {

    @actparms = ();

+    %shorewallrc = (
+		    SHAREDIR => '/usr/share/',
+		    CONFDIR  => '/etc/',
+		    );
+
+    process_shorewallrc( $shorewallrc ) if $shorewallrc;
+
+    $globals{SHAREDIRPL} = "$shorewallrc{SHAREDIR}/shorewall/";
+
    if ( $family == F_IPV4 ) {
-	$globals{SHAREDIR}      = '/usr/share/shorewall';
-	$globals{CONFDIR}       = '/etc/shorewall';
+	$globals{SHAREDIR}      = "$shorewallrc{SHAREDIR}/shorewall";
+	$globals{CONFDIR}       = "$shorewallrc{CONFDIR}/shorewall";
 	$globals{PRODUCT}       = 'shorewall';
 	$config{IPTABLES}       = undef;
 	$validlevels{ULOG}      = 'ULOG';
    } else {
-	$globals{SHAREDIR}      = '/usr/share/shorewall6';
-	$globals{CONFDIR}       = '/etc/shorewall6';
+	$globals{SHAREDIR}      = "$shorewallrc{SHAREDIR}/shorewall6";
+	$globals{CONFDIR}       = "$shorewallrc{CONFDIR}/shorewall6";
 	$globals{PRODUCT}       = 'shorewall6';
 	$config{IP6TABLES}      = undef;
    }
@@ -750,13 +802,53 @@ sub initialize( $ ) {

 my @abbr = qw( Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec );

+#
+# Create 'currentlineinfo'
+#
+sub currentlineinfo() {
+    my $linenumber = $currentlinenumber || 1;
+
+    if ( $currentfile ) {
+	my $lineinfo = " $currentfilename ";
+	
+	if ( $linenumber eq 'EOF' ) {
+	    $lineinfo .= '(EOF)'
+	} else {
+	    $lineinfo .= "(line $linenumber)";
+	}
+	#
+	# Unwind the current include stack
+	#
+	for ( my $i = @includestack - 1; $i >= 0; $i-- ) {
+	    my $info = $includestack[$i];
+	    $linenumber = $info->[2] || 1;
+	    $lineinfo .= "\n      from $info->[1] (line $linenumber)";
+	}
+	#
+	# Now unwind the open stack; each element is an include stack
+	#
+	for ( my $i = @openstack - 1; $i >= 0; $i-- ) {
+	    my $istack = $openstack[$i];
+	    for ( my $j = ( @$istack - 1 ); $j >= 0; $j-- ) {
+		my $info = $istack->[$j];
+		$linenumber = $info->[2] || 1;
+		$lineinfo .= "\n      from $info->[1] (line $linenumber)";
+	    }
+	}
+
+	$lineinfo;
+
+    } else {
+	'';
+    }
+}
+
 #
 # Issue a Warning Message
 #
 sub warning_message
 {
-    my $linenumber = $currentlinenumber || 1;
-    my $currentlineinfo = $currentfile ?  " : $currentfilename (line $linenumber)" : '';
+    my $currentlineinfo = currentlineinfo;
    our @localtime;

    $| = 1; #Reset output buffering (flush any partially filled buffers).
@@ -784,6 +876,30 @@ sub cleanup() {
    close  $script, $script = undef         if $script;
    close  $perlscript, $perlscript = undef if $perlscript;
    close  $log, $log = undef               if $log;
+
+    if ( $currentfile ) {
+	#
+	# We have a current input file; close it
+	#
+	close $currentfile;
+	#
+	# Unwind the current include stack
+	#
+	for ( my $i = @includestack - 1; $i >= 0; $i-- ) {
+	    my $info = $includestack[$i];
+	    close $info->[0];
+	}
+	#
+	# Now unwind the open stack; each element is an include stack
+	#
+	for ( my $i = @openstack - 1; $i >= 0; $i-- ) {
+	    my $istack = $openstack[$i];
+	    for ( my $j = ( @$istack - 1 ); $j >= 0; $j-- ) {
+		my $info = $istack->[$j];
+		close $info->[0];
+	    }
+	}
+    }
    #
    # Unlink temporary files
    #
@@ -811,8 +927,7 @@ sub cleanup() {
 # Issue fatal error message and die
 #
 sub fatal_error	{
-    my $linenumber = $currentlinenumber || 1;
-    my $currentlineinfo = $currentfile ?  " : $currentfilename (line $linenumber)" : '';
+    my $currentlineinfo = currentlineinfo;

    $| = 1; #Reset output buffering (flush any partially filled buffers).

@@ -858,13 +973,16 @@ sub fatal_error1 {
 }

 #
-# C/C++-like assertion checker
+# C/C++-like assertion checker -- the optional arguments are not used but will
+#                                 appear in the stack trace
 #
-sub assert( $;$ ) {
+sub assert( $;@ ) {
    unless ( $_[0] ) {
 	my @caller0 = caller 0; # Where assert() was called
 	my @caller1 = caller 1; # Who called assert()

+	$confess = 1;
+
 	fatal_error "Internal error in $caller1[3] at $caller0[1] line $caller0[2]";
    }
 }
@@ -912,7 +1030,9 @@ sub normalize_hex( $ ) {
 # Return the argument expressed in Hex
 #
 sub in_hex( $ ) {
-    sprintf '0x%x', $_[0];
+    my $value = $_[0];
+
+    $value =~ /^0x/ ? $value : sprintf '0x%x', $_[0];
 }

 sub in_hex2( $ ) {
@@ -1303,9 +1423,7 @@ sub find_file($)

    return $filename if $filename =~ '/';

-    my $directory;
-
-    for $directory ( @config_path ) {
+    for my $directory ( @config_path ) {
 	my $file = "$directory$filename";
 	return $file if -f $file;
    }
@@ -1374,11 +1492,13 @@ sub supplied( $ ) {
 #    supply '-' in omitted trailing columns.
 #    Handles all of the supported forms of column/pair specification
 #
-sub split_line1( $$;$ ) {
-    my ( $description, $columnsref, $nopad) = @_;
+sub split_line1( $$;$$ ) {
+    my ( $description, $columnsref, $nopad, $maxcolumns ) = @_;

-    my @maxcolumns = ( keys %$columnsref );
-    my $maxcolumns = @maxcolumns;
+    unless ( defined $maxcolumns ) {
+	my @maxcolumns = ( keys %$columnsref );
+	$maxcolumns = @maxcolumns;
+    }
    #
    # First see if there is a semicolon on the line; what follows will be column/value paris
    #
@@ -1459,6 +1579,7 @@ sub do_open_file( $ ) {
    my $fname = $_[0];
    open $currentfile, '<', $fname or fatal_error "Unable to open $fname: $!";
    $currentlinenumber = 0;
+    $ifstack           = @ifstack;
    $currentfilename   = $fname;
 }

@@ -1471,6 +1592,7 @@ sub open_file( $ ) {
 	$first_entry = 0;
 	do_open_file $fname;;
    } else {
+	$ifstack = @ifstack;
 	'';
    }
 }
@@ -1481,10 +1603,17 @@ sub open_file( $ ) {
 sub pop_include() {
    my $arrayref = pop @includestack;

+    unless ( $ifstack == @ifstack ) {
+	my $lastref = $ifstack[-1];
+	$currentlinenumber = 'EOF';
+	fatal_error qq(Missing "?ENDIF" to match ?IF at line number $lastref->[2])
+    }
+
    if ( $arrayref ) {
-	( $currentfile, $currentfilename, $currentlinenumber ) = @$arrayref;
+	( $currentfile, $currentfilename, $currentlinenumber, $ifstack ) = @$arrayref;
    } else {
-	$currentfile = undef;
+	$currentfile       = undef;
+	$currentlinenumber = 'EOF';
    }
 }

@@ -1505,6 +1634,70 @@ sub close_file() {
    }
 }

+#
+# Process an ?IF, ?ELSE or ?END directive
+#
+sub have_capability( $ );
+
+sub process_conditional( $$$ ) {
+    my ( $omitting, $line, $linenumber ) = @_;
+
+    print "CD===> $currentline\n" if $debug;
+
+    fatal_error "Invalid compiler directive ($line)" unless $line =~ /^\s*\?(IF\s+|ELSE|ENDIF)(.*)$/;
+
+    my ($keyword, $rest) = ( $1, $2 );
+
+    if ( supplied $rest ) {
+	$rest =~ s/#.*//;
+	$rest =~ s/\s*$//;
+    } else {
+	$rest = '';
+    }
+
+    my ( $lastkeyword, $prioromit, $lastomit, $lastlinenumber ) = @ifstack ? @{$ifstack[-1]} : ('', 0, 0, 0 );
+
+    if ( $keyword =~ /^IF/ ) {
+	fatal_error "Missing IF variable" unless $rest;
+	my $invert = $rest =~ s/^!\s*//;
+
+	fatal_error "Invalid IF variable ($rest)" unless ($rest =~ s/^\$// || $rest =~ /^__/ ) && $rest =~ /^\w+$/;
+
+	push @ifstack, [ 'IF', $omitting, $omitting, $linenumber ];
+
+	if ( $rest eq '__IPV6' ) {
+	    $omitting = $family == F_IPV4;
+	} elsif ( $rest eq '__IPV4' ) {
+	    $omitting = $family == F_IPV6;
+	} else {
+	    my $cap = $rest;
+
+	    $cap =~ s/^__//;
+
+	    $omitting = ! ( exists $ENV{$rest}    ? $ENV{$rest}    :
+			    exists $params{$rest} ? $params{$rest} :
+			    exists $config{$rest} ? $config{$rest} :
+			    exists $capdesc{$cap} ? have_capability( $cap ) : 0 );
+	}
+
+	$omitting = ! $omitting if $invert;
+
+	$omitting ||= $lastomit; #?IF cannot transition from omitting -> not omitting
+    } elsif ( $keyword eq 'ELSE' ) {
+	fatal_error "Invalid ?ELSE" unless $rest eq '';
+	fatal_error "?ELSE has no matching ?IF" unless @ifstack > $ifstack && $lastkeyword eq 'IF';
+	$omitting = ! $omitting unless $lastomit;
+	$ifstack[-1] = [ 'ELSE', $prioromit, $omitting, $lastlinenumber ];
+    } else {
+	fatal_error "Invalid ?ENDIF" unless $rest eq '';
+	fatal_error q(Unexpected "?ENDIF" without matching ?IF or ?ELSE) if @ifstack <= $ifstack;
+	$omitting = $prioromit;
+	pop @ifstack;
+    }
+
+    $omitting;
+}
+
 #
 # Functions for copying a file into the script
 #
@@ -1512,12 +1705,27 @@ sub copy( $ ) {
    assert( $script_enabled );

    if ( $script ) {
-	my $file = $_[0];
+	my $file         = $_[0];
+	my $omitting     = 0;
+	my $save_ifstack = $ifstack;
+	my $lineno       = 0;
+
+	$ifstack = @ifstack;

 	open IF , $file or fatal_error "Unable to open $file: $!";

 	while ( <IF> ) {
 	    chomp;
+
+	    $lineno++;
+
+	    if ( /^\s*\?/ ) {
+		$omitting = process_conditional( $omitting, $_, $lineno );
+		next;
+	    }
+
+	    next if $omitting;
+
 	    if ( /^\s*$/ ) {
 		print $script "\n" unless $lastlineblank;
 		$lastlineblank = 1;
@@ -1533,6 +1741,14 @@ sub copy( $ ) {
 	    }
 	}

+	if ( $ifstack < @ifstack ) {
+	    $currentlinenumber = 'EOF';
+	    $currentfilename   = $file;
+	    fatal_error "Missing ?ENDIF to match the ?IF at line $ifstack[-1]->[3]";
+	} else {
+	    $ifstack = $save_ifstack;
+	}
+
 	close IF;
    }
 }
@@ -1556,6 +1772,11 @@ sub copy1( $ ) {

 		chomp;

+		if ( /^\s*\?/ ) {
+		    $omitting = process_conditional( $omitting, $_, $currentlinenumber );
+		    next;
+		}
+
 		if ( /^${here_documents}\s*$/ ) {
 		    if ( $script ) {
 			print $script $here_documents if $here_documents;
@@ -1607,7 +1828,7 @@ sub copy1( $ ) {
 			fatal_error "Directory ($filename) not allowed in INCLUDE" if -d _;

 			if ( -s _ ) {
-			    push @includestack, [ $currentfile, $currentfilename, $currentlinenumber ];
+			    push @includestack, [ $currentfile, $currentfilename, $currentlinenumber, $ifstack ];
 			    $currentfile = undef;
 			    do_open_file $filename;
 			} else {
@@ -1658,10 +1879,14 @@ sub copy2( $$ ) {

    if ( $script || $trace ) {
 	my $file = $_[0];
+	my $omitting     = 0;
+	my $save_ifstack = $ifstack;
+	my $lineno       = 0;

 	open IF , $file or fatal_error "Unable to open $file: $!";

 	while ( <IF> ) {
+	    $lineno++;
 	    $empty = 0, last unless /^#/;
 	}

@@ -1675,7 +1900,16 @@ EOF
 	    emit( $_ ) unless /^\s*$/;

 	    while ( <IF> ) {
+		$lineno++;
 		chomp;
+
+		if ( /^\s*\?/ ) {
+		    $omitting = process_conditional( $omitting, $_, $lineno );
+		    next;
+		}
+
+		next if $omitting;
+
 		if ( /^\s*$/ ) {
 		    unless ( $lastlineblank ) {
 			print $script "\n" if $script;
@@ -1703,8 +1937,6 @@ EOF
 		}
 	    }

-	    close IF;
-
 	    unless ( $lastlineblank ) {
 		print $script "\n" if $script;
 		print "GS----->\n" if $trace;
@@ -1714,6 +1946,17 @@ EOF
 		  "#   End of imports from $file",
 		  '################################################################################' );
 	}
+
+	if ( $ifstack < @ifstack ) {
+	    $currentfilename   = $file;
+	    $currentlinenumber = 'EOF';
+	    fatal_error "Missing ?ENDIF to match the ?IF at line $ifstack[-1]->[3]";
+	} else {
+	    $ifstack = $save_ifstack;
+	}
+
+	close IF;
+
    }
 }

@@ -1723,7 +1966,7 @@ EOF
 #
 sub push_open( $ ) {

-    push @includestack, [ $currentfile, $currentfilename, $currentlinenumber ];
+    push @includestack, [ $currentfile, $currentfilename, $currentlinenumber, $ifstack ] if $currentfile;
    my @a = @includestack;
    push @openstack, \@a;
    @includestack = ();
@@ -1776,11 +2019,11 @@ sub shorewall {
 sub first_entry( $ ) {
    $first_entry = $_[0];
    my $reftype = reftype $first_entry;
-    if ( $reftype ) {
-	fatal_error "Invalid argument to first_entry()" unless $reftype eq 'CODE';
-    }
+    assert( $reftype eq 'CODE' ) if $reftype;
 }

+sub read_a_line($);
+
 sub embedded_shell( $ ) {
    my $multiline = shift;

@@ -1796,24 +2039,24 @@ sub embedded_shell( $ ) {

 	my $last = 0;

-	while ( <$currentfile> ) {
-	    $currentlinenumber++;
-	    last if $last = s/^\s*END(\s+SHELL)?\s*;?//;
-	    $command .= $_;
+	while ( read_a_line( PLAIN_READ ) ) {
+	    last if $last = $currentline =~ s/^\s*END(\s+SHELL)?\s*;?//;
+	    $command .= "$currentline\n";
 	}

 	fatal_error ( "Missing END SHELL" ) unless $last;
-	fatal_error ( "Invalid END SHELL directive" ) unless /^\s*$/;
+	fatal_error ( "Invalid END SHELL directive" ) unless $currentline =~ /^\s*$/;
    }

    $command .= q(');

-    push @includestack, [ $currentfile, $currentfilename, $currentlinenumber ];
+    push @includestack, [ $currentfile, $currentfilename, $currentlinenumber, $ifstack ];
    $currentfile = undef;
    open $currentfile , '-|', $command or fatal_error qq(Shell Command failed);
    $currentfilename = "SHELL\@$currentfilename:$currentlinenumber";
    $currentline = '';
    $currentlinenumber = 0;
+    $ifstack = @ifstack;
 }

 sub embedded_perl( $ ) {
@@ -1830,21 +2073,20 @@ sub embedded_perl( $ ) {

 	my $last = 0;

-	while ( <$currentfile> ) {
-	    $currentlinenumber++;
-	    last if $last = s/^\s*END(\s+PERL)?\s*;?//;
-	    $command .= $_;
+	while ( read_a_line( PLAIN_READ ) ) {
+	    last if $last = $currentline =~ s/^\s*END(\s+PERL)?\s*;?//;
+	    $command .= "$currentline\n";
 	}

 	fatal_error ( "Missing END PERL" ) unless $last;
-	fatal_error ( "Invalid END PERL directive" ) unless /^\s*$/;
+	fatal_error ( "Invalid END PERL directive" ) unless $currentline =~ /^\s*$/;
    }

    unless (my $return = eval $command ) {
+	#
+	# Perl found the script offensive or the script itself died
+	#
 	if ( $@ ) {
-	    #
-	    # Perl found the script offensive or the script itself died
-	    #
 	    $@ =~ s/, <\$currentfile> line \d+//g;
 	    fatal_error1 "$@";
 	}
@@ -1864,7 +2106,7 @@ sub embedded_perl( $ ) {

 	$perlscript = undef;

-	push @includestack, [ $currentfile, $currentfilename, $currentlinenumber ];
+	push @includestack, [ $currentfile, $currentfilename, $currentlinenumber , $ifstack ];
 	$currentfile = undef;

 	open $currentfile, '<', $perlscriptname or fatal_error "Unable to open Perl Script $perlscriptname";
@@ -1876,6 +2118,7 @@ sub embedded_perl( $ ) {
 	$currentfilename = "PERL\@$currentfilename:$linenumber";
 	$currentline = '';
 	$currentlinenumber = 0;
+	$ifstack = @ifstack;
    }
 }

@@ -1944,11 +2187,11 @@ sub set_action_param( $$ ) {
 }

 #
-# Expand Shell Variables in the passed buffer using %params and @actparms
+# Expand Shell Variables in the passed buffer using @actparms, %params, %shorewallrc and %config, 
 #
 sub expand_variables( \$ ) {
    my ( $lineref, $count ) = ( $_[0], 0 );
-    #                    $1      $2   $3      -     $4
+    #                         $1      $2   $3      -     $4
    while ( $$lineref =~ m( ^(.*?) \$({)? (\w+) (?(2)}) (.*)$ )x ) {

 	my ( $first, $var, $rest ) = ( $1, $3, $4);
@@ -1960,6 +2203,8 @@ sub expand_variables( \$ ) {
 	    $val = $actparms[$var];
 	} elsif ( exists $params{$var} ) {
 	    $val = $params{$var};
+	} elsif ( exists $shorewallrc{$var} ) {
+	    $val = $shorewallrc{$var}
 	} else {
 	    fatal_error "Undefined shell variable (\$$var)" unless exists $config{$var};
 	    $val = $config{$var};
@@ -1972,7 +2217,19 @@ sub expand_variables( \$ ) {
 }

 #
-# Read a line from the current include stack.
+# Handle first-entry processing
+#
+sub handle_first_entry() {
+    #
+    # $first_entry can contain either a function reference or a message. If it
+    # contains a reference, call the function -- otherwise issue the message
+    #
+    reftype( $first_entry ) ? $first_entry->() : progress_message2( $first_entry );
+    $first_entry = 0;
+}
+
+#
+# Read a line from the current include stack. Based on the passed options, it will conditionally:
 #
 #   - Ignore blank or comment-only lines.
 #   - Remove trailing comments.
@@ -1980,12 +2237,11 @@ sub expand_variables( \$ ) {
 #   - Handle embedded SHELL and PERL scripts
 #   - Expand shell variables from %params and %ENV.
 #   - Handle INCLUDE <filename>
+#   - Handle ?IF, ?ELSE, ?ENDIF
 #

-sub read_a_line(;$$$) {
-    my $embedded_enabled = defined $_[0] ? shift : 1;
-    my $expand_variables = defined $_[0] ? shift : 1;
-    my $strip_comments   = defined $_[0] ? shift : 1;
+sub read_a_line($) {
+    my $options = $_[0];

    while ( $currentfile ) {

@@ -2000,57 +2256,72 @@ sub read_a_line(;$$$) {
 	    #
 	    # Suppress leading whitespace in certain continuation lines
 	    #
-	    s/^\s*// if $currentline =~ /[,:]$/;
+	    s/^\s*// if $currentline =~ /[,:]$/ && $options & CONFIG_CONTINUATION;
 	    #
-	    # If this isn't a continued line, remove trailing comments. Note that
-	    # the result may now end in '\'.
+	    # If this is a continued line with a trailing comment, remove comment. Note that
+	    # the result will now end in '\'.
 	    #
-	    s/\s*#.*$// if $strip_comments && ! /\\$/;
+	    s/\s*#.*$// if ($options & STRIP_COMMENTS) && /[\\]\s*#.*$/;
 	    #
 	    # Continuation
 	    #
-	    chop $currentline, next if substr( ( $currentline .= $_ ), -1, 1 ) eq '\\';
+	    chop $currentline, next if ($currentline .= $_) =~ /\\$/;
 	    #
-	    # Now remove concatinated comments
+	    # Handle conditionals
 	    #
-	    $currentline =~ s/#.*$// if $strip_comments;
-	    #
-	    # Ignore ( concatenated ) Blank Lines
-	    #
-	    $currentline = '', $currentlinenumber = 0, next if $currentline =~ /^\s*$/;
-	    #
-	    # Line not blank -- Handle any first-entry message/capabilities check
-	    #
-	    if ( $first_entry ) {
-		#
-		# $first_entry can contain either a function reference or a message. If it
-		# contains a reference, call the function -- otherwise issue the message
-		#
-		reftype( $first_entry ) ? $first_entry->() : progress_message2( $first_entry );
-		$first_entry = 0;
+	    if ( $currentline =~ /^\s*\?(?:IF|ELSE|ENDIF)/ ) {
+		$omitting = process_conditional( $omitting, $currentline, $currentlinenumber );
+		$currentline='';
+		next;
+	    }
+
+	    if ( $omitting ) {
+		print "OMIT=> $currentline\n" if $debug;
+		$currentline='';
+		$currentlinenumber = 0;
+		next;
 	    }
 	    #
 	    # Must check for shell/perl before doing variable expansion
 	    #
-	    if ( $embedded_enabled ) {
+	    if ( $options & EMBEDDED_ENABLED ) {
 		if ( $currentline =~ s/^\s*(BEGIN\s+)?SHELL\s*;?// ) {
+		    handle_first_entry if $first_entry;
 		    embedded_shell( $1 );
 		    next;
 		}

 		if ( $currentline =~ s/^\s*(BEGIN\s+)?PERL\s*\;?// ) {
+		    handle_first_entry if $first_entry;
 		    embedded_perl( $1 );
 		    next;
 		}
 	    }
+	    #
+	    # Now remove concatinated comments if asked
+	    #
+	    $currentline =~ s/\s*#.*$// if $options & STRIP_COMMENTS;

-	    my $count = 0;
+	    if ( $options & SUPPRESS_WHITESPACE ) {
+		#
+		# Ignore (concatinated) blank lines
+		#
+		$currentline = '', $currentlinenumber = 0, next if $currentline =~ /^\s*$/;
+		#
+		# Eliminate trailing whitespace
+		#
+		$currentline =~ s/\s*$//;
+	    }
+	    #
+	    # Line not blank -- Handle any first-entry message/capabilities check
+	    #
+	    handle_first_entry if $first_entry;
 	    #
 	    # Expand Shell Variables using %params and @actparms
 	    #
-	    expand_variables( $currentline ) if $expand_variables;
+	    expand_variables( $currentline ) if $options & EXPAND_VARIABLES;

-	    if ( $currentline =~ /^\s*INCLUDE\s/ ) {
+	    if ( ( $options & DO_INCLUDE ) && $currentline =~ /^\s*\??INCLUDE\s/ ) {

 		my @line = split ' ', $currentline;

@@ -2063,7 +2334,7 @@ sub read_a_line(;$$$) {
 		fatal_error "Directory ($filename) not allowed in INCLUDE" if -d _;

 		if ( -s _ ) {
-		    push @includestack, [ $currentfile, $currentfilename, $currentlinenumber ];
+		    push @includestack, [ $currentfile, $currentfilename, $currentlinenumber, $ifstack ];
 		    $currentfile = undef;
 		    do_open_file $filename;
 		} else {
@@ -2072,6 +2343,7 @@ sub read_a_line(;$$$) {

 		$currentline = '';
 	    } else {
+		fatal_error "Non-ASCII gunk in file" if ( $options && CHECK_GUNK ) && $currentline =~ /[^\s[:print:]]/;
 		print "IN===> $currentline\n" if $debug;
 		return 1;
 	    }
@@ -2081,23 +2353,24 @@ sub read_a_line(;$$$) {
    }
 }

-#
-# Simple version of the above. Doesn't do line concatenation, shell variable expansion or INCLUDE processing
-#
-sub read_a_line1() {
-    while ( $currentfile ) {
-	while ( $currentline = <$currentfile> ) {
-	    next if $currentline =~ /^\s*#/;
-	    chomp $currentline;
-	    next if $currentline =~ /^\s*$/;
-	    $currentline =~ s/#.*$//;       # Remove Trailing Comments
-	    fatal_error "Non-ASCII gunk in file" if $currentline =~ /[^\s[:print:]]/;
-	    $currentlinenumber = $.;
-	    print "IN===> $currentline\n" if $debug;
-	    return 1;
-	}
+sub process_shorewallrc( $ ) {
+    my $shorewallrc = shift;

