Remove version from config files

Signed-off-by: Tom Eastep <teastep@shorewall.net>
Fix RESTART
2015-10-12 15:02:50 -07:00 · 2015-10-12 14:08:24 -07:00 · 2015-10-12 13:49:24 -07:00 · 2015-10-12 11:45:58 -07:00 · 2015-10-12 10:55:36 -07:00 · 2015-10-10 13:19:41 -07:00
580 changed files with 29295 additions and 13608 deletions
--- a/Shorewall-core/INSTALL
+++ b/Shorewall-core/INSTALL
@@ -1,4 +1,4 @@
-Shoreline Firewall (Shorewall) Version 4
+Shoreline Firewall (Shorewall) Version 5
 -----         ----

 -----------------------------------------------------------------------------
--- a/Shorewall-core/configure
+++ b/Shorewall-core/configure
@@ -1,16 +1,17 @@
 #!/bin/bash
 #
-#     Shorewall Packet Filtering Firewall RPM configuration program - V4.5
+#     Shorewall Packet Filtering Firewall RPM configuration program - V4.6
 #
-#     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
-#
-#     (c) 2012 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2012,2014 - Tom Eastep (teastep@shorewall.net)
 #
 #	Shorewall documentation is available at http://www.shorewall.net
 #
+#       This program is part of Shorewall.
+#
 #	This program is free software; you can redistribute it and/or modify
-#	it under the terms of Version 2 of the GNU General Public License
-#	as published by the Free Software Foundation.
+#	it under the terms of the GNU General Public License as published by the
+#       Free Software Foundation, either version 2 of the license or, at your
+#       option, any later version.
 #
 #	This program is distributed in the hope that it will be useful,
 #	but WITHOUT ANY WARRANTY; without even the implied warranty of
@@ -18,8 +19,7 @@
 #	GNU General Public License for more details.
 #
 #	You should have received a copy of the GNU General Public License
-#	along with this program; if not, write to the Free Software
-#	Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#	along with this program; if not, see <http://www.gnu.org/licenses/>.
 #
 #       Usage: ./configure [ <option>=<setting> ] ...
 #
@@ -28,7 +28,7 @@
 #
 # Build updates this
 #
-VERSION=4.5.2.1
+VERSION=4.6.12

 case "$BASH_VERSION" in
    [4-9].*)
@@ -93,21 +93,44 @@ done

 vendor=${params[HOST]}

+if [ -z "$vendor" ]; then
+    if [ -f /etc/os-release ]; then
+	eval $(cat /etc/os-release | grep ^ID=)
+
+	case $ID in
+	    fedora|rhel)
+		vendor=redhat
+		;;
+	    debian|ubuntu)
+		ls -l /sbin/init |fgrep -q systemd | vendor=debian.systemd | vendor=debian.sysvinit
+		;;
+	    opensuse)
+		vendor=suse
+		;;
+	    *)
+		vendor="$ID"
+		;;
+	esac
+
+	params[HOST]="$vendor"
+    fi
+fi
+
 if [ -z "$vendor" ]; then
    case `uname` in
 	Darwin)
-	    $params[HOST]=apple
+	    params[HOST]=apple
 	    rcfile=shorewallrc.apple
 	    ;;

-	cygwin*)
-	    $params[HOST]=cygwin
+	cygwin*|CYGWIN*)
+	    params[HOST]=cygwin
 	    rcfile=shorewallrc.cygwin
 	    ;;
 	*)
 	    if [ -f /etc/debian_version ]; then
 		params[HOST]=debian
-		rcfile=shorewallrc.debian
+		rcfile=shorewallrc.debian.sysvinit
 	    elif [ -f /etc/redhat-release ]; then
 		params[HOST]=redhat
 		rcfile=shorewallrc.redhat
@@ -172,6 +195,10 @@ elif [ -n "${options[VARDIR]}" ]; then
    fi
 fi

