Yet more improvements to Shorewall-init

Signed-off-by: Tom Eastep <teastep@shorewall.net>
Some improvements to the shorewall-init scripts.
2013-08-24 09:37:56 -07:00 · 2013-08-20 13:06:25 -07:00 · 2013-08-18 16:02:14 -07:00 · 2013-08-18 14:27:26 -07:00 · 2013-08-18 08:30:11 -07:00 · 2013-08-15 16:29:41 -07:00
188 changed files with 7992 additions and 2969 deletions
--- a/Shorewall-core/configure
+++ b/Shorewall-core/configure
@@ -93,15 +93,38 @@ done

 vendor=${params[HOST]}

+if [ -z "$vendor" ]; then
+    if [ -f /etc/os-release ]; then
+	eval $(cat /etc/os-release | grep ^ID)
+
+	case $ID in
+	    fedora)
+		vendor=redhat
+		;;
+	    debian)
+		vendor=debian
+		;;
+	    opensuse)
+		vendor=suse
+		;;
+	    *)
+		vendor="$ID"
+		;;
+	esac
+
+	params[HOST]="$vendor"
+    fi
+fi
+
 if [ -z "$vendor" ]; then
    case `uname` in
 	Darwin)
-	    $params[HOST]=apple
+	    params[HOST]=apple
 	    rcfile=shorewallrc.apple
 	    ;;

-	cygwin*)
-	    $params[HOST]=cygwin
+	cygwin*|CYGWIN*)
+	    params[HOST]=cygwin
 	    rcfile=shorewallrc.cygwin
 	    ;;
 	*)
@@ -187,6 +210,7 @@ for on in \
    AUXINITSOURCE \
    AUXINITFILE \
    SYSTEMD \
+    SERVICEFILE \
    SYSCONFFILE \
    SYSCONFDIR \
    SPARSE \
--- a/Shorewall-core/configure.pl
+++ b/Shorewall-core/configure.pl
@@ -56,6 +56,26 @@ my $vendor = $params{HOST};
 my $rcfile;
 my $rcfilename;

+unless ( defined $vendor ) {
+    if ( -f '/etc/os-release' ) {
+	my $id = `cat /etc/os-release | grep ^ID`;
+
+	chomp $id;
+
+	$id =~ s/ID=//;
+	
+	if ( $id eq 'fedora' ) {
+	    $vendor = 'redhat';
+	} elsif ( $id eq 'opensuse' ) {
+	    $vendor = 'suse';
+	} else {
+	    $vendor = $id;
+	}
+    }
+
+    $params{HOST} = $vendor;
+}
+
 if ( defined $vendor ) {
    $rcfilename = $vendor eq 'linux' ? 'shorewallrc.default' : 'shorewallrc.' . $vendor;
    die qq("ERROR: $vendor" is not a recognized host type) unless -f $rcfilename;
@@ -146,6 +166,7 @@ for ( qw/ HOST
 	  AUXINITSOURCE
 	  AUXINITFILE
 	  SYSTEMD
+          SERVICEFILE
 	  SYSCONFFILE
 	  SYSCONFDIR
 	  SPARSE
--- a/Shorewall-core/install.sh
+++ b/Shorewall-core/install.sh
@@ -194,7 +194,24 @@ if [ -z "$BUILD" ]; then
 	    BUILD=apple
 	    ;;
 	*)
-	    if [ -f /etc/debian_version ]; then
+	    if [ -f /etc/os-release ]; then
+		eval $(cat /etc/os-release | grep ^ID)
+
+		case $ID in
+		    fedora)
+			BUILD=redhat
+			;;
+		    debian)
+			BUILD=debian
+			;;
+		    opensuse)
+			BUILD=suse
+			;;
+		    *)
+			BUILD="$ID"
+			;;
+		esac
+	    elif [ -f /etc/debian_version ]; then
 		BUILD=debian
 	    elif [ -f /etc/redhat-release ]; then
 		BUILD=redhat
--- a/Shorewall-core/lib.cli
+++ b/Shorewall-core/lib.cli
@@ -3,7 +3,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 1999-2012 - Tom Eastep (teastep@shorewall.net)
+#     (c) 1999-2013 - Tom Eastep (teastep@shorewall.net)
 #
 #	Complete documentation is available at http://shorewall.net
 #
@@ -25,7 +25,7 @@
 # loaded after this one and replaces some of the functions declared here.
 #

-SHOREWALL_CAPVERSION=40512
+SHOREWALL_CAPVERSION=40515

 [ -n "${g_program:=shorewall}" ]

@@ -277,8 +277,7 @@ logwatch() # $1 = timeout -- if negative, prompt each time that
 	elif [ -r $LOGFILE ]; then
 	    g_logread="tac $LOGFILE"
 	else
-	    echo "LOGFILE ($LOGFILE) does not exist!" >&2
-	    exit 2
+	    fatal_error "LOGFILE ($LOGFILE) does not exist!"
 	fi
    fi

@@ -472,7 +471,10 @@ save_config() {
 		    ;;
 		*)
 		    validate_restorefile RESTOREFILE
-		    do_save && rm -f ${VARDIR}/save
+		    if do_save; then
+			rm -f ${VARDIR}/save
+			result=0
+		    fi
 		    ;;
 	    esac
 	fi
@@ -480,7 +482,7 @@ save_config() {
 	echo "$g_product isn't started" >&2
    fi

-    return 0
+    return $result

 }

@@ -670,7 +672,7 @@ version_command() {
    [ $# -gt 0 ] && usage 1

    if [ -n "$all" ]; then
-	echo "shorewall-core: $(cat $g_sharedir/coreversion)"
+	echo "shorewall-core: $(cat ${SHAREDIR}/shorewall/coreversion)"

 	for product in shorewall shorewall6 shorewall-lite shorewall6-lite shorewall-init; do
 	    if [ -f ${SHAREDIR}/$product/version ]; then
@@ -726,6 +728,104 @@ show_nfacct() {
 	echo
    fi
 }
+
+show_event() {
+    local address
+    local ttl_label
+    local ttl
+    local last_seen
+    local last
+    local oldest_pkt
+    local oldest
+    local intimes
+    local outtimes1
+    local outtimes2
+    local time
+    local count
+
+    while read address ttl_label ttl last_seen last oldest_pkt oldest intimes; do
+	case $address in
+	    *.*)
+		[ $g_family -eq 4 ] || continue
+		;;
+	    *:*)
+		[ $g_family -eq 6 ] || continue
+		;;
+	    *)
+		continue
+		;;
+	esac
+
+	outtimes1=''
+	outtimes2=''
+	count=0
+	last=$((($currenttime - $last)/1000))
+	for time in $intimes; do
+	    time=${time%,}
+	    time=$(($currenttime - $time))
+	    if [ $time -lt 10 ]; then
+		time="000$time"
+	    elif [ $time -lt 100 ]; then
+		time="00$time"
+	    elif [ $time -lt 1000 ]; then
+		time="0$time"
+	    fi
+
+	    if [ $count -lt $oldest ]; then
+		outtimes2="$outtimes2 $time"
+	    else
+		outtimes1="$outtimes1 $time"
+	    fi
+
+	    count=$(($count + 1))
+	done
+
+	outtimes1="${outtimes1}${outtimes2}"
+
+	[ -n "$outtimes1" ] && outtimes1=$(echo "$outtimes1 " | sed -r 's/([[:digit:]]{3}) /\.\1, /g') && outtimes1=${outtimes1%, }
+
+	echo "   $address : ${outtimes1}"
+    done < /proc/net/xt_recent/$1
+}
+
+show_events() {
+    local file
+    local base
+    local currenttime
+
+    if [ -f /proc/net/xt_recent/%CURRENTTIME ]; then
+	echo -127.0.0.1 > /proc/net/xt_recent/%CURRENTTIME
+	echo +127.0.0.1 > /proc/net/xt_recent/%CURRENTTIME
+	currenttime=$(cat /proc/net/xt_recent/%CURRENTTIME | cut -d ' ' -f 5 -)
+	# echo Current time: $currenttime
+	# echo
+    else
+	currenttime=0
+    fi
+
+    if [ $# -gt 0 ]; then
+	for event in $@ ; do
+	    if [ -f /proc/net/xt_recent/$event ]; then
+		echo $event:
+		show_event $event
+		echo
+	    else
+		error_message "WARNING: Event $event not found"
+	    fi
+	done
+    else
+	for file in /proc/net/xt_recent/*; do
+	    base=$(basename $file)
+
+	    if [ $base != %CURRENTTIME ]; then
+		echo $base
+		show_event $base
+		echo
+	    fi
+	done
+    fi
+}
+
 #
 # Show Command Executor
 #
@@ -914,8 +1014,7 @@ show_command() {
 		elif [ -r $LOGFILE ]; then
 		    g_logread="tac $LOGFILE"
 		else
-		    echo "LOGFILE ($LOGFILE) does not exist!" >&2
-		    exit 2
+		    fatal_error "LOGFILE ($LOGFILE) does not exist!"
 		fi
 	    fi

@@ -969,8 +1068,7 @@ show_command() {
 		done < ${VARDIR}/zones
 		echo
 	    else
-		echo "   ERROR: ${VARDIR}/zones does not exist" >&2
-		exit 1
+		fatal_error "${VARDIR}/zones does not exist"
 	    fi
 	    ;;
 	capabilities)
@@ -1066,6 +1164,19 @@ show_command() {
 		error_message "Cannot locate the arptables executable"
 	    fi
 	    ;;
+	event)
+	    [ $# -gt 1 ] || usage 1
+	    echo "$g_product $SHOREWALL_VERSION events at $g_hostname - $(date)"
+	    echo
+	    shift
+	    show_events $@
+	    ;;
+	events)
+	    [ $# -gt 1 ] && usage 1
+	    echo "$g_product $SHOREWALL_VERSION events at $g_hostname - $(date)"
+	    echo
+	    show_events
+	    ;;	    
 	*)
 	    case "$g_program" in
 		*-lite)
@@ -1276,8 +1387,7 @@ do_dump_command() {
 	elif [ -r $LOGFILE ]; then
 	    g_logread="tac $LOGFILE"
 	else
-	    echo "LOGFILE ($LOGFILE) does not exist! - See http://www.shorewall.net/shorewall_logging.html" >&2
-	    exit 2
+	    fatal_error "LOGFILE ($LOGFILE) does not exist! - See http://www.shorewall.net/shorewall_logging.html"
 	fi
    fi

@@ -1361,6 +1471,9 @@ do_dump_command() {
    heading "NF Accounting"
    show_nfacct

+    heading "Events"
+    show_events
+
    if qt mywhich setkey; then
 	heading "PFKEY SPD"
 	setkey -DP
@@ -1720,8 +1833,7 @@ separate_list() {
 add_command() {
    local interface host hostlist zone ipset
    if ! product_is_started ; then
-	echo "$g_product Not Started" >&2
-	exit 2
+	fatal_error "$g_product Not Started"
    fi

    determine_ipset_version
@@ -1809,8 +1921,7 @@ add_command() {
 delete_command() {
    local interface host hostent hostlist zone ipset
    if ! product_is_started ; then
-	echo "$g_product Not Started" >&2
-	exit 2;
+	fatal_error "$g_product Not Started"
    fi

    determine_ipset_version
@@ -1995,8 +2106,7 @@ allow_command() {
 	range='--src-range'

 	if ! chain_exists dynamic; then
-	    echo "Dynamic blacklisting is not enabled in the current $g_product configuration" >&2
-	    exit 2
+	    fatal_error "Dynamic blacklisting is not enabled in the current $g_product configuration"
 	fi

 	[ -n "$g_nolock" ] || mutex_on
@@ -2118,8 +2228,7 @@ determine_capabilities() {
 	g_tool=$(mywhich $tool)

 	if [ -z "$g_tool" ]; then
-	    echo "   ERROR: No executable $tool binary can be found on your PATH" >&2
-	    exit 1
+	    fatal-error "No executable $tool binary can be found on your PATH"
 	fi
    fi

@@ -2139,6 +2248,7 @@ determine_capabilities() {
    OLD_CONNTRACK_MATCH=
    MULTIPORT=
    XMULTIPORT=
+    EMULTIPORT=
    POLICY_MATCH=
    PHYSDEV_MATCH=
    PHYSDEV_BRIDGE=
@@ -2202,6 +2312,10 @@ determine_capabilities() {
    NFACCT_MATCH=
    CHECKSUM_TARGET=
    ARPTABLESJF=
+    MASQUERADE_TGT=
+    UDPLITEREDIRECT=
+    NEW_TOS_MATCH=
+
    AMANDA_HELPER=
    FTP_HELPER=
    FTP0_HELPER=
@@ -2220,7 +2334,7 @@ determine_capabilities() {

    resolve_arptables

-    if [ -n "$arptables" -a -x $arptables ]; then
+    if [ -n "$arptables" -a -x "$arptables" ]; then
 	qt $arptables -L OUT && ARPTABLESJF=Yes
    fi

@@ -2230,7 +2344,11 @@ determine_capabilities() {
 	if qt $g_tool -t nat -N $chain; then
 	    if [ $g_family -eq 4 ]; then
 		qt $g_tool -t nat -A $chain -j SNAT --to-source 1.2.3.4 --persistent && PERSISTENT_SNAT=Yes
+	    else
+		qt $g_tool -t nat -A $chain -j SNAT --to-source 2001::1 --persistent && PERSISTENT_SNAT=Yes
 	    fi
+	    qt $g_tool -t nat -A $chain -j MASQUERADE && MASQUERADE_TGT=Yes
+	    qt $g_tool -t nat -A $chain -p udplite -m multiport --dport 33 -j REDIRECT --to-port 22 && UDPREDIRECT=Yes
 	    qt $g_tool -t nat -F $chain
 	    qt $g_tool -t nat -X $chain
 	fi
@@ -2239,8 +2357,7 @@ determine_capabilities() {
    qt $g_tool -F $chain
    qt $g_tool -X $chain
    if ! $g_tool -N $chain; then
-	echo "   ERROR: The command \"$g_tool -N $chain\" failed" >&2
-	exit 1
+	fatal_error "The command \"$g_tool -N $chain\" failed"
    fi

    chain1=${chain}1
@@ -2249,16 +2366,14 @@ determine_capabilities() {
    qt $g_tool -X $chain1
    if ! $g_tool -N $chain1; then
 	qt $g_tool -X $CHAIN
-	echo "   ERROR: The command \"$g_tool -N $chain1\" failed" >&2
-	exit 1
+	fatal_error "The command \"$g_tool -N $chain1\" failed"
    fi

    if ! qt $g_tool -A $chain -m state --state ESTABLISHED,RELATED -j ACCEPT &&
       ! qt $g_tool -A $chain -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT; then
 	qt $g_tool -x $chain
 	qt $g_tool -x $chain1
-	echo "   ERROR: Your kernel lacks connection tracking and/or state matching -- $g_product will not run on this system" >&2
-	exit 1
+	fatal_error "Your kernel lacks connection tracking and/or state matching -- $g_product will not run on this system"
    fi

    if [ $g_family -eq 4 ]; then
@@ -2282,7 +2397,8 @@ determine_capabilities() {
 	qt $g_tool -A $chain -p tcp -m multiport --sports 60 -m multiport --dports 99 -j ACCEPT && KLUDEFREE=Yes
    fi

-    qt $g_tool -A $chain -p tcp -m multiport --dports 21:22 -j ACCEPT           && XMULTIPORT=Yes
+    qt $g_tool -A $chain -p tcp  -m multiport --dports 21:22 -j ACCEPT           && XMULTIPORT=Yes
+    qt $g_tool -A $chain -p sctp -m multiport --dports 21,22 -j ACCEPT           && EMULTIPORT=Yes
    qt $g_tool -A $chain -m policy --pol ipsec --mode tunnel --dir in -j ACCEPT && POLICY_MATCH=Yes

    if qt $g_tool -A $chain -m physdev --physdev-out eth0 -j ACCEPT; then
@@ -2370,6 +2486,7 @@ determine_capabilities() {
 	qt $g_tool -t mangle -A $chain -j DSCP --set-dscp 0 && DSCP_TARGET=Yes
 	qt $g_tool -t mangle -A $chain -m rpfilter && RPFILTER_MATCH=Yes
 	qt $g_tool -t mangle -A $chain -j CHECKSUM --checksum-fill && CHECKSUM_TARGET=Yes
+	qt $g_tool -t mangle -A $chain -m tos --tos 0x10/0xff && NEW_TOS_MATCH=Yes

 	qt $g_tool -t mangle -F $chain
 	qt $g_tool -t mangle -X $chain
@@ -2539,7 +2656,8 @@ report_capabilities_unsorted() {
    report_capability "NAT (NAT_ENABLED)" $NAT_ENABLED
    report_capability "Packet Mangling (MANGLE_ENABLED)" $MANGLE_ENABLED
    report_capability "Multi-port Match (MULTIPORT)" $MULTIPORT
-    [ -n "$MULTIPORT" ] && report_capability "Extended Multi-port Match (XMULIPORT)" $XMULTIPORT
+    [ -n "$MULTIPORT" ]  && report_capability "Extended Multi-port Match (XMULIPORT)" $XMULTIPORT
+    [ -n "$EMULTIPORT" ] && report_capability "Enhanced Multi-port Match (EMULIPORT)" $EMULTIPORT
    report_capability "Connection Tracking Match (CONNTRACK_MATCH)" $CONNTRACK_MATCH
    if [ -n "$CONNTRACK_MATCH" ]; then
 	report_capability "Extended Connection Tracking Match Support (NEW_CONNTRACK_MATCH)" $NEW_CONNTRACK_MATCH
@@ -2593,7 +2711,7 @@ report_capabilities_unsorted() {
    report_capability "TPROXY Target (TPROXY_TARGET)" $TPROXY_TARGET
    report_capability "FLOW Classifier (FLOW_FILTER)" $FLOW_FILTER
    report_capability "fwmark route mask (FWMARK_RT_MASK)" $FWMARK_RT_MASK
-    report_capability "Mark in any table (MARK_ANYWHERE)" $MARK_ANYWHERE
+    report_capability "Mark in the filter table (MARK_ANYWHERE)" $MARK_ANYWHERE
    report_capability "Header Match (HEADER_MATCH)" $HEADER_MATCH
    report_capability "ACCOUNT Target (ACCOUNT_TARGET)" $ACCOUNT_TARGET
    report_capability "AUDIT Target (AUDIT_TARGET)" $AUDIT_TARGET
@@ -2608,6 +2726,9 @@ report_capabilities_unsorted() {
    report_capability "NFAcct match" $NFACCT_MATCH
    report_capability "Checksum Target" $CHECKSUM_TARGET
    report_capability "Arptables JF" $ARPTABLESJF
+    report_capability "MASQUERADE Target" $MASQUERADE_TGT
+    report_capability "UDPLITE Port Redirection" $UDPLITEREDIRECT
+    report_capability "New tos Match" $NEW_TOS_MATCH

    report_capability "Amanda Helper" $AMANDA_HELPER
    report_capability "FTP Helper" $FTP_HELPER
@@ -2659,6 +2780,7 @@ report_capabilities_unsorted1() {
    report_capability1 MANGLE_ENABLED
    report_capability1 MULTIPORT
    report_capability1 XMULTIPORT
+    report_capability1 EMULTIPORT
    report_capability1 CONNTRACK_MATCH
    report_capability1 NEW_CONNTRACK_MATCH
    report_capability1 OLD_CONNTRACK_MATCH
@@ -2726,6 +2848,9 @@ report_capabilities_unsorted1() {
    report_capability1 NFACCT_MATCH
    report_capability1 CHECKSUM_TARGET
    report_capability1 ARPTABLESJF
+    report_capability1 MASQUERADE_TGT
+    report_capability1 UDPLITEREDIRECT
+    report_capability1 NEW_TOS_MATCH

    report_capability1 AMANDA_HELPER
    report_capability1 FTP_HELPER
@@ -2756,10 +2881,10 @@ report_capabilities1() {

 show_status() {
    if product_is_started ; then
-	echo "$g_product is running"
+	[ $VERBOSITY -ge 1 ] && echo "$g_product is running"
 	status=0
    else
-	echo "$g_product is stopped"
+	[ $VERBOSITY -ge 1 ] && echo "$g_product is stopped"
 	status=4
    fi

@@ -2773,14 +2898,13 @@ show_status() {
    else
 	state=Unknown
    fi
-    echo "State:$state"
+    [ $VERBOSITY -ge 1 ] && echo "State:$state"
 }

 status_command() {
-    echo "${g_product}-$SHOREWALL_VERSION Status at $g_hostname - $(date)"
-    echo
+    [ $VERBOSITY -ge 1 ] && echo "${g_product}-$SHOREWALL_VERSION Status at $g_hostname - $(date)" && echo
    show_status
-    echo
+    [ $VERBOSITY -ge 1 ] && echo
    exit $status
 }

@@ -2896,7 +3020,7 @@ ipcalc_command() {
    valid_address $address || fatal_error "Invalid IP address: $address"
    [ -z "$vlsm" ] && usage 2
    [ "x$address" = "x$vlsm" ] && usage 2
-    [ $vlsm -gt 32 ] && echo "Invalid VLSM: /$vlsm" >&2 && exit 2
+    [ $vlsm -gt 32 ] && fatal_error "Invalid VLSM: /$vlsm"

    address=$address/$vlsm

@@ -2978,12 +3102,10 @@ get_config() {
 	if [ -r $config ]; then
 	    . $config
 	else
-	    echo "Cannot read $config! (Hint: Are you root?)" >&2
-	    exit 1
+	    fatal_error "Cannot read $config! (Hint: Are you root?)"
 	fi
    else
-	echo "$config does not exist!" >&2
-	exit 2
+	fatal_error "$config does not exist!"
    fi

    ensure_config_path
@@ -2999,8 +3121,7 @@ get_config() {
    elif [ -r $LOGFILE ]; then
 	g_logread="tac $LOGFILE"
    else
-	echo "LOGFILE ($LOGFILE) does not exist!" >&2
-	exit 2
+	fatal_error "LOGFILE ($LOGFILE) does not exist!"
    fi
    #
    # See if we have a real version of "tail" -- use separate redirection so
@@ -3017,14 +3138,12 @@ get_config() {
    if [ $g_family -eq 4 ]; then
 	if [ -n "$IPTABLES" ]; then
 	    if [ ! -x "$IPTABLES" ]; then
-		echo "   ERROR: The program specified in IPTABLES does not exist or is not executable" >&2
-		exit 2
+		fatal_error "The program specified in IPTABLES does not exist or is not executable"
 	    fi
 	else
 	    IPTABLES=$(mywhich iptables 2> /dev/null)
 	    if [ -z "$IPTABLES" ] ; then
-		echo "   ERROR: Can't find iptables executable" >&2
-		exit 2
+		fatal_error "Can't find iptables executable"
 	    fi
 	fi

@@ -3032,14 +3151,12 @@ get_config() {
    else
 	if [ -n "$IP6TABLES" ]; then
 	    if [ ! -x "$IP6TABLES" ]; then
-		echo "   ERROR: The program specified in IP6TABLES does not exist or is not executable" >&2
-		exit 2
+		fatal_error "The program specified in IP6TABLES does not exist or is not executable"
 	    fi
 	else
 	    IP6TABLES=$(mywhich ip6tables 2> /dev/null)
 	    if [ -z "$IP6TABLES" ] ; then
-		echo "   ERROR: Can't find ip6tables executable" >&2
-		exit 2
+		fatal_error "Can't find ip6tables executable"
 	    fi
 	fi

@@ -3071,23 +3188,20 @@ get_config() {

    IP=$(mywhich ip 2> /dev/null)
    if [ -z "$IP" ] ; then
-	echo "   ERROR: Can't find ip executable" >&2
-	exit 2
+	fatal_error "Can't find ip executable"
    fi

    if [ -n "$IPSET" ]; then
 	case "$IPSET" in
 	    */*)
 		if [ ! -x "$IPSET" ] ; then
-		    echo "   ERROR: The program specified in IPSET ($IPSET) does not exist or is not executable" >&2
-		    exit 2
+		    fatal_error "The program specified in IPSET ($IPSET) does not exist or is not executable"
 		fi
 		;;
 	    *)
 		prog="$(mywhich $IPSET 2> /dev/null)"
 		if [ -z "$prog" ] ; then
-		    echo "   ERROR: Can't find $IPSET executable" >&2
-		    exit 2
+		    fatal_error "Can't find $IPSET executable"
 		fi
 		IPSET=$prog
 		;;
@@ -3299,27 +3413,29 @@ usage() # $1 = exit status
    echo "   restart [ -n ] [ -p ] [ -f ] [ <directory> ]"
    echo "   restore [ -n ] [ <file name> ]"
    echo "   save [ <file name> ]"
-    echo "   show [ -b ] [ -x ] [ -t {filter|mangle|nat} ] [ {chain [<chain> [ <chain> ... ]"
-    echo "   show [ -f ] capabilities"
-    echo "   show arptables"
-    echo "   show classifiers"
-    echo "   show config"
-    echo "   show connections"
-    echo "   show filters"
-    echo "   show ip"
+    echo "   [ show | list | ls ] [ -b ] [ -x ] [ -t {filter|mangle|nat} ] [ {chain [<chain> [ <chain> ... ]"
+    echo "   [ show | list | ls ] [ -f ] capabilities"
+    echo "   [ show | list | ls ] arptables"
+    echo "   [ show | list | ls ] classifiers"
+    echo "   [ show | list | ls ] config"
+    echo "   [ show | list | ls ] connections"
+    echo "   [ show | list | ls ] event [ <event> ...]"
+    echo "   [ show | list | ls ] events"
+    echo "   [ show | list | ls ] filters"
+    echo "   [ show | list | ls ] ip"

    if [ $g_family -eq 4 ]; then
-	echo "   show ipa"
+	echo "   [ show | list | ls ] ipa"
    fi

-    echo "   show [ -m ] log [<regex>]"
-    echo "   show [ -x ] mangle|nat|raw|rawpost"
-    echo "   show nfacct"
-    echo "   show policies"
-    echo "   show routing"
-    echo "   show tc [ device ]"
-    echo "   show vardir"
-    echo "   show zones"
+    echo "   [ show | list | ls ] [ -m ] log [<regex>]"
+    echo "   [ show | list | ls ] [ -x ] mangle|nat|raw|rawpost"
+    echo "   [ show | list | ls ] nfacct"
+    echo "   [ show | list | ls ] policies"
+    echo "   [ show | list | ls ] routing"
+    echo "   [ show | list | ls ] tc [ device ]"
+    echo "   [ show | list | ls ] vardir"
+    echo "   [ show | list | ls ] zones"
    echo "   start [ -f ] [ -p ] [ <directory> ]"
    echo "   stop"
    echo "   status"
@@ -3365,6 +3481,10 @@ shorewall_cli() {
    g_recovering=
    g_timestamp=
    g_shorewalldir=
+    g_haveconfig=
+    g_conditional=
+    g_file=
+    g_doing="Compiling"

    VERBOSE=
    VERBOSITY=1
@@ -3390,9 +3510,9 @@ shorewall_cli() {

 			    if [ ! -d $2 ]; then
 				if [ -e $2 ]; then
-				    echo "$2 is not a directory" >&2 && exit 2
+				    fatal_error "$2 is not a directory"
 				else
-				    echo "Directory $2 does not exist" >&2 && exit 2
+				    fatal_error "Directory $2 does not exist"
 				fi
 			    fi

@@ -3417,8 +3537,16 @@ shorewall_cli() {
 			    g_fast=Yes
 			    option=${option#f}
 			    ;;
-			v*)
-			    option=${option#v}
+			[vV]*)
+			    case $option in
+				v*)
+				    option=${option#v}
+				    ;;
+				*)
+				    option=${option#V}
+				    ;;
+			    esac
+
 			    case $option in
 				-1*)
 				    g_use_verbosity=-1
@@ -3549,10 +3677,10 @@ shorewall_cli() {
 	    if product_is_started; then
 		run_it ${VARDIR}/firewall $g_debugging $@
 	    else
-		fatal_error "Shorewall is not running"
+		fatal_error "$g_product is not running"
 	    fi
 	    ;;
-	show|list)
+	show|list|ls)
 	    get_config Yes No Yes
    	    shift
    	    show_command $@
--- a/Shorewall-core/lib.common
+++ b/Shorewall-core/lib.common
@@ -65,6 +65,7 @@ startup_error() # $* = Error Message
 	esac
    fi

+    mutex_off
    kill $$
    exit 2
 }
@@ -272,8 +273,11 @@ shorewall6_is_started() {
 # Echos the fully-qualified name of the calling shell program
 #
 my_pathname() {
+    local pwd
+    pwd=$PWD
    cd $(dirname $0)
    echo $PWD/$(basename $0)
+    cd $pwd
 }

 #
@@ -676,7 +680,11 @@ find_file()
 		fi
 	    done

-	    echo ${g_confdir}/$1
+	    if [ -n "$g_shorewalldir" ]; then
+		echo ${g_shorewalldir}/$1
+	    else
+		echo ${g_confdir}/$1
+	    fi
 	    ;;
    esac
 }
--- a/Shorewall-core/shorewallrc.apple
+++ b/Shorewall-core/shorewallrc.apple
@@ -15,6 +15,7 @@ INITFILE=                              #Unused on OS X
 INITSOURCE=                            #Unused on OS X
 ANNOTATED=                             #Unused on OS X
 SYSTEMD=                               #Unused on OS X
+SERVICEFILE=                           #Unused on OS X
 SYSCONFDIR=                            #Unused on OS X
 SPARSE=Yes                             #Only install $PRODUCT/$PRODUCT.conf in $CONFDIR.
 VARLIB=/var/lib                        #Unused on OS X
--- a/Shorewall-core/shorewallrc.archlinux
+++ b/Shorewall-core/shorewallrc.archlinux
@@ -16,6 +16,7 @@ INITSOURCE=                            #Name of the distributed file to be insta
 ANNOTATED=                             #If non-zero, annotated configuration files are installed
 SYSCONFDIR=                            #Directory where SysV init parameter files are installed
 SYSTEMD=/usr/lib/systemd/system        #Directory where .service files are installed (systems running systemd only)
+SERVICEFILE=                           #Name of the file to install in $SYSTEMD. Default is $PRODUCT.service
 SPARSE=                                #If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR
 VARLIB=/var/lib                        #Directory where product variable data is stored.
 VARDIR=${VARLIB}/$PRODUCT              #Directory where product variable data is stored.
--- a/Shorewall-core/shorewallrc.cygwin
+++ b/Shorewall-core/shorewallrc.cygwin
@@ -15,6 +15,7 @@ INITFILE=                             #Unused on Cygwin
 INITSOURCE=                           #Unused on Cygwin
 ANNOTATED=                            #Unused on Cygwin
 SYSTEMD=                              #Unused on Cygwin
+SERVICEFILE=                          #Unused on Cygwin
 SYSCONFDIR=                           #Unused on Cygwin
 SPARSE=Yes                            #Only install $PRODUCT/$PRODUCT.conf in $CONFDIR.
 VARLIB=/var/lib                       #Unused on Cygwin
--- a/Shorewall-core/shorewallrc.debian
+++ b/Shorewall-core/shorewallrc.debian
@@ -15,6 +15,7 @@ INITFILE=$PRODUCT                       #Name of the product's installed SysV in
 INITSOURCE=init.debian.sh               #Name of the distributed file to be installed as the SysV init script
 ANNOTATED=                              #If non-zero, annotated configuration files are installed
 SYSCONFFILE=default.debian              #Name of the distributed file to be installed in $SYSCONFDIR
+SERVICEFILE=                      	#Name of the file to install in $SYSTEMD. Default is $PRODUCT.service
 SYSCONFDIR=/etc/default                 #Directory where SysV init parameter files are installed
 SYSTEMD=                                #Directory where .service files are installed (systems running systemd only)
 SPARSE=Yes                              #If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR
--- a/Shorewall-core/shorewallrc.default
+++ b/Shorewall-core/shorewallrc.default
@@ -15,6 +15,7 @@ INITFILE=$PRODUCT                       #Name of the product's installed SysV in
 INITSOURCE=init.sh                      #Name of the distributed file to be installed as the SysV init script
 ANNOTATED=                              #If non-zero, annotated configuration files are installed
 SYSTEMD=                                #Directory where .service files are installed (systems running systemd only)
+SERVICEFILE=                            #Name of the file to install in $SYSTEMD. Default is $PRODUCT.service
 SYSCONFFILE=                            #Name of the distributed file to be installed in $SYSCONFDIR
 SYSCONFDIR=                             #Directory where SysV init parameter files are installed
 SPARSE=                                 #If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR
--- a/Shorewall-core/shorewallrc.redhat
+++ b/Shorewall-core/shorewallrc.redhat
@@ -16,6 +16,7 @@ INITSOURCE=init.fedora.sh               #Name of the distributed file to be inst
 ANNOTATED=                              #If non-zero, annotated configuration files are installed
 SYSTEMD=/lib/systemd/system             #Directory where .service files are installed (systems running systemd only)
 SYSCONFFILE=sysconfig                   #Name of the distributed file to be installed as $SYSCONFDIR/$PRODUCT
+SERVICEFILE=                      	#Name of the file to install in $SYSTEMD. Default is $PRODUCT.service
 SYSCONFDIR=/etc/sysconfig/              #Directory where SysV init parameter files are installed
 SPARSE=                                 #If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR
 VARLIB=/var/lib                         #Directory where product variable data is stored.
--- a/Shorewall-core/shorewallrc.slackware
+++ b/Shorewall-core/shorewallrc.slackware
@@ -16,6 +16,7 @@ AUXINITFILE=rc.firewall                    #Name of the product's installed SysV
 INITSOURCE=init.slackware.$PRODUCT.sh      #Name of the distributed file to be installed as a second SysV init script
 INITFILE=rc.$PRODUCT                       #Name of the product's installed second init script
 SYSTEMD=                                   #Name of the directory where .service files are installed (systems running systemd only)
+SERVICEFILE=                               #Name of the file to install in $SYSTEMD. Default is $PRODUCT.service
 SYSCONFFILE=                               #Name of the distributed file to be installed in $SYSCONFDIR
 SYSCONFDIR=                                #Name of the directory where SysV init parameter files are installed.
 ANNOTATED=                                 #If non-empty, install annotated configuration files
--- a/Shorewall-core/shorewallrc.suse
+++ b/Shorewall-core/shorewallrc.suse
@@ -15,6 +15,7 @@ INITFILE=$PRODUCT                                     #Name of the product's Sys
 INITSOURCE=init.suse.sh                               #Name of the distributed file to be installed as the SysV init script
 ANNOTATED=                                            #If non-zero, annotated configuration files are installed
 SYSTEMD=                                              #Directory where .service files are installed (systems running systemd only)
+SERVICEFILE=                      		      #Name of the file to install in $SYSTEMD. Default is $PRODUCT.service
 SYSCONFFILE=                                          #Name of the distributed file to be installed in $SYSCONFDIR
 SYSCONFDIR=/etc/sysconfig/                            #Directory where SysV init parameter files are installed
 SPARSE=                                               #If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR
--- a/Shorewall-init/ifupdown.debian.sh
+++ b/Shorewall-init/ifupdown.debian.sh
@@ -0,0 +1,135 @@
+#!/bin/sh
+#
+# Debian ifupdown script for Shorewall-based products
+#
+#     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
+#
+#     (c) 2010,2013 - Tom Eastep (teastep@shorewall.net)
+#
+#       Shorewall documentation is available at http://shorewall.net
+#
+#       This program is free software; you can redistribute it and/or modify
+#       it under the terms of Version 2 of the GNU General Public License
+#       as published by the Free Software Foundation.
+#
+#       This program is distributed in the hope that it will be useful,
+#       but WITHOUT ANY WARRANTY; without even the implied warranty of
+#       MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+#       GNU General Public License for more details.
+#
+#       You should have received a copy of the GNU General Public License
+#       along with this program; if not, write to the Free Software
+#       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+
+setstatedir() {
+    local statedir
+    if [ -f ${CONFDIR}/${PRODUCT}/vardir ]; then
+	statedir=$( . /${CONFDIR}/${PRODUCT}/vardir && echo $VARDIR )
+    fi
+
+    [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARDIR}/${PRODUCT}
+
+    if [ ! -x $STATEDIR/firewall ]; then
+	if [ $PRODUCT = shorewall -o $PRODUCT = shorewall6 ]; then
+	    ${SBINDIR}/$PRODUCT compile
+	fi
+    fi
+}
+
+Debian_ppp() {
+    NEWPRODUCTS=
+    INTERFACE="$1"
+
+    case $0 in
+	/etc/ppp/ip-*)
+	    #
+	    # IPv4
+	    #
+	    for product in $PRODUCTS; do
+		case $product in
+		    shorewall|shorewall-lite)
+			NEWPRODUCTS="$NEWPRODUCTS $product";
+			;;
+		esac
+	    done
+	    ;;
+	/etc/ppp/ipv6-*)
+	    #
+	    # IPv6
+	    #
+	    for product in $PRODUCTS; do
+		case $product in
+		    shorewall6|shorewall6-lite)
+			NEWPRODUCTS="$NEWPRODUCTS $product";
+			;;
+		esac
+	    done
+	    ;;
+	*)
+	    exit 0
+	    ;;
+    esac
+
+    PRODUCTS="$NEWPRODUCTS"
+
+    case $0 in
+	*up/*)
+	    COMMAND=up
+	    ;;
+	*)
+	    COMMAND=down
+	    ;;
+    esac
+}
+
+IFUPDOWN=0
+PRODUCTS=
+
+#
+# The installer may alter this
+#
+. /usr/share/shorewall/shorewallrc
+
+if [ -f /etc/default/shorewall-init ]; then
+    . /etc/default/shorewall-init
+elif [ -f /etc/sysconfig/shorewall-init ]; then
+    . /etc/sysconfig/shorewall-init
+fi
+
+[ "$IFUPDOWN" = 1 -a -n "$PRODUCTS" ] || exit 0
+
+case $0 in
+    /etc/ppp*)
+	#
+	# Debian ppp
+	#
+	Debian_ppp
+	;;
+    *)
+        #
+        # Debian ifupdown system
+        #
+	INTERFACE="$IFACE"
+
+	if [ "$MODE" = start ]; then
+	    COMMAND=up
+	elif [ "$MODE" = stop ]; then
+	    COMMAND=down
+	else
+	    exit 0
+	fi
+	;;
+esac
+
+[ -n "$LOGFILE" ] || LOGFILE=/dev/null
+
+for PRODUCT in $PRODUCTS; do
+    setstatedir
+
+    if [ -x $VARLIB/$PRODUCT/firewall ]; then
+	  ( ${VARLIB}/$PRODUCT/firewall -V0 $COMMAND $INTERFACE >> $LOGFILE 2>&1 ) || true
+    fi
+done
+
+exit 0
--- a/Shorewall-init/ifupdown.fedora.sh
+++ b/Shorewall-init/ifupdown.fedora.sh
@@ -0,0 +1,111 @@
+#!/bin/sh
+#
+# Redhat/Fedora/Centos/Foobar ifupdown script for Shorewall-based products
+#
+#     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
+#
+#     (c) 2010,2013 - Tom Eastep (teastep@shorewall.net)
+#
+#       Shorewall documentation is available at http://shorewall.net
+#
+#       This program is free software; you can redistribute it and/or modify
+#       it under the terms of Version 2 of the GNU General Public License
+#       as published by the Free Software Foundation.
+#
+#       This program is distributed in the hope that it will be useful,
+#       but WITHOUT ANY WARRANTY; without even the implied warranty of
+#       MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+#       GNU General Public License for more details.
+#
+#       You should have received a copy of the GNU General Public License
+#       along with this program; if not, write to the Free Software
+#       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+
+# Get startup options (override default)
+OPTIONS=
+
+setstatedir() {
+    local statedir
+    if [ -f ${CONFDIR}/${PRODUCT}/vardir ]; then
+	statedir=$( . /${CONFDIR}/${PRODUCT}/vardir && echo $VARDIR )
+    fi
+
+    [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARDIR}/${PRODUCT}
+
+    if [ ! -x "$STATEDIR/firewall" ]; then
+	if [ $PRODUCT == shorewall -o $PRODUCT == shorewall6 ]; then
+	    ${SBINDIR}/$PRODUCT $OPTIONS compile
+	fi
+    fi
+}
+
+IFUPDOWN=0
+PRODUCTS=
+
+#
+# The installer may alter this
+#
+. /usr/share/shorewall/shorewallrc
+
+if [ -f /etc/default/shorewall-init ]; then
+    . /etc/default/shorewall-init
+elif [ -f /etc/sysconfig/shorewall-init ]; then
+    . /etc/sysconfig/shorewall-init
+fi
+
+[ "$IFUPDOWN" = 1 -a -n "$PRODUCTS" ] || exit 0
+
+PHASE=''
+
+case $0 in
+    /etc/ppp*)
+	INTERFACE="$1"
+
+	case $0 in
+	    *ip-up.local)
+		COMMAND=up
+		;;
+	    *ip-down.local)
+		COMMAND=down
+		;;
+	    *)
+		exit 0
+		;;
+	esac
+	;;
+    *)
+	#
+	# RedHat ifup/down system
+	#
+	INTERFACE="$1"
+    
+	case $0 in 
+	    *ifup*)
+		COMMAND=up
+		;;
+	    *ifdown*)
+		COMMAND=down
+		;;
+	    *dispatcher.d*)
+		COMMAND="$2"
+		;;
+	    *)
+		exit 0
+		;;
+	esac
+	;;
+esac
+
+[ -n "$LOGFILE" ] || LOGFILE=/dev/null
+
+for PRODUCT in $PRODUCTS; do
+    setstatedir
+
+    if [ -x "$STATEDIR/firewall" ]; then
+	  echo "`date --rfc-3339=seconds` $0: Executing $STATEDIR/firewall $OPTIONS $COMMAND $INTERFACE" >> $LOGFILE 2>&1
+	  ( $STATEDIR/firewall $OPTIONS $COMMAND $INTERFACE >> $LOGFILE 2>&1 ) || true
+    fi
+done
+
+exit 0
--- a/Shorewall-init/ifupdown.suse.sh
+++ b/Shorewall-init/ifupdown.suse.sh
@@ -1,10 +1,10 @@
 #!/bin/sh
 #
-# ifupdown script for Shorewall-based products
+# SuSE ifupdown script for Shorewall-based products
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2010 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2010,2013 - Tom Eastep (teastep@shorewall.net)
 #
 #       Shorewall documentation is available at http://shorewall.net
 #
@@ -37,7 +37,7 @@ setstatedir() {
    fi
 }