-	close_file;
+    $shorewallrc{PRODUCT} = $family == F_IPV4 ? 'shorewall' : 'shorewall6';
+
+    if ( open_file $shorewallrc ) {
+	while ( read_a_line( STRIP_COMMENTS | SUPPRESS_WHITESPACE | CHECK_GUNK ) ) {
+	    if ( $currentline =~ /^([a-zA-Z]\w*)=(.*)$/ ) {
+		my ($var, $val) = ($1, $2);
+		$val = $1 if $val =~ /^\"([^\"]*)\"$/;
+		expand_variables($val) if supplied $val;
+		$shorewallrc{$var} = $val;
+	    } else {
+		fatal_error "Unrecognized shorewallrc entry";
+	    }
+	}
+    } else {
+	fatal_error "Failed to open $shorewallrc: $!";
    }
 }

@@ -2367,7 +2640,7 @@ sub load_kernel_modules( ) {

 	my @suffixes = split /\s+/ , $config{MODULE_SUFFIX};

-	while ( read_a_line ) {
+	while ( read_a_line( NORMAL_READ ) ) {
 	    fatal_error "Invalid modules file entry" unless ( $currentline =~ /^loadmodule\s+([a-zA-Z]\w*)\s*(.*)$/ );
 	    my ( $module, $arguments ) = ( $1, $2 );
 	    unless ( $loadedmodules{ $module } ) {
@@ -2425,8 +2698,6 @@ sub determine_kernelversion() {
 #
 # Capability Reporting and detection.
 #
-sub have_capability( $ );
-
 sub Nat_Enabled() {
    $family == F_IPV4 ? qt1( "$iptables -t nat -L -n" ) : '';
 }
@@ -2524,6 +2795,12 @@ sub Owner_Match() {
    qt1( "$iptables -A $sillyname -m owner --uid-owner 0 -j ACCEPT" );
 }

+sub Owner_Name_Match() {
+    if ( my $name = `id -un 2> /dev/null` ) {
+	qt1( "$iptables -A $sillyname -m owner --uid-owner $name -j ACCEPT" );
+    }
+}
+
 sub Connmark_Match() {
    qt1( "$iptables -A $sillyname -m connmark --mark 2  -j ACCEPT" );
 }
@@ -2847,6 +3124,7 @@ our %detect_capability =
      OLD_HL_MATCH => \&Old_Hashlimit_Match,
      OLD_IPP2P_MATCH => \&Old_Ipp2p_Match,
      OWNER_MATCH => \&Owner_Match,
+      OWNER_NAME_MATCH => \&Owner_Name_Match,
      PERSISTENT_SNAT => \&Persistent_Snat,
      PHYSDEV_BRIDGE => \&Physdev_Bridge,
      PHYSDEV_MATCH => \&Physdev_Match,
@@ -2942,6 +3220,8 @@ sub determine_capabilities() {
 	$capabilities{IPRANGE_MATCH}   = detect_capability( 'IPRANGE_MATCH' );
 	$capabilities{RECENT_MATCH}    = detect_capability( 'RECENT_MATCH' );
 	$capabilities{OWNER_MATCH}     = detect_capability( 'OWNER_MATCH' );
+	$capabilities{OWNER_NAME_MATCH}
+                                       = detect_capability( 'OWNER_NAME_MATCH' );
 	$capabilities{CONNMARK_MATCH}  = detect_capability( 'CONNMARK_MATCH' );
 	$capabilities{XCONNMARK_MATCH} = detect_capability( 'XCONNMARK_MATCH' );
 	$capabilities{IPP2P_MATCH}     = detect_capability( 'IPP2P_MATCH' );
@@ -3028,7 +3308,7 @@ sub ensure_config_path() {

    my $f = "$globals{SHAREDIR}/configpath";

-    $globals{CONFDIR} = "/usr/share/$product/configfiles/" if $> != 0;
+    $globals{CONFDIR} = "$shorewallrc{SHAREDIR}/$product/configfiles/" if $> != 0;

    unless ( $config{CONFIG_PATH} ) {
 	fatal_error "$f does not exist" unless -f $f;
@@ -3037,7 +3317,7 @@ sub ensure_config_path() {

 	add_param( CONFDIR => $globals{CONFDIR} );

-	while ( read_a_line ) {
+	while ( read_a_line( NORMAL_READ ) ) {
 	    if ( $currentline =~ /^\s*([a-zA-Z]\w*)=(.*?)\s*$/ ) {
 		my ($var, $val) = ($1, $2);
 		$config{$var} = ( $val =~ /\"([^\"]*)\"$/ ? $1 : $val ) if exists $config{$var};
@@ -3116,7 +3396,7 @@ sub update_config_file( $ ) {
 	#
 	# Debian or derivative
 	#
-	$fn = $annotate ? "/usr/share/doc/${product}/default-config/${product}.conf.annotated" : "/usr/share/doc/${product}/default-config/${product}.conf";
+	$fn = $annotate ? "$shorewallrc{SHAREDIR}/doc/${product}/default-config/${product}.conf.annotated" : "$shorewallrc{SHAREDIR}/doc/${product}/default-config/${product}.conf";
    } else {
 	#
 	# The rest of the World
@@ -3235,7 +3515,7 @@ sub process_shorewall_conf( $$ ) {
 	    #
 	    # Don't expand shell variables or allow embedded scripting
 	    #
-	    while ( read_a_line( 0, 0 ) ) {
+	    while ( read_a_line( STRIP_COMMENTS | SUPPRESS_WHITESPACE  | CHECK_GUNK ) ) {
 		if ( $currentline =~ /^\s*([a-zA-Z]\w*)=(.*?)\s*$/ ) {
 		    my ($var, $val) = ($1, $2);

@@ -3275,7 +3555,7 @@ sub process_shorewall_conf( $$ ) {
 # Process the records in the capabilities file
 #
 sub read_capabilities() {
-    while ( read_a_line1 ) {
+    while ( read_a_line( STRIP_COMMENTS | SUPPRESS_WHITESPACE  | CHECK_GUNK ) ) {
 	if ( $currentline =~ /^([a-zA-Z]\w*)=(.*)$/ ) {
 	    my ($var, $val) = ($1, $2);
 	    unless ( exists $capabilities{$var} ) {
@@ -3793,6 +4073,7 @@ sub get_configuration( $$$ ) {
    default_yes_no 'EXPORTMODULES'              , '';
    default_yes_no 'LEGACY_FASTSTART'           , 'Yes';
    default_yes_no 'USE_PHYSICAL_NAMES'         , '';
+    default_yes_no 'IPSET_WARNINGS'             , 'Yes';

    require_capability 'MARK' , 'FORWARD_CLEAR_MARK=Yes', 's', if $config{FORWARD_CLEAR_MARK};

@@ -4059,7 +4340,7 @@ sub append_file( $;$$ ) {

    $indent = '' if $unindented;

-    unless ( $user_exit =~ m(^/usr/share/shorewall6?/) ) {
+    unless ( $user_exit =~ m(^$shorewallrc{SHAREDIR}/shorewall6?/) ) {
 	if ( -f $user_exit ) {
 	    if ( $nomsg ) {
 		#
@@ -4070,8 +4351,9 @@ sub append_file( $;$$ ) {
 		#
 		# Include progress message -- Pretend progress_message call was in the file
 		#
+		my $name = $globals{EXPORT} ? "$file user exit" : $user_exit;
 		$result = 1;
-		save_progress_message "Processing $user_exit ...";
+		save_progress_message "Processing $name ...";
 		copy1 $user_exit;
 	    }
 	}
@@ -4117,8 +4399,9 @@ sub run_user_exit1( $ ) {
 	#
 	push_open $file;

-	if ( read_a_line1 ) {
+	if ( read_a_line( STRIP_COMMENTS | SUPPRESS_WHITESPACE  | CHECK_GUNK ) ) {
 	    close_file;
+	    pop_open;

 	    my $command = qq(package Shorewall::User;\n# line 1 "$file"\n) . `cat $file`;

@@ -4148,8 +4431,9 @@ sub run_user_exit2( $$ ) {
 	#
 	push_open $file;

-	if ( read_a_line1 ) {
+	if ( read_a_line( STRIP_COMMENTS | SUPPRESS_WHITESPACE  | CHECK_GUNK ) ) {
 	    close_file;
+	    pop_open;

 	    unless (my $return = eval `cat $file` ) {
 		fatal_error "Couldn't parse $file: $@" if $@;
--- a/Shorewall/Perl/Shorewall/Misc.pm
+++ b/Shorewall/Perl/Shorewall/Misc.pm
@@ -79,7 +79,7 @@ sub process_tos() {
 		       }
 		   );

-	while ( read_a_line ) {
+	while ( read_a_line( NORMAL_READ ) ) {

 	    my ($src, $dst, $proto, $ports, $sports , $tos, $mark ) = split_line 'tos file entry', { source => 0, dest => 1, proto => 2, dport => 3, sport => 4, tos => 5, mark => 6 } ;

@@ -149,7 +149,7 @@ sub setup_ecn()
 			   warning_message 'ECN will not be applied to forwarded packets' unless have_capability 'MANGLE_FORWARD';
 		       } );

-	while ( read_a_line ) {
+	while ( read_a_line( NORMAL_READ ) ) {

 	    my ($interface, $hosts ) = split_line 'ecn file entry', { interface => 0, hosts => 1 };

@@ -227,7 +227,7 @@ sub setup_blacklist() {

 	    first_entry "$doing $fn...";

-	    while ( read_a_line ) {
+	    while ( read_a_line ( NORMAL_READ ) ) {

 		if ( $first_entry ) {
 		    unless  ( @$zones || @$zones1 ) {
@@ -346,7 +346,7 @@ sub remove_blacklist( $ ) {

    open $newfile, '>', "$fn.new" or fatal_error "Unable to open $fn.new for output: $!";

-    while ( read_a_line(1,1,0) ) {
+    while ( read_a_line( EMBEDDED_ENABLED | EXPAND_VARIABLES ) ) {
 	my ( $rule, $comment ) = split '#', $currentline, 2;

 	if ( $rule =~ /blacklist/ ) {
@@ -396,7 +396,7 @@ sub convert_blacklist() {

 	first_entry "Converting $fn...";

-	while ( read_a_line ) {
+	while ( read_a_line( NORMAL_READ ) ) {
 	    my ( $networks, $protocol, $ports, $options ) = split_line 'blacklist file', { networks => 0, proto => 1, port => 2, options => 3 };

 	    if ( $options eq '-' ) {
@@ -468,7 +468,7 @@ sub convert_blacklist() {
 		open $blrules, '>',  $fn1 or fatal_error "Unable to open $fn1: $!";
 		print $blrules <<'EOF';
 #
-# Shorewall version 5 - Blacklist Rules File
+# Shorewall version 4.5 - Blacklist Rules File
 #
 # For information about entries in this file, type "man shorewall-blrules"
 #
@@ -554,7 +554,7 @@ sub process_routestopped() {

 	first_entry "$doing $fn...";

-	while ( read_a_line ) {
+	while ( read_a_line ( NORMAL_READ ) ) {

 	    my ($interface, $hosts, $options , $proto, $ports, $sports ) =
 		split_line 'routestopped file', { interface => 0, hosts => 1, options => 2, proto => 3, dport => 4, sport => 5 };
@@ -1097,7 +1097,7 @@ sub setup_mac_lists( $ ) {

 	    first_entry "$doing $fn...";

-	    while ( read_a_line ) {
+	    while ( read_a_line( NORMAL_READ ) ) {

 		my ( $original_disposition, $interface, $mac, $addresses  ) = split_line1 'maclist file', { disposition => 0, interface => 1, mac => 2, addresses => 3 };

@@ -1403,11 +1403,12 @@ sub add_interface_jumps {

 	if ( $interfaceref->{options}{port} ) {
 	    my $bridge = $interfaceref->{bridge};
+
 	    add_ijump ( $filter_table->{forward_chain $bridge},
 			j => 'ACCEPT',
 			imatch_source_dev( $interface, 1),
 			imatch_dest_dev( $interface, 1)
-		     ) unless $interfaceref->{nets} || ! $interfaceref->{options}{bridge};
+		     ) unless $interfaceref->{nets};

 	    add_ijump( $filter_table->{forward_chain $bridge} ,
 		       j => $forwardref ,
@@ -1476,22 +1477,26 @@ sub generate_matrix() {
    progress_message  '  Handling complex zones...';

    #
-    # Special processing for complex configurations
+    # Special processing for configurations with more than 2 off-firewall zones or with other special considerations like IPSEC.
    #
    for my $zone ( @zones ) {
 	my $zoneref = find_zone( $zone );

-	next if  @zones <= 2 && ! $zoneref->{options}{complex};
+	next if  @zones <= 2 && ! $zoneref->{complex};
 	#
-	# Complex zone or we have more than one non-firewall zone -- process_rules created a zone forwarding chain
+	# Complex zone or we have more than two off-firewall zones -- Shorewall::Rules::classic_blacklist created a zone forwarding chain
 	#
 	my $frwd_ref = $filter_table->{zone_forward_chain( $zone )};

+	assert( $frwd_ref, $zone );
+	#
+	# Add Zone mark if any
+	#
 	add_ijump( $frwd_ref , j => 'MARK --set-mark ' . in_hex( $zoneref->{mark} ) . '/' . in_hex( $globals{ZONE_MASK} ) ) if $zoneref->{mark};

 	if ( have_ipsec ) {
 	    #
-	    # Because policy match only matches an 'in' or an 'out' policy (but not both), we have to place the
+	    # Prior to KLUDGEFREE, policy match could only match an 'in' or an 'out' policy (but not both), so we place the
 	    # '--pol ipsec --dir in' rules at the front of the (interface) forwarding chains. Otherwise, decrypted packets
 	    # can match '--pol none --dir out' rules and send the packets down the wrong rules chain.
 	    #
@@ -1509,6 +1514,9 @@ sub generate_matrix() {
 			copy_rules( $sourcechainref, $frwd_ref, 1 ) unless $ipsec_jump_added{$zone}++;
 			$sourcechainref = $filter_table->{FORWARD};
 		    } elsif ( $interfaceref->{options}{port} ) {
+			#
+			# The forwarding chain for a bridge with ports is always used
+			#
 			add_ijump( $filter_table->{ forward_chain $interfaceref->{bridge} } ,
 				   j => $sourcechainref ,
 				   imatch_source_dev( $interface , 1 ) )
@@ -1518,6 +1526,9 @@ sub generate_matrix() {
 		    }
 		} else {
 		    if ( $interfaceref->{options}{port} ) {
+			#
+			# The forwarding chain for a bridge with ports is always used
+			#
 			$sourcechainref = $filter_table->{ forward_chain $interfaceref->{bridge} };
 			@interfacematch = imatch_source_dev $interface, 1;
 		    } else {
@@ -1560,13 +1571,12 @@ sub generate_matrix() {
 	my $source_hosts_ref = $zoneref->{hosts};
 	my $chain1           = rules_target firewall_zone , $zone;
 	my $chain2           = rules_target $zone, firewall_zone;
-	my $complex          = $zoneref->{options}{complex} || 0;
 	my $type             = $zoneref->{type};
 	my $frwd_ref         = $filter_table->{zone_forward_chain $zone};
 	my $chain            = 0;
 	my $dnatref          = ensure_chain 'nat' , dnat_chain( $zone );
 	my $notrackref       = ensure_chain 'raw' , notrack_chain( $zone );
-	my $nested           = $zoneref->{options}{nested};
+	my $nested           = @{$zoneref->{parents}};
 	my $parenthasnat     = 0;
 	my $parenthasnotrack = 0;

--- a/Shorewall/Perl/Shorewall/Nat.pm
+++ b/Shorewall/Perl/Shorewall/Nat.pm
@@ -276,7 +276,7 @@ sub setup_masq()

 	first_entry( sub { progress_message2 "$doing $fn..."; require_capability 'NAT_ENABLED' , 'a non-empty masq file' , 's'; } );

-	process_one_masq while read_a_line;
+	process_one_masq while read_a_line( NORMAL_READ );

 	clear_comment;
    }
@@ -373,7 +373,7 @@ sub setup_nat() {

 	first_entry( sub { progress_message2 "$doing $fn..."; require_capability 'NAT_ENABLED' , 'a non-empty nat file' , 's'; } );

-	while ( read_a_line ) {
+	while ( read_a_line( NORMAL_READ ) ) {

 	    my ( $external, $interfacelist, $internal, $allints, $localnat ) = split_line1 'nat file', { external => 0, interface => 1, internal => 2, allints => 3, local => 4 };

@@ -409,7 +409,7 @@ sub setup_netmap() {

 	first_entry "$doing $fn...";

-	while ( read_a_line ) {
+	while ( read_a_line( NORMAL_READ ) ) {

 	    my ( $type, $net1, $interfacelist, $net2, $net3, $proto, $dport, $sport ) = split_line 'netmap file', { type => 0, net1 => 1, interface => 2, net2 => 3, net3 => 4, proto => 5, dport => 6, sport => 7 };

--- a/Shorewall/Perl/Shorewall/Providers.pm
+++ b/Shorewall/Perl/Shorewall/Providers.pm
@@ -608,7 +608,8 @@ sub add_a_provider( $$ ) {
 	}
    }

-    emit( qq(echo $load > \${VARDIR}/${physical}_load) ) if $load;
+    emit( "echo $load > \${VARDIR}/${physical}_load",
+	  'echo ' . in_hex( $mark ) . '/' . in_hex( $globals{PROVIDER_MASK} ) . " > \${VARDIR}/${physical}_mark" ) if $load;

    emit( '',
 	  "cat <<EOF >> \${VARDIR}/undo_${table}_routing" );
@@ -618,6 +619,7 @@ sub add_a_provider( $$ ) {
    emit_unindented '        ;;';
    emit_unindented '    *)';
    emit_unindented "        rm -f \${VARDIR}/${physical}_load" if $load;
+    emit_unindented "        rm -f \${VARDIR}/${physical}_mark" if $load;
    emit_unindented <<"CEOF", 1;
        rm -f \${VARDIR}/${physical}.status
        ;;
@@ -630,12 +632,13 @@ CEOF
    setup_interface_proc( $interface );

    if ( $mark ne '-' ) {
+	my $hexmark = in_hex( $mark );
 	my $mask = have_capability 'FWMARK_RT_MASK' ? '/' . in_hex $globals{PROVIDER_MASK} : '';

-	emit ( "qt \$IP -$family rule del fwmark ${mark}${mask}" ) if $config{DELETE_THEN_ADD};
+	emit ( "qt \$IP -$family rule del fwmark ${hexmark}${mask}" ) if $config{DELETE_THEN_ADD};

-	emit ( "run_ip rule add fwmark ${mark}${mask} pref $pref table $number",
-	       "echo \"qt \$IP -$family rule del fwmark ${mark}${mask}\" >> \${VARDIR}/undo_${table}_routing"
+	emit ( "run_ip rule add fwmark ${hexmark}${mask} pref $pref table $number",
+	       "echo \"qt \$IP -$family rule del fwmark ${hexmark}${mask}\" >> \${VARDIR}/undo_${table}_routing"
 	     );
    }

@@ -759,7 +762,7 @@ CEOF
 		if ( $gateway ) {
 		    emit qq(add_gateway "via $gateway dev $physical $realm" ) . $tbl;
 		} else {
-		    emit qq(add_gateway "nexthop dev $physical $realm" ) . $tbl;
+		    emit qq(add_gateway "dev $physical $realm" ) . $tbl;
 		}
 	    }
 	    	} else {
@@ -861,7 +864,8 @@ CEOF
 		  "qt \$TC qdisc del dev $physical ingress\n" ) if $tcdevices->{$interface};
 	}

-	emit( "progress_message2 \"   Provider $table ($number) stopped\"" );
+	emit( "echo 1 > \${VARDIR}/${physical}.status",
+	      "progress_message2 \"   Provider $table ($number) stopped\"" );

 	pop_indent;

@@ -928,7 +932,7 @@ sub add_an_rtrule( ) {
 	    validate_net ( $source, 0 );
 	    $source = "from $source";
 	} else {
-	    $source = "iif $source";
+	    $source = 'iif ' . physical_name $source;
 	}
    } elsif ( $source =~  /^(.+?):<(.+)>\s*$/ ||  $source =~  /^(.+?):\[(.+)\]\s*$/ ) {
 	my ($interface, $source ) = ($1, $2);
@@ -939,7 +943,7 @@ sub add_an_rtrule( ) {
 	validate_net ( $source, 0 );
 	$source = "from $source";
    } else {
-	$source = "iif $source";
+	$source = 'iif ' . physical_name $source;
    }

    my $mark = '';
@@ -1114,6 +1118,10 @@ sub finish_providers() {
 	       '# We don\'t have any \'balance\' providers so we restore any default route that we\'ve saved',
 	       '#',
 	       "restore_default_route $config{USE_DEFAULT_RT}" ,
+	       '#',
+	       '# And delete any routes in the \'balance\' table',
+	       '#',
+	       "qt \$IP -$family route del default table " . BALANCE_TABLE,
 	       '' );
    }

@@ -1164,7 +1172,7 @@ sub process_providers( $ ) {

    if ( my $fn = open_file 'providers' ) {
 	first_entry "$doing $fn...";
-	process_a_provider, $providers++ while read_a_line;
+	process_a_provider, $providers++ while read_a_line( NORMAL_READ );
    }

    if ( $providers ) {
@@ -1183,7 +1191,7 @@ sub process_providers( $ ) {

 	    emit '';

-	    add_an_rtrule while read_a_line;
+	    add_an_rtrule while read_a_line( NORMAL_READ );
 	}

 	$fn = open_file 'routes';
@@ -1191,7 +1199,7 @@ sub process_providers( $ ) {
 	if ( $fn ) {
 	    first_entry "$doing $fn...";
 	    emit '';
-	    add_a_route while read_a_line;
+	    add_a_route while read_a_line( NORMAL_READ );
 	}
    }

--- a/Shorewall/Perl/Shorewall/Proxyarp.pm
+++ b/Shorewall/Perl/Shorewall/Proxyarp.pm
@@ -120,7 +120,7 @@ sub setup_proxy_arp() {

 	my ( %set, %reset );

-	while ( read_a_line ) {
+	while ( read_a_line( NORMAL_READ ) ) {

 	    my ( $address, $interface, $external, $haveroute, $persistent ) =
 		split_line $file_opt . 'file ', { address => 0, interface => 1, external => 2, haveroute => 3, persistent => 4 };
--- a/Shorewall/Perl/Shorewall/Raw.pm
+++ b/Shorewall/Perl/Shorewall/Raw.pm
@@ -130,7 +130,7 @@ sub setup_notrack() {

 	my $nonEmpty = 0;

-	while ( read_a_line ) {	    
+	while ( read_a_line( NORMAL_READ ) ) {
 	    my ( $source, $dest, $proto, $ports, $sports, $user );

 	    if ( $format == 1 ) {
--- a/Shorewall/Perl/Shorewall/Rules.pm
+++ b/Shorewall/Perl/Shorewall/Rules.pm
@@ -529,7 +529,7 @@ sub process_policies()

    if ( my $fn = open_file 'policy' ) {
 	first_entry "$doing $fn...";
-	process_a_policy while read_a_line;
+	process_a_policy while read_a_line( NORMAL_READ );
    } else {
 	fatal_error q(The 'policy' file does not exist or has zero size);
    }
@@ -1394,7 +1394,7 @@ sub process_actions() {
    for my $file ( qw/actions.std actions/ ) {
 	open_file $file;

-	while ( read_a_line ) {
+	while ( read_a_line( NORMAL_READ ) ) {
 	    my ( $action ) = split_line 'action file' , { action => 0 };

 	    if ( $action =~ /:/ ) {
@@ -1454,7 +1454,7 @@ sub process_action( $) {

 	push_comment( '' );

-	while ( read_a_line ) {
+	while ( read_a_line( NORMAL_READ ) ) {

 	    my ($target, $source, $dest, $proto, $ports, $sports, $origdest, $rate, $user, $mark, $connlimit, $time, $headers, $condition );

@@ -1547,7 +1547,7 @@ sub process_macro ( $$$$$$$$$$$$$$$$$$ ) {

    push_open $macrofile;

-    while ( read_a_line ) {
+    while ( read_a_line( NORMAL_READ ) ) {

 	my ( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $morigdest, $mrate, $muser, $mmark, $mconnlimit, $mtime, $mheaders, $mcondition );

@@ -1589,7 +1589,7 @@ sub process_macro ( $$$$$$$$$$$$$$$$$$ ) {

 	my $actiontype = $targets{$action} || find_macro( $action );

-	fatal_error "Invalid Action ($mtarget) in macro" unless $actiontype & ( ACTION +  STANDARD + NATRULE +  MACRO );
+	fatal_error "Invalid Action ($mtarget) in macro" unless $actiontype & ( ACTION +  STANDARD + NATRULE + MACRO + CHAIN );

 	if ( $msource ) {
 	    if ( $msource eq '-' ) {
@@ -2458,6 +2458,12 @@ sub process_rule ( ) {
    progress_message qq(   Rule "$thisline" $done);
 }

