Remove allow_optimize() call from action.New.

Signed-off-by: Tom Eastep <teastep@shorewall.net>
Mention the requirement for a params file in the Shorewall Lite article.
2013-02-11 06:45:33 -08:00 · 2013-02-11 05:58:01 -08:00 · 2013-02-10 15:19:30 -08:00 · 2013-02-10 09:29:30 -08:00 · 2013-02-10 09:00:13 -08:00 · 2013-02-10 07:56:04 -08:00
95 changed files with 4594 additions and 1610 deletions
--- a/Shorewall-core/lib.cli
+++ b/Shorewall-core/lib.cli
@@ -25,7 +25,7 @@
 # loaded after this one and replaces some of the functions declared here.
 #

-SHOREWALL_CAPVERSION=40509
+SHOREWALL_CAPVERSION=40512

 [ -n "${g_program:=shorewall}" ]

@@ -329,11 +329,30 @@ logwatch() # $1 = timeout -- if negative, prompt each time that
    done
 }

+
+#
+# Try to find the arptables binary -- sets the variable 'arptables'
+#
+resolve_arptables() {
+    arptables="$ARPTABLES"
+
+    [ -n "${arptables:=arptables}" ]
+
+    case $arptables in
+	*/*)
+	    ;;
+	*)
+	    arptables=$(mywhich "$arptables")
+	    ;;
+    esac
+}
+
 #
 # Save currently running configuration
 #
 do_save() {
    local status
+    local arptables
    status=0

    if [ -f ${VARDIR}/firewall ]; then
@@ -353,6 +372,42 @@ do_save() {
 	status=1
    fi

+    case ${SAVE_ARPTABLES:=No} in
+	[Yy]es)
+	    resolve_arptables
+
+	    if [ -n "$arptables" ]; then
+	        #
+	        # 'sed' command is a hack to work around broken arptables_jf
+	        #
+		if ${arptables}-save | sed 's/-p[[:space:]]\+0\([[:digit:]]\)00\/ffff/-p 000\1\/ffff/' > ${VARDIR}/restore-$$; then
+		    if grep -q '^-A' ${VARDIR}/restore-$$; then
+			mv -f ${VARDIR}/restore-$$ ${g_restorepath}-arptables
+		    else
+			rm -f ${VARDIR}/restore-$$
+		    fi
+		fi
+	    else
+		case "$ARPTABLES" in
+		    */*)
+			error_message "ERROR: ARPTABLES=$ARPTABLES does not exist or is not executable - arptables not saved"
+			;;
+		    *)
+			error_message "ERROR: The arptables utility cannot be located - arptables not saved"
+		    ;;
+		esac
+
+		rm -f ${g_restorepath}-arptables
+	    fi
+	    ;;
+	[Nn]o)
+	    rm -f ${g_restorepath}-arptables
+	    ;;
+	*)
+	    error_message "WARNING: Invalid value ($SAVE_ARPTABLES) for SAVE_ARPTABLES"
+	    ;;
+    esac
+
    case ${SAVE_IPSETS:=No} in
 	[Yy]es)
 	    case ${IPSET:=ipset} in
@@ -683,6 +738,7 @@ show_command() {
    table_given=
    local output_filter
    output_filter=cat
+    local arptables

    show_macro() {
 	foo=`grep 'This macro' $macro | sed 's/This macro //'`
@@ -999,6 +1055,17 @@ show_command() {
 	    echo
 	    show_nfacct
 	    ;;
+	arptables)
+	    [ $# -gt 1 ] && usage 1
+	    resolve_arptables
+	    if [ -n "$arptables" -a -x $arptables ]; then
+		echo "$g_product $SHOREWALL_VERSION arptables at $g_hostname - $(date)"
+		echo
+		$arptables -L -n -v
+	    else
+		error_message "Cannot locate the arptables executable"
+	    fi
+	    ;;
 	*)
 	    case "$g_program" in
 		*-lite)
@@ -1156,6 +1223,9 @@ dump_filter() {
 do_dump_command() {
    local finished
    finished=0
+    local arptables
+
+    resolve_arptables

    while [ $finished -eq 0 -a $# -gt 0 ]; do
 	option=$1
@@ -1230,6 +1300,11 @@ do_dump_command() {
    host=$(echo $g_hostname | sed 's/\..*$//')
    $g_tool -L $g_ipt_options

+    if [ -n "$arptables" -a -x "$arptables" ]; then
+	heading "ARP rules"
+	$arptables -L -n -v
+    fi
+
    heading "Log ($LOGFILE)"
    packet_log 20

@@ -2035,6 +2110,7 @@ determine_capabilities() {
    local tool
    local chain
    local chain1
+    local arptables

    if [ -z "$g_tool" ]; then
 	[ $g_family -eq 4 ] && tool=iptables || tool=ip6tables
@@ -2125,6 +2201,7 @@ determine_capabilities() {
    RPFILTER_MATCH=
    NFACCT_MATCH=
    CHECKSUM_TARGET=
+    ARPTABLESJF=
    AMANDA_HELPER=
    FTP_HELPER=
    FTP0_HELPER=
@@ -2141,6 +2218,12 @@ determine_capabilities() {
    TFTP_HELPER=
    TFTP0_HELPER=

+    resolve_arptables
+
+    if [ -n "$arptables" -a -x $arptables ]; then
+	qt $arptables -L OUT && ARPTABLESJF=Yes
+    fi
+
    chain=fooX$$

    if [ -n "$NAT_ENABLED" ]; then
@@ -2524,6 +2607,7 @@ report_capabilities_unsorted() {
    report_capability "RPFilter match" $RPFILTER_MATCH
    report_capability "NFAcct match" $NFACCT_MATCH
    report_capability "Checksum Target" $CHECKSUM_TARGET
+    report_capability "Arptables JF" $ARPTABLESJF

    report_capability "Amanda Helper" $AMANDA_HELPER
    report_capability "FTP Helper" $FTP_HELPER
@@ -2641,6 +2725,7 @@ report_capabilities_unsorted1() {
    report_capability1 RPFILTER_MATCH
    report_capability1 NFACCT_MATCH
    report_capability1 CHECKSUM_TARGET
+    report_capability1 ARPTABLESJF

    report_capability1 AMANDA_HELPER
    report_capability1 FTP_HELPER
@@ -2784,6 +2869,7 @@ forget_command() {
 	rm -f $g_restorepath
 	rm -f ${g_restorepath}-iptables
 	rm -f ${g_restorepath}-ipsets
+	rm -f ${g_restorepath}-arptables
 	echo "    $g_restorepath removed"
    elif [ -f $g_restorepath ]; then
 	echo "   $g_restorepath exists and is not a saved $g_product configuration"
@@ -3215,6 +3301,7 @@ usage() # $1 = exit status
    echo "   save [ <file name> ]"
    echo "   show [ -b ] [ -x ] [ -t {filter|mangle|nat} ] [ {chain [<chain> [ <chain> ... ]"
    echo "   show [ -f ] capabilities"
+    echo "   show arptables"
    echo "   show classifiers"
    echo "   show config"
    echo "   show connections"
--- a/Shorewall-core/shorewallrc.archlinux
+++ b/Shorewall-core/shorewallrc.archlinux
@@ -1,21 +1,21 @@
 #
-# Archlinux Shorewall 4.5 rc file
+# Arch Linux Shorewall 4.5 rc file
 #
-BUILD=archlinux
+BUILD=                                 #Default is to detect the build system
 HOST=archlinux
 PREFIX=/usr                            #Top-level directory for shared files, libraries, etc.
 SHAREDIR=${PREFIX}/share               #Directory for arch-neutral files.
 LIBEXECDIR=${PREFIX}/share             #Directory for executable scripts.
 PERLLIBDIR=${PREFIX}/share/shorewall   #Directory to install Shorewall Perl module directory
 CONFDIR=/etc                           #Directory where subsystem configurations are installed
-SBINDIR=/sbin                          #Directory where system administration programs are installed
+SBINDIR=/usr/sbin                      #Directory where system administration programs are installed
 MANDIR=${SHAREDIR}/man                 #Directory where manpages are installed.
-INITDIR=/etc/rc.d                      #Directory where SysV init scripts are installed.
-INITFILE=$PRODUCT                      #Name of the product's installed SysV init script
-INITSOURCE=init.sh                     #Name of the distributed file to be installed as the SysV init script
+INITDIR=                               #Directory where SysV init scripts are installed.
+INITFILE=                              #Name of the product's installed SysV init script
+INITSOURCE=                            #Name of the distributed file to be installed as the SysV init script
 ANNOTATED=                             #If non-zero, annotated configuration files are installed
 SYSCONFDIR=                            #Directory where SysV init parameter files are installed
-SYSTEMD=                               #Directory where .service files are installed (systems running systemd only)
+SYSTEMD=/usr/lib/systemd/system        #Directory where .service files are installed (systems running systemd only)
 SPARSE=                                #If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR
 VARLIB=/var/lib                        #Directory where product variable data is stored.
 VARDIR=${VARLIB}/$PRODUCT              #Directory where product variable data is stored.
--- a/Shorewall-init/shorewall-init.service
+++ b/Shorewall-init/shorewall-init.service
@@ -13,8 +13,8 @@ Type=oneshot
 RemainAfterExit=yes
 EnvironmentFile=-/etc/sysconfig/shorewall-init
 StandardOutput=syslog
-ExecStart=/sbin/shorewall-init $OPTIONS start
-ExecStop=/sbin/shorewall-init $OPTIONS stop
+ExecStart=/shorewall-init $OPTIONS start
+ExecStop=/shorewall-init $OPTIONS stop

 [Install]
 WantedBy=multi-user.target
--- a/Shorewall-lite/init.archlinux.sh
+++ b/Shorewall-lite/init.archlinux.sh
@@ -1,58 +0,0 @@
-#!/bin/bash
-
-OPTIONS="-f"
-
-if [ -f /etc/sysconfig/shorewall ] ; then
-	. /etc/sysconfig/shorewall
-elif [ -f /etc/default/shorewall ] ; then
-	. /etc/default/shorewall
-fi
-
-# if you want to override options, do so in /etc/sysconfig/shorewall or
-# in /etc/default/shorewall --
-# i strongly encourage you use the latter, since /etc/sysconfig/ does not exist.
-
-. /etc/rc.conf
-. /etc/rc.d/functions
-
-DAEMON_NAME="shorewall" # of course shorewall is NOT a deamon.
-
-case "$1" in
-	start)
-		stat_busy "Starting $DAEMON_NAME"
-		/sbin/shorewall-lite $OPTIONS start &>/dev/null
-		if [ $? -gt 0 ]; then
-			stat_fail
-		else
-			add_daemon $DAEMON_NAME
-			stat_done
-		fi
-		;;
-
-
-	stop)
-		stat_busy "Stopping $DAEMON_NAME"
-		/sbin/shorewall-lite stop &>/dev/null
-		if [ $? -gt 0 ]; then
-			stat_fail
-		else
-			rm_daemon $DAEMON_NAME
-			stat_done
-		fi
-		;;
-
-	restart|reload)
-		stat_busy "Restarting $DAEMON_NAME"
-		/sbin/shorewall-lite restart &>/dev/null
-		if [ $? -gt 0  ]; then
-			stat_fail
-		else
-			stat_done
-		fi
-		;;
-
-	*)
-		echo "usage: $0 {start|stop|restart}"
-esac
-exit 0
-
--- a/Shorewall-lite/shorewall-lite.service
+++ b/Shorewall-lite/shorewall-lite.service
@@ -13,8 +13,8 @@ Type=oneshot
 RemainAfterExit=yes
 EnvironmentFile=-/etc/sysconfig/shorewall-lite
 StandardOutput=syslog
-ExecStart=/usr/sbin/shorewall-lite $OPTIONS start
-ExecStop=/usr/sbin/shorewall-lite $OPTIONS stop
+ExecStart=/sbin/shorewall-lite $OPTIONS start
+ExecStop=/sbin/shorewall-lite $OPTIONS stop

 [Install]
 WantedBy=multi-user.target
--- a/Shorewall/Macros/macro.ActiveDir
+++ b/Shorewall/Macros/macro.ActiveDir
@@ -0,0 +1,40 @@
+#
+# Shorewall version 4 - Samba 4 Macro
+#
+# /usr/share/shorewall/macro.ActiveDir
+#
+#       This macro handles ports for Samba 4 Active Directory Service
+#
+# You can comment out the ports you do not want open
+#
+# 
+###############################################################################
+#ACTION SOURCE  DEST    PROTO   DEST    SOURCE  RATE    USER/
+#                               PORT(S) PORT(S) LIMIT   GROUP
+PARAM   -       -       tcp     389 	#LDAP services
+PARAM   -       -       udp	389  
+PARAM   -       -       tcp     636	#LDAP SSL
+PARAM   -       -       tcp     3268	#LDAP GC
+PARAM   -       -       tcp     3269	#LDAP GC SSL
+PARAM   -       -       tcp     88	#Kerberos
+PARAM   -       -       udp	88
+
+# Use macro.DNS for DNS sevice
+
+PARAM   -       -       tcp     445	#Replication, User and Computer Authentication, Group Policy, Trusts
+PARAM   -       -       udp	445
+
+# Use macro.SMTP for Mail service
+
+PARAM   -       -       tcp     135	#RPC, EPM
+PARAM   -       -       tcp     5722	#RPC, DFSR (SYSVOL)
+PARAM   -       -       udp	123	#Windows Time
+PARAM   -       -       tcp     464	#Kerberosb change/set password
+PARAM   -       -       udp	464
+PARAM   -       -       udp	138	#DFS, Group Policy
+PARAM   -       -       tcp     9389	#SOAP
+PARAM   -       -       tcp     2535	#MADCAP
+PARAM   -       -       udp	2535
+PARAM   -       -       udp     137	#NetLogon, NetBIOS Name Resolution
+PARAM   -       -       tcp	139	#DFSN, NetBIOS Session Service, NetLogon    
+  
--- a/Shorewall/Perl/Shorewall/ARP.pm
+++ b/Shorewall/Perl/Shorewall/ARP.pm
@@ -0,0 +1,314 @@
+#
+# Shorewall 4.5 -- /usr/share/shorewall/Shorewall/ARP.pm
+#
+#     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
+#
+#     (c) 2013 - Tom Eastep (teastep@shorewall.net)
+#
+#       Complete documentation is available at http://shorewall.net
+#
+#       This program is free software; you can redistribute it and/or modify
+#       it under the terms of Version 2 of the GNU General Public License
+#       as published by the Free Software Foundation.
+#
+#       This program is distributed in the hope that it will be useful,
+#       but WITHOUT ANY WARRANTY; without even the implied warranty of
+#       MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+#       GNU General Public License for more details.
+#
+#       You should have received a copy of the GNU General Public License
+#       along with this program; if not, write to the Free Software
+#       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+#  This file is responsible for Shorewall's arptables support
+#
+package Shorewall::ARP;
+require Exporter;
+
+use Shorewall::Config qw(:DEFAULT :internal);
+use Shorewall::Zones;
+use Shorewall::IPAddrs;
+use strict;
+
+our @ISA = qw(Exporter);
+our @EXPORT = ( qw( process_arprules create_arptables_load preview_arptables_load ) );
+
+our %arp_table;
+our $arp_input;
+our $arp_output;
+our $arp_forward;
+our $sourcemac;
+our $destmac;
+our $addrlen;
+our $hw;
+our @builtins;
+our $arptablesjf;
+our @map = ( qw( 0 Request Reply Request_Reverse Reply_Reverse DRARP_Request DRARP_Reply DRARP_Error InARP_Request ARP_NAK ) );
+
+
+#
+# Handles the network and mac parts of the SOURCE ($source == 1 ) and DEST ($source == 0) columns in the arprules file.
+# Returns any match(es) specified.
+#
+sub match_arp_net( $$$ ) {
+    my ( $net, $mac, $source ) = @_;
+
+    my $return = '';
+
+    if ( supplied $net ) {
+	my $invert = ( $net =~ s/^!// ) ? '! ' : '';
+	validate_net $net, 0;
+	$return = $source ? "-s ${invert}$net " : "-d ${invert}$net ";
+    }
+
+    if ( supplied $mac ) {
+	my ( $addr , $mask ) = split( '/', $mac, 2 );
+
+	my $invert = ( $addr =~ s/^!// ) ? '! ' : '';
+
+	fatal_error "Invalid MAC address ($addr)" unless $addr =~ /^(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}$/;
+	if ( supplied $mask ) {
+	    fatal_error "Invalid MAC Mask ($mask)" unless $mask =~ /^(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}$/;
+	    $return .= $source ? "$sourcemac $invert$addr/$mask " : "$destmac $invert$addr/mask ";
+	} else {
+	    $return .= $source ? "$sourcemac $invert$addr " : "$destmac $invert$addr ";
+	}
+    }
+
+    $return;
+}
+
+#
+# Process a rule in the arprules file
+#
+sub process_arprule() {
+    my ( $originalaction, $source, $dest, $opcode ) = split_line( 'arprules file entry', {action => 0, source => 1, dest => 2, opcode => 3 } );
+
+    my $chainref;
+    my $iifaceref;
+    my $iiface;
+    my $difaceref;
+    my $diface;
+    my $saddr;
+    my $smac;
+    my $daddr;
+    my $dmac;
+    my $rule = '';
+
+    fatal_error "ACTION must be specified" if $originalaction eq '-';
+
+    my ( $action, $newaddr ) = split( ':', $originalaction, 2 );
+
+    my %functions = ( DROP   => sub() { $rule .= "-j DROP" },
+		      ACCEPT => sub() { $rule .= "-j ACCEPT" },
+		      SNAT   => sub() { validate_address $newaddr, 0;
+					$rule .= "-j mangle --mangle-ip-s $newaddr"; },
+		      DNAT   => sub() { validate_address $newaddr, 0;
+					$rule .= "-j mangle --mangle-ip-d $newaddr"; },
+		      SMAT   => sub() { fatal_error "Invalid MAC address ($newaddr)" unless $newaddr =~ /^(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}$/;
+					$rule .= "$addrlen 6 -j mangle --mangle-$hw-s $newaddr"; },
+		      DMAT   => sub() { fatal_error "Invalid MAC address ($newaddr)" unless $newaddr =~ /^(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}$/;
+					$rule .= "$addrlen 6 -j mangle --mangle-$hw-d $newaddr"; },
+		      SNATC  => sub() { validate_address $newaddr, 0;
+					$rule .= "-j mangle --mangle-ip-s $newaddr --mangle-target CONTINUE"; },
+		      DNATC  => sub() { validate_address $newaddr, 0;
+					$rule .= "-j mangle --mangle-ip-d $newaddr --mangle-target CONTINUE"; },
+		      SMATC  => sub() { fatal_error "Invalid MAC address ($newaddr)" unless $newaddr =~ /^(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}$/;
+					$rule .= "$addrlen 6 -j mangle --mangle-$hw-s $newaddr --mangle-target CONTINUE"; },
+		      DMATC  => sub() { fatal_error "Invalid MAC address ($newaddr)" unless $newaddr =~ /^(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}$/;
+					$rule .= "$addrlen 6 -j mangle --mangle-$hw-d $newaddr --mangle-target CONTINUE"; },
+		    );
+
+    if ( supplied $newaddr ) {
+	fatal_error "The $action ACTION does not allow a new address" unless $action =~ /^(?:SNAT|DNAT|SMAT|DMAT)C?$/;
+    } else {
+	fatal_error "The $action ACTION requires a new address" if $action =~ /^(?:SNAT|DNAT|SMAT|DMAT)C?$/;
+    }
+
+    my $function = $functions{$action};
+
+    fatal_error "Unknown ACTION ($action)" unless $function;
+
+    if ( $source ne '-' ) {
+	( $iiface, $saddr, $smac ) = split /:/, $source, 3;
+
+	fatal_error "SOURCE interface missing" unless supplied $iiface; 
+
+	$iiface = ( $iifaceref = find_interface( $iiface ) )->{physical};
+
+	fatal_error "Wildcard Interfaces ( $iiface )may not be used in this context" if $iiface =~ /\+$/;
+
+	$rule .= "-i $iiface ";
+	$rule .= match_arp_net( $saddr , $smac, 1 ) if supplied( $saddr );
+	$chainref = $arp_input;
+    }
+
+    if ( $dest ne '-' ) {
+	( $diface, $daddr, $dmac ) = split /:/, $dest, 3;
+
+	fatal_error "DEST interface missing" unless supplied $diface; 
+
+	$diface = ( $difaceref = find_interface( $diface ) )->{physical};
+
+	fatal_error "A wildcard interfaces ( $diface) may not be used in this context" if $diface =~ /\+$/;
+
+	if ( $iiface ) {
+	    fatal_error "When both SOURCE and DEST are given, the interfaces must be ports on the same bridge"
+		if $iifaceref->{bridge} ne $difaceref->{bridge};
+	    $chainref = $arp_forward;
+	} else {
+	    $chainref = $arp_output;
+	}
+
+	$rule .= "-o $diface ";
+	$rule .= match_arp_net( $daddr , $dmac, 0 ) if supplied( $daddr );
+
+    }
+
+    if ( $opcode ne '-' ) {
+	my $invert = ( $opcode =~ s/^!// ) ? '! ' : '';
+	warning_message q(arptables versions through 0.3.4 ignore '!' after '--opcode') if $invert && ! $arptablesjf;
+	fatal_error "Invalid ARP OPCODE ($opcode)" unless $opcode =~ /^\d$/ && $opcode;
+	$rule .= $arptablesjf ? " --arpop ${invert}$map[$opcode] " : "--opcode ${invert}$opcode ";
+    }
+
+    $function ->();
+
+    fatal_error "Either SOURCE or DEST must be specified" unless $chainref;
+
+    push @$chainref, $rule;
+
+}
+
+#
+# Process the arprules file -- returns true if there were any arp rules
+#
+sub process_arprules() {
+    my $result = 0;
+
+    if ( $arptablesjf = have_capability 'ARPTABLESJF' ) {
+	$arp_input  = $arp_table{IN}       = [];
+	$arp_output = $arp_table{OUT}      = [];
+	$arp_forward = $arp_table{FORWARD} = [];
+	@builtins = qw( IN OUT FORWARD );
+	$sourcemac = '-z';
+	$destmac   = '-y';
+	$addrlen   = '--arhln';
+	$hw        = 'hw';
+    } else {
+	$arp_input   = $arp_table{INPUT}   = [];
+	$arp_output  = $arp_table{OUTPUT}  = [];
+	$arp_forward = $arp_table{FORWARD} = [];
+	@builtins = qw( INPUT OUTPUT FORWARD );
+	$sourcemac = '--source-mac';
+	$destmac   = '--destination-mac';
+	$addrlen   = '--h-length';
+	$hw        = 'mac';
+    }
+
+    my $fn = open_file 'arprules';
+
+    if ( $fn ) {
+	first_entry( sub() {
+			 $result = 1;
+			 progress_message2 "$doing $fn..."; }
+		   );
+	process_arprule while read_a_line( NORMAL_READ );
+    }
+
+    $result;
+}
+
+#
+# Generate the arptables_load() function
+#
+sub create_arptables_load( $ ) {
+    my $test = shift;
+
+    emit ( '#',
+	   '# Create the input to arptables-restore and pass that input to the utility',
+	   '#',
+	   'setup_arptables()',
+	   '{'
+	   );
+
+    push_indent;
+
+    save_progress_message "Preparing arptables-restore input...";
+
+    emit '';
+
+    emit "exec 3>\${VARDIR}/.arptables-input";
+
+    my $date = localtime;
+
+    unless ( $test ) {
+	emit_unindented '#';
+	emit_unindented "# Generated by Shorewall $globals{VERSION} - $date";
+	emit_unindented '#';
+    }
+
+    emit '';
+    emit 'cat >&3 << __EOF__';
+
+    emit_unindented "*filter";
+
+    emit_unindented ":$_ ACCEPT" for @builtins;
+
+    for ( @builtins ) {
+	my $rules = $arp_table{$_};
+
+	while ( my $rule = shift @$rules ) {
+	    emit_unindented "-A $_ $rule";
+	}
+    }
+
+    emit_unindented "COMMIT\n" if $arptablesjf;
+
+    emit_unindented "__EOF__";
+
+    #
+    # Now generate the actual ip[6]tables-restore command
+    #
+    emit(  'exec 3>&-',
+	   '',
+	   'progress_message2 "Running $ARPTABLES_RESTORE..."',
+	   '',
+	   'cat ${VARDIR}/.arptables-input | $ARPTABLES_RESTORE # Use this nonsensical form to appease SELinux',
+	   'if [ $? != 0 ]; then',
+	   qq(    fatal_error "arptables-restore Failed. Input is in \${VARDIR}/.arptables-input"),
+	   "fi\n",
+	   "run_ip neigh flush nud stale nud reachable\n",
+	   );    
+
+    pop_indent;
+    emit "}\n";
+}	  
+
+#
+# Preview the generated ARP rules
+#
+sub preview_arptables_load() {
+
+    my $date = localtime;
+
+    print "#\n# Generated by Shorewall $globals{VERSION} - $date\n#\n";
+
+    print "*filter\n";
+
+    print ":$_ ACCEPT\n" for qw( INPUT OUTPUT FORWARD );
+
+    for ( @builtins ) {
+	my $rules = $arp_table{$_};
+
+	while ( my $rule = shift @$rules ) {
+	    print "-A $rule\n";
+	}
+    }
+
+    print "COMMIT\n" if $arptablesjf;
+
+    print "\n";
+}	  
+
+1;
--- a/Shorewall/Perl/Shorewall/Accounting.pm
+++ b/Shorewall/Perl/Shorewall/Accounting.pm
@@ -3,7 +3,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007,2008,2009,2010,2011 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007,2008,2009,2010,2011,2012,2013 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
@@ -49,7 +49,6 @@ our $defaultchain;
 our $ipsecdir;
 our $defaultrestriction;
 our $restriction;
-our $accounting_commands = { COMMENT => 0, SECTION => 2 };
 our $sectionname;
 our $acctable;

@@ -142,27 +141,14 @@ sub process_section ($) {
 #
 # Accounting
 #
-sub process_accounting_rule( ) {
+sub process_accounting_rule1( $$$$$$$$$$$ ) {
+
+    my ($action, $chain, $source, $dest, $proto, $ports, $sports, $user, $mark, $ipsec, $headers ) = @_;

    $acctable = $config{ACCOUNTING_TABLE};

    $jumpchainref = 0;

-    my ($action, $chain, $source, $dest, $proto, $ports, $sports, $user, $mark, $ipsec, $headers ) =
-	split_line1 'Accounting File', { action => 0, chain => 1, source => 2, dest => 3, proto => 4, dport => 5, sport => 6, user => 7, mark => 8, ipsec => 9, headers => 10 }, $accounting_commands;
-
-    fatal_error 'ACTION must be specified' if $action eq '-';
-
-    if ( $action eq 'COMMENT' ) {
-	process_comment;
-	return 0;
-    }
-
-    if ( $action eq 'SECTION' ) {
-	process_section( $chain );
-	return 0;
-    }
-
    $asection = LEGACY if $asection < 0;

    our $disposition = '';
@@ -415,6 +401,28 @@ sub process_accounting_rule( ) {
    return 1;
 }

+sub process_accounting_rule( ) {
+
+    my ($action, $chain, $source, $dest, $protos, $ports, $sports, $user, $mark, $ipsec, $headers ) =
+	split_line1 'Accounting File', { action => 0, chain => 1, source => 2, dest => 3, proto => 4, dport => 5, sport => 6, user => 7, mark => 8, ipsec => 9, headers => 10 };
+
+    my $nonempty = 0;
+
+    for my $proto ( split_list $protos, 'Protocol' ) {
+	fatal_error 'ACTION must be specified' if $action eq '-';
+
+	if ( $action eq 'SECTION' ) {
+	    process_section( $chain );
+	} else {
+	    for my $proto ( split_list $protos, 'Protocol' ) {
+		$nonempty |= process_accounting_rule1( $action, $chain, $source, $dest, $proto, $ports, $sports, $user, $mark, $ipsec, $headers );
+	    }
+	}
+    }
+
+    $nonempty;
+}
+
 sub setup_accounting() {

    if ( my $fn = open_file 'accounting', 1, 1 ) {
@@ -425,8 +433,6 @@ sub setup_accounting() {

 	$nonEmpty |= process_accounting_rule while read_a_line( NORMAL_READ );

-	clear_comment;
-
 	if ( $nonEmpty ) {
 	    my $tableref = $chain_table{$acctable};

--- a/Shorewall/Perl/Shorewall/Chains.pm
+++ b/Shorewall/Perl/Shorewall/Chains.pm
--- a/Shorewall/Perl/Shorewall/Compiler.pm
+++ b/Shorewall/Perl/Shorewall/Compiler.pm
@@ -4,7 +4,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007,2008,2009,2010,2011,2012 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007,2008,2009,2010,2011,2012,2013 - Tom Eastep (teastep@shorewall.net)
 #
 #	Complete documentation is available at http://shorewall.net
 #
@@ -36,6 +36,7 @@ use Shorewall::Proc;
 use Shorewall::Proxyarp;
 use Shorewall::Raw;
 use Shorewall::Misc;
+use Shorewall::ARP;

 use strict;

@@ -50,6 +51,8 @@ our $test;

 our $family;

+our $have_arptables;
+
 #
 # Initilize the package-globals in the other modules
 #
@@ -226,6 +229,22 @@ sub generate_script_2() {

    set_chain_variables;

+    my $need_arptables = $have_arptables || $config{SAVE_ARPTABLES};
+
+    if ( my $arptables = $config{ARPTABLES} ) {
+	emit( qq(ARPTABLES="$arptables"),
+	      '[ -x "$ARPTABLES" ] || startup_error "ARPTABLES=$ARPTABLES does not exist or is not executable"',
+	    );
+    } elsif ( $need_arptables ) {
+	emit( '[ -z "$ARPTABLES" ] && ARPTABLES=$(mywhich arptables)',
+	      '[ -n "$ARPTABLES" -a -x "$ARPTABLES" ] || startup_error "Can\'t find arptables executable"' );
+    }
+
+    if ( $need_arptables ) {
+	emit( 'ARPTABLES_RESTORE=${ARPTABLES}-restore',
+	      '[ -x "$ARPTABLES_RESTORE" ] || startup_error "$ARPTABLES_RESTORE does not exist or is not executable"' );
+    }
+
    if ( $config{EXPORTPARAMS} ) {
 	append_file 'params';
    } else {
@@ -323,6 +342,7 @@ sub generate_script_3($) {
    }

    create_netfilter_load( $test );
+    create_arptables_load( $test ) if $have_arptables;
    create_chainlist_reload( $_[0] );

    emit "#\n# Start/Restart the Firewall\n#";
@@ -450,16 +470,25 @@ sub generate_script_3($) {
 	  '    if [ -f $iptables_save_file ]; then' );

    if ( $family == F_IPV4 ) {
-	emit '        cat $iptables_save_file | $IPTABLES_RESTORE # Use this nonsensical form to appease SELinux'
+	emit( '        cat $iptables_save_file | $IPTABLES_RESTORE # Use this nonsensical form to appease SELinux' );
+
+	emit( '',
+	      '        arptables_save_file=${VARDIR}/$(basename $0)-arptables',
+	      '        if [ -f $arptables_save_file ]; then',
+	      '            cat $arptables_save_file | $ARPTABLES_RESTORE',
+	      '        fi')
+	    if $config{SAVE_ARPTABLES};
+
    } else {
 	emit '        cat $iptables_save_file | $IP6TABLES_RESTORE # Use this nonsensical form to appease SELinux'
    }

-    emit<<'EOF';
-    else
-        fatal_error "$iptables_save_file does not exist"
-    fi
-EOF
+    emit( '    else',
+	  '       fatal_error "$iptables_save_file does not exist"',
+	  '    fi',
+	  ''
+	);
+
    push_indent;
    setup_load_distribution;
    setup_forwarding( $family , 1 );
@@ -489,6 +518,7 @@ EOF
 '    setup_netfilter'
 	);
    push_indent;
+    emit 'setup_arptables' if $have_arptables;
    setup_load_distribution;
    pop_indent;

@@ -544,8 +574,9 @@ sub compiler {
    my ( $scriptfilename, $directory, $verbosity, $timestamp , $debug, $chains , $log , $log_verbosity, $preview, $confess , $update , $annotate , $convert, $config_path, $shorewallrc                      , $shorewallrc1 , $directives ) =
       ( '',              '',         -1,          '',          0,      '',       '',   -1,             0,        0,         0,        0,        , 0       , ''          , '/usr/share/shorewall/shorewallrc', ''            , 0 );

-    $export = 0;
-    $test   = 0;
+    $export         = 0;
+    $test           = 0;
+    $have_arptables = 0;

    sub validate_boolean( $ ) {
 	 my $val = numeric_value( shift );
@@ -754,6 +785,8 @@ sub compiler {
 	emit "}\n"; # End of setup_routing_and_traffic_shaping()
    }

+    $have_arptables = process_arprules if $family == F_IPV4;
+
    disable_script;
    #
    #                                       N E T F I L T E R
@@ -837,7 +870,7 @@ sub compiler {
 	generate_script_2;
 	#
 	#                          N E T F I L T E R   L O A D
-	#    (Produces setup_netfilter(), chainlist_reload() and define_firewall() )
+	#    (Produces setup_netfilter(), setup_arptables(), chainlist_reload() and define_firewall() )
 	#
 	generate_script_3( $chains );
 	#
@@ -850,7 +883,7 @@ sub compiler {
 	#                           S T O P _ F I R E W A L L
 	#         (Writes the stop_firewall() function to the compiled script)
 	#
-	compile_stop_firewall( $test, $export );
+	compile_stop_firewall( $test, $export , $have_arptables );
 	#
 	#                               U P D O W N
 	#               (Writes the updown() function to the compiled script)
@@ -882,7 +915,7 @@ sub compiler {

 	    optimize_level0;