-Debian_SuSE_ppp() {
+SuSE_ppp() {
    NEWPRODUCTS=
    INTERFACE="$1"

@@ -99,105 +99,39 @@ fi

 [ "$IFUPDOWN" = 1 -a -n "$PRODUCTS" ] || exit 0

-if [ -f /etc/debian_version ]; then
-    case $0 in
-	/etc/ppp*)
-	    #
-	    # Debian ppp
-	    #
-	    Debian_SuSE_ppp
-	    ;;
-	
-	*)
-            #
-            # Debian ifupdown system
-            #
-	    INTERFACE="$IFACE"
+PHASE=''

-	    if [ "$MODE" = start ]; then
+case $0 in
+    /etc/ppp*)
+        #
+	# SUSE ppp
+	#
+	SuSE_ppp
+	;;
+	
+    *)
+        #
+        # SuSE ifupdown system
+        #
+	INTERFACE="$2"
+
+	case $0 in
+	    *dispatcher.d*)
+		INTERFACE="$1"
+		COMMAND="$2"
+		;;
+	    *if-up.d*)
 		COMMAND=up
-	    elif [ "$MODE" = stop ]; then
+		;;
+	    *if-down.d*)
 		COMMAND=down
-	    else
+		;;
+	    *)
 		exit 0
-	    fi
-	    ;;
-    esac
-elif [ -f /etc/SuSE-release ]; then
-    PHASE=''
-
-    case $0 in
-	/etc/ppp*)
-	    #
-	    # SUSE ppp
-	    #
-	    Debian_SuSE_ppp
-	    ;;
-	
-	*)
-            #
-            # SuSE ifupdown system
-            #
-	    INTERFACE="$2"
-
-	    case $0 in
-		*if-up.d*)
-		    COMMAND=up
-		    ;;
-		*if-down.d*)
-		    COMMAND=down
-		    ;;
-		*)
-		    exit 0
-		    ;;
-	    esac
-	    ;;
-    esac
-else
-    #
-    # Assume RedHat/Fedora/CentOS/Foobar/...
-    #
-    PHASE=''
-
-    case $0 in
-	/etc/ppp*)
-	    INTERFACE="$1"
-
-	    case $0 in
-		*ip-up.local)
-		    COMMAND=up
-		    ;;
-		*ip-down.local)
-		    COMMAND=down
-		    ;;
-		*)
-		    exit 0
-		    ;;
-	    esac
-	    ;;
-	*)
-	    #
-	    # RedHat ifup/down system
-	    #
-	    INTERFACE="$1"
-    
-	    case $0 in 
-		*ifup*)
-		    COMMAND=up
-		    ;;
-		*ifdown*)
-		    COMMAND=down
-		    ;;
-		*dispatcher.d*)
-		    COMMAND="$2"
-		    ;;
-		*)
-		    exit 0
-		    ;;
-	    esac
-	    ;;
-    esac
-fi
+		;;
+	esac
+	;;
+esac

 [ -n "$LOGFILE" ] || LOGFILE=/dev/null

--- a/Shorewall-init/init.debian.sh
+++ b/Shorewall-init/init.debian.sh
@@ -50,16 +50,16 @@ echo_notdone () {
 }

 not_configured () {
-	echo "#### WARNING ####"
-	echo "the firewall won't be initialized unless it is configured"
-	if [ "$1" != "stop" ]
-	then
-		echo ""
-		echo "Please read about Debian specific customization in"
-		echo "/usr/share/doc/shorewall-init/README.Debian.gz."
-	fi
-	echo "#################"
-	exit 0
+    echo "#### WARNING ####"
+    echo "the firewall won't be initialized unless it is configured"
+    if [ "$1" != "stop" ]
+    then
+	echo ""
+	echo "Please read about Debian specific customization in"
+	echo "/usr/share/doc/shorewall-init/README.Debian.gz."
+    fi
+    echo "#################"
+    exit 0
 }

 # set the STATEDIR variable
@@ -71,10 +71,8 @@ setstatedir() {

    [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARDIR}/${PRODUCT}

-    if [ ! -x $STATEDIR/firewall ]; then
-	if [ $PRODUCT = shorewall -o $PRODUCT = shorewall6 ]; then
-	    ${SBINDIR}/$PRODUCT compile
-	fi
+    if [ $PRODUCT = shorewall -o $PRODUCT = shorewall6 ]; then
+	${SBINDIR}/$PRODUCT compile -c || echo_notdone
    fi
 }

@@ -83,18 +81,16 @@ setstatedir() {
 #
 . /usr/share/shorewall/shorewallrc

-vardir=$VARDIR
-
 # check if shorewall-init is configured or not
 if [ -f "$SYSCONFDIR/shorewall-init" ]
 then
-	. $SYSCONFDIR/shorewall-init
-	if [ -z "$PRODUCTS" ]
-	then
-		not_configured
-	fi
-else
+    . $SYSCONFDIR/shorewall-init
+    if [ -z "$PRODUCTS" ]
+    then
 	not_configured
+    fi
+else
+    not_configured
 fi

 # Initialize the firewall
@@ -103,24 +99,23 @@ shorewall_start () {
  local STATEDIR

  echo -n "Initializing \"Shorewall-based firewalls\": "
+
  for PRODUCT in $PRODUCTS; do
      setstatedir

-      if [ ! -x ${VARDIR}/$PRODUCT/firewall ]; then
-	  if [ $PRODUCT = shorewall -o $PRODUCT = shorewall6 ]; then
-	      ${SBINDIR}/$PRODUCT compile
-	  fi
-      fi
-
-      if [ -x ${VARDIR}/$PRODUCT/firewall ]; then
-	  #
+      if [ -x ${STATEDIR}/$PRODUCT/firewall ]; then
+          #
 	  # Run in a sub-shell to avoid name collisions
 	  #
 	  ( 
-	      if ! ${VARDIR}/$PRODUCT/firewall status > /dev/null 2>&1; then
-		  ${VARDIR}/$PRODUCT/firewall stop || echo_notdone
+	      if ! ${STATEDIR}/$PRODUCT/firewall status > /dev/null 2>&1; then
+		  ${STATEDIR}/$PRODUCT/firewall stop || echo_notdone
+	      else
+		  echo_notdone
 	      fi
 	  )
+      else
+	  echo echo_notdone
      fi
  done

@@ -132,20 +127,14 @@ shorewall_start () {
 # Clear the firewall
 shorewall_stop () {
  local PRODUCT
-  local VARDIR
+  local STATEDIR

  echo -n "Clearing \"Shorewall-based firewalls\": "
  for PRODUCT in $PRODUCTS; do
      setstatedir

-      if [ ! -x ${VARDIR}/$PRODUCT/firewall ]; then
-	  if [ $PRODUCT = shorewall -o $PRODUCT = shorewall6 ]; then
-	      ${SBINDIR}/$PRODUCT compile
-	  fi
-      fi
-
-      if [ -x ${VARDIR}/$PRODUCT/firewall ]; then
-	  ${VARDIR}/$PRODUCT/firewall clear || echo_notdone
+      if [ -x ${STATEDIR}/$PRODUCT/firewall ]; then
+	  ${STATEDIR}/$PRODUCT/firewall clear || echo_notdone
      fi
  done

@@ -164,7 +153,7 @@ case "$1" in
  reload|force-reload)
     ;;
  *)
-     echo "Usage: /etc/init.d/shorewall-init {start|stop|reload|force-reload}"
+     echo "Usage: $0 {start|stop|reload|force-reload}"
     exit 1
 esac

--- a/Shorewall-init/init.fedora.sh
+++ b/Shorewall-init/init.fedora.sh
@@ -24,8 +24,6 @@ lockfile="/var/lock/subsys/shorewall-init"
 # Source function library.
 . /etc/rc.d/init.d/functions

-vardir=$VARDIR
-
 # Get startup options (override default)
 OPTIONS=

@@ -46,17 +44,17 @@ setstatedir() {

    [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARDIR}/${PRODUCT}

-    if [ ! -x $STATEDIR/firewall ]; then
-	if [ $PRODUCT = shorewall -o $PRODUCT = shorewall6 ]; then
-	    ${SBINDIR}/$PRODUCT compile
-	fi
+    if [ $PRODUCT == shorewall -o $PRODUCT == shorewall6 ]; then
+	${SBINDIR}/$PRODUCT $OPTIONS compile -c
+    else
+	return 0
    fi
 }

 # Initialize the firewall
 start () {
    local PRODUCT
-    local vardir
+    local STATEDIR

    if [ -z "$PRODUCTS" ]; then
 	echo "No firewalls configured for shorewall-init"
@@ -65,23 +63,26 @@ start () {
    fi

    echo -n "Initializing \"Shorewall-based firewalls\": "
+
    for PRODUCT in $PRODUCTS; do
 	setstatedir
+	retval=$?

-	if [ ! -x ${VARDIR}/firewall ]; then
-	    if [ $PRODUCT = shorewall -o $PRODUCT = shorewall6 ]; then
-		${SBINDIR}/$PRODUCT compile
+	if [ $retval -eq 0 ]; then
+	    if [ -x "${STATEDIR}/firewall" ]; then
+		${STATEDIR}/firewall stop 2>&1 | $logger
+		retval=${PIPESTATUS[0]}
+		[ $retval -ne 0 ] && break
+	    else
+		retval=6 #Product not configured
+		break
 	    fi
-	fi
-
-	if [ -x ${VARDIR}/$PRODUCT/firewall ]; then
-	    ${VARDIR}/$PRODUCT/firewall stop 2>&1 | $logger
-	    retval=${PIPESTATUS[0]}
-	    [ $retval -ne 0 ] && break
+	else
+	    break
 	fi
    done

-    if [ retval -eq 0 ]; then
+    if [ $retval -eq 0 ]; then
 	touch $lockfile 
 	success
    else
@@ -94,26 +95,29 @@ start () {
 # Clear the firewall
 stop () {
    local PRODUCT
-    local vardir
+    local STATEDIR

    echo -n "Clearing \"Shorewall-based firewalls\": "
+
    for PRODUCT in $PRODUCTS; do
 	setstatedir
+	retval=$?

-	if [ ! -x ${VARDIR}/firewall ]; then
-	    if [ $PRODUCT = shorewall -o $PRODUCT = shorewall6 ]; then
-		${SBINDIR}/$PRODUCT compile
+	if [ $retval -eq 0 ]; then
+	    if [ -x "${STATEDIR}/firewall" ]; then
+		${STATEDIR}/firewall clear 2>&1 | $logger
+		retval=${PIPESTATUS[0]}
+		[ $retval -ne 0 ] && break
+	    else
+		retval=6 #Product not configured
+		break
 	    fi
-	fi
-
-	if [ -x ${VARDIR}/$PRODUCT/firewall ]; then
-	    ${VARDIR}/$PRODUCT/firewall clear 2>&1 | $logger
-	    retval=${PIPESTATUS[0]}
-	    [ $retval -ne 0 ] && break
+	else
+	    break
 	fi
    done

-    if [ retval -eq 0 ]; then
+    if [ $retval -eq 0 ]; then
 	rm -f $lockfile
 	success
    else
@@ -144,7 +148,7 @@ case "$1" in
 	status $prog
 	;;
  *)
-	echo "Usage: /etc/init.d/shorewall-init {start|stop|status}"
+	echo "Usage: $0 {start|stop|status}"
 	exit 1
 esac

--- a/Shorewall-init/init.sh
+++ b/Shorewall-init/init.sh
@@ -85,7 +85,7 @@ shorewall_start () {

      if [ -x ${STATEDIR}/firewall ]; then
 	  if ! ${SBIN}/$PRODUCT status > /dev/null 2>&1; then
-	      ${STATEDIR}/firewall stop || echo_notdone
+	      ${STATEDIR}/firewall stop || exit 1
 	  fi
      fi
  done
@@ -100,20 +100,20 @@ shorewall_start () {
 # Clear the firewall
 shorewall_stop () {
  local PRODUCT
-  local VARDIR
+  local STATEDIR

  echo -n "Clearing \"Shorewall-based firewalls\": "
  for PRODUCT in $PRODUCTS; do
      setstatedir

-      if [ ! -x ${VARDIR}/firewall ]; then
+      if [ ! -x ${STATEDIR}/firewall ]; then
 	  if [ $PRODUCT = shorewall -o $product = shorewall6 ]; then
 	      ${SBINDIR}/$PRODUCT compile
 	  fi
      fi

-      if [ -x ${VARDIR}/firewall ]; then
-	  ${VARDIR}/firewall clear || exit 1
+      if [ -x ${STATEDIR}/firewall ]; then
+	  ${STATEDIR}/firewall clear || exit 1
      fi
  done

--- a/Shorewall-init/init.suse.sh
+++ b/Shorewall-init/init.suse.sh
@@ -34,22 +34,35 @@
 #                    prior to bringing up the network.  
 ### END INIT INFO

+#Return values acc. to LSB for all commands but status:
+# 0 - success
+# 1 - generic or unspecified error
+# 2 - invalid or excess argument(s)
+# 3 - unimplemented feature (e.g. "reload")
+# 4 - insufficient privilege
+# 5 - program is not installed
+# 6 - program is not configured
+# 7 - program is not running
+
 if [ "$(id -u)" != "0" ]
 then
  echo "You must be root to start, stop or restart \"Shorewall \"."
-  exit 1
+  exit 4
 fi

 # check if shorewall-init is configured or not
 if [ -f "/etc/sysconfig/shorewall-init" ]
 then
-	. /etc/sysconfig/shorewall-init
-	if [ -z "$PRODUCTS" ]
-	then
-		exit 0
-	fi
+    . /etc/sysconfig/shorewall-init
+
+    if [ -z "$PRODUCTS" ]
+    then
+	echo "No PRODUCTS configured"
+	exit 6
+    fi
 else
-	exit 0
+    echo "/etc/sysconfig/shorewall-init not found"
+    exit 6
 fi

 #
@@ -66,10 +79,8 @@ setstatedir() {

    [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARDIR}/${PRODUCT}

-    if [ ! -x $STATEDIR/firewall ]; then
-	if [ $PRODUCT = shorewall -o $PRODUCT = shorewall6 ]; then
-	    ${SBINDIR}/$PRODUCT compile
-	fi
+    if [ $PRODUCT = shorewall -o $PRODUCT = shorewall6 ]; then
+	${SBINDIR}/$PRODUCT compile -c || exit
    fi
 }

@@ -84,16 +95,16 @@ shorewall_start () {

      if [ -x $STATEDIR/firewall ]; then
 	  if ! ${SBIN}/$PRODUCT status > /dev/null 2>&1; then
-	      $STATEDIR/$PRODUCT/firewall stop || echo_notdone
+	      $STATEDIR/$PRODUCT/firewall stop || exit
 	  fi
+      else
+	  exit 6
      fi
  done

  if [ -n "$SAVE_IPSETS" -a -f "$SAVE_IPSETS" ]; then
      ipset -R < "$SAVE_IPSETS"
  fi
-
-  return 0
 }

 # Clear the firewall
@@ -106,7 +117,9 @@ shorewall_stop () {
      setstatedir

      if [ -x ${STATEDIR}/firewall ]; then
-	  ${STATEDIR}/firewall clear || exit 1
+	  ${STATEDIR}/firewall clear || exit
+      else
+	  exit 6
      fi
  done

@@ -116,20 +129,21 @@ shorewall_stop () {
 	  grep -qE -- '^(-N|create )' "${SAVE_IPSETS}.tmp" && mv -f "${SAVE_IPSETS}.tmp" "$SAVE_IPSETS"
      fi
  fi
-
-  return 0
 }

 case "$1" in
-  start)
-     shorewall_start
-     ;;
-  stop)
-     shorewall_stop
-     ;;
-  *)
-     echo "Usage: /etc/init.d/shorewall-init {start|stop}"
-     exit 1
+    start)
+	shorewall_start
+	;;
+    stop)
+	shorewall_stop
+	;;
+    reload|forced-reload)
+	;;
+    *)
+	echo "Usage: /etc/init.d/shorewall-init {start|stop}"
+	exit 1
+	;;
 esac

 exit 0
--- a/Shorewall-init/install.sh
+++ b/Shorewall-init/install.sh
@@ -182,7 +182,24 @@ if [ -z "$BUILD" ]; then
 	    BUILD=apple
 	    ;;
 	*)
-	    if [ -f /etc/debian_version ]; then
+	    if [ -f /etc/os-release ]; then
+		eval $(cat /etc/os-release | grep ^ID)
+
+		case $ID in
+		    fedora)
+			BUILD=redhat
+			;;
+		    debian)
+			BUILD=debian
+			;;
+		    opensuse)
+			BUILD=suse
+			;;
+		    *)
+			BUILD="$ID"
+			;;
+		esac
+	    elif [ -f /etc/debian_version ]; then
 		BUILD=debian
 	    elif [ -f /etc/redhat-release ]; then
 		BUILD=redhat
@@ -222,7 +239,7 @@ case "$HOST" in
    debian)
 	echo "Installing Debian-specific configuration..."
 	;;
-    redhat|redhat)
+    redhat)
 	echo "Installing Redhat/Fedora-specific configuration..."
 	;;
    slackware)
@@ -233,7 +250,7 @@ case "$HOST" in
 	echo "Shorewall-init is currently not supported on Arch Linux" >&2
 	exit 1
 	;;
-    suse|suse)
+    suse)
 	echo "Installing SuSE-specific configuration..."
 	;;
    linux)
@@ -291,9 +308,10 @@ fi
 #
 if [ -n "$SYSTEMD" ]; then
    mkdir -p ${DESTDIR}${SYSTEMD}
-    run_install $OWNERSHIP -m 600 shorewall-init.service ${DESTDIR}${SYSTEMD}/shorewall-init.service
-    [ ${SBINDIR} != /sbin ] && eval sed -i \'s\|/sbin/\|${SBINDIR}/\|\' ${DESTDIR}${SYSTEMD}/shorewall-init.service
-    echo "Service file installed as ${DESTDIR}${SYSTEMD}/shorewall-init.service"
+    [ -z "$SERVICEFILE" ] && SERVICEFILE=$PRODUCT.service
+    run_install $OWNERSHIP -m 600 $SERVICEFILE ${DESTDIR}${SYSTEMD}/$PRODUCT.service
+    [ ${SBINDIR} != /sbin ] && eval sed -i \'s\|/sbin/\|${SBINDIR}/\|\' ${DESTDIR}${SYSTEMD}/$PRODUCT.service
+    echo "Service file $SERVICEFILE installed as ${DESTDIR}${SYSTEMD}/$PRODUCT.service"
    if [ -n "$DESTDIR" ]; then
 	mkdir -p ${DESTDIR}${SBINDIR}
        chmod 755 ${DESTDIR}${SBINDIR}
@@ -343,6 +361,8 @@ if [ $HOST = debian ]; then

 	install_file sysconfig ${DESTDIR}/etc/default/shorewall-init 0644
    fi
+
+    IFUPDOWN=ifupdown.debian.sh
 else
    if [ -n "$DESTDIR" ]; then
 	mkdir -p ${DESTDIR}${SYSCONFDIR}
@@ -359,14 +379,16 @@ else

    if [ -d ${DESTDIR}${SYSCONFDIR} -a ! -f ${DESTDIR}${SYSCONFDIR}/shorewall-init ]; then
 	install_file sysconfig ${DESTDIR}${SYSCONFDIR}/shorewall-init 0644
-    fi 
+    fi
+
+    [ $HOST = suse ] && IFUPDOWN=ifupdown.suse.sh || IFUPDOWN=ifupdown.fedora.sh
 fi

 #
 # Install the ifupdown script
 #

-cp ifupdown.sh ifupdown
+cp $IFUPDOWN ifupdown

 [ "${SHAREDIR}" = /usr/share ] || eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ifupdown

@@ -391,11 +413,23 @@ case $HOST in
 	fi
 	;;
    redhat)
-	if [ -f ${DESTDIR}${SBINDIR}/ifup-local -o -f ${DESTDIR}${SBINDIR}/ifdown-local ]; then
-	    echo "WARNING: ${SBINDIR}/ifup-local and/or ${SBINDIR}/ifdown-local already exist; up/down events will not be handled"
-	elif [ -z "$DESTDIR" ]; then
-	    install_file ifupdown ${DESTDIR}${SBINDIR}/ifup-local 0544
-	    install_file ifupdown ${DESTDIR}${SBINDIR}/ifdown-local 0544
+	if [ -z "$DESTDIR" ]; then
+	    install_local=
+
+	    if [ -f ${SBINDIR}/ifup-local -o -f ${SBINDIR}/ifdown-local ]; then
+		if ! fgrep -q Shorewall-based ${SBINDIR}/ifup-local || ! fgrep -q Shorewall-based ${SBINDIR}/ifdown-local; then
+		    echo "WARNING: ${SBINDIR}/ifup-local and/or ${SBINDIR}/ifdown-local already exist; up/down events will not be handled"
+		else
+		    install_local=Yes
+		fi
+	    else
+		install_local=Yes
+	    fi
+
+	    if [ -n "$install_local" ]; then
+		install_file ifupdown ${DESTDIR}${SBINDIR}/ifup-local 0544
+		install_file ifupdown ${DESTDIR}${SBINDIR}/ifdown-local 0544
+	    fi
 	fi
 	;;
 esac
--- a/Shorewall-init/shorewall-init
+++ b/Shorewall-init/shorewall-init
@@ -23,6 +23,20 @@
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 #########################################################################################
+# set the STATEDIR variable
+setstatedir() {
+    local statedir
+    if [ -f ${CONFDIR}/${PRODUCT}/vardir ]; then
+	statedir=$( . /${CONFDIR}/${PRODUCT}/vardir && echo $VARDIR )
+    fi
+
+    [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARDIR}/${PRODUCT}
+
+    if [ $PRODUCT = shorewall -o $PRODUCT = shorewall6 ]; then
+	${SBINDIR}/$PRODUCT compile -c || exit 1
+    fi
+}
+
 #
 # This is modified by the installer when ${SHAREDIR} <> /usr/share
 #
@@ -43,14 +57,25 @@ fi
 # Initialize the firewall
 shorewall_start () {
  local PRODUCT
-  local VARDIR
+  local STATEDIR

  echo -n "Initializing \"Shorewall-based firewalls\": "
  for PRODUCT in $PRODUCTS; do
-      if [ -x ${VARDIR}/firewall ]; then
-	  if ! /sbin/$PRODUCT status > /dev/null 2>&1; then
-	      ${VARDIR}/firewall stop || exit 1
-	  fi
+      setstatedir
+
+      if [ -x ${STATEDIR}/$PRODUCT/firewall ]; then
+          #
+	  # Run in a sub-shell to avoid name collisions
+	  #
+	  (
+	      if ! ${STATEDIR}/$PRODUCT/firewall status > /dev/null 2>&1; then
+		  ${STATEDIR}/$PRODUCT/firewall stop || exit 1
+	      else
+		  exit 1
+	      fi
+	  )
+      else
+	  exit 1
      fi
  done

@@ -64,14 +89,14 @@ shorewall_start () {
 # Clear the firewall
 shorewall_stop () {
  local PRODUCT
-  local VARDIR
+  local STATEDIR

  echo -n "Clearing \"Shorewall-based firewalls\": "
  for PRODUCT in $PRODUCTS; do
-      VARDIR=/var/lib/$PRODUCT
-      [ -f /etc/$PRODUCT/vardir ] && . /etc/$PRODUCT/vardir 
-      if [ -x ${VARDIR}/firewall ]; then
-	  ${VARDIR}/firewall clear || exit 1
+      setstatedir
+
+      if [ -x ${STATEDIR}/$PRODUCT/firewall ]; then
+	  ${STATEDIR}/$PRODUCT/firewall clear || exit 1
      fi
  done

--- a/Shorewall-init/shorewall-init.service
+++ b/Shorewall-init/shorewall-init.service
@@ -13,8 +13,8 @@ Type=oneshot
 RemainAfterExit=yes
 EnvironmentFile=-/etc/sysconfig/shorewall-init
 StandardOutput=syslog
-ExecStart=/shorewall-init $OPTIONS start
-ExecStop=/shorewall-init $OPTIONS stop
+ExecStart=/sbin/shorewall-init $OPTIONS start
+ExecStop=/sbin/shorewall-init $OPTIONS stop

 [Install]
 WantedBy=multi-user.target
--- a/Shorewall-init/sysconfig
+++ b/Shorewall-init/sysconfig
@@ -21,3 +21,6 @@ SAVE_IPSETS=""
 #
 LOGFILE=/var/log/shorewall-ifupdown.log

+# Startup options - set verbosity to 0 (minimal reporting)
+OPTIONS="-V0"
+
--- a/Shorewall-lite/configpath
+++ b/Shorewall-lite/configpath
@@ -4,4 +4,4 @@
 # /usr/share/shorewall-lite/configpath
 #

-CONFIG_PATH=/etc/shorewall-lite:/usr/share/shorewall-lite
+CONFIG_PATH=${CONFDIR}/shorewall-lite:${SHAREDIR}/shorewall-lite:${SHAREDIR}/shorewall
--- a/Shorewall-lite/install.sh
+++ b/Shorewall-lite/install.sh
@@ -182,6 +182,8 @@ for var in SHAREDIR LIBEXECDIRDIRDIR CONFDIR SBINDIR VARLIB VARDIR; do
    require $var
 done

+[ -n "${INITFILE}" ] && require INITSOURCE && require INITDIR
+
 PATH=${SBINDIR}:/bin:/usr${SBINDIR}:/usr/bin:/usr/local/bin:/usr/local${SBINDIR}

 #
@@ -200,7 +202,24 @@ if [ -z "$BUILD" ]; then
 	    BUILD=apple
 	    ;;
 	*)
-	    if [ -f ${CONFDIR}/debian_version ]; then
+	    if [ -f /etc/os-release ]; then
+		eval $(cat /etc/os-release | grep ^ID)
+
+		case $ID in
+		    fedora)
+			BUILD=redhat
+			;;
+		    debian)
+			BUILD=debian
+			;;
+		    opensuse)
+			BUILD=suse
+			;;
+		    *)
+			BUILD="$ID"
+			;;
+		esac
+	    elif [ -f ${CONFDIR}/debian_version ]; then
 		BUILD=debian
 	    elif [ -f ${CONFDIR}/redhat-release ]; then
 		BUILD=redhat
@@ -341,24 +360,25 @@ if [ -n "$DESTDIR" ]; then
 fi

 if [ -n "$INITFILE" ]; then
+    if [ -f "${INITSOURCE}" ]; then
+	initfile="${DESTDIR}/${INITDIR}/${INITFILE}"
+	install_file ${INITSOURCE} "$initfile" 0544

-    initfile="${DESTDIR}/${INITDIR}/${INITFILE}"
-    install_file ${INITSOURCE} "$initfile" 0544
+	[ "${SHAREDIR}" = /usr/share ] || eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' "$initfile"

-    [ "${SHAREDIR}" = /usr/share ] || eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' "$initfile"
-
-    echo  "$Product init script installed in $initfile"
+	echo  "$Product init script installed in $initfile"
+    fi
 fi
 #
 # Install the .service file
 #
 if [ -n "$SYSTEMD" ]; then
    mkdir -p ${DESTDIR}${SYSTEMD}
-    run_install $OWNERSHIP -m 600 $PRODUCT.service ${DESTDIR}/${SYSTEMD}/$PRODUCT.service
+    [ -z "$SERVICEFILE" ] && SERVICEFILE=$PRODUCT.service
+    run_install $OWNERSHIP -m 600 $SERVICEFILE ${DESTDIR}${SYSTEMD}/$PRODUCT.service
    [ ${SBINDIR} != /sbin ] && eval sed -i \'s\|/sbin/\|${SBINDIR}/\|\' ${DESTDIR}${SYSTEMD}/$PRODUCT.service
-    echo "Service file installed as ${DESTDIR}/lib/systemd/system/$PRODUCT.service"
+    echo "Service file $SERVICEFILE installed as ${DESTDIR}${SYSTEMD}/$PRODUCT.service"
 fi
-
 #
 # Install the config file
 #
@@ -483,7 +503,7 @@ if [ -n "$SYSCONFFILE" -a ! -f ${DESTDIR}${SYSCONFDIR}/${PRODUCT} ]; then
 	chmod 755 ${DESTDIR}${SYSCONFDIR}
    fi

-    run_install $OWNERSHIP -m 0644 default.debian ${DESTDIR}${SYSCONFDIR}/${PRODUCT}
+    run_install $OWNERSHIP -m 0644 ${SYSCONFFILE} ${DESTDIR}${SYSCONFDIR}/${PRODUCT}
    echo "$SYSCONFFILE installed in ${DESTDIR}${SYSCONFDIR}/${PRODUCT}"
 fi

--- a/Shorewall-lite/manpages/shorewall-lite.conf.xml
+++ b/Shorewall-lite/manpages/shorewall-lite.conf.xml
@@ -141,7 +141,7 @@
          stops. Creating and removing this file allows Shorewall to work with
          your distribution's initscripts. For RedHat, this should be set to
          /var/lock/subsys/shorewall. For Debian, the value is
-          /var/state/shorewall and in LEAF it is /var/run/shorwall.</para>
+          /var/state/shorewall and in LEAF it is /var/run/shorewall.</para>
        </listitem>
      </varlistentry>

--- a/Shorewall-lite/manpages/shorewall-lite.xml
+++ b/Shorewall-lite/manpages/shorewall-lite.xml
@@ -335,7 +335,7 @@

      <arg>-<replaceable>options</replaceable></arg>

-      <arg choice="plain"><option>show</option></arg>
+      <arg choice="opt"><option>show | list | ls </option></arg>

      <arg><option>-b</option></arg>

@@ -357,7 +357,7 @@

      <arg>-<replaceable>options</replaceable></arg>

-      <arg choice="plain"><option>show</option></arg>
+      <arg choice="opt"><option>show | list | ls </option></arg>

      <arg><option>-f</option></arg>

@@ -371,10 +371,10 @@

      <arg>-<replaceable>options</replaceable></arg>

-      <arg choice="plain"><option>show</option></arg>
+      <arg choice="opt"><option>show | list | ls </option></arg>

      <arg
-      choice="req"><option>classifiers|connections|config|filters|ip|ipa|zones|policies|marks</option></arg>
+      choice="req"><option>classifiers|connections|config|events|filters|ip|ipa|zones|policies|marks</option></arg>
    </cmdsynopsis>

    <cmdsynopsis>
@@ -384,7 +384,20 @@

      <arg>-<replaceable>options</replaceable></arg>

-      <arg choice="plain"><option>show</option></arg>
+      <arg choice="opt"><option>show | list | ls </option></arg>
+
+      <arg choice="plain"><option>event</option><arg
+      choice="plain"><replaceable>event</replaceable></arg></arg>
+    </cmdsynopsis>
+
+    <cmdsynopsis>
+      <command>shorewall-lite</command>
+
+      <arg choice="opt"><option>trace</option>|<option>debug</option></arg>
+
+      <arg>-<replaceable>options</replaceable></arg>
+
+      <arg choice="opt"><option>show | list | ls </option></arg>

      <arg><option>-x</option></arg>

@@ -398,7 +411,7 @@

      <arg>-<replaceable>options</replaceable></arg>

-      <arg choice="plain"><option>show</option></arg>
+      <arg choice="opt"><option>show | list | ls </option></arg>

      <arg choice="plain"><option>tc</option></arg>
    </cmdsynopsis>
@@ -410,7 +423,7 @@

      <arg>-<replaceable>options</replaceable></arg>

-      <arg choice="plain"><option>show</option></arg>
+      <arg choice="opt"><option>show | list | ls </option></arg>

      <arg><option>-m</option></arg>

@@ -492,9 +505,9 @@
    url="shorewall.conf.html">shorewall.conf</ulink>(5). Each <emphasis
    role="bold">v</emphasis> adds one to the effective verbosity and each
    <emphasis role="bold">q</emphasis> subtracts one from the effective
-    VERBOSITY. Anternately, <emphasis role="bold">v</emphasis> may be followed
+    VERBOSITY. Alternately, <emphasis role="bold">v</emphasis> may be followed
    immediately with one of -1,0,1,2 to specify a specify VERBOSITY. There may
-    be no white space between <emphasis role="bold">v</emphasis> and the
+    be no white-space between <emphasis role="bold">v</emphasis> and the
    VERBOSITY.</para>

    <para>The <emphasis>options</emphasis> may also include the letter
@@ -632,7 +645,7 @@
        <term><emphasis role="bold">forget</emphasis></term>

        <listitem>
-          <para>Deletes /var/lib/shorewall-lite/<emphasis>filenam</emphasis>e
+          <para>Deletes /var/lib/shorewall-lite/<emphasis>filename</emphasis>
          and /var/lib/shorewall-lite/save. If no
          <emphasis>filename</emphasis> is given then the file specified by
          RESTOREFILE in <ulink
@@ -690,7 +703,7 @@
          and raw table PREROUTING chains.</para>

          <para>The trace records are written to the kernel's log buffer with
-          faciility = kernel and priority = warning, and they are routed from
+          facility = kernel and priority = warning, and they are routed from
          there by your logging daemon (syslogd, rsyslog, syslog-ng, ...) --
          Shorewall-lite has no control over where the messages go; consult
          your logging daemon's documentation.</para>
@@ -747,7 +760,7 @@

          <para>The <replaceable>iptables match expression</replaceable> must
          be one given in the <command>iptrace</command> command being
-          cancelled.</para>
+          canceled.</para>
        </listitem>
      </varlistentry>

@@ -875,7 +888,7 @@
              <term><emphasis role="bold">config</emphasis></term>

              <listitem>
-                <para>Dispays distribution-specific defaults.</para>
+                <para>Displays distribution-specific defaults.</para>
              </listitem>
            </varlistentry>

@@ -888,6 +901,24 @@
              </listitem>
            </varlistentry>

+            <varlistentry>
+              <term><emphasis role="bold">event</emphasis><replaceable>
+              event</replaceable></term>
+
+              <listitem>
+                <para>Added in Shorewall 4.5.19. Displays the named
+                event.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis role="bold">events</emphasis></term>
+
+              <listitem>
+                <para>Added in Shorewall 4.5.19. Displays all events.</para>
+              </listitem>
+            </varlistentry>
+
            <varlistentry>
              <term><emphasis role="bold">ip</emphasis></term>

@@ -1055,6 +1086,23 @@
    </variablelist>
  </refsect1>

+  <refsect1>
+    <title>EXIT STATUS</title>
+
+    <para>In general, when a command succeeds, status 0 is returned; when the
+    command fails, a non-zero status is returned.</para>
+
+    <para>The <command>status</command> command returns exit status as
+    follows:</para>
+
+    <para>0 - Firewall is started.</para>
+
+    <para>3 - Firewall is stopped or cleared</para>
+
+    <para>4 - Unknown state; usually means that the firewall has never been
+    started.</para>
+  </refsect1>
+
  <refsect1>
    <title>FILES</title>

--- a/Shorewall-lite/uninstall.sh
+++ b/Shorewall-lite/uninstall.sh
@@ -118,14 +118,14 @@ fi

 if [ -L ${SHAREDIR}/shorewall-lite/init ]; then
    FIREWALL=$(readlink -m -q ${SHAREDIR}/shorewall-lite/init)
-elIF [ -n "$INITFILE" ]; then
+elif [ -n "$INITFILE" ]; then
    FIREWALL=${INITDIR}/${INITFILE}
 fi

 if [ -f "$FIREWALL" ]; then
    if mywhich updaterc.d ; then
 	updaterc.d shorewall-lite remove
-    elif if mywhich insserv ; then
+    elif mywhich insserv ; then
        insserv -r $FIREWALL
    elif [ mywhich chkconfig ; then
 	chkconfig --del $(basename $FIREWALL)
--- a/Shorewall/Macros/macro.DCC
+++ b/Shorewall/Macros/macro.DCC
@@ -9,4 +9,4 @@
 ###############################################################################
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
 #				PORT(S)	PORT(S)	LIMIT	GROUP
-PARAM	-	-	tcp	6277
+PARAM	-	-	udp	6277
--- a/Shorewall/Macros/macro.Kerberos
+++ b/Shorewall/Macros/macro.Kerberos
@@ -0,0 +1,12 @@
+#
+# Shorewall version 4 - Kerberos Macro
+#
+# /usr/share/shorewall/macro.Kerberos
+#
+#	This macro handles Kerberos traffic.
+#
+###############################################################################
+#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
+#				PORT(S)	PORT(S)	LIMIT	GROUP
+PARAM	-	-	tcp	88
+PARAM	-	-	udp	88
--- a/Shorewall/Macros/macro.VRRP
+++ b/Shorewall/Macros/macro.VRRP
@@ -0,0 +1,11 @@
+#
+# Shorewall version 4 - VRRP Macro
+#
+# /usr/share/shorewall/macro.VRRP
+#
+#	This macro handles VRRP traffic.
+#
+###############################################################################
+#ACTION		SOURCE		DEST		PROTO
+PARAM		SOURCE		DEST:224.0.0.18	vrrp
+#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
--- a/Shorewall/Macros/macro.Xymon
+++ b/Shorewall/Macros/macro.Xymon
@@ -0,0 +1,11 @@
+#
+# Shorewall version 4 - Xymon Macro
+#
+# /usr/share/shorewall/macro.Xymon
+#
+#	This macro handles Xymon traffic.
+#
+###############################################################################
+#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
+#				PORT(S)	PORT(S)	LIMIT	GROUP
+PARAM	-	-	tcp	1984
--- a/Shorewall/Perl/Shorewall/Accounting.pm
+++ b/Shorewall/Perl/Shorewall/Accounting.pm
@@ -138,6 +138,14 @@ sub process_section ($) {
    $asection = $newsect;
 }

+sub split_nfacct_list( $;$ ) {
+    my ($list, $origlist ) = @_;
+
+    fatal_error( "Invalid nfacct list (" . ( $origlist ? $origlist : $list ) . ')' ) if $list =~ /^,|,$|,,$/;
+
+    split /,/, $list;
+}
+
 #
 # Accounting
 #
@@ -190,6 +198,7 @@ sub process_accounting_rule1( $$$$$$$$$$$ ) {
    fatal_error "USER/GROUP may only be specified in the OUTPUT section" unless $user eq '-' || $asection == OUTPUT;

    my $rule = do_proto( $proto, $ports, $sports ) . do_user ( $user ) . do_test ( $mark, $globals{TC_MASK} ) . do_headers( $headers );
+    my $prerule = '';
    my $rule2 = 0;
    my $jump  = 0;

@@ -222,11 +231,19 @@ sub process_accounting_rule1( $$$$$$$$$$$ ) {
 	    }
 	} elsif ( $action =~ /^NFLOG/ ) {
 	    $target = validate_level $action;
-	} elsif ( $action =~ /^NFACCT\((\w+)\)$/ ) {
+	} elsif ( $action =~ /^NFACCT\((.+)\)$/ ) {
 	    require_capability 'NFACCT_MATCH', 'The NFACCT action', 's';
-	    $nfobjects{$1} = 1;
 	    $target = '';
-	    $rule .= "-m nfacct --nfacct-name $1 ";
+	    for ( my @objects = split_nfacct_list $1 ) {
+		validate_nfobject( $_, 1 );
+		if ( s/!$// ) {
+		    $prerule .= do_nfacct( $_ );
+		} else {
+		    $rule .= do_nfacct( $_ );
+		}
+	    }
+	} elsif ( $action eq 'INLINE' ) {
+	    $rule .= get_inline_matches;
 	} else {
 	    ( $action, my $cmd ) = split /:/, $action;

@@ -267,6 +284,7 @@ sub process_accounting_rule1( $$$$$$$$$$$ ) {
 		expand_rule(
 			    ensure_rules_chain ( 'accountout' ) ,
 			    OUTPUT_RESTRICT ,
+			    $prerule ,
 			    $rule ,
 			    $source ,
 			    $dest = ALLIP ,
@@ -360,6 +378,7 @@ sub process_accounting_rule1( $$$$$$$$$$$ ) {
    expand_rule
 	$chainref ,
 	$restriction ,
+	$prerule ,
 	$rule ,
 	$source ,
 	$dest ,
@@ -385,17 +404,18 @@ sub process_accounting_rule1( $$$$$$$$$$$ ) {
    }

    if ( $rule2 ) {
-	expand_rule
-	    $jumpchainref ,
-	    $restriction ,
-	    $rule ,
-	    $source ,
-	    $dest ,
-	    '' ,
-	    '' ,
-	    '' ,
-	    '' ,
-	    '' ;
+	expand_rule(
+		    $jumpchainref ,
+		    $restriction ,
+		    $prerule ,
+		    $rule ,
+		    $source ,
+		    $dest ,
+		    '' ,
+		    '' ,
+		    '' ,
+		    '' ,
+		    '' );
    }

    return 1;
--- a/Shorewall/Perl/Shorewall/Chains.pm
+++ b/Shorewall/Perl/Shorewall/Chains.pm
--- a/Shorewall/Perl/Shorewall/Compiler.pm
+++ b/Shorewall/Perl/Shorewall/Compiler.pm
@@ -60,7 +60,7 @@ sub initialize_package_globals( $$$ ) {
    Shorewall::Config::initialize($family, $_[1], $_[2]);
    Shorewall::Chains::initialize ($family, 1, $export );
    Shorewall::Zones::initialize ($family, $_[0]);
-    Shorewall::Nat::initialize;
+    Shorewall::Nat::initialize($family);
    Shorewall::Providers::initialize($family);
    Shorewall::Tc::initialize($family);
    Shorewall::Accounting::initialize;
@@ -511,7 +511,11 @@ EOF
    #
    emit(
 '    run_refreshed_exit',
-'    do_iptables -N shorewall',
+'    do_iptables -N shorewall' );
+
+    emit ( '    do_iptables -A shorewall -m recent --set --name %CURRENTTIME' ) if have_capability 'RECENT_MATCH';
+
+    emit(
 "    set_state Started $config_dir",
 '    [ $0 = ${VARDIR}/firewall ] || cp -f $(my_pathname) ${VARDIR}/firewall',
 'else',
@@ -533,8 +537,14 @@ EOF
    emit<<"EOF";
    run_start_exit
    do_iptables -N shorewall
+EOF
+
+    emit ( '    do_iptables -A shorewall -m recent --set --name %CURRENTTIME' ) if have_capability 'RECENT_MATCH';
+
+    emit<<"EOF";
    set_state Started $config_dir
-    [ \$0 = \${VARDIR}/firewall ] || cp -f \$(my_pathname) \${VARDIR}/firewall
+    my_pathname=\$(my_pathname)
+    [ \$my_pathname = \${VARDIR}/firewall ] || cp -f \$my_pathname \${VARDIR}/firewall
    run_started_exit
 fi
 EOF
@@ -741,6 +751,8 @@ sub compiler {
 	  ''
 	);