+sub intrazone_allowed( $$ ) {
+    my ( $zone, $zoneref ) = @_;
+
+    $zoneref->{complex} && $filter_table->{rules_chain( $zone, $zone )}{policy} ne 'NONE';
+}
+
 #
 # Add jumps to the blacklst and blackout chains
 #
@@ -2470,7 +2476,7 @@ sub classic_blacklist() {

    for my $zone ( @zones ) {
 	my $zoneref = find_zone( $zone );
-	my $simple  =  @zones <= 2 && ! $zoneref->{options}{complex};
+	my $simple  =  @zones <= 2 && ! $zoneref->{complex};

 	if ( $zoneref->{options}{in}{blacklist} ) {
 	    my $blackref = $filter_table->{blacklst};
@@ -2484,7 +2490,7 @@ sub classic_blacklist() {
 		    my $ruleschain    = rules_chain( $zone, $zone1 );
 		    my $ruleschainref = $filter_table->{$ruleschain};

-		    if ( ( $zone ne $zone1 || $ruleschainref->{referenced} ) && $ruleschainref->{policy} ne 'NONE' ) {
+		    if ( $zone ne $zone1 || intrazone_allowed( $zone, $zoneref ) ) {
 			add_ijump( ensure_rules_chain( $ruleschain ), j => $blackref, @state );
 		    }
 		}
@@ -2501,7 +2507,7 @@ sub classic_blacklist() {
 		my $ruleschain    = rules_chain( $zone1, $zone );
 		my $ruleschainref = $filter_table->{$ruleschain};

-		if ( ( $zone ne $zone1 || $ruleschainref->{referenced} ) && $ruleschainref->{policy} ne 'NONE' ) {
+		if ( ( $zone ne $zone1 || intrazone_allowed( $zone, $zoneref ) ) ) {
 		    add_ijump( ensure_rules_chain( $ruleschain ), j => $blackref, @state );
 		}
 	    }
@@ -2561,20 +2567,25 @@ sub process_rules( $ ) {
 		     }
 		   );

-	process_rule while read_a_line;
+	process_rule while read_a_line( NORMAL_READ );
    }

    $section = '';

    add_interface_options( $blrules );

+    #
+    # Handle MSS settings in the zones file
+    #
+    setup_zone_mss;
+
    $fn = open_file 'rules';

    if ( $fn ) {

 	first_entry "$doing $fn...";

-	process_rule while read_a_line;
+	process_rule while read_a_line( NORMAL_READ );

 	clear_comment;
    }
--- a/Shorewall/Perl/Shorewall/Tc.pm
+++ b/Shorewall/Perl/Shorewall/Tc.pm
@@ -197,11 +197,11 @@ sub process_tc_rule( ) {
    my ( $originalmark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability , $dscp );
    if ( $family == F_IPV4 ) {
 	( $originalmark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $probability, $dscp ) =
-	    split_line1 'tcrules file', { mark => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5, user => 6, test => 7, length => 8, tos => 9, connbytes => 10, helper => 11, probability => 12 , dscp => 13 };
+	    split_line1 'tcrules file', { mark => 0, action => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5, user => 6, test => 7, length => 8, tos => 9, connbytes => 10, helper => 11, probability => 12 , dscp => 13 }, undef , 14;
 	$headers = '-';
    } else {
 	( $originalmark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability, $dscp ) =
-	    split_line1 'tcrules file', { mark => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5, user => 6, test => 7, length => 8, tos => 9, connbytes => 10, helper => 11, headers => 12, probability => 13 , dscp => 14 };
+	    split_line1 'tcrules file', { mark => 0, action => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5, user => 6, test => 7, length => 8, tos => 9, connbytes => 10, helper => 11, headers => 12, probability => 13 , dscp => 14 }, undef, 15;
    }

    our @tccmd;
@@ -1039,7 +1039,7 @@ sub validate_tc_class( ) {
 	fatal_error "Unknown Parent class ($parentnum)" unless $parentref && $parentref->{occurs} == 1;
 	fatal_error "The class ($parentnum) specifies UMAX and/or DMAX; it cannot serve as a parent" if $parentref->{dmax};
 	fatal_error "The class ($parentnum) specifies flow; it cannot serve as a parent"             if $parentref->{flow};
-	fatal_error "The default class ($parentnum) may not have sub-classes"                        if defined $devref->{default} && $devref->{default} == $parentclass;
+	fatal_error "The default class ($parentnum) may not have sub-classes"                        if ( $devref->{default} || 0 ) == $parentclass;
 	$parentref->{leaf} = 0;
 	$ratemax  = $parentref->{rate};
 	$ratename = q(the parent class's RATE);
@@ -1455,7 +1455,7 @@ sub process_tcfilters() {

 	first_entry( "$doing $fn..." );

-	while ( read_a_line ) {
+	while ( read_a_line( NORMAL_READ ) ) {
 	    if ( $currentline =~ /^\s*IPV4\s*$/ ) {
 		Shorewall::IPAddrs::initialize( $family = F_IPV4 ) unless $family == F_IPV4;
 	    } elsif ( $currentline =~ /^\s*IPV6\s*$/ ) {
@@ -1555,7 +1555,7 @@ sub process_tcinterfaces() {

    if ( $fn ) {
 	first_entry "$doing $fn...";
-	process_simple_device while read_a_line;
+	process_simple_device while read_a_line( NORMAL_READ );
    }
 }

@@ -1573,7 +1573,7 @@ sub process_tcpri() {
 		warning_message "There are entries in $fn1 but $fn was empty" unless @tcdevices || $family == F_IPV6;
 	    };

-	process_tc_priority while read_a_line;
+	process_tc_priority while read_a_line( NORMAL_READ );

 	clear_comment;

@@ -1604,7 +1604,7 @@ sub process_traffic_shaping() {
    if ( $fn ) {
 	first_entry "$doing $fn...";

-	validate_tc_device while read_a_line;
+	validate_tc_device while read_a_line( NORMAL_READ );
    }

    $devnum = $devnum > 10 ? 10 : 1;
@@ -1614,7 +1614,7 @@ sub process_traffic_shaping() {
    if ( $fn ) {
 	first_entry "$doing $fn...";

-	validate_tc_class while read_a_line;
+	validate_tc_class while read_a_line( NORMAL_READ );
    }

    process_tcfilters;
@@ -1959,13 +1959,13 @@ sub setup_tc() {
    if ( $config{TC_ENABLED} ) {
 	our  @tccmd = ( { match     => sub ( $ ) { $_[0] eq 'SAVE' } ,
 			  target    => 'CONNMARK --save-mark --mask' ,
-			  mark      => SMALLMARK ,
+			  mark      => $config{TC_EXPERT} ? HIGHMARK : SMALLMARK,
 			  mask      => in_hex( $globals{TC_MASK} ) ,
 			  connmark  => 1
 			} ,
 			{ match     => sub ( $ ) { $_[0] eq 'RESTORE' },
 			  target    => 'CONNMARK --restore-mark --mask' ,
-			  mark      => SMALLMARK ,
+			  mark      => $config{TC_EXPERT} ? HIGHMARK : SMALLMARK ,
 			  mask      => in_hex( $globals{TC_MASK} ) ,
 			  connmark  => 1
 			} ,
@@ -2038,7 +2038,7 @@ sub setup_tc() {

 	    first_entry "$doing $fn...";

-	    process_tc_rule while read_a_line;
+	    process_tc_rule while read_a_line( NORMAL_READ );

 	    clear_comment;
 	}
@@ -2049,7 +2049,7 @@ sub setup_tc() {

 	    first_entry "$doing $fn...";

-	    process_secmark_rule while read_a_line;
+	    process_secmark_rule while read_a_line( NORMAL_READ );

 	    clear_comment;
 	}
--- a/Shorewall/Perl/Shorewall/Tunnels.pm
+++ b/Shorewall/Perl/Shorewall/Tunnels.pm
@@ -234,7 +234,7 @@ sub setup_tunnels() {
    }

    sub setup_one_tunnel($$$$) {
-	my ( $kind , $zone, $gateway, $gatewayzones ) = @_;
+	my ( $kind , $zone, $gateways, $gatewayzones ) = @_;

 	my $zonetype = zone_type( $zone );

@@ -243,35 +243,42 @@ sub setup_tunnels() {
 	my $inchainref  = ensure_rules_chain( rules_chain( ${zone}, ${fw} ) );
 	my $outchainref = ensure_rules_chain( rules_chain( ${fw}, ${zone} ) );

-	$gateway = ALLIP if $gateway eq '-';
+	$gateways = ALLIP if $gateways eq '-';

-	my @source = imatch_source_net $gateway;
-	my @dest   = imatch_dest_net   $gateway;
+	my ( $net, $excl ) = handle_network_list( $gateways , 'src' );
+	( $net, $excl )    = handle_network_list( $gateways , 'dst' );

-	my %tunneltypes = ( 'ipsec'         => { function => \&setup_one_ipsec ,         params   => [ $kind, \@source, \@dest , $gatewayzones ] } ,
-			    'ipsecnat'      => { function => \&setup_one_ipsec ,         params   => [ $kind, \@source, \@dest , $gatewayzones ] } ,
-			    'ipip'          => { function => \&setup_one_other,          params   => [ \@source, \@dest , 4 ] } ,
-			    'gre'           => { function => \&setup_one_other,          params   => [ \@source, \@dest , 47 ] } ,
-			    '6to4'          => { function => \&setup_one_other,          params   => [ \@source, \@dest , 41 ] } ,
-			    '6in4'          => { function => \&setup_one_other,          params   => [ \@source, \@dest , 41 ] } ,
-			    'pptpclient'    => { function => \&setup_pptp_client,        params   => [ $kind, \@source, \@dest ] } ,
-			    'pptpserver'    => { function => \&setup_pptp_server,        params   => [ $kind, \@source, \@dest ] } ,
-			    'openvpn'       => { function => \&setup_one_openvpn,        params   => [ $kind, \@source, \@dest ] } ,
-			    'openvpnclient' => { function => \&setup_one_openvpn_client, params   => [ $kind, \@source, \@dest ] } ,
-			    'openvpnserver' => { function => \&setup_one_openvpn_server, params   => [ $kind, \@source, \@dest ] } ,
-			    'l2tp'          => { function => \&setup_one_l2tp ,          params   => [ $kind, \@source, \@dest ] } ,
-			    'generic'       => { function => \&setup_one_generic ,       params   => [ $kind, \@source, \@dest ] } ,
-			  );
+	fatal_error "Exclusion is not allowed in the GATEWAYS column" if $excl;

-	$kind = "\L$kind";
+	for my $gateway ( split_list $gateways, 'GATEWAYS' ) {
+	    my @source = imatch_source_net $gateway;
+	    my @dest   = imatch_dest_net   $gateway;

-	(my $type) = split /:/, $kind;
+	    my %tunneltypes = ( 'ipsec'         => { function => \&setup_one_ipsec ,         params   => [ $kind, \@source, \@dest , $gatewayzones ] } ,
+				'ipsecnat'      => { function => \&setup_one_ipsec ,         params   => [ $kind, \@source, \@dest , $gatewayzones ] } ,
+				'ipip'          => { function => \&setup_one_other,          params   => [ \@source, \@dest , 4 ] } ,
+				'gre'           => { function => \&setup_one_other,          params   => [ \@source, \@dest , 47 ] } ,
+				'6to4'          => { function => \&setup_one_other,          params   => [ \@source, \@dest , 41 ] } ,
+				'6in4'          => { function => \&setup_one_other,          params   => [ \@source, \@dest , 41 ] } ,
+				'pptpclient'    => { function => \&setup_pptp_client,        params   => [ $kind, \@source, \@dest ] } ,
+				'pptpserver'    => { function => \&setup_pptp_server,        params   => [ $kind, \@source, \@dest ] } ,
+				'openvpn'       => { function => \&setup_one_openvpn,        params   => [ $kind, \@source, \@dest ] } ,
+				'openvpnclient' => { function => \&setup_one_openvpn_client, params   => [ $kind, \@source, \@dest ] } ,
+				'openvpnserver' => { function => \&setup_one_openvpn_server, params   => [ $kind, \@source, \@dest ] } ,
+				'l2tp'          => { function => \&setup_one_l2tp ,          params   => [ $kind, \@source, \@dest ] } ,
+				'generic'       => { function => \&setup_one_generic ,       params   => [ $kind, \@source, \@dest ] } ,
+			      );

-	my $tunnelref = $tunneltypes{ $type };
+	    $kind = "\L$kind";

-	fatal_error "Tunnels of type $type are not supported" unless $tunnelref;
+	    (my $type) = split /:/, $kind;

-	$tunnelref->{function}->( $inchainref, $outchainref, @{$tunnelref->{params}} );
+	    my $tunnelref = $tunneltypes{ $type };
+
+	    fatal_error "Tunnels of type $type are not supported" unless $tunnelref;
+
+	    $tunnelref->{function}->( $inchainref, $outchainref, @{$tunnelref->{params}} );
+	}

 	progress_message "   Tunnel \"$currentline\" $done";
    }
@@ -283,16 +290,16 @@ sub setup_tunnels() {

 	first_entry "$doing $fn...";

-	while ( read_a_line ) {
+	while ( read_a_line( NORMAL_READ ) ) {

-	    my ( $kind, $zone, $gateway, $gatewayzones ) = split_line1 'tunnels file', { type => 0, zone => 1, gateway => 2, gateway_zone => 3 };
+	    my ( $kind, $zone, $gateway, $gatewayzones ) = split_line1 'tunnels file', { type => 0, zone => 1, gateway => 2, gateways => 2, gateway_zone => 3 }, undef, 4;

 	    fatal_error 'TYPE must be specified' if $kind eq '-';
-	    fatal_error 'ZONE must be specified' if $zone eq '-';

 	    if ( $kind eq 'COMMENT' ) {
 		process_comment;
 	    } else {
+		fatal_error 'ZONE must be specified' if $zone eq '-';
 		setup_one_tunnel $kind, $zone, $gateway, $gatewayzones;
 	    }
 	}
--- a/Shorewall/Perl/Shorewall/Zones.pm
+++ b/Shorewall/Perl/Shorewall/Zones.pm
@@ -83,6 +83,7 @@ our @EXPORT = qw( NOTHING
 		  compile_updown
 		  validate_hosts_file
 		  find_hosts_by_option
+		  find_zone_hosts_by_option
 		  find_zones_by_option
 		  all_ipsets
 		  have_ipsec
@@ -113,11 +114,10 @@ use constant { IN_OUT     => 1,
 #
 #     @zones contains the ordered list of zones with sub-zones appearing before their parents.
 #
-#     %zones{<zone1> => {type = >      <zone type>       FIREWALL, IP, IPSEC, BPORT;
-#                        options =>    { complex => 0|1
-#                                        nested  => 0|1
-#                                        super   => 0|1
-#                                        in_out  => < policy match string >
+#     %zones{<zone1> => {type =>       <zone type>       FIREWALL, IP, IPSEC, BPORT;
+#                        complex =>    0|1
+#                        super   =>    0|1
+#                        options =>    { in_out  => < policy match string >
 #                                        in      => < policy match string >
 #                                        out     => < policy match string >
 #                                      }
@@ -309,6 +309,7 @@ sub initialize( $$ ) {
 			     broadcast => 1,
 			     destonly => 1,
 			     sourceonly => 1,
+			     mss => 1,
 			    );
 	%zonetypes = ( 1 => 'firewall', 2 => 'ipv4', 4 => 'bport4', 8 => 'ipsec4', 16 => 'vserver' );
    } else {
@@ -335,6 +336,7 @@ sub initialize( $$ ) {
 			     maclist => 1,
 			     routeback => 1,
 			     tcpflags => 1,
+			     mss => 1,
 			    );
 	%zonetypes = ( 1 => 'firewall', 2 => 'ipv6', 4 => 'bport6', 8 => 'ipsec4', 16 => 'vserver' );
    }
@@ -408,8 +410,8 @@ sub set_super( $ ); #required for recursion
 sub set_super( $ ) {
    my $zoneref = shift;

-    unless ( $zoneref->{options}{super} ) {
-	$zoneref->{options}{super} = 1;
+    unless ( $zoneref->{super} ) {
+	$zoneref->{super} = 1;
 	set_super( $zones{$_} ) for @{$zoneref->{parents}};
    }
 }
@@ -487,10 +489,9 @@ sub process_zone( \$ ) {
 				    options    => { in_out  => parse_zone_option_list( $options , $type, $complex , IN_OUT ) ,
 						    in      => parse_zone_option_list( $in_options , $type , $complex , IN ) ,
 						    out     => parse_zone_option_list( $out_options , $type , $complex , OUT ) ,
-						    complex => ( $type & IPSEC || $complex ) ,
-						    nested  => @parents > 0 ,
-						    super   => 0 ,
 						  } ,
+				    super      => 0 ,
+				    complex    => ( $type & IPSEC || $complex ) ,
 				    interfaces => {} ,
 				    children   => [] ,
 				    hosts      => {}
@@ -506,7 +507,7 @@ sub process_zone( \$ ) {
 		fatal_error "Zone mark overflow - please increase the setting of ZONE_BITS" if $zonemark >= $zonemarklimit;
 		$mark      = $zonemark;
 		$zonemark += $zonemarkincr;
-		$zoneref->{options}{complex} = 1;
+		$zoneref->{complex} = 1;
 	    }
 	}

@@ -517,7 +518,6 @@ sub process_zone( \$ ) {
 	}
    }

-
    if ( $zoneref->{options}{in_out}{blacklist} ) {
 	for ( qw/in out/ ) {
 	    unless ( $zoneref->{options}{$_}{blacklist} ) {
@@ -545,7 +545,7 @@ sub determine_zones()

    if ( my $fn = open_file 'zones' ) {
 	first_entry "$doing $fn...";
-	push @z, process_zone( $ip ) while read_a_line;
+	push @z, process_zone( $ip ) while read_a_line( NORMAL_READ );
    } else {
 	fatal_error q(The 'zones' file does not exist or has zero size);
    }
@@ -775,7 +775,7 @@ sub add_group_to_zone($$$$$)

    fatal_error "Duplicate Host Group ($interface:" . ALLIP . ") in zone $zone" if $allip && @$interfaceref;

-    $zoneref->{options}{complex} = 1 if @$interfaceref || @newnetworks > 1 || @exclusions || $options->{routeback};
+    $zoneref->{complex} = 1 if @$interfaceref || @newnetworks > 1 || @exclusions || $options->{routeback};

    push @{$interfaceref}, { options => $options,
 			     hosts   => \@newnetworks,
@@ -842,7 +842,7 @@ sub all_parent_zones() {
 }

 sub complex_zones() {
-    grep( $zones{$_}{options}{complex} , @zones );
+    grep( $zones{$_}{complex} , @zones );
 }

 sub vserver_zones() {
@@ -934,7 +934,7 @@ sub process_interface( $$ ) {
 	    return;
 	}

-	fatal_error "Invalid FORMAT ($1)";
+	fatal_error "Invalid FORMAT ($originalinterface)";
    }

    if ( $zone eq '-' ) {
@@ -1214,7 +1214,7 @@ sub validate_interfaces_file( $ ) {

    if ( my $fn = open_file 'interfaces' ) {
 	first_entry "$doing $fn...";
-	push @ifaces, process_interface( $nextinum++, $export ) while read_a_line;
+	push @ifaces, process_interface( $nextinum++, $export ) while read_a_line( NORMAL_READ );
    } else {
 	fatal_error q(The 'interfaces' file does not exist or has zero size);
    }
@@ -1842,7 +1842,7 @@ sub process_host( ) {
    }

    if ( $hosts =~ /^!?\+/ ) {
-	$zoneref->{options}{complex} = 1;
+	$zoneref->{complex} = 1;
 	fatal_error "ipset name qualification is disallowed in this file" if $hosts =~ /[\[\]]/;
 	fatal_error "Invalid ipset name ($hosts)" unless $hosts =~ /^!?\+[a-zA-Z][-\w]*$/;
    }
@@ -1866,12 +1866,16 @@ sub process_host( ) {
 	    if ( $option eq 'ipsec' ) {
 		require_capability 'POLICY_MATCH' , q(The 'ipsec' option), 's';
 		$type = IPSEC;
-		$zoneref->{options}{complex} = 1;
+		$zoneref->{complex} = 1;
 		$ipsec = $interfaceref->{ipsec} = 1;
 	    } elsif ( $option eq 'norfc1918' ) {
 		warning_message "The 'norfc1918' host option is no longer supported"
 	    } elsif ( $option eq 'blacklist' ) {
 		$zoneref->{options}{in}{blacklist} = 1;
+	    } elsif ( $option =~ /^mss=(\d+)$/ ) {
+		fatal_error "Invalid mss ($1)" unless $1 >= 500;
+		$options{mss} = $1;
+		$zoneref->{options}{complex} = 1;
 	    } elsif ( $validhostoptions{$option}) {
 		fatal_error qq(The "$option" option is not allowed with Vserver zones) if $type & VSERVER && ! ( $validhostoptions{$option} & IF_OPTION_VSERVER );
 		$options{$option} = 1;
@@ -1931,12 +1935,12 @@ sub validate_hosts_file()

    if ( my $fn = open_file 'hosts' ) {
 	first_entry "$doing $fn...";
-	$ipsec |= process_host while read_a_line;
+	$ipsec |= process_host while read_a_line( NORMAL_READ );
    }

    $have_ipsec = $ipsec || haveipseczones;

-    $_->{options}{complex} ||= ( keys %{$_->{interfaces}} > 1 ) for values %zones;
+    $_->{complex} ||= ( keys %{$_->{interfaces}} > 1 ) for values %zones;
 }

 #
@@ -1948,7 +1952,7 @@ sub have_ipsec() {

 #
 # Returns a reference to a array of host entries. Each entry is a
-# reference to an array containing ( interface , polciy match type {ipsec|none} , network , exclusions );
+# reference to an array containing ( interface , polciy match type {ipsec|none} , network , exclusions, value );
 #
 sub find_hosts_by_option( $ ) {
    my $option = $_[0];
@@ -1958,9 +1962,9 @@ sub find_hosts_by_option( $ ) {
 	while ( my ($type, $interfaceref) = each %{$zones{$zone}{hosts}} ) {
 	    while ( my ( $interface, $arrayref) = ( each %{$interfaceref} ) ) {
 		for my $host ( @{$arrayref} ) {
-		    if ( $host->{options}{$option} ) {
+		    if ( my $value = $host->{options}{$option} ) {
 			for my $net ( @{$host->{hosts}} ) {
-			    push @hosts, [ $interface, $host->{ipsec} , $net , $host->{exclusions}];
+			    push @hosts, [ $interface, $host->{ipsec} , $net , $host->{exclusions}, $value ];
 			}
 		    }
 		}
@@ -1977,6 +1981,30 @@ sub find_hosts_by_option( $ ) {
    \@hosts;
 }

+#
+# As above but for a single zone
+#
+sub find_zone_hosts_by_option( $$ ) {
+    my ($zone, $option ) = @_;
+    my @hosts;
+
+    unless ( $zones{$zone}{type} & FIREWALL ) {
+	while ( my ($type, $interfaceref) = each %{$zones{$zone}{hosts}} ) {
+	    while ( my ( $interface, $arrayref) = ( each %{$interfaceref} ) ) {
+		for my $host ( @{$arrayref} ) {
+		    if ( my $value = $host->{options}{$option} ) {
+			for my $net ( @{$host->{hosts}} ) {
+			    push @hosts, [ $interface, $host->{ipsec} , $net , $host->{exclusions}, $value ];
+			}
+		    }
+		}
+	    }
+	}
+    }
+
+    \@hosts;
+}
+
 #
 # Returns a reference to a list of zones with the passed in/out option
 #
--- a/Shorewall/Perl/compiler.pl
+++ b/Shorewall/Perl/compiler.pl
@@ -37,6 +37,7 @@
 #         --log_verbosity=<number>    # Log Verbosity range -1 to 2
 #         --family=<number>           # IP family; 4 = IPv4 (default), 6 = IPv6
 #         --preview                   # Preview the ruleset.
+#         --shorewallrc=<path>        # Path to shorewallrc file.
 #         --config_path=<path-list>   # Search path for config files
 #
 use strict;
@@ -65,6 +66,7 @@ sub usage( $ ) {
    [ --annotate ]
    [ --update ]
    [ --convert ]
+    [ --shorewallrc=<pathname> ]
    [ --config_path=<path-list> ]
 ';

@@ -91,6 +93,7 @@ my $annotate      = 0;
 my $update        = 0;
 my $convert       = 0;
 my $config_path   = '';
+my $shorewallrc   = '';

 Getopt::Long::Configure ('bundling');

@@ -122,6 +125,7 @@ my $result = GetOptions('h'               => \$help,
 			'update'          => \$update,
 			'convert'         => \$convert,
 			'config_path=s'   => \$config_path,
+			'shorewallrc=s'   => \$shorewallrc,
 		       );

 usage(1) unless $result && @ARGV < 2;
@@ -144,4 +148,5 @@ compiler( script          => $ARGV[0] || '',
 	  convert         => $convert,
 	  annotate        => $annotate,
 	  config_path     => $config_path,
+	  shorewallrc     => $shorewallrc
 	);
--- a/Shorewall/Perl/getparams
+++ b/Shorewall/Perl/getparams
@@ -33,7 +33,19 @@ else
    g_program=shorewall
 fi