-	    if ( ( my $optimize = $config{OPTIMIZE} & OPTIMIZE_MASK ) ) {
+	    if ( ( my $optimize = $config{OPTIMIZE} ) & 0x1e ) {
 		progress_message2 'Optimizing Ruleset...';
 		#
 		# Optimize Policy Chains
@@ -898,7 +931,10 @@ sub compiler {

 	    generate_script_2 if $debug;

-	    preview_netfilter_load if $preview;
+	    if ( $preview ) {
+		preview_netfilter_load;
+		preview_arptables_load if $have_arptables;
+	    }
 	}
 	#
 	# Re-initialize the chain table so that process_routestopped() has the same
@@ -908,7 +944,7 @@ sub compiler {
 	initialize_chain_table(0);

 	if ( $debug ) {
-	    compile_stop_firewall( $test, $export );
+	    compile_stop_firewall( $test, $export, $have_arptables );
 	    disable_script;
 	} else {
 	    #
--- a/Shorewall/Perl/Shorewall/Config.pm
+++ b/Shorewall/Perl/Shorewall/Config.pm
@@ -3,7 +3,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007,2008,2009,2010,2011,2012 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007,2008,2009,2010,2011,2012,2013 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
@@ -59,6 +59,9 @@ our @EXPORT = qw(

 		 get_action_params
 		 get_action_chain
+		 get_action_chain_name
+		 get_action_logging
+		 get_action_disposition
 		 set_action_param

 		 have_capability
@@ -135,7 +138,6 @@ our %EXPORT_TAGS = ( internal => [ qw( create_temp_script
 				       process_comment
 				       no_comment
 				       macro_comment
-				       clear_comment
 				       push_comment
 				       pop_comment
 				       dump_mark_layout
@@ -161,6 +163,8 @@ our %EXPORT_TAGS = ( internal => [ qw( create_temp_script
 				       %helpers_map
 				       %helpers_enabled
 				       %helpers_aliases
+
+				       %actparms
 				       
 		                       F_IPV4
 		                       F_IPV6
@@ -200,7 +204,7 @@ our %EXPORT_TAGS = ( internal => [ qw( create_temp_script

 Exporter::export_ok_tags('internal');

-our $VERSION = '4.5_11';
+our $VERSION = '4.5_12';

 #
 # describe the current command, it's present progressive, and it's completion.
@@ -351,6 +355,7 @@ our %capdesc = ( NAT_ENABLED     => 'NAT',
 		 RPFILTER_MATCH  => 'RPFilter Match',
 		 NFACCT_MATCH    => 'NFAcct Match',
 		 CHECKSUM_TARGET => 'Checksum Target',
+		 ARPTABLESJF     => 'Arptables JF',
 		 AMANDA_HELPER   => 'Amanda Helper',
 		 FTP_HELPER      => 'FTP Helper',
 		 FTP0_HELPER     => 'FTP-0 Helper',
@@ -482,6 +487,7 @@ our %compiler_params;
 # Action parameters
 #
 our %actparms;
+our $parmsmodified;

 our $currentline;            # Current config file line image
 our $currentfile;            # File handle reference
@@ -495,14 +501,13 @@ our $first_entry;            # Message to output or function to call on first no
 our $file_format;            # Format of configuration file.
 our $max_format;             # Max format value
 our $comment;                # Current COMMENT
-our @comments;
-our $comments_allowed;
-our $nocomment;
-our $warningcount;
-our $warningcount1;
-our $warningcount2;
+our $comments_allowed;       # True if [?]COMMENT is allowed in the current file
+our $nocomment;              # When true, ignore [?]COMMENT in the current file
+our $warningcount;           # Used to suppress duplicate warnings about missing COMMENT support
+our $warningcount1;          # Used to suppress duplicate warnings about COMMENT being deprecated
+our $warningcount2;          # Used to suppress duplicate warnings about FORMAT being deprecated

-our $shorewall_dir;           # Shorewall Directory; if non-empty, search here first for files.
+our $shorewall_dir;          # Shorewall Directory; if non-empty, search here first for files.

 our $debug;                  # Global debugging flag
 our $confess;                # If true, use Carp to report errors with stack trace.
@@ -515,11 +520,11 @@ our $Product;                # $product with initial cap.

 our $sillyname;              # Name of temporary filter chains for testing capabilities
 our $sillyname1;
-our $iptables;                # Path to iptables/ip6tables
-our $tc;                      # Path to tc
-our $ip;                      # Path to ip
+our $iptables;               # Path to iptables/ip6tables
+our $tc;                     # Path to tc
+our $ip;                     # Path to ip

-my $shell;                   # Type of shell that processed the params file
+our $shell;                  # Type of shell that processed the params file

 use constant { BASH    => 1,
 	       OLDBASH => 2,
@@ -540,13 +545,16 @@ our %deprecated = ( LOGRATE            => '' ,
 		    LOGBURST           => '' ,
 		    EXPORTPARAMS       => 'no',
 		    WIDE_TC_MARKS      => 'no',
-		    HIGH_ROUTE_MARKS   => 'no'
+		    HIGH_ROUTE_MARKS   => 'no',
+		    BLACKLISTNEWONLY   => 'yes',
 		  );
 #
 # Deprecated options that are eliminated via update
 #
 our %converted = ( WIDE_TC_MARKS => 1,
-		   HIGH_ROUTE_MARKS => 1 );
+		   HIGH_ROUTE_MARKS => 1,
+		   BLACKLISTNEWONLY => 1,
+		 );
 #
 # Variables involved in ?IF, ?ELSE ?ENDIF processing
 #
@@ -623,7 +631,6 @@ sub initialize( $;$$) {
    # Contents of last COMMENT line.
    #
    $comment       = '';
-    @comments      = ();
    $warningcount  = 0;
    $warningcount1 = 0;
    $warningcount2 = 0;
@@ -638,8 +645,8 @@ sub initialize( $;$$) {
 		    EXPORT     => 0,
 		    KLUDGEFREE => '',
 		    STATEMATCH => '-m state --state',
-		    VERSION    => "4.5.11-RC1",
-		    CAPVERSION => 40509 ,
+		    VERSION    => "4.5.13-Beta3",
+		    CAPVERSION => 40512 ,
 		  );
    #
    # From shorewall.conf file
@@ -668,6 +675,8 @@ sub initialize( $;$$) {
 	  STARTUP_LOG => undef,
 	  SFILTER_LOG_LEVEL => undef,
 	  RPFILTER_LOG_LEVEL => undef,
+	  INVALID_LOG_LEVEL => undef,
+	  UNTRACKED_LOG_LEVEL => undef,
 	  #
 	  # Location of Files
 	  #
@@ -716,6 +725,7 @@ sub initialize( $;$$) {
 	  DETECT_DNAT_IPADDRS => undef,
 	  MUTEX_TIMEOUT => undef,
 	  ADMINISABSENTMINDED => undef,
+	  BLACKLIST => undef,
 	  BLACKLISTNEWONLY => undef,
 	  DELAYBLACKLISTLOAD => undef,
 	  MODULE_SUFFIX => undef,
@@ -725,6 +735,7 @@ sub initialize( $;$$) {
 	  MACLIST_TABLE => undef,
 	  MACLIST_TTL => undef,
 	  SAVE_IPSETS => undef,
+	  SAVE_ARPTABLES => undef,
 	  MAPOLDACTIONS => undef,
 	  FASTACCEPT => undef,
 	  IMPLICIT_CONTINUE => undef,
@@ -765,6 +776,8 @@ sub initialize( $;$$) {
 	  AUTOHELPERS => undef,
 	  RESTORE_ROUTEMARKS => undef,
 	  IGNOREUNKNOWNVARIABLES => undef,
+	  WARNOLDCAPVERSION => undef,
+	  DEFER_DNS_RESOLUTION => undef,
 	  #
 	  # Packet Disposition
 	  #
@@ -775,6 +788,8 @@ sub initialize( $;$$) {
 	  SFILTER_DISPOSITION => undef,
 	  RPFILTER_DISPOSITION => undef,
 	  RELATED_DISPOSITION => undef,
+	  INVALID_DISPOSITION => undef,
+	  UNTRACKED_DISPOSITION => undef,
 	  #
 	  # Mark Geometry
 	  #
@@ -882,6 +897,7 @@ sub initialize( $;$$) {
 	       RPFILTER_MATCH => undef,
 	       NFACCT_MATCH => undef,
 	       CHECKSUM_TARGET => undef,
+	       ARPTABLESJF => undef,

 	       AMANDA_HELPER => undef,
 	       FTP_HELPER => undef,
@@ -934,7 +950,8 @@ sub initialize( $;$$) {

    %compiler_params = ();

-    %actparms = ( );
+    %actparms = ( 0 => 0, loglevel => '', logtag => '', chain => '', disposition => '', caller => ''  );
+    $parmsmodified = 0;

    %helpers_enabled = (
 			amanda       => 1,
@@ -1017,12 +1034,14 @@ sub initialize( $;$$) {
 	$globals{CONFDIR}       = "$shorewallrc{CONFDIR}/shorewall";
 	$globals{PRODUCT}       = 'shorewall';
 	$config{IPTABLES}       = undef;
+	$config{ARPTABLES}      = undef;
 	$validlevels{ULOG}      = 'ULOG';
    } else {
 	$globals{SHAREDIR}      = "$shorewallrc{SHAREDIR}/shorewall6";
 	$globals{CONFDIR}       = "$shorewallrc{CONFDIR}/shorewall6";
 	$globals{PRODUCT}       = 'shorewall6';
 	$config{IP6TABLES}      = undef;
+	delete $config{ARPTABLES};
    }

    %shorewallrc1 = %shorewallrc unless $shorewallrc1;
@@ -1073,6 +1092,8 @@ sub currentlineinfo() {
    }
 }

+sub handle_first_entry();
+
 #
 # Issue a Warning Message
 #
@@ -1081,6 +1102,8 @@ sub warning_message
    my $currentlineinfo = currentlineinfo;
    our @localtime;

+    handle_first_entry if $first_entry;
+
    $| = 1; #Reset output buffering (flush any partially filled buffers).

    if ( $log ) {
@@ -1125,8 +1148,8 @@ sub cleanup() {
 	for ( my $i = @openstack - 1; $i >= 0; $i-- ) {
 	    my $istack = $openstack[$i];
 	    for ( my $j = ( @$istack - 1 ); $j >= 0; $j-- ) {
-		my $info = $istack->[$j];
-		close $info->[0];
+		my $info = $istack->[$j][0];
+		close $info if $info;
 	    }
 	}
    }
@@ -1165,6 +1188,8 @@ sub cleanup() {
 sub fatal_error	{
    my $currentlineinfo = currentlineinfo;

+    handle_first_entry if $first_entry;
+
    $| = 1; #Reset output buffering (flush any partially filled buffers).

    if ( $log ) {
@@ -1193,6 +1218,8 @@ sub fatal_error	{
 }

 sub fatal_error1 {
+    handle_first_entry if $first_entry;
+
    $| = 1;

    if ( $log ) {
@@ -1785,8 +1812,12 @@ sub split_list2( $$ ) {

 sub split_list3( $$ ) {
    my ($list, $type ) = @_;
-
-    fatal_error "Invalid $type ($list)" if $list =~ /^,|,,/;
+    #
+    # We allow omitted arguments in action invocations.
+    #
+    $list =~ s/^,/-,/;
+    $list =~ s/,$/,-/;
+    $list =~ s/,,/,-,/g;

    my @list1 = split /,/, $list;
    my @list2;
@@ -1884,7 +1915,7 @@ sub split_line1( $$;$$ ) {

    my @line = split( ' ', $columns );

-    $nopad = { COMMENT => 0 } unless $nopad;
+    $nopad = {} unless $nopad;

    my $first     = supplied $line[0] ? $line[0] : '-';
    my $npcolumns = $nopad->{$first};
@@ -1961,27 +1992,21 @@ sub no_comment() {
 # Clear the $comment variable and the comment stack
 #
 sub clear_comment() {
-    $comment  = '';
-    @comments = ();
+    $comment   = '';
+    $nocomment = 0;
 }

 #
 # Push and Pop comment stack
 #
-sub push_comment( $ ) {
-    push @comments, $comment;
-    $comment = shift;
+sub push_comment() {
+    my $return = $comment;
+    $comment   = '';
+    $return;
 }

-sub pop_comment() {
-    $comment = pop @comments;
-}
-
-#
-# Set comment
-#
-sub set_comment( $ ) {
-    $comment = shift;
+sub pop_comment( $ ) {
+    $comment = $_[0];
 }

 #
@@ -2006,17 +2031,27 @@ sub do_open_file( $ ) {
    $currentfilename   = $fname;
 }

+#
+# Arguments are:
+#
+# - file name
+# - Maximum value allowed in ?FORMAT directives
+# - ?COMMENT allowed in this file
+# - Ignore ?COMMENT in ths file
+#
 sub open_file( $;$$$ ) {
-    my $fname = find_file $_[0];
+    my ( $fname, $mf, $ca, $nc ) = @_;
+    
+    $fname = find_file $fname;

    assert( ! defined $currentfile );

    if ( -f $fname && -s _ ) {
 	$first_entry      = 0;
 	$file_format      = 1;
-	$max_format       = supplied $_[1] ? $_[1] : 1;
-	$comments_allowed = supplied $_[2] ? $_[2] : 0;
-	$nocomment        = supplied $_[3] ? $_[3] && no_comment : 0;
+	$max_format       = supplied $mf ? $mf : 1;
+	$comments_allowed = supplied $ca ? $ca : 0;
+	$nocomment        = $nc;
 	do_open_file $fname;;
    } else {
 	$ifstack = @ifstack;
@@ -2024,6 +2059,20 @@ sub open_file( $;$$$ ) {
    }
 }

+#
+# Push open-specific globals onto the include stack
+#
+sub push_include() {
+    push @includestack, [ $currentfile,
+			  $currentfilename,
+			  $currentlinenumber,
+			  $ifstack,
+			  $file_format,
+			  $max_format,
+			  $comment,
+			  $nocomment ];
+}
+
 #
 # Pop the include stack
 #
@@ -2037,11 +2086,18 @@ sub pop_include() {
    }

    if ( $arrayref ) {
-	( $currentfile, $currentfilename, $currentlinenumber, $ifstack, $file_format, $max_format, $nocomment ) = @$arrayref;
+	( $currentfile,
+	  $currentfilename,
+	  $currentlinenumber,
+	  $ifstack,
+	  $file_format,
+	  $max_format,
+	  $comment,
+	  $nocomment ) = @$arrayref;
    } else {
 	$currentfile       = undef;
 	$currentlinenumber = 'EOF';
-	$nocomment = $comment = 0;
+	clear_comment;
    }
 }

@@ -2124,7 +2180,9 @@ sub evaluate_expression( $$$ ) {
 	#                         $1      $2   $3                     -     $4
 	while ( $expression =~ m( ^(.*?) \@({)? (\d+|[a-zA-Z]\w*) (?(2)}) (.*)$ )x ) {
 	    my ( $first, $var, $rest ) = ( $1, $3, $4);
+	    $var = numeric_value( $var ) if $var =~ /^\d/;
 	    $val = $var ? $actparms{$var} : $chain;
+	    $parmsmodified ||= $var eq 'caller';
 	    $expression = join_parts( $first, $val, $rest );
 	    directive_error( "Variable Expansion Loop" , $filename, $linenumber ) if ++$count > 100;
 	}
@@ -2154,7 +2212,9 @@ sub evaluate_expression( $$$ ) {

    print "EXPR=> $expression\n" if $debug;

-    unless ( $expression =~ /^\d+$/ ) {
+    if ( $expression =~ /^\d+$/ ) {
+	$val = $expression
+    } else {
 	#
 	# Not a simple one-term expression -- compile it
 	#
@@ -2240,11 +2300,23 @@ sub process_compiler_directive( $$$$ ) {
 			   unless ( $omitting ) {
 			       directive_error( "Missing SET variable", $filename, $linenumber ) unless supplied $expression;
 			       ( my $var , $expression ) = split ' ', $expression, 2;
-			       directive_error( "Invalid SET variable ($var)", $filename, $linenumber) unless $var =~ /^\$?([a-zA-Z]\w*)$/;
+			       directive_error( "Invalid SET variable ($var)", $filename, $linenumber) unless $var =~ /^(\$)?([a-zA-Z]\w*)$/ || $var =~ /^(@)(\d+|[a-zA-Z]\w*)/;
 			       directive_error( "Missing SET expression"     , $filename, $linenumber) unless supplied $expression;
-			       $variables{$1} = evaluate_expression( $expression,
-								     $filename,
-								     $linenumber );
+
+			       if ( ( $1 || '' ) eq '@' ) {
+				   $var = $2;
+				   $var = numeric_value( $var ) if $var =~ /^\d/;
+				   $var = $2 || 'chain';
+				   directive_error( "Shorewall variables may only be SET in the body of an action", $filename, $linenumber ) unless $actparms{0};
+				   my $val = $actparms{$var} = evaluate_expression ( $expression,
+										     $filename,
+										     $linenumber );
+				   $parmsmodified = 1;
+			       } else {
+				   $variables{$2} = evaluate_expression( $expression,
+									 $filename,
+									 $linenumber );
+			       }
 			   }
 		       } ,

@@ -2262,12 +2334,28 @@ sub process_compiler_directive( $$$$ ) {
 			   unless ( $omitting ) {
 			       my $var = $expression;
 			       directive_error( "Missing RESET variable", $filename, $linenumber)        unless supplied $var;
-			       directive_error( "Invalid RESET variable ($var)", $filename, $linenumber) unless $var =~ /^\$?([a-zA-Z]\w*)$/;
+			       directive_error( "Invalid RESET variable ($var)", $filename, $linenumber) unless $var =~ /^(\$)?([a-zA-Z]\w*)$/ || $var =~ /^(@)(\d+|[a-zA-Z]\w*)/;
+
+			       if ( ( $1 || '' ) eq '@' ) {
+				   $var = numeric_value( $var ) if $var =~ /^\d/;
+				   $var = $2 || 'chain';
+				   directive_error( "Shorewall variables may only be RESET in the body of an action", $filename, $linenumber ) unless $actparms{0};
+				   if ( exists $actparms{$var} ) {
+				       if ( $var =~ /^loglevel|logtag|chain|disposition|caller$/ ) {
+					   $actparms{$var} = '';
+				       } else {
+					   delete $actparms{$var}
+				       }
+				   } else {
+				       directive_warning( "Shorewall variable $2 does not exist", $filename, $linenumber );
+				   }

-			       if ( exists $variables{$1} ) {
-				   delete $variables{$1};
 			       } else {
-				   directive_warning( "Variable $1 does not exist", $filename, $linenumber );
+				   if ( exists $variables{$2} ) {
+				       delete $variables{$2};
+				   } else {
+				       directive_warning( "Shell variable $2 does not exist", $filename, $linenumber );
+				   }
 			       }
 			   }
 		       } ,
@@ -2430,7 +2518,7 @@ sub copy1( $ ) {
 			fatal_error "Directory ($filename) not allowed in INCLUDE" if -d _;

 			if ( -s _ ) {
-			    push @includestack, [ $currentfile, $currentfilename, $currentlinenumber, $ifstack, $file_format, $max_format, $nocomment ];
+			    push_include;
 			    $currentfile = undef;
 			    do_open_file $filename;
 			} else {
@@ -2568,7 +2656,7 @@ EOF
 #
 sub push_open( $;$$$ ) {
    my ( $file, $max , $ca, $nc ) = @_;
-    push @includestack, [ $currentfile, $currentfilename, $currentlinenumber, $ifstack, $file_format, $max_format, $nocomment ] if $currentfile;
+    push_include;
    my @a = @includestack;
    push @openstack, \@a;
    @includestack = ();
@@ -2651,7 +2739,7 @@ sub embedded_shell( $ ) {

    $command .= q(');

-    push @includestack, [ $currentfile, $currentfilename, $currentlinenumber, $ifstack , $file_format, $max_format, $nocomment ];
+    push_include;
    $currentfile = undef;
    open $currentfile , '-|', $command or fatal_error qq(Shell Command failed);
    $currentfilename = "SHELL\@$currentfilename:$currentlinenumber";
@@ -2713,7 +2801,7 @@ sub embedded_perl( $ ) {

 	$perlscript = undef;

-	push @includestack, [ $currentfile, $currentfilename, $currentlinenumber , $ifstack , $file_format, $max_format, $nocomment ];
+	push_include;
 	$currentfile = undef;

 	open $currentfile, '<', $perlscriptname or fatal_error "Unable to open Perl Script $perlscriptname";
@@ -2730,34 +2818,50 @@ sub embedded_perl( $ ) {
 }

 #
-# Push/pop action params
+# Push/pop acton params
 #
-sub push_action_params( $$$$ ) {
-    my @params = ( undef , split_list3( $_[1], 'parameter' ) );
-    my %oldparams = %actparms;
+sub push_action_params( $$$$$$ ) {
+    my ( $action, $chainref, $parms, $loglevel, $logtag, $caller ) = @_;
+    my @parms = ( undef , split_list3( $parms , 'parameter' ) );
+
+    $actparms{modified} = $parmsmodified;
+
+    my %oldparms = %actparms;
+
+    $parmsmodified = 0;

    %actparms = ();

-    for ( my $i = 1; $i < @params; $i++ ) {
-	my $val = $params[$i];
+    for ( my $i = 1; $i < @parms; $i++ ) {
+	my $val = $parms[$i];

 	$actparms{$i} = $val eq '-' ? '' : $val eq '--' ? '-' : $val;
    }

-    $actparms{0}          = $_[0];
-    $actparms{loglevel}   = $_[2];
-    $actparms{logtag}     = $_[3];
+    $actparms{0}           = $chainref;
+    $actparms{action}      = $action;
+    $actparms{loglevel}    = $loglevel;
+    $actparms{logtag}      = $logtag;
+    $actparms{caller}      = $caller;
+    $actparms{disposition} = '' if $chainref->{action};
    #
    # The Shorewall variable '@chain' has the non-word charaters removed
    #
-    ( $actparms{chain} = $_[0]->{name} ) =~ s/[^\w]//g;
+    ( $actparms{chain} = $chainref->{name} ) =~ s/[^\w]//g;

-    \%oldparams;
+    \%oldparms;
 }

+#
+# Pop the action parameters using the passed hash reference
+# Return true of the popped parameters were modified
+#
 sub pop_action_params( $ ) {
-    my $oldparms = shift;
-    %actparms = %$oldparms;
+    my $oldparms       = shift;
+    %actparms          = %$oldparms;
+    my $return         = $parmsmodified;
+    ( $parmsmodified ) = delete $actparms{modified};
+    $return;
 }

 sub default_action_params {
@@ -2788,10 +2892,25 @@ sub get_action_params( $ ) {
    @return;
 }

+#
+# Returns the Level and Tag for the current action chain
+#
+sub get_action_logging() {
+    @actparms{ 'loglevel', 'logtag' };
+}
+
 sub get_action_chain() {
    $actparms{0};
 }

+sub get_action_chain_name() {
+    $actparms{chain};
+}
+
+sub get_action_disposition() {
+    $actparms{disposition};
+}
+
 sub set_action_param( $$ ) {
    my $i = shift;

@@ -2815,13 +2934,14 @@ sub expand_variables( \$ ) {
 	if ( $var =~ /^\d+$/ ) {
 	    fatal_error "Action parameters (\$$var) may only be referenced within the body of an action" unless $chain;

-	    unless ( $config{IGNOREUNKNOWNVARIABLES} ) {
+	    if ( $config{IGNOREUNKNOWNVARIABLES} ) {
+		fatal_error "Invalid action parameter (\$$var)" if ( length( $var ) > 1 && $var =~ /^0/ );
+	    } else {
 		fatal_error "Undefined parameter (\$$var)" unless ( defined $actparms{$var} &&
 								    ( length( $var ) == 1 ||
 								      $var !~ /^0/ ) );
 	    }

-	    fatal_error "Invalid action parameter (\$$var)" if ( ! defined $actparms{$var} ) || ( length( $var ) > 1 && $var =~ /^0/ );
 	    $val = $var ? $actparms{$var} : $actparms{0}->{name};
 	} elsif ( exists $variables{$var} ) {
 	    $val = $variables{$var};
@@ -2875,8 +2995,11 @@ sub handle_first_entry() {
    # $first_entry can contain either a function reference or a message. If it
    # contains a reference, call the function -- otherwise issue the message
    #
-    reftype( $first_entry ) ? $first_entry->() : progress_message2( $first_entry );
+    my $entry = $first_entry;
+
    $first_entry = 0;
+
+    reftype( $entry ) ? $entry->() : progress_message2( $entry );
 }

 #
@@ -2959,6 +3082,25 @@ sub read_a_line($) {
 		#
 		$currentline =~ s/\s*$//;
 	    }
+
+	    if ( $comments_allowed && $currentline =~ /^\s*COMMENT\b/ ) {
+		process_comment unless $nocomment;
+		$currentline = '';
+		$currentlinenumber = 0;
+		next
+	    }
+
+	    if ( $max_format > 1 && $currentline =~ /^\s*FORMAT\s+(.+)/ ) {
+		format_warning;
+		my $format = $1;
+		fatal_error( "Invalid format ($format)" )                 unless $format =~ /\d+/;
+		fatal_error( "Format must be between 1 and $max_format" ) unless $format && $format <= $max_format;
+		$file_format = $format;
+		$currentline = '';
+		$currentlinenumber = 0;
+		next
+	    }
+
 	    #
 	    # Line not blank -- Handle any first-entry message/capabilities check
 	    #
@@ -2981,7 +3123,7 @@ sub read_a_line($) {
 		fatal_error "Directory ($filename) not allowed in INCLUDE" if -d _;

 		if ( -s _ ) {
-		    push @includestack, [ $currentfile, $currentfilename, $currentlinenumber, $ifstack , $file_format, $max_format, $nocomment ];
+		    push_include;
 		    $currentfile = undef;
 		    do_open_file $filename;
 		} else {
@@ -3869,9 +4011,21 @@ sub Checksum_Target() {
    have_capability 'MANGLE_ENABLED' && qt1( "$iptables -t mangle -A $sillyname -j CHECKSUM --checksum-fill" );
 }

+sub Arptables_JF() {
+    my $arptables = $config{ARPTABLES};
+
+    $arptables = which( 'arptables' ) unless supplied $arptables;
+
+    if ( $arptables && -f $arptables && -x _ ) {
+	$config{ARPTABLES} = $arptables;
+	qt( "$arptables -L OUT" );
+    }
+}
+
 our %detect_capability =
    ( ACCOUNT_TARGET =>\&Account_Target,
      AMANDA_HELPER => \&Amanda_Helper,
+      ARPTABLESJF => \&Arptables_JF,
      AUDIT_TARGET => \&Audit_Target,
      ADDRTYPE => \&Addrtype,
      BASIC_FILTER => \&Basic_Filter,
@@ -4315,10 +4469,10 @@ EOF
 	if ( system( "diff -q $configfile $configfile.bak > /dev/null" ) ) {
 	    progress_message3 "Configuration file $configfile updated - old file renamed $configfile.bak";
 	} else {
-	    if ( unlink "$configfile.bak" ) {
+	    if ( rename "$configfile.bak", $configfile ) {
 		progress_message3 "No update required to configuration file $configfile; $configfile.bak not saved";
 	    } else {
-		warning_message "Unable to unlink $configfile.bak";
+		warning_message "Unable to rename $configfile.bak to $configfile";
 		progress_message3 "No update required to configuration file $configfile";
 	    }

@@ -4410,13 +4564,6 @@ sub read_capabilities() {
 	}
    }

-    if ( $capabilities{CAPVERSION} ) {
-	warning_message "Your capabilities file is out of date -- it does not contain all of the capabilities defined by $Product version $globals{VERSION}"
-	    unless $capabilities{CAPVERSION} >= $globals{CAPVERSION};
-    } else {
-	warning_message "Your capabilities file may not contain all of the capabilities defined by $Product version $globals{VERSION}";
-    }
-
    unless ( $capabilities{KERNELVERSION} ) {
 	warning_message "Your capabilities file does not contain a Kernel Version -- using 2.6.30";
 	$capabilities{KERNELVERSION} = 20630;
@@ -4715,7 +4862,10 @@ sub convert_to_directives() {
 	    opendir( my $dirhandle, $dir ) || fatal_error "Cannot open directory $dir for reading:$!";

 	    while ( my $file = readdir( $dirhandle ) ) {
-		unless ( $file eq 'capabilities' || $file =~ /\.bak$/ ) {
+		unless ( $file eq 'capabilities'       ||
+			 $file eq 'params'             ||
+			 $file =~ /^shorewall6?.conf$/ ||
+			 $file =~ /\.bak$/ ) {
 		    $file = "$dir/$file";
 		
 		    if ( -f $file && -w _ ) {
@@ -4733,8 +4883,8 @@ EOF
 			if ( $result == 0 ) {
 			    if ( system( "diff -q $file ${file}.bak > /dev/null" ) ) {
 				progress_message3 "   File $file updated - old file renamed ${file}.bak";
-			    } elsif ( ! unlink "${file}.bak" ) {
-
+			    } elsif ( ! rename "${file}.bak" , $file ) {
+				warning message "Unable to rename ${file}.bak to $file:$!";
 			    }
 			} else {
 			    warning_message ("Unable to update file ${file}.bak:$!" );
@@ -4940,7 +5090,6 @@ sub get_configuration( $$$$ ) {
    }

    default_yes_no 'ADMINISABSENTMINDED'        , '';
-    default_yes_no 'BLACKLISTNEWONLY'           , '';
    default_yes_no 'DISABLE_IPV6'               , '';

    unsupported_yes_no_warning 'DYNAMIC_ZONES';
@@ -4948,6 +5097,7 @@ sub get_configuration( $$$$ ) {
    unsupported_yes_no_warning 'RFC1918_STRICT';

    default_yes_no 'SAVE_IPSETS'                , '';
+    default_yes_no 'SAVE_ARPTABLES'             , '';
    default_yes_no 'STARTUP_ENABLED'            , 'Yes';
    default_yes_no 'DELAYBLACKLISTLOAD'         , '';
    default_yes_no 'MAPOLDACTIONS'              , 'Yes';
@@ -4958,7 +5108,47 @@ sub get_configuration( $$$$ ) {

    default_yes_no 'FASTACCEPT'                 , '';

-    fatal_error "BLACKLISTNEWONLY=No may not be specified with FASTACCEPT=Yes" if $config{FASTACCEPT} && ! $config{BLACKLISTNEWONLY};
+    if ( supplied( $val = $config{BLACKLIST} ) ) {
+	my %states;
+
+	if ( $val eq 'ALL' ) {
+	    $globals{BLACKLIST_STATES} = 'ALL';
+	} else {
+	    for ( split_list $val, 'BLACKLIST' ) {
+		fatal_error "Invalid BLACKLIST state ($_)" unless /^(?:NEW|RELATED|ESTABLISHED|INVALID|UNTRACKED)$/;
+		fatal_error "Duplicate BLACKLIST state($_)" if $states{$_};
+		$states{$_} = 1;
+	    }
+
+	    fatal_error "ESTABLISHED state may not be specified when FASTACCEPT=Yes" if $config{FASTACCEPT} && $states{ESTABLISHED};
+	    require_capability 'RAW_TABLE', 'UNTRACKED state', 's' if $states{UNTRACKED};
+	    #
+	    # Place the states in a predictable order
+	    #
+	    my @states;
+
+	    for ( qw( NEW ESTABLISHED RELATED INVALID UNTRACKED ) ) {
+		push @states, $_ if $states{$_};
+	    }
+
+	    $globals{BLACKLIST_STATES} = join ',', @states;
+	}
+    } elsif ( supplied $config{BLACKLISTNEWONLY} ) {
+	default_yes_no 'BLACKLISTNEWONLY'           , '';
+	fatal_error "BLACKLISTNEWONLY=No may not be specified with FASTACCEPT=Yes" if $config{FASTACCEPT} && ! $config{BLACKLISTNEWONLY};
+
+	if ( have_capability 'RAW_TABLE' ) {
+	    $globals{BLACKLIST_STATES} = $config{BLACKLISTNEWONLY} ? 'NEW,INVALID,UNTRACKED' : 'NEW,ESTABLISHED,INVALID,UNTRACKED';
+	} else {
+	    $globals{BLACKLIST_STATES} = $config{BLACKLISTNEWONLY} ? 'NEW,INVALID' : 'NEW,ESTABLISHED,INVALID';
+	}
+    } else {
+	if ( have_capability 'RAW_TABLE' ) {
+	    $globals{BLACKLIST_STATES} = $config{FASTACCEPT} ? 'NEW,INVALID,UNTRACKED' : 'NEW,ESTABLISHED,INVALID,UNTRACKED';
+	} else {
+	    $globals{BLACKLIST_STATES} = $config{FASTACCEPT} ? 'NEW,INVALID' : 'NEW,INVALID,ESTABLISHED';
+	}
+    }

    default_yes_no 'IMPLICIT_CONTINUE'          , '';
    default_yes_no 'HIGH_ROUTE_MARKS'           , '';
@@ -5003,6 +5193,8 @@ sub get_configuration( $$$$ ) {
    default_yes_no 'AUTOHELPERS'                , 'Yes';
    default_yes_no 'RESTORE_ROUTEMARKS'         , 'Yes';
    default_yes_no 'IGNOREUNKNOWNVARIABLES'     , 'Yes';
+    default_yes_no 'WARNOLDCAPVERSION'          , 'Yes';
+    default_yes_no 'DEFER_DNS_RESOLUTION'       , 'Yes';