+    setup_accept_ra if $family == F_IPV6;
+
    if ( $scriptfilename || $debug ) {
 	emit 'return 0';
 	pop_indent;
@@ -793,22 +805,18 @@ sub compiler {
    #       (Produces no output to the compiled script -- rules are stored in the chain table)
    #
    process_tos;
-
-    if ( $family == F_IPV4 ) {
-	#
-	# ECN
-	#
-	setup_ecn if have_capability( 'MANGLE_ENABLED' ) && $config{MANGLE_ENABLED};
-	#
-	# Setup Masquerading/SNAT
-	#
-	setup_masq;
-	#
-	# Setup Nat
-	#
-	setup_nat;
-    }
-
+    #
+    # ECN
+    #
+    setup_ecn if $family == F_IPV4 && have_capability( 'MANGLE_ENABLED' ) && $config{MANGLE_ENABLED};
+    #
+    # Setup Masquerading/SNAT
+    #
+    setup_masq;
+    #
+    # Setup Nat
+    #
+    setup_nat if $family == F_IPV4;
    #
    # Setup NETMAP
    #
@@ -830,6 +838,10 @@ sub compiler {
    #
    setup_tunnels;
    #
+    # Clear the current filename
+    #
+    clear_currentfilename;
+    #
    # MACLIST Filtration again
    #
    setup_mac_lists 2;
@@ -903,6 +915,10 @@ sub compiler {
 	# And generate the auxilary config file
 	#
 	enable_script, generate_aux_config if $export;
+	#
+	# Report used/required capabilities
+	#
+	report_used_capabilities;
    } else {
 	#
 	# Just checking the configuration
@@ -954,6 +970,10 @@ sub compiler {
 	    process_routestopped;
 	    process_stoppedrules;
 	}
+	#
+	# Report used/required capabilities
+	#
+	report_used_capabilities;

 	if ( $family == F_IPV4 ) {
 	    progress_message3 "Shorewall configuration verified";
--- a/Shorewall/Perl/Shorewall/Config.pm
+++ b/Shorewall/Perl/Shorewall/Config.pm
--- a/Shorewall/Perl/Shorewall/IPAddrs.pm
+++ b/Shorewall/Perl/Shorewall/IPAddrs.pm
@@ -48,6 +48,9 @@ our @EXPORT = ( qw( ALLIPv4
 		  ALLIP
 		  NILIP
 		  ALL
+		  VLSMv4
+		  VLSMv6
+		  VLSM

 		  valid_address
 		  validate_address
@@ -89,6 +92,7 @@ our @nilipv4 = ( '0.0.0.0' );
 our @nilipv6 = ( '::' );
 our $nilip;
 our @nilip;
+our $vlsm_width;
 our $valid_address;
 our $validate_address;
 our $validate_net;
@@ -110,6 +114,8 @@ use constant { ALLIPv4             => '0.0.0.0/0' ,
 	       IPv6_LINK_ALLRTRS   => 'ff01::2' ,
 	       IPv6_SITE_ALLNODES  => 'ff02::1' ,
 	       IPv6_SITE_ALLRTRS   => 'ff02::2' ,
+	       VLSMv4              => 32,
+	       VLSMv6              => 128,
 	   };

 our @rfc1918_networks = ( "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16" );
@@ -120,7 +126,7 @@ our @rfc1918_networks = ( "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16" );
 sub vlsm_to_mask( $ ) {
    my $vlsm = $_[0];

-    in_hex8 ( ( 0xFFFFFFFF << ( 32 - $vlsm ) ) & 0xFFFFFFFF );
+    in_hex8 ( ( 0xFFFFFFFF << ( VLSMv4 - $vlsm ) ) & 0xFFFFFFFF );
 }

 sub valid_4address( $ ) {
@@ -168,7 +174,6 @@ sub resolve_4dnsname( $ ) {

    @addrs;
 } 
-    

 sub decodeaddr( $ ) {
    my $address = $_[0];
@@ -215,14 +220,14 @@ sub validate_4net( $$ ) {
    }

    if ( defined $vlsm ) {
-        fatal_error "Invalid VLSM ($vlsm)"            unless $vlsm =~ /^\d+$/ && $vlsm <= 32;
+        fatal_error "Invalid VLSM ($vlsm)"            unless $vlsm =~ /^\d+$/ && $vlsm <= VLSMv4;
 	fatal_error "Invalid Network address ($_[0])" if defined $rest;
 	fatal_error "Invalid IP address ($net)"       unless valid_4address $net;
    } else {
 	fatal_error "Invalid Network address ($_[0])" if $_[0] =~ '/' || ! defined $net;
 	my $net1 = validate_4address $net, $allow_name;
 	$net  = $net1 unless $config{DEFER_DNS_RESOLUTION};
-	$vlsm = 32;
+	$vlsm = VLSMv4;
    }

    if ( defined wantarray ) {
@@ -230,7 +235,7 @@ sub validate_4net( $$ ) {
 	    assert( ! $allow_name );
 	    ( decodeaddr( $net ) , $vlsm );
 	} elsif ( valid_4address $net ) {
-	    $vlsm == 32 ? $net : "$net/$vlsm";
+	    $vlsm == VLSMv4 ? $net : "$net/$vlsm";
 	} else {
 	    $net;
 	}
@@ -401,10 +406,11 @@ sub validate_portpair( $$ ) {
 	$what = 'port';
    }

-    fatal_error "Using a $what ( $portpair ) requires PROTO TCP, UDP, SCTP or DCCP" unless
-	defined $protonum && ( $protonum == TCP  ||
-			       $protonum == UDP  ||
-			       $protonum == SCTP ||
+    fatal_error "Using a $what ( $portpair ) requires PROTO TCP, UDP, UDPLITE, SCTP or DCCP" unless
+	defined $protonum && ( $protonum == TCP     ||
+			       $protonum == UDP     ||
+			       $protonum == UDPLITE ||
+			       $protonum == SCTP    ||
 			       $protonum == DCCP );
    join ':', @ports;

@@ -646,8 +652,19 @@ sub resolve_6dnsname( $ ) {
 } 

 sub validate_6net( $$ ) {
-    my ($net, $vlsm, $rest) = split( '/', $_[0], 3 );
-    my $allow_name = $_[0];
+    my ( $net, $allow_name ) = @_;
+
+    if ( $net =~ /^\[(.+)]$/ ) {
+	$net = $1;
+    } elsif ( $net =~ /^\[(.+)\]\/(\d+)$/ ) {
+	$net = join( '/', $1, $2 );
+    }
+
+    fatal_error "Invalid Network Address($net)" if $net =~ /\[/;
+
+    ($net, my $vlsm, my $rest) = split( '/', $net, 3 );
+
+    fatal_error 'Invalid Network Address(' . join( '/', $net, $vlsm, $rest ) if defined $rest;

    if ( $net =~ /\+(\[?)/ ) {
 	if ( $1 ) {
@@ -661,17 +678,16 @@ sub validate_6net( $$ ) {

    fatal_error "Invalid Network address ($_[0])" unless supplied $net;

-    $net = $1 if $net =~ /^\[(.*)\]$/;

    if ( defined $vlsm ) {
-        fatal_error "Invalid VLSM ($vlsm)"              unless $vlsm =~ /^\d+$/ && $vlsm <= 128;
+        fatal_error "Invalid VLSM ($vlsm)"              unless $vlsm =~ /^\d+$/ && $vlsm <= VLSMv6;
 	fatal_error "Invalid Network address ($_[0])"   if defined $rest;
 	fatal_error "Invalid IPv6 address ($net)"       unless valid_6address $net;
    } else {
 	fatal_error "Invalid Network address ($_[0])" if $_[0] =~ '/';
 	my $net1 = validate_6address $net, $allow_name;
 	$net  = $net1 unless $config{DEFER_DNS_RESOLUTION};
-	$vlsm = 128;
+	$vlsm = VLSMv6;
    }

    if ( defined wantarray ) {
@@ -679,7 +695,7 @@ sub validate_6net( $$ ) {
 	    assert( ! $allow_name );
 	    ( $net , $vlsm );
 	} elsif ( valid_6address ( $net ) ) {
-	    $vlsm == 32 ? $net : "$net/$vlsm";
+	    $vlsm == VLSMv6 ? $net : "$net/$vlsm";
 	} else {
 	    $net;
 	}
@@ -751,8 +767,8 @@ my %ipv6_icmp_types = ( any                          => 'any',
 			'destination-unreachable'    => 1,
 			'no-route'                   => '1/0',
 			'communication-prohibited'   => '1/1',
-			'address-unreachable'        => '1/2',
-			'port-unreachable'           => '1/3',
+			'address-unreachable'        => '1/3',
+			'port-unreachable'           => '1/4',
 			'packet-too-big'             =>  2,
 			'time-exceeded'              =>  3,
 			'ttl-exceeded'               =>  3,
@@ -801,6 +817,10 @@ sub nilip() {
    @nilip;
 }

+sub VLSM() {
+    $vlsm_width;
+}
+
 sub valid_address ( $ ) {
    $valid_address->(@_);
 }
@@ -843,6 +863,7 @@ sub initialize( $ ) {
 	@allip            = @allipv4;
 	$nilip            = NILIPv4;
 	@nilip            = @nilipv4;
+	$vlsm_width       = VLSMv4;
 	$valid_address    = \&valid_4address;
 	$validate_address = \&validate_4address;
 	$validate_net     = \&validate_4net;
@@ -854,6 +875,7 @@ sub initialize( $ ) {
 	@allip            = @allipv6;
 	$nilip            = NILIPv6;
 	@nilip            = @nilipv6;
+	$vlsm_width       = VLSMv6;
 	$valid_address    = \&valid_6address;
 	$validate_address = \&validate_6address;
 	$validate_net     = \&validate_6net;
--- a/Shorewall/Perl/Shorewall/Misc.pm
+++ b/Shorewall/Perl/Shorewall/Misc.pm
@@ -118,6 +118,7 @@ sub process_tos() {
 	    expand_rule
 		$chainref ,
 		$restriction ,
+		'',
 		do_proto( $proto, $ports, $sports ) . do_test( $mark , $globals{TC_MASK} ) ,
 		$src ,
 		$dst ,
@@ -199,7 +200,7 @@ sub setup_blacklist() {
    my $zones1 = find_zones_by_option 'blacklist', 'out';
    my $chainref;
    my $chainref1;
-    my ( $level, $disposition ) = @config{'BLACKLIST_LOGLEVEL', 'BLACKLIST_DISPOSITION' };
+    my ( $level, $disposition ) = @config{'BLACKLIST_LOG_LEVEL', 'BLACKLIST_DISPOSITION' };
    my $audit       = $disposition =~ /^A_/;
    my $target      = $disposition eq 'REJECT' ? 'reject' : $disposition;
    my $orig_target = $target;
@@ -283,6 +284,7 @@ sub setup_blacklist() {
 				expand_rule(
 					    $chainref ,
 					    NO_RESTRICT ,
+					    '' ,
 					    do_proto( $protocol , $ports, '' ) ,
 					    $networks,
 					    '',
@@ -303,6 +305,7 @@ sub setup_blacklist() {
 				expand_rule(
 					    $chainref1 ,
 					    NO_RESTRICT ,
+					    '' ,
 					    do_proto( $protocol , $ports, '' ) ,
 					    '',
 					    $networks,
@@ -379,7 +382,7 @@ sub remove_blacklist( $ ) {
 sub convert_blacklist() {
    my $zones  = find_zones_by_option 'blacklist', 'in';
    my $zones1 = find_zones_by_option 'blacklist', 'out';
-    my ( $level, $disposition ) = @config{'BLACKLIST_LOGLEVEL', 'BLACKLIST_DISPOSITION' };
+    my ( $level, $disposition ) = @config{'BLACKLIST_LOG_LEVEL', 'BLACKLIST_DISPOSITION' };
    my $audit       = $disposition =~ /^A_/;
    my $target      = $disposition eq 'REJECT' ? 'reject' : $disposition;
    my $orig_target = $target;
@@ -733,6 +736,7 @@ sub process_stoppedrules() {
 		for my $proto ( split_list $protos, 'Protocol' ) {
 		    expand_rule( $chainref ,
 				 $restriction ,
+				 '' ,
 				 do_proto( $proto, $ports, $sports ) ,
 				 $source ,
 				 $dest ,
@@ -766,7 +770,7 @@ sub add_common_rules ( $ ) {

    my @state     = state_imatch( $globals{BLACKLIST_STATES} );
    my $faststate = $config{RELATED_DISPOSITION} eq 'ACCEPT' && $config{RELATED_LOG_LEVEL} eq '' ? 'ESTABLISHED,RELATED' : 'ESTABLISHED';
-    my $level     = $config{BLACKLIST_LOGLEVEL};
+    my $level     = $config{BLACKLIST_LOG_LEVEL};
    my $rejectref = $filter_table->{reject};

    if ( $config{DYNAMIC_BLACKLIST} ) {
@@ -828,11 +832,12 @@ sub add_common_rules ( $ ) {
    }

    for $interface ( all_real_interfaces ) {
-	ensure_chain( 'filter', $_ ) for first_chains( $interface ), output_chain( $interface ), option_chains( $interface ), output_option_chain( $interface );
+	ensure_chain( 'filter', $_ )->{origin} = interface_origin( $interface )
+	    for first_chains( $interface ), output_chain( $interface ), option_chains( $interface ), output_option_chain( $interface );

 	my $interfaceref = find_interface $interface;

-	unless ( $interfaceref->{options}{ignore} & NO_SFILTER || $interfaceref->{options}{rpfilter} ) {
+	unless ( $interfaceref->{options}{ignore} & NO_SFILTER || $interfaceref->{options}{rpfilter} || $interfaceref->{physical} eq 'lo' ) {

 	    my @filters = @{$interfaceref->{filter}};

@@ -856,7 +861,7 @@ sub add_common_rules ( $ ) {

 	    for ( option_chains( $interface ) ) {
 		add_ijump( $filter_table->{$_}, j => $dynamicref, @state ) if $dynamicref;
-		add_ijump( $filter_table->{$_}, j => 'ACCEPT', state_imatch $faststate ) if $config{FASTACCEPT};
+		add_ijump( $filter_table->{$_}, j => 'ACCEPT', state_imatch $faststate )->{comment} = '' if $config{FASTACCEPT};
 	    }
 	}
    }
@@ -922,14 +927,13 @@ sub add_common_rules ( $ ) {
 	if ( supplied $config{SMURF_LOG_LEVEL} ) {
 	    my $smurfref = new_chain( 'filter', 'smurflog' );

-	    log_rule_limit( $config{SMURF_LOG_LEVEL},
-			    $smurfref,
-			    'smurfs' ,
-			    'DROP',
-			    $globals{LOGLIMIT},
-			    '',
-			    'add',
-			    '' );
+	    log_irule_limit( $config{SMURF_LOG_LEVEL},
+			     $smurfref,
+			     'smurfs' ,
+			     'DROP',
+			     $globals{LOGILIMIT},
+			     '',
+			     'add' );
 	    add_ijump( $smurfref, j => 'AUDIT', targetopts => '--type drop' ) if $smurfdest eq 'A_DROP';
 	    add_ijump( $smurfref, j => 'DROP' );

@@ -1039,7 +1043,7 @@ sub add_common_rules ( $ ) {
 		add_ijump( $filter_table->{input_chain( $interface ) } ,
 			   j => 'ACCEPT' ,
 			   p => "udp --dport $ports" ,
-			   s => NILIPv4 . '/32' );
+			   s => NILIPv4 . '/' . VLSMv4 );
 	    }
 	}
    }
@@ -1165,7 +1169,7 @@ sub setup_mac_lists( $ ) {
    my $target      = $globals{MACLIST_TARGET};
    my $level       = $config{MACLIST_LOG_LEVEL};
    my $disposition = $config{MACLIST_DISPOSITION};
-    my $audit       = $disposition =~ /^A_/;
+    my $audit       = ( $disposition =~ s/^A_// );
    my $ttl         = $config{MACLIST_TTL};

    progress_message2 "$doing MAC Filtration -- Phase $phase...";
@@ -1281,6 +1285,8 @@ sub setup_mac_lists( $ ) {
 	#
 	# Phase II
 	#
+	ensure_audit_chain( $target, $disposition, undef, $table ) if $audit;
+
 	for my $interface ( @maclist_interfaces ) {
 	    my $chainref = $chain_table{$table}{( $ttl ? macrecent_target $interface : mac_chain $interface )};
 	    my $chain    = $chainref->{name};
@@ -1328,7 +1334,7 @@ sub setup_mac_lists( $ ) {

 	    run_user_exit2( 'maclog', $chainref );

-	    log_rule_limit $level, $chainref , $chain , $disposition, '', '', 'add', '' if $level ne '';
+	    log_irule_limit $level, $chainref , $chain , $disposition, [], '', 'add' if $level ne '';
 	    add_ijump $chainref, j => $target;
 	}
    }
@@ -1392,7 +1398,7 @@ sub generate_source_rules( $$$;@ ) {
    my ( $outchainref, $z1, $z2, @matches ) = @_;
    my $chain = rules_target ( $z1, $z2 );

-    if ( $chain ) {
+    if ( $chain && $chain ne 'NONE' ) {
 	#
 	# Not a CONTINUE policy with no rules
 	#
@@ -1417,11 +1423,14 @@ sub generate_source_rules( $$$;@ ) {
 # Loopback traffic -- this is where we assemble the intra-firewall chains
 #
 sub handle_loopback_traffic() {
-    my @zones   = ( vserver_zones, firewall_zone );
-    my $natout  = $nat_table->{OUTPUT};
-    my $rawout  = $raw_table->{OUTPUT};
-    my $rulenum = 0;
+    my @zones    = ( vserver_zones, firewall_zone );
+    my $natout   = $nat_table->{OUTPUT};
+    my $rawout   = $raw_table->{OUTPUT};
+    my $rulenum  = 0;
+    my $loopback = loopback_zones;
+    my $loref    = known_interface('lo');

+    my $unmanaged;
    my $outchainref;
    my @rule;

@@ -1435,8 +1444,13 @@ sub handle_loopback_traffic() {
 	#
 	# Only the firewall -- just use the OUTPUT chain
 	#
-	$outchainref = $filter_table->{OUTPUT};
-	@rule = ( o => 'lo');
+	if ( $unmanaged = $loref && $loref->{options}{unmanaged} ) {
+	    add_ijump( $filter_table->{INPUT},  j => 'ACCEPT', i => 'lo' );
+	    add_ijump( $filter_table->{OUTPUT}, j => 'ACCEPT', o => 'lo' );
+	} else {
+	    $outchainref = $filter_table->{OUTPUT};
+	    @rule = ( o => 'lo');
+	}
    }

    for my $z1 ( @zones ) {
@@ -1449,8 +1463,9 @@ sub handle_loopback_traffic() {
 	#
 	if ( $type1 == FIREWALL ) {
 	    for my $z2 ( @zones ) {
-		my $chain = rules_target( $z1, $z2 );
+		next if $z1 eq $z2 && ( $loopback || $unmanaged );

+		my $chain = rules_target( $z1, $z2 );
 		generate_dest_rules( $outchainref, $chain, $z2, @rule ) if $chain;
 	    }
 	    #
@@ -1511,9 +1526,9 @@ sub add_interface_jumps {
    our %input_jump_added;
    our %output_jump_added;
    our %forward_jump_added;
-    my  $lo_jump_added = 0;
    my @interfaces = grep $_ ne '%vserver%', @_;
    my $dummy;
+    my $lo_jump_added = interface_zone( 'lo' ) && ! get_interface_option( 'lo', 'destonly' );
    #
    # Add Nat jumps
    #
@@ -1622,6 +1637,8 @@ sub handle_complex_zone( $$ ) {
 	    my @interfacematch;
 	    my $interfaceref = find_interface $interface;

+	    next if $interfaceref->{options}{destonly};
+
 	    if ( use_forward_chain( $interface, $sourcechainref ) ) {
 		#
 		# Use the interface forward chain
@@ -2070,7 +2087,7 @@ sub optimize1_zones( $$@ ) {
 # nat-table rules.
 #
 sub generate_matrix() {
-    my @interfaces = ( all_interfaces );
+    my @interfaces = ( managed_interfaces );
    #
    # Should this be the real PREROUTING chain?
    #
@@ -2110,6 +2127,7 @@ sub generate_matrix() {
 	my $nested           = @{$zoneref->{parents}};
 	my $parenthasnat     = 0;
 	my $parenthasnotrack = 0;
+	my $type             = $zoneref->{type};
 	#
 	# Create the zone's dnat chain
 	#
@@ -2185,6 +2203,7 @@ sub generate_matrix() {
 	    #
 	    for my $zone1 ( @dest_zones ) {
 		my $zone1ref = find_zone( $zone1 );
+		my $type1    = $zone1ref->{type};

 		next if $filter_table->{rules_chain( ${zone}, ${zone1} )}->{policy}  eq 'NONE';

@@ -2198,7 +2217,7 @@ sub generate_matrix() {
 		    next if ( $num_ifaces = scalar( keys ( %{$zoneref->{interfaces}} ) ) ) < 2 && ! $zoneref->{options}{in_out}{routeback};
 		}

-		if ( $zone1ref->{type} & BPORT ) {
+		if ( $type1 & BPORT ) {
 		    next unless $zoneref->{bridge} eq $zone1ref->{bridge};
 		}

@@ -2237,17 +2256,23 @@ sub generate_matrix() {

    add_interface_jumps @interfaces unless $interface_jumps_added;

-    my %builtins = ( mangle => [ qw/PREROUTING INPUT FORWARD POSTROUTING/ ] ,
-		     nat=>     [ qw/PREROUTING OUTPUT POSTROUTING/ ] ,
-		     filter=>  [ qw/INPUT FORWARD OUTPUT/ ] );
-
    unless ( $config{COMPLETE} ) {
+	for ( unmanaged_interfaces ) {
+	    my $physical = get_physical $_;
+	    add_ijump( $filter_table->{INPUT},  j => 'ACCEPT', i => $physical );
+	    add_ijump( $filter_table->{OUTPUT}, j => 'ACCEPT', o => $physical );
+	}
+
 	complete_standard_chain $filter_table->{INPUT}   , 'all' , firewall_zone , 'DROP';
 	complete_standard_chain $filter_table->{OUTPUT}  , firewall_zone , 'all', 'REJECT';
 	complete_standard_chain $filter_table->{FORWARD} , 'all' , 'all', 'REJECT';
    }

    if ( $config{LOGALLNEW} ) {
+	my %builtins = ( mangle => [ qw/PREROUTING INPUT FORWARD POSTROUTING/ ] ,
+			 nat=>     [ qw/PREROUTING OUTPUT POSTROUTING/ ] ,
+			 filter=>  [ qw/INPUT FORWARD OUTPUT/ ] );
+
 	for my $table ( qw/mangle nat filter/ ) {
 	    for my $chain ( @{$builtins{$table}} ) {
 		log_rule_limit
@@ -2258,7 +2283,7 @@ sub generate_matrix() {
 		    '' ,
 		    '' ,
 		    'insert' ,
-		    "$globals{STATEMATCH} NEW ";
+		    state_match('NEW');
 	    }
 	}
    }
@@ -2429,7 +2454,7 @@ EOF
    #
    # Enable automatic helper association on kernel 3.5.0 and later
    #
-    if [ -f /proc/sys/net/netfilter/nf_conntrack_helper ]; then
+    if [ $COMMAND = clear -a -f /proc/sys/net/netfilter/nf_conntrack_helper ]; then
        echo 1 > /proc/sys/net/netfilter/nf_conntrack_helper
    fi

--- a/Shorewall/Perl/Shorewall/Nat.pm
+++ b/Shorewall/Perl/Shorewall/Nat.pm
@@ -29,7 +29,7 @@ use Shorewall::Config qw(:DEFAULT :internal);
 use Shorewall::IPAddrs;
 use Shorewall::Zones;
 use Shorewall::Chains qw(:DEFAULT :internal);
-use Shorewall::Providers qw( lookup_provider );
+use Shorewall::Providers qw( provider_realm );

 use strict;

@@ -44,11 +44,13 @@ our $VERSION = 'MODULEVERSION';

 our @addresses_to_add;
 our %addresses_to_add;
+our $family;

 #
 # Called by the compiler
 #
-sub initialize() {
+sub initialize($) {
+    $family = shift;
    @addresses_to_add = ();
    %addresses_to_add = ();
 }
@@ -61,7 +63,7 @@ sub process_one_masq1( $$$$$$$$$$ )
    my ($interfacelist, $networks, $addresses, $proto, $ports, $ipsec, $mark, $user, $condition, $origdest ) = @_;

    my $pre_nat;
-    my $add_snat_aliases = $config{ADD_SNAT_ALIASES};
+    my $add_snat_aliases = $family == F_IPV4 && $config{ADD_SNAT_ALIASES};
    my $destnets = '';
    my $baserule = '';

@@ -72,28 +74,33 @@ sub process_one_masq1( $$$$$$$$$$ )
    #
    # Parse the remaining part of the INTERFACE column
    #
-    if ( $interfacelist =~ /^([^:]+)::([^:]*)$/ ) {
-	$add_snat_aliases = 0;
-	$destnets = $2;
-	$interfacelist = $1;
-    } elsif ( $interfacelist =~ /^([^:]+:[^:]+):([^:]+)$/ ) {
-	$destnets = $2;
-	$interfacelist = $1;
-    } elsif ( $interfacelist =~ /^([^:]+):$/ ) {
-	$add_snat_aliases = 0;
-	$interfacelist = $1;
-    } elsif ( $interfacelist =~ /^([^:]+):([^:]*)$/ ) {
-	my ( $one, $two ) = ( $1, $2 );
-	if ( $2 =~ /\./ || $2 =~ /^%/ ) {
-	    $interfacelist = $one;
-	    $destnets = $two;
+    if ( $family == F_IPV4 ) {
+	if ( $interfacelist =~ /^([^:]+)::([^:]*)$/ ) {
+	    $add_snat_aliases = 0;
+	    $destnets = $2;
+	    $interfacelist = $1;
+	} elsif ( $interfacelist =~ /^([^:]+:[^:]+):([^:]+)$/ ) {
+	    $destnets = $2;
+	    $interfacelist = $1;
+	} elsif ( $interfacelist =~ /^([^:]+):$/ ) {
+	    $add_snat_aliases = 0;
+	    $interfacelist = $1;
+	} elsif ( $interfacelist =~ /^([^:]+):([^:]*)$/ ) {
+	    my ( $one, $two ) = ( $1, $2 );
+	    if ( $2 =~ /\./ || $2 =~ /^%/ ) {
+		$interfacelist = $one;
+		$destnets = $two;
+	    }
 	}
+    } elsif ( $interfacelist =~ /^(.+?):(.+)$/ ) {
+	$interfacelist = $1;
+	$destnets      = $2;
    }
    #
    # If there is no source or destination then allow all addresses
    #
-    $networks = ALLIPv4 if $networks eq '-';
-    $destnets = ALLIPv4 if $destnets eq '-';
+    $networks = ALLIP if $networks eq '-';
+    $destnets = ALLIP if $destnets eq '-';

    #
    # Handle IPSEC options, if any
@@ -133,8 +140,11 @@ sub process_one_masq1( $$$$$$$$$$ )
 	if ( $interface =~ /(.*)[(](\w*)[)]$/ ) {
 	    $interface = $1;
 	    my $provider  = $2;
+
+	    fatal_error "Missing Provider ($fullinterface)" unless supplied $provider;
+
 	    $fullinterface =~ s/[(]\w*[)]//;
-	    my $realm = lookup_provider( $provider );
+	    my $realm = provider_realm( $provider );

 	    fatal_error "$provider is not a shared-interface provider" unless $realm;

@@ -162,6 +172,7 @@ sub process_one_masq1( $$$$$$$$$$ )
 	#
 	if ( $addresses ne '-' ) {
 	    if ( $addresses eq 'random' ) {
+		require_capability( 'MASQUERADE_TGT', 'Masquerade rules', '') if $family == F_IPV6;
 		$randomize = '--random ';
 	    } else {
 		$addresses =~ s/:persistent$// and $persistent = ' --persistent ';
@@ -183,48 +194,129 @@ sub process_one_masq1( $$$$$$$$$$ )
 			$detectaddress = 1;
 		    }
 		} elsif ( $addresses eq 'NONAT' ) {
+		    fatal_error "'persistent' may not be specified with 'NONAT'" if $persistent;
+		    fatal_error "'random' may not be specified with 'NONAT'"     if $randomize;
 		    $target = 'RETURN';
 		    $add_snat_aliases = 0;
-		} else {
+		} elsif ( $addresses ) {
 		    my $addrlist = '';
-		    for my $addr ( split_list $addresses , 'address' ) {
+		    my @addrs = split_list $addresses, 'address';
+
+		    fatal_error "Only one IPv6 ADDRESS may be specified" if $family == F_IPV6 && @addrs > 1;
+
+		    for my $addr ( @addrs ) {
 			if ( $addr =~ /^([&%])(.+)$/ ) {
 			    my ( $type, $interface ) = ( $1, $2 );
+
+			    my $ports = '';
+
+			    if ( $interface =~ s/:(.+)$// ) {
+				validate_portpair1( $proto, $1 );
+				$ports = ":$1";
+			    }
+			    #
+			    # Address Variable
+			    #
 			    $target = 'SNAT ';
 			    if ( $interface =~ /^{([a-zA-Z_]\w*)}$/ ) {
+				#
+				# User-defined address variable
+				#
 				$conditional = conditional_rule( $chainref, $addr );
-				$addrlist .= '--to-source ' . "\$$1 ";
-			    } elsif ( $conditional = conditional_rule( $chainref, $addr ) ) {
-				$addrlist .= '--to-source ' . get_interface_address $interface;
+				$addrlist .= '--to-source ' . "\$${1}${ports} ";
 			    } else {
-				$addrlist .= '--to-source ' . record_runtime_address( $type, $interface );
+				if ( $conditional = conditional_rule( $chainref, $addr ) ) {
+				    #
+				    # Optional Interface -- rule is conditional
+				    #
+				    $addr = get_interface_address $interface;
+				} else {
+				    #
+				    # Interface is not optional
+				    #
+				    $addr = record_runtime_address( $type, $interface );
+				}
+
+				if ( $ports ) {
+				    $addr =~ s/ $//;
+				    $addr = $family == F_IPV4 ? "${addr}${ports} " : "[$addr]$ports ";
+				}
+
+				$addrlist .= '--to-source ' . $addr;
 			    }
-			} elsif ( $addr =~ /^.*\..*\..*\./ ) {
-			    $target = 'SNAT ';
-			    my ($ipaddr, $rest) = split ':', $addr;
-			    if ( $ipaddr =~ /^(.+)-(.+)$/ ) {
-				validate_range( $1, $2 );
+			} elsif ( $family == F_IPV4 ) {
+			    if ( $addr =~ /^.*\..*\..*\./ ) {
+				$target = 'SNAT ';
+				my ($ipaddr, $rest) = split ':', $addr;
+				if ( $ipaddr =~ /^(.+)-(.+)$/ ) {
+				    validate_range( $1, $2 );
+				} else {
+				    validate_address $ipaddr, 0;
+				}
+				validate_portpair1( $proto, $rest ) if supplied $rest;
+				$addrlist .= "--to-source $addr ";
+				$exceptionrule = do_proto( $proto, '', '' ) if $addr =~ /:/;
 			    } else {
-				validate_address $ipaddr, 0;
+				my $ports = $addr;
+				$ports =~ s/^://;
+				validate_portpair1( $proto, $ports );
+				$addrlist .= "--to-ports $ports ";
+				$exceptionrule = do_proto( $proto, '', '' );
 			    }
-			    $addrlist .= "--to-source $addr ";
-			    $exceptionrule = do_proto( $proto, '', '' ) if $addr =~ /:/;
 			} else {
-			    my $ports = $addr;
-			    $ports =~ s/^://;
-			    validate_portpair1( $proto, $ports );
-			    $addrlist .= "--to-ports $ports ";
-			    $exceptionrule = do_proto( $proto, '', '' );
+			    $target = 'SNAT ';
+
+			    if ( $addr =~ /^\[/ ) {
+				#
+				# Can have ports specified
+				#
+				my $ports;
+
+				if ( $addr =~ s/:([^]:]+)$// ) {
+				    $ports = $1;
+				}
+
+				fatal_error "Invalid IPv6 Address ($addr)" unless $addr =~ /^\[(.+)\]$/;
+
+				$addr = $1;
+
+				if ( $addr =~ /^(.+)-(.+)$/ ) {
+				    fatal_error "Correct address range syntax is '[<addr1>-<addr2>]'" if $addr =~ /]-\[/;
+				    validate_range( $1, $2 );
+				} else {
+				    validate_address $addr, 0;
+				}
+
+				if ( supplied $ports ) {
+				    validate_portpair1( $proto, $ports );
+				    $exceptionrule = do_proto( $proto, '', '' );
+				    $addr = "[$addr]:$ports";
+				}
+
+				$addrlist .= "--to-source $addr ";
+			    } else {
+				if ( $addr =~ /^(.+)-(.+)$/ ) {
+				    validate_range( $1, $2 );
+				} else {
+				    validate_address $addr, 0;
+				}
+
+				$addrlist .= "--to-source $addr ";
+			    }
 			}
 		    }

 		    $target .= $addrlist;
+		} else {
+		    fatal_error( "':persistent' is not allowed in a MASQUERADE rule" ) if $persistent;
+		    require_capability( 'MASQUERADE_TGT', 'Masquerade rules', '' )     if $family == F_IPV6;
 		}
 	    }

 	    $target .= $randomize;
 	    $target .= $persistent;
 	} else {
+	    require_capability( 'MASQUERADE_TGT', 'Masquerade rules', '' )  if $family == F_IPV6;
 	    $add_snat_aliases = 0;
 	}
 	#
@@ -232,6 +324,7 @@ sub process_one_masq1( $$$$$$$$$$ )
 	#
 	expand_rule( $chainref ,
 		     POSTROUTE_RESTRICT ,
+		     '' ,
 		     $baserule . $rule ,
 		     $networks ,
 		     $destnets ,
@@ -239,7 +332,8 @@ sub process_one_masq1( $$$$$$$$$$ )
 		     $target ,
 		     '' ,
 		     '' ,
-		     $exceptionrule );
+		     $exceptionrule )
+	    unless unreachable_warning( 0, $chainref );

 	conditional_rule_end( $chainref ) if $detectaddress || $conditional;

@@ -288,7 +382,7 @@ sub setup_masq()
 {
    if ( my $fn = open_file( 'masq', 1, 1 ) ) {

-	first_entry( sub { progress_message2 "$doing $fn..."; require_capability 'NAT_ENABLED' , 'a non-empty masq file' , 's'; } );
+	first_entry( sub { progress_message2 "$doing $fn..."; require_capability 'NAT_ENABLED' , "a non-empty masq file" , 's'; } );

 	process_one_masq while read_a_line( NORMAL_READ );
    }
@@ -521,7 +615,7 @@ sub setup_netmap() {
 #
 # Called from process_rule1 to add a rule to the NAT table
 #
-sub handle_nat_rule( $$$$$$$$$$$$ ) {
+sub handle_nat_rule( $$$$$$$$$$$$$ ) {
    my ( $dest,           # <server>[:port]
 	 $proto,          # Protocol
 	 $ports,          # Destination port list
@@ -534,6 +628,7 @@ sub handle_nat_rule( $$$$$$$$$$$$ ) {
 	 $source,         # Source Address
 	 $loglevel,       # [<level>[:<tag>]]
 	 $log_action,     # Action name to include in the log message
+	 $wildcard        # Part of a wildcard rule
       ) = @_;

    my ( $server, $serverport , $origdstports ) = ( '', '', '' );
@@ -542,13 +637,17 @@ sub handle_nat_rule( $$$$$$$$$$$$ ) {
    #
    # Isolate server port
    #
-    if ( $dest =~ /^(.*)(?::(.+))$/ ) {
+    if ( ( $family == F_IPV4 && $dest =~ /^(.*)(?::(.+))$/ ) || ( $family == F_IPV6 && $dest =~ /^\[(.*)]:(.+)$/ ) ) {
 	#
 	# Server IP and Port
 	#
 	$server = $1;      # May be empty
 	$serverport = $2;  # Not Empty due to RE

+	my ( $p ) = split( ':', $proto ); # Might be "tcp:syn"
+
+	require_capability( 'UDPLITEREDIRECT', 'UDPLITE Port Redirection', 's' ) if resolve_proto( $p ) == UDPLITE; 
+
 	$origdstports = validate_port( $proto, $ports )	if $ports && $ports ne '-' && port_count( $ports ) == 1;

 	if ( $serverport =~ /^(\d+)-(\d+)$/ ) {
@@ -597,20 +696,42 @@ sub handle_nat_rule( $$$$$$$$$$$$ ) {
 	if ( $server eq '' ) {
 	    fatal_error "A server and/or port must be specified in the DEST column in $action rules" unless $serverport;
 	} elsif ( $server =~ /^(.+)-(.+)$/ ) {
-	    validate_range( $1, $2 );
-	} else {
-	    unless ( $server eq ALLIP ) {
-		my @servers = validate_address $server, 1;
-		$server = join ',', @servers;
+	    if ( $family == F_IPV4 ) {
+		validate_range( $1, $2 );
+	    } else {
+		my ( $addr1, $addr2 ) = ( $1, $2 );
+
+		if ( $server =~ /^\[(.+)\]$/ ) {
+		    $server = $1;
+		    fatal_error "Correct address range syntax is '[<addr1>-<addr2>]'" if $server =~ /]-\[/;
+		    assert( $server =~ /^(.+)-(.+)$/ );
+		    ( $addr1, $addr2 ) = ( $1, $2 );
+		}
+
+		validate_range( $addr1, $addr2 );
+		$server = join( '-', $addr1, $addr2 );
 	    }
+	} elsif ( $server eq ALLIP || $server eq NILIP ) {
+	    fatal_error "Invalid or missing server IP address";
+	} else {
+	    $server = $1 if $family == F_IPV6 && $server =~ /^\[(.+)\]$/;
+	    fatal_error "Invalid server IP address ($server)" if $server eq ALLIP || $server eq NILIP;
+	    my @servers = validate_address $server, 1;
+	    $server = join ',', @servers;
 	}

 	if ( $action eq 'DNAT' ) {
 	    $target = $action;
 	    if ( $server ) {
 		$serverport = ":$serverport" if $serverport;
-		for my $serv ( split /,/, $server ) {
-		    $target .= " --to-destination ${serv}${serverport}";
+		if ( $family == F_IPV4 ) {
+		    for my $serv ( split /,/, $server ) {
+			$target .= " --to-destination ${serv}${serverport}";
+		    }
+		} else {
+		    for my $serv ( split /,/, $server ) {
+			$target .= " --to-destination [${serv}]${serverport}";
+		    }
 		}
 	    } else {
 		$target .= " --to-destination :$serverport";
@@ -634,11 +755,13 @@ sub handle_nat_rule( $$$$$$$$$$$$ ) {
    #
    my $firewallsource = $sourceref && ( $sourceref->{type} & ( FIREWALL | VSERVER ) );

-    expand_rule ( ensure_chain ('nat' ,
+    my $chainref = ensure_chain ('nat' ,
 				( $action_chain   ? $action_chain :
 				  $firewallsource ? 'OUTPUT' :
-				  dnat_chain $sourceref->{name} ) ) ,
+				  dnat_chain $sourceref->{name} ) );
+    expand_rule ( $chainref,
 		  $firewallsource ? OUTPUT_RESTRICT : PREROUTE_RESTRICT ,
+		  '' ,
 		  $rule ,
 		  $source ,
 		  $origdest ,
@@ -647,7 +770,8 @@ sub handle_nat_rule( $$$$$$$$$$$$ ) {
 		  $loglevel ,
 		  $log_action ,
 		  $serverport ? do_proto( $proto, '', '' ) : '',
-		);
+		)
+	unless unreachable_warning( $wildcard, $chainref );