-. /usr/share/shorewall/lib.cli
+#
+# This is modified by the installer when ${SHAREDIR} != /usr/share
+#
+. /usr/share/shorewall/shorewallrc
+
+g_libexec="$LIBEXECDIR"
+g_sharedir="$SHAREDIR"/shorewall
+g_sbindir="$SBINDIR"
+g_perllib="$PERLLIBDIR"
+g_confdir="$CONFDIR"/shorewall
+g_readrc=1
+
+. $g_sharedir/lib.cli

 CONFIG_PATH="$2"

--- a/Shorewall/Perl/prog.footer
+++ b/Shorewall/Perl/prog.footer
@@ -235,8 +235,8 @@ case "$COMMAND" in
 	    status=2
 	elif checkkernelversion; then
 	    if [ $# -eq 1 ]; then
-		$IP6TABLES -Z
-		$IP6TABLES -t mangle -Z
+		$g_tool -Z
+		$g_tool -t mangle -Z
 		date > ${VARDIR}/restarted
 		status=0
 		progress_message3 "$g_product Counters Reset"
@@ -245,7 +245,7 @@ case "$COMMAND" in
 		status=0
 		for chain in $@; do
 		    if chain_exists $chain; then
-			if qt $IP6TABLES -Z $chain; then
+			if qt $g_tool-Z $chain; then
 			    progress_message3 "Filter $chain Counters Reset"
 			else
 			    error_message "ERROR: Reset of chain $chain failed"
--- a/Shorewall/Perl/prog.header
+++ b/Shorewall/Perl/prog.header
@@ -1,402 +0,0 @@
-#     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
-#
-#     (c) 1999-2011 - Tom Eastep (teastep@shorewall.net)
-#
-#	Options are:
-#
-#	    -n				  Don't alter Routing
-#	    -v and -q			  Standard Shorewall Verbosity control
-#           -t                            Timestamp progress messages
-#           -p                            Purge conntrack table
-#           -r                            Recover from failed start/restart
-#           -V <verbosity>                Set verbosity level explicitly
-#           -R <restore>                  Overrides RESTOREFILE setting
-#
-#	Commands are:
-#
-#	   start			  Starts the firewall
-#          refresh                        Refresh the firewall
-#	   restart			  Restarts the firewall
-#	   reload			  Reload the firewall
-#	   clear			  Removes all firewall rules
-#	   stop				  Stops the firewall
-#	   status			  Displays firewall status
-#	   version			  Displays the version of Shorewall that
-#	   				  generated this program
-#
-################################################################################
-# Functions imported from /usr/share/shorewall/prog.header
-################################################################################
-#
-# Find the value 'weight' in the passed arguments then echo the next value
-#
-
-find_weight() {
-    while [ $# -gt 1 ]; do
-	[ "x$1" = xweight ] && echo $2 && return
-	shift
-    done
-}
-
-#
-# Find the interfaces that have a route to the passed address - the default
-# route is not used.
-#
-
-find_rt_interface() {
-    $IP -4 route list | while read addr rest; do
-	case $addr in
-	    */*)
-		in_network ${1%/*} $addr && echo $(find_device $rest)
-		;;
-	    default)
-		;;
-	    *)
-		if [ "$addr" = "$1" -o "$addr/32" = "$1" ]; then
-		    echo $(find_device $rest)
-		fi
-		;;
-	esac
-    done
-}
-
-#
-# Echo the name of the interface(s) that will be used to send to the
-# passed address
-#
-
-find_interface_by_address() {
-    local dev
-    dev="$(find_rt_interface $1)"
-    local first
-    local rest
-
-    [ -z "$dev" ] && dev=$(find_default_interface)
-
-    [ -n "$dev" ] && echo $dev
-}
-
-#
-#  echo the list of networks routed out of a given interface
-#
-get_routed_networks() # $1 = interface name, $2-n = Fatal error message
-{
-    local address
-    local rest
-
-    $IP -4 route show dev $1 2> /dev/null |
-	while read address rest; do
-	    case "$address" in
-		default)
-		    if [ $# -gt 1 ]; then
-			shift
-			fatal_error "$@"
-		    else
-			echo "WARNING: default route ignored on interface $1" >&2
-		    fi
-		    ;;
-		multicast|broadcast|prohibit|nat|throw|nexthop)
-		    ;;
-		*)
-		    [ "$address" = "${address%/*}" ] && address="${address}/32"
-		    echo $address
-		    ;;
-	    esac
-        done
-}
-
-#
-# Get the broadcast addresses associated with an interface
-#
-get_interface_bcasts() # $1 = interface
-{
-    local addresses
-    addresses=
-
-    $IP -f inet addr show dev $1 2> /dev/null | grep 'inet.*brd' | sed 's/inet.*brd //; s/scope.*//;' | sort -u
-}
-
-#
-# Delete IP address
-#
-del_ip_addr() # $1 = address, $2 = interface
-{
-    [ $(find_first_interface_address_if_any $2) = $1 ] || qtnoin $IP addr del $1 dev $2
-}
-
-# Add IP Aliases
-#
-add_ip_aliases() # $* = List of addresses
-{
-    local local
-    local addresses
-    local external
-    local interface
-    local inet
-    local cidr
-    local rest
-    local val
-    local arping
-    arping=$(mywhich arping)
-
-    address_details()
-    {
-	#
-	# Folks feel uneasy if they don't see all of the same
-	# decoration on these IP addresses that they see when their
-	# distro's net config tool adds them. In an attempt to reduce
-	# the anxiety level, we have the following code which sets
-	# the VLSM and BRD from an existing address in the same networks
-	#
-	# Get all of the lines that contain inet addresses with broadcast
-	#
-	$IP -f inet addr show $interface 2> /dev/null | grep 'inet.*brd' | while read inet cidr rest ; do
-	    case $cidr in
-		*/*)
-		    if in_network $external $cidr; then
-			echo "/${cidr#*/} brd $(broadcastaddress $cidr)"
-			break
-		    fi
-		    ;;
-	    esac
-	done
-    }
-
-    do_one()
-    {
-	val=$(address_details)
-
-	$IP addr add ${external}${val} dev $interface $label
-	[ -n "$arping" ] && qt $arping -U -c 2 -I $interface $external
-	echo "$external $interface" >> $VARDIR/nat
-	[ -n "$label" ] && label="with $label"
-	progress_message "   IP Address $external added to interface $interface $label"
-    }
-
-    progress_message "Adding IP Addresses..."
-
-    while [ $# -gt 0 ]; do
-	external=$1
-	interface=$2
-	label=
-
-	if [ "$interface" != "${interface%:*}" ]; then
-	    label="${interface#*:}"
-	    interface="${interface%:*}"
-	    label="label $interface:$label"
-	fi
-
-	shift 2
-
-	list_search $external $(find_interface_addresses $interface) || do_one
-    done
-}
-
-#
-# Detect the gateway through a PPP or DHCP-configured interface
-#
-detect_dynamic_gateway() { # $1 = interface
-    local interface
-    interface=$1
-    local GATEWAYS
-    GATEWAYS=
-    local gateway
-
-    gateway=$(run_findgw_exit $1);
-
-    if [ -z "$gateway" ]; then
-	gateway=$( find_peer $($IP addr list $interface ) )
-    fi
-
-    if [ -z "$gateway" -a -f /var/lib/dhcpcd/dhcpcd-${1}.info ]; then
-	eval $(grep ^GATEWAYS=  /var/lib/dhcpcd/dhcpcd-${1}.info 2> /dev/null)
-	[ -n "$GATEWAYS" ] && GATEWAYS=${GATEWAYS%,*} && gateway=$GATEWAYS
-    fi
-
-    if [ -z "$gateway" -a -f /var/lib/dhcp/dhclient-${1}.lease ]; then
-	gateway=$(grep 'option routers' /var/lib/dhcp/dhclient-${1}.lease | tail -n 1 | while read j1 j2 gateway; do echo $gateway ; return 0; done)
-    fi
-
-    [ -n "$gateway" ] && echo $gateway
-}
-
-#
-# Detect the gateway through an interface
-#
-detect_gateway() # $1 = interface
-{
-    local interface
-    interface=$1
-    local gateway
-    #
-    # First assume that this is some sort of dynamic interface
-    #
-    gateway=$( detect_dynamic_gateway $interface )
-    #
-    # Maybe there's a default route through this gateway already
-    #
-    [ -n "$gateway" ] || gateway=$(find_gateway $($IP -4 route list dev $interface | grep ^default))
-    #
-    # Last hope -- is there a load-balancing route through the interface?
-    #
-    [ -n "$gateway" ] || gateway=$(find_nexthop $interface)
-    #
-    # Be sure we found one
-    #
-    [ -n "$gateway" ] && echo $gateway
-}
-
-#
-# Disable IPV6
-#
-disable_ipv6() {
-    local foo
-    foo="$($IP -f inet6 addr list 2> /dev/null)"
-
-    if [ -n "$foo" ]; then
-	if [ -x "$IP6TABLES" ]; then
-	    $IP6TABLES -P FORWARD DROP
-	    $IP6TABLES -P INPUT DROP
-	    $IP6TABLES -P OUTPUT DROP
-	    $IP6TABLES -F
-	    $IP6TABLES -X
-	    $IP6TABLES -A OUTPUT -o lo -j ACCEPT
-	    $IP6TABLES -A INPUT -i lo -j ACCEPT
-	else
-	    error_message "WARNING: DISABLE_IPV6=Yes in shorewall.conf but this system does not appear to have ip6tables"
-	fi
-    fi
-}
-
-#
-# Add an additional gateway to the default route
-#
-add_gateway() # $1 = Delta $2 = Table Number
-{
-    local route
-    local weight
-    local delta
-    local dev
-    
-    route=`$IP -4 -o route ls table $2 | grep ^default | sed 's/default //; s/[\]//g'`
-
-    if [ -z "$route" ]; then
-	run_ip route add default scope global table $2 $1
-    else
-	delta=$1
-
-	if ! echo $route | fgrep -q ' nexthop '; then
-	    route=`echo $route | sed 's/via/nexthop via/'`
-	    dev=$(find_device $route)
-	    if [ -f ${VARDIR}/${dev}_weight ]; then
-		weight=`cat ${VARDIR}/${dev}_weight`
-		route="$route weight $weight"
-	    fi
-	fi
-
-	run_ip route replace default scope global table $2 $route $delta
-    fi
-}
-
-#
-# Remove a gateway from the default route
-#
-delete_gateway() # $! = Description of the Gateway $2 = table number $3 = device
-{
-    local route
-    local gateway
-    local dev
-
-    route=`$IP -4 -o route ls table $2 | grep ^default | sed 's/[\]//g'`
-    gateway=$1
-  
-    if [ -n "$route" ]; then
-	if echo $route | fgrep -q ' nexthop '; then
-	    gateway="nexthop $gateway"
-	    eval route=\`echo $route \| sed \'s/$gateway/ /\'\`
-	    run_ip route replace table $2 $route
-	else
-	    dev=$(find_device $route)
-	    [ "$dev" = "$3" ] && run_ip route delete default table $2
-	fi
-    fi
-}
-
-#
-# Determine the MAC address of the passed IP through the passed interface
-#
-find_mac() # $1 = IP address, $2 = interface
-{
-    if interface_is_usable $2 ; then
-	qt ping -nc 1 -t 2 -I $2 $1
-
-	local result
-	result=$($IP neigh list |  awk "/^$1 / {print \$5}")
-
-	case $result in
-	    \<*\>)
-		;;
-	    *)
-		[ -n "$result" ] && echo $result
-		;;
-	esac
-    fi
-}
-
-#
-# Clear Proxy Arp
-#
-delete_proxyarp() {
-    if [ -f ${VARDIR}/proxyarp ]; then
-	while read address interface external haveroute; do
-	    qtnoin $IP -4 neigh del proxy $address dev $external
-	    [ -z "${haveroute}${g_noroutes}" ] && qtnoin $IP -4 route del $address/32 dev $interface
-	    f=/proc/sys/net/ipv4/conf/$interface/proxy_arp
-	    [ -f $f ] && echo 0 > $f
-	done < ${VARDIR}/proxyarp
-
-	rm -f ${VARDIR}/proxyarp
-    fi
-}
-
-#
-# Remove all Shorewall-added rules
-#
-clear_firewall() {
-    stop_firewall
-
-    setpolicy INPUT ACCEPT
-    setpolicy FORWARD ACCEPT
-    setpolicy OUTPUT ACCEPT
-
-    run_iptables -F
-    qt $IPTABLES -t raw -F
-
-    echo 1 > /proc/sys/net/ipv4/ip_forward
-
-    if [ -n "$DISABLE_IPV6" ]; then
-	if [ -x $IP6TABLES ]; then
-    	    $IP6TABLES -P INPUT   ACCEPT 2> /dev/null
-	    $IP6TABLES -P OUTPUT  ACCEPT 2> /dev/null
-	    $IP6TABLES -P FORWARD ACCEPT 2> /dev/null
-	fi
-    fi
-
-    run_clear_exit
-
-    set_state "Cleared"
-
-    logger -p kern.info "$g_product Cleared"
-}
-
-#
-# Get a list of all configured broadcast addresses on the system
-#
-get_all_bcasts()
-{
-    $IP -f inet addr show 2> /dev/null | grep 'inet.*brd' | grep -v '/32 ' | sed 's/inet.*brd //; s/scope.*//;' | sort -u
-}
-
-################################################################################
-# End of functions in /usr/share/shorewall/prog.header
-################################################################################
--- a/Shorewall/Perl/prog.header6
+++ b/Shorewall/Perl/prog.header6
@@ -1,311 +0,0 @@
-#     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
-#
-#     (c) 1999-2011- Tom Eastep (teastep@shorewall.net)
-#
-#	Options are:
-#
-#	    -n				  Don't alter Routing
-#	    -v and -q			  Standard Shorewall Verbosity control
-#           -t                            Timestamp progress messages
-#           -p                            Purge conntrack table
-#           -r                            Recover from failed start/restart
-#           -V <verbosity>                Set verbosity level explicitly
-#           -R <restore>                  Overrides RESTOREFILE setting
-#
-#	Commands are:
-#
-#	   start			  Starts the firewall
-#          refresh                        Refresh the firewall
-#	   restart			  Restarts the firewall
-#	   reload			  Reload the firewall
-#	   clear			  Removes all firewall rules
-#	   stop				  Stops the firewall
-#	   status			  Displays firewall status
-#	   version			  Displays the version of Shorewall that
-#	   				  generated this program
-#
-################################################################################
-# Functions imported from /usr/share/shorewall/prog.header6
-################################################################################
-#
-# Get all interface addresses with VLSMs
-#
-
-find_interface_full_addresses() # $1 = interface
-{
-    $IP -f inet6 addr show $1 2> /dev/null | grep 'inet6 ' | sed 's/\s*inet6 //;s/ scope.*//;s/ peer.*//'
-}
-
-#
-# Normalize an IPv6 Address by compressing out consecutive zero elements
-#
-normalize_address() # $1 = valid IPv6 Address
-{
-    local address
-    address=$1
-    local j
-
-    while true; do
-	case $address in
-	    ::*)
-		address=0$address
-		;;
-	    *::*)
-		list_count $(split $address)
-
-		j=$?
-
-		if [ $j -eq 7 ]; then
-		    address=${address%::*}:0:${address#*::}
-		elif [ $j -eq 8 ]; then
-		    $address=${address%::*}:${address#*::}
-		    break 2
-		else
-		    address=${address%::*}:0::${address#*::}
-		fi
-		;;
-	    *)
-		echo $address
-		break 2
-		;;
-	esac
-    done
-}
-
-#
-# Reads correctly-formed and fully-qualified host and subnet addresses from STDIN. For each
-# that defines a /120 or larger network, it sends to STDOUT:
-#
-#    The corresponding subnet-router anycast address (all host address bits are zero)
-#    The corresponding anycast addresses defined by RFC 2526 (the last 128 addresses in the subnet)
-#
-convert_to_anycast() {
-    local address
-    local badress
-    local vlsm
-    local host
-    local o
-    local m
-    m=
-    local z
-    z=65535
-    local l
-
-    while read address; do
-	case $address in
-	    2*|3*)
-		vlsm=${address#*/}
-		vlsm=${vlsm:=128}
-
-		if [ $vlsm -le 120 ]; then
-	            #
-	            # Defines a viable subnet -- first get the subnet-router anycast address
-	            #
-		    host=$((128 - $vlsm))
-
-		    address=$(normalize_address ${address%/*})
-
-		    while [ $host -ge 16 ]; do
-			address=${address%:*}
-			host=$(($host - 16))
-		    done
-
-		    if [ $host -gt 0 ]; then
-			#
-			# VLSM is not a multiple of 16
-			#
-			host=$((16 - $host))
-			o=$((0x${address##*:}))
-			m=0
-			while [ $host -gt 0 ]; do
-			    m=$((($m >> 1) | 0x8000))
-			    z=$(($z >> 1))
-			    host=$(($host - 1))
-			done
-
-			o=$(($o & $m))
-
-			badress=${address%:*}
-
-			address=$badress:$(printf %04x $o)
-
-			z=$(($o | $z))
-
-			if [ $vlsm -gt 112 ]; then
-			    z=$(($z & 0xff80))
-			fi
-
-			badress=$badress:$(printf %04x $z)
-		    else
-			badress=$address
-		    fi
-		    #
-		    # Note: at this point $address and $badress are the same except possibly for
-		    #       the contents of the last half-word
-		    #
-		    list_count $(split $address)
-
-		    l=$?
-		    #
-		    # Now generate the anycast addresses defined by RFC 2526
-		    #
-		    if [ $l -lt 8 ]; then
-			#
-			# The subnet-router address
-			#
-			echo $address::
-
-		    	while [ $l -lt 8 ]; do
-			    badress=$badress:ffff
-			    l=$(($l + 1 ))
-			done
-		    else
-			#
-			# The subnet-router address
-			#
-			echo $address
-		    fi
-		    #
-		    # And the RFC 2526 addresses
-		    #
-		    echo $badress/121
-		fi
-		;;
-	esac
-    done
-}
-
-#
-# Generate a list of anycast addresses for a given interface
-#
-
-get_interface_acasts() # $1 = interface
-{
-    local addresses
-    addresses=
-
-    find_interface_full_addresses $1 | convert_to_anycast | sort -u
-}
-
-#
-# Get a list of all configured anycast addresses on the system
-#
-get_all_acasts()
-{
-    find_interface_full_addresses | convert_to_anycast | sort -u
-}
-
-#
-# Detect the gateway through an interface
-#
-detect_gateway() # $1 = interface
-{
-    local interface
-    interface=$1
-    #
-    # First assume that this is some sort of point-to-point interface
-    #
-    gateway=$( find_peer $($IP -6 addr list $interface ) )
-    #
-    # Maybe there's a default route through this gateway already
-    #
-    [ -n "$gateway" ] || gateway=$(find_gateway $($IP -6 route list dev $interface | grep '^default'))
-    #
-    # Last hope -- is there a load-balancing route through the interface?
-    #
-    [ -n "$gateway" ] || gateway=$(find_nexthop $interface)
-    #
-    # Be sure we found one
-    #
-    [ -n "$gateway" ] && echo $gateway
-}
-
-#
-# Add an additional gateway to the default route
-#
-add_gateway() # $1 = Delta $2 = Table Number
-{
-    local route
-    local weight
-    local delta
-    local dev
-    
-    run_ip route add default scope global table $2 $1
-}
-
-#
-# Remove a gateway from the default route
-#
-delete_gateway() # $! = Description of the Gateway $2 = table number $3 = device
-{
-    local route
-    local gateway
-    local dev
-
-    route=`$IP -6 -o route ls table $2 | grep ^default | sed 's/[\]//g'`
-    gateway=$1
-  
-    dev=$(find_device $route)
-    [ "$dev" = "$3" ] && run_ip route delete default table $2
-}
-
-#
-# Determine how to do "echo -e"
-#
-
-find_echo() {
-    local result
-
-    result=$(echo "a\tb")
-    [ ${#result} -eq 3 ] && { echo echo; return; }
-
-    result=$(echo -e "a\tb")
-    [ ${#result} -eq 3 ] && { echo "echo -e"; return; }
-
-    result=$(which echo)
-    [ -n "$result" ] && { echo "$result -e"; return; }
-
-    echo echo
-}
-
-#
-# Clear Proxy NDP
-#
-delete_proxyndp() {
-    if [ -f ${VARDIR}/proxyndp ]; then
-	while read address interface external haveroute; do
-	    qt $IP -6 neigh del proxy $address dev $external
-	    [ -z "${haveroute}${g_noroutes}" ] && qt $IP -6 route del $address/128 dev $interface
-	    f=/proc/sys/net/ipv6/conf/$interface/proxy_ndp
-	    [ -f $f ] && echo 0 > $f
-	done < ${VARDIR}/proxyndp
-
-	rm -f ${VARDIR}/proxyndp
-    fi
-}
-
-#
-# Remove all Shorewall-added rules
-#
-clear_firewall() {
-    stop_firewall
-
-    setpolicy INPUT ACCEPT
-    setpolicy FORWARD ACCEPT
-    setpolicy OUTPUT ACCEPT
-
-    run_iptables -F
-    qt $IP6TABLES -t raw -F
-
-    echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
-
-    run_clear_exit
-
-    set_state "Cleared"
-
-    logger -p kern.info "$g_product Cleared"
-}
-
-################################################################################
-# End of functions imported from /usr/share/shorewall/prog.header6
-################################################################################
--- a/Shorewall/Samples/LICENSE
+++ b/Shorewall/Samples/LICENSE
@@ -55,7 +55,7 @@ modified by someone else and passed on, the recipients should know
 that what they have is not the original version, so that the original
 author's reputation will not be affected by problems that might be
 introduced by others.
-
+
  Finally, software patents pose a constant threat to the existence of
 any free program.  We wish to make sure that a company cannot
 effectively restrict the users of a free program by obtaining a
@@ -111,7 +111,7 @@ modification follow.  Pay close attention to the difference between a
 "work based on the library" and a "work that uses the library".  The
 former contains code derived from the library, whereas the latter must
 be combined with the library in order to run.
-
+
 		  GNU LESSER GENERAL PUBLIC LICENSE
   TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION

@@ -158,7 +158,7 @@ Library.
  You may charge a fee for the physical act of transferring a copy,
 and you may at your option offer warranty protection in exchange for a
 fee.
-
+
  2. You may modify your copy or copies of the Library or any portion
 of it, thus forming a work based on the Library, and copy and
 distribute such modifications or work under the terms of Section 1
@@ -216,7 +216,7 @@ instead of to this License.  (If a newer version than version 2 of the
 ordinary GNU General Public License has appeared, then you can specify
 that version instead if you wish.)  Do not make any other change in
 these notices.
-
+
  Once this change is made in a given copy, it is irreversible for
 that copy, so the ordinary GNU General Public License applies to all
 subsequent copies and derivative works made from that copy.
@@ -267,7 +267,7 @@ Library will still fall under Section 6.)
 distribute the object code for the work under the terms of Section 6.
 Any executables containing that work also fall under Section 6,
 whether or not they are linked directly with the Library itself.
-
+
  6. As an exception to the Sections above, you may also combine or
 link a "work that uses the Library" with the Library to produce a
 work containing portions of the Library, and distribute that work
@@ -329,7 +329,7 @@ restrictions of other proprietary libraries that do not normally
 accompany the operating system.  Such a contradiction means you cannot
 use both them and the Library together in an executable that you
 distribute.
-
+
  7. You may place library facilities that are a work based on the
 Library side-by-side in a single library together with other library
 facilities not covered by this License, and distribute such a combined
@@ -370,7 +370,7 @@ subject to these terms and conditions.  You may not impose any further
 restrictions on the recipients' exercise of the rights granted herein.
 You are not responsible for enforcing compliance by third parties with
 this License.
-
+
  11. If, as a consequence of a court judgment or allegation of patent
 infringement or for any other reason (not limited to patent issues),
 conditions are imposed on you (whether by court order, agreement or
@@ -422,7 +422,7 @@ conditions either of that version or of any later version published by
 the Free Software Foundation.  If the Library does not specify a
 license version number, you may choose any version ever published by
 the Free Software Foundation.
-
+
  14. If you wish to incorporate parts of the Library into other free
 programs whose distribution conditions are incompatible with these,
 write to the author to ask for permission.  For software which is
@@ -456,7 +456,7 @@ SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH
 DAMAGES.