    $config{IPSET} = '' if supplied $config{IPSET} && $config{IPSET} eq 'ipset'; 

@@ -5098,6 +5290,8 @@ sub get_configuration( $$$$ ) {
    default_log_level 'TCP_FLAGS_LOG_LEVEL', '';
    default_log_level 'RFC1918_LOG_LEVEL',   '';
    default_log_level 'RELATED_LOG_LEVEL',   '';
+    default_log_level 'INVALID_LOG_LEVEL',   '';
+    default_log_level 'UNTRACKED_LOG_LEVEL', '';

    warning_message "RFC1918_LOG_LEVEL=$config{RFC1918_LOG_LEVEL} ignored. The 'norfc1918' interface/host option is no longer supported" if $config{RFC1918_LOG_LEVEL};

@@ -5148,16 +5342,56 @@ sub get_configuration( $$$$ ) {
 	    $globals{RELATED_TARGET} = 'reject';
 	} elsif ( $val eq 'A_REJECT' ) {
 	    $globals{RELATED_TARGET} = $val;
+	} elsif ( $val eq 'CONTINUE' ) {
+	    $globals{RELATED_TARGET} = '';
 	} else {
 	    fatal_error "Invalid value ($config{RELATED_DISPOSITION}) for RELATED_DISPOSITION"
 	}

-	require_capability 'AUDIT_TARGET' , "MACLIST_DISPOSITION=$val", 's' if $val =~ /^A_/;
+	require_capability 'AUDIT_TARGET' , "RELATED_DISPOSITION=$val", 's' if $val =~ /^A_/;
    } else {
 	$config{RELATED_DISPOSITION}  =
 	$globals{RELATED_TARGET}      = 'ACCEPT';
    }

+    if ( $val = $config{INVALID_DISPOSITION} ) {
+	if ( $val =~ /^(?:A_)?DROP$/ ) {
+	    $globals{INVALID_TARGET} = $val;
+	} elsif ( $val eq 'REJECT' ) {
+	    $globals{INVALID_TARGET} = 'reject';
+	} elsif ( $val eq 'A_REJECT' ) {
+	    $globals{INVALID_TARGET} = $val;
+	} elsif ( $val eq 'CONTINUE' ) {
+	    $globals{INVALID_TARGET} = '';
+	} else {
+	    fatal_error "Invalid value ($config{INVALID_DISPOSITION}) for INVALID_DISPOSITION"
+	}
+
+	require_capability 'AUDIT_TARGET' , "INVALID_DISPOSITION=$val", 's' if $val =~ /^A_/;
+    } else {
+	$config{INVALID_DISPOSITION}  = 'CONTINUE';
+	$globals{INVALID_TARGET}      = '';
+    }
+
+    if ( $val = $config{UNTRACKED_DISPOSITION} ) {
+	if ( $val =~ /^(?:A_)?(?:DROP|ACCEPT)$/ ) {
+	    $globals{UNTRACKED_TARGET} = $val;
+	} elsif ( $val eq 'REJECT' ) {
+	    $globals{UNTRACKED_TARGET} = 'reject';
+	} elsif ( $val eq 'A_REJECT' ) {
+	    $globals{UNTRACKED_TARGET} = $val;
+	} elsif ( $val eq 'CONTINUE' ) {
+	    $globals{UNTRACKED_TARGET} = '';
+	} else {
+	    fatal_error "Invalid value ($config{UNTRACKED_DISPOSITION}) for UNTRACKED_DISPOSITION"
+	}
+
+	require_capability 'AUDIT_TARGET' , "UNTRACKED_DISPOSITION=$val", 's' if $val =~ /^A_/;
+    } else {
+	$config{UNTRACKED_DISPOSITION}  = 'CONTINUE';
+	$globals{UNTRACKED_TARGET}        = '';
+    }
+
    if ( $val = $config{MACLIST_TABLE} ) {
 	if ( $val eq 'mangle' ) {
 	    fatal_error 'MACLIST_DISPOSITION=$1 is not allowed with MACLIST_TABLE=mangle' if $config{MACLIST_DISPOSITION} =~ /^((?:A)?REJECT)$/;
@@ -5175,7 +5409,6 @@ sub get_configuration( $$$$ ) {
 	$val = $config{TCP_FLAGS_DISPOSITION} = 'DROP';
    }

-
    default 'TC_ENABLED' , $family == F_IPV4 ? 'Internal' : 'no';

    $val = "\L$config{TC_ENABLED}";
@@ -5278,6 +5511,15 @@ sub get_configuration( $$$$ ) {
    require_capability( 'XCONNMARK'       , 'HIGH_ROUTE_MARKS=Yes' , 's' )  if $config{PROVIDER_OFFSET} > 0;
    require_capability( 'MANGLE_ENABLED'  , 'Traffic Shaping' , 's'      )  if $config{TC_ENABLED};

+    if ( $config{WARNOLDCAPVERSION} ) {
+	if ( $capabilities{CAPVERSION} ) {
+	    warning_message "Your capabilities file is out of date -- it does not contain all of the capabilities defined by $Product version $globals{VERSION}"
+		unless $capabilities{CAPVERSION} >= $globals{CAPVERSION};
+	} else {
+	    warning_message "Your capabilities file may not contain all of the capabilities defined by $Product version $globals{VERSION}";
+	}
+    }
+
    add_variables %config;

    while ( my ($var, $val ) = each %renamed ) {
@@ -5448,7 +5690,7 @@ sub generate_aux_config() {

    emit "#\n# Shorewall auxiliary configuration file created by Shorewall version $globals{VERSION} - $date\n#";

-    for my $option ( qw(VERBOSITY LOGFILE LOGFORMAT IPTABLES IP6TABLES IP TC IPSET PATH SHOREWALL_SHELL SUBSYSLOCK LOCKFILE RESTOREFILE) ) {
+    for my $option ( qw(VERBOSITY LOGFILE LOGFORMAT ARPTABLES IPTABLES IP6TABLES IP TC IPSET PATH SHOREWALL_SHELL SUBSYSLOCK LOCKFILE RESTOREFILE) ) {
 	conditionally_add_option $option;
    }

--- a/Shorewall/Perl/Shorewall/IPAddrs.pm
+++ b/Shorewall/Perl/Shorewall/IPAddrs.pm
@@ -26,7 +26,7 @@
 #
 package Shorewall::IPAddrs;
 require Exporter;
-use Shorewall::Config qw( :DEFAULT split_list require_capability in_hex8 numeric_value F_IPV4 F_IPV6 :protocols );
+use Shorewall::Config qw( :DEFAULT split_list require_capability in_hex8 numeric_value F_IPV4 F_IPV6 :protocols %config );
 use Socket;

 use strict;
@@ -49,6 +49,7 @@ our @EXPORT = ( qw( ALLIPv4
 		  NILIP
 		  ALL

+		  valid_address
 		  validate_address
 		  validate_net
 		  decompose_net
@@ -65,6 +66,7 @@ our @EXPORT = ( qw( ALLIPv4
 		  nilip
 		  rfc1918_networks
 		  resolve_proto
+		  resolve_dnsname
 		  proto_name
 		  validate_port
 		  validate_portpair
@@ -90,6 +92,7 @@ our @nilip;
 our $valid_address;
 our $validate_address;
 our $validate_net;
+our $resolve_dnsname;
 our $validate_range;
 our $validate_host;
 our $family;
@@ -152,6 +155,21 @@ sub validate_4address( $$ ) {
    defined wantarray ? wantarray ? @addrs : $addrs[0] : undef;
 }

+sub resolve_4dnsname( $ ) {
+    my $net = $_[0];
+    my @addrs;
+
+    fatal_error "Unknown Host ($net)" unless  @addrs = gethostbyname( $net );
+
+    shift @addrs for (1..4);
+    for ( @addrs ) {
+	$_ = ( inet_ntoa( $_ ) );
+    }
+
+    @addrs;
+} 
+    
+
 sub decodeaddr( $ ) {
    my $address = $_[0];

@@ -202,7 +220,8 @@ sub validate_4net( $$ ) {
 	fatal_error "Invalid IP address ($net)"       unless valid_4address $net;
    } else {
 	fatal_error "Invalid Network address ($_[0])" if $_[0] =~ '/' || ! defined $net;
-	validate_4address $net, $_[1];
+	my $net1 = validate_4address $net, $allow_name;
+	$net  = $net1 unless $config{DEFER_DNS_RESOLUTION};
 	$vlsm = 32;
    }

@@ -324,6 +343,7 @@ sub resolve_proto( $ ) {
 	$number = numeric_value ( $proto );
 	defined $number && $number <= 255 ? $number : undef;
    } else {
+	fatal_error "A protocol list  ($proto) is not allowed in this context" if $proto =~ /,/; 
 	#
 	# Allow 'icmp' as a synonym for 'ipv6-icmp' in IPv6 compilations
 	#
@@ -610,6 +630,21 @@ sub validate_6address( $$ ) {
    defined wantarray ? wantarray ? @addrs : $addrs[0] : undef;
 }

+sub resolve_6dnsname( $ ) {
+    my $net = $_[0];
+    my @addrs;
+    
+    require Socket6;
+    fatal_error "Unknown Host ($net)" unless (@addrs = Socket6::gethostbyname2( $net, Socket6::AF_INET6()));
+
+    shift @addrs for (1..4);
+    for ( @addrs ) {
+	$_ = Socket6::inet_ntop( Socket6::AF_INET6(), $_ );
+    }
+
+    @addrs;
+} 
+
 sub validate_6net( $$ ) {
    my ($net, $vlsm, $rest) = split( '/', $_[0], 3 );
    my $allow_name = $_[0];
@@ -634,7 +669,8 @@ sub validate_6net( $$ ) {
 	fatal_error "Invalid IPv6 address ($net)"       unless valid_6address $net;
    } else {
 	fatal_error "Invalid Network address ($_[0])" if $_[0] =~ '/';
-	validate_6address $net, $allow_name;
+	my $net1 = validate_6address $net, $allow_name;
+	$net  = $net1 unless $config{DEFER_DNS_RESOLUTION};
 	$vlsm = 128;
    }

@@ -777,6 +813,10 @@ sub validate_net ( $$ ) {
    $validate_net->(@_);
 }

+sub resolve_dnsname( $ ) {
+    $resolve_dnsname->(@_);
+}
+
 sub validate_range ($$ ) {
    $validate_range->(@_);
 }
@@ -808,6 +848,7 @@ sub initialize( $ ) {
 	$validate_net     = \&validate_4net;
 	$validate_range   = \&validate_4range;
 	$validate_host    = \&validate_4host;
+	$resolve_dnsname  = \&resolve_4dnsname;
    } else {
 	$allip            = ALLIPv6;
 	@allip            = @allipv6;
@@ -818,6 +859,7 @@ sub initialize( $ ) {
 	$validate_net     = \&validate_6net;
 	$validate_range   = \&validate_6range;
 	$validate_host    = \&validate_6host;
+	$resolve_dnsname  = \&resolve_6dnsname;
    }
 }

--- a/Shorewall/Perl/Shorewall/Misc.pm
+++ b/Shorewall/Perl/Shorewall/Misc.pm
@@ -3,7 +3,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007,2008,2009,2010,2011,2012 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007,2008,2009,2010,2011,2012,2013 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
@@ -682,8 +682,8 @@ sub process_stoppedrules() {

 	    $result = 1;

-	    my ( $target, $source, $dest, $proto, $ports, $sports ) = 
-		split_line1 'stoppedrules file', { target => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5 }, { COMMENT => 0 };
+	    my ( $target, $source, $dest, $protos, $ports, $sports ) = 
+		split_line1 'stoppedrules file', { target => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5 };

 	    fatal_error( "Invalid TARGET ($target)" ) unless $target =~ /^(?:ACCEPT|NOTRACK)$/;

@@ -730,24 +730,24 @@ sub process_stoppedrules() {
 	    unless ( $restriction == OUTPUT_RESTRICT
 		     && $target eq 'ACCEPT'
 		     && $config{ADMINISABSENTMINDED} ) {
-		expand_rule( $chainref ,
-			     $restriction ,
-			     do_proto( $proto, $ports, $sports ) ,
-			     $source ,
-			     $dest ,
-			     '' ,
-			     $target,
-			     '',
-			     $disposition,
-			     do_proto( $proto, '-', '-' ) );
+		for my $proto ( split_list $protos, 'Protocol' ) {
+		    expand_rule( $chainref ,
+				 $restriction ,
+				 do_proto( $proto, $ports, $sports ) ,
+				 $source ,
+				 $dest ,
+				 '' ,
+				 $target,
+				 '',
+				 $disposition,
+				 do_proto( $proto, '-', '-' ) );
+		}
 	    } else {
 		warning_message "Redundant OUTPUT rule ignored because ADMINISABSENTMINDED=Yes";
 	    }
 	}
    }

-    clear_comment;
-
    $result;
 }

@@ -764,7 +764,7 @@ sub add_common_rules ( $ ) {
    my $chain;
    my $dynamicref;

-    my @state     = $config{BLACKLISTNEWONLY} ? have_capability( 'RAW_TABLE' ) ? state_imatch 'NEW,INVALID,UNTRACKED' : state_imatch 'NEW,INVALID' : ();
+    my @state     = state_imatch( $globals{BLACKLIST_STATES} );
    my $faststate = $config{RELATED_DISPOSITION} eq 'ACCEPT' && $config{RELATED_LOG_LEVEL} eq '' ? 'ESTABLISHED,RELATED' : 'ESTABLISHED';
    my $level     = $config{BLACKLIST_LOGLEVEL};
    my $rejectref = $filter_table->{reject};
@@ -1126,7 +1126,7 @@ sub add_common_rules ( $ ) {

 	    for $interface ( @$list ) {
 		my $chainref = $filter_table->{input_option_chain $interface};
-		my $base     = uc chain_base get_physical $interface;
+		my $base     = uc var_base get_physical $interface;
 		my $optional = interface_is_optional( $interface );
 		my $variable = get_interface_gateway( $interface, ! $optional );

@@ -1216,50 +1216,44 @@ sub setup_mac_lists( $ ) {

 		my ( $original_disposition, $interface, $mac, $addresses  ) = split_line1 'maclist file', { disposition => 0, interface => 1, mac => 2, addresses => 3 };

-		if ( $original_disposition eq 'COMMENT' ) {
-		    process_comment;
-		} else {
-		    my ( $disposition, $level, $remainder) = split( /:/, $original_disposition, 3 );
+		my ( $disposition, $level, $remainder) = split( /:/, $original_disposition, 3 );

-		    fatal_error "Invalid DISPOSITION ($original_disposition)" if defined $remainder || ! $disposition;
+		fatal_error "Invalid DISPOSITION ($original_disposition)" if defined $remainder || ! $disposition;

-		    my $targetref = $maclist_targets{$disposition};
+		my $targetref = $maclist_targets{$disposition};

-		    fatal_error "Invalid DISPOSITION ($original_disposition)"              if ! $targetref || ( ( $table eq 'mangle' ) && ! $targetref->{mangle} );
-		    fatal_error "Unknown Interface ($interface)"                           unless known_interface( $interface );
-		    fatal_error "No hosts on $interface have the maclist option specified" unless $maclist_interfaces{$interface};
+		fatal_error "Invalid DISPOSITION ($original_disposition)"              if ! $targetref || ( ( $table eq 'mangle' ) && ! $targetref->{mangle} );
+		fatal_error "Unknown Interface ($interface)"                           unless known_interface( $interface );
+		fatal_error "No hosts on $interface have the maclist option specified" unless $maclist_interfaces{$interface};

-		    my $chainref = $chain_table{$table}{( $ttl ? macrecent_target $interface : mac_chain $interface )};
+		my $chainref = $chain_table{$table}{( $ttl ? macrecent_target $interface : mac_chain $interface )};

-		    $mac       = '' unless $mac && ( $mac ne '-' );
-		    $addresses = '' unless defined $addresses && ( $addresses ne '-' );
+		$mac       = '' unless $mac && ( $mac ne '-' );
+		$addresses = '' unless defined $addresses && ( $addresses ne '-' );

-		    fatal_error "You must specify a MAC address or an IP address" unless $mac || $addresses;
+		fatal_error "You must specify a MAC address or an IP address" unless $mac || $addresses;

-		    $mac = do_mac $mac if $mac;
+		$mac = do_mac $mac if $mac;

-		    if ( $addresses ) {
-			for my $address ( split ',', $addresses ) {
-			    my $source = match_source_net $address;
-			    log_rule_limit $level, $chainref , mac_chain( $interface) , $disposition, '', '', 'add' , "${mac}${source}"
-				if supplied $level;
-
-			    add_ijump( $chainref , j => 'AUDIT', targetopts => '--type ' . lc $disposition ) if $audit && $disposition ne 'ACCEPT';
-			    add_jump( $chainref , $targetref->{target}, 0, "${mac}${source}" );
-			}
-		    } else {
-			log_rule_limit $level, $chainref , mac_chain( $interface) , $disposition, '', '', 'add' , $mac
+		if ( $addresses ) {
+		    for my $address ( split ',', $addresses ) {
+			my $source = match_source_net $address;
+			log_rule_limit $level, $chainref , mac_chain( $interface) , $disposition, '', '', 'add' , "${mac}${source}"
 			    if supplied $level;

 			add_ijump( $chainref , j => 'AUDIT', targetopts => '--type ' . lc $disposition ) if $audit && $disposition ne 'ACCEPT';
-			add_jump ( $chainref , $targetref->{target}, 0, "$mac" );
+			add_jump( $chainref , $targetref->{target}, 0, "${mac}${source}" );
 		    }
+		} else {
+		    log_rule_limit $level, $chainref , mac_chain( $interface) , $disposition, '', '', 'add' , $mac
+			if supplied $level;

-		    progress_message "      Maclist entry \"$currentline\" $done";
+		    add_ijump( $chainref , j => 'AUDIT', targetopts => '--type ' . lc $disposition ) if $audit && $disposition ne 'ACCEPT';
+		    add_jump ( $chainref , $targetref->{target}, 0, "$mac" );
 		}
-	    }

-	    clear_comment;
+		progress_message "      Maclist entry \"$currentline\" $done";
+	    }
 	}
 	#
 	# Generate jumps from the input and forward chains
@@ -2325,8 +2319,8 @@ sub setup_mss( ) {
 #
 # Compile the stop_firewall() function
 #
-sub compile_stop_firewall( $$ ) {
-    my ( $test, $export ) = @_;
+sub compile_stop_firewall( $$$ ) {
+    my ( $test, $export, $have_arptables ) = @_;

    my $input   = $filter_table->{INPUT};
    my $output  = $filter_table->{OUTPUT};
@@ -2531,6 +2525,8 @@ EOF
    create_stop_load $test;

    if ( $family == F_IPV4 ) {
+	emit( '$ARPTABLES -F',
+	      '' ) if $have_arptables; 
 	if ( $config{IP_FORWARDING} eq 'on' ) {
 	    emit( 'echo 1 > /proc/sys/net/ipv4/ip_forward',
 		  'progress_message2 IPv4 Forwarding Enabled' );
--- a/Shorewall/Perl/Shorewall/Nat.pm
+++ b/Shorewall/Perl/Shorewall/Nat.pm
@@ -3,7 +3,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007,2008,2009,2010,2011 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007,2008,2009,2010,2011,2012,2013 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
@@ -56,17 +56,9 @@ sub initialize() {
 #
 # Process a single rule from the the masq file
 #
-sub process_one_masq( )
+sub process_one_masq1( $$$$$$$$$$ )
 {
-    my ($interfacelist, $networks, $addresses, $proto, $ports, $ipsec, $mark, $user, $condition, $origdest ) =
-	split_line1 'masq file', { interface => 0, source => 1, address => 2, proto => 3, port => 4, ipsec => 5, mark => 6, user => 7, switch => 8, origdest => 9 };
-
-    if ( $interfacelist eq 'COMMENT' ) {
-	process_comment;
-	return 1;
-    }
-
-    fatal_error 'INTERFACE must be specified' if $interfacelist eq '-';
+    my ($interfacelist, $networks, $addresses, $proto, $ports, $ipsec, $mark, $user, $condition, $origdest ) = @_;

    my $pre_nat;
    my $add_snat_aliases = $config{ADD_SNAT_ALIASES};
@@ -277,6 +269,18 @@ sub process_one_masq( )

 }

+sub process_one_masq( )
+{
+    my ($interfacelist, $networks, $addresses, $protos, $ports, $ipsec, $mark, $user, $condition, $origdest ) =
+	split_line1 'masq file', { interface => 0, source => 1, address => 2, proto => 3, port => 4, ipsec => 5, mark => 6, user => 7, switch => 8, origdest => 9 };
+
+    fatal_error 'INTERFACE must be specified' if $interfacelist eq '-';
+
+    for my $proto ( split_list $protos, 'Protocol' ) {
+	process_one_masq1( $interfacelist, $networks, $addresses, $proto, $ports, $ipsec, $mark, $user, $condition, $origdest );
+    }
+}
+
 #
 # Process the masq file
 #
@@ -287,8 +291,6 @@ sub setup_masq()
 	first_entry( sub { progress_message2 "$doing $fn..."; require_capability 'NAT_ENABLED' , 'a non-empty masq file' , 's'; } );

 	process_one_masq while read_a_line( NORMAL_READ );
-
-	clear_comment;
    }
 }

@@ -387,26 +389,20 @@ sub setup_nat() {

 	    my ( $external, $interfacelist, $internal, $allints, $localnat ) = split_line1 'nat file', { external => 0, interface => 1, internal => 2, allints => 3, local => 4 };

-	    if ( $external eq 'COMMENT' ) {
-		process_comment;
-	    } else {
-		( $interfacelist, my $digit ) = split /:/, $interfacelist;
+	    ( $interfacelist, my $digit ) = split /:/, $interfacelist;

-		$digit = defined $digit ? ":$digit" : '';
+	    $digit = defined $digit ? ":$digit" : '';

-		fatal_error 'EXTERNAL must be specified' if $external eq '-';
-		fatal_error 'INTERNAL must be specified' if $interfacelist eq '-';
+	    fatal_error 'EXTERNAL must be specified' if $external eq '-';
+	    fatal_error 'INTERNAL must be specified' if $interfacelist eq '-';

-		for my $interface ( split_list $interfacelist , 'interface' ) {
-		    fatal_error "Invalid Interface List ($interfacelist)" unless supplied $interface;
-		    do_one_nat $external, "${interface}${digit}", $internal, $allints, $localnat;
-		}
-
-		progress_message "   NAT entry \"$currentline\" $done";
+	    for my $interface ( split_list $interfacelist , 'interface' ) {
+		fatal_error "Invalid Interface List ($interfacelist)" unless supplied $interface;
+		do_one_nat $external, "${interface}${digit}", $internal, $allints, $localnat;
 	    }
-	}

-	clear_comment;
+	    progress_message "   NAT entry \"$currentline\" $done";
+	}
    }
 }

@@ -518,8 +514,6 @@ sub setup_netmap() {
 		progress_message "   Network $net1 on $iface mapped to $net2 ($type)";
 	    }
 	}
-
-	clear_comment;
    }

 }
@@ -730,8 +724,6 @@ sub handle_nonat_rule( $$$$$$$$$$ ) {
 	}
    }

-    set_optflags( $nonat_chain, DONT_MOVE | DONT_OPTIMIZE ) if $tgt eq 'RETURN';
-
    expand_rule( $nonat_chain ,
 		 PREROUTE_RESTRICT ,
 		 $rule ,
--- a/Shorewall/Perl/Shorewall/Providers.pm
+++ b/Shorewall/Perl/Shorewall/Providers.pm
@@ -658,7 +658,7 @@ sub add_a_provider( $$ ) {
    my $what        = $providerref->{what};
    my $label       = $pseudo ? 'Optional Interface' : 'Provider';

-    my $dev         = chain_base $physical;
+    my $dev         = var_base $physical;
    my $base        = uc $dev;
    my $realm = '';

@@ -1089,7 +1089,7 @@ sub add_a_route( ) {
    }

    fatal_error 'DEST must be specified' if $dest eq '-';
-    $dest = validate_net ( $dest, 1 );
+    $dest = validate_net ( $dest, 0 );

    validate_address ( $gateway, 1 ) if $gateway ne '-';

@@ -1282,7 +1282,7 @@ sub process_providers( $ ) {
    for ( grep interface_is_optional( $_ ) && ! $provider_interfaces{ $_ }, all_real_interfaces ) {
 	#
 	#               TABLE             NUMBER MARK DUPLICATE INTERFACE GATEWAY OPTIONS COPY
-	$currentline =  chain_base($_) ." 0      -    -         $_        -       -       -";
+	$currentline =  var_base($_) ." 0      -    -         $_        -       -       -";
 	#
 	$pseudoproviders += process_a_provider(1);
    }
@@ -1732,7 +1732,7 @@ sub handle_optional_interfaces( $ ) {
 	#
 	# Clear the '_IS_USABLE' variables
 	#
-	emit( join( '_', 'SW', uc chain_base( get_physical( $_ ) ) , 'IS_USABLE=' ) ) for @$interfaces;
+	emit( join( '_', 'SW', uc var_base( get_physical( $_ ) ) , 'IS_USABLE=' ) ) for @$interfaces;

 	if ( $wildcards ) {
 	    #
@@ -1752,7 +1752,7 @@ sub handle_optional_interfaces( $ ) {
 	for my $interface ( grep $provider_interfaces{$_}, @$interfaces ) {
 	    my $provider    = $provider_interfaces{$interface};
 	    my $physical    = get_physical $interface;
-	    my $base        = uc chain_base( $physical );
+	    my $base        = uc var_base( $physical );
 	    my $providerref = $providers{$provider};

 	    emit( "$physical)" ), push_indent if $wildcards;
@@ -1773,7 +1773,7 @@ sub handle_optional_interfaces( $ ) {

 	for my $interface ( grep ! $provider_interfaces{$_}, @$interfaces ) {
 	    my $physical    = get_physical $interface;
-	    my $base        = uc chain_base( $physical );
+	    my $base        = uc var_base( $physical );
 	    my $case        = $physical;
 	    my $wild        = $case =~ s/\+$/*/;

@@ -1861,7 +1861,7 @@ sub handle_stickiness( $ ) {

 	for my $providerref ( @routemarked_providers ) {
 	    my $interface = $providerref->{physical};
-	    my $base      = uc chain_base $interface;
+	    my $base      = uc var_base $interface;
 	    my $mark      = $providerref->{mark};

 	    for ( grep rule_target($_) eq 'sticky', @{$tcpreref->{rules}} ) {
--- a/Shorewall/Perl/Shorewall/Raw.pm
+++ b/Shorewall/Perl/Shorewall/Raw.pm
@@ -3,7 +3,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2009,2010,2011 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2009,2010,2011,2012,2013 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
@@ -227,70 +227,55 @@ sub setup_conntrack() {

 	if ( $fn ) {

-	    my $action = 'NOTRACK';
+	    my $action;

 	    my $empty = 1;

 	    first_entry( "$doing $fn..." );

 	    while ( read_a_line( NORMAL_READ ) ) {
-		my ( $source, $dest, $proto, $ports, $sports, $user, $switch );
+		my ( $source, $dest, $protos, $ports, $sports, $user, $switch );

 		if ( $file_format == 1 ) {
-		    ( $source, $dest, $proto, $ports, $sports, $user, $switch ) = split_line1 'Conntrack File', { source => 0, dest => 1, proto => 2, dport => 3, sport => 4, user => 5, switch => 6 };
-
-		    if ( $source eq 'FORMAT' ) {
-			process_format( $dest );
-			next;
-		    }
+		    ( $source, $dest, $protos, $ports, $sports, $user, $switch ) = split_line1 'Conntrack File', { source => 0, dest => 1, proto => 2, dport => 3, sport => 4, user => 5, switch => 6 };
+		    $action = 'NOTRACK';
 		} else {
-		    ( $action, $source, $dest, $proto, $ports, $sports, $user, $switch ) = split_line1 'Conntrack File', { action => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5, user => 6, switch => 7 }, { COMMENT => 0, FORMAT => 2 };
-
-		    if ( $action eq 'FORMAT' ) {
-			process_format( $source );
-			$action = 'NOTRACK';
-			next;
-		    }
-		}
-
-		if ( $action eq 'COMMENT' ) {
-		    process_comment;
-		    next;
+		    ( $action, $source, $dest, $protos, $ports, $sports, $user, $switch ) = split_line1 'Conntrack File', { action => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5, user => 6, switch => 7 };
 		}

 		$empty = 0;

-		if ( $file_format < 3 ) {
-		    if ( $source =~ /^all(-)?(:(.+))?$/ ) {
-			fatal_error 'USER/GROUP is not allowed unless the SOURCE zone is $FW or a Vserver zone' if $user ne '-';
-			for my $zone ( $1 ? off_firewall_zones : all_zones ) {
-			    process_conntrack_rule( undef ,
-						    undef,
-						    $action,
-						    $zone . ( $2 || ''),
-						    $dest,
-						    $proto,
-						    $ports,
-						    $sports,
-						    $user ,
-						    $switch );
+		for my $proto ( split_list $protos, 'Protocol' ) {
+		    if ( $file_format < 3 ) {
+			if ( $source =~ /^all(-)?(:(.+))?$/ ) {
+			    fatal_error 'USER/GROUP is not allowed unless the SOURCE zone is $FW or a Vserver zone' if $user ne '-';
+			    for my $zone ( $1 ? off_firewall_zones : all_zones ) {
+				process_conntrack_rule( undef ,
+							undef,
+							$action,
+							$zone . ( $2 || ''),
+							$dest,
+							$proto,
+							$ports,
+							$sports,
+							$user ,
+							$switch );
+			    }
+			} else {
+			    process_conntrack_rule( undef, undef, $action, $source, $dest, $proto, $ports, $sports, $user, $switch );
 			}
+		    } elsif ( $action =~ s/:O$// ) {
+			process_conntrack_rule( $raw_table->{OUTPUT}, undef, $action, $source, $dest, $proto, $ports, $sports, $user, $switch );
+		    } elsif ( $action =~ s/:OP// || $action =~ s/:PO// ) {
+			process_conntrack_rule( $raw_table->{PREROUTING}, undef, $action, $source, $dest, $proto, $ports, $sports, $user, $switch );
+			process_conntrack_rule( $raw_table->{OUTPUT},     undef, $action, $source, $dest, $proto, $ports, $sports, $user, $switch );
 		    } else {
-			process_conntrack_rule( undef, undef, $action, $source, $dest, $proto, $ports, $sports, $user, $switch );
+			$action =~ s/:P//;
+			process_conntrack_rule( $raw_table->{PREROUTING}, undef, $action, $source, $dest, $proto, $ports, $sports, $user, $switch );
 		    }
-		} elsif ( $action =~ s/:O$// ) {
-		    process_conntrack_rule( $raw_table->{OUTPUT}, undef, $action, $source, $dest, $proto, $ports, $sports, $user, $switch );
-		} elsif ( $action =~ s/:OP// || $action =~ s/:PO// ) {
-		    process_conntrack_rule( $raw_table->{PREROUTING}, undef, $action, $source, $dest, $proto, $ports, $sports, $user, $switch );
-		    process_conntrack_rule( $raw_table->{OUTPUT},     undef, $action, $source, $dest, $proto, $ports, $sports, $user, $switch );
-		} else {
-		    $action =~ s/:P//;
-		    process_conntrack_rule( $raw_table->{PREROUTING}, undef, $action, $source, $dest, $proto, $ports, $sports, $user, $switch );
-		}		    
+		}
 	    }

-	    clear_comment;
-
 	    if ( $name eq 'notrack') {
 		if ( $empty ) {
 		    if ( unlink( $fn ) ) {
--- a/Shorewall/Perl/Shorewall/Rules.pm
+++ b/Shorewall/Perl/Shorewall/Rules.pm
--- a/Shorewall/Perl/Shorewall/Tc.pm
+++ b/Shorewall/Perl/Shorewall/Tc.pm
@@ -3,7 +3,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007,2008,2009,2010,2011 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007,2008,2009,2010,2011,2012,2013 - Tom Eastep (teastep@shorewall.net)
 #
 #     Traffic Control is from tc4shorewall Version 0.5
 #     (c) 2005 Arne Bernin <arne@ucbering.de>
@@ -204,36 +204,13 @@ sub initialize( $ ) {
    $divertref = 0;
 }