    ( $ports, $origdstports, $server );
 }
@@ -655,8 +779,8 @@ sub handle_nat_rule( $$$$$$$$$$$$ ) {
 #
 # Called from process_rule1() to handle the nat table part of the NONAT and ACCEPT+ actions
 #
-sub handle_nonat_rule( $$$$$$$$$$ ) {
-    my ( $action, $source, $dest, $origdest, $sourceref, $inaction, $chain, $loglevel, $log_action, $rule ) = @_;
+sub handle_nonat_rule( $$$$$$$$$$$ ) {
+    my ( $action, $source, $dest, $origdest, $sourceref, $inaction, $chain, $loglevel, $log_action, $rule, $wildcard ) = @_;

    my $sourcezone = $sourceref->{name};
    #
@@ -708,6 +832,7 @@ sub handle_nonat_rule( $$$$$$$$$$ ) {
 	    #
 	    expand_rule( $chn,
 			 PREROUTE_RESTRICT,
+			 '', # Prerule
 			 '', # Rule
 			 '', # Source
 			 '', # Dest
@@ -716,7 +841,9 @@ sub handle_nonat_rule( $$$$$$$$$$ ) {
 			 $loglevel,
 			 $log_action,
 			 '',
-			 dnat_chain( $sourcezone  ) );
+			 dnat_chain( $sourcezone  ) )
+		unless unreachable_warning( $wildcard, $chn );
+
 	    $loglevel = '';
 	    $tgt = $chn->{name};
 	} else {
@@ -726,6 +853,7 @@ sub handle_nonat_rule( $$$$$$$$$$ ) {

    expand_rule( $nonat_chain ,
 		 PREROUTE_RESTRICT ,
+		 '' ,
 		 $rule ,
 		 $source ,
 		 $dest ,
@@ -734,7 +862,8 @@ sub handle_nonat_rule( $$$$$$$$$$ ) {
 		 $loglevel ,
 		 $log_action ,
 		 '',
-	       );
+	       )
+	unless unreachable_warning( $wildcard, $nonat_chain );
 }

 sub add_addresses () {
--- a/Shorewall/Perl/Shorewall/Proc.pm
+++ b/Shorewall/Perl/Shorewall/Proc.pm
@@ -38,6 +38,7 @@ our @EXPORT = qw(
 		 setup_route_filtering
 		 setup_martian_logging
 		 setup_source_routing
+		 setup_accept_ra
 		 setup_forwarding
 		 );
 our @EXPORT_OK = qw( setup_interface_proc );
@@ -214,6 +215,35 @@ sub setup_source_routing( $ ) {
    }
 }

+#
+# Source Routing
+#
+sub setup_accept_ra() {
+
+    my $interfaces = find_interfaces_by_option 'accept_ra';
+
+    if ( @$interfaces ) {
+	progress_message2 "$doing Accept Routing Advertisements...";
+
+	save_progress_message 'Setting up Accept Routing Advertisements...';
+
+	for my $interface ( @$interfaces ) {
+	    my $value = get_interface_option $interface, 'accept_ra';
+	    my $optional = interface_is_optional $interface;
+
+	    $interface = get_physical $interface;
+
+	    my $file = "/proc/sys/net/ipv6/conf/$interface/accept_ra";
+
+	    emit ( "if [ -f $file ]; then" ,
+		   "    echo $value > $file" );
+	    emit ( 'else' ,
+		   "    error_message \"WARNING: Cannot set Accept Source Routing on $interface\"" ) unless $optional;
+	    emit   "fi\n";
+	}
+    }
+}
+
 sub setup_forwarding( $$ ) {
    my ( $family, $first ) = @_;

@@ -297,10 +327,16 @@ sub setup_interface_proc( $ ) {
 	push @emitted, "echo $value > /proc/sys/net/ipv4/conf/$physical/accept_source_route";
    }

-    if ( interface_has_option( $interface, 'sourceroute' , $value ) ) {
-	push @emitted, "echo $value > /proc/sys/net/ipv4/conf/$physical/accept_source_route";
+    if ( interface_has_option( $interface, 'forward' , $value ) ) {
+	push @emitted, "echo $value > /proc/sys/net/ipv6/conf/$physical/forwarding";
    }

+    if ( interface_has_option( $interface, 'accept_ra' , $value ) ) {
+	push @emitted, "if [ -f /proc/sys/net/ipv6/conf/$physical/accept_ra ]; then";
+	push @emitted, "    echo $value > /proc/sys/net/ipv6/conf/$physical/accept_ra";
+	push @emitted, 'fi';
+    }
+	
    if ( @emitted ) {
 	emit( 'if [ $COMMAND = enable ]; then' );
 	push_indent;
--- a/Shorewall/Perl/Shorewall/Providers.pm
+++ b/Shorewall/Perl/Shorewall/Providers.pm
@@ -43,7 +43,7 @@ our @EXPORT = qw( process_providers
 		  setup_load_distribution
 		  have_providers
 	       );
-our @EXPORT_OK = qw( initialize lookup_provider );
+our @EXPORT_OK = qw( initialize provider_realm );
 our $VERSION = '4.4_24';

 use constant { LOCAL_TABLE   => 255,
@@ -104,13 +104,16 @@ sub initialize( $ ) {
    $first_fallback_route   = 1;
    $maxload                = 0;
    $tproxies               = 0;
-
-    %providers  = ( local   => { number => LOCAL_TABLE   , mark => 0 , optional => 0 ,routes => [], rules => [] } ,
-		    main    => { number => MAIN_TABLE    , mark => 0 , optional => 0 ,routes => [], rules => [] } ,
-		    default => { number => DEFAULT_TABLE , mark => 0 , optional => 0 ,routes => [], rules => [] } ,
-		    balance => { number => BALANCE_TABLE , mark => 0 , optional => 0 ,routes => [], rules => [] } ,
-		    unspec  => { number => UNSPEC_TABLE  , mark => 0 , optional => 0 ,routes => [], rules => [] } );
+    #
+    # The 'id' member is initialized in process_providers(), after the .conf file has been processed
+    #
+    %providers  = ( local   => { provider => 'local',   number => LOCAL_TABLE   , mark => 0 , optional => 0 ,routes => [], rules => [] , routedests => {} } ,
+		    main    => { provider => 'main',    number => MAIN_TABLE    , mark => 0 , optional => 0 ,routes => [], rules => [] , routedests => {} } ,
+		    default => { provider => 'default', number => DEFAULT_TABLE , mark => 0 , optional => 0 ,routes => [], rules => [] , routedests => {} } ,
+		    balance => { provider => 'balance', number => BALANCE_TABLE , mark => 0 , optional => 0 ,routes => [], rules => [] , routedests => {} } ,
+		    unspec  => { provider => 'unspec',  number => UNSPEC_TABLE  , mark => 0 , optional => 0 ,routes => [], rules => [] , routedests => {} } );
    @providers = ();
+
 }

 #
@@ -217,14 +220,34 @@ sub copy_table( $$$ ) {
 	 );
 }

-sub copy_and_edit_table( $$$$ ) {
-    my ( $duplicate, $number, $copy, $realm) = @_;
+sub copy_and_edit_table( $$$$$ ) {
+    my ( $duplicate, $number, $id, $copy, $realm) = @_;

    my $filter = $family == F_IPV6 ? q(fgrep -v ' cache ' | sed 's/ via :: / /' | ) : '';
+    my %copied;
+    my @copy;
+    my @bup_copy;
+    my $bup_copy;
+    #
+    # Remove duplicates
+    #
+    for ( split ',', $copy ) {
+	unless ( $copied{$_} ) {
+	    if ( known_interface($_) ) {
+		push @copy, $_;    
+	    } elsif ( $_ =~ /^(?:blackhole|unreachable|prohibit)$/ ) {
+		push @bup_copy, $_;
+            } else {
+		fatal_error "Unknown interface ($_)";
+            }
+	    $copied{$_} = 1;
+	}
+    }
+    $bup_copy = join( '|' , @bup_copy );
    #
    # Map physical names in $copy to logical names
    #
-    $copy = join( '|' , map( physical_name($_) , split( ',' , $copy ) ) );
+    $copy = join( '|' , map( physical_name($_) , @copy ) );
    #
    # Shell and iptables use a different wildcard character
    #
@@ -240,8 +263,13 @@ sub copy_and_edit_table( $$$$ ) {

    emit (  '    case $net in',
 	    '        default)',
-	    '            ;;',
-	    '        *)',
+	    '            ;;' );
+    if ( $bup_copy ) {
+      emit ("        $bup_copy)",
+	    "            run_ip route add table $id \$net \$route $realm",
+	    '            ;;' );
+    }
+    emit (  '        *)',
 	    '            case $(find_device $route) in',
 	    "                $copy)" );
    if ( $family == F_IPV4 ) {
@@ -249,12 +277,12 @@ sub copy_and_edit_table( $$$$ ) {
 		'                        255.255.255.255*)',
 		'                            ;;',
 		'                        *)',
-		"                            run_ip route add table $number \$net \$route $realm",
+		"                            run_ip route add table $id \$net \$route $realm",
 		'                            ;;',
 		'                    esac',
 	     );
    } else {
-	emit (  "                    run_ip route add table $number \$net \$route $realm" );
+	emit (  "                    run_ip route add table $id \$net \$route $realm" );
    }

    emit (  '                    ;;',
@@ -338,8 +366,8 @@ sub balance_fallback_route( $$$$ ) {
    }
 }

-sub start_provider( $$$$ ) {
-    my ($what, $table, $number, $test ) = @_;
+sub start_provider( $$$$$ ) {
+    my ($what, $table, $number, $id, $test ) = @_;

    emit "\n#\n# Add $what $table ($number)\n#";

@@ -353,15 +381,34 @@ sub start_provider( $$$$ ) {
    emit $test;
    push_indent;

-
    if ( $number ) {
-	emit "qt ip -$family route flush table $number";
-	emit "echo \"qt \$IP -$family route flush table $number\" > \${VARDIR}/undo_${table}_routing";
+	emit "qt ip -$family route flush table $id";
+	emit "echo \"\$IP -$family route flush table $id > /dev/null 2>&1\" > \${VARDIR}/undo_${table}_routing";
    } else {
 	emit( "> \${VARDIR}/undo_${table}_routing" );
    }
 }

+#
+# Look up a provider and return it's number. If unknown provider, 0 is returned
+#
+sub lookup_provider( $ ) {
+    my $provider    = $_[0];
+    my $providerref = $providers{ $provider };
+
+    unless ( $providerref ) {
+	my $provider_number = numeric_value $provider;
+
+	if ( defined $provider_number ) {
+	    for ( values %providers ) {
+		$providerref = $_, last if $_->{number} == $provider_number;
+	    }
+	}
+    }
+
+    $providerref ? $providerref->{number} : 0;
+}
+
 #
 # Process a record in the providers file
 #
@@ -395,6 +442,7 @@ sub process_a_provider( $ ) {
    ( $interface, my $address ) = split /:/, $interface;

    my $shared = 0;
+    my $noautosrc = 0;

    if ( defined $address ) {
 	validate_address $address, 0;
@@ -483,6 +531,10 @@ sub process_a_provider( $ ) {
 	    } elsif ( $option =~ /^load=(0?\.\d{1,8})/ ) {
 		$load = $1;
 		require_capability 'STATISTIC_MATCH', "load=$load", 's';
+	    } elsif ( $option eq 'autosrc' ) {
+		$noautosrc = 0;
+	    } elsif ( $option eq 'noautosrc' ) {
+		$noautosrc = 1;
 	    } else {
 		fatal_error "Invalid option ($option)";
 	    }
@@ -497,6 +549,8 @@ sub process_a_provider( $ ) {
 	$maxload += $load;
    }

+    fatal_error "A provider interface must have at least one associated zone" unless $tproxy || %{interface_zones($interface)};
+
    if ( $local ) {
 	fatal_error "GATEWAY not valid with 'local' provider"  unless $gatewaycase eq 'none';
 	fatal_error "'track' not valid with 'local'"           if $track;
@@ -555,13 +609,16 @@ sub process_a_provider( $ ) {

    if ( $duplicate ne '-' ) {
 	fatal_error "The DUPLICATE column must be empty when USE_DEFAULT_RT=Yes" if $config{USE_DEFAULT_RT};
+	my $p = lookup_provider( $duplicate );
+	warning_message "Unknown routing table ($duplicate)" unless $p && ( $p == MAIN_TABLE || $p < BALANCE_TABLE );
    } elsif ( $copy ne '-' ) {
 	fatal_error "The COPY column must be empty when USE_DEFAULT_RT=Yes" if $config{USE_DEFAULT_RT};
-	fatal_error 'A non-empty COPY column requires that a routing table be specified in the DUPLICATE column';
+	fatal_error 'A non-empty COPY column requires that a routing table be specified in the DUPLICATE column' unless $copy eq 'none';
    }

    $providers{$table} = { provider    => $table,
 			   number      => $number ,
+			   id          => $config{USE_RT_NAMES} ? $table : $number,
 			   rawmark     => $mark ,
 			   mark        => $val ? in_hex($val) : $val ,
 			   interface   => $interface ,
@@ -575,6 +632,7 @@ sub process_a_provider( $ ) {
 			   balance     => $balance ,
 			   pref        => $pref ,
 			   mtu         => $mtu ,
+			   noautosrc   => $noautosrc ,
 			   track       => $track ,
 			   loose       => $loose ,
 			   duplicate   => $duplicate ,
@@ -586,6 +644,7 @@ sub process_a_provider( $ ) {
 			   what        => $what ,
 			   rules       => [] ,
 			   routes      => [] ,
+			   routedests  => {} ,
 			 };

    $provider_interfaces{$interface} = $table unless $shared;
@@ -635,6 +694,7 @@ sub add_a_provider( $$ ) {

    my $table       = $providerref->{provider};
    my $number      = $providerref->{number};
+    my $id          = $providerref->{id};
    my $mark        = $providerref->{rawmark};
    my $interface   = $providerref->{interface};
    my $physical    = $providerref->{physical};
@@ -647,6 +707,7 @@ sub add_a_provider( $$ ) {
    my $balance     = $providerref->{balance};
    my $pref        = $providerref->{pref};
    my $mtu         = $providerref->{mtu};
+    my $noautosrc   = $providerref->{noautosrc};
    my $track       = $providerref->{track};
    my $loose       = $providerref->{loose};
    my $duplicate   = $providerref->{duplicate};
@@ -665,24 +726,24 @@ sub add_a_provider( $$ ) {
    if ( $shared ) {
 	my $variable = $providers{$table}{mac} = get_interface_mac( $gateway, $interface , $table );
 	$realm = "realm $number";
-	start_provider( $label , $table, $number, qq(if interface_is_usable $physical && [ -n "$variable" ]; then) );
+	start_provider( $label , $table, $number, $id, qq(if interface_is_usable $physical && [ -n "$variable" ]; then) );
    } elsif ( $pseudo ) {
-	start_provider( $label , $table, $number, qq(if [ -n "\$SW_${base}_IS_USABLE" ]; then) );
+	start_provider( $label , $table, $number, $id, qq(if [ -n "\$SW_${base}_IS_USABLE" ]; then) );
    } else {
 	if ( $optional ) {
-	    start_provider( $label, $table , $number, qq(if [ -n "\$SW_${base}_IS_USABLE" ]; then) );
+	    start_provider( $label, $table , $number, $id, qq(if [ -n "\$SW_${base}_IS_USABLE" ]; then) );
 	} elsif ( $gatewaycase eq 'detect' ) {
-	    start_provider( $label, $table, $number, qq(if interface_is_usable $physical && [ -n "$gateway" ]; then) );
+	    start_provider( $label, $table, $number, $id, qq(if interface_is_usable $physical && [ -n "$gateway" ]; then) );
 	} else {
-	    start_provider( $label, $table, $number, "if interface_is_usable $physical; then" );
+	    start_provider( $label, $table, $number, $id, "if interface_is_usable $physical; then" );
 	}
 	$provider_interfaces{$interface} = $table;

 	if ( $gatewaycase eq 'none' ) {
 	    if ( $tproxy ) {
-		emit 'run_ip route add local ' . ALLIP . " dev $physical table $number";
+		emit 'run_ip route add local ' . ALLIP . " dev $physical table $id";
 	    } else {
-		emit "run_ip route add default dev $physical table $number";
+		emit "run_ip route add default dev $physical table $id";
 	    }
 	}
    }
@@ -712,12 +773,12 @@ CEOF

    if ( $mark ne '-' ) {
 	my $hexmark = in_hex( $mark );
-	my $mask = have_capability 'FWMARK_RT_MASK' ? '/' . in_hex( $globals{ $tproxy && ! $local ? 'TPROXY_MARK' : 'PROVIDER_MASK' } ) : '';
+	my $mask = have_capability( 'FWMARK_RT_MASK' ) ? '/' . in_hex( $globals{ $tproxy && ! $local ? 'TPROXY_MARK' : 'PROVIDER_MASK' } ) : '';

 	emit ( "qt \$IP -$family rule del fwmark ${hexmark}${mask}" ) if $config{DELETE_THEN_ADD};

-	emit ( "run_ip rule add fwmark ${hexmark}${mask} pref $pref table $number",
-	       "echo \"qt \$IP -$family rule del fwmark ${hexmark}${mask}\" >> \${VARDIR}/undo_${table}_routing"
+	emit ( "run_ip rule add fwmark ${hexmark}${mask} pref $pref table $id",
+	       "echo \"\$IP -$family rule del fwmark ${hexmark}${mask} > /dev/null 2>&1\" >> \${VARDIR}/undo_${table}_routing"
 	     );
    }

@@ -731,7 +792,7 @@ CEOF
 		$copy = "$interface,$copy";
 	    }

-	    copy_and_edit_table( $duplicate, $number ,$copy , $realm);
+	    copy_and_edit_table( $duplicate, $number, $id, $copy, $realm);
 	}
    }

@@ -739,14 +800,14 @@ CEOF
 	$address = get_interface_address $interface unless $address;
 	if ( $family == F_IPV4 ) {
 	    emit "run_ip route replace $gateway src $address dev $physical ${mtu}";
-	    emit "run_ip route replace $gateway src $address dev $physical ${mtu}table $number $realm";
+	    emit "run_ip route replace $gateway src $address dev $physical ${mtu}table $id $realm";
 	} else {
 	    emit "qt \$IP -6 route add $gateway src $address dev $physical ${mtu}";
-	    emit "qt \$IP -6 route del $gateway src $address dev $physical ${mtu}table $number $realm";
-	    emit "run_ip route add $gateway src $address dev $physical ${mtu}table $number $realm";
+	    emit "qt \$IP -6 route del $gateway src $address dev $physical ${mtu}table $id $realm";
+	    emit "run_ip route add $gateway src $address dev $physical ${mtu}table $id $realm";
 	}

-	emit "run_ip route add default via $gateway src $address dev $physical ${mtu}table $number $realm";
+	emit "run_ip route add default via $gateway src $address dev $physical ${mtu}table $id $realm";
    }

    if ( $balance ) {
@@ -754,20 +815,21 @@ CEOF
    } elsif ( $default > 0 ) {
 	balance_fallback_route( $default , $gateway, $physical, $realm );
    } elsif ( $default ) {
+	my $id = $providers{default}->{id};
 	emit '';
 	if ( $gateway ) {
 	    if ( $family == F_IPV4 ) {
-		emit qq(run_ip route replace $gateway/32 dev $physical table ) . DEFAULT_TABLE;
-		emit qq(run_ip route replace default via $gateway src $address dev $physical table ) . DEFAULT_TABLE . qq( metric $number);
+		emit qq(run_ip route replace $gateway/32 dev $physical table $id);
+		emit qq(run_ip route add default via $gateway src $address dev $physical table $id metric $number);
 	    } else {
-		emit qq(qt \$IP -6 route del default via $gateway src $address dev $physical table ) . DEFAULT_TABLE . qq( metric $number);
-		emit qq(run_ip route add default via $gateway src $address dev $physical table ) . DEFAULT_TABLE . qq( metric $number);
+		emit qq(qt \$IP -6 route del default via $gateway src $address dev $physical table $id metric $number);
+		emit qq(run_ip route add default via $gateway src $address dev $physical table $id metric $number);
 	    }
-	    emit qq(echo "qt \$IP -$family route del default via $gateway table ) . DEFAULT_TABLE . qq(" >> \${VARDIR}/undo_${table}_routing);
-	    emit qq(echo "qt \$IP -4  route del $gateway/32 dev $physical table ) . DEFAULT_TABLE . qq(" >> \${VARDIR}/undo_${table}_routing) if $family == F_IPV4;
+	    emit qq(echo "\$IP -$family route del default via $gateway table $id > /dev/null 2>&1" >> \${VARDIR}/undo_${table}_routing);
+	    emit qq(echo "\$IP -4 route del $gateway/32 dev $physical table $id > /dev/null 2>&1" >> \${VARDIR}/undo_${table}_routing) if $family == F_IPV4;
 	} else {
-	    emit qq(run_ip route add default table ) . DEFAULT_TABLE . qq( dev $physical metric $number);
-	    emit qq(echo "qt \$IP -$family route del default dev $physical table ) . DEFAULT_TABLE . qq(" >> \${VARDIR}/undo_${table}_routing);
+	    emit qq(run_ip route add default table $id dev $physical metric $number);
+	    emit qq(echo "\$IP -$family route del default dev $physical table $id > /dev/null 2>&1" >> \${VARDIR}/undo_${table}_routing);
 	}

 	$metrics = 1;
@@ -775,7 +837,7 @@ CEOF

    emit( qq(\n) ,
 	  qq(if ! \$IP -6 rule ls | egrep -q "32767:[[:space:]]+from all lookup (default|253)"; then) ,
-	  qq(    qt \$IP -6 rule add from all table ) . DEFAULT_TABLE . qq( prio 32767\n) ,
+	  qq(    qt \$IP -6 rule add from all table $providers{default}->{id} prio 32767\n) ,
 	  qq(fi) ) if $family == F_IPV6;

    unless ( $tproxy ) {
@@ -788,18 +850,20 @@ CEOF
 		       'done'
 		     );
 	    }
-	} elsif ( $shared ) {
-	    emit  "qt \$IP -$family rule del from $address" if $config{DELETE_THEN_ADD};
-	    emit( "run_ip rule add from $address pref 20000 table $number" ,
-		  "echo \"qt \$IP -$family rule del from $address\" >> \${VARDIR}/undo_${table}_routing" );
-	} elsif ( ! $pseudo ) {
-	    emit  ( "find_interface_addresses $physical | while read address; do" );
-	    emit  ( "    qt \$IP -$family rule del from \$address" ) if $config{DELETE_THEN_ADD};
-	    emit  ( "    run_ip rule add from \$address pref 20000 table $number",
-		    "    echo \"qt \$IP -$family rule del from \$address\" >> \${VARDIR}/undo_${table}_routing",
-		    '    rulenum=$(($rulenum + 1))',
-		    'done'
-		  );
+	} elsif ( ! $noautosrc ) {
+	    if ( $shared ) {
+		emit  "qt \$IP -$family rule del from $address" if $config{DELETE_THEN_ADD};
+		emit( "run_ip rule add from $address pref 20000 table $id" ,
+		      "echo \"\$IP -$family rule del from $address > /dev/null 2>&1\" >> \${VARDIR}/undo_${table}_routing" );
+	    } elsif ( ! $pseudo ) {
+		emit  ( "find_interface_addresses $physical | while read address; do" );
+		emit  ( "    qt \$IP -$family rule del from \$address" ) if $config{DELETE_THEN_ADD};
+		emit  ( "    run_ip rule add from \$address pref 20000 table $id",
+			"    echo \"\$IP -$family rule del from \$address > /dev/null 2>&1\" >> \${VARDIR}/undo_${table}_routing",
+			'    rulenum=$(($rulenum + 1))',
+			'done'
+		      );
+	    }
 	}
    }

@@ -826,7 +890,7 @@ CEOF
 	push_indent;

 	if ( $balance || $default > 0 ) {
-	    $tbl    = $default ? DEFAULT_TABLE : $config{USE_DEFAULT_RT} ? BALANCE_TABLE : MAIN_TABLE;
+	    $tbl    = $providers{$default ? 'default' : $config{USE_DEFAULT_RT} ? 'balance' : 'main'}->{id};
 	    $weight = $balance ? $balance : $default;

 	    if ( $family == F_IPV4 ) {
@@ -867,7 +931,6 @@ CEOF

 	emit "fi\n";
    } else {
-	emit( qq(echo 0 > \${VARDIR}/${physical}.status) );
 	emit( qq(progress_message "Provider $table ($number) Started") );
    }

@@ -919,7 +982,7 @@ CEOF
 	push_indent;

 	if ( $balance || $default > 0 ) {
-	    $tbl    = $default ? DEFAULT_TABLE : $config{USE_DEFAULT_RT} ? BALANCE_TABLE : MAIN_TABLE;
+	    $tbl    = $providers{$default ? 'default' : $config{USE_DEFAULT_RT} ? 'balance' : 'main'}->{id};
 	    $weight = $balance ? $balance : $default;

 	    my $via;
@@ -1000,6 +1063,7 @@ sub add_an_rtrule( ) {
    my $providerref = $providers{$provider};

    my $number = $providerref->{number};
+    my $id     = $providerref->{id};

    fatal_error "You may not add rules for the $provider provider" if $number == LOCAL_TABLE || $number == UNSPEC_TABLE;
    fatal_error "You must specify either the source or destination in a rtrules entry" if $source eq '-' && $dest eq '-';
@@ -1054,11 +1118,11 @@ sub add_an_rtrule( ) {

    fatal_error "Invalid priority ($priority)" unless $priority && $priority =~ /^\d{1,5}$/;

-    $priority = "priority $priority";
+    $priority = "pref $priority";

    push @{$providerref->{rules}}, "qt \$IP -$family rule del $source ${dest}${mark} $priority" if $config{DELETE_THEN_ADD};
-    push @{$providerref->{rules}}, "run_ip rule add $source ${dest}${mark} $priority table $number";
-    push @{$providerref->{rules}}, "echo \"qt \$IP -$family rule del $source ${dest}${mark} $priority\" >> \${VARDIR}/undo_${provider}_routing";
+    push @{$providerref->{rules}}, "run_ip rule add $source ${dest}${mark} $priority table $id";
+    push @{$providerref->{rules}}, "echo \"\$IP -$family rule del $source ${dest}${mark} $priority > /dev/null 2>&1\" >> \${VARDIR}/undo_${provider}_routing";

    progress_message "   Routing rule \"$currentline\" $done";
 }
@@ -1091,40 +1155,66 @@ sub add_a_route( ) {
    fatal_error 'DEST must be specified' if $dest eq '-';
    $dest = validate_net ( $dest, 0 );

-    validate_address ( $gateway, 1 ) if $gateway ne '-';
+    my $null;
+
+    if ( $gateway =~ /^(?:blackhole|unreachable|prohibit)$/ ) {
+	fatal_error q('$gateway' routes may not specify a DEVICE) unless $device eq '-';
+	$null = $gateway;
+    } else {
+	validate_address ( $gateway, 1 ) if $gateway ne '-';
+    }

    my $providerref = $providers{$provider};
    my $number = $providerref->{number};
+    my $id     = $providerref->{id};
    my $physical = $device eq '-' ? $providers{$provider}{physical} : physical_name( $device );
    my $routes = $providerref->{routes};
+    my $routedests = $providerref->{routedests};

    fatal_error "You may not add routes to the $provider table" if $number == LOCAL_TABLE || $number == UNSPEC_TABLE;

+    $dest .= join( '', '/', VLSM ) unless $dest =~ '/';
+
+    if ( $routedests->{$dest} ) {
+	fatal_error "Duplicate DEST ($dest) in table ($provider)";
+    } else {
+	$routedests->{$dest} = 1;
+    }
+
    if ( $gateway ne '-' ) {
 	if ( $device ne '-' ) {
-	    push @$routes, qq(run_ip route add $dest via $gateway dev $physical table $number);
-	    emit qq(echo "qt \$IP -$family route del $dest via $gateway dev $physical table $number" >> \${VARDIR}/undo_${provider}_routing) if $number >= DEFAULT_TABLE;
+	    push @$routes, qq(run_ip route add $dest via $gateway dev $physical table $id);
+	    push @$routes, q(echo "$IP ) . qq(-$family route del $dest via $gateway dev $physical table $id > /dev/null 2>&1" >> \${VARDIR}/undo_${provider}_routing) if $number >= DEFAULT_TABLE;
+	} elsif ( $null ) {
+	    push @$routes, qq(run_ip route add $null $dest table $id);
+	    push @$routes, q(echo "$IP ) . qq(-$family route del $null $dest table $id > /dev/null 2>&1" >> \${VARDIR}/undo_${provider}_routing) if $number >= DEFAULT_TABLE;
 	} else {
-	    push @$routes, qq(run_ip route add $dest via $gateway table $number);
-	    emit qq(echo "\$IP -$family route del $dest via $gateway table $number" >> \${VARDIR}/undo_${provider}_routing) if $number >= DEFAULT_TABLE;
+	    push @$routes, qq(run_ip route add $dest via $gateway table $id);
+	    push @$routes, q(echo "$IP ) . qq(-$family route del $dest via $gateway table $id > /dev/null 2>&1" >> \${VARDIR}/undo_${provider}_routing) if $number >= DEFAULT_TABLE;
 	}
    } else {
 	fatal_error "You must specify a device for this route" unless $physical;
-	push @$routes, qq(run_ip route add $dest dev $physical table $number);
-	emit qq(echo "\$IP -$family route del $dest dev $physical table $number" >> \${VARDIR}/undo_${provider}_routing) if $number >= DEFAULT_TABLE;
+	push @$routes, qq(run_ip route add $dest dev $physical table $id);
+	push @$routes, q(echo "$IP ) . qq(-$family route del $dest dev $physical table $id > /dev/null 2>&1" >> \${VARDIR}/undo_${provider}_routing) if $number >= DEFAULT_TABLE;
    }

    progress_message "   Route \"$currentline\" $done";
 }

 sub setup_null_routing() {
+    my $type = $config{NULL_ROUTE_RFC1918};
+
    save_progress_message "Null Routing the RFC 1918 subnets";
    emit "> \${VARDIR}/undo_rfc1918_routing\n";
    for ( rfc1918_networks ) {
-	emit( qq(if ! \$IP -4 route ls | grep -q '^$_.* dev '; then),
-	      qq(    run_ip route replace blackhole $_),
-	      qq(    echo "qt \$IP -4 route del blackhole $_" >> \${VARDIR}/undo_rfc1918_routing),
-	      qq(fi\n) );
+	if ( $providers{main}{routedests}{$_} ) {
+	    warning_message "No NULL_ROUTE_RFC1918 route added for $_; there is already a route to that network defined in the routes file";
+	} else {
+	    emit( qq(if ! \$IP -4 route ls | grep -q '^$_.* dev '; then),
+		  qq(    run_ip route replace $type $_),
+		  qq(    echo "\$IP -4 route del $type $_ > /dev/null 2>&1" >> \${VARDIR}/undo_rfc1918_routing),
+		  qq(fi\n) );
+	}
    }
 }

@@ -1135,12 +1225,28 @@ sub start_providers() {
 	    'undo_routing' );

    unless ( $config{KEEP_RT_TABLES} ) {
-	emit  (
-	       '#',
-	       '# Save current routing table database so that it can be restored later',
-	       '#',
-	       'cp /etc/iproute2/rt_tables ${VARDIR}/' );
+	emit( "\n#\n# Update the routing table database\n#",
+	      'if [ -w /etc/iproute2/rt_tables ]; then',
+	      '    cat > /etc/iproute2/rt_tables <<EOF' );

+	emit_unindented join( "\n",
+			      '#',
+			      '# reserved values',
+			      '#',
+			      LOCAL_TABLE   . "\tlocal",
+			      MAIN_TABLE    . "\tmain",
+			      $config{USE_DEFAULT_RT} ? ( DEFAULT_TABLE . "\tdefault\n" . BALANCE_TABLE . "\tbalance" ) : DEFAULT_TABLE . "\tdefault",
+			      "0\tunspec",
+			      '#',
+			      '# local',
+			      '#' );
+	for ( @providers ) {
+	    emit_unindented "$providers{$_}{number}\t$_" unless $providers{$_}{pseudo};
+	}
+
+	emit_unindented "EOF\n";
+
+	emit "fi\n";
    }

    emit  ( '#',
@@ -1165,17 +1271,20 @@ sub start_providers() {
 }

 sub finish_providers() {
-    my $table = MAIN_TABLE;
+    my $main    = $providers{main}->{id};
+    my $table   = $main;
+    my $balance = $providers{balance}->{id};
+    my $default = $providers{default}->{id};

    if ( $config{USE_DEFAULT_RT} ) {
-	emit ( 'run_ip rule add from ' . ALLIP . ' table ' . MAIN_TABLE .    ' pref 999',
-	       'run_ip rule add from ' . ALLIP . ' table ' . BALANCE_TABLE . ' pref 32765',
-	       "\$IP -$family rule del from " . ALLIP . ' table ' . MAIN_TABLE . ' pref 32766',
-	       qq(echo "qt \$IP -$family rule add from ) . ALLIP . ' table ' . MAIN_TABLE .    ' pref 32766" >> ${VARDIR}/undo_main_routing',
-	       qq(echo "qt \$IP -$family rule del from ) . ALLIP . ' table ' . MAIN_TABLE .    ' pref 999" >> ${VARDIR}/undo_main_routing',
-	       qq(echo "qt \$IP -$family rule del from ) . ALLIP . ' table ' . BALANCE_TABLE . ' pref 32765" >> ${VARDIR}/undo_balance_routing',
+	emit ( 'run_ip rule add from ' . ALLIP . " table $main pref 999",
+	       'run_ip rule add from ' . ALLIP . " table $balance pref 32765",
+	       "\$IP -$family rule del from " . ALLIP . " table $main pref 32766",
+	       qq(echo "\$IP -$family rule add from ) . ALLIP . qq( table $main pref 32766 > /dev/null 2>&1")    . ' >> ${VARDIR}/undo_main_routing',
+	       qq(echo "\$IP -$family rule del from ) . ALLIP . qq( table $main pref 999 > /dev/null 2>&1")      . ' >> ${VARDIR}/undo_main_routing',
+	       qq(echo "\$IP -$family rule del from ) . ALLIP . qq( table $balance pref 32765 > /dev/null 2>&1") . ' >> ${VARDIR}/undo_balance_routing',
 	       '' );
-	$table = BALANCE_TABLE;
+	$table = $providers{balance}->{id};
    }

    if ( $balancing ) {
@@ -1188,7 +1297,7 @@ sub finish_providers() {
 	}

 	if ( $config{USE_DEFAULT_RT} ) {
-	    emit  ( "    while qt \$IP -$family route del default table " . MAIN_TABLE . '; do',
+	    emit  ( "    while qt \$IP -$family route del default table $main; do",
 		    '        true',
 		    '    done',
 		    ''
@@ -1215,17 +1324,17 @@ sub finish_providers() {
 	       '#',
 	       '# And delete any routes in the \'balance\' table',
 	       '#',
-	       "qt \$IP -$family route del default table " . BALANCE_TABLE,
+	       "qt \$IP -$family route del default table $balance",
 	       '' );
    }

    if ( $fallback ) {
 	emit  ( 'if [ -n "$FALLBACK_ROUTE" ]; then' );
 	if ( $family == F_IPV4 ) {
-	    emit( "    run_ip route replace default scope global table " . DEFAULT_TABLE . " \$FALLBACK_ROUTE" );
+	    emit( "    run_ip route replace default scope global table $default \$FALLBACK_ROUTE" );
 	} else {
-	    emit( "    qt \$IP -6 route del default scope global table " . DEFAULT_TABLE . " \$FALLBACK_ROUTE" );
-	    emit( "    run_ip route add default scope global table " . DEFAULT_TABLE . " \$FALLBACK_ROUTE" );
+	    emit( "    qt \$IP -6 route del default scope global table $default \$FALLBACK_ROUTE" );
+	    emit( "    run_ip route add default scope global table $default \$FALLBACK_ROUTE" );
 	}

 	emit( "    progress_message \"Fallback route '\$(echo \$FALLBACK_ROUTE | sed 's/\$\\s*//')' Added\"",
@@ -1233,35 +1342,14 @@ sub finish_providers() {
 	      '    #',
 	      '    # We don\'t have any \'fallback\' providers so we delete any default routes in the default table',
 	      '    #',
-	      '    delete_default_routes ' . DEFAULT_TABLE,
+	      "    delete_default_routes $default",
 	      'fi',
 	      '' );
    } elsif ( $config{USE_DEFAULT_RT} ) {
-	emit( 'delete_default_routes ' . DEFAULT_TABLE,
+	emit( "delete_default_routes $default",
 	      ''
 	    );
    }
-
-    unless ( $config{KEEP_RT_TABLES} ) {
-	emit( 'if [ -w /etc/iproute2/rt_tables ]; then',
-	      '    cat > /etc/iproute2/rt_tables <<EOF' );
-
-	emit_unindented join( "\n",
-			      '#',
-			      '# reserved values',
-			      '#',
-			      LOCAL_TABLE   . "\tlocal",
-			      MAIN_TABLE    . "\tmain",
-			      $config{USE_DEFAULT_RT} ? ( DEFAULT_TABLE . "\tdefault\n" . BALANCE_TABLE . "\tbalance" ) : DEFAULT_TABLE . "\tdefault",
-			      "0\tunspec",
-			      '#',
-			      '# local',
-			      '#' );
-	emit_unindented "$providers{$_}{number}\t$_" for @providers;
-	emit_unindented "EOF\n";
-
-	emit "fi\n";
-    }
 }

 sub process_providers( $ ) {
@@ -1269,6 +1357,18 @@ sub process_providers( $ ) {

    our $providers = 0;
    our $pseudoproviders = 0;
+    #
+    # We defer initialization of the 'id' member until now so that the setting of USE_RT_NAMES will have been established.
+    #
+    unless ( $config{USE_RT_NAMES} ) {
+	for ( values %providers ) {
+	    $_->{id} = $_->{number};
+	}
+    } else {
+	for ( values %providers ) {
+	    $_->{id} = $_->{provider};
+	}
+    }

    $lastmark = 0;

@@ -1309,18 +1409,16 @@ sub process_providers( $ ) {
 	}
    }

-    if ( $providers || $pseudoproviders ) {
-	my $fn = open_file 'routes';
+    my $fn = open_file 'routes';

-	if ( $fn ) {
-	    first_entry "$doing $fn...";
-	    emit '';
-	    add_a_route while read_a_line( NORMAL_READ );
-	}
-
-	add_a_provider( $providers{$_}, $tcdevices ) for @providers;
+    if ( $fn ) {
+	first_entry "$doing $fn...";
+	emit '';
+	add_a_route while read_a_line( NORMAL_READ );
    }

+    add_a_provider( $providers{$_}, $tcdevices ) for @providers;
+
    emit << 'EOF';;

 #
@@ -1436,6 +1534,8 @@ sub setup_providers() {

 	start_providers;

+	setup_null_routing if $config{NULL_ROUTE_RFC1918};
+
 	emit '';

 	emit "start_$providers{$_}->{what}_$_" for @providers;
@@ -1444,7 +1544,6 @@ sub setup_providers() {

 	finish_providers;

-	setup_null_routing if $config{NULL_ROUTE_RFC1918};
 	emit "\nrun_ip route flush cache";

 	pop_indent;
@@ -1459,8 +1558,23 @@ sub setup_providers() {
 	emit "\nundo_routing";
 	emit "restore_default_route $config{USE_DEFAULT_RT}";

+	my $standard_routes = @{$providers{main}{routes}} || @{$providers{default}{routes}};
+
 	if ( $config{NULL_ROUTE_RFC1918} ) {
 	    setup_null_routing;
+	    emit "\nrun_ip route flush cache" unless $standard_routes;
+	}
+
+	if ( $standard_routes ) {
+	    for my $provider ( qw/main default/ ) {
+		emit '';
+		emit qq(> \${VARDIR}/undo_${provider}_routing );
+		emit '';
+		emit $_ for @{$providers{$provider}{routes}};
+		emit '';
+		emit $_ for @{$providers{$provider}{rules}};
+	    }
+
 	    emit "\nrun_ip route flush cache";
 	}

@@ -1693,7 +1807,11 @@ sub compile_updown() {
 	);
 }

-sub lookup_provider( $ ) {
+#
+# Lookup the passed provider. Raise a fatal error if provider is unknown. 
+# Return the provider's realm if it is a shared provider; otherwise, return zero
+#
+sub provider_realm( $ ) {
    my $provider    = $_[0];
    my $providerref = $providers{ $provider };

@@ -1871,20 +1989,22 @@ sub handle_stickiness( $ ) {

 		for my $chainref ( $stickyref, $setstickyref ) {
 		    if ( $chainref->{name} eq 'sticky' ) {
-			$rule1 = clone_rule( $_ );
+			$rule1 = clone_irule( $_ );

 			set_rule_target( $rule1, 'MARK',   "--set-mark $mark" );
-			set_rule_option( $rule1, 'recent', "--name $list --update --seconds 300" );
+			set_rule_option( $rule1, 'recent', "--name $list --update --seconds 300 --reap" );

-			$rule2 = clone_rule( $_ );
+			$rule2 = clone_irule( $_ );

 			clear_rule_target( $rule2 );
-			set_rule_option( $rule2, 'mark', "--mark 0/$mask -m recent --name $list --remove" );
+			set_rule_option( $rule2, 'mark',   "--mark 0\/$mask" );
+			set_rule_option( $rule2, 'recent', "--name $list --remove" );
 		    } else {
-			$rule1 = clone_rule( $_ );
+			$rule1 = clone_irule( $_ );

 			clear_rule_target( $rule1 );
-			set_rule_option( $rule1, 'mark', "--mark $mark\/$mask -m recent --name $list --set" );
+			set_rule_option( $rule1, 'mark',   "--mark $mark\/$mask" );
+			set_rule_option( $rule1, 'recent', "--name $list --set" );