+if [ -z "${options[SERVICEDIR]}" ]; then
+    options[SERVICEDIR]="${options[SYSTEMD]}"
+fi
+
 for on in \
    HOST \
    PREFIX \
@@ -186,7 +213,8 @@ for on in \
    INITFILE \
    AUXINITSOURCE \
    AUXINITFILE \
-    SYSTEMD \
+    SERVICEDIR \
+    SERVICEFILE \
    SYSCONFFILE \
    SYSCONFDIR \
    SPARSE \
--- a/Shorewall-core/configure.pl
+++ b/Shorewall-core/configure.pl
@@ -2,15 +2,16 @@
 #
 #     Shorewall Packet Filtering Firewall RPM configuration program - V4.5
 #
-#     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
-#
-#     (c) 2012 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2012, 2014 - Tom Eastep (teastep@shorewall.net)
 #
 #	Shorewall documentation is available at http://www.shorewall.net
 #
+#       This program is part of Shorewall.
+#
 #	This program is free software; you can redistribute it and/or modify
-#	it under the terms of Version 2 of the GNU General Public License
-#	as published by the Free Software Foundation.
+#	it under the terms of the GNU General Public License as published by the
+#       Free Software Foundation, either version 2 of the license or, at your
+#       option, any later version.
 #
 #	This program is distributed in the hope that it will be useful,
 #	but WITHOUT ANY WARRANTY; without even the implied warranty of
@@ -18,8 +19,7 @@
 #	GNU General Public License for more details.
 #
 #	You should have received a copy of the GNU General Public License
-#	along with this program; if not, write to the Free Software
-#	Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#	along with this program; if not, see <http://www.gnu.org/licenses/>.
 #
 #       Usage: ./configure.pl <option>=<setting> ...
 #
@@ -31,7 +31,7 @@ use strict;
 # Build updates this
 #
 use constant {
-    VERSION => '4.5.2.1'
+    VERSION => '4.6.12'
 };

 my %params;
@@ -56,13 +56,37 @@ my $vendor = $params{HOST};
 my $rcfile;
 my $rcfilename;

+unless ( defined $vendor ) {
+    if ( -f '/etc/os-release' ) {
+	my $id = `cat /etc/os-release | grep ^ID=`;
+
+	chomp $id;
+
+	$id =~ s/ID=//;
+	
+	if ( $id eq 'fedora' || $id eq 'rhel' ) {
+	    $vendor = 'redhat';
+	} elsif ( $id eq 'opensuse' ) {
+	    $vendor = 'suse';
+	} elsif ( $id eq 'ubuntu' || $id eq 'debian' ) {
+	    my $init = `ls -l /sbin/init`;
+	    $vendor = $init =~ /systemd/ ? 'debian.systemd' : 'debian.sysvinit';
+	} else {
+	    $vendor = $id;
+	}
+    }
+
+    $params{HOST} = $vendor;
+    $params{HOST} =~ s/\..*//;
+}
+
 if ( defined $vendor ) {
    $rcfilename = $vendor eq 'linux' ? 'shorewallrc.default' : 'shorewallrc.' . $vendor;
    die qq("ERROR: $vendor" is not a recognized host type) unless -f $rcfilename;
 } else {
    if ( -f '/etc/debian_version' ) {
 	$vendor = 'debian';
-	$rcfilename = 'shorewallrc.debian';
+	$rcfilename = 'shorewallrc.debian.sysvinit';
    } elsif ( -f '/etc/redhat-release' ){
 	$vendor = 'redhat';
 	$rcfilename = 'shorewallrc.redhat';
@@ -78,7 +102,7 @@ if ( defined $vendor ) {
    } elsif ( `uname` =~ '^Darwin' ) {
 	$vendor = 'apple';
 	$rcfilename = 'shorewallrc.apple';
-    } elsif ( `uname` =~ '^Cygwin' ) {
+    } elsif ( `uname` =~ /^Cygwin/i ) {
 	$vendor = 'cygwin';
 	$rcfilename = 'shorewallrc.cygwin';
    } else {
@@ -95,7 +119,7 @@ my @abbr = qw( Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec );
 if ( $vendor eq 'linux' ) {
    printf "INFO: Creating a generic Linux installation - %s %2d %04d %02d:%02d:%02d\n\n", $abbr[$localtime[4]], $localtime[3], 1900 + $localtime[5] , @localtime[2,1,0];;
 } else {
-    printf "INFO: Creating a %s-specific installation - %s %2d %04d %02d:%02d:%02d\n\n", $vendor, $abbr[$localtime[4]], $localtime[3], 1900 + $localtime[5] , @localtime[2,1,0];;
+    printf "INFO: Creating a %s-specific installation - %s %2d %04d %02d:%02d:%02d\n\n", $params{HOST}, $abbr[$localtime[4]], $localtime[3], 1900 + $localtime[5] , @localtime[2,1,0];;
 }

 open $rcfile, '<', $rcfilename or die "Unable to open $rcfilename for input: $!";
@@ -132,6 +156,8 @@ if ( $options{VARLIB} ) {
    $options{VARDIR} = '${VARLIB}/${PRODUCT}';
 }