-sub process_tc_rule( ) {
-    my ( $originalmark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability , $dscp , $state );
-    if ( $family == F_IPV4 ) {
-	( $originalmark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $probability, $dscp, $state ) =
-	    split_line1 'tcrules file', { mark => 0, action => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5, user => 6, test => 7, length => 8, tos => 9, connbytes => 10, helper => 11, probability => 12 , dscp => 13, state => 14 }, { COMMENT => 0, FORMAT => 2 } , 15;
-	$headers = '-';
-    } else {
-	( $originalmark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability, $dscp, $state ) =
-	    split_line1 'tcrules file', { mark => 0, action => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5, user => 6, test => 7, length => 8, tos => 9, connbytes => 10, helper => 11, headers => 12, probability => 13 , dscp => 14 , state => 15 },  { COMMENT => 0, FORMAT => 2 }, 16;
-    }
+sub process_tc_rule1( $$$$$$$$$$$$$$$$ ) {
+    my ( $originalmark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability , $dscp , $state ) = @_;

    our %tccmd;

    fatal_error 'MARK must be specified' if $originalmark eq '-';

-    if ( $originalmark eq 'COMMENT' ) {
-	process_comment;
-	return;
-    }
-
-    if ( $originalmark eq 'FORMAT' ) {
-	format_warning;
-	if ( $source =~ /^([12])$/ ) {
-	    $file_format = $1;
-	    return;
-	}
-
-	fatal_error "Invalid FORMAT ($source)";
-    }
-
    my ( $mark, $designator, $remainder ) = split( /:/, $originalmark, 3 );

    fatal_error "Invalid MARK ($originalmark)" unless supplied $mark;
@@ -708,6 +685,22 @@ sub process_tc_rule( ) {

 }

+sub process_tc_rule( ) {
+    my ( $originalmark, $source, $dest, $protos, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability , $dscp , $state );
+    if ( $family == F_IPV4 ) {
+	( $originalmark, $source, $dest, $protos, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $probability, $dscp, $state ) =
+	    split_line1 'tcrules file', { mark => 0, action => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5, user => 6, test => 7, length => 8, tos => 9, connbytes => 10, helper => 11, probability => 12 , dscp => 13, state => 14 }, {}, 15;
+	$headers = '-';
+    } else {
+	( $originalmark, $source, $dest, $protos, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability, $dscp, $state ) =
+	    split_line1 'tcrules file', { mark => 0, action => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5, user => 6, test => 7, length => 8, tos => 9, connbytes => 10, helper => 11, headers => 12, probability => 13 , dscp => 14 , state => 15 }, {}, 16;
+    }
+
+    for my $proto (split_list( $protos, 'Protocol' ) ) {
+	process_tc_rule1( $originalmark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability , $dscp , $state );
+    }
+}
+
 sub rate_to_kbit( $ ) {
    my $rate = $_[0];

@@ -838,7 +831,7 @@ sub process_simple_device() {
    fatal_error "Unknown interface( $device )" unless known_interface $device;

    my $physical = physical_name $device;
-    my $dev      = chain_base( $physical );
+    my $dev      = var_base( $physical );

    push @tcdevices, $device;

@@ -1144,6 +1137,17 @@ my %validredoptions = ( min         => RED_INTEGER,
 			ecn         => RED_NONE,
 		      );

+use constant { CODEL_INTEGER => 1, CODEL_INTERVAL => 2, CODEL_NONE => 3 };
+
+my %validcodeloptions = ( flows       => CODEL_INTEGER,
+			  target      => CODEL_INTERVAL,
+			  interval    => CODEL_INTERVAL,
+			  limit       => CODEL_INTEGER,
+			  ecn         => CODEL_NONE,
+			  noecn       => CODEL_NONE,
+			  quantum     => CODEL_INTEGER
+			);
+
 sub validate_filter_priority( $$ ) {
    my ( $priority, $kind ) = @_;

@@ -1318,6 +1322,7 @@ sub validate_tc_class( ) {
    fatal_error "RATE ($rate) exceeds CEIL ($ceil)" if $rate && $ceil && $rate > $ceil;

    my ( $red, %redopts ) = ( 0, ( avpkt => 1000 ) );
+    my ( $codel, %codelopts ) = ( 0, ( ) );

    unless ( $options eq '-' ) {
 	for my $option ( split_list1 "\L$options", 'option' ) {
@@ -1367,8 +1372,9 @@ sub validate_tc_class( ) {
 		fatal_error "The 'flow' option is not allowed with 'red'"   if $tcref->{red};
 		$tcref->{flow} = process_flow $1;
 	    } elsif ( $option eq 'pfifo' ) {
-		fatal_error "The 'pfifo' option is not allowed with 'flow='" if $tcref->{flow};
-		fatal_error "The 'pfifo' option is not allowed with 'red='"  if $tcref->{red};
+		fatal_error "The 'pfifo' option is not allowed with 'flow='"      if $tcref->{flow};
+		fatal_error "The 'pfifo' option is not allowed with 'red='"       if $tcref->{red};
+		fatal_error "The 'pfifo' option is not allowed with 'fq_codel='"  if $tcref->{fq_codel};
 		$tcref->{pfifo} = 1;
 	    } elsif ( $option =~ /^occurs=(\d+)$/ ) {
 		my $val = $1;
@@ -1390,8 +1396,9 @@ sub validate_tc_class( ) {
 		fatal_error "Invalid limit ($1)" if $1 < 3 || $1 > 128;
 		$tcref->{limit} = $1;
 	    } elsif ( $option =~ s/^red=// ) {
-		fatal_error "The 'red=' option is not allowed with 'flow='" if $tcref->{flow};
-		fatal_error "The 'red=' option is not allowed with 'pfifo'" if $tcref->{pfifo};
+		fatal_error "The 'red=' option is not allowed with 'flow='"       if $tcref->{flow};
+		fatal_error "The 'red=' option is not allowed with 'pfifo'"       if $tcref->{pfifo};
+		fatal_error "The 'pfifo' option is not allowed with 'fq_codel='"  if $tcref->{fq_codel};
 		$tcref->{red} = 1;
 		my $opttype;

@@ -1440,6 +1447,61 @@ sub validate_tc_class( ) {
 		fatal_error "The 'limit' red option must be at least 2 * 'max'" unless $redopts{limit} >= 2 * $redopts{min};
 		$redopts{ecn} = 1 if exists $redopts{ecn};
 		$tcref->{redopts} = \%redopts;
+	    } elsif ( $option =~ /^fq_codel(?:=.+)?$/ ) {
+		fatal_error "The 'fq_codel' option is not allowed with 'red='"       if $tcref->{red};
+		fatal_error "The 'fq_codel' option is not allowed with 'pfifo'"      if $tcref->{pfifo};
+		$tcref->{fq_codel} = 1;
+		my $opttype;
+
+		$option =~ s/fq_codel=?//;
+
+		for my $codelopt ( split_list( $option , q('fq_codel' option list) ) ) {
+		    #
+		    #              $1  ------      $2 --------------
+		    #                 |      |        |    $3 ---- | 
+		    #                 |      |        |       |  | |
+		    if ( $codelopt =~ /^([a-z]+) (?:= ((?:\d+)(ms)?))?$/x )
+			    {
+			fatal_error "Invalid CODEL option ($1)" unless $opttype = $validcodeloptions{$1};
+			if ( $2 ) {
+			    #
+			    # '=<value>' supplied
+			    #
+			    fatal_error "The $1 option does not take a value" if $opttype == CODEL_NONE;
+			    if ( $3 ) {
+				#
+				# Rate
+				#
+				fatal_error "The $1 option requires an integer value"  if $opttype == CODEL_INTEGER;
+			    } else {
+				#
+				# Interval value
+				#
+				fatal_error "The $1 option requires an interval value" if $opttype == CODEL_INTERVAL;
+			    }
+			} else {
+			    #
+			    # No value supplied
+			    #
+			    fatal_error "The $1 option requires a value" unless $opttype == CODEL_NONE;
+			}
+
+			$codelopts{$1} = $2;
+		    } else {
+			fatal_error "Invalid fq_codel option specification ($codelopt)";
+		    }
+		}
+
+		if ( exists $codelopts{ecn} ) {
+		    fatal_error "The 'ecn' and 'noecn' fq_codel options are mutually exclusive" if exists $codelopts{noecn};
+		    $codelopts{ecn} = 1;
+		} elsif ( exists $codelopts{noecn} ) {
+		    $codelopts{noecn} = 1;
+		} else {
+		    $codelopts{ecn} = 1;
+		}
+		    
+		$tcref->{codelopts} = \%codelopts;
 	    } else {
 		fatal_error "Unknown option ($option)";
 	    }
@@ -1458,19 +1520,21 @@ sub validate_tc_class( ) {
    while ( --$occurs ) {
 	fatal_error "Duplicate class number ($classnumber)" if $tcclasses{$device}{++$classnumber};

-	$tcclasses{$device}{$classnumber} =  { tos      => [] ,
-					       rate     => $tcref->{rate} ,
-					       ceiling  => $tcref->{ceiling} ,
-					       priority => $tcref->{priority} ,
-					       mark     => 0 ,
-					       markprio => $markprio ,
-					       flow     => $tcref->{flow} ,
-					       pfifo    => $tcref->{pfifo},
-					       occurs   => 0,
-					       parent   => $parentclass,
-					       limit    => $tcref->{limit},
-					       red      => $tcref->{red},
-					       redopts  => $tcref->{redopts},
+	$tcclasses{$device}{$classnumber} =  { tos       => [] ,
+					       rate      => $tcref->{rate} ,
+					       ceiling   => $tcref->{ceiling} ,
+					       priority  => $tcref->{priority} ,
+					       mark      => 0 ,
+					       markprio  => $markprio ,
+					       flow      => $tcref->{flow} ,
+					       pfifo     => $tcref->{pfifo},
+					       occurs    => 0,
+					       parent    => $parentclass,
+					       limit     => $tcref->{limit},
+					       red       => $tcref->{red},
+					       redopts   => $tcref->{redopts},
+					       fq_codel  => $tcref->{fq_codel},
+					       codelopts => $tcref->{codelopts},
 					     };
 	push @tcclasses, "$device:$classnumber";
    };
@@ -1483,11 +1547,9 @@ my %validlengths = ( 32 => '0xffe0', 64 => '0xffc0', 128 => '0xff80', 256 => '0x
 #
 # Process a record from the tcfilters file
 #
-sub process_tc_filter() {
+sub process_tc_filter1( $$$$$$$$$ ) {

-    my ( $devclass, $source, $dest , $proto, $portlist , $sportlist, $tos, $length, $priority ) = split_line 'tcfilters file', { class => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5, tos => 6, length => 7 , priority => 8 };
-
-    fatal_error 'CLASS must be specified' if $devclass eq '-';
+    my ( $devclass, $source, $dest , $proto, $portlist , $sportlist, $tos, $length, $priority ) = @_;

    my ($device, $class, $rest ) = split /:/, $devclass, 3;

@@ -1758,6 +1820,18 @@ sub process_tc_filter() {

 }

+sub process_tc_filter() {
+
+    my ( $devclass, $source, $dest , $protos, $portlist , $sportlist, $tos, $length, $priority )
+	= split_line 'tcfilters file', { class => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5, tos => 6, length => 7 , priority => 8 };
+
+    fatal_error 'CLASS must be specified' if $devclass eq '-';
+
+    for my $proto ( split_list $protos, 'Protocol' ) {
+	process_tc_filter1( $devclass, $source, $dest , $proto, $portlist , $sportlist, $tos, $length, $priority );
+    }
+}
+
 #
 # Process the tcfilter file storing the compiled filters in the %tcdevices table
 #
@@ -1798,21 +1872,8 @@ sub process_tcfilters() {
 #
 # Process a tcpri record
 #
-sub process_tc_priority() {
-    my ( $band, $proto, $ports , $address, $interface, $helper ) = split_line1 'tcpri', { band => 0, proto => 1, port => 2, address => 3, interface => 4, helper => 5 };
-
-    fatal_error 'BAND must be specified' if $band eq '-';
-
-    if ( $band eq 'COMMENT' ) {
-	process_comment;
-	return;
-    }
-
-    fatal_error "Invalid tcpri entry" if ( $proto     eq '-' &&
-					   $ports     eq '-' &&
-					   $address   eq '-' &&
-					   $interface eq '-' &&
-					   $helper    eq '-' );
+sub process_tc_priority1( $$$$$$ ) {
+    my ( $band, $proto, $ports , $address, $interface, $helper ) = @_;

    my $val = numeric_value $band;

@@ -1860,6 +1921,26 @@ sub process_tc_priority() {
    }
 }

+sub process_tc_priority() {
+    my ( $band, $protos, $ports , $address, $interface, $helper ) = split_line1 'tcpri', { band => 0, proto => 1, port => 2, address => 3, interface => 4, helper => 5 };
+
+    fatal_error 'BAND must be specified' if $band eq '-';
+
+    fatal_error "Invalid tcpri entry" if ( $protos    eq '-' &&
+					   $ports     eq '-' &&
+					   $address   eq '-' &&
+					   $interface eq '-' &&
+					   $helper    eq '-' );
+
+    my $val = numeric_value $band;
+
+    fatal_error "Invalid PRIORITY ($band)" unless $val && $val <= 3;
+
+    for my $proto ( split_list $protos, 'Protocol' ) {
+	process_tc_priority1( $band, $proto, $ports , $address, $interface, $helper );
+    }
+}
+
 #
 # Process tcinterfaces
 #
@@ -1889,8 +1970,6 @@ sub process_tcpri() {

 	process_tc_priority while read_a_line( NORMAL_READ );

-	clear_comment;
-
 	if ( $ipp2p ) {
 	    insert_irule( $mangle_table->{tcpost} ,
 			  j => 'CONNMARK --restore-mark --ctmask ' . in_hex( $globals{TC_MASK} ) ,
@@ -1954,7 +2033,7 @@ sub process_traffic_shaping() {

 	unless ( $config{TC_ENABLED} eq 'Shared' ) {

-	    my $dev = chain_base( $device );
+	    my $dev = var_base( $device );

 	    emit( '',
 		  '#',
@@ -2085,8 +2164,25 @@ sub process_traffic_shaping() {
 			}

 			emit( "run_tc qdisc add dev $device parent $classid handle $sfqinhex: red${options}" );
+		    } elsif ( $tcref->{fq_codel} ) {
+			1 while $devnums[++$sfq];
+			$sfqinhex = in_hexp( $sfq);

-		    } elsif ( $tcref->{leaf} && ! $tcref->{pfifo} ) {
+			my ( $options, $codelopts ) = ( '', $tcref->{codelopts} );
+
+			while ( my ( $option, $type ) = each %validcodeloptions ) {
+			    if ( my $value = $codelopts->{$option} ) {
+				if ( $type == CODEL_NONE ) {
+				    $options = join( ' ', $options, $option );
+				} else {
+				    $options = join( ' ', $options, $option, $value );
+				}
+			    }
+			}
+
+			emit( "run_tc qdisc add dev $device parent $classid handle $sfqinhex: fq_codel${options}" );
+			
+		    } elsif ( ! $tcref->{pfifo} ) {
 			1 while $devnums[++$sfq];

 			$sfqinhex = in_hexp( $sfq);
@@ -2192,7 +2288,7 @@ sub setup_traffic_shaping() {

    for my $device ( @tcdevices ) {
 	my $interfaceref = known_interface( $device );
-	my $dev          = chain_base( $interfaceref ? $interfaceref->{physical} : $device );
+	my $dev          = var_base( $interfaceref ? $interfaceref->{physical} : $device );

 	emit "setup_${dev}_tc";
    }
@@ -2201,16 +2297,8 @@ sub setup_traffic_shaping() {
 #
 # Process a record in the secmarks file
 #
-sub process_secmark_rule() {
-    my ( $secmark, $chainin, $source, $dest, $proto, $dport, $sport, $user, $mark ) =
-	split_line1( 'Secmarks file' , { secmark => 0, chain => 1, source => 2, dest => 3, proto => 4, dport => 5, sport => 6, user => 7, mark => 8 } );
-
-    fatal_error 'SECMARK must be specified' if $secmark eq '-';
-
-    if ( $secmark eq 'COMMENT' ) {
-	process_comment;
-	return;
-    }
+sub process_secmark_rule1( $$$$$$$$$ ) {
+    my ( $secmark, $chainin, $source, $dest, $proto, $dport, $sport, $user, $mark ) = @_;

    my %chns = ( T => 'tcpost'  ,
 		 P => 'tcpre'   ,
@@ -2270,6 +2358,20 @@ sub process_secmark_rule() {

 }

+#
+# Process a record in the secmarks file
+#
+sub process_secmark_rule() {
+    my ( $secmark, $chainin, $source, $dest, $protos, $dport, $sport, $user, $mark ) =
+	split_line1( 'Secmarks file' , { secmark => 0, chain => 1, source => 2, dest => 3, proto => 4, dport => 5, sport => 6, user => 7, mark => 8 } );
+
+    fatal_error 'SECMARK must be specified' if $secmark eq '-';
+
+    for my $proto ( split_list( $protos, 'Protocol' ) ) {
+	process_secmark_rule1( $secmark, $chainin, $source, $dest, $proto, $dport, $sport, $user, $mark );
+    }
+}
+
 #
 # Process the tcrules file and setup traffic shaping
 #
@@ -2419,8 +2521,6 @@ sub setup_tc() {

 	    process_tc_rule while read_a_line( NORMAL_READ );

-	    clear_comment;
-
 	}

 	if ( my $fn = open_file( 'secmarks', 1, 1 ) ) {
@@ -2429,7 +2529,6 @@ sub setup_tc() {

 	    process_secmark_rule while read_a_line( NORMAL_READ );

-	    clear_comment;
 	}

 	handle_stickiness( $sticky );
--- a/Shorewall/Perl/Shorewall/Tunnels.pm
+++ b/Shorewall/Perl/Shorewall/Tunnels.pm
@@ -291,19 +291,13 @@ sub setup_tunnels() {

 	while ( read_a_line( NORMAL_READ ) ) {

-	    my ( $kind, $zone, $gateway, $gatewayzones ) = split_line1 'tunnels file', { type => 0, zone => 1, gateway => 2, gateways => 2, gateway_zone => 3 , gateway_zones => 3 }, undef, 4;
+	    my ( $kind, $zone, $gateway, $gatewayzones ) = split_line1 'tunnels file', { type => 0, zone => 1, gateway => 2, gateways => 2, gateway_zone => 3 , gateway_zones => 3 }, {}, 4;

 	    fatal_error 'TYPE must be specified' if $kind eq '-';

-	    if ( $kind eq 'COMMENT' ) {
-		process_comment;
-	    } else {
-		fatal_error 'ZONE must be specified' if $zone eq '-';
-		setup_one_tunnel $kind, $zone, $gateway, $gatewayzones;
-	    }
+	    fatal_error 'ZONE must be specified' if $zone eq '-';
+	    setup_one_tunnel $kind, $zone, $gateway, $gatewayzones;
 	}
-
-	clear_comment;
    }
 }

--- a/Shorewall/Perl/Shorewall/Zones.pm
+++ b/Shorewall/Perl/Shorewall/Zones.pm
@@ -62,7 +62,7 @@ our @EXPORT = ( qw( NOTHING
 		    off_firewall_zones
 		    non_firewall_zones
 		    single_interface
-		    chain_base
+		    var_base
 		    validate_interfaces_file
 		    all_interfaces
 		    all_real_interfaces
@@ -173,7 +173,7 @@ our %reservedName = ( all => 1,
 #                                     zone        => <zone name>
 #                                     multizone   => undef|1   #More than one zone interfaces through this interface
 #                                     nets        => <number of nets in interface/hosts records referring to this interface>
-#                                     bridge      => <bridge name>
+#                                     bridge      => <bridge name> # Same as ->{name} if not a bridge port.
 #                                     ports       => <number of port on this bridge>
 #                                     ipsec       => undef|1 # Has an ipsec host group
 #                                     broadcasts  => 'none', 'detect' or [ <addr1>, <addr2>, ... ]
@@ -897,9 +897,9 @@ sub is_a_bridge( $ ) {
 #
 # Transform the passed interface name into a legal shell variable name.
 #
-sub chain_base($) {
-    my $chain = $_[0];
-    my $name  = $basemap{$chain};
+sub var_base($) {
+    my $var = $_[0];
+    my $name  = $basemap{$var};
    #
    # Return existing mapping, if any
    #
@@ -907,31 +907,31 @@ sub chain_base($) {
    #
    # Remember initial value
    #
-    my $key = $chain;
+    my $key = $var;
    #
    # Handle VLANs and wildcards
    #
-    $chain =~ s/\+$//;
-    $chain =~ tr/./_/;
+    $var =~ s/\+$/_plus/;
+    $var =~ tr/./_/;

-    if ( $chain eq '' || $chain =~ /^[0-9]/ || $chain =~ /[^\w]/ ) {
+    if ( $var eq '' || $var =~ /^[0-9]/ || $var =~ /[^\w]/ ) {
 	#
 	# Must map. Remove all illegal characters
 	#
-	$chain =~ s/[^\w]//g;
+	$var =~ s/[^\w]//g;
 	#
 	# Prefix with if_ if it begins with a digit
 	#
-	$chain = join( '' , 'if_', $chain ) if $chain =~ /^[0-9]/;
+	$var = join( '' , 'if_', $var ) if $var =~ /^[0-9]/;
 	#
 	# Create a new unique name
 	#
-	1 while $mapbase{$name = join ( '_', $chain, ++$baseseq )};
+	1 while $mapbase{$name = join ( '_', $var, ++$baseseq )};
    } else {
 	#
 	# We'll store the identity mapping if it is unique
 	#
-	$chain = join( '_', $key , ++$baseseq ) while $mapbase{$name = $chain};
+	$var = join( '_', $key , ++$baseseq ) while $mapbase{$name = $var};
    }
    #
    # Store the reverse mapping
@@ -946,9 +946,9 @@ sub chain_base($) {
 #
 # This is a slightly relaxed version of the above that allows '-' in the generated name.
 #
-sub chain_base1($) {
-    my $chain = $_[0];
-    my $name  = $basemap1{$chain};
+sub var_base1($) {
+    my $var = $_[0];
+    my $name  = $basemap1{$var};
    #
    # Return existing mapping, if any
    #
@@ -956,31 +956,31 @@ sub chain_base1($) {
    #
    # Remember initial value
    #
-    my $key = $chain;
+    my $key = $var;
    #
    # Handle VLANs and wildcards
    #
-    $chain =~ s/\+$//;
-    $chain =~ tr/./_/;
+    $var =~ s/\+$//;
+    $var =~ tr/./_/;

-    if ( $chain eq '' || $chain =~ /^[0-9]/ || $chain =~ /[^-\w]/ ) {
+    if ( $var eq '' || $var =~ /^[0-9]/ || $var =~ /[^-\w]/ ) {
 	#
 	# Must map. Remove all illegal characters
 	#
-	$chain =~ s/[^\w]//g;
+	$var =~ s/[^\w]//g;
 	#
 	# Prefix with if_ if it begins with a digit
 	#
-	$chain = join( '' , 'if_', $chain ) if $chain =~ /^[0-9]/;
+	$var = join( '' , 'if_', $var ) if $var =~ /^[0-9]/;
 	#
 	# Create a new unique name
 	#
-	1 while $mapbase1{$name = join ( '_', $chain, ++$baseseq )};
+	1 while $mapbase1{$name = join ( '_', $var, ++$baseseq )};
    } else {
 	#
 	# We'll store the identity mapping if it is unique
 	#
-	$chain = join( '_', $key , ++$baseseq ) while $mapbase1{$name = $chain};
+	$var = join( '_', $key , ++$baseseq ) while $mapbase1{$name = $var};
    }
    #
    # Store the reverse mapping
@@ -1004,22 +1004,12 @@ sub process_interface( $$ ) {
    my $bridge = '';

    if ( $file_format == 1 ) {
-	($zone, $originalinterface, $bcasts, $options ) = split_line1 'interfaces file', { zone => 0, interface => 1, broadcast => 2, options => 3 }, { COMMENT => 0, FORMAT => 2 };
+	($zone, $originalinterface, $bcasts, $options ) = split_line1 'interfaces file', { zone => 0, interface => 1, broadcast => 2, options => 3 };
    } else {
-	($zone, $originalinterface, $options ) = split_line1 'interfaces file', { zone => 0, interface => 1, options => 2 }, { COMMENT => 0, FORMAT => 2 };
+	($zone, $originalinterface, $options ) = split_line1 'interfaces file', { zone => 0, interface => 1, options => 2 };
 	$bcasts = '-';
    }

-    if ( $zone eq 'FORMAT' ) {
-	format_warning;
-	if ( $originalinterface =~ /^([12])$/ ) {
-	    $file_format = $1;
-	    return;
-	}
-
-	fatal_error "Invalid FORMAT ($originalinterface)";
-    }
-
    if ( $zone eq '-' ) {
 	$zone = '';
    } else {
@@ -1210,7 +1200,7 @@ sub process_interface( $$ ) {
 		    $hostoptions{broadcast} = 1;
 		} elsif ( $option eq 'sfilter' ) {
 		    $filterref = [ split_list $value, 'address' ];
-		    $_ = validate_net( $_, 1) for @{$filterref}
+		    validate_net( $_, 0) for @{$filterref}
 		} else {
 		    assert(0);
 		}
@@ -1252,7 +1242,7 @@ sub process_interface( $$ ) {

 	if ( $netsref eq 'dynamic' ) {
 	    my $ipset = $family == F_IPV4 ? "${zone}" : "6_${zone}";
-	    $ipset = join( '_', $ipset, chain_base1( $physical ) ) unless $zoneref->{options}{in_out}{dynamic_shared};	    
+	    $ipset = join( '_', $ipset, var_base1( $physical ) ) unless $zoneref->{options}{in_out}{dynamic_shared};	    
 	    $netsref = [ "+$ipset" ];
 	    $ipsets{$ipset} = 1;
 	}
@@ -1287,7 +1277,7 @@ sub process_interface( $$ ) {
 						       options    => \%options ,
 						       zone       => '',
 						       physical   => $physical ,
-						       base       => chain_base( $physical ),
+						       base       => var_base( $physical ),
 						       zones      => {},
 						     };

@@ -1411,7 +1401,7 @@ sub known_interface($)
 						   name     => $i ,
 						   number   => $interfaceref->{number} ,
 						   physical => $physical ,
-						   base     => chain_base( $physical ) ,
+						   base     => var_base( $physical ) ,
 						 };
 	    }
 	}
@@ -1758,7 +1748,7 @@ sub verify_required_interfaces( $ ) {
 	    my $physical = get_physical $interface;

 	    if ( $physical =~ /\+$/ ) {
-		my $base = uc chain_base $physical;
+		my $base = uc var_base $physical;

 		$physical =~ s/\+$/*/;

@@ -1905,7 +1895,7 @@ sub process_host( ) {
 	my $set = $family == F_IPV4 ? "${zone}" : "6_${zone}";
 	
 	unless ( $zoneref->{options}{in_out}{dynamic_shared} ) {
-	    my $physical = chain_base1( physical_name $interface );
+	    my $physical = var_base1( physical_name $interface );
 	    $set = join( '_', $set, $physical );
 	}

--- a/Shorewall/Perl/lib.core
+++ b/Shorewall/Perl/lib.core
@@ -216,8 +216,8 @@ get_routed_networks() # $1 = interface name, $2-n = Fatal error message
 delete_tc1()
 {
    clear_one_tc() {
-        $TC qdisc del dev $1 root 2> /dev/null
-        $TC qdisc del dev $1 ingress 2> /dev/null
+        $TC qdisc del dev ${1%@*} root 2> /dev/null
+        $TC qdisc del dev ${1%@*} ingress 2> /dev/null

    }

@@ -1324,4 +1324,4 @@ clear_firewall() {
    logger -p kern.info "$g_product Cleared"
 }

-?endif
+?endif # IPv6-specific functions.
--- a/Shorewall/Samples/Universal/rules
+++ b/Shorewall/Samples/Universal/rules
@@ -12,6 +12,8 @@
 #SECTION ALL
 #SECTION ESTABLISHED
 #SECTION RELATED
+#SECTION INVALID
+#SECTION UNTRACKED
 SECTION NEW
 Invalid(DROP)	net		$FW		tcp
 SSH(ACCEPT)	net		$FW
--- a/Shorewall/Samples/Universal/shorewall.conf
+++ b/Shorewall/Samples/Universal/shorewall.conf
@@ -23,6 +23,8 @@ VERBOSITY=1

 BLACKLIST_LOGLEVEL=

+INVALID_LOG_LEVEL=
+
 LOG_MARTIANS=Yes

 LOG_VERBOSITY=2
@@ -51,10 +53,14 @@ STARTUP_LOG=/var/log/shorewall-init.log

 TCP_FLAGS_LOG_LEVEL=info

+UNTRACKED_LOG_LEVEL=
+
 ###############################################################################
 #	L O C A T I O N	  O F	F I L E S   A N D   D I R E C T O R I E S
 ###############################################################################

+ARPTABLES=
+
 CONFIG_PATH=${CONFDIR}/shorewall:${SHAREDIR}/shorewall

 GEOIPDIR=/usr/share/xt_geoip/LE
@@ -122,7 +128,7 @@ AUTOHELPERS=Yes

 AUTOMAKE=No

-BLACKLISTNEWONLY=Yes
+BLACKLIST="NEW,INVALID,UNTRACKED"

 CLAMPMSS=No

@@ -130,6 +136,8 @@ CLEAR_TC=Yes

 COMPLETE=Yes

+DEFER_DNS_RESOLUTION=Yes
+
 DISABLE_IPV6=No

 DELETE_THEN_ADD=Yes
@@ -194,6 +202,8 @@ RETAIN_ALIASES=No

 ROUTE_FILTER=No

+SAVE_ARPTABLES=No
+
 SAVE_IPSETS=No

 TC_ENABLED=Internal
@@ -208,6 +218,8 @@ USE_DEFAULT_RT=No

 USE_PHYSICAL_NAMES=No

+WARNOLDCAPVERSION=Yes
+
 ZONE2ZONE=2

 ###############################################################################
@@ -216,6 +228,8 @@ ZONE2ZONE=2

 BLACKLIST_DISPOSITION=DROP

+INVALID_DISPOSITION=CONTINUE
+
 MACLIST_DISPOSITION=REJECT

 RELATED_DISPOSITION=ACCEPT
@@ -228,6 +242,8 @@ SFILTER_DISPOSITION=DROP

 TCP_FLAGS_DISPOSITION=DROP

+UNTRACKED_DISPOSITION=CONTINUE
+
 ################################################################################
 #			P A C K E T  M A R K  L A Y O U T
 ################################################################################
--- a/Shorewall/Samples/one-interface/rules
+++ b/Shorewall/Samples/one-interface/rules
@@ -16,6 +16,8 @@
 #SECTION ALL
 #SECTION ESTABLISHED
 #SECTION RELATED
+#SECTION INVALID
+#SECTION UNTRACKED
 SECTION NEW

 # Drop packets in the INVALID state
--- a/Shorewall/Samples/one-interface/shorewall.conf
+++ b/Shorewall/Samples/one-interface/shorewall.conf
@@ -34,6 +34,8 @@ VERBOSITY=1

 BLACKLIST_LOGLEVEL=

+INVALID_LOG_LEVEL=
+
 LOG_MARTIANS=Yes

 LOG_VERBOSITY=2
@@ -62,10 +64,14 @@ STARTUP_LOG=/var/log/shorewall-init.log

 TCP_FLAGS_LOG_LEVEL=info

+UNTRACKED_LOG_LEVEL=
+
 ###############################################################################
 #	L O C A T I O N	  O F	F I L E S   A N D   D I R E C T O R I E S
 ###############################################################################

+ARPTABLES=
+
 CONFIG_PATH=${CONFDIR}/shorewall:${SHAREDIR}/shorewall

 GEOIPDIR=/usr/share/xt_geoip/LE
@@ -133,7 +139,7 @@ AUTOHELPERS=Yes

 AUTOMAKE=No

-BLACKLISTNEWONLY=Yes
+BLACKLIST="NEW,INVALID,UNTRACKED"

 CLAMPMSS=No

@@ -141,6 +147,8 @@ CLEAR_TC=Yes

 COMPLETE=No

+DEFER_DNS_RESOLUTION=Yes
+
 DISABLE_IPV6=No

 DELETE_THEN_ADD=Yes
@@ -205,6 +213,8 @@ RETAIN_ALIASES=No

 ROUTE_FILTER=No

+SAVE_ARPTABLES=No
+
 SAVE_IPSETS=No

 TC_ENABLED=Internal
@@ -219,6 +229,8 @@ USE_DEFAULT_RT=No

 USE_PHYSICAL_NAMES=No

+WARNOLDCAPVERSION=Yes
+
 ZONE2ZONE=2

 ###############################################################################
@@ -227,6 +239,8 @@ ZONE2ZONE=2

 BLACKLIST_DISPOSITION=DROP

+INVALID_DISPOSITION=CONTINUE
+
 MACLIST_DISPOSITION=REJECT

 RELATED_DISPOSITION=ACCEPT
@@ -239,6 +253,8 @@ SFILTER_DISPOSITION=DROP

 TCP_FLAGS_DISPOSITION=DROP

+UNTRACKED_DISPOSITION=CONTINUE
+
 ################################################################################
 #			P A C K E T  M A R K  L A Y O U T
 ################################################################################
--- a/Shorewall/Samples/three-interfaces/rules
+++ b/Shorewall/Samples/three-interfaces/rules
@@ -16,6 +16,8 @@
 #SECTION ALL
 #SECTION ESTABLISHED
 #SECTION RELATED
+#SECTION INVALID
+#SECTION UNTRACKED
 SECTION NEW

 #       Don't allow connection pickup from the net
--- a/Shorewall/Samples/three-interfaces/shorewall.conf
+++ b/Shorewall/Samples/three-interfaces/shorewall.conf
@@ -32,6 +32,8 @@ VERBOSITY=1