 			$rule2 = '';
 		    }
@@ -1904,32 +2024,22 @@ sub handle_stickiness( $ ) {

 		for my $chainref ( $stickoref, $setstickoref ) {
 		    if ( $chainref->{name} eq 'sticko' ) {
-			$rule1 = {};
-
-			while ( my ( $key, $value ) = each %$_ ) {
-			    $rule1->{$key} = $value;
-			}
+			$rule1 = clone_irule $_;

 			set_rule_target( $rule1, 'MARK',   "--set-mark $mark" );
-			set_rule_option( $rule1, 'recent', " --name $list --rdest --update --seconds 300" );
+			set_rule_option( $rule1, 'recent', " --name $list --rdest --update --seconds 300 --reap" );

-			$rule2 = {};
-
-			while ( my ( $key, $value ) = each %$_ ) {
-			    $rule2->{$key} = $value;
-			}
+			$rule2 = clone_irule $_;

 			clear_rule_target( $rule2 );
-			set_rule_option  ( $rule2, 'mark', "--mark 0\/$mask -m recent --name $list --rdest --remove" );
+			set_rule_option  ( $rule2, 'mark',   "--mark 0\/$mask" );
+			set_rule_option  ( $rule2, 'recent', "--name $list --rdest --remove" );
 		    } else {
-			$rule1 = {};
-
-			while ( my ( $key, $value ) = each %$_ ) {
-			    $rule1->{$key} = $value;
-			}
+			$rule1 = clone_irule $_;

 			clear_rule_target( $rule1 );
-			set_rule_option  ( $rule1, 'mark', "--mark $mark -m recent --name $list --rdest --set" );
+			set_rule_option  ( $rule1, 'mark',   "--mark $mark" );
+			set_rule_option  ( $rule1, 'recent', "--name $list --rdest --set" );

 			$rule2 = '';
 		    }
--- a/Shorewall/Perl/Shorewall/Raw.pm
+++ b/Shorewall/Perl/Shorewall/Raw.pm
@@ -143,6 +143,7 @@ sub process_conntrack_rule( $$$$$$$$$$ ) {

    expand_rule( $chainref ,
 		 $restriction ,
+		 '',
 		 $rule,
 		 $source ,
 		 $dest ,
@@ -185,6 +186,7 @@ sub handle_helper_rule( $$$$$$$$$$$ ) {
 	    #
 	    expand_rule( ensure_raw_chain( $actionchain ) ,
 			 PREROUTE_RESTRICT ,
+			 '',
 			 $rule ,
 			 $source ,
 			 $dest ,
@@ -198,6 +200,7 @@ sub handle_helper_rule( $$$$$$$$$$$ ) {
 			 ( $sourceref->{type} == FIREWALL || $sourceref->{type} == VSERVER ?
 			   OUTPUT_RESTRICT :
 			   PREROUTE_RESTRICT ) ,
+			 '' ,
 			 $rule ,
 			 $source ,
 			 $dest ,
--- a/Shorewall/Perl/Shorewall/Rules.pm
+++ b/Shorewall/Perl/Shorewall/Rules.pm
--- a/Shorewall/Perl/Shorewall/Tc.pm
+++ b/Shorewall/Perl/Shorewall/Tc.pm
@@ -207,7 +207,106 @@ sub initialize( $ ) {
 sub process_tc_rule1( $$$$$$$$$$$$$$$$ ) {
    my ( $originalmark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability , $dscp , $state ) = @_;

-    our %tccmd;
+our  %tccmd;
+
+    unless ( %tccmd ) {
+	%tccmd = ( SAVE =>     { match     => sub ( $ ) { $_[0] eq 'SAVE' } ,
+				 target    => 'CONNMARK --save-mark --mask' ,
+				 mark      => $config{TC_EXPERT} ? HIGHMARK : SMALLMARK,
+				 mask      => in_hex( $globals{TC_MASK} ) ,
+				 connmark  => 1
+			       } ,
+		   RESTORE =>  { match     => sub ( $ ) { $_[0] eq 'RESTORE' },
+				 target    => 'CONNMARK --restore-mark --mask' ,
+				 mark      => $config{TC_EXPERT} ? HIGHMARK : SMALLMARK ,
+				 mask      => in_hex( $globals{TC_MASK} ) ,
+				 connmark  => 1
+			       } ,
+		   CONTINUE => { match     => sub ( $ ) { $_[0] eq 'CONTINUE' },
+				 target    => 'RETURN' ,
+				 mark      => NOMARK ,
+				 mask      => '' ,
+				 connmark  => 0
+			       } ,
+		   SAME =>     { match     => sub ( $ ) { $_[0] eq 'SAME' },
+				 target    => 'sticky' ,
+				 mark      => NOMARK ,
+				 mask      => '' ,
+				 connmark  => 0
+			       } ,
+		   IPMARK =>   { match     => sub ( $ ) { $_[0] =~ /^IPMARK/ },
+				 target    => 'IPMARK' ,
+				 mark      => NOMARK,
+				 mask      => '',
+				 connmark  => 0
+			       } ,
+		   '|' =>      { match     => sub ( $ ) { $_[0] =~ '\|.*'} ,
+				 target    => 'MARK --or-mark' ,
+				 mark      => HIGHMARK ,
+				 mask      => ''
+			       } ,
+		   '&' =>      { match     => sub ( $ ) { $_[0] =~ '&.*' },
+				 target    => 'MARK --and-mark' ,
+				 mark      => HIGHMARK ,
+				 mask      => '' ,
+				 connmark  => 0
+			       } ,
+		   TPROXY =>   { match     => sub ( $ ) { $_[0] =~ /^TPROXY/ },
+				 target    => 'TPROXY',
+				 mark      => HIGHMARK,
+				 mask      => '',
+				 connmark  => ''
+			       },
+		   DIVERT =>   { match     => sub( $ ) { $_[0] =~ /^DIVERT/ },
+				 target    => 'DIVERT',
+				 mark      => HIGHMARK,
+				 mask      => '',
+				 connmark  => ''
+			       },
+		   TTL =>      { match     => sub( $ ) { $_[0] =~ /^TTL/ },
+				 target    => 'TTL',
+				 mark      => NOMARK,
+				 mask      => '',
+				 connmark  => 0
+			       },
+		   HL =>       { match     => sub( $ ) { $_[0] =~ /^HL/ },
+				 target    => 'HL',
+				 mark      => NOMARK,
+				 mask      => '',
+				 connmark  => 0
+			       },
+		   IMQ =>      { match     => sub( $ ) { $_[0] =~ /^IMQ\(\d+\)$/ },
+				 target    => 'IMQ',
+				 mark      => NOMARK,
+				 mask      => '',
+				 connmark  => 0
+			       },
+		   DSCP =>     { match     => sub( $ ) { $_[0] =~ /^DSCP\(\w+\)$/ },
+				 target    => 'DSCP',
+				 mark      => NOMARK,
+				 mask      => '',
+				 connmark  => 0
+			       },
+		   TOS =>      { match     => sub( $ ) { $_[0] =~ /^TOS\(.+\)$/ },
+				 target    => 'TOS',
+				 mark      => NOMARK,
+				 mask      => '',
+				 connmark  => 0
+			       },
+		   CHECKSUM => { match     => sub( $ ) { $_[0] eq 'CHECKSUM' },
+				 target    => 'CHECKSUM' ,
+				 mark      => NOMARK,
+				 mask      => '',
+				 connmark  => 0,
+			       },
+		   INLINE   => { match     => sub( $ ) { $_[0] eq 'INLINE' },
+				 target    => 'INLINE',
+				 mark      => NOMARK,
+				 mask      => '',
+				 connmark  => 0,
+			       }
+		 );
+    }

    fatal_error 'MARK must be specified' if $originalmark eq '-';

@@ -359,7 +458,7 @@ sub process_tc_rule1( $$$$$$$$$$$$$$$$ ) {
 						  if ( $ip =~ /^\[(.+)\]$/ || $ip =~ /^<(.+)>$/ ) {
 						      $ip = $1;
 						  } elsif ( $ip =~ /^\[(.+)\]\/(\d+)$/ ) {
-						      $ip = join( $1, $2 );
+						      $ip = join( '/', $1, $2 );
 						  }
 					      }

@@ -447,6 +546,20 @@ sub process_tc_rule1( $$$$$$$$$$$$$$$$ ) {
 		                        {  require_capability 'CHECKSUM_TARGET', 'The CHECKSUM action', 's';
 					   $target .= ' --checksum-fill';
 				       },
+		       INLINE   => sub()
+		                       {
+					   assert ( $cmd eq 'INLINE' );
+					   $matches = get_inline_matches;
+
+					   if ( $matches =~ /^(.*\s+)-j\s+(.+) $/ ) {
+					       $matches = $1;
+					       $target  = $2;
+					   } else {
+					       $target = '';
+					   }
+
+					   $cmd = '';
+				       }
 		     );

    if ( $source ) {
@@ -634,6 +747,7 @@ sub process_tc_rule1( $$$$$$$$$$$$$$$$ ) {

 	    expand_rule( $chainref,
 			 $restrictions{$chain} | $restriction,
+			 '' ,
 			 $match .
 			 do_user( $user ) .
 			 do_test( $testval, $globals{TC_MASK} ) .
@@ -656,6 +770,7 @@ sub process_tc_rule1( $$$$$$$$$$$$$$$$ ) {
 	}
    } elsif ( ( my $result = expand_rule( ensure_chain( 'mangle' , $chain ) ,
 					  $restrictions{$chain} | $restriction,
+					  '',
 					  do_proto( $proto, $ports, $sports) . $matches .
 					  do_user( $user ) .
 					  do_test( $testval, $globals{TC_MASK} ) .
@@ -2026,6 +2141,7 @@ sub process_traffic_shaping() {
 	my $defmark = in_hexp ( $devref->{default} || 0 );
 	my $devnum  = in_hexp $devref->{number};
 	my $r2q     = int calculate_r2q $devref->{out_bandwidth};
+	my $qdisc   = $devref->{qdisc};

 	fatal_error "No default class defined for device $devname" unless defined $devref->{default};

@@ -2048,10 +2164,11 @@ sub process_traffic_shaping() {
 	    push_indent;

 	    emit ( "qt \$TC qdisc del dev $device root",
-		   "qt \$TC qdisc del dev $device ingress",
-		   "${dev}_mtu=\$(get_device_mtu $device)",
+		   "qt \$TC qdisc del dev $device ingress" );
+
+	    emit ( "${dev}_mtu=\$(get_device_mtu $device)",
 		   "${dev}_mtu1=\$(get_device_mtu1 $device)"
-		 );
+		 ) if $qdisc eq 'htb';

 	    my $stab;

@@ -2064,7 +2181,7 @@ sub process_traffic_shaping() {
 		$stab = '';
 	    }

-	    if ( $devref->{qdisc} eq 'htb' ) {
+	    if ( $qdisc eq 'htb' ) {
 		emit ( "run_tc qdisc add dev $device ${stab}root handle $devnum: htb default $defmark r2q $r2q" ,
 		       "run_tc class add dev $device parent $devnum: classid $devnum:1 htb rate $devref->{out_bandwidth} \$${dev}_mtu1" );
 	    } else {
@@ -2118,15 +2235,15 @@ sub process_traffic_shaping() {
 		my $rawrate  = $tcref->{rate};
 		my $rate     = "${rawrate}kbit";
 		my $lsceil   = $tcref->{lsceil};
-		my $quantum  = calculate_quantum $rate, calculate_r2q( $devref->{out_bandwidth} );
+		my $quantum;

 		$classids{$classid}=$devname;

 		my $parent   = in_hexp $tcref->{parent};

-		emit ( "[ \$${dev}_mtu -gt $quantum ] && quantum=\$${dev}_mtu || quantum=$quantum" );
-
 		if ( $devref->{qdisc} eq 'htb' ) {
+		    $quantum  = calculate_quantum $rate, calculate_r2q( $devref->{out_bandwidth} );
+		    emit ( "[ \$${dev}_mtu -gt $quantum ] && quantum=\$${dev}_mtu || quantum=$quantum" );
 		    emit ( "run_tc class add dev $device parent $devicenumber:$parent classid $classid htb rate $rate ceil $tcref->{ceiling}kbit prio $tcref->{priority} \$${dev}_mtu1 quantum \$quantum" );
 		} else {
 		    my $dmax = $tcref->{dmax};
@@ -2186,7 +2303,7 @@ sub process_traffic_shaping() {
 			1 while $devnums[++$sfq];

 			$sfqinhex = in_hexp( $sfq);
-			if ( $devref->{qdisc} eq 'htb' ) {
+			if ( $qdisc eq 'htb' ) {
 			    emit( "run_tc qdisc add dev $device parent $classid handle $sfqinhex: sfq quantum \$quantum limit $tcref->{limit} perturb 10" );
 			} else {
 			    emit( "run_tc qdisc add dev $device parent $classid handle $sfqinhex: sfq limit $tcref->{limit} perturb 10" );
@@ -2329,7 +2446,7 @@ sub process_secmark_rule1( $$$$$$$$$ ) {
    if ( ( $state ||= '' ) ne '' ) {
 	my $state1;
 	fatal_error "Invalid STATE ( $state )" unless $state1 = $state{$state};
-	$state = "$globals{STATEMATCH} $state1 ";
+	$state = state_match( $state1 );
    }

    my $target = $secmark eq 'SAVE'    ? 'CONNSECMARK --save' :
@@ -2342,6 +2459,7 @@ sub process_secmark_rule1( $$$$$$$$$ ) {

    expand_rule( ensure_mangle_chain( $chain1 ) ,
 		 $restrictions{$chain1} ,
+		 '' ,
 		 $state .
 		 do_proto( $proto, $dport, $sport ) .
 		 do_user( $user ) .
@@ -2406,7 +2524,7 @@ sub setup_tc() {
 	add_ijump $mangle_table->{OUTPUT} ,     j => 'tcout', @mark_part;

 	if ( have_capability( 'MANGLE_FORWARD' ) ) {
-	    my $mask = have_capability 'EXMARK' ? have_capability 'FWMARK_RT_MASK' ? '/' . in_hex $globals{PROVIDER_MASK} : '' : '';
+	    my $mask = have_capability( 'EXMARK' ) ? have_capability( 'FWMARK_RT_MASK' ) ? '/' . in_hex $globals{PROVIDER_MASK} : '' : '';

 	    add_ijump $mangle_table->{FORWARD},      j => "MARK --set-mark 0${mask}" if $config{FORWARD_CLEAR_MARK};
 	    add_ijump $mangle_table->{FORWARD} ,     j => 'tcfor';
@@ -2424,96 +2542,6 @@ sub setup_tc() {
    }

    if ( $config{MANGLE_ENABLED} ) {
-	our  %tccmd = ( SAVE =>     { match     => sub ( $ ) { $_[0] eq 'SAVE' } ,
-				      target    => 'CONNMARK --save-mark --mask' ,
-				      mark      => $config{TC_EXPERT} ? HIGHMARK : SMALLMARK,
-				      mask      => in_hex( $globals{TC_MASK} ) ,
-				      connmark  => 1
-				    } ,
-			RESTORE =>  { match     => sub ( $ ) { $_[0] eq 'RESTORE' },
-				      target    => 'CONNMARK --restore-mark --mask' ,
-				      mark      => $config{TC_EXPERT} ? HIGHMARK : SMALLMARK ,
-				      mask      => in_hex( $globals{TC_MASK} ) ,
-				      connmark  => 1
-				    } ,
-			CONTINUE => { match     => sub ( $ ) { $_[0] eq 'CONTINUE' },
-				      target    => 'RETURN' ,
-				      mark      => NOMARK ,
-				      mask      => '' ,
-				      connmark  => 0
-				    } ,
-			SAME =>     { match     => sub ( $ ) { $_[0] eq 'SAME' },
-				      target    => 'sticky' ,
-				      mark      => NOMARK ,
-				      mask      => '' ,
-				      connmark  => 0
-				    } ,
-			IPMARK =>   { match     => sub ( $ ) { $_[0] =~ /^IPMARK/ },
-				      target    => 'IPMARK' ,
-				      mark      => NOMARK,
-				      mask      => '',
-				      connmark  => 0
-				    } ,
-			'|' =>      { match     => sub ( $ ) { $_[0] =~ '\|.*'} ,
-				      target    => 'MARK --or-mark' ,
-				      mark      => HIGHMARK ,
-				      mask      => ''
-				    } ,
-			'&' =>      { match     => sub ( $ ) { $_[0] =~ '&.*' },
-				      target    => 'MARK --and-mark' ,
-				      mark      => HIGHMARK ,
-				      mask      => '' ,
-				      connmark  => 0
-				    } ,
-			TPROXY =>   { match     => sub ( $ ) { $_[0] =~ /^TPROXY/ },
-				      target    => 'TPROXY',
-				      mark      => HIGHMARK,
-				      mask      => '',
-				      connmark  => ''
-				    },
-			DIVERT =>   { match     => sub( $ ) { $_[0] =~ /^DIVERT/ },
-				      target    => 'DIVERT',
-				      mark      => HIGHMARK,
-				      mask      => '',
-				      connmark  => ''
-				    },
-			TTL =>      { match     => sub( $ ) { $_[0] =~ /^TTL/ },
-				      target    => 'TTL',
-				      mark      => NOMARK,
-				      mask      => '',
-				      connmark  => 0
-			            },
-			HL =>       { match     => sub( $ ) { $_[0] =~ /^HL/ },
-				      target    => 'HL',
-				      mark      => NOMARK,
-				      mask      => '',
-				      connmark  => 0
-			            },
-			IMQ =>      { match     => sub( $ ) { $_[0] =~ /^IMQ\(\d+\)$/ },
-				      target    => 'IMQ',
-				      mark      => NOMARK,
-				      mask      => '',
-				      connmark  => 0
-			            },
-			DSCP =>     { match     => sub( $ ) { $_[0] =~ /^DSCP\(\w+\)$/ },
-				      target    => 'DSCP',
-				      mark      => NOMARK,
-				      mask      => '',
-				      connmark  => 0
-				    },
-			TOS =>      { match     => sub( $ ) { $_[0] =~ /^TOS\(.+\)$/ },
-				      target    => 'TOS',
-				      mark      => NOMARK,
-				      mask      => '',
-				      connmark  => 0
-				    },
-			CHECKSUM => { match     => sub( $ ) { $_[0] eq 'CHECKSUM' },
-				      target    => 'CHECKSUM' ,
-				      mark      => NOMARK,
-				      mask      => '',
-				      connmark  => 0,
-				    }
-		      );

 	if ( my $fn = open_file( 'tcrules' , 2, 1 ) ) {

--- a/Shorewall/Perl/Shorewall/Zones.pm
+++ b/Shorewall/Perl/Shorewall/Zones.pm
@@ -38,6 +38,8 @@ our @EXPORT = ( qw( NOTHING
 		    IPSECMODE
 		    FIREWALL
 		    VSERVER
+		    LOOPBACK
+		    LOCAL
 		    IP
 		    BPORT
 		    IPSEC
@@ -50,6 +52,8 @@ our @EXPORT = ( qw( NOTHING
 		    dump_zone_contents
 		    find_zone
 		    firewall_zone
+		    loopback_zones
+		    local_zones
 		    defined_zone
 		    zone_type
 		    zone_interfaces
@@ -68,7 +72,10 @@ our @EXPORT = ( qw( NOTHING
 		    all_real_interfaces
 		    all_plain_interfaces
 		    all_bridges
+		    managed_interfaces
+		    unmanaged_interfaces
 		    interface_number
+		    interface_origin
 		    find_interface
 		    known_interface
 		    get_physical
@@ -84,6 +91,7 @@ our @EXPORT = ( qw( NOTHING
 		    interface_has_option
 		    set_interface_option
 		    set_interface_provider
+		    interface_zone
 		    interface_zones
 		    verify_required_interfaces
 		    validate_hosts_file
@@ -152,6 +160,8 @@ our @zones;
 our %zones;
 our %zonetypes;
 our $firewall_zone;
+our @loopback_zones;
+our @local_zones;

 our %reservedName = ( all => 1,
 		      any => 1,
@@ -211,7 +221,10 @@ use constant { FIREWALL => 1,
 	       IP       => 2,
 	       BPORT    => 4,
 	       IPSEC    => 8,
-	       VSERVER  => 16 };
+	       VSERVER  => 16,
+	       LOOPBACK => 32,
+	       LOCAL    => 64,
+	   };

 use constant { SIMPLE_IF_OPTION   => 1,
 	       BINARY_IF_OPTION   => 2,
@@ -234,9 +247,28 @@ use constant { NO_UPDOWN   => 1,

 our %validinterfaceoptions;

-our %defaultinterfaceoptions = ( routefilter => 1 , wait => 60 );
+our %prohibitunmanaged = (
+			  blacklist      => 1,
+			  bridge         => 1,
+			  destonly       => 1,
+			  detectnets     => 1,
+			  dhcp           => 1,
+			  maclist        => 1,
+			  nets           => 1,
+			  norfc1918      => 1,
+			  nosmurfs       => 1,
+			  optional       => 1,
+			  routeback      => 1,
+			  rpfilter       => 1,
+			  sfilter        => 1,
+			  tcpflags       => 1,
+			  upnp           => 1,
+			  upnpclient     => 1,
+			 );

-our %maxoptionvalue = ( routefilter => 2, mss => 100000 , wait => 120 , ignore => NO_UPDOWN );
+our %defaultinterfaceoptions = ( routefilter => 1 , wait => 60, accept_ra => 1 , ignore => 3, routeback => 1 );
+
+our %maxoptionvalue = ( routefilter => 2, mss => 100000 , wait => 120 , ignore => NO_UPDOWN | NO_SFILTER, accept_ra => 2 );

 our %validhostoptions;

@@ -277,6 +309,8 @@ sub initialize( $$ ) {
    ( $family , $upgrade ) = @_;
    @zones = ();
    %zones = ();
+    @loopback_zones = ();
+    @local_zones = ();
    $firewall_zone = '';
    $have_ipsec = undef;

@@ -298,6 +332,7 @@ sub initialize( $$ ) {
 				  arp_ignore  => ENUM_IF_OPTION,
 				  blacklist   => SIMPLE_IF_OPTION + IF_OPTION_HOST,
 				  bridge      => SIMPLE_IF_OPTION,
+				  destonly    => SIMPLE_IF_OPTION + IF_OPTION_HOST,
 				  detectnets  => OBSOLETE_IF_OPTION,
 				  dhcp        => SIMPLE_IF_OPTION,
 				  ignore      => NUMERIC_IF_OPTION + IF_OPTION_WILDOK,
@@ -309,7 +344,7 @@ sub initialize( $$ ) {
 				  optional    => SIMPLE_IF_OPTION,
 				  proxyarp    => BINARY_IF_OPTION,
 				  required    => SIMPLE_IF_OPTION,
-				  routeback   => SIMPLE_IF_OPTION + IF_OPTION_ZONEONLY + IF_OPTION_HOST + IF_OPTION_VSERVER,
+				  routeback   => BINARY_IF_OPTION + IF_OPTION_ZONEONLY + IF_OPTION_HOST + IF_OPTION_VSERVER,
 				  routefilter => NUMERIC_IF_OPTION ,
 				  rpfilter    => SIMPLE_IF_OPTION,
 				  sfilter     => IPLIST_IF_OPTION,
@@ -319,6 +354,7 @@ sub initialize( $$ ) {
 				  upnpclient  => SIMPLE_IF_OPTION,
 				  mss         => NUMERIC_IF_OPTION + IF_OPTION_WILDOK,
 				  physical    => STRING_IF_OPTION  + IF_OPTION_HOST,
+				  unmanaged   => SIMPLE_IF_OPTION,
 				  wait        => NUMERIC_IF_OPTION + IF_OPTION_WILDOK,
 				 );
 	%validhostoptions = (
@@ -332,10 +368,19 @@ sub initialize( $$ ) {
 			     sourceonly => 1,
 			     mss => 1,
 			    );
-	%zonetypes = ( 1 => 'firewall', 2 => 'ipv4', 4 => 'bport4', 8 => 'ipsec4', 16 => 'vserver' );
+
+	%zonetypes = ( 1   => 'firewall',
+		       2   => 'ipv4',
+		       4   => 'bport4',
+		       8   => 'ipsec4',
+		       16  => 'vserver',
+		       32  => 'loopback',
+		       64  => 'local' );
    } else {
-	%validinterfaceoptions = (  blacklist   => SIMPLE_IF_OPTION + IF_OPTION_HOST,
+	%validinterfaceoptions = (  accept_ra   => NUMERIC_IF_OPTION,
+				    blacklist   => SIMPLE_IF_OPTION + IF_OPTION_HOST,
 				    bridge      => SIMPLE_IF_OPTION,
+				    destonly    => SIMPLE_IF_OPTION + IF_OPTION_HOST,
 				    dhcp        => SIMPLE_IF_OPTION,
 				    ignore      => NUMERIC_IF_OPTION + IF_OPTION_WILDOK,
 				    maclist     => SIMPLE_IF_OPTION + IF_OPTION_HOST,
@@ -344,7 +389,7 @@ sub initialize( $$ ) {
 				    optional    => SIMPLE_IF_OPTION,
 				    proxyndp    => BINARY_IF_OPTION,
 				    required    => SIMPLE_IF_OPTION,
-				    routeback   => SIMPLE_IF_OPTION + IF_OPTION_ZONEONLY + IF_OPTION_HOST + IF_OPTION_VSERVER,
+				    routeback   => BINARY_IF_OPTION + IF_OPTION_ZONEONLY + IF_OPTION_HOST + IF_OPTION_VSERVER,
 				    rpfilter    => SIMPLE_IF_OPTION,
 				    sfilter     => IPLIST_IF_OPTION,
 				    sourceroute => BINARY_IF_OPTION,
@@ -352,6 +397,7 @@ sub initialize( $$ ) {
 				    mss         => NUMERIC_IF_OPTION + IF_OPTION_WILDOK,
 				    forward     => BINARY_IF_OPTION,
 				    physical    => STRING_IF_OPTION + IF_OPTION_HOST,
+				    unmanaged   => SIMPLE_IF_OPTION,
 				    wait        => NUMERIC_IF_OPTION + IF_OPTION_WILDOK,
 				 );
 	%validhostoptions = (
@@ -361,7 +407,14 @@ sub initialize( $$ ) {
 			     tcpflags => 1,
 			     mss => 1,
 			    );
-	%zonetypes = ( 1 => 'firewall', 2 => 'ipv6', 4 => 'bport6', 8 => 'ipsec4', 16 => 'vserver' );
+
+	%zonetypes = ( 1   => 'firewall',
+		       2   => 'ipv6',
+		       4   => 'bport6',
+		       8   => 'ipsec4',
+		       16  => 'vserver',
+		       32  => 'loopback',
+		       64  => 'local' );
    }
 }

@@ -379,6 +432,8 @@ sub parse_zone_option_list($$\$$)
    my $fmt;

    if ( $list ne '-' ) {
+	fatal_error "The 'loopback' zone may not have $column OPTIONS" if $zonetype == LOOPBACK;
+
 	for my $e ( split_list $list, 'option' ) {
 	    my $val    = undef;
 	    my $invert = '';
@@ -486,6 +541,13 @@ sub process_zone( \$ ) {
    } elsif ( $type eq '-' ) {
 	$type = IP;
 	$$ip = 1;
+    } elsif ( $type eq 'local' ) {
+	push @local_zones, $zone;
+	$type = LOCAL;
+	$$ip  = 1;
+    } elsif ( $type eq 'loopback' ) {
+	push @loopback_zones, $zone;
+	$type = LOOPBACK;
    } else {
 	fatal_error "Invalid zone type ($type)";
    }
@@ -498,6 +560,8 @@ sub process_zone( \$ ) {

 	fatal_error 'Subzones of a Vserver zone not allowed' if $ptype & VSERVER;
 	fatal_error 'Subzones of firewall zone not allowed'  if $ptype & FIREWALL;
+	fatal_error 'Loopback zones may only be subzones of other loopback zones' if ( $type | $ptype ) & LOOPBACK && $type != $ptype;
+	fatal_error 'Local zones may only be subzones of other local zones'       if ( $type | $ptype ) & LOCAL    && $type != $ptype;

 	set_super( $zones{$p} ) if $type & IPSEC && ! ( $ptype & IPSEC );

@@ -563,6 +627,8 @@ sub process_zone( \$ ) {
 #
 # Parse the zones file.
 #
+sub vserver_zones();
+
 sub determine_zones()
 {
    my @z;
@@ -581,6 +647,7 @@ sub determine_zones()

    fatal_error "No firewall zone defined" unless $firewall_zone;
    fatal_error "No IP zones defined" unless $ip;
+    fatal_error "Loopback zones and vserver zones are mutually exclusive" if @loopback_zones && vserver_zones;
    #
    # Topological sort to place sub-zones before all of their parents
    #
@@ -742,8 +809,12 @@ sub add_group_to_zone($$$$$)
    my $zoneref  = $zones{$zone};
    my $zonetype = $zoneref->{type};

-
+    $interfaceref = $interfaces{$interface};
    $zoneref->{interfaces}{$interface} = 1;
+    $zoneref->{destonly} ||= $interfaceref->{options}{destonly};
+    $options->{destonly} ||= $interfaceref->{options}{destonly};
+
+    $interfaceref->{zones}{$zone} = 1;

    my @newnetworks;
    my @exclusions = ();
@@ -752,10 +823,6 @@ sub add_group_to_zone($$$$$)
    my $allip    = 0;

    for my $host ( @$networks ) {
-	$interfaceref = $interfaces{$interface};
-
-	$interfaceref->{zones}{$zone} = 1;
-
 	$interfaceref->{nets}++;

 	fatal_error "Invalid Host List" unless supplied $host;
@@ -887,11 +954,19 @@ sub firewall_zone() {
    $firewall_zone;
 }

+sub loopback_zones() {
+    @loopback_zones;
+}
+
+sub local_zones() {
+    @local_zones;
+}
+
 #
 # Determine if the passed physical device is a bridge
 #
 sub is_a_bridge( $ ) {
-    which 'brctl' && qt( "brctl show | tail -n+2 | grep -q '^$_[0]\[\[:space:\]\]'" );
+    which 'brctl' && system( "brctl show < /dev/null | tail -n+2 | grep -q '^$_[0]\[\[:space:\]\]' > /dev/null" ) == 0;
 }

 #
@@ -1144,7 +1219,7 @@ sub process_interface( $$ ) {
 	    } elsif ( $type == BINARY_IF_OPTION ) {
 		$value = 1 unless defined $value;
 		fatal_error "Option value for '$option' must be 0 or 1" unless ( $value eq '0' || $value eq '1' );
-		fatal_error "The '$option' option may not be used with a wild-card interface name" if $wildcard;
+		fatal_error "The '$option' option may not be used with a wild-card interface name" if $wildcard && ! $type && IF_OPTION_WILDOK;
 		$options{$option} = $value;
 		$hostoptions{$option} = $value if $hostopt;
 	    } elsif ( $type == ENUM_IF_OPTION ) {
@@ -1209,6 +1284,7 @@ sub process_interface( $$ ) {

 		if ( $option eq 'physical' ) {
 		    fatal_error "Invalid Physical interface name ($value)" unless $value && $value !~ /%/;
+		    fatal_error "Virtual interfaces ($value) are not supported" if $value =~ /:\d+$/;

 		    fatal_error "Duplicate physical interface name ($value)" if ( $physical{$value} && ! $port );

@@ -1250,10 +1326,10 @@ sub process_interface( $$ ) {
 	if ( $options{bridge} ) {
 	    require_capability( 'PHYSDEV_MATCH', 'The "bridge" option', 's');
 	    fatal_error "Bridges may not have wildcard names" if $wildcard;
-	    $hostoptions{routeback} = $options{routeback} = 1;
+	    $hostoptions{routeback} = $options{routeback} = 1 unless supplied $options{routeback};
 	}

-	$hostoptions{routeback} = $options{routeback} = is_a_bridge( $physical ) unless $export || $options{routeback};
+	$hostoptions{routeback} = $options{routeback} = is_a_bridge( $physical ) unless $export || supplied $options{routeback} || $options{unmanaged};

 	$hostoptionsref = \%hostoptions;
    } else {
@@ -1267,6 +1343,14 @@ sub process_interface( $$ ) {
 	$options{ignore} ||= 0;
    }

+    if ( $options{unmanaged} ) {
+	fatal_error "The 'lo' interface may not be unmanaged when there are vserver zones" if $physical eq 'lo' && vserver_zones;
+
+	while ( my ( $option, $value ) = each( %options ) ) {
+	    fatal_error "The $option option may not be specified with 'unmanaged'" if $prohibitunmanaged{$option};
+	}
+    }
+
    $physical{$physical} = $interfaces{$interface} = { name       => $interface ,
 						       bridge     => $bridge ,
 						       filter     => $filterref ,
@@ -1279,9 +1363,42 @@ sub process_interface( $$ ) {
 						       physical   => $physical ,
 						       base       => var_base( $physical ),
 						       zones      => {},
+						       origin     => shortlineinfo(''),
 						     };

    if ( $zone ) {
+	fatal_error "Unmanaged interfaces may not be associated with a zone" if $options{unmanaged};
+
+	if ( $physical eq 'lo' ) {
+	    fatal_error "Only a loopback zone may be assigned to 'lo'" unless $zoneref->{type} == LOOPBACK;
+	    fatal_error "Invalid definition of 'lo'"                   if $bridge ne $interface;
+	    
+	    for ( qw/arp_filter
+		     arp_ignore
+		     blacklist
+		     bridge
+		     detectnets
+		     dhcp
+		     maclist
+		     logmartians
+		     norfc1918
+		     nosmurts
+		     proxyarp
+		     routeback
+		     routefilter
+		     rpfilter
+		     sfilter
+		     sourceroute
+		     upnp
+		     upnpclient
+		     mss
+		    / ) {
+		fatal_error "The 'lo' interface may not specify the '$_' option" if supplied $options{$_};
+	    }
+	} else {
+	    fatal_error "A loopback zone may only be assigned to 'lo'" if $zoneref->{type} == LOOPBACK;
+	}
+
 	$netsref ||= [ allip ];
 	add_group_to_zone( $zone, $zoneref->{type}, $interface, $netsref, $hostoptionsref );
 	add_group_to_zone( $zone,
@@ -1402,12 +1519,13 @@ sub known_interface($)
 						   number   => $interfaceref->{number} ,
 						   physical => $physical ,
 						   base     => var_base( $physical ) ,
+						   zones    => $interfaceref->{zones} ,
 						 };
 	    }
 	}
    }

-    0;
+    $physical{$interface} || 0;
 }

 #
@@ -1417,6 +1535,13 @@ sub interface_number( $ ) {
    $interfaces{$_[0]}{number} || 256;
 }

+#
+# Return interface origin
+#
+sub interface_origin( $ ) {
+    $interfaces{$_[0]}->{origin};
+}
+
 #
 # Return the interfaces list
 #
@@ -1425,10 +1550,10 @@ sub all_interfaces() {
 }

 #
-# Return all non-vserver interfaces
+# Return all managed non-vserver interfaces
 #
 sub all_real_interfaces() {
-    grep $_ ne '%vserver%', @interfaces;
+    grep $_ ne '%vserver%' && ! $interfaces{$_}{options}{unmanaged}, @interfaces;
 }

 #
@@ -1438,6 +1563,20 @@ sub all_bridges() {
    grep ( $interfaces{$_}{options}{bridge} , @interfaces );
 }

+#
+# Return a list of managed interfaces
+#
+sub managed_interfaces() {
+    grep (! $interfaces{$_}{options}{unmanaged} , @interfaces );
+}
+
+#
+# Return a list of unmanaged interfaces (skip 'lo' since it is implicitly unmanaged when there are no loopback zones).
+#
+sub unmanaged_interfaces() {
+    grep ( $interfaces{$_}{options}{unmanaged} && $_ ne 'lo', @interfaces );
+}
+
 #
 # Return a reference to the interfaces table entry for an interface
 #
@@ -1496,9 +1635,19 @@ sub source_port_to_bridge( $ ) {
 # Returns a hash reference for the zones interface through the interface
 #
 sub interface_zones( $ ) {
-    my $interfaceref = $interfaces{(shift)};
+    my $interfaceref = known_interface( $_[0] );

-    $interfaceref->{zones};
+    fatal_error "Unknown interface(@_)" unless $interfaceref;
+    $interfaceref->{zones} || {};
+}
+
+#
+# Returns the 'zone' member of the passed interface, if any
+#
+sub interface_zone( $ ) {
+    my $interfaceref = known_interface( $_[0] );
+
+    $interfaceref ? $interfaceref->{zone} : '';
 }

 #
@@ -1820,6 +1969,13 @@ sub process_host( ) {
 	$hosts = $2;

 	fatal_error "Unknown interface ($interface)" unless ($interfaceref = $interfaces{$interface}) && $interfaceref->{root};
+	fatal_error "Unmanaged interfaces may not be associated with a zone" if $interfaceref->{unmanaged};
+
+	if ( $interfaceref->{name} eq 'lo' ) {
+	    fatal_error "Only a loopback zone may be associated with the loopback interface (lo)" if $type != LOOPBACK;
+	} else {
+	    fatal_error "Loopback zones may only be associated with the loopback interface (lo)" if $type == LOOPBACK;
+	}
    } else {
 	fatal_error "Invalid HOST(S) column contents: $hosts"
    }
--- a/Shorewall/Perl/compiler.pl
+++ b/Shorewall/Perl/compiler.pl
@@ -49,7 +49,9 @@ use Getopt::Long;

 sub usage( $ ) {

-    print STDERR 'usage: compiler.pl [ <option> ... ] [ <filename> ]
+    print STDERR << '_EOF_';
+
+usage: compiler.pl [ <option> ... ] [ <filename> ]

  options are:
    [ --export ]
@@ -71,7 +73,8 @@ sub usage( $ ) {
    [ --shorewallrc=<pathname> ]
    [ --shorewallrc1=<pathname> ]
    [ --config_path=<path-list> ]
-';
+
+_EOF_

    exit shift @_;
 }
--- a/Shorewall/Perl/lib.core
+++ b/Shorewall/Perl/lib.core
@@ -419,6 +419,7 @@ fatal_error()

    stop_firewall
    [ -n "$TEMPFILE" ] && rm -f $TEMPFILE
+    mutex_off
    exit 2
 }

--- a/Shorewall/Perl/prog.footer
+++ b/Shorewall/Perl/prog.footer
@@ -24,7 +24,7 @@ usage() {
    echo "Options are:"
    echo
    echo "   -v and -q        Standard Shorewall verbosity controls"
-    echo "   -n               Don't unpdate routing configuration"
+    echo "   -n               Don't update routing configuration"
    echo "   -p               Purge Conntrack Table"
    echo "   -t               Timestamp progress Messages"
    echo "   -V <verbosity>   Set verbosity explicitly"
@@ -321,13 +321,12 @@ case "$COMMAND" in
 	;;
    status)
 	[ $# -ne 1 ] && usage 2
-	echo "$g_product-$SHOREWALL_VERSION Status at $(hostname) - $(date)"
-	echo
+	[ $VERBOSITY -ge 1 ] && echo "$g_product-$SHOREWALL_VERSION Status at $(hostname) - $(date)" &&	echo
 	if product_is_started; then
-	    echo "$g_product is running"
+	    [ $VERBOSITY -ge 1 ] && echo "$g_product is running"
 	    status=0
 	else
-	    echo "$g_product is stopped"
+	    [ $VERBOSITY -ge 1 ] && echo "$g_product is stopped"
 	    status=4
 	fi

@@ -341,8 +340,7 @@ case "$COMMAND" in
 	else
 	    state=Unknown
 	fi
-	echo "State:$state"
-	echo
+	[ $VERBOSITY -ge 1 ] && echo "State:$state" && echo
 	;;
    up|down)
 	[ $# -eq 1 ] && exit 0
--- a/Shorewall/Samples/Universal/shorewall.conf
+++ b/Shorewall/Samples/Universal/shorewall.conf
@@ -21,7 +21,7 @@ VERBOSITY=1
 #		                L O G G I N G
 ###############################################################################

-BLACKLIST_LOGLEVEL=
+BLACKLIST_LOG_LEVEL=

 INVALID_LOG_LEVEL=

@@ -130,6 +130,8 @@ AUTOMAKE=No

 BLACKLIST="NEW,INVALID,UNTRACKED"

+CHAIN_SCRIPTS=No
+
 CLAMPMSS=No

 CLEAR_TC=Yes
@@ -188,7 +190,7 @@ MUTEX_TIMEOUT=60

 NULL_ROUTE_RFC1918=No

-OPTIMIZE=31
+OPTIMIZE=All

 OPTIMIZE_ACCOUNTING=No

@@ -214,10 +216,14 @@ TC_PRIOMAP="2 3 3 3 2 3 1 1 2 2 2 2 2 2 2 2"

 TRACK_PROVIDERS=Yes

+TRACK_RULES=No
+
 USE_DEFAULT_RT=No

 USE_PHYSICAL_NAMES=No

+USE_RT_NAMES=No
+
 WARNOLDCAPVERSION=Yes

 ZONE2ZONE=2
--- a/Shorewall/Samples/one-interface/shorewall.conf
+++ b/Shorewall/Samples/one-interface/shorewall.conf
@@ -32,7 +32,7 @@ VERBOSITY=1
 #		                L O G G I N G
 ###############################################################################

-BLACKLIST_LOGLEVEL=
+BLACKLIST_LOG_LEVEL=

 INVALID_LOG_LEVEL=

@@ -141,6 +141,8 @@ AUTOMAKE=No

 BLACKLIST="NEW,INVALID,UNTRACKED"

+CHAIN_SCRIPTS=No
+
 CLAMPMSS=No

 CLEAR_TC=Yes
@@ -199,7 +201,7 @@ MUTEX_TIMEOUT=60

 NULL_ROUTE_RFC1918=No

-OPTIMIZE=31
+OPTIMIZE=All

 OPTIMIZE_ACCOUNTING=No

@@ -225,10 +227,14 @@ TC_PRIOMAP="2 3 3 3 2 3 1 1 2 2 2 2 2 2 2 2"