 		     END OF TERMS AND CONDITIONS
-
+
           How to Apply These Terms to Your New Libraries

  If you develop a new library, and you want it to be of the greatest
--- a/Shorewall/Samples/Universal/interfaces
+++ b/Shorewall/Samples/Universal/interfaces
@@ -7,6 +7,8 @@
 # http://www.shorewall.net/manpages/shorewall-interfaces.html
 #
 ###############################################################################
-#ZONE	INTERFACE	BROADCAST	OPTIONS
-	lo		-		ignore
-net	all		-		dhcp,physical=+,routeback,optional
+FORMAT 2
+###############################################################################
+#ZONE	INTERFACE	OPTIONS
+-	lo		ignore
+net	all		dhcp,physical=+,routeback,optional
--- a/Shorewall/Samples/Universal/shorewall.conf
+++ b/Shorewall/Samples/Universal/shorewall.conf
@@ -53,7 +53,7 @@ TCP_FLAGS_LOG_LEVEL=info
 #	L O C A T I O N	  O F	F I L E S   A N D   D I R E C T O R I E S
 ###############################################################################

-CONFIG_PATH=/etc/shorewall:/usr/share/shorewall
+CONFIG_PATH=${CONFDIR}/shorewall:${SHAREDIR}/shorewall

 IPTABLES=

@@ -61,6 +61,8 @@ IP=

 IPSET=

+LOCKFILE=
+
 MODULESDIR=

 PERL=/usr/bin/perl
@@ -138,6 +140,8 @@ FORWARD_CLEAR_MARK=

 IMPLICIT_CONTINUE=No

+IPSET_WARNINGS=Yes
+
 IP_FORWARDING=On

 KEEP_RT_TABLES=No
--- a/Shorewall/Samples/one-interface/interfaces
+++ b/Shorewall/Samples/one-interface/interfaces
@@ -11,5 +11,7 @@
 #------------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall-interfaces"
 ###############################################################################
-#ZONE	INTERFACE	BROADCAST	OPTIONS
-net     eth0            detect          dhcp,tcpflags,logmartians,nosmurfs
+FORMAT 2
+###############################################################################
+#ZONE	INTERFACE	OPTIONS
+net     eth0            dhcp,tcpflags,logmartians,nosmurfs
--- a/Shorewall/Samples/one-interface/shorewall.conf
+++ b/Shorewall/Samples/one-interface/shorewall.conf
@@ -64,7 +64,7 @@ TCP_FLAGS_LOG_LEVEL=info
 #	L O C A T I O N	  O F	F I L E S   A N D   D I R E C T O R I E S
 ###############################################################################

-CONFIG_PATH=/etc/shorewall:/usr/share/shorewall
+CONFIG_PATH=${CONFDIR}/shorewall:${SHAREDIR}/shorewall

 IPTABLES=

@@ -72,6 +72,8 @@ IP=

 IPSET=

+LOCKFILE=
+
 MODULESDIR=

 PERL=/usr/bin/perl
@@ -149,6 +151,8 @@ FORWARD_CLEAR_MARK=

 IMPLICIT_CONTINUE=No

+IPSET_WARNINGS=Yes
+
 IP_FORWARDING=Off

 KEEP_RT_TABLES=No
--- a/Shorewall/Samples/three-interfaces/interfaces
+++ b/Shorewall/Samples/three-interfaces/interfaces
@@ -11,7 +11,9 @@
 #------------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall-interfaces"
 ###############################################################################
-#ZONE	INTERFACE	BROADCAST	OPTIONS
-net     eth0            detect          tcpflags,dhcp,nosmurfs,routefilter,logmartians
-loc     eth1            detect          tcpflags,nosmurfs,routefilter,logmartians
-dmz     eth2            detect		tcpflags,nosmurfs,routefilter,logmartians
+FORMAT 2
+###############################################################################
+#ZONE	INTERFACE	OPTIONS
+net     eth0            tcpflags,dhcp,nosmurfs,routefilter,logmartians
+loc     eth1            tcpflags,nosmurfs,routefilter,logmartians
+dmz     eth2            tcpflags,nosmurfs,routefilter,logmartians
--- a/Shorewall/Samples/three-interfaces/shorewall.conf
+++ b/Shorewall/Samples/three-interfaces/shorewall.conf
@@ -62,7 +62,7 @@ TCP_FLAGS_LOG_LEVEL=info
 #	L O C A T I O N	  O F	F I L E S   A N D   D I R E C T O R I E S
 ###############################################################################

-CONFIG_PATH=/etc/shorewall:/usr/share/shorewall
+CONFIG_PATH=${CONFDIR}/shorewall:${SHAREDIR}/shorewall

 IPTABLES=

@@ -70,6 +70,8 @@ IP=

 IPSET=

+LOCKFILE=
+
 MODULESDIR=

 PERL=/usr/bin/perl
@@ -147,6 +149,8 @@ FORWARD_CLEAR_MARK=

 IMPLICIT_CONTINUE=No

+IPSET_WARNINGS=Yes
+
 IP_FORWARDING=On

 KEEP_RT_TABLES=No
--- a/Shorewall/Samples/two-interfaces/interfaces
+++ b/Shorewall/Samples/two-interfaces/interfaces
@@ -11,6 +11,8 @@
 #------------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall-interfaces"
 ###############################################################################
-#ZONE	INTERFACE	BROADCAST	OPTIONS
-net     eth0            detect          dhcp,tcpflags,nosmurfs,routefilter,logmartians
-loc     eth1            detect          tcpflags,nosmurfs,routefilter,logmartians
+FORMAT 2
+###############################################################################
+#ZONE	INTERFACE	OPTIONS
+net     eth0            dhcp,tcpflags,nosmurfs,routefilter,logmartians
+loc     eth1            tcpflags,nosmurfs,routefilter,logmartians
--- a/Shorewall/Samples/two-interfaces/shorewall.conf
+++ b/Shorewall/Samples/two-interfaces/shorewall.conf
@@ -65,7 +65,7 @@ TCP_FLAGS_LOG_LEVEL=info
 #	L O C A T I O N	  O F	F I L E S   A N D   D I R E C T O R I E S
 ###############################################################################

-CONFIG_PATH=/etc/shorewall:/usr/share/shorewall
+CONFIG_PATH=${CONFDIR}/shorewall:${SHAREDIR}/shorewall

 IPTABLES=

@@ -73,6 +73,8 @@ IP=

 IPSET=

+LOCKFILE=
+
 MODULESDIR=

 PERL=/usr/bin/perl
@@ -150,6 +152,8 @@ FORWARD_CLEAR_MARK=

 IMPLICIT_CONTINUE=No

+IPSET_WARNINGS=Yes
+
 IP_FORWARDING=On

 KEEP_RT_TABLES=No
--- a/Shorewall/action.RST
+++ b/Shorewall/action.RST
@@ -0,0 +1,56 @@
+#
+# Shorewall 4 - RST Action
+#
+#    /usr/share/shorewall/action.RST
+#
+#     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
+#
+#     (c) 2011 - Tom Eastep (teastep@shorewall.net)
+#
+#       Complete documentation is available at http://shorewall.net
+#
+#       This program is free software; you can redistribute it and/or modify
+#       it under the terms of Version 2 of the GNU General Public License
+#       as published by the Free Software Foundation.
+#
+#       This program is distributed in the hope that it will be useful,
+#       but WITHOUT ANY WARRANTY; without even the implied warranty of
+#       MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+#       GNU General Public License for more details.
+#
+#       You should have received a copy of the GNU General Public License
+#       along with this program; if not, write to the Free Software
+#       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+#   RST[([<action>|-[,{audit|-}])]
+#
+#       Default action is DROP
+#
+##########################################################################################
+FORMAT 2
+
+DEFAULTS DROP,-
+
+BEGIN PERL;
+
+use Shorewall::IPAddrs;
+use Shorewall::Config;
+use Shorewall::Chains;
+
+my ( $action, $audit ) = get_action_params( 2 );
+
+fatal_error "Invalid parameter ($audit) to action NotSyn"   if supplied $audit && $audit ne 'audit';
+fatal_error "Invalid parameter ($action) to action NotSyn"  unless $action =~ /^(?:ACCEPT|DROP|REJECT)$/;
+
+my $chainref         = get_action_chain;
+my ( $level, $tag )  = get_action_logging;
+my $target           = require_audit ( $action , $audit );
+
+log_rule_limit $level, $chainref, 'RST' , $action, '', $tag, 'add', '-p 6 --tcp-flags RST RST ' if $level ne '';
+add_jump $chainref , $target, 0, '-p 6 --tcp-flags RST RST, ';
+
+allow_optimize( $chainref );
+
+1;
+
+END PERL;
--- a/Shorewall/actions.std
+++ b/Shorewall/actions.std
@@ -41,4 +41,5 @@ DropSmurfs          # Drop smurf packets
 Invalid             # Handles packets in the INVALID conntrack state
 NotSyn              # Handles TCP packets which do not have SYN=1 and ACK=0
 Reject		    # Default Action for REJECT policy
+RST		    # Handle packets with RST set
 TCPFlags            # Handle bad flag combinations.
--- a/Shorewall/configfiles/interfaces
+++ b/Shorewall/configfiles/interfaces
@@ -7,8 +7,6 @@
 # http://www.shorewall.net/manpages/shorewall-interfaces.html
 #
 ###############################################################################
-FORMAT 1
-#ZONE	INTERFACE	BROADCAST	OPTIONS
-
 FORMAT 2
+###############################################################################
 #ZONE		INTERFACE		OPTIONS
--- a/Shorewall/configfiles/shorewall.conf
+++ b/Shorewall/configfiles/shorewall.conf
@@ -53,7 +53,7 @@ TCP_FLAGS_LOG_LEVEL=info
 #	L O C A T I O N	  O F	F I L E S   A N D   D I R E C T O R I E S
 ###############################################################################

-CONFIG_PATH="/etc/shorewall:/usr/share/shorewall"
+CONFIG_PATH="${CONFDIR}/shorewall:${SHAREDIR}/shorewall"

 IPTABLES=

@@ -61,6 +61,8 @@ IP=

 IPSET=

+LOCKFILE=
+
 MODULESDIR=

 PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin"
@@ -138,6 +140,8 @@ FORWARD_CLEAR_MARK=

 IMPLICIT_CONTINUE=No

+IPSET_WARNINGS=Yes
+
 IP_FORWARDING=On

 KEEP_RT_TABLES=No
--- a/Shorewall/configfiles/tcrules
+++ b/Shorewall/configfiles/tcrules
@@ -10,6 +10,6 @@
 # See http://shorewall.net/PacketMarking.html for a detailed description of
 # the Netfilter/Shorewall packet marking mechanism.
 ##########################################################################################################################################
-#MARK	SOURCE		DEST		PROTO	DEST	SOURCE	USER	TEST	LENGTH	TOS   CONNBYTES		HELPER    PROBABILITY DSCP
+#ACTION	SOURCE		DEST		PROTO	DEST	SOURCE	USER	TEST	LENGTH	TOS   CONNBYTES		HELPER    PROBABILITY DSCP
 #						PORT(S)	PORT(S)

--- a/Shorewall/configfiles/tunnels
+++ b/Shorewall/configfiles/tunnels
@@ -7,5 +7,5 @@
 # http://www.shorewall.net/manpages/shorewall-tunnels.html
 #
 ###############################################################################
-#TYPE			ZONE	GATEWAY		GATEWAY
-#						ZONE
+#TYPE			ZONE	GATEWAYS			GATEWAY
+#								ZONES
--- a/Shorewall/configpath
+++ b/Shorewall/configpath
@@ -10,4 +10,4 @@
 #	/usr/share/shorewall/configfiles/. This prevents 'compile -e'
 #	from trying to use configuration information from /etc/shorewall.

-CONFIG_PATH=${CONFDIR}:/usr/share/shorewall
+CONFIG_PATH=${CONFDIR}:${SHAREDIR}/shorewall
--- a/Shorewall/init.debian.sh
+++ b/Shorewall/init.debian.sh
@@ -11,7 +11,6 @@
 ### END INIT INFO


-
 SRWL=/sbin/shorewall
 SRWL_OPTS="-tvv"
 WAIT_FOR_IFUP=/usr/share/shorewall/wait4ifup
@@ -54,10 +53,15 @@ not_configured () {
 	exit 0
 }

+#
+# The installer may alter this
+#
+. /usr/share/shorewall/shorewallrc
+
 # check if shorewall is configured or not
-if [ -f "/etc/default/shorewall" ]
+if [ -f "${SYSCONFDIR}/shorewall" ]
 then
-	. /etc/default/shorewall
+	. ${SYSCONFDIR}/shorewall
 	SRWL_OPTS="$SRWL_OPTS $OPTIONS"
 	if [ "$startup" != "1" ]
 	then
--- a/Shorewall/init.fedora.sh
+++ b/Shorewall/init.fedora.sh
@@ -20,16 +20,21 @@
 # Source function library.
 . /etc/rc.d/init.d/functions

+#
+# The installer may alter this
+#
+. /usr/share/shorewall/shorewallrc
+
 prog="shorewall"
-shorewall="/sbin/$prog"
+shorewall="${SBINDIR}/$prog"
 logger="logger -i -t $prog"
 lockfile="/var/lock/subsys/$prog"

 # Get startup options (override default)
 OPTIONS=

-if [ -f /etc/sysconfig/$prog ]; then
-    . /etc/sysconfig/$prog
+if [ -f ${SYSCONFDIR}/$prog ]; then
+    . ${SYSCONFDIR}/$prog
 fi

 start() {
--- a/Shorewall/init.sh
+++ b/Shorewall/init.sh
@@ -54,7 +54,7 @@ RCDLINKS="2,S41 3,S41 6,K41"
 # Give Usage Information						       #
 ################################################################################
 usage() {
-    echo "Usage: $0 start|stop|reload|restart|status"
+    echo "Usage: $0 start|stop|reload|restart|status" >&2
    exit 1
 }

@@ -62,10 +62,14 @@ usage() {
 # Get startup options (override default)
 ################################################################################
 OPTIONS="-v0"
-if [ -f /etc/sysconfig/shorewall ]; then
-    . /etc/sysconfig/shorewall
-elif [ -f /etc/default/shorewall ] ; then
-    . /etc/default/shorewall
+
+#
+# The installer may alter this
+#
+. /usr/share/shorewall/shorewallrc
+
+if [ -f ${SYSCONFDIR}/shorewall ]; then
+    . ${SYSCONFDIR}/shorewall
 fi

 export SHOREWALL_INIT_SCRIPT=1
@@ -78,13 +82,13 @@ shift

 case "$command" in
    start)
-	exec /sbin/shorewall $OPTIONS start $STARTOPTIONS
+	exec $SBINDIR/shorewall $OPTIONS start $STARTOPTIONS
 	;;
    restart|reload)
-	exec /sbin/shorewall $OPTIONS restart $RESTARTOPTIONS
+	exec $SBINDIR/shorewall $OPTIONS restart $RESTARTOPTIONS
 	;;
    status|stop)
-	exec /sbin/shorewall $OPTIONS $command
+	exec $SBINDIR/shorewall $OPTIONS $command
 	;;
    *)
 	usage
--- a/Shorewall/install.sh
+++ b/Shorewall/install.sh
--- a/Shorewall/lib.cli-std
+++ b/Shorewall/lib.cli-std
@@ -34,6 +34,8 @@ get_config() {

    ensure_config_path

+
+
    if [ "$1" = Yes ]; then
 	params=$(find_file params)

@@ -360,6 +362,8 @@ uptodate() {
 #
 compiler() {
    local pc
+    local shorewallrc
+
    pc=$g_libexec/shorewall/compiler.pl

    if [ $(id -u) -ne 0 ]; then
@@ -374,7 +378,7 @@ compiler() {
    #
    # Get the config from $g_shorewalldir
    #
-    [ -n "$g_shorewalldir" -a "$g_shorewalldir" != /etc/$g_program ] && get_config
+    [ -n "$g_shorewalldir" -a "$g_shorewalldir" != ${g_confdir} ] && get_config

    case $COMMAND in
 	*start|try|refresh)
@@ -395,7 +399,14 @@ compiler() {
    [ "$1" = nolock ] && shift;
    shift

-    options="--verbose=$VERBOSITY --family=$g_family --config_path=$CONFIG_PATH"
+    if [ -n "$g_export" ]; then
+	shorewallrc=$(find_file shorewallrc)
+	[ -f "$shorewallrc" ] || fatal_error "Compiling for export requires a shorewallrc file"
+    else
+	shorewallrc="${g_basedir}/shorewallrc"
+    fi
+
+    options="--verbose=$VERBOSITY --family=$g_family --config_path=$CONFIG_PATH --shorewallrc=${shorewallrc}"
    [ -n "$STARTUP_LOG" ] && options="$options --log=$STARTUP_LOG"
    [ -n "$LOG_VERBOSITY" ] && options="$options --log_verbosity=$LOG_VERBOSITY";
    [ -n "$g_export" ] && options="$options --export"
@@ -497,6 +508,10 @@ start_command() {
 			    AUTOMAKE=
 			    option=${option#c}
 			    ;;
+			T*)
+			    g_confess=Yes
+			    option=${option#T}
+			    ;;
 			*)
 			    usage 1
 			    ;;
@@ -869,6 +884,10 @@ restart_command() {
 			    g_purge=Yes
 			    option=${option%p}
 			    ;;
+			T*)
+			    g_confess=Yes
+			    option=${option#T}
+			    ;;
 			*)
 			    usage 1
 			    ;;
@@ -953,6 +972,27 @@ refresh_command() {
 			    finished=1
 			    option=
 			    ;;
+			d*)
+			    g_debug=Yes
+			    option=${option#d}
+			    ;;
+			n*)
+			    g_noroutes=Yes
+			    option=${option#n}
+			    ;;
+			T*)
+			    g_confess=Yes
+			    option=${option#T}
+			    ;;
+			D)
+			    if [ $# -gt 1 ]; then
+				g_shorewalldir="$2"
+				option=
+				shift
+			    else
+				fatal_error "ERROR: the -D option requires a directory name"
+			    fi
+			    ;;
 			*)
 			    usage 1
 			    ;;
@@ -1297,6 +1337,10 @@ reload_command() # $* = original arguments less the command.
    root=root
    local libexec
    libexec=/usr/share
+    local confdir
+    confdir=/etc
+    local sbindir
+    sbindir=/sbin

    litedir=/var/lib/${g_program}-lite

@@ -1326,6 +1370,10 @@ reload_command() # $* = original arguments less the command.
 			    option=
 			    shift
 			    ;;
+			T*)
+			    g_confess=Yes
+			    option=${option#T}
+			    ;;
 			*)
 			    usage 1
 			    ;;
@@ -1353,11 +1401,11 @@ reload_command() # $* = original arguments less the command.
 	    ;;
    esac

-    temp=$(rsh_command /sbin/${g_program}-lite show config 2> /dev/null | grep ^LITEDIR | sed 's/LITEDIR is //')
+    temp=$(rsh_command ${g_program}-lite show config 2> /dev/null | grep ^LITEDIR | sed 's/LITEDIR is //')

    [ -n "$temp" ] && litedir="$temp"

-    temp=$(rsh_command /sbin/${g_program}-lite show config 2> /dev/null | grep ^LIBEXEC | sed 's/LIBEXEC is //')
+    temp=$(rsh_command ${g_program}-lite show config 2> /dev/null | grep ^LIBEXEC | sed 's/LIBEXEC is //')

    if [ -n "$temp" ]; then
 	case $temp in
@@ -1370,6 +1418,14 @@ reload_command() # $* = original arguments less the command.
 	esac
    fi

+    temp=$(rsh_command ${g_program}-lite show config 2> /dev/null | grep ^SBINDIR | sed 's/SBINDIR is //')
+
+    [ -n "$temp" ] && sbindir="$temp"
+
+    temp=$(rsh_command ${g_program}-lite show config 2> /dev/null | grep ^CONFDIR | sed 's/CONFDIR is //')
+
+    [ -n "$temp" ] && confdir="$temp"
+
    if [ -z "$getcaps" ]; then
 	g_shorewalldir=$(resolve_file $directory)
 	ensure_config_path
@@ -1410,19 +1466,20 @@ reload_command() # $* = original arguments less the command.
    then
 	save=$(find_file save);

-	[ -f $save ] && progress_message3 "Copying $save to ${system}:/etc/${g_program}-lite/" && rcp_command $save /etc/shorewall-lite/
+	[ -f $save ] && progress_message3 "Copying $save to ${system}:${confdir}/${g_program}-lite/" && rcp_command $save ${confdir}/shorewall-lite/

 	progress_message3 "Copy complete"
+
 	if [ $COMMAND = reload ]; then
-	    rsh_command "/sbin/${g_program}-lite $g_debugging $verbose $timestamp restart" && \
+	    rsh_command "${sbindir}/${g_program}-lite $g_debugging $verbose $timestamp restart" && \
 	    progress_message3 "System $system reloaded" || saveit=
 	else
-	    rsh_command "/sbin/${g_program}-lite $g_debugging $verbose $timestamp start" && \
+	    rsh_command "${sbindir}/${g_program}-lite $g_debugging $verbose $timestamp start" && \
 	    progress_message3 "System $system loaded" || saveit=
 	fi

 	if [ -n "$saveit" ]; then
-	    rsh_command "/sbin/${g_program}-lite $g_debugging $verbose $timestamp save" && \
+	    rsh_command "${sbindir}/${g_program}-lite $g_debugging $verbose $timestamp save" && \
 	    progress_message3 "Configuration on system $system saved"
 	fi
    fi
@@ -1532,7 +1589,7 @@ usage() # $1 = exit status
    fi

    echo "   iptrace <iptables match expression>"
-    echo "   load [ -s ] [ -c ] [ -r <root user> ] [ <directory> ] <system>"
+    echo "   load [ -s ] [ -c ] [ -r <root user> ] [ -T ] [ <directory> ] <system>"
    echo "   logdrop <address> ..."
    echo "   logreject <address> ..."
    echo "   logwatch [<refresh interval>]"
@@ -1543,11 +1600,11 @@ usage() # $1 = exit status
 	echo "   noiptrace <ip6tables match expression>"
    fi

-    echo "   refresh [ <chain>... ]"
+    echo "   refresh [ -d ] [ -n ] [ -T ] [ -D <directory> ] [ <chain>... ]"
    echo "   reject <address> ..."
-    echo "   reload [ -s ] [ -c ] [ -r <root user> ] [ <directory> ] <system>"
+    echo "   reload [ -s ] [ -c ] [ -r <root user> ] [ -T ] [ <directory> ] <system>"
    echo "   reset [ <chain> ... ]"
-    echo "   restart [ -n ] [ -p ] [-d] [ -f ] [ -c ][ <directory> ]"
+    echo "   restart [ -n ] [ -p ] [-d] [ -f ] [ -c ] [ -T ] [ <directory> ]"
    echo "   restore [ -n ] [ <file name> ]"
    echo "   safe-restart [ -t <timeout> ] [ <directory> ]"
    echo "   safe-start [ -t <timeout> ] [ <directory> ]"
@@ -1575,7 +1632,7 @@ usage() # $1 = exit status
    echo "   show tc [ device ]"
    echo "   show vardir"
    echo "   show zones"
-    echo "   start [ -f ] [ -n ] [ -p ] [ -c ] [ <directory> ]"
+    echo "   start [ -f ] [ -n ] [ -p ] [ -c ] [ -T ] [ <directory> ]"
    echo "   status"
    echo "   stop"
    echo "   try <directory> [ <timeout> ]"
--- a/Shorewall/lib.core
+++ b/Shorewall/lib.core
@@ -1,30 +1,34 @@
-#
-# Shorewall 4.5 -- /usr/share/shorewall/lib.core.
-#
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2010-2012 - Tom Eastep (teastep@shorewall.net)
+#     (c) 1999-2012 - Tom Eastep (teastep@shorewall.net)
 #
-#	Complete documentation is available at http://shorewall.net
+#	Options are:
 #
-#	This program is free software; you can redistribute it and/or modify
-#	it under the terms of Version 2 of the GNU General Public License
-#	as published by the Free Software Foundation.
+#	    -n				  Don't alter Routing
+#	    -v and -q			  Standard Shorewall Verbosity control
+#           -t                            Timestamp progress messages
+#           -p                            Purge conntrack table
+#           -r                            Recover from failed start/restart
+#           -V <verbosity>                Set verbosity level explicitly
+#           -R <restore>                  Overrides RESTOREFILE setting
 #
-#	This program is distributed in the hope that it will be useful,
-#	but WITHOUT ANY WARRANTY; without even the implied warranty of
-#	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-#	GNU General Public License for more details.
+#	Commands are:
 #
-#	You should have received a copy of the GNU General Public License
-#	along with this program; if not, write to the Free Software
-#	Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#	   start			  Starts the firewall
+#          refresh                        Refresh the firewall
+#	   restart			  Restarts the firewall
+#	   reload			  Reload the firewall
+#	   clear			  Removes all firewall rules
+#	   stop				  Stops the firewall
+#	   status			  Displays firewall status
+#	   version			  Displays the version of Shorewall that
+#	   				  generated this program
 #
-# The purpose of this library is to hold those functions used by the generated
-# scripts (both IPv4 and IPv6 -- the functions that are specific to one or the other
-# are found in prog.header and prog.header6).
-#
-#########################################################################################
+################################################################################
+# Functions imported from /usr/share/shorewall/lib.core
+################################################################################
+#                     Address family-neutral Functions
+################################################################################
 #
 # Conditionally produce message
 #
@@ -172,8 +176,28 @@ interface_is_up() {
 #
 interface_is_usable() # $1 = interface
 {
-    [ "$1" = lo ] && return 0
-    interface_is_up $1 && [ "$(find_first_interface_address_if_any $1)" != :: ] && run_isusable_exit $1
+    local status;
+    status=0
+
+    if [ "$1" != lo ]; then
+	if [ $g_family -eq 4 ]; then
+	    if interface_is_up $1 && [ "$(find_first_interface_address_if_any $1)" != 0.0.0.0 ]; then
+		[ "$COMMAND" = enable ] || run_isusable_exit $1
+		status=$?
+	    else
+		status=1
+	    fi
+	else
+	    if interface_is_up $1 && [ "$(find_first_interface_address_if_any $1)" ]; then
+		[ "$COMMAND" = enable ] || run_isusable_exit $1
+		status=$?
+	    else
+		status=1
+	    fi
+	fi
+    fi
+
+    return $status
 }