 BLACKLIST_LOGLEVEL=

+INVALID_LOG_LEVEL=
+
 LOG_MARTIANS=Yes

 LOG_VERBOSITY=2
@@ -60,10 +62,14 @@ STARTUP_LOG=/var/log/shorewall-init.log

 TCP_FLAGS_LOG_LEVEL=info

+UNTRACKED_LOG_LEVEL=
+
 ###############################################################################
 #	L O C A T I O N	  O F	F I L E S   A N D   D I R E C T O R I E S
 ###############################################################################

+ARPTABLES=
+
 CONFIG_PATH=${CONFDIR}/shorewall:${SHAREDIR}/shorewall

 GEOIPDIR=/usr/share/xt_geoip/LE
@@ -131,7 +137,7 @@ AUTOHELPERS=Yes

 AUTOMAKE=No

-BLACKLISTNEWONLY=Yes
+BLACKLIST="NEW,INVALID,UNTRACKED"

 CLAMPMSS=Yes

@@ -139,6 +145,8 @@ CLEAR_TC=Yes

 COMPLETE=No

+DEFER_DNS_RESOLUTION=Yes
+
 DISABLE_IPV6=No

 DELETE_THEN_ADD=Yes
@@ -203,6 +211,8 @@ RETAIN_ALIASES=No

 ROUTE_FILTER=No

+SAVE_ARPTABLES=No
+
 SAVE_IPSETS=No

 TC_ENABLED=Internal
@@ -217,6 +227,8 @@ USE_DEFAULT_RT=No

 USE_PHYSICAL_NAMES=No

+WARNOLDCAPVERSION=Yes
+
 ZONE2ZONE=2

 ###############################################################################
@@ -225,6 +237,8 @@ ZONE2ZONE=2

 BLACKLIST_DISPOSITION=DROP

+INVALID_DISPOSITION=CONTINUE
+
 MACLIST_DISPOSITION=REJECT

 RELATED_DISPOSITION=ACCEPT
@@ -237,6 +251,8 @@ SFILTER_DISPOSITION=DROP

 TCP_FLAGS_DISPOSITION=DROP

+UNTRACKED_DISPOSITION=CONTINUE
+
 ################################################################################
 #			P A C K E T  M A R K  L A Y O U T
 ################################################################################
--- a/Shorewall/Samples/two-interfaces/rules
+++ b/Shorewall/Samples/two-interfaces/rules
@@ -16,6 +16,8 @@
 #SECTION ALL
 #SECTION ESTABLISHED
 #SECTION RELATED
+#SECTION INVALID
+#SECTION UNTRACKED
 SECTION NEW

 #       Don't allow connection pickup from the net
--- a/Shorewall/Samples/two-interfaces/shorewall.conf
+++ b/Shorewall/Samples/two-interfaces/shorewall.conf
@@ -35,6 +35,8 @@ VERBOSITY=1

 BLACKLIST_LOGLEVEL=

+INVALID_LOG_LEVEL=
+
 LOG_MARTIANS=Yes

 LOG_VERBOSITY=2
@@ -63,10 +65,14 @@ STARTUP_LOG=/var/log/shorewall-init.log

 TCP_FLAGS_LOG_LEVEL=info

+UNTRACKED_LOG_LEVEL=
+
 ###############################################################################
 #	L O C A T I O N	  O F	F I L E S   A N D   D I R E C T O R I E S
 ###############################################################################

+ARPTABLES=
+
 CONFIG_PATH=${CONFDIR}/shorewall:${SHAREDIR}/shorewall

 GEOIPDIR=/usr/share/xt_geoip/LE
@@ -134,7 +140,7 @@ AUTOHELPERS=Yes

 AUTOMAKE=No

-BLACKLISTNEWONLY=Yes
+BLACKLIST="NEW,INVALID,UNTRACKED"

 CLAMPMSS=Yes

@@ -142,6 +148,8 @@ CLEAR_TC=Yes

 COMPLETE=No

+DEFER_DNS_RESOLUTION=Yes
+
 DISABLE_IPV6=No

 DELETE_THEN_ADD=Yes
@@ -206,6 +214,8 @@ RETAIN_ALIASES=No

 ROUTE_FILTER=No

+SAVE_ARPTABLES=No
+
 SAVE_IPSETS=No

 TC_ENABLED=Internal
@@ -220,6 +230,8 @@ USE_DEFAULT_RT=No

 USE_PHYSICAL_NAMES=No

+WARNOLDCAPVERSION=Yes
+
 ZONE2ZONE=2

 ###############################################################################
@@ -228,6 +240,8 @@ ZONE2ZONE=2

 BLACKLIST_DISPOSITION=DROP

+INVALID_DISPOSITION=CONTINUE
+
 MACLIST_DISPOSITION=REJECT

 RELATED_DISPOSITION=ACCEPT
@@ -240,6 +254,8 @@ SFILTER_DISPOSITION=DROP

 TCP_FLAGS_DISPOSITION=DROP

+UNTRACKED_DISPOSITION=CONTINUE
+
 ################################################################################
 #			P A C K E T  M A R K  L A Y O U T
 ################################################################################
--- a/Shorewall/action.Established
+++ b/Shorewall/action.Established
@@ -0,0 +1,49 @@
+#
+# Shorewall 4 - Established Action
+#
+#    /usr/share/shorewall/action.Established
+#
+#     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
+#
+#     (c) 2011,2012 - Tom Eastep (teastep@shorewall.net)
+#
+#       Complete documentation is available at http://shorewall.net
+#
+#       This program is free software; you can redistribute it and/or modify
+#       it under the terms of Version 2 of the GNU General Public License
+#       as published by the Free Software Foundation.
+#
+#       This program is distributed in the hope that it will be useful,
+#       but WITHOUT ANY WARRANTY; without even the implied warranty of
+#       MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+#       GNU General Public License for more details.
+#
+#       You should have received a copy of the GNU General Public License
+#       along with this program; if not, write to the Free Software
+#       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+#   Established[([<action>])]
+#
+#       Default action is ACCEPT
+#
+##########################################################################################
+?FORMAT 2
+
+DEFAULTS ACCEPT
+
+?BEGIN PERL;
+
+use Shorewall::IPAddrs;
+use Shorewall::Config;
+use Shorewall::Chains;
+use Shorewall::Rules;
+
+my ( $action ) = get_action_params( 1 );
+
+if ( my $check = check_state( 'ESTABLISHED' ) ) {
+    perl_action_helper( $action, $check == 1 ? "$globals{STATEMATCH} ESTABLISHED" : '', 'ESTABLISHED' );
+}
+
+1;
+
+?END PERL;
--- a/Shorewall/action.Invalid
+++ b/Shorewall/action.Invalid
@@ -5,7 +5,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2011 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2011,2012 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
@@ -22,7 +22,7 @@
 #       along with this program; if not, write to the Free Software
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
-#   Invalid[([<action>|-[,{audit|-}])]
+#   Invalid[([<action>])]
 #
 #       Default action is DROP
 #
@@ -36,21 +36,18 @@ DEFAULTS DROP,-
 use Shorewall::IPAddrs;
 use Shorewall::Config;
 use Shorewall::Chains;
+use Shorewall::Rules;

 my ( $action, $audit ) = get_action_params( 2 );

-fatal_error "Invalid parameter ($audit) to action Invalid"   if supplied $audit && $audit ne 'audit';
-fatal_error "Invalid parameter ($action) to action Invalid"  unless $action =~ /^(?:ACCEPT|DROP|REJECT)$/;
+if ( supplied $audit ) {
+     fatal_error "Invalid parameter ($audit) to action Invalid" if $audit ne 'audit';
+     $action = "A_$action";
+}

-my $chainref         = get_action_chain;
-
-my ( $level, $tag )  = get_action_logging;
-my $target           = require_audit ( $action , $audit );
-
-log_rule_limit $level, $chainref, 'Invalid' , $action, '', $tag, 'add', "$globals{STATEMATCH} INVALID " if $level ne '';
-add_jump $chainref , $target, 0, "$globals{STATEMATCH} INVALID ";
-
-allow_optimize( $chainref );
+if ( my $check = check_state( 'INVALID' ) ) {
+    perl_action_helper( $action, $check == 1 ? "$globals{STATEMATCH} INVALID" : '' , 'INVALID' );
+}

 1;

--- a/Shorewall/action.New
+++ b/Shorewall/action.New
@@ -0,0 +1,49 @@
+#
+# Shorewall 4 - New Action
+#
+#    /usr/share/shorewall/action.New
+#
+#     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
+#
+#     (c) 2011,2012 - Tom Eastep (teastep@shorewall.net)
+#
+#       Complete documentation is available at http://shorewall.net
+#
+#       This program is free software; you can redistribute it and/or modify
+#       it under the terms of Version 2 of the GNU General Public License
+#       as published by the Free Software Foundation.
+#
+#       This program is distributed in the hope that it will be useful,
+#       but WITHOUT ANY WARRANTY; without even the implied warranty of
+#       MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+#       GNU General Public License for more details.
+#
+#       You should have received a copy of the GNU General Public License
+#       along with this program; if not, write to the Free Software
+#       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+#   Untracked[([<action>])]
+#
+#       Default action is ACCEPT
+#
+##########################################################################################
+?FORMAT 2
+
+DEFAULTS ACCEPT
+
+?BEGIN PERL;
+
+use Shorewall::IPAddrs;
+use Shorewall::Config;
+use Shorewall::Chains;
+use Shorewall::Rules;
+
+my ( $action ) = get_action_params( 1 );
+
+if ( my $check = check_state( 'NEW' ) ) {
+    perl_action_helper( $action, $check == 1 ? "$globals{STATEMATCH} NEW" : '' , 'NEW' );
+}
+
+1;
+
+?END PERL;
--- a/Shorewall/action.NotSyn
+++ b/Shorewall/action.NotSyn
@@ -22,7 +22,7 @@
 #       along with this program; if not, write to the Free Software
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
-#   NotSyn[([<action>|-[,{audit|-}])]
+#   NotSyn[([<action>])]
 #
 #       Default action is DROP
 #
@@ -33,24 +33,20 @@ DEFAULTS DROP,-

 ?BEGIN PERL;

+use strict;
 use Shorewall::IPAddrs;
 use Shorewall::Config;
 use Shorewall::Chains;
+use Shorewall::Rules;

 my ( $action, $audit ) = get_action_params( 2 );

-fatal_error "Invalid parameter ($audit) to action NotSyn"   if supplied $audit && $audit ne 'audit';
-fatal_error "Invalid parameter ($action) to action NotSyn"  unless $action =~ /^(?:ACCEPT|DROP|REJECT)$/;
+if ( supplied $audit ) {
+     fatal_error "Invalid parameter ($audit) to action NotSyn" if $audit ne 'audit';
+     $action = "A_$action";
+}    

-my $chainref         = get_action_chain;
-
-my ( $level, $tag )  = get_action_logging;
-my $target           = require_audit ( $action , $audit );
-
-log_rule_limit $level, $chainref, 'NotSyn' , $action, '', $tag, 'add', '-p 6 ! --syn ' if $level ne '';
-add_jump $chainref , $target, 0, '-p 6 ! --syn ';
-
-allow_optimize( $chainref );
+perl_action_tcp_helper( $action, '-p 6 ! --syn' );

 1;

--- a/Shorewall/action.RST
+++ b/Shorewall/action.RST
@@ -22,7 +22,7 @@
 #       along with this program; if not, write to the Free Software
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
-#   RST[([<action>|-[,{audit|-}])]
+#   RST[([<action>])]
 #
 #       Default action is DROP
 #
@@ -35,21 +35,16 @@ DEFAULTS DROP,-

 use Shorewall::Config;
 use Shorewall::Chains;
+use Shorewall::Rules;

 my ( $action, $audit ) = get_action_params( 2 );

-fatal_error "Invalid parameter ($audit) to action RST"   if supplied $audit && $audit ne 'audit';
-fatal_error "Invalid parameter ($action) to action RST"  unless $action =~ /^(?:ACCEPT|DROP)$/;
+if ( supplied $audit ) {
+     fatal_error "Invalid parameter ($audit) to action RST" if $audit ne 'audit';
+     $action = "A_$action";
+}    

-my $chainref         = get_action_chain;
-
-my ( $level, $tag )  = get_action_logging;
-my $target           = require_audit ( $action , $audit );
-
-log_rule_limit $level, $chainref, 'RST' , $action, '', $tag, 'add', '-p 6 --tcp-flags RST RST ' if $level ne '';
-add_jump $chainref , $target, 0, '-p 6 --tcp-flags RST RST ';
-
-allow_optimize( $chainref );
+perl_action_tcp_helper( $action, '-p 6 --tcp-flags RST RST' );

 1;

--- a/Shorewall/action.Related
+++ b/Shorewall/action.Related
@@ -0,0 +1,50 @@
+#
+# Shorewall 4 - Related Action
+#
+#    /usr/share/shorewall/action.Related
+#
+#     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
+#
+#     (c) 2011,2012 - Tom Eastep (teastep@shorewall.net)
+#
+#       Complete documentation is available at http://shorewall.net
+#
+#       This program is free software; you can redistribute it and/or modify
+#       it under the terms of Version 2 of the GNU General Public License
+#       as published by the Free Software Foundation.
+#
+#       This program is distributed in the hope that it will be useful,
+#       but WITHOUT ANY WARRANTY; without even the implied warranty of
+#       MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+#       GNU General Public License for more details.
+#
+#       You should have received a copy of the GNU General Public License
+#       along with this program; if not, write to the Free Software
+#       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+#   Related[([<action>])]
+#
+#       Default action is DROP
+#
+##########################################################################################
+?FORMAT 2
+
+DEFAULTS DROP
+
+?BEGIN PERL;
+
+use strict;
+use Shorewall::IPAddrs;
+use Shorewall::Config;
+use Shorewall::Chains;
+use Shorewall::Rules;
+
+my ( $action ) = get_action_params( 1 );
+
+if ( my $check = check_state( 'RELATED' ) ) {
+    perl_action_helper( $action, $check == 1 ? "$globals{STATEMATCH} RELATED" : '', 'RELATED' );
+}
+
+1;
+
+?END PERL;
--- a/Shorewall/action.TCPFlags
+++ b/Shorewall/action.TCPFlags
@@ -11,49 +11,28 @@
 #################################################################################
 ?FORMAT 2

-DEFAULTS DROP,-
+DEFAULTS -

 ?BEGIN PERL;
 use strict;
 use Shorewall::Config qw(:DEFAULT F_IPV4 F_IPV6);
 use Shorewall::Chains;
+use Shorewall::Rules;

-my ( $disposition, $audit ) = get_action_params( 2 );
+my $action = 'DROP';

-my $chainref        = get_action_chain;
+my ( $audit ) = get_action_params( 1 );

-my ( $level, $tag ) = get_action_logging;
+if ( supplied $audit ) {
+     fatal_error "Invalid parameter ($audit) to action TCPFlags" if $audit ne 'audit';
+     $action = "A_DROP";
+}    

-fatal_error q(The first argument to 'TCPFlags' must be ACCEPT, REJECT, or DROP) unless $disposition =~ /^(ACCEPT|REJECT|DROP)$/;
-
-if ( $level ne '-' || $audit ne '-' ) {
-    my $logchainref = ensure_filter_chain newlogchain( $chainref->{table} ), 0;
-
-    log_rule_limit( $level,
-		    $logchainref,
-		    $chainref->{name},
-		    $disposition,
-		    '',
-		    $tag,
-		    'add',
-		    '' ) if $level;
-
-    if ( supplied $audit ) {
-	fatal_error "Invalid argument ($audit) to TCPFlags" if $audit ne 'audit';
-	require_capability 'AUDIT_TARGET', q(Passing 'audit' to the TCPFlags action), 's';
-	add_ijump( $logchainref, j => 'AUDIT --type ' . lc $disposition );
-    }
-
-    add_ijump( $logchainref, g => $disposition );
-
-    $disposition = $logchainref;
-}
-
-add_ijump $chainref , g => $disposition, p => 'tcp --tcp-flags ALL FIN,URG,PSH';
-add_ijump $chainref , g => $disposition, p => 'tcp --tcp-flags ALL NONE';
-add_ijump $chainref , g => $disposition, p => 'tcp --tcp-flags SYN,RST SYN,RST';
-add_ijump $chainref , g => $disposition, p => 'tcp --tcp-flags SYN,FIN SYN,FIN';
-add_ijump $chainref , g => $disposition, p => 'tcp --syn --sport 0';
+perl_action_tcp_helper( $action, '-p tcp --tcp-flags ALL FIN,URG,PSH' );
+perl_action_tcp_helper( $action, '-p tcp --tcp-flags ALL NONE' );
+perl_action_tcp_helper( $action, '-p tcp --tcp-flags SYN,RST SYN,RST' );
+perl_action_tcp_helper( $action, '-p tcp --tcp-flags SYN,FIN SYN,FIN' );
+perl_action_tcp_helper( $action, '-p tcp --syn --sport 0' );

 ?END PERL;

--- a/Shorewall/action.Untracked
+++ b/Shorewall/action.Untracked
@@ -0,0 +1,49 @@
+#
+# Shorewall 4 - Untracked Action
+#
+#    /usr/share/shorewall/action.Untracked
+#
+#     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
+#
+#     (c) 2011,2012 - Tom Eastep (teastep@shorewall.net)
+#
+#       Complete documentation is available at http://shorewall.net
+#
+#       This program is free software; you can redistribute it and/or modify
+#       it under the terms of Version 2 of the GNU General Public License
+#       as published by the Free Software Foundation.
+#
+#       This program is distributed in the hope that it will be useful,
+#       but WITHOUT ANY WARRANTY; without even the implied warranty of
+#       MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+#       GNU General Public License for more details.
+#
+#       You should have received a copy of the GNU General Public License
+#       along with this program; if not, write to the Free Software
+#       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+#   Untracked[([<action>])]
+#
+#       Default action is DROP
+#
+##########################################################################################
+?FORMAT 2
+
+DEFAULTS DROP
+
+?BEGIN PERL;
+
+use Shorewall::IPAddrs;
+use Shorewall::Config;
+use Shorewall::Chains;
+use Shorewall::Rules;
+
+my ( $action ) = get_action_params( 1 );
+
+if ( my $check = check_state( 'UNTRACKED' ) ) {
+    perl_action_helper( $action, $check == 1 ? "$globals{STATEMATCH} UNTRACKED" : '' , 'UNTRACKED' );
+}
+
+1;
+
+?END PERL;
--- a/Shorewall/action.allowInvalid
+++ b/Shorewall/action.allowInvalid
@@ -0,0 +1,53 @@
+#
+# Shorewall 4 - allowInvalid Action
+#
+#    /usr/share/shorewall/action.allowInvalid
+#
+#     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
+#
+#     (c) 2011 - Tom Eastep (teastep@shorewall.net)
+#
+#       Complete documentation is available at http://shorewall.net
+#
+#       This program is free software; you can redistribute it and/or modify
+#       it under the terms of Version 2 of the GNU General Public License
+#       as published by the Free Software Foundation.
+#
+#       This program is distributed in the hope that it will be useful,
+#       but WITHOUT ANY WARRANTY; without even the implied warranty of
+#       MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+#       GNU General Public License for more details.
+#
+#       You should have received a copy of the GNU General Public License
+#       along with this program; if not, write to the Free Software
+#       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+#   allowInvalid[([audit])]
+#
+##########################################################################################
+?FORMAT 2
+
+DEFAULTS -
+
+?BEGIN PERL;
+
+use strict;
+use Shorewall::IPAddrs;
+use Shorewall::Config;
+use Shorewall::Chains;
+use Shorewall::Rules;
+
+my $action = 'ACCEPT';
+
+my ( $audit ) = get_action_params( 1 );
+
+if ( supplied $audit ) {
+     fatal_error "Invalid parameter ($audit) to action allowInvalid" if $audit ne 'audit';
+     $action = "A_ACCEPT";
+}    
+
+perl_action_helper( "Invalid($action)", '' );
+
+1;
+
+?END PERL;
--- a/Shorewall/action.dropInvalid
+++ b/Shorewall/action.dropInvalid
@@ -0,0 +1,53 @@
+#
+# Shorewall 4 - dropInvalid Action
+#
+#    /usr/share/shorewall/action.dropInvalid
+#
+#     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
+#
+#     (c) 2011 - Tom Eastep (teastep@shorewall.net)
+#
+#       Complete documentation is available at http://shorewall.net
+#
+#       This program is free software; you can redistribute it and/or modify
+#       it under the terms of Version 2 of the GNU General Public License
+#       as published by the Free Software Foundation.
+#
+#       This program is distributed in the hope that it will be useful,
+#       but WITHOUT ANY WARRANTY; without even the implied warranty of
+#       MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+#       GNU General Public License for more details.
+#
+#       You should have received a copy of the GNU General Public License
+#       along with this program; if not, write to the Free Software
+#       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+#   dropInvalid[([audit])]
+#
+##########################################################################################
+?FORMAT 2
+
+DEFAULTS -
+
+?BEGIN PERL;
+
+use strict;
+use Shorewall::IPAddrs;
+use Shorewall::Config;
+use Shorewall::Chains;
+use Shorewall::Rules;
+
+my $action = 'DROP';
+
+my ( $audit ) = get_action_params( 1 );
+
+if ( supplied $audit ) {
+     fatal_error "Invalid parameter ($audit) to action dropInvalid" if $audit ne 'audit';
+     $action = "A_DROP";
+}    
+
+perl_action_helper( "Invalid($action)", '' );
+
+1;
+
+?END PERL;
--- a/Shorewall/actions.std
+++ b/Shorewall/actions.std
@@ -15,19 +15,11 @@
 #    dropBcast		# Silently Drop Broadcast/multicast
 #    dropNotSyn		# Silently Drop Non-syn TCP packets
 #    rejNotSyn		# Silently Reject Non-syn TCP packets
-#    dropInvalid	# Silently Drop packets that are in the INVALID
-#			# conntrack state.
-#    allowInvalid	# Accept packets that are in the INVALID
-#			# conntrack state.
 #    allowoutUPnP	# Allow traffic from local command 'upnpd' (does not
 #                       # work with kernel 2.6.14 and later).
 #    allowinUPnP	# Allow UPnP inbound (to firewall) traffic
 #    forwardUPnP	# Allow traffic that upnpd has redirected from
 #			# 'upnp' interfaces.
-#    drop1918src        # Drop packets with an RFC 1918 source address
-#    drop1918dst        # Drop packets with an RFC 1918 original dest address
-#    rej1918src         # Reject packets with an RFC 1918 source address
-#    rej1918dst         # Reject packets with an RFC 1918 original dest address
 #    Limit              # Limit the rate of connections from each individual
 #                       # IP address
 #
@@ -35,11 +27,17 @@
 #ACTION
 A_Drop 		                # Audited Default Action for DROP policy
 A_Reject	                # Audited Default action for REJECT policy
-Broadcast  noinline             # Handles Broadcast/Multicast/Anycast
+allowInvalid inline		# Accepts packets in the INVALID conntrack state
+Broadcast    noinline           # Handles Broadcast/Multicast/Anycast
 Drop		                # Default Action for DROP policy
-DropSmurfs noinline             # Drop smurf packets
-Invalid    noinline             # Handles packets in the INVALID conntrack state
-NotSyn     noinline             # Handles TCP packets which do not have SYN=1 and ACK=0
+dropInvalid  inline		# Drops packets in the INVALID conntrack state
+DropSmurfs   noinline           # Drop smurf packets
+Established  inline		# Handles packets in the ESTABLISHED state
+Invalid      inline             # Handles packets in the INVALID conntrack state
+New	     inline             # Handles packets in the NEW conntrack state
+NotSyn       inline             # Handles TCP packets which do not have SYN=1 and ACK=0
 Reject                          # Default Action for REJECT policy
-RST	   noinline             # Handle packets with RST set
-TCPFlags   noinline             # Handle bad flag combinations.
+Related      inline             # Handles packets in the RELATED conntrack state
+RST	     inline             # Handle packets with RST set
+TCPFlags    			# Handle bad flag combinations.
+Untracked    inline             # Handles packets in the UNTRACKED conntrack state
--- a/Shorewall/configfiles/arprules
+++ b/Shorewall/configfiles/arprules
@@ -0,0 +1,8 @@
+#
+# Shorewall version 4 - arprules File
+#
+# For information about entries in this file, type "man shorewall-arprules"
+#
+##############################################################################################################
+#ACTION				SOURCE				DEST				ARP
+#												OPCODE
--- a/Shorewall/configfiles/rules
+++ b/Shorewall/configfiles/rules
@@ -12,4 +12,6 @@
 #SECTION ALL
 #SECTION ESTABLISHED
 #SECTION RELATED
+#SECTION INVALID
+#SECTION UNTRACKED
 SECTION NEW
--- a/Shorewall/configfiles/shorewall.conf
+++ b/Shorewall/configfiles/shorewall.conf
@@ -23,6 +23,8 @@ VERBOSITY=1

 BLACKLIST_LOGLEVEL=

+INVALID_LOG_LEVEL=
+
 LOG_MARTIANS=Yes

 LOG_VERBOSITY=2
@@ -51,10 +53,14 @@ STARTUP_LOG=/var/log/shorewall-init.log

 TCP_FLAGS_LOG_LEVEL=info

+UNTRACKED_LOG_LEVEL=
+
 ###############################################################################
 #	L O C A T I O N	  O F	F I L E S   A N D   D I R E C T O R I E S
 ###############################################################################

+ARPTABLES=
+
 CONFIG_PATH="${CONFDIR}/shorewall:${SHAREDIR}/shorewall"

 GEOIPDIR=/usr/share/xt_geoip/LE
@@ -122,7 +128,7 @@ AUTOHELPERS=Yes

 AUTOMAKE=No

-BLACKLISTNEWONLY=Yes
+BLACKLIST="NEW,INVALID,UNTRACKED"

 CLAMPMSS=No

@@ -130,6 +136,8 @@ CLEAR_TC=Yes

 COMPLETE=No

+DEFER_DNS_RESOLUTION=Yes
+
 DELETE_THEN_ADD=Yes

 DETECT_DNAT_IPADDRS=No
@@ -194,6 +202,8 @@ RETAIN_ALIASES=No

 ROUTE_FILTER=No

+SAVE_ARPTABLES=No
+
 SAVE_IPSETS=No

 TC_ENABLED=Internal
@@ -208,6 +218,8 @@ USE_DEFAULT_RT=No

 USE_PHYSICAL_NAMES=No

+WARNOLDCAPVERSION=Yes
+
 ZONE2ZONE=2

 ###############################################################################
@@ -216,6 +228,8 @@ ZONE2ZONE=2

 BLACKLIST_DISPOSITION=DROP

+INVALID_DISPOSITION=CONTINUE
+
 MACLIST_DISPOSITION=REJECT

 RELATED_DISPOSITION=ACCEPT
@@ -228,6 +242,8 @@ SFILTER_DISPOSITION=DROP

 TCP_FLAGS_DISPOSITION=DROP

+UNTRACKED_DISPOSITION=CONTINUE
+
 ################################################################################
 #			P A C K E T  M A R K  L A Y O U T
 ################################################################################
--- a/Shorewall/configfiles/tcinterfaces
+++ b/Shorewall/configfiles/tcinterfaces
@@ -7,4 +7,4 @@
 # information.
 #
 ###############################################################################
-#INTERFACE	TYPE		IN-BANDWIDTH
+#INTERFACE	TYPE		IN-BANDWIDTH		OUT-BANDWIDTH
--- a/Shorewall/init.archlinux.sh
+++ b/Shorewall/init.archlinux.sh
@@ -1,60 +0,0 @@
-#!/bin/bash
-
-OPTIONS="-f"
-
-if [ -f /etc/sysconfig/shorewall ] ; then
-	. /etc/sysconfig/shorewall
-elif [ -f /etc/default/shorewall ] ; then
-	. /etc/default/shorewall
-fi
-
-# if you want to override options, do so in /etc/sysconfig/shorewall or
-# in /etc/default/shorewall --
-# i strongly encourage you use the latter, since /etc/sysconfig/ does not exist.
-
-. /etc/rc.conf
-. /etc/rc.d/functions
-
-DAEMON_NAME="shorewall" # of course shorewall is NOT a deamon.
-
-export SHOREWALL_INIT_SCRIPT=1
-
-case "$1" in
-	start)
-		stat_busy "Starting $DAEMON_NAME"
-		/sbin/shorewall $OPTIONS start &>/dev/null
-		if [ $? -gt 0 ]; then
-			stat_fail
-		else
-			add_daemon $DAEMON_NAME
-			stat_done
-		fi
-		;;
-
-
-	stop)
-		stat_busy "Stopping $DAEMON_NAME"
-		/sbin/shorewall stop &>/dev/null
-		if [ $? -gt 0 ]; then
-			stat_fail
-		else
-			rm_daemon $DAEMON_NAME
-			stat_done
-		fi
-		;;
-
-	restart|reload)
-		stat_busy "Restarting $DAEMON_NAME"
-		/sbin/shorewall restart &>/dev/null
-		if [ $? -gt 0  ]; then
-			stat_fail
-		else
-			stat_done
-		fi
-		;;
-
-	*)
-		echo "usage: $0 {start|stop|restart}"
-esac
-exit 0
-
--- a/Shorewall/install.sh
+++ b/Shorewall/install.sh
@@ -641,6 +641,19 @@ if [ -f masq ]; then
 	echo "Masquerade file installed as ${DESTDIR}${CONFDIR}/$PRODUCT/masq"
    fi
 fi
+
+if [ -f arprules ]; then
+    #
+    # Install the ARP rules file
+    #
+    run_install $OWNERSHIP -m 0644 arprules           ${DESTDIR}${SHAREDIR}/$PRODUCT/configfiles
+    run_install $OWNERSHIP -m 0644 arprules.annotated ${DESTDIR}${SHAREDIR}/$PRODUCT/configfiles
+
+    if [ -z "$SPARSE" -a ! -f ${DESTDIR}${CONFDIR}/$PRODUCT/arprules ]; then
+	run_install $OWNERSHIP -m 0600 arprules${suffix} ${DESTDIR}${CONFDIR}/$PRODUCT/arprules
+	echo "ARP rules file installed as ${DESTDIR}${CONFDIR}/$PRODUCT/arprules"
+    fi
+fi
 #
 # Install the Conntrack file
 #
--- a/Shorewall/manpages/shorewall-accounting.xml
+++ b/Shorewall/manpages/shorewall-accounting.xml
@@ -349,7 +349,9 @@
        <listitem>
          <para>The name of a <emphasis>chain</emphasis>. If specified as
          <emphasis role="bold">-</emphasis> the <emphasis
-          role="bold">accounting</emphasis> chain is assumed. This is the
+          role="bold">accounting</emphasis> chain is assumed when the file is
+          un-sectioned. When the file is sectioned, the default is one of
+          accountin, accountout, etc. depending on the section. This is the
          chain where the accounting rule is added. The
          <emphasis>chain</emphasis> will be created if it doesn't already
          exist. The <emphasis>chain</emphasis> may not exceed 29 characters
@@ -370,7 +372,8 @@
          <para>The name of an <replaceable>interface</replaceable>, an
          <replaceable>address</replaceable> (host or net) or an
          <replaceable>interface</replaceable> name followed by ":" and a host
-          or net <replaceable>address</replaceable>.</para>
+          or net <replaceable>address</replaceable>. An ipset name is also
+          accepted as an <replaceable>address</replaceable>.</para>
        </listitem>
      </varlistentry>

@@ -392,12 +395,12 @@
      <varlistentry>
        <term><emphasis role="bold">PROTOCOL (proto)</emphasis> - {<emphasis
        role="bold">-</emphasis>|<emphasis
-        role="bold">any</emphasis>|<emphasis
+        role="bold">{any</emphasis>|<emphasis
        role="bold">all</emphasis>|<emphasis>protocol-name</emphasis>|<emphasis>protocol-number</emphasis>|<emphasis
        role="bold">ipp2p</emphasis>[<emphasis
        role="bold">:</emphasis>{<emphasis
        role="bold">udp</emphasis>|<emphasis
-        role="bold">all</emphasis>}]}</term>
+        role="bold">all</emphasis>}]}[,...]}</term>

        <listitem>
          <para>A <emphasis>protocol-name</emphasis> (from protocols(5)), a
@@ -405,6 +408,9 @@
          role="bold">ipp2p</emphasis>, <emphasis
          role="bold">ipp2p:udp</emphasis> or <emphasis
          role="bold">ipp2p:all</emphasis></para>
+
+          <para>Beginning with Shorewall 4.5.12, this column can accept a
+          comma-separated list of protocols.</para>
        </listitem>
      </varlistentry>

--- a/Shorewall/manpages/shorewall-actions.xml
+++ b/Shorewall/manpages/shorewall-actions.xml
@@ -71,11 +71,11 @@

                    <member>DropSmurfs</member>

-                    <member>Invalid</member>
+                    <member>Invalid (Prior to Shorewall 4.5.13)</member>

-                    <member>NotSyn</member>
+                    <member>NotSyn (Prior to Shorewall 4.5.13)</member>

-                    <member>RST</member>
+                    <member>RST (Prior to Shorewall 4.5.13)</member>