 TRACK_PROVIDERS=Yes

+TRACK_RULES=No
+
 USE_DEFAULT_RT=No

 USE_PHYSICAL_NAMES=No

+USE_RT_NAMES=No
+
 WARNOLDCAPVERSION=Yes

 ZONE2ZONE=2
--- a/Shorewall/Samples/three-interfaces/shorewall.conf
+++ b/Shorewall/Samples/three-interfaces/shorewall.conf
@@ -30,7 +30,7 @@ VERBOSITY=1
 #		                L O G G I N G
 ###############################################################################

-BLACKLIST_LOGLEVEL=
+BLACKLIST_LOG_LEVEL=

 INVALID_LOG_LEVEL=

@@ -139,6 +139,8 @@ AUTOMAKE=No

 BLACKLIST="NEW,INVALID,UNTRACKED"

+CHAIN_SCRIPTS=No
+
 CLAMPMSS=Yes

 CLEAR_TC=Yes
@@ -197,7 +199,7 @@ MUTEX_TIMEOUT=60

 NULL_ROUTE_RFC1918=No

-OPTIMIZE=31
+OPTIMIZE=All

 OPTIMIZE_ACCOUNTING=No

@@ -223,10 +225,14 @@ TC_PRIOMAP="2 3 3 3 2 3 1 1 2 2 2 2 2 2 2 2"

 TRACK_PROVIDERS=Yes

+TRACK_RULES=No
+
 USE_DEFAULT_RT=No

 USE_PHYSICAL_NAMES=No

+USE_RT_NAMES=No
+
 WARNOLDCAPVERSION=Yes

 ZONE2ZONE=2
--- a/Shorewall/Samples/two-interfaces/shorewall.conf
+++ b/Shorewall/Samples/two-interfaces/shorewall.conf
@@ -33,7 +33,7 @@ VERBOSITY=1
 #		                L O G G I N G
 ###############################################################################

-BLACKLIST_LOGLEVEL=
+BLACKLIST_LOG_LEVEL=

 INVALID_LOG_LEVEL=

@@ -142,6 +142,8 @@ AUTOMAKE=No

 BLACKLIST="NEW,INVALID,UNTRACKED"

+CHAIN_SCRIPTS=No
+
 CLAMPMSS=Yes

 CLEAR_TC=Yes
@@ -200,7 +202,7 @@ MUTEX_TIMEOUT=60

 NULL_ROUTE_RFC1918=No

-OPTIMIZE=31
+OPTIMIZE=All

 OPTIMIZE_ACCOUNTING=No

@@ -226,10 +228,14 @@ TC_PRIOMAP="2 3 3 3 2 3 1 1 2 2 2 2 2 2 2 2"

 TRACK_PROVIDERS=Yes

+TRACK_RULES=No
+
 USE_DEFAULT_RT=No

 USE_PHYSICAL_NAMES=No

+USE_RT_NAMES=No
+
 WARNOLDCAPVERSION=Yes

 ZONE2ZONE=2
--- a/Shorewall/action.A_Drop
+++ b/Shorewall/action.A_Drop
@@ -24,9 +24,9 @@
 #
 COUNT
 #
-# Reject 'auth'
+# Silently DROP 'auth'
 #
-Auth(A_REJECT)
+Auth(A_DROP)
 #
 # Don't log broadcasts
 #
--- a/Shorewall/action.A_Reject
+++ b/Shorewall/action.A_Reject
@@ -20,10 +20,6 @@
 #
 COUNT
 #
-# Don't log 'auth' -- REJECT
-#
-Auth(A_REJECT)
-#
 # Drop Broadcasts so they don't clutter up the log
 # (broadcasts must *not* be rejected).
 #
--- a/Shorewall/action.AutoBL
+++ b/Shorewall/action.AutoBL
@@ -0,0 +1,59 @@
+#
+# Shorewall version 4 - Auto Blacklist Action
+#
+# Parameters are:
+#
+#    Event          - Name of the event to associate with this blacklist
+#    Interval
+#    Count          - Interval and number of Packets to trigger blacklisting
+#                     Default is 60 seconds and 5 packets.
+#    Successive     - If a matching packet arrives within this many
+#                     seconds of the preceding one, it should be logged
+#                     and dealt with according to the Disposition and
+#                     Log Level parameters below. Default is 2 seconds.
+#    Blacklist time - Number of seconds to blacklist
+#                     Default is 300 (5 minutes)
+#    Disposition    - Disposition of blacklisted packets
+#                     Default is DROP
+#    Log Level      - Level to Log Rejects
+#                     Default is info (6)
+#
+?format 2
+DEFAULTS -,60,5,2,300,DROP,info
+
+?begin perl
+my ( $event, $interval, $count, $successive, $bltime, $disposition, $level ) = get_action_params(7);
+
+fatal_error "The event name parameter to AutoBL is required"            unless supplied $event;
+fatal_error "Invalid interval ($interval) passed to AutoBL"             unless $interval =~ /^\d+$/ && $interval;
+fatal_error "Invalid successive interval ($succesive) passed to AutoBL" unless $successive =~ /^\d+$/;
+fatal_error "Invalid packet count ($count) passed to AutoBL"            unless $count =~ /^\d+$/ && $count;
+fatal_error "Invalid blacklist time ($bltime) passed to AutoBL"         unless $bltime =~ /^\d+$/ && $bltime;
+validate_level( $level );
+
+?end perl
+###############################################################################
+#TARGET		SOURCE	DEST	PROTO	DPORT	SPORT
+#
+# Silently reject the client if blacklisted
+#
+IfEvent(${1}_BL,$6,$5,1,src,check:reap)
+#
+# Blacklist if M attempts in the last N seconds
+#
+IfEvent($1,AutoBLL($1,$6,$7),$2,$3,src,check:reap)
+#
+# Log and reject if the client has tried to connect
+# in the last N seconds
+#
+?if $4
+IfEvent($1,$6:$7,$4,1,-,update,Added)
+?endif
+#
+# Un-blacklist the client
+#
+ResetEvent(${1}_BL,LOG:$7,-,Removed)
+#
+# Set the event and accept the connection
+#
+SetEvent($1,ACCEPT,src)
--- a/Shorewall/action.AutoBLL
+++ b/Shorewall/action.AutoBLL
@@ -0,0 +1,20 @@
+#
+# Shorewall version 4 - Auto Blacklisting Logger Action
+#
+# Arguments are
+#
+#    Event:       Name of the blacklisted event
+#    Disposition: What to do with packets
+#    Level:       Log level and optional tag for logging.
+###############################################################################
+#TARGET		SOURCE	DEST	PROTO	DPORT	SPORT
+#
+# Log the Reject
+#
+?if "$3" ne 'none'
+LOG:$3
+?endif
+#
+# And set the AutoBL Event for the SOURCE IP address
+#
+SetEvent(${1}_BL,$2,src)
--- a/Shorewall/action.Broadcast
+++ b/Shorewall/action.Broadcast
@@ -27,11 +27,11 @@
 #       Default action is DROP
 #
 ##########################################################################################
-?FORMAT 2
+?format 2

 DEFAULTS DROP,-

-?BEGIN PERL;
+?begin perl;

 use Shorewall::IPAddrs;
 use Shorewall::Config;
@@ -71,4 +71,4 @@ add_jump $chainref, $target, 0, '-d 224.0.0.0/4 ';

 1;

-?END PERL;
+?end perl;
--- a/Shorewall/action.Drop
+++ b/Shorewall/action.Drop
@@ -9,18 +9,15 @@
 #	of the action is:
 #
 #	a) Avoid logging lots of useless cruft.
-#	b) Ensure that 'auth' requests are rejected, even if the policy is
-#	   DROP. Otherwise, you may experience problems establishing
-#	   connections with servers that use auth.
-#	c) Ensure that certain ICMP packets that are necessary for successful
+#	b) Ensure that certain ICMP packets that are necessary for successful
 #	   internet operation are always ACCEPTed.
 #
 #  The action accepts five optional parameters:
 #
 #	1 - 'audit' or '-'. Default is '-' which means don't audit in builtin
 #           actions.
-#       2 - Action to take with Auth requests. Default is REJECT or A_REJECT,
-#           depending on the setting of the first parameter.
+#       2 - Action to take with Auth requests. Default is to do nothing special
+#	    with them.
 #	3 - Action to take with SMB requests. Default is DROP or A_DROP,
 #           depending on the setting of the first parameter.
 #       4 - Action to take with required ICMP packets. Default is ACCEPT or
@@ -31,19 +28,18 @@
 # IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!!
 #
 ###############################################################################
-?FORMAT 2
+?format 2
 #
 # The following magic provides different defaults for @2 thru @5, when @1 is
 # 'audit'.
 #
-?BEGIN PERL;
+?begin perl;
 use Shorewall::Config;

 my ( $p1, $p2, $p3 , $p4, $p5 ) = get_action_params( 5 );

 if ( defined $p1 ) {
    if ( $p1 eq 'audit' ) {
-	set_action_param( 2, 'A_REJECT')   unless supplied $p2;
 	set_action_param( 3, 'A_DROP')     unless supplied $p3;
 	set_action_param( 4, 'A_ACCEPT' )  unless supplied $p4;
 	set_action_param( 5, 'A_DROP' )    unless supplied $p5;
@@ -54,9 +50,9 @@ if ( defined $p1 ) {

 1;

-?END PERL;
+?end perl;

-DEFAULTS -,REJECT,DROP,ACCEPT,DROP
+DEFAULTS -,-,DROP,ACCEPT,DROP

 #TARGET		SOURCE	DEST	PROTO	DPORT	SPORT
 #
@@ -64,9 +60,11 @@ DEFAULTS -,REJECT,DROP,ACCEPT,DROP
 #
 COUNT
 #
-# Reject 'auth'
+# Special Handling for Auth
 #
+?if @2 ne '-'
 Auth(@2)
+?endif
 #
 # Don't log broadcasts
 #
--- a/Shorewall/action.DropSmurfs
+++ b/Shorewall/action.DropSmurfs
@@ -9,11 +9,11 @@
 #          audit = Audit dropped packets.
 #
 #################################################################################
-?FORMAT 2
+?format 2

 DEFAULTS -

-?BEGIN PERL;
+?begin perl;
 use strict;
 use Shorewall::Config qw(:DEFAULT F_IPV4 F_IPV6);
 use Shorewall::IPAddrs qw( IPv6_MULTICAST );
@@ -79,7 +79,7 @@ if ( $family == F_IPV4 ) {
    add_ijump( $chainref, g => $target, s => IPv6_MULTICAST );
 }

-?END PERL;
+?end perl;



--- a/Shorewall/action.Established
+++ b/Shorewall/action.Established
@@ -27,22 +27,23 @@
 #       Default action is ACCEPT
 #
 ##########################################################################################
-?FORMAT 2
+?format 2

 DEFAULTS ACCEPT

-?BEGIN PERL;
+?begin perl;

 use Shorewall::IPAddrs;
 use Shorewall::Config;
 use Shorewall::Chains;
+use Shorewall::Rules;

 my ( $action ) = get_action_params( 1 );

-if ( my $state = check_state( 'ESTABLISHED' ) ) {
-    perl_action_helper( $action, $check == 1 ? "$globals{STATEMATCH} ESTABLISHED" : '' );
+if ( my $check = check_state( 'ESTABLISHED' ) ) {
+    perl_action_helper( $action, $check == 1 ? state_match('ESTABLISHED') : '', 'ESTABLISHED' );
 }

 1;

-?END PERL;
+?end perl;
--- a/Shorewall/action.IfEvent
+++ b/Shorewall/action.IfEvent
@@ -0,0 +1,138 @@
+#
+# Shorewall version 4 - Perform an Action based on a Event
+#
+# /etc/shorewall/action.IfEvent
+#
+# Parameters:
+#    Event:        Must start with a letter and be composed of letters, digits, '-', and '_'.
+#    Action:       Anything that can appear in the ACTION column of a rule.
+#    Duration:     Duration in seconds over which the event is to be tested.
+#    Hit Count:    Number of packets seen within the duration -- default is 1
+#    Src or Dest:  'src' (default) or 'dst'. Determines if the event is associated with the source
+#                  address (src) or destination address (dst)
+#    Command:      'check' (default) 'reset', or 'update'. If 'reset', the event will be reset before
+#                  the Action is taken. If 'update', the timestamp associated with the event will
+#                  be updated and the action taken if the time limit/hitcount are matched.
+#                  If '-', the action will be taken if the limit/hitcount are matched but the
+#                  event's timestamp will not be updated.
+#
+#                  If a duration is specified, then 'checkreap' and 'updatereap' may also
+#                  be used. These are like 'check' and 'update' respectively, but they also
+#                  remove any event entries for the IP address that are older than <duration>
+#                  seconds.
+#    Disposition:  Disposition for any event generated.
+#
+# For additional information, see http://www.shorewall.net/Events.html
+#
+#######################################################################################################
+#                                         DO NOT REMOVE THE FOLLOWING LINE
+?format 2
+#################################################################################################################################################################################################
+#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME         HEADERS         SWITCH        HELPER
+#							PORT	PORT(S)		DEST		LIMIT		GROUP
+
+DEFAULTS -,ACCEPT,-,1,src,check,-
+
+?begin perl
+
+use Shorewall::Config qw(:DEFAULT :internal);
+use Shorewall::Chains;
+use Shorewall::Rules;
+use strict;
+
+my ( $event, $action, $duration, $hitcount, $destination, $command, $disposition ) = get_action_params( 7 );
+
+fatal_error "An event name is required"           unless supplied $event;
+fatal_error "Invalid event name ($event)"         unless $event =~ /^[a-zA-z][-\w]*$/;
+
+if ( supplied $duration ) {
+    fatal_error "Invalid time limit ($duration)"  unless $duration =~ /^\d+$/;
+    $duration = "--seconds $duration ";
+} else {
+    $duration = '';
+}
+
+fatal_error "Invalid hit count ($hitcount)"       unless $hitcount =~ /^\d+$/;
+fatal_error "Invalid Src or Dest ($destination)"  unless $destination =~ /^(?:src|dst)$/;
+
+my $srcdst = $destination eq 'src'? '--rsource' : '--rdest';
+
+our $commands_defined;
+
+#
+# Can't 'use constant' here
+#
+my ( $UPDATE_CMD, $CHECK_CMD, $RESET_CMD, $REAP_OPT, $TTL_OPT ) = ( 1, 2, 4, 8, 16 );
+
+my %command = ( check =>  $CHECK_CMD,
+		update => $UPDATE_CMD,
+		reset  => $RESET_CMD
+	      );
+
+my %commandopts = ( 
+		    reap   => $REAP_OPT,
+		    ttl    => $TTL_OPT
+		  );
+
+my @command = split(':', $command);
+
+$command = $command{shift @command} || 0;
+
+fatal_error "Command must be 'check', 'update' or 'reset" unless $command & ( $CHECK_CMD | $UPDATE_CMD | $RESET_CMD); 
+
+for ( @command ) {
+    fatal_error "Invalid command option ($_)" unless $commandopts{$_};
+    if ( $command & $commandopts{$_} ) {
+	warning_message "Duplicate command ($_)";
+    } else {
+	$command |= $commandopts{$_};
+    }
+}
+
+my $duplicate;
+
+set_action_disposition( $disposition) if supplied $disposition;
+set_action_name_to_caller;
+
+require_capability 'RECENT_MATCH', 'Use of events', 's';
+
+if ( $command & $REAP_OPT ) {
+    fatal_error "${command}reap requires a time limit" if ! $duration;
+    $duration .= '--reap ';
+}
+
+$duration .= '--rttl ' if $command & $TTL_OPT;
+
+if ( $command & $RESET_CMD ) {
+    require_capability 'MARK_ANYWHERE', '"reset"', 's';
+
+    print "Resetting....\n";
+    
+    my $mark = $globals{EVENT_MARK};
+    #
+    # The event mark bit must be within 32 bits
+    #
+    fatal_error "The mark layout does not permit resetting of events" unless $mark & 0xffffffff;
+    #
+    # Reset the event mark bit
+    #
+    perl_action_helper( 'INLINE', '-j MARK --and-mark '. in_hex( (~ $mark ) & 0xffffffff ) );
+
+    $mark = in_hex $mark;
+    #
+    # Mark the packet if event is armed
+    #
+    perl_action_helper( 'INLINE', "-m recent --rcheck ${duration}--hitcount $hitcount --name $event $srcdst -j MARK --or-mark $mark" );
+    #
+    # if the event is armed, remove it and perform the action
+    #
+    perl_action_helper( $action , "-m mark --mark $mark/$mark -m recent --remove --name $event" );
+} elsif ( $command & $UPDATE_CMD ) {
+    perl_action_helper( $action, "-m recent --update ${duration}--hitcount $hitcount --name $event $srcdst" );
+} else {
+    perl_action_helper( $action, "-m recent --rcheck ${duration}--hitcount $hitcount --name $event $srcdst" );
+}
+
+1;
+
+?end perl
--- a/Shorewall/action.Invalid
+++ b/Shorewall/action.Invalid
@@ -27,11 +27,11 @@
 #       Default action is DROP
 #
 ##########################################################################################
-?FORMAT 2
+?format 2

 DEFAULTS DROP,-

-?BEGIN PERL;
+?begin perl;

 use Shorewall::IPAddrs;
 use Shorewall::Config;
@@ -46,9 +46,9 @@ if ( supplied $audit ) {
 }

 if ( my $check = check_state( 'INVALID' ) ) {
-    perl_action_helper( $action, $check == 1 ? "$globals{STATEMATCH} INVALID" : '' );
+    perl_action_helper( $action, $check == 1 ? state_match( 'INVALID' ) : '' , 'INVALID' );
 }

 1;

-?END PERL;
+?end perl;
--- a/Shorewall/action.New
+++ b/Shorewall/action.New
@@ -24,31 +24,26 @@
 #
 #   Untracked[([<action>])]
 #
-#       Default action is DROP
+#       Default action is ACCEPT
 #
 ##########################################################################################
-?FORMAT 2
+?format 2

 DEFAULTS ACCEPT

-?BEGIN PERL;
+?begin perl;

 use Shorewall::IPAddrs;
 use Shorewall::Config;
 use Shorewall::Chains;
+use Shorewall::Rules;

 my ( $action ) = get_action_params( 1 );

-my ( $level, $tag ) = get_action_logging;
-
-$action = join( ':', $action, $level, $tag ) if "${level}${tag}";
-
 if ( my $check = check_state( 'NEW' ) ) {
-    perl_action_helper( $action, $check == 1 ? "$globals{STATEMATCH} NEW" : '' );
+    perl_action_helper( $action, $check == 1 ? state_match( 'NEW' ) : '' , 'NEW' );
 }

-allow_optimize( get_action_chain );
-
 1;

-?END PERL;
+?end perl;
--- a/Shorewall/action.NotSyn
+++ b/Shorewall/action.NotSyn
@@ -27,11 +27,11 @@
 #       Default action is DROP
 #
 ##########################################################################################
-?FORMAT 2
+?format 2

 DEFAULTS DROP,-

-?BEGIN PERL;
+?begin perl;

 use strict;
 use Shorewall::IPAddrs;
@@ -50,4 +50,4 @@ perl_action_tcp_helper( $action, '-p 6 ! --syn' );

 1;

-?END PERL;
+?end perl;
--- a/Shorewall/action.RST
+++ b/Shorewall/action.RST
@@ -27,11 +27,11 @@
 #       Default action is DROP
 #
 ##########################################################################################
-?FORMAT 2
+?format 2

 DEFAULTS DROP,-

-?BEGIN PERL;
+?begin perl;

 use Shorewall::Config;
 use Shorewall::Chains;
@@ -48,4 +48,4 @@ perl_action_tcp_helper( $action, '-p 6 --tcp-flags RST RST' );

 1;

-?END PERL;
+?end perl;
--- a/Shorewall/action.Reject
+++ b/Shorewall/action.Reject
@@ -16,8 +16,8 @@
 #
 #	1 - 'audit' or '-'. Default is '-' which means don't audit in builtin
 #           actions.
-#       2 - Action to take with Auth requests. Default is REJECT or A_REJECT,
-#           depending on the setting of the first parameter.
+#       2 - Action to take with Auth requests. Default is to do nothing
+#	    special with them.
 #	3 - Action to take with SMB requests. Default is REJECT or A_REJECT,
 #           depending on the setting of the first parameter.
 #       4 - Action to take with required ICMP packets. Default is ACCEPT or
@@ -27,19 +27,18 @@
 #
 # IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!!
 ###############################################################################
-?FORMAT 2
+?format 2
 #
 # The following magic provides different defaults for @2 thru @5, when @1 is
 # 'audit'.
 #
-?BEGIN PERL;
+?begin perl;
 use Shorewall::Config;

 my ( $p1, $p2, $p3 , $p4, $p5 ) = get_action_params( 5 );

 if ( defined $p1 ) {
    if ( $p1 eq 'audit' ) {
-	set_action_param( 2, 'A_REJECT')  unless supplied $p2;
 	set_action_param( 3, 'A_REJECT')  unless supplied $p3;
 	set_action_param( 4, 'A_ACCEPT' ) unless supplied $p4;
 	set_action_param( 5, 'A_DROP' )   unless supplied $p5;
@@ -50,9 +49,9 @@ if ( defined $p1 ) {

 1;

-?END PERL;
+?end perl;

-DEFAULTS -,REJECT,REJECT,ACCEPT,DROP
+DEFAULTS -,-,REJECT,ACCEPT,DROP

 #TARGET		SOURCE	DEST	PROTO
 #
@@ -60,9 +59,11 @@ DEFAULTS -,REJECT,REJECT,ACCEPT,DROP
 #
 COUNT
 #
-# Don't log 'auth' -- REJECT
+# Special handling for Auth
 #
+?if @2 ne '-'
 Auth(@2)
+?endif
 #
 # Drop Broadcasts so they don't clutter up the log
 # (broadcasts must *not* be rejected).
--- a/Shorewall/action.Related
+++ b/Shorewall/action.Related
@@ -27,23 +27,24 @@
 #       Default action is DROP
 #
 ##########################################################################################
-?FORMAT 2
+?format 2

 DEFAULTS DROP

-?BEGIN PERL;
+?begin perl;

 use strict;
 use Shorewall::IPAddrs;
 use Shorewall::Config;
 use Shorewall::Chains;
+use Shorewall::Rules;

 my ( $action ) = get_action_params( 1 );

-if ( my $state = check_state( 'RELATED' ) ) {
-    perl_action_helper( $action, $check == 1 ? "$globals{STATEMATCH} RELATED" : '' );
+if ( my $check = check_state( 'RELATED' ) ) {
+    perl_action_helper( $action, $check == 1 ? state_match( 'RELATED' ) : '', 'RELATED' );
 }

 1;

-?END PERL;
+?end perl;
--- a/Shorewall/action.ResetEvent
+++ b/Shorewall/action.ResetEvent
@@ -0,0 +1,51 @@
+#
+# Shorewall version 4 - Reset an Event
+#
+# /etc/shorewall/action.ResetEvent
+#
+# Parameters:
+#    Event:       Must start with a letter and be composed of letters, digits, '-', and '_'.
+#    Action:      Action to perform after setting the event. Default is ACCEPT
+#    Src or Dest: 'src' (default) or 'dst'. Determines if the event is associated with the source
+#                 address (src) or destination address (dst)
+#    Disposition: Disposition for any rule generated.
+#
+# For additional information, see http://www.shorewall.net/Events.html
+#
+#######################################################################################################
+#                                         DO NOT REMOVE THE FOLLOWING LINE
+?format 2
+#################################################################################################################################################################################################
+#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME         HEADERS         SWITCH        HELPER
+#							PORT	PORT(S)		DEST		LIMIT		GROUP
+
+DEFAULTS -,ACCEPT,src,-
+
+?begin perl
+
+use Shorewall::Config;
+use Shorewall::Chains;
+use Shorewall::Rules;
+use strict;
+
+my ( $event, $action, $destination, $disposition ) = get_action_params( 4 );
+
+require_capability 'RECENT_MATCH', 'Use of events', 's';
+require_capability 'MARK_ANYWHERE', 'Use of events', 's';
+
+fatal_error "An event name is required"          unless supplied $event;
+fatal_error "Invalid event name ($event)"        unless $event =~ /^[a-zA-z][-\w]*$/;
+fatal_error "Invalid Src or Dest ($destination)" unless $destination =~ /^(?:src|dst)$/;
+
+set_action_disposition( $disposition) if supplied $disposition;
+set_action_name_to_caller;
+
+if ( $destination eq 'dst' ) {
+    perl_action_helper( $action, "-m recent --name $event --remove --rdest" );
+} else {
+    perl_action_helper( $action, "-m recent --name $event --remove --rsource" );
+}
+
+1;
+
+?end perl
--- a/Shorewall/action.SetEvent
+++ b/Shorewall/action.SetEvent
@@ -0,0 +1,51 @@
+#
+# Shorewall version 4 - Set an Event
+#
+# /etc/shorewall/action.SetEvent
+#
+# Parameters:
+#    Event:       Must start with a letter and be composed of letters, digits, '-', and '_'.
+#    Action:      Action to perform after setting the event. Default is ACCEPT
+#    Src or Dest: 'src' (default) or 'dst'. Determines if the event is associated with the source
+#                 address (src) or destination address (dst)
+#    Disposition: Disposition for any event generated.
+#
+# For additional information, see http://www.shorewall.net/Events.html
+#
+#######################################################################################################
+#                                         DO NOT REMOVE THE FOLLOWING LINE
+?format 2
+#################################################################################################################################################################################################
+#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME         HEADERS         SWITCH        HELPER
+#							PORT	PORT(S)		DEST		LIMIT		GROUP
+
+DEFAULTS -,ACCEPT,src
+
+?begin perl
+
+use Shorewall::Config;
+use Shorewall::Chains;
+use Shorewall::Rules;
+use strict;
+
+my ( $event, $action, $destination, $disposition ) = get_action_params( 4 );
+
+require_capability 'RECENT_MATCH', 'Use of events', 's';
+require_capability 'MARK_ANYWHERE', 'Use of events', 's';
+
+fatal_error "An event name is required"          unless supplied $event;
+fatal_error "Invalid event name ($event)"        unless $event =~ /^[a-zA-z][-\w]*$/;
+fatal_error "Invalid Src or Dest ($destination)" unless $destination =~ /^(?:src|dst)$/;
+
+set_action_disposition( $disposition) if supplied $disposition;
+set_action_name_to_caller;
+
+if ( $destination eq 'dst' ) {
+    perl_action_helper( $action, "-m recent --name $event --set --rdest" );
+} else {
+    perl_action_helper( $action, "-m recent --name $event --set --rsource" );
+}
+
+1;
+
+?end perl
--- a/Shorewall/action.TCPFlags
+++ b/Shorewall/action.TCPFlags
@@ -9,31 +9,32 @@
 #          audit = Audit dropped packets.
 #
 #################################################################################
-?FORMAT 2
+?format 2

-DEFAULTS DROP,-
+DEFAULTS -

-?BEGIN PERL;
+?begin perl;
 use strict;
 use Shorewall::Config qw(:DEFAULT F_IPV4 F_IPV6);
 use Shorewall::Chains;
 use Shorewall::Rules;

-my ( $action, $audit ) = get_action_params( 2 );
+my $action = 'DROP';

-my $chainref        = get_action_chain;
+my ( $audit ) = get_action_params( 1 );

 if ( supplied $audit ) {
     fatal_error "Invalid parameter ($audit) to action TCPFlags" if $audit ne 'audit';
-     $action = "A_$action";
+     $action = "A_DROP";
 }    

 perl_action_tcp_helper( $action, '-p tcp --tcp-flags ALL FIN,URG,PSH' );
+perl_action_tcp_helper( $action, '-p tcp --tcp-flags ALL NONE' );
 perl_action_tcp_helper( $action, '-p tcp --tcp-flags SYN,RST SYN,RST' );
 perl_action_tcp_helper( $action, '-p tcp --tcp-flags SYN,FIN SYN,FIN' );
 perl_action_tcp_helper( $action, '-p tcp --syn --sport 0' );

-?END PERL;
+?end perl;



--- a/Shorewall/action.Untracked
+++ b/Shorewall/action.Untracked
@@ -27,29 +27,23 @@
 #       Default action is DROP
 #
 ##########################################################################################
-?FORMAT 2
+?format 2

-DEFAULTS DROP,-
+DEFAULTS DROP

-?BEGIN PERL;
+?begin perl;

 use Shorewall::IPAddrs;
 use Shorewall::Config;
 use Shorewall::Chains;
-use Shorewall::Rules qw( process_rule1 );
+use Shorewall::Rules;

 my ( $action ) = get_action_params( 1 );

-my ( $level, $tag ) = get_action_logging;
-
-$action = join( ':', $action, $level, $tag ) if "${level}${tag}";
-
-if ( my $check = check_state( 'UNTRACKED' ) {
-    perl_action_helper( $action, $check == 1 ? "$globals{STATEMATCH} UNTRACKED" : '' );
+if ( my $check = check_state( 'UNTRACKED' ) ) {
+    perl_action_helper( $action, $check == 1 ? state_match( 'UNTRACKED' ) : '' , 'UNTRACKED' );
 }

-allow_optimize( get_action_chain );
-
 1;

-?END PERL;
+?end perl;
--- a/Shorewall/action.allowInvalid
+++ b/Shorewall/action.allowInvalid
@@ -0,0 +1,53 @@
+#
+# Shorewall 4 - allowInvalid Action
+#
+#    /usr/share/shorewall/action.allowInvalid
+#
+#     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
+#
+#     (c) 2011 - Tom Eastep (teastep@shorewall.net)
+#
+#       Complete documentation is available at http://shorewall.net
+#
+#       This program is free software; you can redistribute it and/or modify
+#       it under the terms of Version 2 of the GNU General Public License
+#       as published by the Free Software Foundation.
+#
+#       This program is distributed in the hope that it will be useful,
+#       but WITHOUT ANY WARRANTY; without even the implied warranty of
+#       MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+#       GNU General Public License for more details.
+#
+#       You should have received a copy of the GNU General Public License
+#       along with this program; if not, write to the Free Software
+#       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+#   allowInvalid[([audit])]
+#
+##########################################################################################
+?format 2
+
+DEFAULTS -
+
+?begin perl;
+
+use strict;
+use Shorewall::IPAddrs;
+use Shorewall::Config;
+use Shorewall::Chains;
+use Shorewall::Rules;
+
+my $action = 'ACCEPT';
+
+my ( $audit ) = get_action_params( 1 );
+
+if ( supplied $audit ) {
+     fatal_error "Invalid parameter ($audit) to action allowInvalid" if $audit ne 'audit';
+     $action = "A_ACCEPT";
+}    
+
+perl_action_helper( "Invalid($action)", '' );
+
+1;
+
+?end perl;
--- a/Shorewall/action.dropInvalid
+++ b/Shorewall/action.dropInvalid
@@ -0,0 +1,53 @@
+#
+# Shorewall 4 - dropInvalid Action
+#
+#    /usr/share/shorewall/action.dropInvalid
+#
+#     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
+#
+#     (c) 2011 - Tom Eastep (teastep@shorewall.net)
+#
+#       Complete documentation is available at http://shorewall.net
+#
+#       This program is free software; you can redistribute it and/or modify
+#       it under the terms of Version 2 of the GNU General Public License
+#       as published by the Free Software Foundation.
+#
+#       This program is distributed in the hope that it will be useful,
+#       but WITHOUT ANY WARRANTY; without even the implied warranty of
+#       MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+#       GNU General Public License for more details.
+#
+#       You should have received a copy of the GNU General Public License
+#       along with this program; if not, write to the Free Software
+#       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+#   dropInvalid[([audit])]
+#
+##########################################################################################
+?format 2
+
+DEFAULTS -
+
+?begin perl;
+
+use strict;
+use Shorewall::IPAddrs;
+use Shorewall::Config;
+use Shorewall::Chains;
+use Shorewall::Rules;
+
+my $action = 'DROP';
+
+my ( $audit ) = get_action_params( 1 );
+
+if ( supplied $audit ) {
+     fatal_error "Invalid parameter ($audit) to action dropInvalid" if $audit ne 'audit';
+     $action = "A_DROP";
+}    
+
+perl_action_helper( "Invalid($action)", '' );
+
+1;
+
+?end perl;
--- a/Shorewall/action.template
+++ b/Shorewall/action.template
@@ -20,7 +20,7 @@
 #
 #######################################################################################################
 #                                         DO NOT REMOVE THE FOLLOWING LINE
-?FORMAT 2
+?format 2
 #################################################################################################################################################################################################
 #ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME         HEADERS         SWITCH        HELPER
 #							PORT	PORT(S)		DEST		LIMIT		GROUP
--- a/Shorewall/actions.std
+++ b/Shorewall/actions.std
@@ -15,19 +15,11 @@
 #    dropBcast		# Silently Drop Broadcast/multicast
 #    dropNotSyn		# Silently Drop Non-syn TCP packets
 #    rejNotSyn		# Silently Reject Non-syn TCP packets
-#    dropInvalid	# Silently Drop packets that are in the INVALID
-#			# conntrack state.
-#    allowInvalid	# Accept packets that are in the INVALID
-#			# conntrack state.
 #    allowoutUPnP	# Allow traffic from local command 'upnpd' (does not
 #                       # work with kernel 2.6.14 and later).
 #    allowinUPnP	# Allow UPnP inbound (to firewall) traffic
 #    forwardUPnP	# Allow traffic that upnpd has redirected from
 #			# 'upnp' interfaces.
-#    drop1918src        # Drop packets with an RFC 1918 source address
-#    drop1918dst        # Drop packets with an RFC 1918 original dest address
-#    rej1918src         # Reject packets with an RFC 1918 source address
-#    rej1918dst         # Reject packets with an RFC 1918 original dest address
 #    Limit              # Limit the rate of connections from each individual
 #                       # IP address
 #
@@ -35,15 +27,22 @@
 #ACTION
 A_Drop 		                # Audited Default Action for DROP policy
 A_Reject	                # Audited Default action for REJECT policy
-Broadcast   noinline            # Handles Broadcast/Multicast/Anycast
+allowInvalid inline		# Accepts packets in the INVALID conntrack state
+AutoBL       noinline           # Auto-blacklist IPs that exceed thesholds
+AutoBLL      noinline           # Helper for AutoBL
+Broadcast    noinline           # Handles Broadcast/Multicast/Anycast
 Drop		                # Default Action for DROP policy
-DropSmurfs  noinline            # Drop smurf packets
-Established inline		# Handles packets in the ESTABLISHED state
-Invalid     inline              # Handles packets in the INVALID conntrack state
-New	    inline              # Handles packets in the NEW conntrack state
-NotSyn      inline              # Handles TCP packets which do not have SYN=1 and ACK=0
+dropInvalid  inline		# Drops packets in the INVALID conntrack state
+DropSmurfs   noinline           # Drop smurf packets
+Established  inline		# Handles packets in the ESTABLISHED state
+IfEvent      noinline           # Perform an action based on an event
+Invalid      inline             # Handles packets in the INVALID conntrack state
+New	     inline             # Handles packets in the NEW conntrack state
+NotSyn       inline             # Handles TCP packets which do not have SYN=1 and ACK=0
 Reject                          # Default Action for REJECT policy
-Related     inline              # Handles packets in the RELATED conntrack state
-RST	    inline              # Handle packets with RST set
+Related      inline             # Handles packets in the RELATED conntrack state
+ResetEvent   inline		# Reset an Event
+RST	     inline             # Handle packets with RST set
+SetEvent     inline		# Initialize an event
 TCPFlags    			# Handle bad flag combinations.
-Untracked   inline              # Handles packets in the UNTRACKED conntrack state
+Untracked    inline             # Handles packets in the UNTRACKED conntrack state
--- a/Shorewall/configfiles/shorewall.conf
+++ b/Shorewall/configfiles/shorewall.conf
@@ -21,7 +21,7 @@ VERBOSITY=1
 #		                L O G G I N G
 ###############################################################################

-BLACKLIST_LOGLEVEL=
+BLACKLIST_LOG_LEVEL=

 INVALID_LOG_LEVEL=

@@ -130,6 +130,8 @@ AUTOMAKE=No

 BLACKLIST="NEW,INVALID,UNTRACKED"

+CHAIN_SCRIPTS=Yes
+
 CLAMPMSS=No

 CLEAR_TC=Yes
@@ -214,10 +216,14 @@ TC_PRIOMAP="2 3 3 3 2 3 1 1 2 2 2 2 2 2 2 2"

 TRACK_PROVIDERS=No

+TRACK_RULES=No
+
 USE_DEFAULT_RT=No

 USE_PHYSICAL_NAMES=No

+USE_RT_NAMES=No
+
 WARNOLDCAPVERSION=Yes

 ZONE2ZONE=2
--- a/Shorewall/configpath
+++ b/Shorewall/configpath
@@ -3,11 +3,4 @@
 #
 # /usr/share/shorewall/configpath
 #
-# Note to maintainers.
-#
-#	The CONFDIR variable is normally set to /etc/shorewall but when
-#	the command is "compile -e" then CONFDIR is set to
-#	/usr/share/shorewall/configfiles/. This prevents 'compile -e'
-#	from trying to use configuration information from /etc/shorewall.
-
-CONFIG_PATH=${CONFDIR}:${SHAREDIR}/shorewall
+CONFIG_PATH=${CONFDIR}/shorewall:${SHAREDIR}/shorewall
--- a/Shorewall/helpers
+++ b/Shorewall/helpers
@@ -32,11 +32,6 @@ loadmodule ip_nat_pptp
 loadmodule ip_nat_sip
 loadmodule ip_nat_snmp_basic
 loadmodule ip_nat_tftp
-loadmodule ip_set
-loadmodule ip_set_iphash
-loadmodule ip_set_ipmap
-loadmodule ip_set_macipmap
-loadmodule ip_set_portmap
 #
 # 2.6.20+ helpers
 #
--- a/Shorewall/install.sh
+++ b/Shorewall/install.sh
@@ -102,9 +102,6 @@ require()

 cd "$(dirname $0)"

-#
-# Load packager's settings if any
-#
 if [ -f shorewall ]; then
    PRODUCT=shorewall
    Product=Shorewall
@@ -215,7 +212,24 @@ if [ -z "$BUILD" ]; then
 	    BUILD=apple
 	    ;;
 	*)
-	    if [ -f /etc/debian_version ]; then
+	    if [ -f /etc/os-release ]; then
+		eval $(cat /etc/os-release | grep ^ID)
+
+		case $ID in
+		    fedora)
+			BUILD=redhat
+			;;
+		    debian)
+			BUILD=debian
+			;;
+		    opensuse)
+			BUILD=suse
+			;;
+		    *)
+			BUILD="$ID"
+			;;
+		esac
+	    elif [ -f /etc/debian_version ]; then
 		BUILD=debian
 	    elif [ -f /etc/redhat-release ]; then
 		BUILD=redhat
@@ -365,9 +379,12 @@ echo "$PRODUCT control program installed in ${DESTDIR}${SBINDIR}/$PRODUCT"
 #
 if [ -n "$INITFILE" ]; then
    if [ -f "${INITSOURCE}" ]; then
-	install_file $INITSOURCE ${DESTDIR}${INITDIR}/$INITFILE 0544
-	[ "${SHAREDIR}" = /usr/share ] || eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${INITDIR}/$INITFILE
-	echo  "$Product script installed in ${DESTDIR}${INITDIR}/$INITFILE"
+	initfile="${DESTDIR}/${INITDIR}/${INITFILE}"
+	install_file $INITSOURCE "$initfile" 0544
+
+	[ "${SHAREDIR}" = /usr/share ] || eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' "$initfile"
+
+	echo  "$Product script installed in $initfile"
    fi
 fi

@@ -394,9 +411,10 @@ fi
 #
 if [ -n "$SYSTEMD" ]; then
    mkdir -p ${DESTDIR}${SYSTEMD}
-    run_install $OWNERSHIP -m 600 $PRODUCT.service ${DESTDIR}${SYSTEMD}/$PRODUCT.service
+    [ -z "$SERVICEFILE" ] && SERVICEFILE=$PRODUCT.service
+    run_install $OWNERSHIP -m 600 $SERVICEFILE ${DESTDIR}${SYSTEMD}/$PRODUCT.service
    [ ${SBINDIR} != /sbin ] && eval sed -i \'s\|/sbin/\|${SBINDIR}/\|\' ${DESTDIR}${SYSTEMD}/$PRODUCT.service
-    echo "Service file installed as ${DESTDIR}${SYSTEMD}/$PRODUCT.service"
+    echo "Service file $SERVICEFILE installed as ${DESTDIR}${SYSTEMD}/$PRODUCT.service"
 fi

 #
@@ -742,16 +760,6 @@ if [ -f findgw ]; then
    fi
 fi

-#
-# Delete the Routes file
-#
-delete_file ${DESTDIR}${CONFDIR}/$PRODUCT/routes
-#
-# Delete the tcstart file
-#
-
-delete_file ${DESTDIR}${SHAREDIR}/$PRODUCT/tcstart
-
 #
 # Delete the Limits Files
 #
@@ -989,6 +997,17 @@ if [ -z "$SPARSE" -a ! -f ${DESTDIR}${CONFDIR}/$PRODUCT/actions ]; then
    echo "Actions file installed as ${DESTDIR}${CONFDIR}/$PRODUCT/actions"
 fi

+#
+# Install the Routes file
+#
+run_install $OWNERSHIP -m 0644 routes           ${DESTDIR}${SHAREDIR}/$PRODUCT/configfiles/
+run_install $OWNERSHIP -m 0644 routes.annotated ${DESTDIR}${SHAREDIR}/$PRODUCT/configfiles/
+
+if [ -z "$SPARSE" -a ! -f ${DESTDIR}${CONFDIR}/$PRODUCT/routes ]; then
+    run_install $OWNERSHIP -m 0644 routes${suffix} ${DESTDIR}${CONFDIR}/$PRODUCT/routes
+    echo "Routes file installed as ${DESTDIR}${CONFDIR}/$PRODUCT/routes"
+fi
+
 cd ..