 #
@@ -590,6 +614,7 @@ distribute_load() {
    local interface
    local totalload
    local load
+    local mark
    local maxload

    maxload=$1
@@ -601,6 +626,8 @@ distribute_load() {
 	if interface_up $interface; then
 	    load=$(cat ${VARDIR}/${interface}_load)
 	    eval ${interface}_load=$load
+	    mark=$(cat ${VARDIR}/${interface}_mark)
+	    eval ${interface}_mark=$mark
 	    totalload=$( bc <<EOF
 scale=8
 $totalload + $load
@@ -613,6 +640,7 @@ EOF
 	for interface in $@; do
 	    qt $g_tool -t mangle -F ~$interface
 	    eval load=\$${interface}_load
+	    eval mark=\$${interface}_mark

 	    if [ -n "$load" ]; then
 		load=$(bc <<EOF
@@ -625,8 +653,647 @@ scale=8
 $totalload - $load
 EOF
 )
-		run_iptables -t mangle -A ~$interface -m statistic --mode random --probability $load
+		run_iptables -t mangle -A ~$interface -m statistic --mode random --probability $load -j MARK --set-mark $mark
 	    fi
 	done
    fi
 }
+
+?IF __IPV4
+#################################################################################
+#                        IPv4-specific Functions
+#################################################################################
+# Find the value 'weight' in the passed arguments then echo the next value
+#
+
+find_weight() {
+    while [ $# -gt 1 ]; do
+	[ "x$1" = xweight ] && echo $2 && return
+	shift
+    done
+}
+
+#
+# Find the interfaces that have a route to the passed address - the default
+# route is not used.
+#
+
+find_rt_interface() {
+    $IP -4 route list | while read addr rest; do
+	case $addr in
+	    */*)
+		in_network ${1%/*} $addr && echo $(find_device $rest)
+		;;
+	    default)
+		;;
+	    *)
+		if [ "$addr" = "$1" -o "$addr/32" = "$1" ]; then
+		    echo $(find_device $rest)
+		fi
+		;;
+	esac
+    done
+}
+
+#
+# Echo the name of the interface(s) that will be used to send to the
+# passed address
+#
+
+find_interface_by_address() {
+    local dev
+    dev="$(find_rt_interface $1)"
+    local first
+    local rest
+
+    [ -z "$dev" ] && dev=$(find_default_interface)
+
+    [ -n "$dev" ] && echo $dev
+}
+
+#
+#  echo the list of networks routed out of a given interface
+#
+get_routed_networks() # $1 = interface name, $2-n = Fatal error message
+{
+    local address
+    local rest
+
+    $IP -4 route show dev $1 2> /dev/null |
+	while read address rest; do
+	    case "$address" in
+		default)
+		    if [ $# -gt 1 ]; then
+			shift
+			fatal_error "$@"
+		    else
+			echo "WARNING: default route ignored on interface $1" >&2
+		    fi
+		    ;;
+		multicast|broadcast|prohibit|nat|throw|nexthop)
+		    ;;
+		*)
+		    [ "$address" = "${address%/*}" ] && address="${address}/32"
+		    echo $address
+		    ;;
+	    esac
+        done
+}
+
+#
+# Get the broadcast addresses associated with an interface
+#
+get_interface_bcasts() # $1 = interface
+{
+    local addresses
+    addresses=
+
+    $IP -f inet addr show dev $1 2> /dev/null | grep 'inet.*brd' | sed 's/inet.*brd //; s/scope.*//;' | sort -u
+}
+
+#
+# Delete IP address
+#
+del_ip_addr() # $1 = address, $2 = interface
+{
+    [ $(find_first_interface_address_if_any $2) = $1 ] || qtnoin $IP addr del $1 dev $2
+}
+
+# Add IP Aliases
+#
+add_ip_aliases() # $* = List of addresses
+{
+    local local
+    local addresses
+    local external
+    local interface
+    local inet
+    local cidr
+    local rest
+    local val
+    local arping
+    arping=$(mywhich arping)
+
+    address_details()
+    {
+	#
+	# Folks feel uneasy if they don't see all of the same
+	# decoration on these IP addresses that they see when their
+	# distro's net config tool adds them. In an attempt to reduce
+	# the anxiety level, we have the following code which sets
+	# the VLSM and BRD from an existing address in the same network
+	#
+	# Get all of the lines that contain inet addresses with broadcast
+	#
+	$IP -f inet addr show $interface 2> /dev/null | grep 'inet.*brd' | while read inet cidr rest ; do
+	    case $cidr in
+		*/*)
+		    if in_network $external $cidr; then
+			echo "/${cidr#*/} brd $(broadcastaddress $cidr)"
+			break
+		    fi
+		    ;;
+	    esac
+	done
+    }
+
+    do_one()
+    {
+	val=$(address_details)
+
+	$IP addr add ${external}${val} dev $interface $label
+	[ -n "$arping" ] && qt $arping -U -c 2 -I $interface $external
+	echo "$external $interface" >> $VARDIR/nat
+	[ -n "$label" ] && label="with $label"
+	progress_message "   IP Address $external added to interface $interface $label"
+    }
+
+    progress_message "Adding IP Addresses..."
+
+    while [ $# -gt 0 ]; do
+	external=$1
+	interface=$2
+	label=
+
+	if [ "$interface" != "${interface%:*}" ]; then
+	    label="${interface#*:}"
+	    interface="${interface%:*}"
+	    label="label $interface:$label"
+	fi
+
+	shift 2
+
+	list_search $external $(find_interface_addresses $interface) || do_one
+    done
+}
+
+#
+# Detect the gateway through a PPP or DHCP-configured interface
+#
+detect_dynamic_gateway() { # $1 = interface
+    local interface
+    interface=$1
+    local GATEWAYS
+    GATEWAYS=
+    local gateway
+
+    gateway=$(run_findgw_exit $1);
+
+    if [ -z "$gateway" ]; then
+	gateway=$( find_peer $($IP addr list $interface ) )
+    fi
+
+    if [ -z "$gateway" -a -f /var/lib/dhcpcd/dhcpcd-${1}.info ]; then
+	eval $(grep ^GATEWAYS=  /var/lib/dhcpcd/dhcpcd-${1}.info 2> /dev/null)
+	[ -n "$GATEWAYS" ] && GATEWAYS=${GATEWAYS%,*} && gateway=$GATEWAYS
+    fi
+
+    if [ -z "$gateway" -a -f /var/lib/dhcp/dhclient-${1}.lease ]; then
+	gateway=$(grep 'option routers' /var/lib/dhcp/dhclient-${1}.lease | tail -n 1 | while read j1 j2 gateway; do echo $gateway ; return 0; done)
+    fi
+
+    [ -n "$gateway" ] && echo $gateway
+}
+
+#
+# Detect the gateway through an interface
+#
+detect_gateway() # $1 = interface
+{
+    local interface
+    interface=$1
+    local gateway
+    #
+    # First assume that this is some sort of dynamic interface
+    #
+    gateway=$( detect_dynamic_gateway $interface )
+    #
+    # Maybe there's a default route through this gateway already
+    #
+    [ -n "$gateway" ] || gateway=$(find_gateway $($IP -4 route list dev $interface | grep ^default))
+    #
+    # Last hope -- is there a load-balancing route through the interface?
+    #
+    [ -n "$gateway" ] || gateway=$(find_nexthop $interface)
+    #
+    # Be sure we found one
+    #
+    [ -n "$gateway" ] && echo $gateway
+}
+
+#
+# Disable IPV6
+#
+disable_ipv6() {
+    local foo
+    foo="$($IP -f inet6 addr list 2> /dev/null)"
+
+    if [ -n "$foo" ]; then
+	if [ -x "$IP6TABLES" ]; then
+	    $IP6TABLES -P FORWARD DROP
+	    $IP6TABLES -P INPUT DROP
+	    $IP6TABLES -P OUTPUT DROP
+	    $IP6TABLES -F
+	    $IP6TABLES -X
+	    $IP6TABLES -A OUTPUT -o lo -j ACCEPT
+	    $IP6TABLES -A INPUT -i lo -j ACCEPT
+	else
+	    error_message "WARNING: DISABLE_IPV6=Yes in shorewall.conf but this system does not appear to have ip6tables"
+	fi
+    fi
+}
+
+#
+# Add an additional gateway to the default route
+#
+add_gateway() # $1 = Delta $2 = Table Number
+{
+    local route
+    local weight
+    local delta
+    local dev
+
+    route=`$IP -4 -o route ls table $2 | grep ^default | sed 's/default //; s/[\]//g'`
+
+    if [ -z "$route" ]; then
+	run_ip route add default scope global table $2 $1
+    else
+	delta=$1
+
+	if ! echo $route | fgrep -q ' nexthop '; then
+	    route=`echo $route | sed 's/via/nexthop via/'`
+	    dev=$(find_device $route)
+	    if [ -f ${VARDIR}/${dev}_weight ]; then
+		weight=`cat ${VARDIR}/${dev}_weight`
+		route="$route weight $weight"
+	    fi
+	fi
+
+	run_ip route replace default scope global table $2 $route $delta
+    fi
+}
+
+#
+# Remove a gateway from the default route
+#
+delete_gateway() # $! = Description of the Gateway $2 = table number $3 = device
+{
+    local route
+    local gateway
+    local dev
+
+    route=`$IP -4 -o route ls table $2 | grep ^default | sed 's/[\]//g'`
+    gateway=$1
+
+    if [ -n "$route" ]; then
+	if echo $route | fgrep -q ' nexthop '; then
+	    gateway="nexthop $gateway"
+	    eval route=\`echo $route \| sed \'s/$gateway/ /\'\`
+	    run_ip route replace table $2 $route
+	else
+	    dev=$(find_device $route)
+	    [ "$dev" = "$3" ] && run_ip route delete default table $2
+	fi
+    fi
+}
+
+#
+# Determine the MAC address of the passed IP through the passed interface
+#
+find_mac() # $1 = IP address, $2 = interface
+{
+    if interface_is_usable $2 ; then
+	qt ping -nc 1 -t 2 -I $2 $1
+
+	local result
+	result=$($IP neigh list |  awk "/^$1 / {print \$5}")
+
+	case $result in
+	    \<*\>)
+		;;
+	    *)
+		[ -n "$result" ] && echo $result
+		;;
+	esac
+    fi
+}
+
+#
+# Clear Proxy Arp
+#
+delete_proxyarp() {
+    if [ -f ${VARDIR}/proxyarp ]; then
+	while read address interface external haveroute; do
+	    qtnoin $IP -4 neigh del proxy $address dev $external
+	    [ -z "${haveroute}${g_noroutes}" ] && qtnoin $IP -4 route del $address/32 dev $interface
+	    f=/proc/sys/net/ipv4/conf/$interface/proxy_arp
+	    [ -f $f ] && echo 0 > $f
+	done < ${VARDIR}/proxyarp
+
+	rm -f ${VARDIR}/proxyarp
+    fi
+}
+
+#
+# Remove all Shorewall-added rules
+#
+clear_firewall() {
+    stop_firewall
+
+    setpolicy INPUT ACCEPT
+    setpolicy FORWARD ACCEPT
+    setpolicy OUTPUT ACCEPT
+
+    run_iptables -F
+    qt $IPTABLES -t raw -F
+
+    echo 1 > /proc/sys/net/ipv4/ip_forward
+
+    if [ -n "$DISABLE_IPV6" ]; then
+	if [ -x $IP6TABLES ]; then
+    	    $IP6TABLES -P INPUT   ACCEPT 2> /dev/null
+	    $IP6TABLES -P OUTPUT  ACCEPT 2> /dev/null
+	    $IP6TABLES -P FORWARD ACCEPT 2> /dev/null
+	fi
+    fi
+
+    run_clear_exit
+
+    set_state "Cleared"
+
+    logger -p kern.info "$g_product Cleared"
+}
+
+#
+# Get a list of all configured broadcast addresses on the system
+#
+get_all_bcasts()
+{
+    $IP -f inet addr show 2> /dev/null | grep 'inet.*brd' | grep -v '/32 ' | sed 's/inet.*brd //; s/scope.*//;' | sort -u
+}
+
+?ELSE
+#################################################################################
+#                        IPv6-specific Functions
+#################################################################################
+#
+# Get all interface addresses with VLSMs
+#
+
+find_interface_full_addresses() # $1 = interface
+{
+    $IP -f inet6 addr show $1 2> /dev/null | grep 'inet6 ' | sed 's/\s*inet6 //;s/ scope.*//;s/ peer.*//'
+}
+
+#
+# Normalize an IPv6 Address by compressing out consecutive zero elements
+#
+normalize_address() # $1 = valid IPv6 Address
+{
+    local address
+    address=$1
+    local j
+
+    while true; do
+	case $address in
+	    ::*)
+		address=0$address
+		;;
+	    *::*)
+		list_count $(split $address)
+
+		j=$?
+
+		if [ $j -eq 7 ]; then
+		    address=${address%::*}:0:${address#*::}
+		elif [ $j -eq 8 ]; then
+		    $address=${address%::*}:${address#*::}
+		    break 2
+		else
+		    address=${address%::*}:0::${address#*::}
+		fi
+		;;
+	    *)
+		echo $address
+		break 2
+		;;
+	esac
+    done
+}
+
+#
+# Reads correctly-formed and fully-qualified host and subnet addresses from STDIN. For each
+# that defines a /120 or larger network, it sends to STDOUT:
+#
+#    The corresponding subnet-router anycast address (all host address bits are zero)
+#    The corresponding anycast addresses defined by RFC 2526 (the last 128 addresses in the subnet)
+#
+convert_to_anycast() {
+    local address
+    local badress
+    local vlsm
+    local host
+    local o
+    local m
+    m=
+    local z
+    z=65535
+    local l
+
+    while read address; do
+	case $address in
+	    2*|3*)
+		vlsm=${address#*/}
+		vlsm=${vlsm:=128}
+
+		if [ $vlsm -le 120 ]; then
+	            #
+	            # Defines a viable subnet -- first get the subnet-router anycast address
+	            #
+		    host=$((128 - $vlsm))
+
+		    address=$(normalize_address ${address%/*})
+
+		    while [ $host -ge 16 ]; do
+			address=${address%:*}
+			host=$(($host - 16))
+		    done
+
+		    if [ $host -gt 0 ]; then
+			#
+			# VLSM is not a multiple of 16
+			#
+			host=$((16 - $host))
+			o=$((0x${address##*:}))
+			m=0
+			while [ $host -gt 0 ]; do
+			    m=$((($m >> 1) | 0x8000))
+			    z=$(($z >> 1))
+			    host=$(($host - 1))
+			done
+
+			o=$(($o & $m))
+
+			badress=${address%:*}
+
+			address=$badress:$(printf %04x $o)
+
+			z=$(($o | $z))
+
+			if [ $vlsm -gt 112 ]; then
+			    z=$(($z & 0xff80))
+			fi
+
+			badress=$badress:$(printf %04x $z)
+		    else
+			badress=$address
+		    fi
+		    #
+		    # Note: at this point $address and $badress are the same except possibly for
+		    #       the contents of the last half-word
+		    #
+		    list_count $(split $address)
+
+		    l=$?
+		    #
+		    # Now generate the anycast addresses defined by RFC 2526
+		    #
+		    if [ $l -lt 8 ]; then
+			#
+			# The subnet-router address
+			#
+			echo $address::
+
+		    	while [ $l -lt 8 ]; do
+			    badress=$badress:ffff
+			    l=$(($l + 1 ))
+			done
+		    else
+			#
+			# The subnet-router address
+			#
+			echo $address
+		    fi
+		    #
+		    # And the RFC 2526 addresses
+		    #
+		    echo $badress/121
+		fi
+		;;
+	esac
+    done
+}
+
+#
+# Generate a list of anycast addresses for a given interface
+#
+
+get_interface_acasts() # $1 = interface
+{
+    local addresses
+    addresses=
+
+    find_interface_full_addresses $1 | convert_to_anycast | sort -u
+}
+
+#
+# Get a list of all configured anycast addresses on the system
+#
+get_all_acasts()
+{
+    find_interface_full_addresses | convert_to_anycast | sort -u
+}
+
+#
+# Detect the gateway through an interface
+#
+detect_gateway() # $1 = interface
+{
+    local interface
+    interface=$1
+    #
+    # First assume that this is some sort of point-to-point interface
+    #
+    gateway=$( find_peer $($IP -6 addr list $interface ) )
+    #
+    # Maybe there's a default route through this gateway already
+    #
+    [ -n "$gateway" ] || gateway=$(find_gateway $($IP -6 route list dev $interface | grep '^default'))
+    #
+    # Last hope -- is there a load-balancing route through the interface?
+    #
+    [ -n "$gateway" ] || gateway=$(find_nexthop $interface)
+    #
+    # Be sure we found one
+    #
+    [ -n "$gateway" ] && echo $gateway
+}
+
+#
+# Add an additional gateway to the default route
+#
+add_gateway() # $1 = Delta $2 = Table Number
+{
+    local route
+    local weight
+    local delta
+    local dev
+
+    run_ip route add default scope global table $2 $1
+}
+
+#
+# Remove a gateway from the default route
+#
+delete_gateway() # $! = Description of the Gateway $2 = table number $3 = device
+{
+    local route
+    local gateway
+    local dev
+
+    route=`$IP -6 -o route ls table $2 | grep ^default | sed 's/[\]//g'`
+    gateway=$1
+
+    dev=$(find_device $route)
+    [ "$dev" = "$3" ] && run_ip route delete default table $2
+}
+
+#
+# Clear Proxy NDP
+#
+delete_proxyndp() {
+    if [ -f ${VARDIR}/proxyndp ]; then
+	while read address interface external haveroute; do
+	    qt $IP -6 neigh del proxy $address dev $external
+	    [ -z "${haveroute}${g_noroutes}" ] && qt $IP -6 route del $address/128 dev $interface
+	    f=/proc/sys/net/ipv6/conf/$interface/proxy_ndp
+	    [ -f $f ] && echo 0 > $f
+	done < ${VARDIR}/proxyndp
+
+	rm -f ${VARDIR}/proxyndp
+    fi
+}
+
+#
+# Remove all Shorewall-added rules
+#
+clear_firewall() {
+    stop_firewall
+
+    setpolicy INPUT ACCEPT
+    setpolicy FORWARD ACCEPT
+    setpolicy OUTPUT ACCEPT
+
+    run_iptables -F
+    qt $IP6TABLES -t raw -F
+
+    echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
+
+    run_clear_exit
+
+    set_state "Cleared"
+
+    logger -p kern.info "$g_product Cleared"
+}
+
+?ENDIF
--- a/Shorewall/manpages/shorewall-accounting.xml
+++ b/Shorewall/manpages/shorewall-accounting.xml
@@ -57,6 +57,17 @@
    of them may be omitted). The first non-commentary record in the accounting
    file must be a section header when sectioning is used.</para>

+    <warning>
+      <para>If sections are not used, the Shorewall rules compiler cannot
+      detect certain violations of netfilter restrictions. These violations
+      can result in run-time errors such as the following:</para>
+
+      <blockquote>
+        <para><emphasis role="bold">iptables-restore v1.4.13: Can't use -o
+        with INPUT</emphasis></para>
+      </blockquote>
+    </warning>
+
    <para>Beginning with Shorewall 4.4.20, the ACCOUNTING_TABLE setting was
    added to shorewall.conf and shorewall6.conf. That setting determines the
    Netfilter table (filter or mangle) where the accounting rules are added.
--- a/Shorewall/manpages/shorewall-blrules.xml
+++ b/Shorewall/manpages/shorewall-blrules.xml
@@ -60,7 +60,31 @@

          <variablelist>
            <varlistentry>
-              <term>blacklog</term>
+              <term><emphasis role="bold">BLACKLIST</emphasis></term>
+
+              <listitem>
+                <para>Added in Shorewall 4.5.3. This is actually a macro that
+                expands as follows:</para>
+
+                <itemizedlist>
+                  <listitem>
+                    <para>If BLACKLIST_LOGLEVEL is specified in <ulink
+                    url="shorewall.conf.html">shorewall.conf</ulink>(5), then
+                    the macro expands to <emphasis
+                    role="bold">blacklog</emphasis>.</para>
+                  </listitem>
+
+                  <listitem>
+                    <para>Otherwise it expands to the action specified for
+                    BLACKLIST_DISPOSITION in <ulink
+                    url="shorewall.conf.html">shorewall.conf</ulink>(5).</para>
+                  </listitem>
+                </itemizedlist>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis role="bold">blacklog</emphasis></term>

              <listitem>
                <para>May only be used if BLACKLIST_LOGLEVEL is specified in
--- a/Shorewall/manpages/shorewall-hosts.xml
+++ b/Shorewall/manpages/shorewall-hosts.xml
@@ -118,32 +118,6 @@
          must have no embedded white space.</para>

          <variablelist>
-            <varlistentry>
-              <term><emphasis role="bold">maclist</emphasis></term>
-
-              <listitem>
-                <para>Connection requests from these hosts are compared
-                against the contents of <ulink
-                url="shorewall-maclist.html">shorewall-maclist</ulink>(5). If
-                this option is specified, the interface must be an ethernet
-                NIC or equivalent and must be up before Shorewall is
-                started.</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><emphasis role="bold">routeback</emphasis></term>
-
-              <listitem>
-                <para>Shorewall should set up the infrastructure to pass
-                packets from this/these address(es) back to themselves. This
-                is necessary if hosts in this group use the services of a
-                transparent proxy that is a member of the group or if DNAT is
-                used to send requests originating from this group to a server
-                in the group.</para>
-              </listitem>
-            </varlistentry>
-
            <varlistentry>
              <term><emphasis role="bold">blacklist</emphasis></term>

@@ -154,48 +128,6 @@
              </listitem>
            </varlistentry>

-            <varlistentry>
-              <term><emphasis role="bold">tcpflags</emphasis></term>
-
-              <listitem>
-                <para>Packets arriving from these hosts are checked for
-                certain illegal combinations of TCP flags. Packets found to
-                have such a combination of flags are handled according to the
-                setting of TCP_FLAGS_DISPOSITION after having been logged
-                according to the setting of TCP_FLAGS_LOG_LEVEL.</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><emphasis role="bold">nosmurfs</emphasis></term>
-
-              <listitem>
-                <para>This option only makes sense for ports on a
-                bridge.</para>
-
-                <para>Filter packets for smurfs (packets with a broadcast
-                address as the source).</para>
-
-                <para>Smurfs will be optionally logged based on the setting of
-                SMURF_LOG_LEVEL in <ulink
-                url="shorewall.conf.html">shorewall.conf</ulink>(5). After
-                logging, the packets are dropped.</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><emphasis role="bold">ipsec</emphasis></term>
-
-              <listitem>
-                <para>The zone is accessed via a kernel 2.6 ipsec SA. Note
-                that if the zone named in the ZONE column is specified as an
-                IPSEC zone in the <ulink
-                url="shorewall-zones.html">shorewall-zones</ulink>(5) file
-                then you do NOT need to specify the 'ipsec' option
-                here.</para>
-              </listitem>
-            </varlistentry>
-
            <varlistentry>
              <term><emphasis role="bold">broadcast</emphasis></term>

@@ -229,6 +161,86 @@
                net(s).</para>
              </listitem>
            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis role="bold">ipsec</emphasis></term>
+
+              <listitem>
+                <para>The zone is accessed via a kernel 2.6 ipsec SA. Note
+                that if the zone named in the ZONE column is specified as an
+                IPSEC zone in the <ulink
+                url="shorewall-zones.html">shorewall-zones</ulink>(5) file
+                then you do NOT need to specify the 'ipsec' option
+                here.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis role="bold">maclist</emphasis></term>
+
+              <listitem>
+                <para>Connection requests from these hosts are compared
+                against the contents of <ulink
+                url="shorewall-maclist.html">shorewall-maclist</ulink>(5). If
+                this option is specified, the interface must be an ethernet
+                NIC or equivalent and must be up before Shorewall is
+                started.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis
+              role="bold">mss</emphasis>=<replaceable>mss</replaceable></term>
+
+              <listitem>
+                <para>Added in Shorewall 4.5.2. When present, causes the TCP
+                mss for new connections to/from the hosts given in the HOST(S)
+                column to be clamped at the specified
+                <replaceable>mss</replaceable>.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis role="bold">nosmurfs</emphasis></term>
+
+              <listitem>
+                <para>This option only makes sense for ports on a
+                bridge.</para>
+
+                <para>Filter packets for smurfs (packets with a broadcast
+                address as the source).</para>
+
+                <para>Smurfs will be optionally logged based on the setting of
+                SMURF_LOG_LEVEL in <ulink
+                url="shorewall.conf.html">shorewall.conf</ulink>(5). After
+                logging, the packets are dropped.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis role="bold">routeback</emphasis></term>
+
+              <listitem>
+                <para>Shorewall should set up the infrastructure to pass
+                packets from this/these address(es) back to themselves. This
+                is necessary if hosts in this group use the services of a
+                transparent proxy that is a member of the group or if DNAT is
+                used to send requests originating from this group to a server
+                in the group.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis role="bold">tcpflags</emphasis></term>
+
+              <listitem>
+                <para>Packets arriving from these hosts are checked for
+                certain illegal combinations of TCP flags. Packets found to
+                have such a combination of flags are handled according to the
+                setting of TCP_FLAGS_DISPOSITION after having been logged
+                according to the setting of TCP_FLAGS_LOG_LEVEL.</para>
+              </listitem>
+            </varlistentry>
          </variablelist>
        </listitem>
      </varlistentry>
--- a/Shorewall/manpages/shorewall-interfaces.xml
+++ b/Shorewall/manpages/shorewall-interfaces.xml
@@ -27,6 +27,34 @@
    interfaces to Shorewall. The order of entries in this file is not
    significant in determining zone composition.</para>