                    <member>TCPFlags</member>
                  </simplelist>
--- a/Shorewall/manpages/shorewall-arprules.xml
+++ b/Shorewall/manpages/shorewall-arprules.xml
@@ -0,0 +1,378 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
+"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
+<refentry>
+  <refmeta>
+    <refentrytitle>shorewall-arprules</refentrytitle>
+
+    <manvolnum>5</manvolnum>
+  </refmeta>
+
+  <refnamediv>
+    <refname>arprules</refname>
+
+    <refpurpose>Shorewall ARP rules file</refpurpose>
+  </refnamediv>
+
+  <refsynopsisdiv>
+    <cmdsynopsis>
+      <command>/etc/shorewall/arprules</command>
+    </cmdsynopsis>
+  </refsynopsisdiv>
+
+  <refsect1>
+    <title>Description</title>
+
+    <para>This file was added in Shorwall 4.5.12 and is used to describe
+    low-level rules managed by arptables (8). These rules only affect Address
+    Resolution Protocol (ARP), Reverse Address Resolution Protocol (RARP) and
+    Dynamic Reverse Address Resolution Protocol (DRARP) frames.</para>
+
+    <para>The columns in the file are as shown below. MAC addresses are
+    specified normally (6 hexidecimal numbers separated by colons).</para>
+
+    <variablelist>
+      <varlistentry>
+        <term><emphasis role="bold">ACTION</emphasis></term>
+
+        <listitem>
+          <para>Describes the action to take when a frame matches the criteria
+          in the other columns. Possible values are:</para>
+
+          <variablelist>
+            <varlistentry>
+              <term><emphasis role="bold">ACCEPT</emphasis></term>
+
+              <listitem>
+                <para>This is the default action if no rules matches a frame;
+                it lets the frame go through.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis role="bold">DROP</emphasis></term>
+
+              <listitem>
+                <para>Causes the frame to be dropped.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis
+              role="bold">SNAT:</emphasis><replaceable>ip-address</replaceable></term>
+
+              <listitem>
+                <para>Modifies the source IP address to the specified
+                <replaceable>ip-address</replaceable>.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis
+              role="bold">DNAT:</emphasis><replaceable>ip-address</replaceable></term>
+
+              <listitem>
+                <para>Modifies the destination IP address to the specified
+                <replaceable>ip-address</replaceable>.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis
+              role="bold">SMAT:</emphasis><replaceable>mac-address</replaceable></term>
+
+              <listitem>
+                <para>Modifies the source MAC address to the specified
+                <replaceable>mac-address</replaceable>.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis
+              role="bold">DMAT:</emphasis><replaceable>mac-address</replaceable></term>
+
+              <listitem>
+                <para>Modifies the destination MAC address to the specified
+                <replaceable>mac-address</replaceable>.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis
+              role="bold">SNATC:</emphasis><replaceable>ip-address</replaceable></term>
+
+              <listitem>
+                <para>Like SNAT except that the frame is then passed to the
+                next rule.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis
+              role="bold">DNATC:</emphasis><replaceable>ip-address</replaceable></term>
+
+              <listitem>
+                <para>Like DNAT except that the frame is then passed to the
+                next rule.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis
+              role="bold">SMATC:</emphasis><replaceable>mac-address</replaceable></term>
+
+              <listitem>
+                <para>Like SMAT except that the frame is then passed to the
+                next rule.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis
+              role="bold">DMATC:</emphasis><replaceable>mac-address</replaceable></term>
+
+              <listitem>
+                <para>Like DMAT except that the frame is then passed to the
+                next rule.</para>
+              </listitem>
+            </varlistentry>
+          </variablelist>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><emphasis role="bold">SOURCE</emphasis> - <emphasis
+        role="bold">[<replaceable>interface</replaceable>[:[!]<replaceable>ipaddress</replaceable>[/ip<replaceable>mask</replaceable>][:[!]<replaceable>macaddress</replaceable>[/<replaceable>macmask</replaceable>]]]]</emphasis></term>
+
+        <listitem>
+          <para>Where</para>
+
+          <variablelist>
+            <varlistentry>
+              <term><replaceable>interface</replaceable></term>
+
+              <listitem>
+                <para>Is an interface defined in
+                shorewall-interfaces(5).</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><replaceable>ipaddress</replaceable></term>
+
+              <listitem>
+                <para>is an IPv4 address. DNS names are not allowed.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><replaceable>ipmask</replaceable></term>
+
+              <listitem>
+                <para>specifies a mask to be applied to
+                <replaceable>ipaddress</replaceable>.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><replaceable>macaddress</replaceable></term>
+
+              <listitem>
+                <para>The source MAC address.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><replaceable>macmask</replaceable></term>
+
+              <listitem>
+                <para>Mask for MAC address; must be specified as 6 hexidecimal
+                numbers separated by colons.</para>
+              </listitem>
+            </varlistentry>
+          </variablelist>
+
+          <para>When '!' is specified, the test is inverted.</para>
+
+          <para>If not specified, matches only frames originating on the
+          firewall itself.</para>
+
+          <caution>
+            <para>Either SOURCE or DEST must be specified.</para>
+          </caution>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><emphasis role="bold">DEST</emphasis> - <emphasis
+        role="bold">[<replaceable>interface</replaceable>[:[!]<replaceable>ipaddress</replaceable>[/ip<replaceable>mask</replaceable>][:[!]<replaceable>macaddress</replaceable>[/<replaceable>macmask</replaceable>]]]]</emphasis></term>
+
+        <listitem>
+          <para>Where</para>
+
+          <variablelist>
+            <varlistentry>
+              <term><replaceable>interface</replaceable></term>
+
+              <listitem>
+                <para>Is an interface defined in
+                shorewall-interfaces(5).</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><replaceable>ipaddress</replaceable></term>
+
+              <listitem>
+                <para>is an IPv4 address. DNS Names are not allowed.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><replaceable>ipmask</replaceable></term>
+
+              <listitem>
+                <para>specifies a mask to be applied to frame
+                addresses.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><replaceable>macaddress</replaceable></term>
+
+              <listitem>
+                <para>The destination MAC address.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><replaceable>macmask</replaceable></term>
+
+              <listitem>
+                <para>Mask for MAC address; must be specified as 6 hexidecimal
+                numbers separated by colons.</para>
+              </listitem>
+            </varlistentry>
+          </variablelist>
+
+          <para>When '!' is specified, the test is inverted and the rule
+          matches frames which do not match the specified address/mask.</para>
+
+          <para>If not specified, matches only frames originating on the
+          firewall itself.</para>
+
+          <para>If both SOURCE and DEST are specified, then both interfaces
+          must be bridge ports on the same bridge.</para>
+
+          <caution>
+            <para>Either SOURCE or DEST must be specified.</para>
+          </caution>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>ARP OPCODE - [[!]<replaceable>opcode</replaceable>]</term>
+
+        <listitem>
+          <para>Optional. Describes the type of frame. Possible
+          <replaceable>opcode</replaceable> values are:</para>
+
+          <variablelist>
+            <varlistentry>
+              <term>1</term>
+
+              <listitem>
+                <para>ARP Request</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term>2</term>
+
+              <listitem>
+                <para>ARP Reply</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term>3</term>
+
+              <listitem>
+                <para>RARP Request</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term>4</term>
+
+              <listitem>
+                <para>RARP Reply</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term>5</term>
+
+              <listitem>
+                <para>Dynamic RARP Request</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term>6</term>
+
+              <listitem>
+                <para>Dynamic RARP Reply</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term>7</term>
+
+              <listitem>
+                <para>Dynamic RARP Error</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term>8</term>
+
+              <listitem>
+                <para>InARP Request</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term>9</term>
+
+              <listitem>
+                <para>ARP NAK</para>
+              </listitem>
+            </varlistentry>
+          </variablelist>
+
+          <para>When '!' is specified, the test is inverted and the rule
+          matches frames which do not match the specifed
+          <replaceable>opcode</replaceable>.</para>
+        </listitem>
+      </varlistentry>
+    </variablelist>
+  </refsect1>
+
+  <refsect1>
+    <title>Example</title>
+
+    <para>The eth1 interface has both a pubiic IP address and a private
+    address (10.1.10.11/24). When sending ARP requests to 10.1.10.0/24, use
+    the private address as the IP source:</para>
+
+    <programlisting>#ACTION                SOURCE                  DEST                ARP OPCODE
+SNAT:10.1.10.11        -                       eth1:10.1.10.0/24   1</programlisting>
+  </refsect1>
+
+  <refsect1>
+    <title>FILES</title>
+
+    <para>/etc/shorewall/arprules</para>
+  </refsect1>
+</refentry>
--- a/Shorewall/manpages/shorewall-conntrack.xml
+++ b/Shorewall/manpages/shorewall-conntrack.xml
@@ -176,10 +176,10 @@
                </varlistentry>

                <varlistentry>
-                  <term/>
+                  <term></term>

                  <listitem>
-                    <para/>
+                    <para></para>
                  </listitem>
                </varlistentry>

@@ -348,11 +348,18 @@

      <varlistentry>
        <term>PROTO ‒
-        <replaceable>protocol-name-or-number</replaceable></term>
+        <replaceable>protocol-name-or-number</replaceable>[,...]</term>

        <listitem>
          <para>A protocol name from <filename>/etc/protocols</filename> or a
          protocol number.</para>
+
+          <para>Beginning with Shorewall 4.5.12, this column is labeled
+          <emphasis role="bold">PROTOS</emphasis> and can accept a
+          comma-separated list of protocols. Either <emphasis
+          role="bold">proto</emphasis> or <emphasis
+          role="bold">protos</emphasis> is accepted in the alternate input
+          format.</para>
        </listitem>
      </varlistentry>

--- a/Shorewall/manpages/shorewall-masq.xml
+++ b/Shorewall/manpages/shorewall-masq.xml
@@ -219,12 +219,15 @@

      <varlistentry>
        <term><emphasis role="bold">PROTO</emphasis> (Optional) - {<emphasis
-        role="bold">-</emphasis>|[!]<emphasis>protocol-name</emphasis>|[!]<emphasis>protocol-number</emphasis>}</term>
+        role="bold">-</emphasis>|[!]{<emphasis>protocol-name</emphasis>|<emphasis>protocol-number</emphasis>}[,...]}</term>

        <listitem>
          <para>If you wish to restrict this entry to a particular protocol
          then enter the protocol name (from protocols(5)) or number
          here.</para>
+
+          <para>Beginning with Shorewall 4.5.12, this column can accept a
+          comma-separated list of protocols.</para>
        </listitem>
      </varlistentry>

--- a/Shorewall/manpages/shorewall-rules.xml
+++ b/Shorewall/manpages/shorewall-rules.xml
@@ -81,8 +81,41 @@
          <para>The only ACTIONs allowed in this section are ACCEPT, DROP,
          REJECT, LOG and QUEUE</para>

-          <para>There is an implicit ACCEPT rule inserted at the end of this
-          section.</para>
+          <para>There is an implicit rule added at the end of this section
+          that invokes the RELATED_DISPOSITION (<ulink
+          url="shorewall.conf.html">shorewall.conf</ulink>(5)).</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><emphasis role="bold">INVALID</emphasis></term>
+
+        <listitem>
+          <para>Added in Shorewall 4.5.13. Packets in the INVALID state are
+          processed by rules in this section.</para>
+
+          <para>The only Actions allowed in this section are ACCEPT, DROP,
+          REJECT, LOG and QUEUE.</para>
+
+          <para>There is an implicit rule added at the end of this section
+          that invokes the INVALID_DISPOSITION (<ulink
+          url="shorewall.conf.html">shorewall.conf</ulink>(5)).</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><emphasis role="bold">UNTRACKED</emphasis></term>
+
+        <listitem>
+          <para>Added in Shorewall 4.5.13. Packets in the UNTRACKED state are
+          processed by rules in this section.</para>
+
+          <para>The only Actions allowed in this section are ACCEPT, DROP,
+          REJECT, LOG and QUEUE.</para>
+
+          <para>There is an implicit rule added at the end of this section
+          that invokes the UNTRACKED_DISPOSITION (<ulink
+          url="shorewall.conf.html">shorewall.conf</ulink>(5)).</para>
        </listitem>
      </varlistentry>

--- a/Shorewall/manpages/shorewall-secmarks.xml
+++ b/Shorewall/manpages/shorewall-secmarks.xml
@@ -227,11 +227,14 @@
        role="bold">ipp2p</emphasis>|<emphasis
        role="bold">ipp2p:udp</emphasis>|<emphasis
        role="bold">ipp2p:all</emphasis>|<emphasis>protocol-number</emphasis>|<emphasis>protocol-name</emphasis>|<emphasis
-        role="bold">all}</emphasis></term>
+        role="bold">all}[,...]</emphasis></term>

        <listitem>
          <para>Protocol - <emphasis role="bold">ipp2p</emphasis> requires
          ipp2p match support in your kernel and iptables.</para>
+
+          <para>Beginning with Shorewall 4.5.12, this column can accept a
+          comma-separated list of protocols.</para>
        </listitem>
      </varlistentry>

--- a/Shorewall/manpages/shorewall-stoppedrules.xml
+++ b/Shorewall/manpages/shorewall-stoppedrules.xml
@@ -92,10 +92,13 @@

      <varlistentry>
        <term>PROTO (Optional) ‒
-        <replaceable>protocol-name-or-number</replaceable></term>
+        <replaceable>protocol-name-or-number</replaceable>[,...]</term>

        <listitem>
          <para>Protocol.</para>
+
+          <para>Beginning with Shorewall 4.5.12, this column can accept a
+          comma-separated list of protocols.</para>
        </listitem>
      </varlistentry>

--- a/Shorewall/manpages/shorewall-tcclasses.xml
+++ b/Shorewall/manpages/shorewall-tcclasses.xml
@@ -501,7 +501,8 @@
                Detection) queuing discipline rather than SFQ. See tc-red (8)
                for additional information.</para>

-                <para>Allowable redoptions are:</para>
+                <para>Allowable <replaceable>redoptions</replaceable>
+                are:</para>

                <variablelist>
                  <varlistentry>
@@ -598,8 +599,96 @@
                      dropping a packet. If this parameter is specified,
                      packets which indicate that their hosts honor ECN will
                      only be marked and not dropped, unless the queue size
-                      hits <replaceable>limit</replaceable> bytes. Needs a tc
-                      binary with RED support compiled in. Recommended.</para>
+                      hits <replaceable>limit</replaceable> bytes.
+                      Recommended.</para>
+                    </listitem>
+                  </varlistentry>
+                </variablelist>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term>fq_codel[=(<replaceable>codeloption</replaceable>=<replaceable>value</replaceable>,
+              ...)]</term>
+
+              <listitem>
+                <para>Added in Shorewall 4.5.12. When specified for a leaf
+                class, causes the class to use the FQ_CODEL (Fair-queuing
+                Controlled Delay) queuing discipline rather than SFQ. See
+                tc-fq_codel (8) for additional information.</para>
+
+                <para>Allowable <replaceable>codeloptions</replaceable>
+                are:</para>
+
+                <variablelist>
+                  <varlistentry>
+                    <term>limit</term>
+
+                    <listitem>
+                      <para>hard limit on the real queue size. When this limit
+                      is reached, incoming packets are dropped. If the value
+                      is lowered, packets are dropped so that the new limit is
+                      met. Default is 1000 packets.</para>
+                    </listitem>
+                  </varlistentry>
+
+                  <varlistentry>
+                    <term>flows</term>
+
+                    <listitem>
+                      <para>is the number of flows into which the incoming
+                      packets are classified. Due to the stochastic nature of
+                      hashing, multiple flows may end up being hashed into the
+                      same slot. Newer flows have priority over older ones.
+                      This parameter can be set only at load time since memory
+                      has to be allocated for the hash table. Default value is
+                      1024.</para>
+                    </listitem>
+                  </varlistentry>
+
+                  <varlistentry>
+                    <term>target</term>
+
+                    <listitem>
+                      <para>is the acceptable minimum standing/persistent
+                      queue delay. This minimum delay is identified by
+                      tracking the local minimum queue delay that packets
+                      experience. Default and recommended value is 5ms.</para>
+                    </listitem>
+                  </varlistentry>
+
+                  <varlistentry>
+                    <term>interval</term>
+
+                    <listitem>
+                      <para>is used to ensure that the measured minimum delay
+                      does not become too stale. The minimum delay must be
+                      experienced in the last epoch of length interval. It
+                      should be set on the order of the worst-case RTT through
+                      the bottleneck to give endpoints sufficient time to
+                      react. Default value is 100ms.</para>
+                    </listitem>
+                  </varlistentry>
+
+                  <varlistentry>
+                    <term>quantum</term>
+
+                    <listitem>
+                      <para>is the number of bytes used as 'deficit' in the
+                      fair queuing algorithm. Default is set to 1514 bytes
+                      which corresponds to the Ethernet MTU plus the hardware
+                      header length of 14 bytes.</para>
+                    </listitem>
+                  </varlistentry>
+
+                  <varlistentry>
+                    <term>ecn | noecn</term>
+
+                    <listitem>
+                      <para>can be used to mark packets instead of dropping
+                      them. If ecn has been enabled, noecn can be used to turn
+                      it off and vice-a-versa. By default, ecn is
+                      enabled.</para>
                    </listitem>
                  </varlistentry>
                </variablelist>
--- a/Shorewall/manpages/shorewall-tcfilters.xml
+++ b/Shorewall/manpages/shorewall-tcfilters.xml
@@ -105,11 +105,14 @@

      <varlistentry>
        <term><emphasis role="bold">PROTO</emphasis> - {<emphasis
-        role="bold">-</emphasis>|<emphasis>protocol-number</emphasis>|<emphasis>protocol-name</emphasis>|<emphasis
-        role="bold">all}</emphasis></term>
+        role="bold">-</emphasis>|{<emphasis>protocol-number</emphasis>|<emphasis>protocol-name</emphasis>|<emphasis
+        role="bold">all}[,...]}</emphasis></term>

        <listitem>
          <para>Protocol.</para>
+
+          <para>Beginning with Shorewall 4.5.12, this column can accept a
+          comma-separated list of protocols.</para>
        </listitem>
      </varlistentry>

--- a/Shorewall/manpages/shorewall-tcpri.xml
+++ b/Shorewall/manpages/shorewall-tcpri.xml
@@ -72,11 +72,14 @@

      <varlistentry>
        <term><emphasis role="bold">PROTO</emphasis> -
-        <replaceable>protocol</replaceable></term>
+        <replaceable>protocol</replaceable>[,...]</term>

        <listitem>
          <para>Optional. The name or number of an IPv4
          <replaceable>protocol</replaceable>.</para>
+
+          <para>Beginning with Shorewall 4.5.12, this column can accept a
+          comma-separated list of protocols.</para>
        </listitem>
      </varlistentry>

@@ -155,10 +158,9 @@
    shorewall_interfaces(5), shorewall-ipsets(5), shorewall-maclist(5),
    shorewall-masq(5), shorewall-nat(5), shorewall-netmap(5),
    shorewall-params(5), shorewall-policy(5), shorewall-providers(5),
-    shorewall-proxyarp(5), shorewall-rtrules(5),
-    shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5),
-    shorewall-secmarks(5), shorewall-tcclasses(5), shorewall-tcdevices(5),
-    shorewall-tcrules(5), shorewall-tos(5), shorewall-tunnels(5),
-    shorewall-zones(5)</para>
+    shorewall-proxyarp(5), shorewall-rtrules(5), shorewall-routestopped(5),
+    shorewall-rules(5), shorewall.conf(5), shorewall-secmarks(5),
+    shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall-tcrules(5),
+    shorewall-tos(5), shorewall-tunnels(5), shorewall-zones(5)</para>
  </refsect1>
 </refentry>
--- a/Shorewall/manpages/shorewall-tcrules.xml
+++ b/Shorewall/manpages/shorewall-tcrules.xml
@@ -877,15 +877,18 @@ Normal-Service       =&gt; 0x00</programlisting>
      <varlistentry>
        <term><emphasis role="bold">PROTO</emphasis> - {<emphasis
        role="bold">-</emphasis>|<emphasis
-        role="bold">tcp:syn</emphasis>|<emphasis
+        role="bold">{tcp:syn</emphasis>|<emphasis
        role="bold">ipp2p</emphasis>|<emphasis
        role="bold">ipp2p:udp</emphasis>|<emphasis
        role="bold">ipp2p:all</emphasis>|<emphasis>protocol-number</emphasis>|<emphasis>protocol-name</emphasis>|<emphasis
-        role="bold">all}</emphasis></term>
+        role="bold">all}[,...]}</emphasis></term>

        <listitem>
          <para>Protocol - <emphasis role="bold">ipp2p</emphasis> requires
          ipp2p match support in your kernel and iptables.</para>
+
+          <para>Beginning with Shorewall 4.5.12, this column can accept a
+          comma-separated list of protocols.</para>
        </listitem>
      </varlistentry>

@@ -1048,10 +1051,10 @@ Normal-Service       =&gt; 0x00</programlisting>
        role="bold">:</emphasis>[<emphasis>max</emphasis>]]</term>

        <listitem>
-          <para>Optional - packet Length. This field, if present allow you to
-          match the length of a packet against a specific value or range of
-          values. You must have iptables length support for this to work. A
-          range is specified in the form
+          <para>Optional - packet payload length. This field, if present allow
+          you to match the length of a packet payload (Layer 4 data ) against
+          a specific value or range of values. You must have iptables length
+          support for this to work. A range is specified in the form
          <emphasis>min</emphasis>:<emphasis>max</emphasis> where either
          <emphasis>min</emphasis> or <emphasis>max</emphasis> (but not both)
          may be omitted. If <emphasis>min</emphasis> is omitted, then 0 is
--- a/Shorewall/manpages/shorewall.conf.xml
+++ b/Shorewall/manpages/shorewall.conf.xml
@@ -282,15 +282,18 @@

      <varlistentry>
        <term><emphasis
-        role="bold">IGNOREUNKNOWNVARIABLES=</emphasis>[<emphasis
-        role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>
+        role="bold">ARPTABLES=</emphasis>[<emphasis>pathname</emphasis>]</term>

        <listitem>
-          <para>Added in Shorewall 4.5.11. Normally, if an unknown shell
-          variable is encountered in a configuration file (except in ?IF and
-          ?ELSIF directives), the compiler raises a fatal error. If
-          IGNOREUNKNOWNVARIABLES is set to 'Yes', then such variables simply
-          expand to an empty string. Default is 'No'.</para>
+          <para>Added in Shorewall 4.5.12. This parameter names the arptables
+          executable to be used by Shorewall. If not specified or if specified
+          as a null value, then the arptables executable located using the
+          PATH option is used.</para>
+
+          <para>Regardless of how the arptables utility is located (specified
+          via arptables= or located via PATH), Shorewall uses the
+          arptables-restore and arptables-save utilities from that same
+          directory.</para>
        </listitem>
      </varlistentry>

@@ -369,6 +372,28 @@
        </listitem>
      </varlistentry>

+      <varlistentry>
+        <term><emphasis role="bold">BLACKLIST=</emphasis>[{<emphasis
+        role="bold">ALL</emphasis>|<emphasis
+        role="bold"><replaceable>state</replaceable>[,...]</emphasis>}]</term>
+
+        <listitem>
+          <para>where state is one of NEW, ESTABLISHED, RELATED, INVALID,or
+          UNTRACKED.</para>
+
+          <para>Added in Shorewall 4.5.13 to replace the BLACKLISTNEWONLY
+          option below. Specifies the connection tracking states that are to
+          be subject to blacklist screening. If neither BLACKLIST nor
+          BLACKLISTNEWONLY are specified then the states subject to
+          blacklisting are NEW,ESTABLISHED,INVALID,UNTRACKED.</para>
+
+          <para>ALL sends all packets through the blacklist chains.</para>
+
+          <para>Note: The ESTABLISHED state may not be specified if FASTACCEPT
+          is specified.</para>
+        </listitem>
+      </varlistentry>
+
      <varlistentry>
        <term><emphasis
        role="bold">BLACKLIST_DISPOSITION=</emphasis>[<emphasis
@@ -419,12 +444,16 @@
        role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>}</term>

        <listitem>
+          <para>Deprecated in Shorewall 4.5.13 in favor of BLACKLIST
+          above.</para>
+
          <para>When set to <emphasis role="bold">Yes</emphasis> or <emphasis
          role="bold">yes</emphasis>, blacklists are only consulted for new
-          connections. That includes entries in the <ulink
-          url="???">shorewall-blrules</ulink> (5) file and in the BLACKLIST
-          section of <ulink url="shorewall-rules.html">shorewall-rules</ulink>
-          (5).</para>
+          connections and for packets in the INVALID connection state (such as
+          TCP SYN,ACK when there has been no corresponding SYN). That includes
+          entries in the <ulink url="???">shorewall-blrules</ulink> (5) file
+          and in the BLACKLIST section of <ulink
+          url="shorewall-rules.html">shorewall-rules</ulink> (5).</para>

          <para>When set to <emphasis role="bold">No</emphasis> or <emphasis
          role="bold">no</emphasis>, blacklists are consulted for every packet
@@ -536,19 +565,31 @@
            </listitem>
          </itemizedlist>

-          <blockquote>
-            <para></para>
+          <para>If CONFIG_PATH is not given or if it is set to the empty value
+          then the contents of /usr/share/shorewall/configpath are used. As
+          released from shorewall.net, that file sets the CONFIG_PATH to
+          /etc/shorewall:/usr/share/shorewall but your particular distribution
+          may set it differently. See the output of shorewall show config for
+          the default on your system.</para>
+        </listitem>
+      </varlistentry>

-            <para>If CONFIG_PATH is not given or if it is set to the empty
-            value then the contents of /usr/share/shorewall/configpath are
-            used. As released from shorewall.net, that file sets the
-            CONFIG_PATH to /etc/shorewall:/usr/share/shorewall but your
-            particular distribution may set it differently. See the output of
-            shorewall show config for the default on your system.</para>
+      <varlistentry>
+        <term><emphasis role="bold">DEFER_DNS_RESOLUTION=</emphasis>[<emphasis
+        role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>

-            <para>Note that the setting in /usr/share/shorewall/configpath is
-            always used to locate shorewall.conf.</para>
-          </blockquote>
+        <listitem>
+          <para>Added in Shorewall 4.5.12. When set to 'Yes' (the default),
+          DNS names are validated in the compiler and then passed on to the
+          generated script where they are resolved by iptables-restore. This
+          is an advantage if you use AUTOMAKE=Yes and the IP address
+          associated with the DNS name is subject to change. When
+          DEFER_DNS_RESOLUTION=No, DNS names are converted into IP addresses
+          by the compiler. This has the advantage that when AUTOMAKE=Yes, the
+          <command>start</command> and <command>restart</command> commands
+          will succeed even if no DNS server is reachable (assuming that the
+          configuration hasn't changed since the compiled script was last
+          generated).</para>
        </listitem>
      </varlistentry>

@@ -592,6 +633,25 @@
          Shorewall will take no action with respect to allowing or
          disallowing IPv6 traffic. If not specified or empty,
          “DISABLE_IPV6=No” is assumed.</para>
+
+          <para>It is important to note that changing DISABLE_IPV6=Yes to
+          DISABLE_IPV6=No does <emphasis>not</emphasis> enable IPV6. The
+          recommended approach for enabling IPv6 on your system is:</para>
+
+          <itemizedlist>
+            <listitem>
+              <para>Install, configure and start <ulink
+              url="../IPv6Support.html">Shorewall6</ulink>.</para>
+            </listitem>
+
+            <listitem>
+              <para>Change DISABLE_IPV6=Yes to DISABLE_IPV6=No</para>
+            </listitem>
+
+            <listitem>
+              <para>Restart Shorewall</para>
+            </listitem>
+          </itemizedlist>
        </listitem>
      </varlistentry>

@@ -866,6 +926,21 @@ net     all  DROP   info</programlisting>then the chain name is 'net2all'
        </listitem>
      </varlistentry>

+      <varlistentry>
+        <term><emphasis
+        role="bold">IGNOREUNKNOWNVARIABLES=</emphasis>[<emphasis
+        role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>
+
+        <listitem>
+          <para>Added in Shorewall 4.5.11. Normally, if an unknown shell
+          variable is encountered in a configuration file (except in ?IF and
+          ?ELSIF directives), the compiler raises a fatal error. If
+          IGNOREUNKNOWNVARIABLES is set to <emphasis
+          role="bold">Yes</emphasis>, then such variables simply expand to an
+          empty string. Default is <emphasis role="bold">No</emphasis>.</para>
+        </listitem>
+      </varlistentry>
+
      <varlistentry>
        <term><emphasis role="bold">IMPLICIT_CONTINUE=</emphasis>{<emphasis
        role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>}</term>
@@ -892,6 +967,34 @@ net     all  DROP   info</programlisting>then the chain name is 'net2all'
        </listitem>
      </varlistentry>

+      <varlistentry>
+        <term><emphasis
+        role="bold">INVALID_DISPOSITION=[A_DROP|A_REJECT|DROP|REJECT|CONTINUE]</emphasis></term>
+
+        <listitem>
+          <para>Added in Shorewall 4.5.13. Shorewall has traditionally passed
+          INVALID packets through the NEW section of <ulink
+          url="shorewall-rules.html">shorewall-rules</ulink> (5). When a
+          packet in INVALID state fails to match any rule in the INVALID
+          section, the packet is disposed of based on this setting. The
+          default value is CONTINUE for compatibility with earlier
+          versions.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><emphasis
+        role="bold">INVALID_LOG_LEVEL=</emphasis><emphasis>log-level</emphasis></term>
+
+        <listitem>
+          <para>Added in Shorewall 4.5.13. Packets in the INVALID state that
+          do not match any rule in the INVALID section of <ulink
+          url="manpages/shorewall-rules.html">shorewall-rules</ulink> (5) are
+          logged at this level. The default value is empty which means no
+          logging is performed.</para>
+        </listitem>
+      </varlistentry>
+
      <varlistentry>
        <term><emphasis
        role="bold">IP</emphasis>=[<emphasis>pathname</emphasis>]</term>
@@ -1011,7 +1114,7 @@ net     all  DROP   info</programlisting>then the chain name is 'net2all'
          the iptables executable located using the PATH option is
          used.</para>

-          <para>Regardless of how the IPTABLES utility is located (specified
+          <para>Regardless of how the iptables utility is located (specified
          via IPTABLES= or located via PATH), Shorewall uses the
          iptables-restore and iptables-save utilities from that same
          directory.</para>
@@ -1301,6 +1404,33 @@ net     all  DROP   info</programlisting>then the chain name is 'net2all'
          names may be used with log tags if you set LOGTAGONLY=Yes. With
          LOGTAGONLY=Yes, if a log tag is specified then the tag is included
          in the log prefix in place of the chain name.</para>
+
+          <para>Beginning with Shorewall 4.5.12, when LOGTAGONLY=Yes, you have
+          more control over the generated log prefix. Beginning with that
+          release, the tag is interpreted as a <replaceable>chain
+          name</replaceable> and a <replaceable>disposition</replaceable>
+          separated by a comma. So this rule:</para>
+
+          <programlisting>#ACTION                                SOURCE         DEST
+LOG:info:foo,bar                 net                   fw</programlisting>
+
+          <para>would generate the following log prefix when using the default
+          LOGFORMAT setting:</para>
+
+          <simplelist>
+            <member>Shorewall:foo:bar:</member>
+          </simplelist>
+
+          <para>Similarly,</para>
+
+          <programlisting>#ACTION                               SOURCE            DEST
+LOG:info:,bar                        net                    fw</programlisting>
+
+          <para>would generate</para>
+
+          <simplelist>
+            <member>Shorewall:net2fw:bar:</member>
+          </simplelist>
        </listitem>
      </varlistentry>

@@ -1894,18 +2024,17 @@ net     all  DROP   info</programlisting>then the chain name is 'net2all'

      <varlistentry>
        <term><emphasis
-        role="bold">RELATED_DISPOSITION=[ACCEPT|A_ACCEPT|A_DROP|A_REJECT|DROP|REJECT]</emphasis></term>
+        role="bold">RELATED_DISPOSITION=[ACCEPT|A_ACCEPT|A_DROP|A_REJECT|DROP|REJECT|CONTINUE]</emphasis></term>

        <listitem>
          <para>Added in Shorewall 4.4.27. Shorewall has traditionally
          ACCEPTed RELATED packets that don't match any rule in the RELATED
-          section of <ulink
-          url="manpages/shorewall-rules.html">shorewall-rules</ulink> (5).
-          Concern about the safety of this practice resulted in the addition
-          of this option. When a packet in RELATED state fails to match any
-          rule in the RELATED section, the packet is disposed of based on this
-          setting. The default value is ACCEPT for compatibility with earlier
-          versions.</para>
+          section of <ulink url="shorewall-rules.html">shorewall-rules</ulink>
+          (5). Concern about the safety of this practice resulted in the
+          addition of this option. When a packet in RELATED state fails to
+          match any rule in the RELATED section, the packet is disposed of
+          based on this setting. The default value is ACCEPT for compatibility
+          with earlier versions.</para>
        </listitem>
      </varlistentry>

@@ -1916,9 +2045,9 @@ net     all  DROP   info</programlisting>then the chain name is 'net2all'
        <listitem>
          <para>Added in Shorewall 4.4.27. Packets in the related state that
          do not match any rule in the RELATED section of <ulink
-          url="manpages/shorewall-rules.html">shorewall-rules</ulink> (5) are
-          logged at this level. The default value is empty which means no
-          logging is performed.</para>
+          url="shorewall-rules.html">shorewall-rules</ulink> (5) are logged at
+          this level. The default value is empty which means no logging is
+          performed.</para>
        </listitem>
      </varlistentry>