+$options{SERVICEDIR}=$options{SYSTEMD} unless $options{SERVICEDIR};
+
 for ( qw/ HOST
 	  PREFIX
 	  SHAREDIR
@@ -145,7 +171,8 @@ for ( qw/ HOST
 	  INITFILE
 	  AUXINITSOURCE
 	  AUXINITFILE
-	  SYSTEMD
+	  SERVICEDIR
+	  SERVICEFILE
 	  SYSCONFFILE
 	  SYSCONFDIR
 	  SPARSE
--- a/Shorewall-core/install.sh
+++ b/Shorewall-core/install.sh
@@ -2,24 +2,24 @@
 #
 # Script to install Shoreline Firewall Core Modules
 #
-#     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
-#
-#     (c) 2000-2011 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2000-2011,2014 - Tom Eastep (teastep@shorewall.net)
 #
 #       Shorewall documentation is available at http://shorewall.net
 #
-#       This program is free software; you can redistribute it and/or modify
-#       it under the terms of Version 2 of the GNU General Public License
-#       as published by the Free Software Foundation.
+#       This program is part of Shorewall.
 #
-#       This program is distributed in the hope that it will be useful,
-#       but WITHOUT ANY WARRANTY; without even the implied warranty of
-#       MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-#       GNU General Public License for more details.
+#	This program is free software; you can redistribute it and/or modify
+#	it under the terms of the GNU General Public License as published by the
+#       Free Software Foundation, either version 2 of the license or, at your
+#       option, any later version.
 #
-#       You should have received a copy of the GNU General Public License
-#       along with this program; if not, write to the Free Software
-#       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#	This program is distributed in the hope that it will be useful,
+#	but WITHOUT ANY WARRANTY; without even the implied warranty of
+#	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+#	GNU General Public License for more details.
+#
+#	You should have received a copy of the GNU General Public License
+#	along with this program; if not, see <http://www.gnu.org/licenses/>.
 #

 VERSION=xxx #The Build script inserts the actual version
@@ -187,15 +187,37 @@ INSTALLD='-D'

 if [ -z "$BUILD" ]; then
    case $(uname) in
-	cygwin*)
+	cygwin*|CYGWIN*)
 	    BUILD=cygwin
 	    ;;
 	Darwin)
 	    BUILD=apple
 	    ;;
 	*)
-	    if [ -f /etc/debian_version ]; then
+	    if [ -f /etc/os-release ]; then
+		eval $(cat /etc/os-release | grep ^ID)
+
+		case $ID in
+		    fedora|rhel|centos|foobar)
+			BUILD=redhat
+			;;
+		    debian)
+			BUILD=debian
+			;;
+		    gentoo)
+			BUILD=gentoo
+			;;
+		    opensuse)
+			BUILD=suse
+			;;
+		    *)
+			BUILD="$ID"
+			;;
+		esac
+	    elif [ -f /etc/debian_version ]; then
 		BUILD=debian
+	    elif [ -f /etc/gentoo-release ]; then
+		BUILD=gentoo
 	    elif [ -f /etc/redhat-release ]; then
 		BUILD=redhat
 	    elif [ -f /etc/slackware-version ] ; then
@@ -254,7 +276,7 @@ case "$HOST" in
    apple)
 	echo "Installing Mac-specific configuration...";
 	;;
-    debian|redhat|slackware|archlinux|linux|suse)
+    debian|gentoo|redhat|slackware|archlinux|linux|suse)
 	;;
    *)
 	echo "ERROR: Unknown HOST \"$HOST\"" >&2
@@ -307,9 +329,13 @@ if [ -n "${SYSCONFDIR}" ]; then
    chmod 755 ${DESTDIR}${SYSCONFDIR}
 fi

-if [ -n "${SYSTEMD}" ]; then
-    mkdir -p ${DESTDIR}${SYSTEMD}
-    chmod 755 ${DESTDIR}${SYSTEMD}
+if [ -z "${SERVICEDIR}" ]; then
+    SERVICEDIR="$SYSTEMD"
+fi
+
+if [ -n "${SERVICEDIR}" ]; then
+    mkdir -p ${DESTDIR}${SERVICEDIR}
+    chmod 755 ${DESTDIR}${SERVICEDIR}
 fi

 mkdir -p ${DESTDIR}${SBINDIR}
@@ -325,7 +351,7 @@ if [ -n "${INITFILE}" ]; then
    if [ -n "$AUXINITSOURCE" -a -f "$AUXINITSOURCE" ]; then
 	install_file $AUXINITSOURCE ${DESTDIR}${INITDIR}/$AUXINITFILE 0544
 	[ "${SHAREDIR}" = /usr/share ] || eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${INITDIR}/$AUXINITFILE
-	echo  "$Product script installed in ${DESTDIR}${INITDIR}/$AUXINITFILE"
+	echo  "SysV init script $AUXINITSOURCE installed in ${DESTDIR}${INITDIR}/$AUXINITFILE"
    fi
 fi
 #
@@ -371,12 +397,13 @@ if [ -z "${DESTDIR}" ]; then

 	echo 'VARDIR=${VARLIB}/${PRODUCT}' >> $file
    fi
-
-    [ ! -f ~/.shorewallrc ] && cp ${SHAREDIR}/shorewall/shorewallrc ~/.shorewallrc
 fi