+    <para>Beginning with Shorewall 4.5.3, the interfaces file supports two
+    different formats:</para>
+
+    <variablelist>
+      <varlistentry>
+        <term>FORMAT 1 (default - deprecated)</term>
+
+        <listitem>
+          <para>There is a BROADCAST column which can be used to specify the
+          broadcast address associated with the interface.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>FORMAT 2</term>
+
+        <listitem>
+          <para>The BROADCAST column is omitted.</para>
+        </listitem>
+      </varlistentry>
+    </variablelist>
+
+    <para>The format is specified by a line as follows:</para>
+
+    <blockquote>
+      <para><emphasis role="bold">FORMAT {1|2}</emphasis></para>
+    </blockquote>
+
    <para>The columns in the file are as follows.</para>

    <variablelist>
@@ -128,6 +156,8 @@ loc     eth2            -</programlisting>
        role="bold">detect</emphasis>|<emphasis>address</emphasis>[,<emphasis>address</emphasis>]...}</term>

        <listitem>
+          <para>Only available if FORMAT 1.</para>
+
          <para>If you use the special value <emphasis
          role="bold">detect</emphasis>, Shorewall will detect the broadcast
          address(es) for you if your iptables and kernel include Address Type
@@ -172,7 +202,7 @@ loc     eth2            -</programlisting>
                changed; the value assigned to the setting will be the value
                specified (if any) or 1 if no value is given.</para>

-                <para></para>
+                <para/>

                <note>
                  <para>This option does not work with a wild-card
@@ -206,7 +236,7 @@ loc     eth2            -</programlisting>

                <para>8 - do not reply for all local addresses</para>

-                <para></para>
+                <para/>

                <note>
                  <para>This option does not work with a wild-card
@@ -214,7 +244,7 @@ loc     eth2            -</programlisting>
                  the INTERFACE column.</para>
                </note>

-                <para></para>
+                <para/>

                <warning>
                  <para>Do not specify <emphasis
@@ -355,7 +385,7 @@ loc     eth2            -</programlisting>
        1
        teastep@lists:~$ </programlisting>

-                <para></para>
+                <para/>

                <note>
                  <para>This option does not work with a wild-card
@@ -629,7 +659,7 @@ loc     eth2            -</programlisting>
                changed; the value assigned to the setting will be the value
                specified (if any) or 1 if no value is given.</para>

-                <para></para>
+                <para/>

                <note>
                  <para>This option does not work with a wild-card
@@ -705,11 +735,14 @@ loc     eth2            -</programlisting>
          connected to your local network and that your local subnet is
          192.168.1.0/24. The interface gets its IP address via DHCP from
          subnet 206.191.149.192/27. You have a DMZ with subnet 192.168.2.0/24
-          using eth2.</para>
+          using eth2. Your iptables and/or kernel do not support "Address Type
+          Match" and you prefer to specify broadcast addresses explicitly
+          rather than having Shorewall detect them.</para>

          <para>Your entries for this setup would look like:</para>

-          <programlisting>#ZONE   INTERFACE BROADCAST        OPTIONS
+          <programlisting>FORMAT 1
+#ZONE   INTERFACE BROADCAST        OPTIONS
 net     eth0      206.191.149.223  dhcp
 loc     eth1      192.168.1.255
 dmz     eth2      192.168.2.255</programlisting>
@@ -723,10 +756,11 @@ dmz     eth2      192.168.2.255</programlisting>
          <para>The same configuration without specifying broadcast addresses
          is:</para>

-          <programlisting>#ZONE   INTERFACE BROADCAST        OPTIONS
-net     eth0      detect           dhcp
-loc     eth1      detect
-dmz     eth2      detect</programlisting>
+          <programlisting>FORMAT 2
+#ZONE   INTERFACE OPTIONS
+net     eth0      dhcp
+loc     eth1      
+dmz     eth2</programlisting>
        </listitem>
      </varlistentry>

@@ -737,7 +771,8 @@ dmz     eth2      detect</programlisting>
          <para>You have a simple dial-in system with no ethernet
          connections.</para>

-          <programlisting>#ZONE   INTERFACE BROADCAST        OPTIONS
+          <programlisting>FORMAT 2
+#ZONE   INTERFACE OPTIONS
 net     ppp0      -</programlisting>
        </listitem>
      </varlistentry>
@@ -749,8 +784,9 @@ net     ppp0      -</programlisting>
          <para>You have a bridge with no IP address and you want to allow
          traffic through the bridge.</para>

-          <programlisting>#ZONE   INTERFACE BROADCAST        OPTIONS
-       br0       -                routeback</programlisting>
+          <programlisting>FORMAT 2
+#ZONE   INTERFACE OPTIONS
+-       br0       routeback</programlisting>
        </listitem>
      </varlistentry>
    </variablelist>
@@ -772,10 +808,9 @@ net     ppp0      -</programlisting>
    shorewall-blacklist(5), shorewall-hosts(5), shorewall-maclist(5),
    shorewall-masq(5), shorewall-nat(5), shorewall-netmap(5),
    shorewall-params(5), shorewall-policy(5), shorewall-providers(5),
-    shorewall-proxyarp(5), shorewall-rtrules(5),
-    shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5),
-    shorewall-secmarks(5), shorewall-tcclasses(5), shorewall-tcdevices(5),
-    shorewall-tcrules(5), shorewall-tos(5), shorewall-tunnels(5),
-    shorewall-zones(5)</para>
+    shorewall-proxyarp(5), shorewall-rtrules(5), shorewall-routestopped(5),
+    shorewall-rules(5), shorewall.conf(5), shorewall-secmarks(5),
+    shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall-tcrules(5),
+    shorewall-tos(5), shorewall-tunnels(5), shorewall-zones(5)</para>
  </refsect1>
 </refentry>
--- a/Shorewall/manpages/shorewall-params.xml
+++ b/Shorewall/manpages/shorewall-params.xml
@@ -23,7 +23,11 @@
  <refsect1>
    <title>Description</title>

-    <para>Assign any shell variables that you need in this file.</para>
+    <para>Assign any shell variables that you need in this file. The file is
+    always processed by <filename>/bin/sh</filename> or by the shell specified
+    through SHOREWALL_SHELL in <ulink
+    url="shorewall.conf.html">shorewall.conf</ulink> (5) so the full range of
+    shell capabilities may be used.</para>

    <para>It is suggested that variable names begin with an upper case letter
    to distinguish them from variables used internally within the Shorewall
@@ -128,12 +132,13 @@ net     eth0            130.252.100.255 routefilter,norfc1918</programlisting>
    url="http://www.shorewall.net/configuration_file_basics.htm#Variables?">http://www.shorewall.net/configuration_file_basics.htm#Variables</ulink></para>

    <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
-    shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5), shorewall-ipsets(5),
-    shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5),
-    shorewall-netmap(5), shorewall-policy(5), shorewall-providers(5),
-    shorewall-proxyarp(5), shorewall-rtrules(5),
-    shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5), shorewall-secmarks(5),
-    shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall-tcrules(5),
-    shorewall-tos(5), shorewall-tunnels(5), shorewall-zones(5)</para>
+    shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5),
+    shorewall-ipsets(5), shorewall-maclist(5), shorewall-masq(5),
+    shorewall-nat(5), shorewall-netmap(5), shorewall-policy(5),
+    shorewall-providers(5), shorewall-proxyarp(5), shorewall-rtrules(5),
+    shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5),
+    shorewall-secmarks(5), shorewall-tcclasses(5), shorewall-tcdevices(5),
+    shorewall-tcrules(5), shorewall-tos(5), shorewall-tunnels(5),
+    shorewall-zones(5)</para>
  </refsect1>
 </refentry>
--- a/Shorewall/manpages/shorewall-providers.xml
+++ b/Shorewall/manpages/shorewall-providers.xml
@@ -87,8 +87,7 @@
          being zero). Otherwise, the value must be between 1 and 255. Each
          provider must be assigned a unique mark value. This column may be
          omitted if you don't use packet marking to direct connections to a
-          particular provider and you don't specify <option>track</option> in
-          the OPTIONS column.</para>
+          particular provider.</para>
        </listitem>
      </varlistentry>

--- a/Shorewall/manpages/shorewall-rules.xml
+++ b/Shorewall/manpages/shorewall-rules.xml
@@ -226,7 +226,7 @@
              <listitem>
                <para>like DROP but exempts the rule from being suppressed by
                OPTIMIZE=1 in <ulink
-                url="shorewall.conf.html">shorewall.conf</ulink>(5). </para>
+                url="shorewall.conf.html">shorewall.conf</ulink>(5).</para>
              </listitem>
            </varlistentry>

@@ -782,7 +782,7 @@
            </orderedlist></para>

          <blockquote>
-            <para></para>
+            <para/>

            <para>Except when <emphasis role="bold">all</emphasis>[<emphasis
            role="bold">+]|[-</emphasis>] is specified, the server may be
@@ -1230,8 +1230,18 @@
              <term>localtz</term>

              <listitem>
-                <para>Times are expressed in Local Civil Time
-                (default).</para>
+                <para>Deprecated by the Netfilter team in favor of <emphasis
+                role="bold">kerneltz</emphasis>. Times are expressed in Local
+                Civil Time (default).</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term>kerneltz</term>
+
+              <listitem>
+                <para>Added in Shorewall 4.5.2. Times are expressed in Local
+                Kernel Time (requires iptables 1.4.12 or later).</para>
              </listitem>
            </varlistentry>

@@ -1548,9 +1558,9 @@
    shorewall_interfaces(5), shorewall-ipsets(5), shorewall-maclist(5),
    shorewall-masq(5), shorewall-nat(5), shorewall-netmap(5),
    shorewall-params(5), shorewall-policy(5), shorewall-providers(5),
-    shorewall-proxyarp(5), shorewall-rtrules(5),
-    shorewall-routestopped(5), shorewall.conf(5), shorewall-secmarks(5),
-    shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall-tcrules(5),
-    shorewall-tos(5), shorewall-tunnels(5), shorewall-zones(5)</para>
+    shorewall-proxyarp(5), shorewall-rtrules(5), shorewall-routestopped(5),
+    shorewall.conf(5), shorewall-secmarks(5), shorewall-tcclasses(5),
+    shorewall-tcdevices(5), shorewall-tcrules(5), shorewall-tos(5),
+    shorewall-tunnels(5), shorewall-zones(5)</para>
  </refsect1>
 </refentry>
--- a/Shorewall/manpages/shorewall-tcrules.xml
+++ b/Shorewall/manpages/shorewall-tcrules.xml
@@ -44,7 +44,7 @@

    <variablelist>
      <varlistentry>
-        <term><emphasis role="bold">MARK/CLASSIFY</emphasis> (mark) -
+        <term><emphasis role="bold">ACTION</emphasis> (mark) -
        <replaceable>mark</replaceable></term>

        <listitem>
@@ -271,8 +271,8 @@
              target allows you to work around that problem. SAME may be used
              in the PREROUTING and OUTPUT chains. When used in PREROUTING, it
              causes matching connections from an individual local system to
-              all use the same provider. For example: <programlisting>#MARK/            SOURCE         DEST         PROTO      DEST
-#CLASSIFY                                                PORT(S)
+              all use the same provider. For example: <programlisting>#ACTION           SOURCE         DEST         PROTO      DEST
+#                                                        PORT(S)
 SAME:P            192.168.1.0/24 0.0.0.0/0    tcp        80,443</programlisting>
              If a host in 192.168.1.0/24 attempts a connection on TCP port 80
              or 443 and it has sent a packet on either of those ports in the
@@ -282,8 +282,8 @@ SAME:P            192.168.1.0/24 0.0.0.0/0    tcp        80,443</programlisting>

              <para>When used in the OUTPUT chain, it causes all matching
              connections to an individual remote system to all use the same
-              provider. For example:<programlisting>#MARK/            SOURCE         DEST         PROTO      DEST
-#CLASSIFY                                                PORT(S)
+              provider. For example:<programlisting>#ACTION           SOURCE         DEST         PROTO      DEST
+#                                                        PORT(S)
 SAME              $FW            0.0.0.0/0    tcp        80,443</programlisting>
              If the firewall attempts a connection on TCP port 80 or 443 and
              it has sent a packet on either of those ports in the last five
@@ -407,39 +407,6 @@ SAME              $FW            0.0.0.0/0    tcp        80,443</programlisting>
              classes will have a value &gt; 256.</para>
            </listitem>

-            <listitem>
-              <para><emphasis
-              role="bold">TPROXY</emphasis>(<replaceable>mark</replaceable>[/<replaceable>mask</replaceable>][,[<replaceable>port</replaceable>][,[<replaceable>address</replaceable>]]])</para>
-
-              <para>Transparently redirects a packet without altering the IP
-              header. Requires a local provider to be defined in <ulink
-              url="shorewall-providers.html">shorewall-providers</ulink>(5).</para>
-
-              <para>There are three parameters to TPROXY - only the first
-              (mark) is required:</para>
-
-              <itemizedlist>
-                <listitem>
-                  <para><replaceable>mark</replaceable> - the MARK value
-                  corresponding to the local provider in <ulink
-                  url="shorewall-providers.html">shorewall-providers</ulink>(5).</para>
-                </listitem>
-
-                <listitem>
-                  <para><replaceable>port</replaceable> - the port on which
-                  the proxy server is listening. If omitted, the original
-                  destination port.</para>
-                </listitem>
-
-                <listitem>
-                  <para><replaceable>address</replaceable> - a local (to the
-                  firewall) IP address on which the proxy server is listening.
-                  If omitted, the IP address of the interface on which the
-                  request arrives.</para>
-                </listitem>
-              </itemizedlist>
-            </listitem>
-
            <listitem>
              <para><emphasis role="bold">TTL</emphasis>([<emphasis
              role="bold">-</emphasis>|<emphasis
@@ -569,7 +536,7 @@ Normal-Service       =&gt; 0x00</programlisting>
                  <term>T</term>

                  <listitem>
-                    <para>POSTROUTING chain (default).</para>
+                    <para>POSTROUTING chain.</para>
                  </listitem>
                </varlistentry>
              </variablelist>
@@ -600,7 +567,7 @@ Normal-Service       =&gt; 0x00</programlisting>
              MAC addresses. <emphasis role="bold">This form will not match
              traffic that originates on the firewall itself unless either
              &lt;major&gt;&lt;minor&gt; or the :T chain qualifier is used in
-              the MARK column.</emphasis></para>
+              the ACTION column.</emphasis></para>

              <para>Examples:<simplelist>
                  <member>0.0.0.0/0</member>
@@ -622,7 +589,7 @@ Normal-Service       =&gt; 0x00</programlisting>
              <para>$FW optionally followed by a colon (":") and a
              comma-separated list of host or network IP addresses. Matches
              packets originating on the firewall. May not be used with a
-              chain qualifier (:P, :F, etc.) in the MARK column.</para>
+              chain qualifier (:P, :F, etc.) in the ACTION column.</para>
            </listitem>
          </orderedlist>

@@ -938,8 +905,8 @@ Normal-Service       =&gt; 0x00</programlisting>
          original connection was made on.</para>

          <para>Example: Mark all FTP data connections with mark
-          4:<programlisting>#MARK/    SOURCE    DEST      PROTO   PORT(S)    SOURCE  USER TEST LENGTH TOS CONNBYTES HELPER
-#CLASSIFY                                        PORT(S)
+          4:<programlisting>#ACTION   SOURCE    DEST      PROTO   PORT(S)    SOURCE  USER TEST LENGTH TOS CONNBYTES HELPER
+#                                                PORT(S)
 4:T       0.0.0.0/0 0.0.0.0/0 TCP     -          -       -    -    -      -   -         ftp</programlisting></para>
        </listitem>
      </varlistentry>
@@ -1017,8 +984,8 @@ Normal-Service       =&gt; 0x00</programlisting>

          <para>We assume packet/connection mark 0 means unclassified.</para>

-          <programlisting>       #MARK/     SOURCE    DEST         PROTO   PORT(S)       SOURCE  USER    TEST
-       #CLASSIFY                                               PORT(S)
+          <programlisting>       #ACTION    SOURCE    DEST         PROTO   PORT(S)       SOURCE  USER    TEST
+       #                                                       PORT(S)
       1:T        0.0.0.0/0 0.0.0.0/0    icmp    echo-request
       1:T        0.0.0.0/0 0.0.0.0/0    icmp    echo-reply
       RESTORE:T  0.0.0.0/0 0.0.0.0/0    all     -             -       -       0
--- a/Shorewall/manpages/shorewall-tunnels.xml
+++ b/Shorewall/manpages/shorewall-tunnels.xml
@@ -125,8 +125,9 @@
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">GATEWAY</emphasis> -
-        <emphasis>address-or-range</emphasis></term>
+        <term><emphasis role="bold">GATEWAY</emphasis>S -
+        <emphasis>address-or-range</emphasis> <emphasis role="bold">[ , ...
+        ]</emphasis></term>

        <listitem>
          <para>The IP address of the remote tunnel gateway. If the remote
@@ -134,6 +135,11 @@
          as <emphasis role="bold">0.0.0.0/0</emphasis>. May be specified as a
          network address and if your kernel and iptables include iprange
          match support then IP address ranges are also allowed.</para>
+
+          <para>Beginning with Shorewall 4.5.3, a list of addresses or ranges
+          may be given. Exclusion (<ulink
+          url="shorewall-exclusion.html">shorewall-exclusion</ulink> (5) ) is
+          not supported.</para>
        </listitem>
      </varlistentry>

@@ -148,7 +154,7 @@
          comma-separated list of the names of the zones that the host might
          be in. This column only applies to IPSEC tunnels where it enables
          ISAKMP traffic to flow through the tunnel to the remote
-          gateway.</para>
+          gateway(s).</para>
        </listitem>
      </varlistentry>
    </variablelist>
--- a/Shorewall/manpages/shorewall.conf.xml
+++ b/Shorewall/manpages/shorewall.conf.xml
@@ -96,7 +96,7 @@
        role="bold">none</emphasis>}</term>

        <listitem>
-          <para></para>
+          <para/>
        </listitem>
      </varlistentry>

@@ -106,7 +106,7 @@
        role="bold">none</emphasis>}</term>

        <listitem>
-          <para></para>
+          <para/>
        </listitem>
      </varlistentry>

@@ -116,7 +116,7 @@
        role="bold">none</emphasis>}</term>

        <listitem>
-          <para></para>
+          <para/>
        </listitem>
      </varlistentry>

@@ -126,7 +126,7 @@
        role="bold">none</emphasis>}</term>

        <listitem>
-          <para></para>
+          <para/>
        </listitem>
      </varlistentry>

@@ -482,7 +482,7 @@
          </itemizedlist>

          <blockquote>
-            <para></para>
+            <para/>

            <para>If CONFIG_PATH is not given or if it is set to the empty
            value then the contents of /usr/share/shorewall/configpath are
@@ -814,7 +814,7 @@ net     all  DROP   info</programlisting>then the chain name is 'net2all'
            </varlistentry>
          </variablelist>

-          <para></para>
+          <para/>

          <blockquote>
            <para>If this variable is not set or is given an empty value
@@ -848,6 +848,29 @@ net     all  DROP   info</programlisting>then the chain name is 'net2all'
        </listitem>
      </varlistentry>

+      <varlistentry>
+        <term><emphasis role="bold">IPSET_WARNINGS=</emphasis>{<emphasis
+        role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>}</term>
+
+        <listitem>
+          <para>Added in Shorewall 4.5.2. Default is Yes. When set, causes the
+          rules compiler to issue a warning when:</para>
+
+          <itemizedlist>
+            <listitem>
+              <para>The compiler is being run by root and an ipset specified
+              in the configuration does not exists. Only one warning is issued
+              for each missing ipset.</para>
+            </listitem>
+
+            <listitem>
+              <para>When [src] is specified in a destination column and when
+              [dst] is specified in a source column.</para>
+            </listitem>
+          </itemizedlist>
+        </listitem>
+      </varlistentry>
+
      <varlistentry>
        <term><emphasis
        role="bold">IPTABLES=</emphasis>[<emphasis>pathname</emphasis>]</term>
@@ -915,6 +938,19 @@ net     all  DROP   info</programlisting>then the chain name is 'net2all'
        </listitem>
      </varlistentry>

+      <varlistentry>
+        <term><emphasis
+        role="bold">LOCKFILE</emphasis>=[<emphasis>pathname</emphasis>]</term>
+
+        <listitem>
+          <para>Specifies the name of the Shorewall lock file, used to prevent
+          simultaneous state-changing commands. If not specified,
+          ${VARDIR}/shorewall/lock is assumed (${VARDIR} is normally /var/lib
+          but can be changed when Shorewall-core is installed -- see the
+          output of <command>shorewall show vardir</command>).</para>
+        </listitem>
+      </varlistentry>
+
      <varlistentry>
        <term><emphasis role="bold">LOG_MARTIANS=</emphasis>[<emphasis
        role="bold">Yes</emphasis>|<emphasis
@@ -988,7 +1024,7 @@ net     all  DROP   info</programlisting>then the chain name is 'net2all'
            </listitem>
          </itemizedlist>

-          <para></para>
+          <para/>

          <blockquote>
            <para>For example, using the default LOGFORMAT, the log prefix for
@@ -1005,7 +1041,7 @@ net     all  DROP   info</programlisting>then the chain name is 'net2all'
              control your firewall after you enable this option.</para>
            </important>

-            <para></para>
+            <para/>

            <caution>
              <para>Do not use this option if the resulting log messages will
@@ -1641,7 +1677,7 @@ net     all  DROP   info</programlisting>then the chain name is 'net2all'
        role="bold">"</emphasis></term>

        <listitem>
-          <para></para>
+          <para/>
        </listitem>
      </varlistentry>

@@ -2092,14 +2128,14 @@ net     all  DROP   info</programlisting>then the chain name is 'net2all'
          tcrules. This was done so that tcrules could reset the packet mark
          to zero, thus allowing the packet to be routed using the 'main'
          routing table. Using the main table allowed dynamic routes (such as
-          those added for VPNs) to be effective. The rtrules file was
-          created to provide a better alternative to clearing the packet mark.
-          As a consequence, passing these packets to PREROUTING complicates
-          things without providing any real benefit. Beginning with Shorewall
-          4.4.6, when TRACK_PROVIDERS=Yes and TC_EXPERT=No, packets arriving
-          through 'tracked' interfaces will not be passed to the PREROUTING
-          rules. Since TRACK_PROVIDERS was just introduced in 4.4.3, this
-          change should be transparent to most, if not all, users.</para>
+          those added for VPNs) to be effective. The rtrules file was created
+          to provide a better alternative to clearing the packet mark. As a
+          consequence, passing these packets to PREROUTING complicates things
+          without providing any real benefit. Beginning with Shorewall 4.4.6,
+          when TRACK_PROVIDERS=Yes and TC_EXPERT=No, packets arriving through
+          'tracked' interfaces will not be passed to the PREROUTING rules.
+          Since TRACK_PROVIDERS was just introduced in 4.4.3, this change
+          should be transparent to most, if not all, users.</para>
        </listitem>
      </varlistentry>

--- a/Shorewall/manpages/shorewall.xml
+++ b/Shorewall/manpages/shorewall.xml
@@ -283,6 +283,8 @@

      <arg><option>-r</option> <replaceable>root-user-name</replaceable></arg>

+      <arg><option>-T</option></arg>
+
      <arg><replaceable>directory</replaceable></arg>

      <arg choice="plain"><replaceable>system</replaceable></arg>
@@ -349,7 +351,9 @@

      <arg>-<replaceable>options</replaceable></arg>

-      <arg choice="plain"><option>refresh</option><arg
+      <arg
+      choice="plain"><option>refresh</option><arg><option>-n</option></arg><arg><option>-d</option></arg><arg><option>-T</option></arg><arg>-<option>D</option>
+      <replaceable>directory</replaceable> </arg><arg
      rep="repeat"><replaceable>chain</replaceable></arg></arg>
    </cmdsynopsis>

@@ -381,6 +385,8 @@

      <arg><option>-r</option> <replaceable>root-user-name</replaceable></arg>

+      <arg><option>-T</option></arg>
+
      <arg><replaceable>directory</replaceable></arg>

      <arg choice="plain"><replaceable>system</replaceable></arg>
@@ -415,6 +421,8 @@

      <arg><option>-c</option></arg>

+      <arg><option>-T</option></arg>
+
      <arg><replaceable>directory</replaceable></arg>
    </cmdsynopsis>

@@ -599,6 +607,8 @@

      <arg><option>-c</option></arg>

+      <arg><option>-T</option></arg>
+
      <arg><replaceable>directory</replaceable></arg>
    </cmdsynopsis>

@@ -1038,6 +1048,10 @@
          <para>If <option>-r</option> is included, it specifies that the root
          user on <replaceable>system</replaceable> is named
          <replaceable>root-user-name</replaceable> rather than "root".</para>
+
+          <para>The <option>-T</option> option was added in Shorewall 4.5.3
+          and causes a Perl stack trace to be included with each
+          compiler-generated error and warning message.</para>
        </listitem>
      </varlistentry>

@@ -1113,6 +1127,20 @@
          list or until an entry in the list names another table. Built-in
          chains such as FORWARD may not be refreshed.</para>