@@ -2057,6 +2186,19 @@ net     all  DROP   info</programlisting>then the chain name is 'net2all'
        </listitem>
      </varlistentry>

+      <varlistentry>
+        <term><emphasis role="bold">SAVE_ARPTABLES=</emphasis>{<emphasis
+        role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>}</term>
+
+        <listitem>
+          <para>Added in Shorewall 4.5.12. If SAVE_ARPTABLES=Yes, then the
+          current arptables contents will be saved by <emphasis
+          role="bold">shorewall save</emphasis> command and restored by
+          <emphasis role="bold">shorewall restore</emphasis> command. Default
+          value is No.</para>
+        </listitem>
+      </varlistentry>
+
      <varlistentry>
        <term><emphasis role="bold">SAVE_IPSETS=</emphasis>{<emphasis
        role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>}</term>
@@ -2349,6 +2491,34 @@ net     all  DROP   info</programlisting>then the chain name is 'net2all'
        </listitem>
      </varlistentry>

+      <varlistentry>
+        <term><emphasis
+        role="bold">UNTRACKED_DISPOSITION=[ACCEPT|A_ACCEPT|A_DROP|A_REJECT|DROP|REJECT|CONTINUE]</emphasis></term>
+
+        <listitem>
+          <para>Added in Shorewall 4.5.13. Shorewall has traditionally passed
+          UNTRACKED packets through the NEW section of <ulink
+          url="shorewall-rules.html">shorewall-rules</ulink> (5). When a
+          packet in UNTRACKED state fails to match any rule in the UNTRACKED
+          section, the packet is disposed of based on this setting. The
+          default value is CONTINUE for compatibility with earlier
+          versions.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><emphasis
+        role="bold">UNTRACKED_LOG_LEVEL=</emphasis><emphasis>log-level</emphasis></term>
+
+        <listitem>
+          <para>Added in Shorewall 4.5.13. Packets in the UNTRACKED state that
+          do not match any rule in the UNTRACKED section of <ulink
+          url="shorewall-rules.html">shorewall-rules</ulink> (5) are logged at
+          this level. The default value is empty which means no logging is
+          performed.</para>
+        </listitem>
+      </varlistentry>
+
      <varlistentry>
        <term><emphasis role="bold">USE_DEFAULT_RT=</emphasis>[<emphasis
        role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>
@@ -2454,6 +2624,20 @@ net     all  DROP   info</programlisting>then the chain name is 'net2all'
        </listitem>
      </varlistentry>

+      <varlistentry>
+        <term><emphasis role="bold">WARNOLDCAPVERSION=</emphasis>[<emphasis
+        role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>
+
+        <listitem>
+          <para>Added in Shorewall 4.5.12. When set to <emphasis
+          role="bold">Yes</emphasis> (the default), the compiler issues a
+          warning when it finds a capabilities file that doesn't specify all
+          of the capabilities supported by the compiler. When
+          WARNOLDCAPVERSION is set to <emphasis role="bold">No</emphasis>, no
+          warning is issued.</para>
+        </listitem>
+      </varlistentry>
+
      <varlistentry>
        <term><emphasis role="bold">WIDE_TC_MARKS=</emphasis>{<emphasis
        role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>}</term>
--- a/Shorewall/modules.tc
+++ b/Shorewall/modules.tc
@@ -19,6 +19,7 @@ loadmodule sch_hfsc
 loadmodule sch_htb
 loadmodule sch_prio
 loadmodule sch_tbf
+loadmodule sch_fq_codel
 loadmodule cls_u32
 loadmodule cls_fw
 loadmodule cls_flow
--- a/Shorewall/modules.xtables
+++ b/Shorewall/modules.xtables
@@ -36,15 +36,18 @@ loadmodule xt_NFQUEUE
 loadmodule xt_owner
 loadmodule xt_physdev
 loadmodule xt_pkttype
+loadmodule xt_policy
+loadmodule xt_sctp
 loadmodule xt_tcpmss
+loadmodule xt_TCPMSS
+loadmodule xt_time
 loadmodule xt_IPMARK
 loadmodule xt_TPROXY
 #
 # From xtables-addons
 #
-xt_condition
-xt_geoip
-xt_ipp2p
-xt_LOGMARK
-xt_RAWNAT
-
+loadmodule xt_condition
+loadmodule xt_geoip
+loadmodule xt_ipp2p
+loadmodule xt_LOGMARK
+loadmodule xt_RAWNAT
--- a/Shorewall/shorewall.service
+++ b/Shorewall/shorewall.service
@@ -13,8 +13,8 @@ Type=oneshot
 RemainAfterExit=yes
 EnvironmentFile=-/etc/sysconfig/shorewall
 StandardOutput=syslog
-ExecStart=/usr/sbin/shorewall $OPTIONS start
-ExecStop=/usr/sbin/shorewall $OPTIONS stop
+ExecStart=/sbin/shorewall $OPTIONS start
+ExecStop=/sbin/shorewall $OPTIONS stop

 [Install]
 WantedBy=multi-user.target
--- a/Shorewall6-lite/init.archlinux.sh
+++ b/Shorewall6-lite/init.archlinux.sh
@@ -1,58 +0,0 @@
-#!/bin/bash
-
-OPTIONS=""
-
-if [ -f /etc/sysconfig/shorewall6 ] ; then
-	. /etc/sysconfig/shorewall6
-elif [ -f /etc/default/shorewall6 ] ; then
-	. /etc/default/shorewall6
-fi
-
-# if you want to override options, do so in /etc/sysconfig/shorewall6 or
-# in /etc/default/shorewall6 --
-# i strongly encourage you use the latter, since /etc/sysconfig/ does not exist.
-
-. /etc/rc.conf
-. /etc/rc.d/functions
-
-DAEMON_NAME="shorewall6" # of course shorewall6 is NOT a deamon.
-
-case "$1" in
-	start)
-		stat_busy "Starting $DAEMON_NAME"
-		/sbin/shorewall6-lite $OPTIONS start &>/dev/null
-		if [ $? -gt 0 ]; then
-			stat_fail
-		else
-			add_daemon $DAEMON_NAME
-			stat_done
-		fi
-		;;
-
-
-	stop)
-		stat_busy "Stopping $DAEMON_NAME"
-		/sbin/shorewall6-lite stop &>/dev/null
-		if [ $? -gt 0 ]; then
-			stat_fail
-		else
-			rm_daemon $DAEMON_NAME
-			stat_done
-		fi
-		;;
-
-	restart|reload)
-		stat_busy "Restarting $DAEMON_NAME"
-		/sbin/shorewall6-lite restart &>/dev/null
-		if [ $? -gt 0  ]; then
-			stat_fail
-		else
-			stat_done
-		fi
-		;;
-
-	*)
-		echo "usage: $0 {start|stop|restart}"
-esac
-exit 0
-
--- a/Shorewall6-lite/shorewall6-lite.service
+++ b/Shorewall6-lite/shorewall6-lite.service
@@ -13,8 +13,8 @@ Type=oneshot
 RemainAfterExit=yes
 EnvironmentFile=-/etc/sysconfig/shorewall6-lite
 StandardOutput=syslog
-ExecStart=/usr/sbin/shorewall6-lite $OPTIONS start
-ExecStop=/usr/sbin/shorewall6-lite $OPTIONS stop
+ExecStart=/sbin/shorewall6-lite $OPTIONS start
+ExecStop=/sbin/shorewall6-lite $OPTIONS stop

 [Install]
 WantedBy=multi-user.target
--- a/Shorewall6/Samples6/Universal/shorewall6.conf
+++ b/Shorewall6/Samples6/Universal/shorewall6.conf
@@ -24,6 +24,8 @@ VERBOSITY=1

 BLACKLIST_LOGLEVEL=

+INVALID_LOG_LEVEL=
+
 LOG_VERBOSITY=2

 LOGALLNEW=
@@ -50,6 +52,8 @@ STARTUP_LOG=/var/log/shorewall6-init.log

 TCP_FLAGS_LOG_LEVEL=info

+UNTRACKED_LOG_LEVEL=
+
 ###############################################################################
 #	L O C A T I O N	  O F	F I L E S   A N D   D I R E C T O R I E S
 ###############################################################################
@@ -117,7 +121,7 @@ AUTOHELPERS=Yes

 AUTOMAKE=No

-BLACKLISTNEWONLY=Yes
+BLACKLIST="NEW,INVALID,UNTRACKED"

 CLAMPMSS=No

@@ -125,6 +129,8 @@ CLEAR_TC=Yes

 COMPLETE=Yes

+DEFER_DNS_RESOLUTION=Yes
+
 DELETE_THEN_ADD=Yes

 DONT_LOAD=
@@ -185,6 +191,8 @@ USE_DEFAULT_RT=No

 USE_PHYSICAL_NAMES=No

+WARNOLDCAPVERSION=Yes
+
 ZONE2ZONE=2

 ###############################################################################
@@ -193,6 +201,8 @@ ZONE2ZONE=2

 BLACKLIST_DISPOSITION=DROP

+INVALID_DISPOSITION=CONTINUE
+
 MACLIST_DISPOSITION=REJECT

 RELATED_DISPOSITION=ACCEPT
@@ -205,6 +215,8 @@ SMURF_DISPOSITION=DROP

 TCP_FLAGS_DISPOSITION=DROP

+UNTRACKED_DISPOSITION=CONTINUE
+
 ################################################################################
 #			P A C K E T  M A R K  L A Y O U T
 ################################################################################
--- a/Shorewall6/Samples6/one-interface/shorewall6.conf
+++ b/Shorewall6/Samples6/one-interface/shorewall6.conf
@@ -24,6 +24,8 @@ VERBOSITY=1

 BLACKLIST_LOGLEVEL=

+INVALID_LOG_LEVEL=
+
 LOG_VERBOSITY=2

 LOGALLNEW=
@@ -50,6 +52,8 @@ STARTUP_LOG=/var/log/shorewall6-init.log

 TCP_FLAGS_LOG_LEVEL=info

+UNTRACKED_LOG_LEVEL=
+
 ###############################################################################
 #	L O C A T I O N	  O F	F I L E S   A N D   D I R E C T O R I E S
 ###############################################################################
@@ -117,7 +121,7 @@ AUTOHELPERS=Yes

 AUTOMAKE=No

-BLACKLISTNEWONLY=Yes
+BLACKLIST="NEW,INVALID,UNTRACKED"

 CLAMPMSS=No

@@ -125,6 +129,8 @@ CLEAR_TC=Yes

 COMPLETE=No

+DEFER_DNS_RESOLUTION=Yes
+
 DELETE_THEN_ADD=Yes

 DONT_LOAD=
@@ -185,6 +191,8 @@ USE_DEFAULT_RT=No

 USE_PHYSICAL_NAMES=No

+WARNOLDCAPVERSION=Yes
+
 ZONE2ZONE=2

 ###############################################################################
@@ -193,6 +201,8 @@ ZONE2ZONE=2

 BLACKLIST_DISPOSITION=DROP

+INVALID_DISPOSITION=CONTINUE
+
 MACLIST_DISPOSITION=REJECT

 RELATED_DISPOSITION=ACCEPT
@@ -205,6 +215,8 @@ SMURF_DISPOSITION=DROP

 TCP_FLAGS_DISPOSITION=DROP

+UNTRACKED_DISPOSITION=CONTINUE
+
 ################################################################################
 #			P A C K E T  M A R K  L A Y O U T
 ################################################################################
--- a/Shorewall6/Samples6/three-interfaces/shorewall6.conf
+++ b/Shorewall6/Samples6/three-interfaces/shorewall6.conf
@@ -24,6 +24,8 @@ VERBOSITY=1

 BLACKLIST_LOGLEVEL=

+INVALID_LOG_LEVEL=
+
 LOG_VERBOSITY=2

 LOGALLNEW=
@@ -50,6 +52,8 @@ STARTUP_LOG=/var/log/shorewall6-init.log

 TCP_FLAGS_LOG_LEVEL=info

+UNTRACKED_LOG_LEVEL=
+
 ###############################################################################
 #	L O C A T I O N	  O F	F I L E S   A N D   D I R E C T O R I E S
 ###############################################################################
@@ -117,7 +121,7 @@ AUTOHELPERS=Yes

 AUTOMAKE=No

-BLACKLISTNEWONLY=Yes
+BLACKLIST="NEW,INVALID,UNTRACKED"

 CLAMPMSS=No

@@ -125,6 +129,8 @@ CLEAR_TC=Yes

 COMPLETE=No

+DEFER_DNS_RESOLUTION=Yes
+
 DELETE_THEN_ADD=Yes

 DONT_LOAD=
@@ -185,6 +191,8 @@ USE_DEFAULT_RT=No

 USE_PHYSICAL_NAMES=No

+WARNOLDCAPVERSION=Yes
+
 ZONE2ZONE=2

 ###############################################################################
@@ -193,6 +201,8 @@ ZONE2ZONE=2

 BLACKLIST_DISPOSITION=DROP

+INVALID_DISPOSITION=CONTINUE
+
 MACLIST_DISPOSITION=REJECT

 RELATED_DISPOSITION=ACCEPT
@@ -205,6 +215,8 @@ SMURF_DISPOSITION=DROP

 TCP_FLAGS_DISPOSITION=DROP

+UNTRACKED_DISPOSITION=CONTINUE
+
 ################################################################################
 #			P A C K E T  M A R K  L A Y O U T
 ################################################################################
--- a/Shorewall6/Samples6/two-interfaces/shorewall6.conf
+++ b/Shorewall6/Samples6/two-interfaces/shorewall6.conf
@@ -24,6 +24,8 @@ VERBOSITY=1

 BLACKLIST_LOGLEVEL=

+INVALID_LOG_LEVEL=
+
 LOG_VERBOSITY=2

 LOGALLNEW=
@@ -50,6 +52,8 @@ STARTUP_LOG=/var/log/shorewall6-init.log

 TCP_FLAGS_LOG_LEVEL=info

+UNTRACKED_LOG_LEVEL=
+
 ###############################################################################
 #	L O C A T I O N	  O F	F I L E S   A N D   D I R E C T O R I E S
 ###############################################################################
@@ -117,7 +121,7 @@ AUTOHELPERS=Yes

 AUTOMAKE=No

-BLACKLISTNEWONLY=Yes
+BLACKLIST="NEW,INVALID,UNTRACKED"

 CLAMPMSS=No

@@ -125,6 +129,8 @@ CLEAR_TC=Yes

 COMPLETE=No

+DEFER_DNS_RESOLUTION=Yes
+
 DELETE_THEN_ADD=Yes

 DONT_LOAD=
@@ -185,6 +191,8 @@ USE_DEFAULT_RT=No

 USE_PHYSICAL_NAMES=No

+WARNOLDCAPVERSION=Yes
+
 ZONE2ZONE=2

 ###############################################################################
@@ -193,6 +201,8 @@ ZONE2ZONE=2

 BLACKLIST_DISPOSITION=DROP

+INVALID_DISPOSITION=CONTINUE
+
 MACLIST_DISPOSITION=REJECT

 RELATED_DISPOSITION=ACCEPT
@@ -205,6 +215,8 @@ SMURF_DISPOSITION=DROP

 TCP_FLAGS_DISPOSITION=DROP

+UNTRACKED_DISPOSITION=CONTINUE
+
 ################################################################################
 #			P A C K E T  M A R K  L A Y O U T
 ################################################################################
--- a/Shorewall6/actions.std
+++ b/Shorewall6/actions.std
@@ -12,10 +12,6 @@
 #    dropBcasts         # Silently Drop multicast and anycast packets
 #    dropNotSyn		# Silently Drop Non-syn TCP packets
 #    rejNotSyn		# Silently Reject Non-syn TCP packets
-#    dropInvalid	# Silently Drop packets that are in the INVALID
-#			# conntrack state.
-#    allowInvalid	# Accept packets that are in the INVALID
-#			# conntrack state.
 #
 ###############################################################################
 #ACTION
@@ -23,11 +19,17 @@ A_Drop	                        # Audited Default Action for DROP policy
 A_Reject	                # Audited Default Action for REJECT policy
 A_AllowICMPs	                # Audited Accept needed ICMP6 types
 AllowICMPs   	                # Accept needed ICMP6 types
-Broadcast  noinline      	# Handles Broadcast/Multicast/Anycast
+allowInvalid inline		# Accepts packets in the INVALID conntrack state
+Broadcast    noinline      	# Handles Broadcast/Multicast/Anycast
 Drop		        	# Default Action for DROP policy
-DropSmurfs noinline     	# Handles packets with a broadcast source address
-Invalid	   noinline		# Handles packets in the INVALID conntrack state
-NotSyn	   noinline 		# Handles TCP packets that do not have SYN=1 and ACK=0
+dropInvalid  inline		# Drops packets in the INVALID conntrack state
+DropSmurfs   noinline     	# Handles packets with a broadcast source address
+Established  inline		# Handles packets in the ESTABLISHED state
+Invalid	     inline		# Handles packets in the INVALID conntrack state
+New	     inline             # Handles packets in the NEW conntrack state
+NotSyn	     inline 		# Handles TCP packets that do not have SYN=1 and ACK=0
 Reject		        	# Default Action for REJECT policy
-TCPFlags   noinline		# Handles bad flags combinations
-
+Related      inline             # Handles packets in the RELATED conntrack state
+RST	     inline             # Handle packets with RST set
+TCPFlags    			# Handles bad flags combinations
+Untracked    inline             # Handles packets in the UNTRACKED conntrack state
--- a/Shorewall6/configfiles/rules
+++ b/Shorewall6/configfiles/rules
@@ -12,4 +12,6 @@
 #SECTION ALL
 #SECTION ESTABLISHED
 #SECTION RELATED
+#SECTION INVALID
+#SECTION UNTRACKED
 SECTION NEW
--- a/Shorewall6/configfiles/shorewall6.conf
+++ b/Shorewall6/configfiles/shorewall6.conf
@@ -24,6 +24,8 @@ VERBOSITY=1

 BLACKLIST_LOGLEVEL=

+INVALID_LOG_LEVEL=
+
 LOG_VERBOSITY=2

 LOGALLNEW=
@@ -50,6 +52,8 @@ STARTUP_LOG=/var/log/shorewall6-init.log

 TCP_FLAGS_LOG_LEVEL=info

+UNTRACKED_LOG_LEVEL=
+
 ###############################################################################
 #	L O C A T I O N	  O F	F I L E S   A N D   D I R E C T O R I E S
 ###############################################################################
@@ -117,7 +121,7 @@ AUTOHELPERS=Yes

 AUTOMAKE=No

-BLACKLISTNEWONLY=Yes
+BLACKLIST="NEW,INVALID,UNTRACKED"

 CLAMPMSS=No

@@ -125,6 +129,8 @@ CLEAR_TC=No

 COMPLETE=No

+DEFER_DNS_RESOLUTION=Yes
+
 DELETE_THEN_ADD=Yes

 DONT_LOAD=
@@ -185,6 +191,8 @@ USE_DEFAULT_RT=No

 USE_PHYSICAL_NAMES=No

+WARNOLDCAPVERSION=Yes
+
 ZONE2ZONE=2

 ###############################################################################
@@ -193,6 +201,8 @@ ZONE2ZONE=2

 BLACKLIST_DISPOSITION=DROP

+INVALID_DISPOSITION=CONTINUE
+
 MACLIST_DISPOSITION=REJECT

 RELATED_DISPOSITION=ACCEPT
@@ -205,6 +215,8 @@ SMURF_DISPOSITION=DROP

 TCP_FLAGS_DISPOSITION=DROP

+UNTRACKED_DISPOSITION=CONTINUE
+
 ################################################################################
 #			P A C K E T  M A R K  L A Y O U T
 ################################################################################
--- a/Shorewall6/configfiles/tcinterfaces
+++ b/Shorewall6/configfiles/tcinterfaces
@@ -7,5 +7,5 @@
 # information.
 #
 ###############################################################################
-#INTERFACE		TYPE	IN-BANDWIDTH
+#INTERFACE		TYPE	IN-BANDWIDTH		OUT-INTERFACE

--- a/Shorewall6/init.archlinux.sh
+++ b/Shorewall6/init.archlinux.sh
@@ -1,60 +0,0 @@
-#!/bin/bash
-
-OPTIONS="-f"
-
-if [ -f /etc/sysconfig/shorewall6 ] ; then
-	. /etc/sysconfig/shorewall6
-elif [ -f /etc/default/shorewall6 ] ; then
-	. /etc/default/shorewall6
-fi
-
-# if you want to override options, do so in /etc/sysconfig/shorewall6 or
-# in /etc/default/shorewall6 --
-# i strongly encourage you use the latter, since /etc/sysconfig/ does not exist.
-
-. /etc/rc.conf
-. /etc/rc.d/functions
-
-DAEMON_NAME="shorewall6" # of course shorewall6 is NOT a deamon.
-
-export SHOREWALL_INIT_SCRIPT=1
-
-case "$1" in
-	start)
-		stat_busy "Starting $DAEMON_NAME"
-		/sbin/shorewall6 $OPTIONS start &>/dev/null
-		if [ $? -gt 0 ]; then
-			stat_fail
-		else
-			add_daemon $DAEMON_NAME
-			stat_done
-		fi
-		;;
-
-
-	stop)
-		stat_busy "Stopping $DAEMON_NAME"
-		/sbin/shorewall6 stop &>/dev/null
-		if [ $? -gt 0 ]; then
-			stat_fail
-		else
-			rm_daemon $DAEMON_NAME
-			stat_done
-		fi
-		;;
-
-	restart|reload)
-		stat_busy "Restarting $DAEMON_NAME"
-		/sbin/shorewall6 restart &>/dev/null
-		if [ $? -gt 0  ]; then
-			stat_fail
-		else
-			stat_done
-		fi
-		;;
-
-	*)
-		echo "usage: $0 {start|stop|restart}"
-esac
-exit 0
-
--- a/Shorewall6/manpages/shorewall6-accounting.xml
+++ b/Shorewall6/manpages/shorewall6-accounting.xml
@@ -291,7 +291,9 @@
        <listitem>
          <para>The name of a <emphasis>chain</emphasis>. If specified as
          <emphasis role="bold">-</emphasis> the <emphasis
-          role="bold">accounting</emphasis> chain is assumed. This is the
+          role="bold">accounting</emphasis> chain is assumed when the file is
+          un-sectioned. When the file is sectioned, the default is one of
+          accountin, accountout, etc. depending on the section. This is the
          chain where the accounting rule is added. The
          <emphasis>chain</emphasis> will be created if it doesn't already
          exist. The <emphasis>chain</emphasis> may not exceed 29 characters
@@ -312,7 +314,8 @@
          <para>The name of an <replaceable>interface</replaceable>, an
          <replaceable>address</replaceable> (host or net) or an
          <replaceable>interface</replaceable> name followed by ":" and a host
-          or net <replaceable>address</replaceable>.</para>
+          or net <replaceable>address</replaceable>. An ipset name is also
+          accepted as an <replaceable>address</replaceable>.</para>
        </listitem>
      </varlistentry>

@@ -346,6 +349,9 @@
          role="bold">ipp2p</emphasis>, <emphasis
          role="bold">ipp2p:udp</emphasis> or <emphasis
          role="bold">ipp2p:all</emphasis></para>
+
+          <para>Beginning with Shorewall 4.5.12, this column can accept a
+          comma-separated list of protocols.</para>
        </listitem>
      </varlistentry>

--- a/Shorewall6/manpages/shorewall6-actions.xml
+++ b/Shorewall6/manpages/shorewall6-actions.xml
@@ -71,11 +71,11 @@

                    <member>DropSmurfs</member>

-                    <member>Invalid</member>
+                    <member>Invalid (Prior to Shorewall 4.5.13)</member>

-                    <member>NotSyn</member>
+                    <member>NotSyn (Prior to Shorewall 4.5.13)</member>

-                    <member>RST</member>
+                    <member>RST (Prior to Shorewall 4.5.13)</member>

                    <member>TCPFlags</member>
                  </simplelist>
--- a/Shorewall6/manpages/shorewall6-conntrack.xml
+++ b/Shorewall6/manpages/shorewall6-conntrack.xml
@@ -244,11 +244,14 @@

      <varlistentry>
        <term>PROTO ‒
-        <replaceable>protocol-name-or-number</replaceable></term>
+        <replaceable>protocol-name-or-number</replaceable>[,...]</term>

        <listitem>
          <para>A protocol name from <filename>/etc/protocols</filename> or a
          protocol number.</para>
+
+          <para>Beginning with Shorewall 4.5.12, this column can accept a
+          comma-separated list of protocols.</para>
        </listitem>
      </varlistentry>

--- a/Shorewall6/manpages/shorewall6-rules.xml
+++ b/Shorewall6/manpages/shorewall6-rules.xml
@@ -74,8 +74,41 @@
          <para>The only ACTIONs allowed in this section are ACCEPT, DROP,
          REJECT, LOG and QUEUE</para>

-          <para>There is an implicit ACCEPT rule inserted at the end of this
-          section.</para>
+          <para>There is an implicit rule added at the end of this section
+          that invokes the RELATED_DISPOSITION (<ulink
+          url="shorewall6.conf.html">shorewall6.conf</ulink>(5)).</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><emphasis role="bold">INVALID</emphasis></term>
+
+        <listitem>
+          <para>Added in Shorewall 4.5.13. Packets in the INVALID state are
+          processed by rules in this section.</para>
+
+          <para>The only Actions allowed in this section are ACCEPT, DROP,
+          REJECT, LOG and QUEUE.</para>
+
+          <para>There is an implicit rule added at the end of this section
+          that invokes the INVALID_DISPOSITION (<ulink
+          url="shorewall6.conf.html">shorewall6.conf</ulink>(5)).</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><emphasis role="bold">UNTRACKED</emphasis></term>
+
+        <listitem>
+          <para>Added in Shorewall 4.5.13. Packets in the UNTRACKED state are
+          processed by rules in this section.</para>
+
+          <para>The only Actions allowed in this section are ACCEPT, DROP,
+          REJECT, LOG and QUEUE.</para>
+
+          <para>There is an implicit rule added at the end of this section
+          that invokes the UNTRACKED_DISPOSITION (<ulink
+          url="shorewall6.conf.html">shorewall6.conf</ulink>(5)).</para>
        </listitem>
      </varlistentry>

--- a/Shorewall6/manpages/shorewall6-secmarks.xml
+++ b/Shorewall6/manpages/shorewall6-secmarks.xml
@@ -226,6 +226,9 @@
        <listitem>
          <para>Protocol - <emphasis role="bold">ipp2p</emphasis> requires
          ipp2p match support in your kernel and iptables.</para>
+
+          <para>Beginning with Shorewall 4.5.12, this column can accept a
+          comma-separated list of protocols.</para>
        </listitem>
      </varlistentry>

--- a/Shorewall6/manpages/shorewall6-stoppedrules.xml
+++ b/Shorewall6/manpages/shorewall6-stoppedrules.xml
@@ -92,10 +92,13 @@

      <varlistentry>
        <term>PROTO (Optional) ‒
-        <replaceable>protocol-name-or-number</replaceable></term>
+        <replaceable>protocol-name-or-number</replaceable>[,...]</term>

        <listitem>
          <para>Protocol.</para>
+
+          <para>Beginning with Shorewall 4.5.12, this column can accept a
+          comma-separated list of protocols.</para>
        </listitem>
      </varlistentry>

--- a/Shorewall6/manpages/shorewall6-tcclasses.xml
+++ b/Shorewall6/manpages/shorewall6-tcclasses.xml
@@ -557,6 +557,95 @@
                </variablelist>
              </listitem>
            </varlistentry>
+
+            <varlistentry>
+              <term>fq_codel[=(<replaceable>codeloption</replaceable>=<replaceable>value</replaceable>,
+              ...)]</term>
+
+              <listitem>
+                <para>Added in Shorewall 4.5.12. When specified for a leaf
+                class, causes the class to use the FQ_CODEL
+                (<firstterm>Fair-queuing Controlled-Delay</firstterm>) queuing
+                discipline rather than SFQ. See tc-fq_codel (8) for additional
+                information.</para>
+
+                <para>Allowable <replaceable>codeloptions</replaceable>
+                are:</para>
+
+                <variablelist>
+                  <varlistentry>
+                    <term>limit</term>
+
+                    <listitem>
+                      <para>hard limit on the real queue size. When this limit
+                      is reached, incoming packets are dropped. If the value
+                      is lowered, packets are dropped so that the new limit is
+                      met. Default is 1000 packets.</para>
+                    </listitem>
+                  </varlistentry>
+
+                  <varlistentry>
+                    <term>flows</term>
+
+                    <listitem>
+                      <para>is the number of flows into which the incoming
+                      packets are classified. Due to the stochastic nature of
+                      hashing, multiple flows may end up being hashed into the
+                      same slot. Newer flows have priority over older ones.
+                      This parameter can be set only at load time since memory
+                      has to be allocated for the hash table. Default value is
+                      1024.</para>
+                    </listitem>
+                  </varlistentry>
+
+                  <varlistentry>
+                    <term>target</term>
+
+                    <listitem>
+                      <para>is the acceptable minimum standing/persistent
+                      queue delay. This minimum delay is identified by
+                      tracking the local minimum queue delay that packets
+                      experience. Default and recommended value is 5ms.</para>
+                    </listitem>
+                  </varlistentry>
+
+                  <varlistentry>
+                    <term>interval</term>
+
+                    <listitem>
+                      <para>is used to ensure that the measured minimum delay
+                      does not become too stale. The minimum delay must be
+                      experienced in the last epoch of length interval. It
+                      should be set on the order of the worst-case RTT through
+                      the bottleneck to give endpoints sufficient time to
+                      react. Default value is 100ms.</para>
+                    </listitem>
+                  </varlistentry>
+
+                  <varlistentry>
+                    <term>quantum</term>
+
+                    <listitem>
+                      <para>is the number of bytes used as 'deficit' in the
+                      fair queuing algorithm. Default is set to 1514 bytes
+                      which corresponds to the Ethernet MTU plus the hardware
+                      header length of 14 bytes.</para>
+                    </listitem>
+                  </varlistentry>
+
+                  <varlistentry>
+                    <term>ecn | noecn</term>
+
+                    <listitem>
+                      <para>can be used to mark packets instead of dropping
+                      them. If ecn has been enabled, noecn can be used to turn
+                      it off and vice-a-versa. By default, ecn is
+                      enabled.</para>
+                    </listitem>
+                  </varlistentry>
+                </variablelist>
+              </listitem>
+            </varlistentry>
          </variablelist>
        </listitem>
      </varlistentry>
--- a/Shorewall6/manpages/shorewall6-tcfilters.xml
+++ b/Shorewall6/manpages/shorewall6-tcfilters.xml
@@ -101,11 +101,14 @@

      <varlistentry>
        <term><emphasis role="bold">PROTO</emphasis> - {<emphasis
-        role="bold">-</emphasis>|<emphasis>protocol-number</emphasis>|<emphasis>protocol-name</emphasis>|<emphasis
-        role="bold">all}</emphasis></term>
+        role="bold">-</emphasis>|{<emphasis>protocol-number</emphasis>|<emphasis>protocol-name</emphasis>|<emphasis
+        role="bold">all}</emphasis>[,...]}</term>

        <listitem>
          <para>Protocol.</para>
+
+          <para>Beginning with Shorewall 4.5.12, this column can accept a
+          comma-separated list of protocols.</para>
        </listitem>
      </varlistentry>

@@ -317,6 +320,6 @@
    <para><ulink
    url="http://shorewall.net/PacketMarking.html">http://shorewall.net/PacketMarking.html</ulink></para>

-    <para/>
+    <para></para>
  </refsect1>
 </refentry>
--- a/Shorewall6/manpages/shorewall6-tcpri.xml
+++ b/Shorewall6/manpages/shorewall6-tcpri.xml
@@ -72,11 +72,14 @@

      <varlistentry>
        <term><emphasis role="bold">PROTO</emphasis> -
-        <replaceable>protocol</replaceable></term>
+        <replaceable>protocol</replaceable>[,...]</term>

        <listitem>
          <para>Optional. The name or number of an IPv4
          <replaceable>protocol</replaceable>.</para>
+
+          <para>Beginning with Shorewall 4.5.12, this column can accept a
+          comma-separated list of protocols.</para>
        </listitem>
      </varlistentry>

@@ -149,10 +152,10 @@

    <para>PRIO(8), shorewall6(8), shorewall6-accounting(5),
    shorewall6-actions(5), shorewall6-blacklist(5), shorewall6-hosts(5),
-    shorewall6-maclist(5), shoewall6-netmap(5),shorewall6-params(5), shorewall6-policy(5),
-    shorewall6-providers(5), shorewall6-rtrules(5),
-    shorewall6-routestopped(5), shorewall6-rules(5), shorewall6.conf(5), shorewall6-secmarks(5),
-    shorewall6-tcinterfaces(5), shorewall6-tos(5), shorewall6-tunnels(5),
-    shorewall6-zones(5)</para>
+    shorewall6-maclist(5), shoewall6-netmap(5),shorewall6-params(5),
+    shorewall6-policy(5), shorewall6-providers(5), shorewall6-rtrules(5),
+    shorewall6-routestopped(5), shorewall6-rules(5), shorewall6.conf(5),
+    shorewall6-secmarks(5), shorewall6-tcinterfaces(5), shorewall6-tos(5),
+    shorewall6-tunnels(5), shorewall6-zones(5)</para>
  </refsect1>
 </refentry>
--- a/Shorewall6/manpages/shorewall6-tcrules.xml
+++ b/Shorewall6/manpages/shorewall6-tcrules.xml
@@ -753,15 +753,18 @@ Normal-Service       =&gt; 0x00</programlisting>
      <varlistentry>
        <term><emphasis role="bold">PROTO</emphasis> - {<emphasis
        role="bold">-</emphasis>|<emphasis
-        role="bold">tcp:syn</emphasis>|<emphasis
+        role="bold">{tcp:syn</emphasis>|<emphasis
        role="bold">ipp2p</emphasis>|<emphasis
        role="bold">ipp2p:udp</emphasis>|<emphasis
        role="bold">ipp2p:all</emphasis>|<emphasis>protocol-number</emphasis>|<emphasis>protocol-name</emphasis>|<emphasis
-        role="bold">all}</emphasis></term>
+        role="bold">all}[,...]}</emphasis></term>