 #
@@ -1130,7 +1149,7 @@ if [ -n "$SYSCONFFILE" -a ! -f ${DESTDIR}${SYSCONFDIR}/${PRODUCT} ]; then
 	chmod 755 ${DESTDIR}${SYSCONFDIR}
    fi

-    run_install $OWNERSHIP -m 0644 default.debian ${DESTDIR}${SYSCONFDIR}/$PRODUCT
+    run_install $OWNERSHIP -m 0644 ${SYSCONFFILE} ${DESTDIR}${SYSCONFDIR}/$PRODUCT
    echo "$SYSCONFFILE installed in ${DESTDIR}${SYSCONFDIR}/${PRODUCT}"
 fi

--- a/Shorewall/lib.cli-std
+++ b/Shorewall/lib.cli-std
@@ -3,7 +3,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 1999-2012 - Tom Eastep (teastep@shorewall.net)
+#     (c) 1999-2013 - Tom Eastep (teastep@shorewall.net)
 #
 #	Complete documentation is available at http://shorewall.net
 #
@@ -35,25 +35,32 @@ get_config() {
    ensure_config_path

    if [ "$1" = Yes ]; then
-	params=$(find_file params)
+	if [ "$(id -u)" -eq 0 ]; then 
+	    params=$(find_file params)
+	else
+	    params="$g_shorewalldir/params"
+	fi

 	if [ -f $params ]; then
 	    . $params
 	fi
    fi

-    config=$(find_file $g_program.conf)
+    if [ "$(id -u)" -eq 0 ]; then
+	config=$(find_file $g_program.conf)
+    else
+	[ -n "$g_shorewalldir" ] || fatal_error "Ordinary users may not $COMMAND the $CONFDIR/$g_program configuration"
+	config="$g_shorewalldir/$g_program.conf"
+    fi

    if [ -f $config ]; then
 	if [ -r $config ]; then
 	    . $config
 	else
-	    echo "Cannot read $config! (Hint: Are you root?)" >&2
-	    exit 1
+	    fatal_error "Cannot read $config! (Hint: Are you root?)"
 	fi
    else
-	echo "$config does not exist!" >&2
-	exit 2
+	fatal_error "$config does not exist!"
    fi

    ensure_config_path
@@ -69,8 +76,7 @@ get_config() {
 		elif [ -r $LOGFILE ]; then
 		    g_logread="tac $LOGFILE"
 		else
-		    echo "LOGFILE ($LOGFILE) does not exist!" >&2
-		    exit 2
+		    fatal_error "LOGFILE ($LOGFILE) does not exist!"
 		fi
 	    fi
 	fi
@@ -78,14 +84,12 @@ get_config() {
 	if [ $g_family -eq 4 ]; then
 	    if [ -n "$IPTABLES" ]; then
 		if [ ! -x "$IPTABLES" ]; then
-		    echo "   ERROR: The program specified in IPTABLES does not exist or is not executable" >&2
-		    exit 2
+		    fatal_error "The program specified in IPTABLES does not exist or is not executable"
 		fi
 	    else
 		IPTABLES=$(mywhich iptables 2> /dev/null)
 		if [ -z "$IPTABLES" ] ; then
-		    echo "   ERROR: Can't find iptables executable" >&2
-		    exit 2
+		    fatal_error "Can't find iptables executable"
 		fi
 	    fi

@@ -93,14 +97,12 @@ get_config() {
 	else
 	    if [ -n "$IP6TABLES" ]; then
 		if [ ! -x "$IP6TABLES" ]; then
-		    echo "   ERROR: The program specified in IP6TABLES does not exist or is not executable" >&2
-		    exit 2
+		    fatal_error "The program specified in IP6TABLES does not exist or is not executable"
 		fi
 	    else
 		IP6TABLES=$(mywhich ip6tables 2> /dev/null)
 		if [ -z "$IP6TABLES" ] ; then
-		    echo "   ERROR: Can't find ip6tables executable" >&2
-		    exit 2
+		    fatal_error "Can't find ip6tables executable"
 		fi
 	    fi

@@ -111,15 +113,13 @@ get_config() {
 	    case "$IP" in
 		*/*)
 		    if [ ! -x "$IP" ] ; then
-			echo "   ERROR: The program specified in IP ($IP) does not exist or is not executable" >&2
-			exit 2
+			fatal_error "The program specified in IP ($IP) does not exist or is not executable"
 		    fi
 		    ;;
 		*)
 		    prog="$(mywhich $IP 2> /dev/null)"
 		    if [ -z "$prog" ] ; then
-			echo "   ERROR: Can't find $IP executable" >&2
-			exit 2
+			fatal_error "Can't find $IP executable"
 		    fi
 		    IP=$prog
 		    ;;
@@ -132,8 +132,7 @@ get_config() {
 	    case "$IPSET" in
 		*/*)
 		    if [ ! -x "$IPSET" ] ; then
-			echo "   ERROR: The program specified in IPSET ($IPSET) does not exist or is not executable" >&2
-			exit 2
+			fatal_error "The program specified in IPSET ($IPSET) does not exist or is not executable"
 		    fi
 		    ;;
 		ipset)
@@ -145,8 +144,7 @@ get_config() {
 		*)
 		    prog="$(mywhich $IPSET 2> /dev/null)"
 		    if [ -z "$prog" ] ; then
-			echo "   ERROR: Can't find $IPSET executable" >&2
-			exit 2
+			fatal_error "Can't find $IPSET executable"
 		    fi
 		    IPSET=$prog
 		    ;;
@@ -159,15 +157,13 @@ get_config() {
 	    case "$TC" in
 		*/*)
 		    if [ ! -x "$TC" ] ; then
-			echo "   ERROR: The program specified in TC ($TC) does not exist or is not executable" >&2
-			exit 2
+			fatal_error "The program specified in TC ($TC) does not exist or is not executable"
 		    fi
 		    ;;
 		*)
 		    prog="$(mywhich $TC 2> /dev/null)"
 		    if [ -z "$prog" ] ; then
-			echo "   ERROR: Can't find $TC executable" >&2
-			exit 2
+			fatal_error "Can't find $TC executable"
 		    fi
 		    TC=$prog
 		    ;;
@@ -185,14 +181,13 @@ get_config() {
 	if [ "$2" = Yes ]; then
 	    case $STARTUP_ENABLED in
 		No|no|NO)
-		    echo "   ERROR: $g_product startup is disabled. To enable startup, set STARTUP_ENABLED=Yes in ${g_confdir}/${g_program}.conf" >&2
-		    exit 2
+		    fatal_error "$g_product startup is disabled. To enable startup, set STARTUP_ENABLED=Yes in ${g_confdir}/${g_program}.conf"
 		    ;;
 		Yes|yes|YES)
 		    ;;
 		*)
 		    if [ -n "$STARTUP_ENABLED" ]; then
-			echo "   ERROR: Invalid Value for STARTUP_ENABLED: $STARTUP_ENABLED" >&2
+			fatal_error "Invalid Value for STARTUP_ENABLED: $STARTUP_ENABLED"
 			exit 2
 		    fi
 		    ;;
@@ -206,8 +201,7 @@ get_config() {
 		echo "   WARNING: SHOREWALL_COMPILER=shell ignored. Shorewall-shell support has been removed in this release" >&2
 		;;
 	    *)
-		echo "   ERROR: Invalid value ($SHOREWALL_COMPILER) for SHOREWALL_COMPILER" >&2
-		exit 2
+		fatal_error "Invalid value ($SHOREWALL_COMPILER) for SHOREWALL_COMPILER"
 		;;
 	esac

@@ -229,8 +223,7 @@ get_config() {
 		    0|1|2)
 			;;
 		    *)
-		        echo "  ERROR: Invalid LOG_VERBOSITY ($LOG_VERBOSITY)" >&2
-			exit 2;
+		        fatal_error "Invalid LOG_VERBOSITY ($LOG_VERBOSITY)"
 			;;
 		esac
 	    else
@@ -257,8 +250,7 @@ get_config() {
 	    ;;
 	*)
 	    if [ -n "$VERBOSITY" ]; then
-		echo "   ERROR: Invalid VERBOSITY setting ($VERBOSITY)" >&2
-		exit 2
+		fatal_error "Invalid VERBOSITY setting ($VERBOSITY)"
 	    else
 		VERBOSITY=2
 	    fi
@@ -286,8 +278,7 @@ get_config() {
 	    ;;
 	*)
 	    if [ -n "$MANGLE_ENABLED" ]; then
-		echo "   ERROR: Invalid MANGLE_ENABLED setting ($MANGLE_ENABLED)" >&2
-		exit 2
+		fatal_error "Invalid MANGLE_ENABLED setting ($MANGLE_ENABLED)"
 	    fi
 	    ;;
    esac
@@ -300,8 +291,7 @@ get_config() {
 	    ;;
 	*)
 	    if [ -n "$AUTOMAKE" ]; then
-		echo "   ERROR: Invalid AUTOMAKE setting ($AUTOMAKE)" >&2
-		exit 1
+		fatal_error "Invalid AUTOMAKE setting ($AUTOMAKE)"
 	    fi
 	    ;;
    esac
@@ -314,8 +304,7 @@ get_config() {
 	    ;;
 	*)
 	    if [ -n "$LOAD_HELPERS_ONLY" ]; then
-		echo "   ERROR: Invalid LOAD_HELPERS_ONLY setting ($LOAD_HELPERS_ONLY)" >&2
-		exit 1
+		fatal_error "Invalid LOAD_HELPERS_ONLY setting ($LOAD_HELPERS_ONLY)"
 	    fi
 	    ;;
    esac
@@ -328,8 +317,7 @@ get_config() {
 	    ;;
 	*)
 	    if [ -n "$LEGACY_FASTSTART" ]; then
-		echo "   ERROR: Invalid LEGACY_FASTSTART setting ($LEGACY_FASTSTART)" >&2
-		exit 1
+		fatal_error "Invalid LEGACY_FASTSTART setting ($LEGACY_FASTSTART)"
 	    fi

 	    LEGACY_FASTSTART=Yes
@@ -349,7 +337,7 @@ uptodate() {
    ifs="$IFS"
    IFS=':'

-    for dir in $CONFIG_PATH; do
+    for dir in $g_shorewalldir $CONFIG_PATH; do
 	if [ -n "$(find ${dir} -newer $1)" ]; then
 	    IFS="$ifs"
 	    return 1;
@@ -373,18 +361,20 @@ compiler() {

    if [ $(id -u) -ne 0 ]; then
 	if [ -z "$g_shorewalldir" -o "$g_shorewalldir" = /etc/$g_program ]; then
-	    startup_error "Ordinary users may not compile the /etc/$g_program configuration"
+	    startup_error "Ordinary users may not $COMMAND the $CONFDIR/$g_program configuration"
 	fi
    fi
    #
    # We've now set g_shorewalldir so recalculate CONFIG_PATH
    #
-    ensure_config_path
+    [ -n "$g_haveconfig" ] || ensure_config_path
    #
    # Get the config from $g_shorewalldir
    #
    get_config Yes

+    [ -n "$g_doing" ] && progress_message3 "$g_doing..."
+
    case $COMMAND in
 	*start|try|refresh)
 	    ;;
@@ -405,12 +395,17 @@ compiler() {
    shift

    shorewallrc=${g_basedir}/shorewallrc
-    
+
    if [ -n "$g_export" ]; then
 	shorewallrc1=$(find_file shorewallrc)
 	[ -f "$shorewallrc1" ] || fatal_error "Compiling for export requires a shorewallrc file"
    fi

+    if [ -n "$g_conditional" ] && uptodate $g_file; then
+	echo "$g_file is up to date -- no compilation required"
+	return 0
+    fi
+
    options="--verbose=$VERBOSITY --family=$g_family --config_path=$CONFIG_PATH --shorewallrc=${shorewallrc}"
    [ -n "$shorewallrc1" ] && options="$options --shorewallrc1=${shorewallrc1}"
    [ -n "$STARTUP_LOG" ] && options="$options --log=$STARTUP_LOG"
@@ -478,8 +473,6 @@ start_command() {
 	    rc=$?
 	    [ -n "$nolock" ] || mutex_off
 	else
-	    progress_message3 "Compiling..."
-
 	    if compiler $g_debugging $nolock compile ${VARDIR}/.start; then
 		run_postcompile ${VARDIR}/.start
 		[ -n "$nolock" ] || mutex_on
@@ -556,9 +549,9 @@ start_command() {

 	    if [ ! -d $1 ]; then
 		if [ -e $1 ]; then
-		    echo "$1 is not a directory" >&2 && exit 2
+		    fatal_error "$1 is not a directory"
 		else
-		    echo "Directory $1 does not exist" >&2 && exit 2
+		    fatal_error "Directory $1 does not exist"
 		fi
 	    fi

@@ -641,6 +634,10 @@ compile_command() {
 			    g_debug=Yes;
 			    option=${option#d}
 			    ;;
+			c*)
+			    g_conditional=Yes;
+			    option=${option#c}
+			    ;;
 			T*)
 			    g_confess=Yes
 			    option=${option#T}
@@ -661,38 +658,38 @@ compile_command() {
 	esac
    done

-    file=
+    g_file=

    case $# in
 	0)
-	    [ -n "$g_export" ] && file=firewall || file=${VARDIR}/firewall
+	    [ -n "$g_export" ] && g_file=firewall || g_file=${VARDIR}/firewall
 	    ;;
 	1)
-	    file=$1
-	    [ -d $file ] && echo "   ERROR: $file is a directory" >&2 && exit 2;
+	    g_file=$1
+	    [ -d $g_file ] && fatal_error "$g_file is a directory"
 	    ;;
 	2)
 	    [ -n "$g_shorewalldir" -a -z "$g_export" ] && usage 2

 	    if [ ! -d $1 ]; then
 		if [ -e $1 ]; then
-		    echo "$1 is not a directory" >&2 && exit 2
+		    fatal_error "$1 is not a directory"
 		else
-		    echo "Directory $1 does not exist" >&2 && exit 2
+		    fatal_error "Directory $1 does not exist"
 		fi
 	    fi

 	    g_shorewalldir=$(resolve_file $1)
-	    file=$2
+	    g_file=$2
 	    ;;
 	*)
 	    usage 1
 	    ;;
    esac

-    [ "x$file" = x- ] || progress_message3 "Compiling..."
+    [ "x$g_file" = x- ] && g_doing=''

-    compiler $g_debugging compile $file && run_postcompile $file
+    compiler $g_debugging compile $g_file && run_postcompile $g_file
 }

 #
@@ -756,9 +753,9 @@ check_command() {

 	    if [ ! -d $1 ]; then
 		if [ -e $1 ]; then
-		    echo "$1 is not a directory" >&2 && exit 2
+		    fatal_error "$1 is not a directory"
 		else
-		    echo "Directory $1 does not exist" >&2 && exit 2
+		    fatal_error "Directory $1 does not exist"
 		fi
 	    fi

@@ -769,7 +766,7 @@ check_command() {
 	    ;;
    esac

-    progress_message3 "Checking..."
+    g_doing="Checking"

    compiler $g_debugging $nolock check
 }
@@ -848,9 +845,9 @@ update_command() {

 	    if [ ! -d $1 ]; then
 		if [ -e $1 ]; then
-		    echo "$1 is not a directory" >&2 && exit 2
+		    fatal_error "$1 is not a directory"
 		else
-		    echo "Directory $1 does not exist" >&2 && exit 2
+		    fatal_error "Directory $1 does not exist"
 		fi
 	    fi

@@ -861,7 +858,7 @@ update_command() {
 	    ;;
    esac

-    progress_message3 "Updating..."
+    g_doing="Updating..."

    compiler $g_debugging $nolock check
 }
@@ -934,9 +931,9 @@ restart_command() {

 	    if [ ! -d $1 ]; then
 		if [ -e $1 ]; then
-		    echo "$1 is not a directory" >&2 && exit 2
+		    fatal_error "$1 is not a directory"
 		else
-		    echo "Directory $1 does not exist" >&2 && exit 2
+		    fatal_error "Directory $1 does not exist"
 		fi
 	    fi

@@ -956,8 +953,6 @@ restart_command() {
    fi

    if [ -z "$g_fast" ]; then
-	progress_message3 "Compiling..."
-
 	if compiler $g_debugging $nolock compile ${VARDIR}/.restart; then
 	    run_postcompile ${VARDIR}/.restart
 	    [ -n "$nolock" ] || mutex_on
@@ -1016,7 +1011,7 @@ refresh_command() {
 				option=
 				shift
 			    else
-				fatal_error "ERROR: the -D option requires a directory name"
+				fatal_error "The -D option requires a directory name"
 			    fi
 			    ;;
 			*)
@@ -1048,8 +1043,6 @@ refresh_command() {

    [ -n "$STARTUP_ENABLED" ] || fatal_error "Startup is disabled"

-    progress_message3 "Compiling..."
-
    if compiler $g_debugging $nolock compile ${VARDIR}/.refresh; then
 	run_postcompile ${VARDIR}/.refresh
 	[ -n "$nolock" ] || mutex_on
@@ -1124,9 +1117,9 @@ safe_commands() {

 	    if [ ! -d $1 ]; then
 		if [ -e $1 ]; then
-		    echo "$1 is not a directory" >&2 && exit 2
+		    fatal_error "$1 is not a directory"
 		else
-		    echo "Directory $1 does not exist" >&2 && exit 2
+		    fatal_error "Directory $1 does not exist"
 		fi
 	    fi

@@ -1159,8 +1152,6 @@ safe_commands() {
 	command="restart"
    fi

-    progress_message3 "Compiling..."
-
    if ! compiler $g_debugging nolock compile ${VARDIR}/.$command; then
 	status=$?
 	exit $status
@@ -1221,9 +1212,9 @@ try_command() {

 	if [ ! -d $1 ]; then
 	    if [ -e $1 ]; then
-		echo "$1 is not a directory" >&2 && exit 2
+		fatal_error "$1 is not a directory"
 	    else
-		echo "Directory $1 does not exist" >&2 && exit 2
+		fatal_error "Directory $1 does not exist"
 	    fi
 	fi

@@ -1292,8 +1283,6 @@ try_command() {
 	command="restart"
    fi

-    progress_message3 "Compiling..."
-
    if ! compiler $g_debugging $nolock compile ${VARDIR}/.$command; then
 	status=$?
 	exit $status
@@ -1360,20 +1349,21 @@ reload_command() # $* = original arguments less the command.
    local saveit
    saveit=
    local result
-    local directory
    local system
    local getcaps
    getcaps=
    local root
    root=root
    local libexec
-    libexec=/usr/share
+    libexec=${LIBEXECDIR}
    local confdir
-    confdir=/etc
+    confdir=${CONFDIR}
    local sbindir
-    sbindir=/sbin
+    sbindir=${SBINDIR}
+    local sharedir
+    sharedir=${SHAREDIR}

-    litedir=/var/lib/${g_program}-lite
+    litedir=${VARLIB}/${g_program}-lite

    while [ $finished -eq 0 -a $# -gt 0 ]; do
 	option=$1
@@ -1420,11 +1410,11 @@ reload_command() # $* = original arguments less the command.

    case $# in
 	1)
-	    directory="."
+	    g_shorewalldir="."
 	    system=$1
 	    ;;
 	2)
-	    directory=$1
+	    g_shorewalldir=$1
 	    system=$2
 	    ;;
 	*)
@@ -1432,46 +1422,33 @@ reload_command() # $* = original arguments less the command.
 	    ;;
    esac

-    temp=$(rsh_command ${g_program}-lite show config 2> /dev/null | grep ^LITEDIR | sed 's/LITEDIR is //')
-
-    [ -n "$temp" ] && litedir="$temp"
-
-    temp=$(rsh_command ${g_program}-lite show config 2> /dev/null | grep ^LIBEXEC | sed 's/LIBEXEC is //')
-
-    if [ -n "$temp" ]; then
-	case $temp in
-	    /*)
-		libexec="$temp"
-		;;
-	    *)
-		libexec=/usr/$temp
-		;;
-	esac
+    if [ -f $g_shorewalldir/shorewallrc ]; then
+	. $g_shorewalldir/shorewallrc
+	sbindir="$SBINDIR"
+	confdir="$CONFDIR"
+	libexec="$LIBEXECDIR"
+	. $sharedir/shorewall/shorewallrc
+    else
+	error_message "   WARNING: $g_shorewalldir/shorewallrc does not exist; using settings from $SHAREDIR/shorewall" >&2
    fi

-    temp=$(rsh_command ${g_program}-lite show config 2> /dev/null | grep ^SBINDIR | sed 's/SBINDIR is //')
-
-    [ -n "$temp" ] && sbindir="$temp"
-
-    temp=$(rsh_command ${g_program}-lite show config 2> /dev/null | grep ^CONFDIR | sed 's/CONFDIR is //')
-
-    [ -n "$temp" ] && confdir="$temp"
-
-    if [ -z "$getcaps" ]; then
-	g_shorewalldir=$(resolve_file $directory)
-	ensure_config_path
-	capabilities=$(find_file capabilities)
-	[ -f $capabilities ] || getcaps=Yes
-    fi
-
-    if [ -f $directory/${g_program}.conf ]; then
-	if [ -f $directory/params ]; then
-	    . $directory/params
+    if [ -f $g_shorewalldir/${g_program}.conf ]; then
+	if [ -f $g_shorewalldir/params ]; then
+	    . $g_shorewalldir/params
 	fi

-	. $directory/$g_program.conf
-
 	ensure_config_path
+
+	get_config No
+
+	g_haveconfig=Yes
+    else
+	fatal_error "$g_shorewalldir/$g_program.conf does not exist"
+    fi
+
+    if [ -z "$getcaps" ]; then
+	capabilities=$(find_file capabilities)
+	[ -f $capabilities ] || getcaps=Yes
    fi

    if [ -n "$getcaps" ]; then
@@ -1479,21 +1456,21 @@ reload_command() # $* = original arguments less the command.

 	progress_message "Getting Capabilities on system $system..."
 	if [ $g_family -eq 4 ]; then
-	    if ! rsh_command "MODULESDIR=$MODULESDIR MODULE_SUFFIX=\"$MODULE_SUFFIX\" IPTABLES=$IPTABLES DONT_LOAD=\"$DONT_LOAD\" $libexec/shorewall-lite/shorecap" > $directory/capabilities; then
+	    if ! rsh_command "MODULESDIR=$MODULESDIR MODULE_SUFFIX=\"$MODULE_SUFFIX\" IPTABLES=$IPTABLES DONT_LOAD=\"$DONT_LOAD\" $libexec/shorewall-lite/shorecap" > $g_shorewalldir/capabilities; then
 	        fatal_error "Capturing capabilities on system $system failed"
 	    fi
-	elif ! rsh_command "MODULESDIR=$MODULESDIR MODULE_SUFFIX=\"$MODULE_SUFFIX\" IP6TABLES=$IP6TABLES DONT_LOAD=\"$DONT_LOAD\" $libexec/shorewall6-lite/shorecap" > $directory/capabilities; then
+	elif ! rsh_command "MODULESDIR=$MODULESDIR MODULE_SUFFIX=\"$MODULE_SUFFIX\" IP6TABLES=$IP6TABLES DONT_LOAD=\"$DONT_LOAD\" $libexec/shorewall6-lite/shorecap" > $g_shorewalldir/capabilities; then
 	    fatal_error "Capturing capabilities on system $system failed"
 	fi
    fi

-    file=$(resolve_file $directory/firewall)
+    file=$(resolve_file $g_shorewalldir/firewall)

-    [ -n "$g_timestamp" ] && timestamp='-t' || timestamp=
+    g_export=Yes

-    if $g_program $g_debugging $verbose $timestamp compile -e $directory $directory/firewall && \
+    if compiler $g_debugging compiler $g_shorewalldir/firewall && \
 	progress_message3 "Copying $file and ${file}.conf to ${system}:${litedir}..." && \
-	rcp_command "$directory/firewall $directory/firewall.conf" ${litedir}
+	rcp_command "$g_shorewalldir/firewall $g_shorewalldir/firewall.conf" ${litedir}
    then
 	save=$(find_file save);

@@ -1527,7 +1504,6 @@ export_command() # $* = original arguments less the command.
    file=
    local finished
    finished=0
-    local directory
    local target

    while [ $finished -eq 0 -a $# -gt 0 ]; do
@@ -1557,11 +1533,11 @@ export_command() # $* = original arguments less the command.

    case $# in
 	1)
-	    directory="."
+	    g_shorewalldir="."
 	    target=$1
 	    ;;
 	2)
-	    directory=$1
+	    g_shorewalldir=$1
 	    target=$2
 	    ;;
 	*)
@@ -1577,11 +1553,13 @@ export_command() # $* = original arguments less the command.
 	    ;;
    esac

-    file=$(resolve_file $directory/firewall)
+    file=$(resolve_file $g_shorewalldir/firewall)

-    if $g_program $g_debugging $verbose compile -e $directory $directory/firewall && \
+    g_export=Yes
+
+    if compiler $g_debugging compile $g_shorewalldir/firewall && \
 	echo "Copying $file and ${file}.conf to ${target#*@}..." && \
-	scp $directory/firewall $directory/firewall.conf $target
+	scp $g_shorewalldir/firewall $g_shorewalldir/firewall.conf $target
    then
 	save=$(find_file save);

@@ -1600,9 +1578,9 @@ usage() # $1 = exit status
    echo "where <command> is one of:"
    echo "   add <interface>[:<host-list>] ... <zone>"
    echo "   allow <address> ..."
-    echo "   check [ -e ] [ -r ] [ -p ] [ -r ] [ -T ] [ <directory> ]"
+    echo "   [ check | ck ] [ -e ] [ -r ] [ -p ] [ -r ] [ -T ] [ <directory> ]"
    echo "   clear"
-    echo "   compile [ -e ] [ -p ] [ -t ] [ -d ] [ -T ] [ <directory name> ] [ <path name> ]"
+    echo "   [ compile | co ] [ -e ] [ -p ] [ -t ] [ -c ] [ -d ] [ -T ] [ <directory name> ] [ <path name> ]"
    echo "   delete <interface>[:<host-list>] ... <zone>"
    echo "   disable <interface>"
    echo "   drop <address> ..."
@@ -1619,7 +1597,12 @@ usage() # $1 = exit status
 	echo "   iprange <address>-<address>"
    fi

-    echo "   iptrace <iptables match expression>"
+    if [ $g_family -eq 4 ]; then
+	echo "   iptrace <iptables match expression>"
+    else
+	echo "   iptrace <ip6tables match expression>"
+    fi
+
    echo "   load [ -s ] [ -c ] [ -r <root user> ] [ -T ] [ <directory> ] <system>"
    echo "   logdrop <address> ..."
    echo "   logreject <address> ..."
@@ -1640,31 +1623,31 @@ usage() # $1 = exit status
    echo "   safe-restart [ -t <timeout> ] [ <directory> ]"
    echo "   safe-start [ -t <timeout> ] [ <directory> ]"
    echo "   save [ <file name> ]"
-    echo "   show [ -x ] [ -t {filter|mangle|nat|raw|rawpost} ] [ {chain [<chain> [ <chain> ... ]"
-    echo "   show actions"
-    echo "   show [ -f ] capabilities"
-    echo "   show classifiers"
-    echo "   show config"
-    echo "   show connections"
-    echo "   show dynamic <zone>"
-    echo "   show filters"
-    echo "   show ip"
+    echo "   [ show | list | ls ] [ -x ] [ -t {filter|mangle|nat|raw|rawpost} ] [ {chain [<chain> [ <chain> ... ]"
+    echo "   [ show | list | ls ] actions"
+    echo "   [ show | list | ls ] [ -f ] capabilities"
+    echo "   [ show | list | ls ] classifiers"
+    echo "   [ show | list | ls ] config"
+    echo "   [ show | list | ls ] connections"
+    echo "   [ show | list | ls ] dynamic <zone>"
+    echo "   [ show | list | ls ] filters"
+    echo "   [ show | list | ls ] ip"

    if [ $g_family -eq 4 ]; then
-	echo "   show ipa"
+	echo "   [ show | list | ls ] ipa"
    fi

-    echo "   show [ -m ] log [<regex>]"
-    echo "   show macro <macro>"
-    echo "   show macros"
-    echo "   show marks"
-    echo "   show [ -x ] mangle|nat|raw|rawpost|routing"
-    echo "   show nfacct"
-    echo "   show policies"
-    echo "   show routing"
-    echo "   show tc [ device ]"
-    echo "   show vardir"
-    echo "   show zones"
+    echo "   [ show | list | ls ] [ -m ] log [<regex>]"
+    echo "   [ show | list | ls ] macro <macro>"
+    echo "   [ show | list | ls ] macros"
+    echo "   [ show | list | ls ] marks"
+    echo "   [ show | list | ls ] [ -x ] mangle|nat|raw|rawpost|routing"
+    echo "   [ show | list | ls ] nfacct"
+    echo "   [ show | list | ls ] policies"
+    echo "   [ show | list | ls ] routing"
+    echo "   [ show | list | ls ] tc [ device ]"
+    echo "   [ show | list | ls ] vardir"
+    echo "   [ show | list | ls ] zones"
    echo "   start [ -f ] [ -n ] [ -p ] [ -c ] [ -T ] [ <directory> ]"
    echo "   status"
    echo "   stop"
@@ -1678,7 +1661,7 @@ usage() # $1 = exit status
 compiler_command() {

    case $COMMAND in
-	compile)
+	compile|co)
 	    shift
 	    compile_command $@
 	    ;;
@@ -1687,22 +1670,19 @@ compiler_command() {
 	    shift
 	    refresh_command $@
 	    ;;
-	check)
+	check|ck)
 	    shift
 	    check_command $@
 	    ;;
 	update)
-	    get_config Yes
 	    shift
 	    update_command $@
 	    ;;
 	load|reload)
-	    get_config Yes
 	    shift
 	    reload_command $@
 	    ;;
 	export)
-	    get_config Yes
 	    shift
 	    export_command $@
 	    ;;
--- a/Shorewall/manpages/shorewall-accounting.xml
+++ b/Shorewall/manpages/shorewall-accounting.xml
@@ -136,7 +136,7 @@
          </listitem>

          <listitem>
-            <para><emphasis role="bold">accounout</emphasis> in the <emphasis
+            <para><emphasis role="bold">accountout</emphasis> in the <emphasis
            role="bold">OUTPUT</emphasis> section</para>
          </listitem>

@@ -215,9 +215,12 @@

              <listitem>
                <para>Where <emphasis>chain</emphasis> is the name of a chain;
-                Shorewall will create the chain automatically if it doesn't
-                already exist. Causes a jump to that chain to be added to the
-                chain specified in the CHAIN column. If <emphasis
+                shorewall will create the chain automatically if it doesn't
+                already exist. If a second chain is mentioned in the CHAIN
+                column, then a jump from this second chain to
+                <replaceable>chain</replaceable> is created. If no chain is
+                named in the CHAIN column, then a jump from the default chain
+                to <replaceable>chain</replaceable> is created. If <emphasis
                role="bold">:COUNT</emphasis> is included, a counting rule
                matching this entry will be added to
                <emphasis>chain</emphasis>. The <emphasis>chain</emphasis> may
@@ -263,8 +266,8 @@
                    <term><replaceable>network</replaceable></term>

                    <listitem>
-                      <para>is an IPv4 networ<emphasis
-                      role="bold">k</emphasis> in CIDR notation (e.g.,
+                      <para>is an IPv4 <emphasis
+                      role="bold">network</emphasis> in CIDR notation (e.g.,
                      192.168.1.0/24). The network can be as large as a /8
                      (class A).</para>
                    </listitem>
@@ -293,9 +296,20 @@
              </listitem>
            </varlistentry>

+            <varlistentry>
+              <term><emphasis role="bold">INLINE</emphasis></term>
+
+              <listitem>
+                <para>Added in Shorewall 4.5.16. Allows free form iptables
+                matches to be specified following a ';'. In the generated
+                iptables rule(s), the free form matches will follow any
+                matches that are generated by the column contents.</para>
+              </listitem>
+            </varlistentry>
+
            <varlistentry>
              <term><emphasis
-              role="bold">NFACCT</emphasis>(<replaceable>object</replaceable>)</term>
+              role="bold">NFACCT</emphasis>({<replaceable>object</replaceable>[!]}[,...])</term>

              <listitem>
                <para>Added in Shorewall 4.5.7. Provides a form of accounting
@@ -307,6 +321,20 @@
                <replaceable>object</replaceable>; all packets that match any
                of the rules increment the packet and bytes count of the
                object.</para>
+
+                <para>Prior to Shorewall 4.5.16, only one
+                <replaceable>object</replaceable> could be specified.
+                Beginning with Shorewall 4.5.16, an arbitrary number of
+                objects may be given.</para>
+
+                <para>With Shorewall 4.5.16 or later, an nfacct
+                <replaceable>object</replaceable> in the list may optionally
+                be followed by <emphasis role="bold">!</emphasis> to indicate
+                that the nfacct <replaceable>object</replaceable> will be
+                incremented unconditionally for each packet. When <emphasis
+                role="bold">!</emphasis> is omitted, the
+                <replaceable>object</replaceable> will be incremented only if
+                all of the matches in the rule succeed.</para>
              </listitem>
            </varlistentry>

@@ -316,7 +344,7 @@

              <listitem>
                <para>Causes each matching packet to be sent via the currently
-                loaded logging backend (usually nfnetlink_log) where it is
+                loaded logging back-end (usually nfnetlink_log) where it is
                available to accounting daemons through a netlink
                socket.</para>
              </listitem>
@@ -427,7 +455,7 @@
          (136).</para>

          <para>You may place a comma-separated list of port names or numbers
-          in this column if your kernel and iptables include multiport match
+          in this column if your kernel and iptables include multi-port match
          support.</para>

          <para>If the PROTOCOL is <emphasis role="bold">ipp2p</emphasis> then
@@ -450,8 +478,15 @@
          UDP (17), DCCP (33), SCTP (132) or UDPLITE (136).</para>

          <para>You may place a comma-separated list of port numbers in this
-          column if your kernel and iptables include multiport match
+          column if your kernel and iptables include multi-port match
          support.</para>
+
+          <para>Beginning with Shorewall 4.5.15, you may place '=' in this
+          column, provided that the DEST PORT(S) column is non-empty. This
+          causes the rule to match when either the source port or the
+          destination port in a packet matches one of the ports specified in
+          DEST PORTS(S). Use of '=' requires multi-port match in your iptables
+          and kernel.</para>
        </listitem>
      </varlistentry>

@@ -573,7 +608,7 @@
        <listitem>
          <para>The option-list consists of a comma-separated list of options
          from the following list. Only packets that will be encrypted or have
-          been de-crypted via an SA that matches these options will have their
+          been decrypted via an SA that matches these options will have their
          source address changed.</para>

          <variablelist>
@@ -667,8 +702,8 @@

              <listitem>
                <para>When used by itself, causes all traffic that will be
-                encrypted/encapsulated or has been decrypted/un-encapsulted to
-                match the rule.</para>
+                encrypted/encapsulated or has been decrypted/un-encapsulated
+                to match the rule.</para>
              </listitem>
            </varlistentry>

@@ -678,8 +713,8 @@

              <listitem>
                <para>When used by itself, causes all traffic that will not be
-                encrypted/encapsulated or has been decrypted/un-encapsulted to
-                match the rule.</para>
+                encrypted/encapsulated or has been decrypted/un-encapsulated
+                to match the rule.</para>
              </listitem>
            </varlistentry>

@@ -735,8 +770,8 @@
    role="bold">ACTION</emphasis> and <emphasis role="bold">CHAIN</emphasis>,
    the values <emphasis role="bold">-</emphasis>, <emphasis
    role="bold">any</emphasis> and <emphasis role="bold">all</emphasis> may be
-    used as wildcards. Omitted trailing columns are also treated as
-    wildcard.</para>
+    used as wildcard'gs. Omitted trailing columns are also treated as
+    wildcard'g.</para>
  </refsect1>

  <refsect1>
--- a/Shorewall/manpages/shorewall-actions.xml
+++ b/Shorewall/manpages/shorewall-actions.xml
@@ -50,6 +50,18 @@
          <para>Added in Shorewall 4.5.10. Available options are:</para>

          <variablelist>
+            <varlistentry>
+              <term>builtin</term>
+
+              <listitem>
+                <para>Added in Shorewall 4.5.16. Defines the action as a rule
+                target that is supported by your iptables but is not directly
+                supported by Shorewall. The action may be used as the rule
+                target in an INLINE rule in <ulink
+                url="shorewall-rules.html">shorewall-rules</ulink>(5).</para>
+              </listitem>
+            </varlistentry>
+
            <varlistentry>
              <term>inline</term>

--- a/Shorewall/manpages/shorewall-arprules.xml
+++ b/Shorewall/manpages/shorewall-arprules.xml
@@ -23,13 +23,13 @@
  <refsect1>
    <title>Description</title>

-    <para>This file was added in Shorwall 4.5.12 and is used to describe
+    <para>This file was added in Shorewall 4.5.12 and is used to describe
    low-level rules managed by arptables (8). These rules only affect Address
    Resolution Protocol (ARP), Reverse Address Resolution Protocol (RARP) and
    Dynamic Reverse Address Resolution Protocol (DRARP) frames.</para>

    <para>The columns in the file are as shown below. MAC addresses are
-    specified normally (6 hexidecimal numbers separated by colons).</para>
+    specified normally (6 hexadecimal numbers separated by colons).</para>

    <variablelist>
      <varlistentry>
@@ -186,7 +186,7 @@
              <term><replaceable>macmask</replaceable></term>

              <listitem>
-                <para>Mask for MAC address; must be specified as 6 hexidecimal
+                <para>Mask for MAC address; must be specified as 6 hexadecimal
                numbers separated by colons.</para>
              </listitem>
            </varlistentry>
@@ -249,7 +249,7 @@
              <term><replaceable>macmask</replaceable></term>

              <listitem>
-                <para>Mask for MAC address; must be specified as 6 hexidecimal
+                <para>Mask for MAC address; must be specified as 6 hexadecimal
                numbers separated by colons.</para>
              </listitem>
            </varlistentry>
@@ -352,7 +352,7 @@
          </variablelist>

          <para>When '!' is specified, the test is inverted and the rule
-          matches frames which do not match the specifed
+          matches frames which do not match the specified
          <replaceable>opcode</replaceable>.</para>
        </listitem>
      </varlistentry>
@@ -362,7 +362,7 @@
  <refsect1>
    <title>Example</title>

-    <para>The eth1 interface has both a pubiic IP address and a private
+    <para>The eth1 interface has both a public IP address and a private
    address (10.1.10.11/24). When sending ARP requests to 10.1.10.0/24, use
    the private address as the IP source:</para>

--- a/Shorewall/manpages/shorewall-blrules.xml
+++ b/Shorewall/manpages/shorewall-blrules.xml
@@ -34,12 +34,12 @@

    <para>The format of rules in this file is the same as the format of rules
    in <ulink url="shorewall-rules.html">shorewall-rules (5)</ulink>. The
-    differece in the two files lies in the ACTION (first) column.</para>
+    difference in the two files lies in the ACTION (first) column.</para>

    <variablelist>
      <varlistentry>
        <term><emphasis role="bold">ACTION- {<emphasis
-        role="bold">ACCEPT</emphasis>|CONTINUE|DROP|A_DROP|REJECT|A_REJECT|<emphasis
+        role="bold">ACCEPT</emphasis>|BLACKLIST|blacklog|CONTINUE|DROP|A_DROP|REJECT|A_REJECT|<emphasis
        role="bold">WHITELIST</emphasis>|<emphasis
        role="bold">LOG</emphasis>|<emphasis
        role="bold">QUEUE</emphasis>|<emphasis
@@ -164,7 +164,7 @@
              role="bold">NFLOG</emphasis>[(<replaceable>nflog-parameters</replaceable>)]</term>

              <listitem>
-                <para>queues matching packets to a backend logging daemon via
+                <para>queues matching packets to a back end logging daemon via
                a netlink socket then continues to the next rule. See <ulink
                url="http://www.shorewall.net/shorewall.logging.html">http://www.shorewall.net/shorewall_logging.html</ulink>.</para>
              </listitem>
@@ -320,7 +320,7 @@

    <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
    shorewall-hosts(5), shorewall-interfaces(5), shorewall-maclist(5),
-    shoewall6-netmap(5),shorewall-params(5), shorewall-policy(5),
+    shorewall6-netmap(5),shorewall-params(5), shorewall-policy(5),
    shorewall-providers(5), shorewall-rtrules(5), shorewall-routestopped(5),
    shorewall-rules(5), shorewall.conf(5), shorewall-secmarks(5),
    shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall-tcrules(5),
--- a/Shorewall/manpages/shorewall-conntrack.xml
+++ b/Shorewall/manpages/shorewall-conntrack.xml
@@ -384,6 +384,13 @@
          ranges of the form
          <replaceable>low-port</replaceable>:<replaceable>high-port</replaceable>
          if your kernel and iptables include port range support.</para>
+
+          <para>Beginning with Shorewall 4.5.15, you may place '=' in this
+          column, provided that the DEST PORT(S) column is non-empty. This
+          causes the rule to match when either the source port or the
+          destination port in a packet matches one of the ports specified in
+          DEST PORTS(S). Use of '=' requires multi-port match in your iptables
+          and kernel.</para>
        </listitem>
      </varlistentry>

--- a/Shorewall/manpages/shorewall-exclusion.xml
+++ b/Shorewall/manpages/shorewall-exclusion.xml
@@ -31,14 +31,14 @@
    <title>Description</title>