+          <para>The <option>-n</option> option was added in Shorewall 4.5.3
+          causes Shorewall to avoid updating the routing table(s).</para>
+
+          <para>The <option>-d </option>option was added in Shorewall 4.5.3
+          causes the compiler to run under the Perl debugger.</para>
+
+          <para>The <option>-T</option> option was added in Shorewall 4.5.3
+          and causes a Perl stack trace to be included with each
+          compiler-generated error and warning message.</para>
+
+          <para>The -<option>D</option> option was added in Shorewall 4.5.3
+          and causes Shorewall to look in the given
+          <emphasis>directory</emphasis> first for configuration files.</para>
+
          <para>Example:<programlisting><command>shorewall refresh net2fw nat:net_dnat</command> #Refresh the 'net2loc' chain in the filter table and the 'net_dnat' chain in the nat table</programlisting></para>

          <para>The <emphasis role="bold">refresh</emphasis> command has
@@ -1166,6 +1194,10 @@
          <para>If <option>-r</option> is included, it specifies that the root
          user on <replaceable>system</replaceable> is named
          <replaceable>root-user-name</replaceable> rather than "root".</para>
+
+          <para>The <option>-T</option> option was added in Shorewall 4.5.3
+          and causes a Perl stack trace to be included with each
+          compiler-generated error and warning message.</para>
        </listitem>
      </varlistentry>

@@ -1210,6 +1242,10 @@
          url="shorewall.conf.html">shorewall.conf</ulink>(5). When both
          <option>-f</option> and <option>-c</option>are present, the result
          is determined by the option that appears last.</para>
+
+          <para>The <option>-T</option> option was added in Shorewall 4.5.3
+          and causes a Perl stack trace to be included with each
+          compiler-generated error and warning message.</para>
        </listitem>
      </varlistentry>

@@ -1541,6 +1577,10 @@
          url="shorewall.conf.html">shorewall.conf</ulink>(5). When both
          <option>-f</option> and <option>-c</option>are present, the result
          is determined by the option that appears last.</para>
+
+          <para>The <option>-T</option> option was added in Shorewall 4.5.3
+          and causes a Perl stack trace to be included with each
+          compiler-generated error and warning message.</para>
        </listitem>
      </varlistentry>

--- a/Shorewall/modules
+++ b/Shorewall/modules
@@ -16,24 +16,24 @@
 #
 # Essential Modules
 #
-INCLUDE modules.essential
+?INCLUDE modules.essential
 #
 # Other xtables modules
 #
-INCLUDE modules.xtables
+?INCLUDE modules.xtables
 #
 # Helpers
 #
-INCLUDE helpers
+?INCLUDE helpers
 #
 # Ipset
 #
-INCLUDE modules.ipset
+?INCLUDE modules.ipset
 #
 # Traffic Shaping
 #
-INCLUDE modules.tc
+?INCLUDE modules.tc
 #
 # Extensions
 #
-INCLUDE modules.extensions
+?INCLUDE modules.extensions
--- a/Shorewall/shorewall
+++ b/Shorewall/shorewall
@@ -27,6 +27,19 @@
 ################################################################################################
 g_program=shorewall

-. /usr/share/shorewall/lib.cli
+#
+# This is modified by the installer when ${SHAREDIR} != /usr/share
+#
+. /usr/share/shorewall/shorewallrc
+
+g_libexec="$LIBEXECDIR"
+g_sharedir="$SHAREDIR"/shorewall
+g_sbindir="$SBINDIR"
+g_perllib="$PERLLIBDIR"
+g_vardir="$VARDIR"
+g_confdir="$CONFDIR"/shorewall
+g_readrc=1
+
+. $g_sharedir/lib.cli

 shorewall_cli $@
--- a/Shorewall/uninstall.sh
+++ b/Shorewall/uninstall.sh
@@ -31,7 +31,7 @@ VERSION=xxx #The Build script inserts the actual version
 usage() # $1 = exit status
 {
    ME=$(basename $0)
-    echo "usage: $ME"
+    echo "usage: $ME [ <shorewallrc file> ]"
    exit $1
 }

@@ -40,16 +40,25 @@ qt()
    "$@" >/dev/null 2>&1
 }

-restore_file() # $1 = file to restore
-{
-    if [ -f ${1}-shorewall.bkout ]; then
-	if (mv -f ${1}-shorewall.bkout $1); then
-	    echo
-	    echo "$1 restored"
-        else
-	    exit 1
-        fi
-    fi
+split() {
+    local ifs
+    ifs=$IFS
+    IFS=:
+    set -- $1
+    echo $*
+    IFS=$ifs
+}
+
+mywhich() {
+    local dir
+
+    for dir in $(split $PATH); do
+	if [ -x $dir/$1 ]; then
+	    return 0
+	fi
+    done
+
+    return 2
 }

 remove_file() # $1 = file to restore
@@ -60,8 +69,34 @@ remove_file() # $1 = file to restore
    fi
 }

-if [ -f /usr/share/shorewall/version ]; then
-    INSTALLED_VERSION="$(cat /usr/share/shorewall/version)"
+if [ $# -eq 0 ]; then
+    if [ -f ./shorewallrc ]; then
+	. ./shorewallrc
+    elif [ -f ~/.shorewallrc ]; then
+	. ~/.shorewallrc || exit 1
+	file=./.shorewallrc
+    elif [ -f /usr/share/shorewall/shorewallrc ]; then
+	. /usr/share/shorewall/shorewallrc
+    else
+	fatal_error "No configuration file specified and /usr/share/shorewall/shorewallrc not found"
+    fi
+elif [ $# -eq 1 ]; then
+    file=$1
+    case $file in
+	/*|.*)
+	    ;;
+	*)
+	    file=./$file
+	    ;;
+    esac
+
+    . $file
+else
+    usage 1
+fi
+
+if [ -f ${SHAREDIR}/shorewall/version ]; then
+    INSTALLED_VERSION="$(cat ${SHAREDIR}/shorewall/version)"
    if [ "$INSTALLED_VERSION" != "$VERSION" ]; then
 	echo "WARNING: Shorewall Version $INSTALLED_VERSION is installed"
 	echo "         and this is the $VERSION uninstaller."
@@ -72,62 +107,33 @@ else
    VERSION=""
 fi

-[ -n "${LIBEXEC:=/usr/share}" ]
-[ -n "${PERLLIB:=/usr/share/shorewall}" ]

 echo "Uninstalling shorewall $VERSION"

-if qt iptables -L shorewall -n && [ ! -f /sbin/shorewall-lite ]; then
-   /sbin/shorewall clear
+if qt iptables -L shorewall -n && [ ! -f ${SBINDIR}/shorewall-lite ]; then
+   shorewall clear
 fi

-if [ -L /usr/share/shorewall/init ]; then
-    FIREWALL=$(readlink -m -q /usr/share/shorewall/init)
-else
-    FIREWALL=/etc/init.d/shorewall
-fi
+rm -f ${SBINDIR}/shorewall

-if [ -n "$FIREWALL" ]; then
-    if [ -x /usr/sbin/updaterc.d ]; then
-	updaterc.d shorewall remove
-    elif [ -x /sbin/insserv -o -x /usr/sbin/insserv ]; then
-        insserv -r $FIREWALL
-    elif [ -x /sbin/systemctl ]; then
-	systemctl disable shorewall
-    elif [ -x /sbin/chkconfig -o -x /usr/sbin/chkconfig ]; then
-	chkconfig --del $(basename $FIREWALL)
-    else
-	rm -f /etc/rc*.d/*$(basename $FIREWALL)
-    fi
-
-    remove_file $FIREWALL
-    rm -f ${FIREWALL}-*.bkout
-fi
-
-rm -f /sbin/shorewall
-rm -f /sbin/shorewall-*.bkout
-
-rm -rf /usr/share/shorewall/version
-rm -rf /etc/shorewall
-rm -rf /etc/shorewall-*.bkout
-rm -rf /var/lib/shorewall
-rm -rf /var/lib/shorewall-*.bkout
+rm -rf ${SHAREDIR}/shorewall/version
+rm -rf ${CONFDIR}/shorewall
+rm -rf ${VARDIR}/shorewall
 rm -rf ${PERLLIB}/Shorewall/*
 rm -rf ${LIBEXEC}/shorewall
-rm -rf /usr/share/shorewall/configfiles/
-rm -rf /usr/share/shorewall/Samples/
-rm -rf /usr/share/shorewall/Shorewall/
-rm -f  /usr/share/shorewall/lib.cli-std
-rm -f  /usr/share/shorewall/lib.core
-rm -f  /usr/share/shorewall/compiler.pl
-rm -f  /usr/share/shorewall/prog.*
-rm -f  /usr/share/shorewall/module*
-rm -f  /usr/share/shorewall/helpers
-rm -f  /usr/share/shorewall/action*
-rm -f  /usr/share/shorewall/init
-rm -rf /usr/share/shorewall-*.bkout
+rm -rf ${SHAREDIR}/shorewall/configfiles/
+rm -rf ${SHAREDIR}/shorewall/Samples/
+rm -rf ${SHAREDIR}/shorewall/Shorewall/
+rm -f  ${SHAREDIR}/shorewall/lib.cli-std
+rm -f  ${SHAREDIR}/shorewall/lib.core
+rm -f  ${SHAREDIR}/shorewall/compiler.pl
+rm -f  ${SHAREDIR}/shorewall/prog.*
+rm -f  ${SHAREDIR}/shorewall/module*
+rm -f  ${SHAREDIR}/shorewall/helpers
+rm -f  ${SHAREDIR}/shorewall/action*
+rm -f  ${SHAREDIR}/shorewall/init

-for f in /usr/share/man/man5/shorewall* /usr/share/man/man8/shorewall*; do
+for f in ${MANDIR}/man5/shorewall* ${MANDIR}/man8/shorewall*; do
    case $f in
 	shorewall6*|shorewall-lite*)
 	    ;;
@@ -137,8 +143,10 @@ for f in /usr/share/man/man5/shorewall* /usr/share/man/man8/shorewall*; do
    esac
 done

-rm -f  /etc/logrotate.d/shorewall
-rm -f  /lib/systemd/system/shorewall.service
+rm -f  ${CONFDIR}/logrotate.d/shorewall
+
+if [ -n "$SYSTEMD" ]; THEN
+rm -f  ${SYSTEMD}/shorewall.service

 echo "Shorewall Uninstalled"

--- a/Shorewall6-lite/Makefile
+++ b/Shorewall6-lite/Makefile
@@ -3,9 +3,9 @@ VARDIR=$(shell /sbin/shorewall6-lite show vardir)
 SHAREDIR=/usr/share/shorewall6-lite
 RESTOREFILE?=.restore

-all: $(VARDIR)/${RESTOREFILE}
+all: $(VARDIR)/$(RESTOREFILE)

-$(VARDIR)/${RESTOREFILE}: $(VARDIR)/firewall
+$(VARDIR)/$(RESTOREFILE): $(VARDIR)/firewall
 	@/sbin/shorewall6-lite -q save >/dev/null; \
 	if \
 	    /sbin/shorewall6-lite -q restart >/dev/null 2>&1; \
--- a/Shorewall6-lite/init.debian.sh
+++ b/Shorewall6-lite/init.debian.sh
@@ -78,6 +78,11 @@ else
 	not_configured
 fi

+#
+# The installer may alter this
+#
+. /usr/share/shorewall/shorewallrc
+
 # start the firewall
 shorewall6_start () {
  echo -n "Starting \"Shorewall6 Lite firewall\": "
--- a/Shorewall6-lite/init.fedora.sh
+++ b/Shorewall6-lite/init.fedora.sh
@@ -20,16 +20,21 @@
 # Source function library.
 . /etc/rc.d/init.d/functions

+#
+# The installer may alter this
+#
+. /usr/share/shorewall/shorewallrc
+
 prog="shorewall6-lite"
-shorewall="/sbin/$prog"
+shorewall="${SBINDIR}/$prog"
 logger="logger -i -t $prog"
 lockfile="/var/lock/subsys/$prog"

 # Get startup options (override default)
 OPTIONS=

-if [ -f /etc/sysconfig/$prog ]; then
-    . /etc/sysconfig/$prog
+if [ -f ${SYSCONFDIR}/$prog ]; then
+    . ${SYSCONFDIR}/$prog
 fi

 start() {
--- a/Shorewall6-lite/init.sh
+++ b/Shorewall6-lite/init.sh
@@ -1,11 +1,11 @@
 #!/bin/sh
 RCDLINKS="2,S41 3,S41 6,K41"
 #
-#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V4.1
+#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V4.5
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 1999,2000,2001,2002,2003,2004,2005,2006,2007 - Tom Eastep (teastep@shorewall.net)
+#     (c) 1999,2000,2001,2002,2003,2004,2005,2006,2007,2012 - Tom Eastep (teastep@shorewall.net)
 #
 #	On most distributions, this file should be called /etc/init.d/shorewall.
 #
@@ -61,11 +61,11 @@ usage() {
 # Get startup options (override default)
 ################################################################################
 OPTIONS=
-if [ -f /etc/sysconfig/shorewall6-lite ]; then
-    . /etc/sysconfig/shorewall6-lite
-elif [ -f /etc/default/shorewall6-lite ] ; then
-    . /etc/default/shorewall6-lite
-fi
+
+#
+# The installer may alter this
+#
+. /usr/share/shorewall/shorewallrc

 export SHOREWALL_INIT_SCRIPT=1

@@ -76,13 +76,13 @@ command="$1"

 case "$command" in
    start)
-	exec /sbin/shorewall6-lite $OPTIONS start $STARTOPTIONS
+	exec ${SBINDIR}/shorewall6-lite $OPTIONS start $STARTOPTIONS
 	;;
    restart|reload)
-	exec /sbin/shorewall6-lite $OPTIONS restart $RESTARTOPTIONS
+	exec ${SBINDIR}/shorewall6-lite $OPTIONS restart $RESTARTOPTIONS
 	;;
    status|stop)
-	exec /sbin/shorewall6-lite $OPTIONS $command $@
+	exec ${SBINDIR}/shorewall6-lite $OPTIONS $command $@
 	;;
    *)
 	usage
--- a/Shorewall6-lite/manpages/shorewall6-lite-vardir.xml
+++ b/Shorewall6-lite/manpages/shorewall6-lite-vardir.xml
@@ -36,6 +36,29 @@
    directory. If you add this file, you should copy the files from
    <filename>/var/lib/shorewall6-lite</filename> to the new directory before
    performing a <command>shorewall6-lite restart</command>.</para>
+
+    <note>
+      <para>Beginning with Shorewall 4.5.2, use of this file is deprecated in
+      favor of specifying VARDIR in the <filename>shorewallrc</filename> file
+      used during installation of Shorewall Core. While the name of the
+      variable remains VARDIR, the meaning is slightly different. When set in
+      shorewallrc, Shorewall6 Lite will create a directory under the specified
+      path name to hold state information.</para>
+
+      <para>Example:</para>
+
+      <blockquote>
+        <para>VARDIR=<filename>/opt/var/lib/</filename></para>
+
+        <para>The state directory for Shorewall Lite will be
+        <filename>/opt/var/lib/shorewall6-lite</filename>.</para>
+      </blockquote>
+
+      <para>When VARDIR is set in
+      <filename>/etc/shorewall6-lite/vardir</filename>, Shorewall Lite will
+      save its state in the <replaceable>directory</replaceable>
+      specified.</para>
+    </note>
  </refsect1>

  <refsect1>
--- a/Shorewall6-lite/shorewall6-lite
+++ b/Shorewall6-lite/shorewall6-lite
@@ -27,6 +27,18 @@
 ################################################################################################
 g_program=shorewall6-lite

-. /usr/share/shorewall/lib.cli
+#
+# This is modified by the installer when ${SHAREDIR} != /usr/share
+#
+. /usr/share/shorewall/shorewallrc
+
+g_libexec="$LIBEXECDIR"
+g_sharedir="$SHAREDIR"/shorewall6-lite
+g_sbindir="$SBINDIR"
+g_vardir="$VARDIR"
+g_confdir="$CONFDIR"/shorewall6-lite
+g_readrc=1
+
+. ${SHAREDIR}/shorewall/lib.cli

 shorewall_cli $@
--- a/Shorewall6-lite/uninstall.sh
+++ b/Shorewall6-lite/uninstall.sh
@@ -31,7 +31,7 @@ VERSION=xxx  #The Build script inserts the actual version
 usage() # $1 = exit status
 {
    ME=$(basename $0)
-    echo "usage: $ME"
+    echo "usage: $ME [ <shorewallrc file> ]"
    exit $1
 }

@@ -40,6 +40,27 @@ qt()
    "$@" >/dev/null 2>&1
 }

+split() {
+    local ifs
+    ifs=$IFS
+    IFS=:
+    set -- $1
+    echo $*
+    IFS=$ifs
+}
+
+mywhich() {
+    local dir
+
+    for dir in $(split $PATH); do
+	if [ -x $dir/$1 ]; then
+	    return 0
+	fi
+    done
+
+    return 2
+}
+
 remove_file() # $1 = file to restore
 {
    if [ -f $1 -o -L $1 ] ; then
@@ -48,8 +69,37 @@ remove_file() # $1 = file to restore
    fi
 }

-if [ -f /usr/share/shorewall6-lite/version ]; then
-    INSTALLED_VERSION="$(cat /usr/share/shorewall6-lite/version)"
+#
+# Read the RC file
+#
+if [ $# -eq 0 ]; then
+    if [ -f ./shorewallrc ]; then
+	. ./shorewallrc
+    elif [ -f ~/.shorewallrc ]; then
+	. ~/.shorewallrc || exit 1
+	file=./.shorewallrc
+    elif [ -f /usr/share/shorewall/shorewallrc ]; then
+	. /usr/share/shorewall/shorewallrc
+    else
+	fatal_error "No configuration file specified and /usr/share/shorewall/shorewallrc not found"
+    fi
+elif [ $# -eq 1 ]; then
+    file=$1
+    case $file in
+	/*|.*)
+	    ;;
+	*)
+	    file=./$file
+	    ;;
+    esac
+
+    . $file
+else
+    usage 1
+fi
+
+if [ -f ${SHAREDIR}/shorewall6-lite/version ]; then
+    INSTALLED_VERSION="$(cat ${SHAREDIR}/shorewall6-lite/version)"
    if [ "$INSTALLED_VERSION" != "$VERSION" ]; then
 	echo "WARNING: Shorewall Lite Version $INSTALLED_VERSION is installed"
 	echo "         and this is the $VERSION uninstaller."
@@ -60,49 +110,39 @@ else
    VERSION=""
 fi

-[ -n "${LIBEXEC:=/usr/share}" ]
-
 echo "Uninstalling Shorewall Lite $VERSION"

-if qt ip6tables -L shorewall -n && [ ! -f /sbin/shorewall6 ]; then
-   /sbin/shorewall6-lite clear
+if qt ip6tables -L shorewall -n && [ ! -f ${SBINDIR)/shorewall6 ]; then
+   ${SBINDIR}/shorewall6-lite clear
 fi

-if [ -L /usr/share/shorewall6-lite/init ]; then
-    FIREWALL=$(readlink -m -q /usr/share/shorewall6-lite/init)
-else
-    FIREWALL=/etc/init.d/shorewall6-lite
+if [ -l ${SHAREDIR}/shorewall6-lite/init ]; then
+    FIREWALL=$(readlink -m -q ${SHAREDIR}/shorewall6-lite/init)
+elif [ -n "$INITFILE" ]; then
+    FIREWALL=${INITDIR}/${INITFILE}
 fi

-if [ -n "$FIREWALL" ]; then
-    if [ -x /usr/sbin/updaterc.d ]; then
+if [ -f "$FIREWALL" ]; then
+    if mywhich updaterc.d ; then
 	updaterc.d shorewall6-lite remove
-    elif [ -x /sbin/insserv -o -x /usr/sbin/insserv ]; then
+    elif mywhich insserv ; then
        insserv -r $FIREWALL
-    elif [ -x /sbin/chkconfig -o -x /usr/sbin/chkconfig ]; then
+    elif mywhich chkconfig ; then
 	chkconfig --del $(basename $FIREWALL)
-    elif [ -x /sbin/systemctl ]; then
+    elif mywhich systemctl ; then
 	systemctl disable shorewall6-lite
-    else
-	rm -f /etc/rc*.d/*$(basename $FIREWALL)
    fi

    remove_file $FIREWALL
-    rm -f ${FIREWALL}-*.bkout
 fi

-rm -f /sbin/shorewall6-lite
-rm -f /sbin/shorewall6-lite-*.bkout
-
-rm -rf /etc/shorewall6-lite
-rm -rf /etc/shorewall6-lite-*.bkout
-rm -rf /var/lib/shorewall6-lite
-rm -rf /var/lib/shorewall6-lite-*.bkout
-rm -rf /usr/share/shorewall6-lite
+rm -f ${SBINDIR}/shorewall6-lite
+rm -rf ${CONFDIR}/shorewall6-lite
+rm -rf ${VARDIR}/shorewall6-lite
+rm -rf ${SHAREDIR}/shorewall6-lite
 rm -rf ${LIBEXEC}/shorewall6-lite
-rm -rf /usr/share/shorewall6-lite-*.bkout
-rm -f  /etc/logrotate.d/shorewall6-lite
-rm -f  /lib/systemd/system/shorewall6-lite.service
+rm -f  ${CONFDIR}/logrotate.d/shorewall6-lite
+[ -n "$SYSTEMD" ] && rm -f  ${SYSTEMD}/shorewall6-lite.service

 echo "Shorewall6 Lite Uninstalled"

--- a/Shorewall6/Makefile
+++ b/Shorewall6/Makefile
@@ -3,9 +3,9 @@ VARDIR=$(shell /sbin/shorewall6 show vardir)
 CONFDIR=/etc/shorewall6
 RESTOREFILE?=firewall

-all: $(VARDIR)/${RESTOREFILE}
+all: $(VARDIR)/$(RESTOREFILE)

-$(VARDIR)/${RESTOREFILE}: $(CONFDIR)/*
+$(VARDIR)/$(RESTOREFILE): $(CONFDIR)/*
 	@/sbin/shorewall6 -q save >/dev/null; \
 	if \
 	    /sbin/shorewall6 -q restart >/dev/null 2>&1; \
--- a/Shorewall6/Samples6/LICENSE
+++ b/Shorewall6/Samples6/LICENSE
@@ -55,7 +55,7 @@ modified by someone else and passed on, the recipients should know
 that what they have is not the original version, so that the original
 author's reputation will not be affected by problems that might be
 introduced by others.
-
+
  Finally, software patents pose a constant threat to the existence of
 any free program.  We wish to make sure that a company cannot
 effectively restrict the users of a free program by obtaining a
@@ -111,7 +111,7 @@ modification follow.  Pay close attention to the difference between a
 "work based on the library" and a "work that uses the library".  The
 former contains code derived from the library, whereas the latter must
 be combined with the library in order to run.
-
+
 		  GNU LESSER GENERAL PUBLIC LICENSE
   TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION

@@ -158,7 +158,7 @@ Library.
  You may charge a fee for the physical act of transferring a copy,
 and you may at your option offer warranty protection in exchange for a
 fee.
-
+
  2. You may modify your copy or copies of the Library or any portion
 of it, thus forming a work based on the Library, and copy and
 distribute such modifications or work under the terms of Section 1
@@ -216,7 +216,7 @@ instead of to this License.  (If a newer version than version 2 of the
 ordinary GNU General Public License has appeared, then you can specify
 that version instead if you wish.)  Do not make any other change in
 these notices.
-
+
  Once this change is made in a given copy, it is irreversible for
 that copy, so the ordinary GNU General Public License applies to all
 subsequent copies and derivative works made from that copy.
@@ -267,7 +267,7 @@ Library will still fall under Section 6.)
 distribute the object code for the work under the terms of Section 6.
 Any executables containing that work also fall under Section 6,
 whether or not they are linked directly with the Library itself.
-
+
  6. As an exception to the Sections above, you may also combine or
 link a "work that uses the Library" with the Library to produce a
 work containing portions of the Library, and distribute that work
@@ -329,7 +329,7 @@ restrictions of other proprietary libraries that do not normally
 accompany the operating system.  Such a contradiction means you cannot
 use both them and the Library together in an executable that you
 distribute.
-
+
  7. You may place library facilities that are a work based on the
 Library side-by-side in a single library together with other library
 facilities not covered by this License, and distribute such a combined
@@ -370,7 +370,7 @@ subject to these terms and conditions.  You may not impose any further
 restrictions on the recipients' exercise of the rights granted herein.
 You are not responsible for enforcing compliance by third parties with
 this License.
-
+
  11. If, as a consequence of a court judgment or allegation of patent
 infringement or for any other reason (not limited to patent issues),
 conditions are imposed on you (whether by court order, agreement or
@@ -422,7 +422,7 @@ conditions either of that version or of any later version published by
 the Free Software Foundation.  If the Library does not specify a
 license version number, you may choose any version ever published by
 the Free Software Foundation.
-
+
  14. If you wish to incorporate parts of the Library into other free
 programs whose distribution conditions are incompatible with these,
 write to the author to ask for permission.  For software which is
@@ -456,7 +456,7 @@ SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH
 DAMAGES.

 		     END OF TERMS AND CONDITIONS
-
+
           How to Apply These Terms to Your New Libraries

  If you develop a new library, and you want it to be of the greatest
--- a/Show More
+++ b/Show More