        <listitem>
          <para>Protocol - <emphasis role="bold">ipp2p</emphasis> requires
          ipp2p match support in your kernel and ip6tables.</para>
+
+          <para>Beginning with Shorewall 4.5.12, this column can accept a
+          comma-separated list of protocols.</para>
        </listitem>
      </varlistentry>

@@ -910,10 +913,10 @@ Normal-Service       =&gt; 0x00</programlisting>
        role="bold">:</emphasis>[<emphasis>max</emphasis>]]</term>

        <listitem>
-          <para>Optional packet Length. This field, if present allow you to
-          match the length of a packet against a specific value or range of
-          values. You must have ip6tables length support for this to work. A
-          range is specified in the form
+          <para>Optional - packet payload length. This field, if present allow
+          you to match the length of a packet payload (Layer 4 data ) against
+          a specific value or range of values. You must have iptables length
+          support for this to work. A range is specified in the form
          <emphasis>min</emphasis>:<emphasis>max</emphasis> where either
          <emphasis>min</emphasis> or <emphasis>max</emphasis> (but not both)
          may be omitted. If <emphasis>min</emphasis> is omitted, then 0 is
--- a/Shorewall6/manpages/shorewall6.conf.xml
+++ b/Shorewall6/manpages/shorewall6.conf.xml
@@ -226,8 +226,9 @@
          <para>Added in Shorewall 4.5.11. Normally, if an unknown shell
          variable is encountered in a configuration file (except in ?IF and
          ?ELSIF directives), the compiler raises a fatal error. If
-          IGNOREUNKNOWNVARIABLES is set to 'Yes', then such variables simply
-          expand to an empty string. Default is 'No'.</para>
+          IGNOREUNKNOWNVARIABLES is set to <emphasis
+          role="bold">Yes</emphasis>, then such variables simply expand to an
+          empty string. Default is <emphasis role="bold">No</emphasis>.</para>
        </listitem>
      </varlistentry>

@@ -308,6 +309,26 @@
        </listitem>
      </varlistentry>

+      <varlistentry>
+        <term><emphasis role="bold">BLACKLIST=</emphasis>[{<emphasis
+        role="bold">ALL</emphasis>|<emphasis
+        role="bold"><replaceable>state</replaceable>[,...]</emphasis>}]</term>
+
+        <listitem>
+          <para>where state is one of NEW, ESTABLISHED, RELATED, INVALID,or
+          UNTRACKED.</para>
+
+          <para>Added in Shorewall 4.5.13 to replace the BLACKLISTNEWONLY
+          option below. Specifies the connection tracking states that are to
+          be subject to blacklist screening. If neither BLACKLIST nor
+          BLACKLISTNEWONLY are specified then the states subject to
+          blacklisting are NEW,ESTABLISHED,INVALID,UNTRACKED.</para>
+
+          <para>Note: The ESTABLISHED state may not be specified if FASTACCEPT
+          is specified.</para>
+        </listitem>
+      </varlistentry>
+
      <varlistentry>
        <term><emphasis
        role="bold">BLACKLIST_DISPOSITION=</emphasis>[<emphasis
@@ -353,11 +374,18 @@
        role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>}</term>

        <listitem>
+          <para>Deprecated in Shorewall 4.5.13 in favor of BLACKLIST
+          above.</para>
+
          <para>When set to <emphasis role="bold">Yes</emphasis> or <emphasis
          role="bold">yes</emphasis>, blacklists are only consulted for new
-          connections. This includes entries in the <ulink
-          url="???">shorewall-blrules</ulink> (5) file and in the BLACKLIST
-          section of <ulink
+          connections, for packets in the INVALID connection state (such as a
+          TCP SYN,ACK when there has been no corresponding SYN), and for
+          packets that are UNTRACKED due to entries in <ulink
+          url="shorewall6-conntrack.html">shorewall6-conntrack</ulink>(5).
+          This includes entries in the <ulink
+          url="shorewall6-blrules.html">shorewall6-blrules</ulink> (5) file
+          and in the BLACKLIST section of <ulink
          url="shorewall6-rules.html">shorewall6-rules</ulink> (5).</para>

          <para>When set to <emphasis role="bold">No</emphasis> or <emphasis
@@ -477,19 +505,31 @@
            </listitem>
          </itemizedlist>

-          <blockquote>
-            <para>If CONFIG_PATH is not given or if it is set to the empty
-            value then the contents of /usr/share/shorewall6/configpath are
-            used. As released from shorewall.net, that file sets the
-            CONFIG_PATH to
-            /etc/shorewall6:/usr/share/shorewall6:/usr/share/shorewall but
-            your particular distribution may set it differently. See the
-            output of shorewall6 show config for the default on your
-            system.</para>
+          <para>If CONFIG_PATH is not given or if it is set to the empty value
+          then the contents of /usr/share/shorewall6/configpath are used. As
+          released from shorewall.net, that file sets the CONFIG_PATH to
+          /etc/shorewall6:/usr/share/shorewall6:/usr/share/shorewall but your
+          particular distribution may set it differently. See the output of
+          shorewall6 show config for the default on your system.</para>
+        </listitem>
+      </varlistentry>

-            <para>Note that the setting in /usr/share/shorewall6/configpath is
-            always used to locate shorewall6.conf.</para>
-          </blockquote>
+      <varlistentry>
+        <term><emphasis role="bold">DEFER_DNS_RESOLUTION=</emphasis>[<emphasis
+        role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>
+
+        <listitem>
+          <para>Added in Shorewall 4.5.12. When set to 'Yes' (the default),
+          DNS names are validated in the compiler and then passed on to the
+          generated script where they are resolved by ip6tables-restore. This
+          is an advantage if you use AUTOMAKE=Yes and the IP address
+          associated with the DNS name is subject to change. When
+          DEFER_DNS_RESOLUTION=No, DNS names are converted into IP addresses
+          by the compiler. This has the advantage that when AUTOMAKE=Yes the
+          <command>start</command> and <command>restart</command> commands
+          will succeed even if no DNS server is reachable (assuming that the
+          configuration hasn't changed since the compiled script was last
+          generated).</para>
        </listitem>
      </varlistentry>

@@ -801,6 +841,34 @@ net     all  DROP   info</programlisting>then the chain name is 'net2all'
        </listitem>
      </varlistentry>

+      <varlistentry>
+        <term><emphasis
+        role="bold">INVALID_DISPOSITION=[A_DROP|A_REJECT|DROP|REJECT|CONTINUE]</emphasis></term>
+
+        <listitem>
+          <para>Added in Shorewall 4.5.13. Shorewall has traditionally passed
+          INVALID packets through the NEW section of <ulink
+          url="shorewall6-rules.html">shorewall-rules</ulink> (5). When a
+          packet in INVALID state fails to match any rule in the INVALID
+          section, the packet is disposed of based on this setting. The
+          default value is CONTINUE for compatibility with earlier
+          versions.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><emphasis
+        role="bold">INVALID_LOG_LEVEL=</emphasis><emphasis>log-level</emphasis></term>
+
+        <listitem>
+          <para>Added in Shorewall 4.5.13. Packets in the INVALID state that
+          do not match any rule in the INVALID section of <ulink
+          url="manpages/shorewall6-rules.html">shorewall-rules</ulink> (5) are
+          logged at this level. The default value is empty which means no
+          logging is performed.</para>
+        </listitem>
+      </varlistentry>
+
      <varlistentry>
        <term><emphasis
        role="bold">IP</emphasis>=[<emphasis>pathname</emphasis>]</term>
@@ -1166,6 +1234,33 @@ net     all  DROP   info</programlisting>then the chain name is 'net2all'
          names may be used with log tags if you set LOGTAGONLY=Yes. With
          LOGTAGONLY=Yes, if a log tag is specified then the tag is included
          in the log prefix in place of the chain name.</para>
+
+          <para>Beginning with Shorewall 4.5.12, when LOGTAGONLY=Yes, you have
+          more control over the generated log prefix. Beginning with that
+          release, the tag is interpreted as a <replaceable>chain
+          name</replaceable> and a <replaceable>disposition</replaceable>
+          separated by a comma. So this rule:</para>
+
+          <programlisting>#ACTION                                SOURCE         DEST
+LOG:info:foo,bar                 net                   fw</programlisting>
+
+          <para>would generate the following log prefix when using the default
+          LOGFORMAT setting:</para>
+
+          <simplelist>
+            <member>Shorewall:foo:bar:</member>
+          </simplelist>
+
+          <para>Similarly,</para>
+
+          <programlisting>#ACTION                               SOURCE            DEST
+LOG:info:,bar                        net                    fw</programlisting>
+
+          <para>would generate</para>
+
+          <simplelist>
+            <member>Shorewall:net2fw:bar:</member>
+          </simplelist>
        </listitem>
      </varlistentry>

@@ -1695,16 +1790,16 @@ net     all  DROP   info</programlisting>then the chain name is 'net2all'

      <varlistentry>
        <term><emphasis
-        role="bold">RELATED_DISPOSITION=[ACCEPT|A_ACCEPT|A_DROP|A_REJECT|DROP|REJECT]</emphasis></term>
+        role="bold">RELATED_DISPOSITION=[ACCEPT|A_ACCEPT|A_DROP|A_REJECT|DROP|REJECT|CONTINUE]</emphasis></term>

        <listitem>
          <para>Added in Shorewall 4.4.27. Shorewall has traditionally
          ACCEPTed RELATED packets that don't match any rule in the RELATED
          section of <ulink
-          url="manpages6/shorewall6-rules.html">shorewall6-rules</ulink> (5).
-          Concern about the safety of this practice resulted in the addition
-          of this option. When a packet in RELATED state fails to match any
-          rule in the RELATED section, the packet is disposed of based on this
+          url="shorewall6-rules.html">shorewall6-rules</ulink> (5). Concern
+          about the safety of this practice resulted in the addition of this
+          option. When a packet in RELATED state fails to match any rule in
+          the RELATED section, the packet is disposed of based on this
          setting. The default value is ACCEPT for compatibility with earlier
          versions.</para>
        </listitem>
@@ -2069,6 +2164,34 @@ net     all  DROP   info</programlisting>then the chain name is 'net2all'
        </listitem>
      </varlistentry>

+      <varlistentry>
+        <term><emphasis
+        role="bold">UNTRACKED_DISPOSITION=[ACCEPT|A_ACCEPT|A_DROP|A_REJECT|DROP|REJECT|CONTINUE]</emphasis></term>
+
+        <listitem>
+          <para>Added in Shorewall 4.5.13. Shorewall has traditionally passed
+          UNTRACKED packets through the NEW section of <ulink
+          url="shorewall6-rules.html">shorewall6-rules</ulink> (5). When a
+          packet in UNTRACKED state fails to match any rule in the UNTRACKED
+          section, the packet is disposed of based on this setting. The
+          default value is CONTINUE for compatibility with earlier
+          versions.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><emphasis
+        role="bold">UNTRACKED_LOG_LEVEL=</emphasis><emphasis>log-level</emphasis></term>
+
+        <listitem>
+          <para>Added in Shorewall 4.5.13. Packets in the UNTRACKED state that
+          do not match any rule in the UNTRACKED section of <ulink
+          url="manpages/shorewall-rules.html">shorewall-rules</ulink> (5) are
+          logged at this level. The default value is empty which means no
+          logging is performed.</para>
+        </listitem>
+      </varlistentry>
+
      <varlistentry>
        <term><emphasis role="bold">USE_DEFAULT_RT=</emphasis>[<emphasis
        role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>
@@ -2170,6 +2293,20 @@ net     all  DROP   info</programlisting>then the chain name is 'net2all'
        </listitem>
      </varlistentry>

+      <varlistentry>
+        <term><emphasis role="bold">WARNOLDCAPVERSION=</emphasis>[<emphasis
+        role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>
+
+        <listitem>
+          <para>Added in Shorewall 4.5.12. When set to <emphasis
+          role="bold">Yes</emphasis> (the default), the compiler issues a
+          warning when it finds a capabilities file that doesn't specify all
+          of the capabilities supported by the compiler. When
+          WARNOLDCAPVERSION is set to <emphasis role="bold">No</emphasis>, no
+          warning is issued.</para>
+        </listitem>
+      </varlistentry>
+
      <varlistentry>
        <term><emphasis role="bold">WIDE_TC_MARKS=</emphasis>{<emphasis
        role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>}</term>
--- a/Shorewall6/modules.tc
+++ b/Shorewall6/modules.tc
@@ -19,6 +19,7 @@ loadmodule sch_htb
 loadmodule sch_hfsc
 loadmodule sch_prio
 loadmodule sch_tbf
+loadmodule sch_fq_codel
 loadmodule cls_u32
 loadmodule cls_fw
 loadmodule cls_flow
--- a/Shorewall6/modules.xtables
+++ b/Shorewall6/modules.xtables
@@ -13,6 +13,7 @@
 #  copy.
 #
 ###############################################################################
+loadmodule xt_AUDIT
 loadmodule xt_CLASSIFY
 loadmodule xt_connmark
 loadmodule xt_CONNMARK
@@ -29,6 +30,7 @@ loadmodule xt_mac
 loadmodule xt_mark
 loadmodule xt_MARK
 loadmodule xt_multiport
+loadmodule xt_NFLOG
 loadmodule xt_NFQUEUE
 loadmodule xt_owner
 loadmodule xt_physdev
@@ -43,8 +45,8 @@ loadmodule xt_TPROXY
 #
 # From xtables-addons
 #
-xt_condition
-xt_geoip
-xt_ipp2p
-xt_LOGMARK
-xt_RAWNAT
+loadmodule xt_condition
+loadmodule xt_geoip
+loadmodule xt_ipp2p
+loadmodule xt_LOGMARK
+loadmodule xt_RAWNAT
--- a/Shorewall6/shorewall6.service
+++ b/Shorewall6/shorewall6.service
@@ -13,8 +13,8 @@ Type=oneshot
 RemainAfterExit=yes
 EnvironmentFile=-/etc/sysconfig/shorewall6
 StandardOutput=syslog
-ExecStart=/usr/sbin/shorewall6 $OPTIONS start
-ExecStop=/usr/sbin/shorewall6 $OPTIONS stop
+ExecStart=/sbin/shorewall6 $OPTIONS start
+ExecStop=/sbin/shorewall6 $OPTIONS stop

 [Install]
 WantedBy=multi-user.target
--- a/docs/Actions.xml
+++ b/docs/Actions.xml
@@ -30,6 +30,8 @@

      <year>2012</year>

+      <year>2013</year>
+
      <holder>Thomas M. Eastep</holder>
    </copyright>

@@ -392,6 +394,13 @@ REDIRECT       net     -       tcp     80      -       1.2.3.4</programlisting>

      <para>In the above example, $2 would expand to nothing.</para>

+      <para>Beginning with Shorewall 4.5.13, completely omitting a arameter is
+      equivalent to passing '-'.</para>
+
+      <para>Example: ACTION(REDIRECT,,info)</para>
+
+      <para>This example behaves the same as the one shown above.</para>
+
      <para>If you want to make '-' a parameter value, use '--' (e.g.,
      ACTION(REDIRECT,--.info)).</para>

@@ -405,10 +414,6 @@ REDIRECT       net     -       tcp     80      -       1.2.3.4</programlisting>
      for the second parameter and so on. You can specify an empty default
      using '-' (e.g. DEFAULTS DROP,-,audit).</para>

-      <para>The DEFAULTS directive also determines the maximum number of
-      parameters that an action may have. If more parameters are passed than
-      have default values, an error message is issued.</para>
-
      <para>For additional information about actions, see the <ulink
      url="configuration_file_basics.htm#ActionVariables">Action Variables
      section</ulink> of the Configuration Basics article.</para>
@@ -684,7 +689,7 @@ bar:debug</programlisting>

    <para>The Shorewall compiler provides a set of services that are available
    to Perl code embedded in an action file. These services are not available
-    in in-line actions.</para>
+    in in-line actions when running Shorewall 4.5.12 or earlier.</para>

    <variablelist>
      <varlistentry>
@@ -744,7 +749,9 @@ bar:debug</programlisting>
        [, <replaceable>$expandports</replaceable> ] )</term>

        <listitem>
-          <para>This function adds a rule to a chain. Arguments are:</para>
+          <para>This function adds a rule to a chain. As of Shoreall 4.5.13,
+          it is deprecated in favor of Shorewall::Rules::perl_action_helper().
+          Arguments are:</para>

          <variablelist>
            <varlistentry>
@@ -774,6 +781,11 @@ bar:debug</programlisting>
              </listitem>
            </varlistentry>
          </variablelist>
+
+          <warning>
+            <para>Do not call this function in a inline action. Use
+            perl_action_helper() instead (see below).</para>
+          </warning>
        </listitem>
      </varlistentry>

@@ -788,8 +800,9 @@ bar:debug</programlisting>
        <replaceable>$matches</replaceable> )</term>

        <listitem>
-          <para>This function adds a logging rule to a chain. Arguments
-          are:</para>
+          <para>This function adds a logging rule to a chain. As of Shoreall
+          4.5.13, it is deprecated in favor of
+          Shorewall::Rules::perl_action_helper(). Arguments are:</para>

          <variablelist>
            <varlistentry>
@@ -875,7 +888,7 @@ bar:debug</programlisting>

      <varlistentry>
        <term>Shorewall::Chains::allow::optimize(
-        <replaceable>chainref</replaceable> )</term>
+        <replaceable>$chainref</replaceable> )</term>

        <listitem>
          <para>This allows the passed action chain to be optimized away
@@ -884,6 +897,47 @@ bar:debug</programlisting>
          from get_action_chain() described above.</para>
        </listitem>
      </varlistentry>
+
+      <varlistentry>
+        <term>Shorewall::Rules::perl_action_helper( $target, $matches )</term>
+
+        <listitem>
+          <para>This function adds a rule to the current chain. For a regular
+          action, the chain will be an action chain; for an inline action, the
+          chain is determined by the invoking rule.</para>
+
+          <para>To use this function, you must include:</para>
+
+          <simplelist>
+            <member><emphasis role="bold">use
+            Shorewall::Rules;</emphasis></member>
+          </simplelist>
+
+          <para>Arguments are:</para>
+
+          <variablelist>
+            <varlistentry>
+              <term>$target</term>
+
+              <listitem>
+                <para>The target of the rule. Legal values are anything that
+                can appear in the TARGET column of in an action body and may
+                include log level, tag, and parameters.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term>$matches</term>
+
+              <listitem>
+                <para>ip[6]tables matches to be included in the rule. When
+                called in an inline action, these matches are augmented by
+                matches generated by the invoking rule.</para>
+              </listitem>
+            </varlistentry>
+          </variablelist>
+        </listitem>
+      </varlistentry>
    </variablelist>

    <para>For an example of using these services, look at the standard action
--- a/docs/FAQ.xml
+++ b/docs/FAQ.xml
@@ -247,7 +247,7 @@ DNAT    net:<emphasis>address</emphasis>   loc:<emphasis>local-IP-address</empha
        <itemizedlist>
          <listitem>
            <para>You are trying to test from inside your firewall (no, that
-            won't work -- see <xref linkend="faq2"/>).</para>
+            won't work -- see <xref linkend="faq2" />).</para>
          </listitem>

          <listitem>
@@ -2204,6 +2204,35 @@ gateway:~# </programlisting>
      tool when you installed Shorewall. Look for a service called 'iptables'
      that is being started after Shorewall and disable it.</para>
    </section>
+
+    <section id="faq101">
+      <title>(FAQ 101) How can I speed up 'shorewall start' and 'shorewall
+      restart' on my slow hardware?</title>
+
+      <para><emphasis role="bold">Answer</emphasis>: There are several steps
+      that you can take:</para>
+
+      <orderedlist>
+        <listitem>
+          <para>If your kernel supports module autoloading (and distribution
+          default kernels almost always do), then set LOAD_HELPERS_ONLY=Yes in
+          shorewall.conf.</para>
+        </listitem>
+
+        <listitem>
+          <para>Set AUTOMAKE=Yes in shorewall.conf. This will avoid the
+          compilation phase in cases where the configuration has not changed
+          since the last time that the configuration was compiled.</para>
+        </listitem>
+
+        <listitem>
+          <para>Don't set optimization option 8. For example, if you currently
+          set OPTIMIZE=31, then change that to OPTIMIZE=23. Optimization
+          option 8 combines identical chains which can result in a smaller
+          ruleset, but it slows down the compilation of large rulesets.</para>
+        </listitem>
+      </orderedlist>
+    </section>
  </section>

  <section id="MultiISP">
@@ -2922,7 +2951,7 @@ Shorewall has detected the following iptables/netfilter capabilities:
   Persistent SNAT: Available
 gateway:~# </programlisting>

-      <para/>
+      <para></para>
    </section>

    <section id="faq19">
--- a/docs/IPv6Support.xml
+++ b/docs/IPv6Support.xml
@@ -467,11 +467,14 @@ ACCEPT         net:wlan0:[2002:ce7c:92b4::3]     tcp                         22<

        <listitem>
          <para>The Linux IPv6 stack does not support balancing (multi-hop)
-          routes. Hence, neither the <option>balance</option> option in <ulink
+          routes. Thehe <option>balance</option> and <option>fallback</option>
+          options in <ulink
          url="manpages6/shorewall6-providers.html">shorewall6-providers</ulink>(5)
-          nor USE_DEFAULT_RT=Yes in <ulink
-          url="manpages6/shorewall.conf.html">shorewall6.conf</ulink>(5) is
-          supported.</para>
+          and USE_DEFAULT_RT=Yes in <ulink
+          url="manpages6/shorewall.conf.html">shorewall6.conf</ulink>(5) are
+          supported, but at most one provider can have the
+          <option>balance</option> option and at most one provider can have
+          the <option>fallback</option> option.</para>
        </listitem>
      </varlistentry>

@@ -499,7 +502,7 @@ ACCEPT         net:wlan0:[2002:ce7c:92b4::3]     tcp                         22<
            </listitem>
          </itemizedlist>

-          <para/>
+          <para></para>
        </listitem>
      </varlistentry>

--- a/docs/Manpages.xml
+++ b/docs/Manpages.xml
@@ -26,6 +26,12 @@

      <year>2010</year>

+      <year>2011</year>
+
+      <year>2012</year>
+
+      <year>2013</year>
+
      <holder>Thomas M. Eastep</holder>
    </copyright>

@@ -66,6 +72,9 @@
        <member><ulink url="manpages/shorewall-actions.html">actions</ulink> -
        Declare user-defined actions.</member>

+        <member><ulink url="manpages/shorewall-arprules.html">arprules</ulink>
+        - (Added in Shorewall 4.5.12) Define arpfilter rules.</member>
+
        <member><ulink
        url="manpages/shorewall-blacklist.html">blacklist</ulink> - Static
        blacklisting.</member>
--- a/docs/Shorewall-Lite.xml
+++ b/docs/Shorewall-Lite.xml
@@ -221,6 +221,13 @@
                  on the firewall system is
                  "/etc/shorewall-lite:/usr/share/shorewall-lite".</para>
                </listitem>
+
+                <listitem>
+                  <para>The export directory should contain a
+                  <filename>params</filename> file, even if it is empty.
+                  Otherwise, <filename>/sbin/shorewall</filename> will attempt
+                  to read<filename> /etc/shorewall/params</filename>.</para>
+                </listitem>
              </itemizedlist>
            </listitem>

--- a/docs/configuration_file_basics.xml
+++ b/docs/configuration_file_basics.xml
@@ -18,7 +18,7 @@
    <pubdate><?dbtimestamp format="Y/m/d"?></pubdate>

    <copyright>
-      <year>2001-2012</year>
+      <year>2001-2013</year>

      <holder>Thomas M. Eastep</holder>
    </copyright>
@@ -142,10 +142,16 @@
        </listitem>

        <listitem>
-          <para><filename>/etc/shorewall/blacklist</filename> - lists
+          <para><filename>/etc/shorewall/blacklist</filename> - Deprecated in
+          favor of <filename>/etc/shorewall/blrules</filename>. Lists
          blacklisted IP/subnet/MAC addresses.</para>
        </listitem>

+        <listitem>
+          <para><filename>/etc/shorewall/blrules</filename> — Added in
+          Shorewall 4.5.0. Define blacklisting and whitelisting.</para>
+        </listitem>
+
        <listitem>
          <para><filename>/etc/shorewall/init</filename> - commands that you
          wish to execute at the beginning of a <quote>shorewall start</quote>
@@ -258,6 +264,11 @@
          start/restart when LOAD_HELPERS_ONLY=Yes in
          <filename>shorewall.conf</filename>.</para>
        </listitem>
+
+        <listitem>
+          <para><filename>/usr/share/arprules</filename> — Added in Shorewall
+          4.5.12. Allows specification of arptables rules.</para>
+        </listitem>
      </itemizedlist></para>

    <para><emphasis role="bold">If you need to change a file in
@@ -297,6 +308,12 @@
      <programlisting># This is a comment
 ACCEPT  net     $FW      tcp     www     #This is an end-of-line comment</programlisting>
    </example>
+
+    <important>
+      <para>If a comment ends with a backslash ("\"), the next line will also
+      be treated as a comment. See <link linkend="Continuation">Line
+      Continuation</link> below.</para>
+    </important>
  </section>

  <section id="Names">
@@ -516,6 +533,19 @@ ACCEPT      net:\
      continuation line does not end with a comma or colon, the leading white
      space in the last line is not ignored.</para>
    </example>
+
+    <important>
+      <para>A trailing backslash is not ignored in a comment. So the continued
+      rule above can be commented out with a single '#' as follows:</para>
+
+      <programlisting>#ACTION     SOURCE          DEST            PROTO           DEST
+#                                                           PORT(S)
+<emphasis role="bold">#</emphasis>ACCEPT     net:\
+            206.124.146.177,\
+            206.124.146.178,\
+            206.124.146.180\
+                            dmz             tcp             873</programlisting>
+    </important>
  </section>

  <section id="Pairs">
@@ -1454,7 +1484,8 @@ SHELL cat /etc/shorewall/rules.d/*.rules 2&gt; /dev/null || true</programlisting
        <listitem>
          <para>The <replaceable>variable</replaceable> can be specified
          either with or without a leading '$' to allow using both Perl and
-          Shell variable representation.</para>
+          Shell variable representation. The ${...} form (e.g. ${foo}) is not
+          allowed.</para>

          <para>The <replaceable>value</replaceable> is a Perl-compatible
          expression.</para>
@@ -1487,6 +1518,11 @@ SHELL cat /etc/shorewall/rules.d/*.rules 2&gt; /dev/null || true</programlisting
    <para>Action variables are read-only and cannot be ?SET (although you can
    change their values <ulink url="Actions.html#Embedded">using embedded
    Perl</ulink>).</para>
+
+    <para>Beginning with Shorewall 4.5.13, <link
+    linkend="ShorewallVariables">Shorewall Variables</link> may be set. When
+    setting a Shorewall Variable, the <replaceable>variable</replaceable> must
+    include the leading '@' and the @{...} form is not allowed.</para>
  </section>

  <section id="AddressVariables">
@@ -1772,6 +1808,10 @@ SHELL cat /etc/shorewall/rules.d/*.rules 2&gt; /dev/null || true</programlisting
    alias @chain), Shorewall variables may only be used within an action
    body.</para>

+    <para>Prior to Shorewall 4.5.13, Shorewall variables are read-only.
+    Beginning with Shorewall 4.5.13, their values may be altered using the
+    ?SET directive.</para>
+
    <para>The Shorewall variables are:</para>

    <variablelist>
@@ -1812,7 +1852,22 @@ SHELL cat /etc/shorewall/rules.d/*.rules 2&gt; /dev/null || true</programlisting
          invoked.</para>
        </listitem>
      </varlistentry>
+
+      <varlistentry>
+        <term>@disposition (@{disposition})</term>
+
+        <listitem>
+          <para>Added in Shorewall 4.5.13. When a non-inlined action is
+          entered, this variable is set to the empty value. When an inline
+          action is entered, the variable's value is unchanged.</para>
+        </listitem>
+      </varlistentry>
    </variablelist>
+
+    <para>Beginning with Shorewall 4.5.13, the values of @chain and
+    @disposition are used to generated the --log-prefix in logging rules. When
+    either is empty, the historical value is used to generate the
+    --log-prefix.</para>
  </section>

  <section id="Conditional">
--- a/docs/traffic_shaping.xml
+++ b/docs/traffic_shaping.xml
@@ -24,7 +24,7 @@
    <pubdate><?dbtimestamp format="Y/m/d"?></pubdate>

    <copyright>
-      <year>2001-2009</year>
+      <year>2001-2013</year>

      <holder>Thomas M. Eastep</holder>
    </copyright>
@@ -223,10 +223,10 @@
    <para>This screen shot shows how I configured QoS in a 2.6.16
    Kernel:</para>

-    <graphic align="center" fileref="images/traffic_shaping2.6.png"/>
+    <graphic align="center" fileref="images/traffic_shaping2.6.png" />

    <para>And here's my recommendation for a 2.6.21 kernel:<graphic
-    align="center" fileref="images/traffic_shaping2.6.21.png"/></para>
+    align="center" fileref="images/traffic_shaping2.6.21.png" /></para>
  </section>

  <section id="Shorewall">
@@ -497,7 +497,7 @@
      </itemizedlist>

      <example id="Example0">
-        <title/>
+        <title></title>

        <para>Suppose you are using PPP over Ethernet (DSL) and ppp0 is the
        interface for this. The device has an outgoing bandwidth of 500kbit
@@ -804,6 +804,19 @@ ppp0           6000kbit         500kbit</programlisting>
              (5) for a description of the allowable
              <replaceable>redoptions</replaceable>.</para>
            </listitem>
+
+            <listitem>
+              <para>fq_codel[=(<replaceable>codeloption</replaceable>,...)] -
+              Added in Shorewall 4.5.12. When specified on a leaf class,
+              causes the class to use the FQ CODEL (<firstterm>Fair-queuing
+              Controlled-delay</firstterm>) queuing discipline rather than
+              SFQ. See tc-fq_codel (8) for additional information.</para>
+
+              <para>See <ulink
+              url="manpages/shorewall-tcdevices.html">shorewall-tcdevices</ulink>
+              (5) for a description of the allowable
+              <replaceable>codloptions</replaceable>.</para>
+            </listitem>
          </itemizedlist>
        </listitem>
      </itemizedlist>
@@ -1241,7 +1254,7 @@ ppp0           6000kbit         500kbit</programlisting>
      </itemizedlist>

      <example id="Example1">
-        <title/>
+        <title></title>

        <para>All packets arriving on eth1 should be marked with 1. All
        packets arriving on eth2 and eth3 should be marked with 2. All packets
@@ -1255,7 +1268,7 @@ ppp0           6000kbit         500kbit</programlisting>
      </example>

      <example id="Example2">
-        <title/>
+        <title></title>

        <para>All GRE (protocol 47) packets destined for 155.186.235.151
        should be marked with 12.</para>
@@ -1265,7 +1278,7 @@ ppp0           6000kbit         500kbit</programlisting>
      </example>

      <example id="Example3">
-        <title/>
+        <title></title>

        <para>All SSH request packets originating in 192.168.1.0/24 and
        destined for 155.186.235.151 should be marked with 22.</para>
@@ -1275,7 +1288,7 @@ ppp0           6000kbit         500kbit</programlisting>
      </example>

      <example id="Example4">
-        <title/>
+        <title></title>

        <para>All SSH packets packets going out of the first device in in
        /etc/shorewall/tcdevices should be assigned to the class with mark
@@ -1288,7 +1301,7 @@ ppp0           6000kbit         500kbit</programlisting>
      </example>

      <example id="Example5">
-        <title/>
+        <title></title>

        <para>Mark all ICMP echo traffic with packet mark 1. Mark all peer to
        peer traffic with packet mark 4.</para>
@@ -1321,7 +1334,7 @@ SAVE     0.0.0.0/0      0.0.0.0/0       all        -             -        -
      </example>

      <example>
-        <title/>
+        <title></title>

        <para>Mark all forwarded VOIP connections with connection mark 1 and
        ensure that all VOIP packets also receive that mark (assumes that
--- a/docs/upgrade_issues.xml
+++ b/docs/upgrade_issues.xml
@@ -33,9 +33,11 @@

      <year>2012</year>

+      <year>2013</year>
+
      <holder>Thomas M. Eastep</holder>

-      <holder/>
+      <holder></holder>
    </copyright>

    <legalnotice>
@@ -163,7 +165,7 @@
          <para>?ENDIF.</para>
        </blockquote>

-        <para/>
+        <para></para>
      </listitem>

      <listitem>