    <para>The first form of exclusion is used when you wish to exclude one or
-    more addresses from a definition. An exclaimation point is followed by a
+    more addresses from a definition. An exclamation point is followed by a
    comma-separated list of addresses. The addresses may be single host
    addresses (e.g., 192.168.1.4) or they may be network addresses in CIDR
    format (e.g., 192.168.1.0/24). If your kernel and iptables include iprange
    support, you may also specify ranges of ip addresses of the form
    <emphasis>lowaddress</emphasis>-<emphasis>highaddress</emphasis></para>

-    <para>No embedded whitespace is allowed.</para>
+    <para>No embedded white-space is allowed.</para>

    <para>Exclusion can appear after a list of addresses and/or address
    ranges. In that case, the final list of address is formed by taking the
--- a/Shorewall/manpages/shorewall-hosts.xml
+++ b/Shorewall/manpages/shorewall-hosts.xml
@@ -115,7 +115,7 @@
        <listitem>
          <para>A comma-separated list of options from the following list. The
          order in which you list the options is not significant but the list
-          must have no embedded white space.</para>
+          must have no embedded white-space.</para>

          <variablelist>
            <varlistentry>
@@ -182,7 +182,7 @@
                <para>Connection requests from these hosts are compared
                against the contents of <ulink
                url="shorewall-maclist.html">shorewall-maclist</ulink>(5). If
-                this option is specified, the interface must be an ethernet
+                this option is specified, the interface must be an Ethernet
                NIC or equivalent and must be up before Shorewall is
                started.</para>
              </listitem>
--- a/Shorewall/manpages/shorewall-init.xml
+++ b/Shorewall/manpages/shorewall-init.xml
@@ -143,7 +143,7 @@
      </listitem>
    </itemizedlist>

-    <para>On a laptop with both ethernet and wireless interfaces, you will
+    <para>On a laptop with both Ethernet and wireless interfaces, you will
    want to make both interfaces optional and set the REQUIRE_INTERFACE option
    to Yes in <ulink url="shorewall.conf.html">shorewall.conf </ulink>(5) or
    <ulink url="../Manpages6/shorewall6.conf.html">shorewall6.conf</ulink>
--- a/Shorewall/manpages/shorewall-interfaces.xml
+++ b/Shorewall/manpages/shorewall-interfaces.xml
@@ -150,6 +150,11 @@ loc     eth2            -</programlisting>

            <member>wait</member>
          </simplelist>
+
+          <para>Beginning with Shorewall 4.5.17, if you specify a zone for the
+          'lo' interface, then that zone must be defined as type
+          <option>local</option> in <ulink
+          url="shorewall6-zones.html">shorewall6-zones</ulink>(5).</para>
        </listitem>
      </varlistentry>

@@ -187,7 +192,7 @@ loc     eth2            -</programlisting>
        <listitem>
          <para>A comma-separated list of options from the following list. The
          order in which you list the options is not significant but the list
-          should have no embedded white space.</para>
+          should have no embedded white-space.</para>

          <variablelist>
            <varlistentry>
@@ -283,7 +288,7 @@ loc     eth2            -</programlisting>

                    <blockquote>
                      <para><emphasis role="bold">WARNING: The 'blacklist'
-                      option is ignored on mult-zone
+                      option is ignored on multi-zone
                      interfaces</emphasis></para>
                    </blockquote>
                  </listitem>
@@ -301,6 +306,15 @@ loc     eth2            -</programlisting>
              </listitem>
            </varlistentry>

+            <varlistentry>
+              <term><emphasis role="bold">destonly</emphasis></term>
+
+              <listitem>
+                <para>Added in Shorewall 4.5.17. Causes the compiler to omit
+                rules to handle traffic from this interface.</para>
+              </listitem>
+            </varlistentry>
+
            <varlistentry>
              <term><emphasis role="bold">dhcp</emphasis></term>

@@ -420,7 +434,7 @@ loc     eth2            -</programlisting>
                <para>Connection requests from this interface are compared
                against the contents of <ulink
                url="shorewall-maclist.html">shorewall-maclist</ulink>(5). If
-                this option is specified, the interface must be an ethernet
+                this option is specified, the interface must be an Ethernet
                NIC and must be up before Shorewall is started.</para>
              </listitem>
            </varlistentry>
@@ -562,7 +576,7 @@ loc     eth2            -</programlisting>
            </varlistentry>

            <varlistentry>
-              <term><emphasis role="bold">routeback</emphasis></term>
+              <term><emphasis role="bold">routeback[={0|1}]</emphasis></term>

              <listitem>
                <para>If specified, indicates that Shorewall should include
@@ -577,6 +591,12 @@ loc     eth2            -</programlisting>
                <option>sfilter</option> (see below) or
                <option>routefilter</option> on all interfaces (see
                below).</para>
+
+                <para>Beginning with Shorewall 4.5.18, you may specify this
+                option to explicitly reset (e.g., <emphasis
+                role="bold">routeback=0</emphasis>). This can be used to
+                override Shorewall's default setting for bridge devices which
+                is <emphasis role="bold">routeback=1</emphasis>.</para>
              </listitem>
            </varlistentry>

@@ -604,10 +624,27 @@ loc     eth2            -</programlisting>
                  the INTERFACE column.</para>
                </note>

-                <para>This option can also be enabled globally in the <ulink
+                <para>This option can also be enabled globally via the
+                ROUTE_FILTER option in the <ulink
                url="shorewall.conf.html">shorewall.conf</ulink>(5)
                file.</para>

+                <important>
+                  <para>If ROUTE_FILTER=Yes in <ulink
+                  url="shorewall.conf.html">shorewall.conf</ulink>(5), or if
+                  your distribution sets net.ipv4.conf.all.rp_filter=1 in
+                  <filename>/etc/sysctl.conf</filename>, then setting
+                  <emphasis role="bold">routefilter</emphasis>=0 in an
+                  <replaceable>interface</replaceable> entry will not disable
+                  route filtering on that
+                  <replaceable>interface</replaceable>! The effective setting
+                  for an <replaceable>interface</replaceable> is the maximum
+                  of the contents of
+                  <filename>/proc/sys/net/ipv4/conf/all/rp_filter</filename>
+                  and the routefilter setting specified in this file
+                  (/proc/sys/net/ipv4/conf/<replaceable>interface</replaceable>/rp_filter).</para>
+                </important>
+
                <note>
                  <para>There are certain cases where
                  <option>routefilter</option> cannot be used on an
@@ -675,10 +712,9 @@ loc     eth2            -</programlisting>
              <listitem>
                <para>If this option is not specified for an interface, then
                source-routed packets will not be accepted from that interface
-                (sets
-                /proc/sys/net/ipv4/conf/<emphasis>interface</emphasis>/accept_source_route
-                to 1). Only set this option if you know what you are doing.
-                This might represent a security risk and is usually
+                unless it has been explicitly enabled via sysconf. Only set
+                this option to 1 (enable source routing) if you know what you
+                are doing. This might represent a security risk and is usually
                unneeded.</para>

                <para>Only those interfaces with the
@@ -686,8 +722,6 @@ loc     eth2            -</programlisting>
                changed; the value assigned to the setting will be the value
                specified (if any) or 1 if no value is given.</para>

-                <para></para>
-
                <note>
                  <para>This option does not work with a wild-card
                  <replaceable>interface</replaceable> name (e.g., eth0.+) in
@@ -708,6 +742,55 @@ loc     eth2            -</programlisting>
              </listitem>
            </varlistentry>

+            <varlistentry>
+              <term>unmanaged</term>
+
+              <listitem>
+                <para>Added in Shorewall 4.5.18. Causes all traffic between
+                the firewall and hosts on the interface to be accepted. When
+                this option is given:</para>
+
+                <itemizedlist>
+                  <listitem>
+                    <para>The ZONE column must contain '-'.</para>
+                  </listitem>
+
+                  <listitem>
+                    <para>Only the following other options are allowed with
+                    <emphasis role="bold">unmanaged</emphasis>:</para>
+
+                    <simplelist>
+                      <member><emphasis
+                      role="bold">arp_filter</emphasis></member>
+
+                      <member><emphasis
+                      role="bold">arp_ignore</emphasis></member>
+
+                      <member><emphasis role="bold">ignore</emphasis></member>
+
+                      <member><emphasis
+                      role="bold">routefilter</emphasis></member>
+
+                      <member><emphasis
+                      role="bold">optional</emphasis></member>
+
+                      <member><emphasis
+                      role="bold">physical</emphasis></member>
+
+                      <member><emphasis
+                      role="bold">routefilter</emphasis></member>
+
+                      <member><emphasis
+                      role="bold">sourceroute</emphasis></member>
+
+                      <member><emphasis
+                      role="bold">proxyndp</emphasis></member>
+                    </simplelist>
+                  </listitem>
+                </itemizedlist>
+              </listitem>
+            </varlistentry>
+
            <varlistentry>
              <term><emphasis role="bold">upnp</emphasis></term>

@@ -795,7 +878,7 @@ dmz     eth2</programlisting>
        <term>Example 3:</term>

        <listitem>
-          <para>You have a simple dial-in system with no ethernet
+          <para>You have a simple dial-in system with no Ethernet
          connections.</para>

          <programlisting>FORMAT 2
--- a/Shorewall/manpages/shorewall-ipsets.xml
+++ b/Shorewall/manpages/shorewall-ipsets.xml
@@ -42,12 +42,13 @@

    <para>Whether the set is matched against the packet source or destination
    is determined by which column the set name appears (SOURCE or DEST). For
-    those set types that specify a tupple, two alternative syntaxes are
+    those set types that specify a tuple, two alternative syntaxes are
    available:</para>

    <simplelist>
      <member>[<replaceable>number</replaceable>] - Indicates that 'src' or
-      'dst' should repleated number times. Example: myset[2].</member>
+        'dst' should be repeated <replaceable>number</replaceable> times.
+        Example: myset[2].</member>

      <member>[<replaceable>flag</replaceable>,...] where
      <replaceable>flag</replaceable> is <option>src</option> or
@@ -62,7 +63,7 @@
      </listitem>
    </itemizedlist>

-    <para>In a DEST column, the following paris are equivalent:</para>
+    <para>In a DEST column, the following pairs are equivalent:</para>

    <itemizedlist>
      <listitem>
@@ -77,6 +78,20 @@

    <para>For information about set lists and exclusion, see <ulink
    url="shorewall-exclusion.html">shorewall-exclusion</ulink> (5).</para>
+
+    <para>Beginning with Shorewall 4.5.16, you can increment one or more
+    nfacct objects each time a packet matches an ipset. You do that by listing
+    the objects separated by commas within parentheses.</para>
+
+    <para>Example:</para>
+
+    <simplelist>
+      <member>+myset[src](myobject)</member>
+    </simplelist>
+
+    <para>In that example, when the source address of a packet matches the
+    <emphasis role="bold">myset</emphasis> ipset, the <emphasis
+    role="bold">myobject</emphasis> nfacct counter will be incremented.</para>
  </refsect1>

  <refsect1>
--- a/Shorewall/manpages/shorewall-maclist.xml
+++ b/Shorewall/manpages/shorewall-maclist.xml
@@ -68,7 +68,7 @@
        <listitem>
          <para>MAC <emphasis>address</emphasis> of the host -- you do not
          need to use the Shorewall format for MAC addresses here. If
-          <emphasis role="bold">IP ADDRESSESES</emphasis> is supplied then
+          <emphasis role="bold">IP ADDRESSES</emphasis> is supplied then
          <emphasis role="bold">MAC</emphasis> can be supplied as a dash
          (<emphasis role="bold">-</emphasis>)</para>
        </listitem>
--- a/Shorewall/manpages/shorewall-masq.xml
+++ b/Shorewall/manpages/shorewall-masq.xml
@@ -60,7 +60,7 @@
          added with that name (e.g., eth0:0). This will allow the alias to be
          displayed with ifconfig. <emphasis role="bold">That is the only use
          for the alias name; it may not appear in any other place in your
-          Shorewall configuratio</emphasis>n.</para>
+          Shorewall configuration.</emphasis></para>

          <para>Each interface must match an entry in <ulink
          url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5).
@@ -80,7 +80,7 @@

          <programlisting>        eth0(Avvanta)</programlisting>

-          <para>In that case, you will want to specify the interfaces's
+          <para>In that case, you will want to specify the interface's
          address for that provider in the ADDRESS column.</para>

          <para>The interface may be qualified by adding the character ":"
@@ -506,7 +506,7 @@
          <para>Switch settings are retained over <command>shorewall
          restart</command>.</para>

-          <para>Beginning with Shoreawll 4.5.10, when the
+          <para>Beginning with Shorewall 4.5.10, when the
          <replaceable>switch-name</replaceable> is followed by
          <option>=0</option> or <option>=1</option>, then the switch is
          initialized to off or on respectively by the
--- a/Shorewall/manpages/shorewall-nat.xml
+++ b/Shorewall/manpages/shorewall-nat.xml
@@ -79,7 +79,7 @@
          want Shorewall to add the alias with this name (e.g., "eth0:0").
          That allows you to see the alias with ifconfig. <emphasis
          role="bold">That is the only thing that this name is good for -- you
-          cannot use it anwhere else in your Shorewall configuration.
+          cannot use it anywhere else in your Shorewall configuration.
          </emphasis></para>

          <para>Each interface must match an entry in <ulink
--- a/Shorewall/manpages/shorewall-netmap.xml
+++ b/Shorewall/manpages/shorewall-netmap.xml
@@ -119,7 +119,7 @@

        <listitem>
          <para>Added in Shorewall 4.4.11. If specified, qualifies INTERFACE.
-          It specifies a SOURCE network for DNAT rules and a DESTINATON
+          It specifies a SOURCE network for DNAT rules and a DESTINATION
          network for SNAT rules.</para>
        </listitem>
      </varlistentry>
@@ -145,7 +145,7 @@
          range</emphasis>s; if the protocol is <emphasis
          role="bold">icmp</emphasis>, this column is interpreted as the
          destination icmp-type(s). ICMP types may be specified as a numeric
-          type, a numberic type and code separated by a slash (e.g., 3/4), or
+          type, a numeric type and code separated by a slash (e.g., 3/4), or
          a typename. See <ulink
          url="http://www.shorewall.net/configuration_file_basics.htm#ICMP">http://www.shorewall.net/configuration_file_basics.htm#ICMP</ulink>.</para>

--- a/Shorewall/manpages/shorewall-policy.xml
+++ b/Shorewall/manpages/shorewall-policy.xml
@@ -42,8 +42,9 @@
      <para>For $FW and for all of the zones defined in /etc/shorewall/zones,
      the POLICY for connections from the zone to itself is ACCEPT (with no
      logging or TCP connection rate limiting) but may be overridden by an
-      entry in this file. The overriding entry must be explicit (cannot use
-      "all" in the SOURCE or DEST).</para>
+      entry in this file. The overriding entry must be explicit (specifying
+      the zone name in both SOURCE and DEST) or it must use "all+" (Shorewall
+      4.5.17 or later).</para>

      <para>Similarly, if you have IMPLICIT_CONTINUE=Yes in shorewall.conf,
      then the implicit policy to/from any sub-zone is CONTINUE. These
@@ -59,26 +60,39 @@
      <varlistentry>
        <term><emphasis role="bold">SOURCE</emphasis> -
        <emphasis>zone</emphasis>|<emphasis
-        role="bold">$FW</emphasis>|<emphasis role="bold">all</emphasis></term>
+        role="bold">$FW</emphasis>|<emphasis
+        role="bold">all</emphasis>|<emphasis
+        role="bold">all+</emphasis></term>

        <listitem>
          <para>Source zone. Must be the name of a zone defined in <ulink
-          url="shorewall-zones.html">shorewall-zones</ulink>(5), $FW or
-          "all".</para>
+          url="shorewall-zones.html">shorewall-zones</ulink>(5), $FW, "all" or
+          "all+".</para>
+
+          <para>Support for "all+" was added in Shorewall 4.5.17. "all" does
+          not override the implicit intra-zone ACCEPT policy while "all+"
+          does. </para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term><emphasis role="bold">DEST</emphasis> -
        <emphasis>zone</emphasis>|<emphasis
-        role="bold">$FW</emphasis>|<emphasis role="bold">all</emphasis></term>
+        role="bold">$FW</emphasis>|<emphasis
+        role="bold">all</emphasis>|<emphasis
+        role="bold">all+</emphasis></term>

        <listitem>
          <para>Destination zone. Must be the name of a zone defined in <ulink
-          url="shorewall-zones.html">shorewall-zones</ulink>(5), $FW or "all".
-          If the DEST is a bport zone, then the SOURCE must be "all", another
-          bport zone associated with the same bridge, or it must be an ipv4
-          zone that is associated with only the same bridge.</para>
+          url="shorewall-zones.html">shorewall-zones</ulink>(5), $FW, "all" or
+          "all+". If the DEST is a bport zone, then the SOURCE must be "all",
+          "all+", another bport zone associated with the same bridge, or it
+          must be an ipv4 zone that is associated with only the same
+          bridge.</para>
+
+          <para>Support for "all+" was added in Shorewall 4.5.17. "all" does
+          not override the implicit intra-zone ACCEPT policy while "all+"
+          does. </para>
        </listitem>
      </varlistentry>

--- a/Shorewall/manpages/shorewall-providers.xml
+++ b/Shorewall/manpages/shorewall-providers.xml
@@ -148,9 +148,21 @@
        <listitem>
          <para>A comma-separated list selected from the following. The order
          of the options is not significant but the list may contain no
-          embedded whitespace.</para>
+          embedded white-space.</para>

          <variablelist>
+            <varlistentry>
+              <term>autosrc</term>
+
+              <listitem>
+                <para>Added in Shorewall 4.5.17. Causes a host route to the
+                provider's gateway router to be added to the provider's
+                routing table. This is the default behavior unless overridden
+                by a following <emphasis role="bold">noautosrc</emphasis>
+                option.</para>
+              </listitem>
+            </varlistentry>
+
            <varlistentry>
              <term><emphasis role="bold">track</emphasis></term>

@@ -200,6 +212,17 @@
              </listitem>
            </varlistentry>

+            <varlistentry>
+              <term>noautosrc</term>
+
+              <listitem>
+                <para>Added in Shorewall 4.5.17. Prevents the addition of a
+                host route to the provider's gateway router from being added
+                to the provider's routing table. This option must be used with
+                caution as it can cause start and restart failures.</para>
+              </listitem>
+            </varlistentry>
+
            <varlistentry>
              <term><emphasis role="bold">notrack</emphasis></term>

@@ -300,6 +323,13 @@
          Only copy routes through INTERFACE and through interfaces listed
          here. If you only wish to copy routes through INTERFACE, enter
          <option>none</option> in this column.</para>
+
+          <para>Beginning with Shorewall 4.5.17, blackhole, unreachable and
+          prohibit routes are no longer copied by default but may be copied by
+          including <emphasis role="bold">blackhole</emphasis>,<emphasis
+          role="bold">unreachable</emphasis> and <emphasis
+          role="bold">prohibit</emphasis> respectively in the COPY
+          list.</para>
        </listitem>
      </varlistentry>
    </variablelist>
--- a/Shorewall/manpages/shorewall-routes.xml
+++ b/Shorewall/manpages/shorewall-routes.xml
@@ -34,8 +34,10 @@

        <listitem>
          <para>The name or number of a provider defined in <ulink
-          url="shorewall-providers.html">shorewall-providers</ulink>
-          (5).</para>
+          url="shorewall-providers.html">shorewall-providers</ulink> (5).
+          Beginning with Shorewall 4.5.14, you may also enter
+          <option>main</option> in this column to add routes to the main
+          routing table.</para>
        </listitem>
      </varlistentry>

@@ -53,6 +55,15 @@
        <listitem>
          <para>If specified, gives the IP address of the gateway to the
          DEST.</para>
+
+          <para>Beginning with Shorewall 4.5.14, you may specify
+          <option>blackhole</option> in this column to create a
+          <firstterm>blackhole</firstterm> route.</para>
+
+          <para>Beginning with Shorewall 4.5.15, you may specify
+          <option>prohibit</option> or <option>unreachable</option> in this
+          column to create a <firstterm>prohibit</firstterm> or
+          <firstterm>unreachable</firstterm> route respectively.</para>
        </listitem>
      </varlistentry>

@@ -62,8 +73,10 @@
        <listitem>
          <para>Specifies the device route. If neither DEVICE nor GATEWAY is
          given, then the INTERFACE specified for the PROVIDER in <ulink
-          url="shorewall-providers.html">shorewall-providers</ulink>
-          (5).</para>
+          url="shorewall-providers.html">shorewall-providers</ulink> (5). This
+          column must be omitted if <option>blackhole</option>,
+          <option>prohibit</option> or <option>unreachable</option> is
+          specified in the GATEWAY column.</para>
        </listitem>
      </varlistentry>
    </variablelist>
--- a/Shorewall/manpages/shorewall-routestopped.xml
+++ b/Shorewall/manpages/shorewall-routestopped.xml
@@ -73,7 +73,7 @@
        <listitem>
          <para>Optional. A comma-separated list of options. The order of the
          options is not important but the list can contain no embedded
-          whitespace. The currently-supported options are:</para>
+          white-space. The currently-supported options are:</para>

          <variablelist>
            <varlistentry>
@@ -121,7 +121,7 @@
              <term>notrack</term>

              <listitem>
-                <para>The traffic will be exempted from conntection
+                <para>The traffic will be exempted from connection
                tracking.</para>
              </listitem>
            </varlistentry>
@@ -161,6 +161,13 @@
          include port ranges of the form
          <replaceable>low-port</replaceable>:<replaceable>high-port</replaceable>
          if your kernel and iptables include port range support.</para>
+
+          <para>Beginning with Shorewall 4.5.15, you may place '=' in this
+          column, provided that the DEST PORT(S) column is non-empty. This
+          causes the rule to match when either the source port or the
+          destination port in a packet matches one of the ports specified in
+          DEST PORTS(S). Use of '=' requires multi-port match in your iptables
+          and kernel.</para>
        </listitem>
      </varlistentry>
    </variablelist>
--- a/Shorewall/manpages/shorewall-rules.xml
+++ b/Shorewall/manpages/shorewall-rules.xml
@@ -24,7 +24,7 @@
    <title>Description</title>

    <para>Entries in this file govern connection establishment by defining
-    exceptions to the policies layed out in <ulink
+    exceptions to the policies laid out in <ulink
    url="shorewall-policy.html">shorewall-policy</ulink>(5). By default,
    subsequent requests and responses are automatically allowed using
    connection tracking. For any particular (source,dest) pair of zones, the
@@ -146,7 +146,7 @@
      role="bold">RELATED</emphasis> sections must be empty.</para>

      <para>An except is made if you are running Shorewall 4.4.27 or later and
-      you have specified a non-defualt value for RELATED_DISPOSITION or
+      you have specified a non-default value for RELATED_DISPOSITION or
      RELATED_LOG_LEVEL. In that case, you may have rules in the RELATED
      section of this file.</para>
    </warning>
@@ -243,7 +243,7 @@
                <para>Added in Shorewall 4.4.12. Causes addresses and/or port
                numbers to be added to the named
                <replaceable>ipset</replaceable>. The
-                <replaceable>flags</replaceable> specify the address or tupple
+                <replaceable>flags</replaceable> specify the address or tuple
                to be added to the set and must match the type of ipset
                involved. For example, for an iphash ipset, either the SOURCE
                or DESTINATION address can be added using
@@ -360,10 +360,10 @@
              <listitem>
                <para>Added in Shorewall 4.4.12. Causes an entry to be deleted
                from the named <replaceable>ipset</replaceable>. The
-                <replaceable>flags</replaceable> specify the address or tupple
+                <replaceable>flags</replaceable> specify the address or tuple
                to be deleted from the set and must match the type of ipset
                involved. For example, for an iphash ipset, either the SOURCE
-                or DESTINATION address can be deletec using
+                or DESTINATION address can be deleted using
                <replaceable>flags</replaceable> <emphasis
                role="bold">src</emphasis> or <emphasis
                role="bold">dst</emphasis> respectively (see the -D command in
@@ -427,6 +427,47 @@
              </listitem>
            </varlistentry>

+            <varlistentry>
+              <term><emphasis
+              role="bold">INLINE</emphasis>[(<replaceable>action</replaceable>)]</term>
+
+              <listitem>
+                <para>Added in Shorewall 4.5.16. This action allows you to
+                construct most of the rule yourself using iptables syntax. The
+                part that you specify must follow a semicolon (';') and is
+                completely free-form. If the target of the rule (the part
+                following 'j') is something that Shorewall supports in the
+                ACTION column, then you may enclose it in parentheses (e.g.,
+                INLINE(ACCEPT)). Otherwise, you can include it after the
+                semicolon. In this case, you must declare the target as a
+                builtin action in <ulink
+                url="shorewall-actions.html">shorewall-actions</ulink>(5).</para>
+
+                <para>Some considerations when using INLINE:</para>
+
+                <itemizedlist>
+                  <listitem>
+                    <para>The <option>p</option>, <option>s</option>,
+                    <option>d</option>, <option>i</option>,
+                    <option>o</option>, <option>policy</option>, and state
+                    match (<option>state</option> or <option>conntrack
+                    --ctstate</option>) matches will always appear in the
+                    front of the rule in that order.</para>
+                  </listitem>
+
+                  <listitem>
+                    <para>When multiple matches are specified, the compiler
+                    will keep them in the order in which they appear
+                    (excluding the above listed ones), but they will not
+                    necessarily be at the end of the generated rule. For
+                    example, if addresses are specified in the SOURCE and/or
+                    DEST columns, their generated matches will appear after
+                    those specified using ';'.</para>
+                  </listitem>
+                </itemizedlist>
+              </listitem>
+            </varlistentry>
+
            <varlistentry>
              <term><emphasis
              role="bold">LOG:<replaceable>level</replaceable></emphasis></term>
@@ -467,7 +508,7 @@

              <listitem>
                <para>Added in Shorewall 4.5.9.3. Queues matching packets to a
-                backend logging daemon via a netlink socket then continues to
+                back end logging daemon via a netlink socket then continues to
                the next rule. See <ulink
                url="http://www.shorewall.net/shorewall.logging.html">http://www.shorewall.net/shorewall_logging.html</ulink>.</para>

@@ -580,7 +621,7 @@

              <listitem>
                <para>Added in Shorewall 4.5.10. Queues matching packets to a
-                backend logging daemon via a netlink socket then continues to
+                back end logging daemon via a netlink socket then continues to
                the next rule. See <ulink
                url="http://www.shorewall.net/shorewall.logging.html">http://www.shorewall.net/shorewall_logging.html</ulink>.</para>

@@ -665,7 +706,7 @@
          <para>Beginning with Shorewall 4.4.13, you may use a
          <replaceable>zone-list </replaceable>which consists of a
          comma-separated list of zones declared in <ulink
-          url="shorewall-zones.html">shorewall-zones</ulink> (5). Ths
+          url="shorewall-zones.html">shorewall-zones</ulink> (5). This
          <replaceable>zone-list</replaceable> may be optionally followed by
          "+" to indicate that the rule is to apply to intra-zone traffic as
          well as inter-zone traffic.</para>
@@ -721,8 +762,8 @@
          bindings to be matched.</para>

          <para>Beginning with Shorewall 4.4.17, the primary IP address of a
-          firewall interface can be specified by an apersand ('&amp;')
-          followed by the logican name of the interface as found in the
+          firewall interface can be specified by an ampersand ('&amp;')
+          followed by the logical name of the interface as found in the
          INTERFACE column of <ulink
          url="shorewall-interfaces.html">shorewall-interfaces</ulink>
          (5).</para>
@@ -839,7 +880,7 @@
          <para>Beginning with Shorewall 4.4.13, you may use a
          <replaceable>zone-list </replaceable>which consists of a
          comma-separated list of zones declared in <ulink
-          url="shorewall-zones.html">shorewall-zones</ulink> (5). Ths
+          url="shorewall-zones.html">shorewall-zones</ulink> (5). This
          <replaceable>zone-list</replaceable> may be optionally followed by
          "+" to indicate that the rule is to apply to intra-zone traffic as
          well as inter-zone traffic.</para>
@@ -893,88 +934,79 @@
              </listitem>
            </orderedlist></para>

-          <blockquote>
-            <para/>
+          <para>Except when <emphasis role="bold">all</emphasis>[<emphasis
+          role="bold">+]|[-</emphasis>] is specified, the server may be
+          further restricted to a particular network, host or interface by
+          appending ":" and the network, host or interface. See <emphasis
+          role="bold">SOURCE</emphasis> above.</para>

-            <para>Except when <emphasis role="bold">all</emphasis>[<emphasis
-            role="bold">+]|[-</emphasis>] is specified, the server may be
-            further restricted to a particular network, host or interface by
-            appending ":" and the network, host or interface. See <emphasis
-            role="bold">SOURCE</emphasis> above.</para>
+          <para>You may exclude certain hosts from the set already defined
+          through use of an <emphasis>exclusion</emphasis> (see <ulink
+          url="shorewall-exclusion.html">shorewall-exclusion</ulink>(5)).</para>

-            <para>You may exclude certain hosts from the set already defined
-            through use of an <emphasis>exclusion</emphasis> (see <ulink
-            url="shorewall-exclusion.html">shorewall-exclusion</ulink>(5)).</para>
+          <para>Restriction: MAC addresses are not allowed (this is a
+          Netfilter restriction).</para>

-            <para>Restrictions:</para>
+          <para>Like in the <emphasis role="bold">SOURCE</emphasis> column,
+          you may specify a range of IP addresses using the syntax
+          <emphasis>lowaddress</emphasis>-<emphasis>highaddress</emphasis>.
+          When the <emphasis role="bold">ACTION</emphasis> is <emphasis
+          role="bold">DNAT</emphasis> or <emphasis
+          role="bold">DNAT-</emphasis>, the connections will be assigned to
+          addresses in the range in a round-robin fashion.</para>

-            <para>1. MAC addresses are not allowed (this is a Netfilter
-            restriction).</para>
+          <para>If you kernel and iptables have ipset match support then you
+          may give the name of an ipset prefaced by "+". The ipset name may be
+          optionally followed by a number from 1 to 6 enclosed in square
+          brackets ([]) to indicate the number of levels of destination
+          bindings to be matched. Only one of the <emphasis
+          role="bold">SOURCE</emphasis> and <emphasis
+          role="bold">DEST</emphasis> columns may specify an ipset
+          name.</para>

-            <para>2. You may not specify both an interface and an
-            address.</para>
+          <para>Beginning with Shorewall 4.4.17, the primary IP address of a
+          firewall interface can be specified by an ampersand ('&amp;')
+          followed by the logical name of the interface as found in the
+          INTERFACE column of <ulink
+          url="shorewall-interfaces.html">shorewall-interfaces</ulink>
+          (5).</para>

-            <para>Like in the <emphasis role="bold">SOURCE</emphasis> column,
-            you may specify a range of IP addresses using the syntax
-            <emphasis>lowaddress</emphasis>-<emphasis>highaddress</emphasis>.
-            When the <emphasis role="bold">ACTION</emphasis> is <emphasis
-            role="bold">DNAT</emphasis> or <emphasis
-            role="bold">DNAT-</emphasis>, the connections will be assigned to
-            addresses in the range in a round-robin fashion.</para>
+          <para>The <replaceable>port</replaceable> that the server is
+          listening on may be included and separated from the server's IP
+          address by ":". If omitted, the firewall will not modify the
+          destination port. A destination port may only be included if the
+          <emphasis role="bold">ACTION</emphasis> is <emphasis
+          role="bold">DNAT</emphasis> or <emphasis
+          role="bold">REDIRECT</emphasis>.</para>

-            <para>If you kernel and iptables have ipset match support then you
-            may give the name of an ipset prefaced by "+". The ipset name may
-            be optionally followed by a number from 1 to 6 enclosed in square
-            brackets ([]) to indicate the number of levels of destination
-            bindings to be matched. Only one of the <emphasis
-            role="bold">SOURCE</emphasis> and <emphasis
-            role="bold">DEST</emphasis> columns may specify an ipset
-            name.</para>
+          <variablelist>
+            <varlistentry>
+              <term>Example:</term>

-            <para>Beginning with Shorewall 4.4.17, the primary IP address of a
-            firewall interface can be specified by an apersand ('&amp;')
-            followed by the logical name of the interface as found in the
-            INTERFACE column of <ulink
-            url="shorewall-interfaces.html">shorewall-interfaces</ulink>
-            (5).</para>
+              <listitem>
+                <para><emphasis role="bold">loc:192.168.1.3:3128</emphasis>
+                specifies a local server at IP address 192.168.1.3 and
+                listening on port 3128.</para>
+              </listitem>
+            </varlistentry>
+          </variablelist>

-            <para>The <replaceable>port</replaceable> that the server is
-            listening on may be included and separated from the server's IP
-            address by ":". If omitted, the firewall will not modifiy the
-            destination port. A destination port may only be included if the
-            <emphasis role="bold">ACTION</emphasis> is <emphasis
-            role="bold">DNAT</emphasis> or <emphasis
-            role="bold">REDIRECT</emphasis>.</para>
+          <para>The <emphasis>port</emphasis> may be specified as a service
+          name. You may specify a port range in the form
+          <emphasis>lowport-highport</emphasis> to cause connections to be
+          assigned to ports in the range in round-robin fashion. When a port
+          range is specified, <emphasis>lowport</emphasis> and
+          <emphasis>highport</emphasis> must be given as integers; service
+          names are not permitted. Additionally, the port range may be
+          optionally followed by <emphasis role="bold">:random</emphasis>
+          which causes assignment to ports in the list to be random.</para>

-            <variablelist>
-              <varlistentry>
-                <term>Example:</term>
-
-                <listitem>
-                  <para><emphasis role="bold">loc:192.168.1.3:3128</emphasis>
-                  specifies a local server at IP address 192.168.1.3 and
-                  listening on port 3128.</para>
-                </listitem>
-              </varlistentry>
-            </variablelist>
-
-            <para>The <emphasis>port</emphasis> may be specified as a service
-            name. You may specify a port range in the form
-            <emphasis>lowport-highport</emphasis> to cause connections to be
-            assigned to ports in the range in round-robin fashion. When a port
-            range is specified, <emphasis>lowport</emphasis> and
-            <emphasis>highport</emphasis> must be given as integers; service
-            names are not permitted. Additionally, the port range may be
-            optionally followed by <emphasis role="bold">:random</emphasis>
-            which causes assignment to ports in the list to be random.</para>
-
-            <para>If the <emphasis role="bold">ACTION</emphasis> is <emphasis
-            role="bold">REDIRECT</emphasis> or <emphasis
-            role="bold">REDIRECT-</emphasis>, this column needs only to
-            contain the port number on the firewall that the request should be
-            redirected to. That is equivalent to specifying
-            <option>$FW</option>::<replaceable>port</replaceable>.</para>
-          </blockquote>
+          <para>If the <emphasis role="bold">ACTION</emphasis> is <emphasis
+          role="bold">REDIRECT</emphasis> or <emphasis
+          role="bold">REDIRECT-</emphasis>, this column needs only to contain
+          the port number on the firewall that the request should be
+          redirected to. That is equivalent to specifying
+          <option>$FW</option>::<replaceable>port</replaceable>.</para>
        </listitem>
      </varlistentry>

@@ -1011,11 +1043,11 @@
          names (from services(5)), port numbers or port ranges; if the
          protocol is <emphasis role="bold">icmp</emphasis>, this column is
          interpreted as the destination icmp-type(s). ICMP types may be
-          specified as a numeric type, a numberic type and code separated by a
+          specified as a numeric type, a numeric type and code separated by a
          slash (e.g., 3/4), or a typename. See <ulink
          url="http://www.shorewall.net/configuration_file_basics.htm#ICMP">http://www.shorewall.net/configuration_file_basics.htm#ICMP</ulink>.
          Note that prior to Shorewall 4.4.19, only a single ICMP type may be
-          listsed.</para>
+          listed.</para>

          <para>If the protocol is <emphasis role="bold">ipp2p</emphasis>,
          this column is interpreted as an ipp2p option without the leading
@@ -1039,7 +1071,7 @@
          <para>1. There are 15 or less ports listed.</para>

          <para>2. No port ranges are included or your kernel and iptables
-          contain extended multiport match support.</para>
+          contain extended multi-port match support.</para>
        </listitem>
      </varlistentry>

@@ -1054,6 +1086,13 @@
          port is acceptable. Specified as a comma- separated list of port
          names, port numbers or port ranges.</para>

+          <para>Beginning with Shorewall 4.5.15, you may place '=' in this
+          column, provided that the DEST PORT(S) column is non-empty. This
+          causes the rule to match when either the source port or the
+          destination port in a packet matches one of the ports specified in
+          DEST PORTS(S). Use of '=' requires multi-port match in your iptables
+          and kernel.</para>
+
          <warning>
            <para>Unless you really understand IP, you should leave this
            column empty or place a dash (<emphasis role="bold">-</emphasis>)
@@ -1061,20 +1100,18 @@
            wrong.</para>
          </warning>

-          <blockquote>
-            <para>If you don't want to restrict client ports but need to
-            specify an <emphasis role="bold">ORIGINAL DEST</emphasis> in the
-            next column, then place "-" in this column.</para>
+          <para>If you don't want to restrict client ports but need to specify
+          an <emphasis role="bold">ORIGINAL DEST</emphasis> in the next
+          column, then place "-" in this column.</para>

-            <para>If your kernel contains multi-port match support, then only
-            a single Netfilter rule will be generated if in this list and the
-            <emphasis role="bold">DEST PORT(S)</emphasis> list above:</para>
+          <para>If your kernel contains multi-port match support, then only a
+          single Netfilter rule will be generated if in this list and the
+          <emphasis role="bold">DEST PORT(S)</emphasis> list above:</para>

-            <para>1. There are 15 or less ports listed.</para>
+          <para>1. There are 15 or less ports listed.</para>

-            <para>2. No port ranges are included or your kernel and iptables
-            contain extended multiport match support.</para>
-          </blockquote>
+          <para>2. No port ranges are included or your kernel and iptables
+          contain extended multi-port match support.</para>
        </listitem>
      </varlistentry>

@@ -1102,7 +1139,7 @@
          not match any of the addresses listed.</para>

          <para>Beginning with Shorewall 4.4.17, the primary IP address of a
-          firewall interface can be specified by an apersand ('&amp;')
+          firewall interface can be specified by an ampersand ('&amp;')
          followed by the logical name of the interface as found in the
          INTERFACE column of <ulink
          url="shorewall-interfaces.html">shorewall-interfaces</ulink>
@@ -1150,7 +1187,7 @@
          interval (<emphasis role="bold">sec</emphasis> or <emphasis
          role="bold">min</emphasis>) and <emphasis>burst</emphasis> is the
          largest burst permitted. If no <emphasis>burst</emphasis> is given,
-          a value of 5 is assumed. There may be no no whitespace embedded in
+          a value of 5 is assumed. There may be no no white-space embedded in
          the specification.</para>

          <para>Example: <emphasis role="bold">10/sec:20</emphasis></para>
@@ -1301,7 +1338,7 @@

      <varlistentry>
        <term><emphasis role="bold">TIME</emphasis> -
-        <emphasis>timeelement</emphasis>[&amp;<emphasis>timelement</emphasis>...]</term>
+        <emphasis>timeelement</emphasis>[&amp;<emphasis>timeelement</emphasis>...]</term>

        <listitem>
          <para>May be used to limit the rule to a particular time period each
@@ -1445,7 +1482,7 @@
          <para>Switch settings are retained over <command>shorewall
          restart</command>.</para>

-          <para>Beginning with Shoreawll 4.5.10, when the
+          <para>Beginning with Shorewall 4.5.10, when the
          <replaceable>switch-name</replaceable> is followed by
          <option>=0</option> or <option>=1</option>, then the switch is
          initialized to off or on respectively by the
@@ -1670,7 +1707,7 @@
        <term>Example 10:</term>

        <listitem>
-          <para>Add the tupple (source IP, dest port, dest IP) of an incoming
+          <para>Add the tuple (source IP, dest port, dest IP) of an incoming
          SSH connection to the ipset S:</para>

          <programlisting>        #ACTION                       SOURCE           DEST           PROTO       DEST
@@ -1717,6 +1754,30 @@
        DROP                          net:^A1,A2       fw             tcp         25</programlisting>
        </listitem>
      </varlistentry>
+
+      <varlistentry>
+        <term>Example 14:</term>
+
+        <listitem>
+          <para>You want to generate your own rule involving iptables targets
+          and matches not supported by Shorewall.</para>
+
+          <programlisting>        #ACTION                       SOURCE           DEST           PROTO       DEST
+        #                                                                         PORT(S)
+        INLINE                        $FW              net ; -p 6 -m mickey-mouse --name test -m set --match-set set1 src -m mickey-mouse --name test2 -j SECCTX --name test3</programlisting>
+
+          <para>The above will generate the following iptables-restore
+          input:</para>
+
+          <programlisting>        -A fw2net -p 6 -m mickey-mouse --name test -m set --match-set set1 src -m mickey-mouse --name test2 -j SECCTX --name test3</programlisting>
+
+          <para>Note that SECCTX must be defined as a builtin action in <ulink
+          url="shorewall-actions.html">shorewall-actions</ulink>(5):</para>
+
+          <programlisting>        #ACTION            OPTIONS
+        SECCTX             builtin</programlisting>
+        </listitem>
+      </varlistentry>
    </variablelist>
  </refsect1>

@@ -1739,7 +1800,7 @@
    url="http://www.shorewall.net/shorewall_logging.html">http://www.shorewall.net/shorewall_logging.html</ulink></para>

    <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
-    shorewall-blacklist(5), shorweall-blrules(5), shorewall-hosts(5),
+    shorewall-blacklist(5), shorewall-blrules(5), shorewall-hosts(5),
    shorewall_interfaces(5), shorewall-ipsets(5), shorewall-maclist(5),
    shorewall-masq(5), shorewall-nat(5), shorewall-netmap(5),
    shorewall-params(5), shorewall-policy(5), shorewall-providers(5),
--- a/Show More
+++ b/Show More