 [ $file != "${DESTDIR}${SHAREDIR}/shorewall/shorewallrc" ] && cp $file ${DESTDIR}${SHAREDIR}/shorewall/shorewallrc

+
+[ -z "${DESTDIR}" ] && [ ! -f ~/.shorewallrc ] && cp ${SHAREDIR}/shorewall/shorewallrc ~/.shorewallrc
+
 if [ ${SHAREDIR} != /usr/share ]; then
    for f in lib.*; do
 	if [ $BUILD != apple ]; then
--- a/Shorewall-core/lib.base
+++ b/Shorewall-core/lib.base
@@ -1,15 +1,16 @@
 #
-# Shorewall 4.5 -- /usr/share/shorewall/lib.base
+# Shorewall 5.0 -- /usr/share/shorewall/lib.base
 #
-#     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
-#
-#     (c) 1999-2012 - Tom Eastep (teastep@shorewall.net)
+#     (c) 1999-2015 - Tom Eastep (teastep@shorewall.net)
 #
 #	Complete documentation is available at http://shorewall.net
 #
+#       This program is part of Shorewall.
+#
 #	This program is free software; you can redistribute it and/or modify
-#	it under the terms of Version 2 of the GNU General Public License
-#	as published by the Free Software Foundation.
+#	it under the terms of the GNU General Public License as published by the
+#       Free Software Foundation, either version 2 of the license or, at your
+#       option, any later version.
 #
 #	This program is distributed in the hope that it will be useful,
 #	but WITHOUT ANY WARRANTY; without even the implied warranty of
@@ -17,8 +18,7 @@
 #	GNU General Public License for more details.
 #
 #	You should have received a copy of the GNU General Public License
-#	along with this program; if not, write to the Free Software
-#	Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#	along with this program; if not, see <http://www.gnu.org/licenses/>.
 #
 # This library contains the code common to all Shorewall components except the
 # generated scripts.
@@ -75,6 +75,24 @@ elif [ -z "${VARDIR}" ]; then
    VARDIR="${VARLIB}/${PRODUCT}"
 fi

+#
+# Fatal Error
+#
+fatal_error() # $@ = Message
+{
+    echo "   ERROR: $@" >&2
+    exit 2
+}
+
+#
+# Not configured Error
+#
+not_configured_error() # $@ = Message
+{
+    echo "   ERROR: $@" >&2
+    exit 6
+}
+
 #
 # Conditionally produce message
 #
--- a/Shorewall-core/lib.cli
+++ b/Shorewall-core/lib.cli
--- a/Shorewall-core/lib.common
+++ b/Shorewall-core/lib.common
@@ -1,15 +1,16 @@
 #
-# Shorewall 4.5 -- /usr/share/shorewall/lib.common.
+# Shorewall 5.0 -- /usr/share/shorewall/lib.common.
 #
-#     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
-#
-#     (c) 2010-2012 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2010-2015 - Tom Eastep (teastep@shorewall.net)
 #
 #	Complete documentation is available at http://shorewall.net
 #
+#       This program is part of Shorewall.
+#
 #	This program is free software; you can redistribute it and/or modify
-#	it under the terms of Version 2 of the GNU General Public License
-#	as published by the Free Software Foundation.
+#	it under the terms of the GNU General Public License as published by the
+#       Free Software Foundation, either version 2 of the license or, at your
+#       option, any later version.
 #
 #	This program is distributed in the hope that it will be useful,
 #	but WITHOUT ANY WARRANTY; without even the implied warranty of
@@ -17,8 +18,7 @@
 #	GNU General Public License for more details.
 #
 #	You should have received a copy of the GNU General Public License
-#	along with this program; if not, write to the Free Software
-#	Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#	along with this program; if not, see <http://www.gnu.org/licenses/>.
 #
 # The purpose of this library is to hold those functions used by both the CLI and by the
 # generated firewall scripts. To avoid versioning issues, it is copied into generated
@@ -65,103 +65,41 @@ startup_error() # $* = Error Message
 	esac
    fi

+    mutex_off
    kill $$
    exit 2
 }

 #
-# Get the Shorewall version of the passed script
-#
-get_script_version() { # $1 = script
-    local temp
-    local version
-    local ifs
-    local digits
-    local verbosity
-
-    verbosity="$VERBOSITY"
-    VERBOSITY=0
-
-    temp=$( $SHOREWALL_SHELL $1 version | tail -n 1 | sed 's/-.*//' )
-
-    if [ -z "$temp" ]; then
-	version=0
-    else
-	ifs=$IFS
-	IFS=.
-	temp=$(echo $temp)
-	IFS=$ifs
-	digits=0
-
-	for temp in $temp; do
-	    version=${version}$(printf '%02d' $temp)
-	    digits=$(($digits + 1))
-	    [ $digits -eq 3 ] && break
-	done
-    fi
-
-    echo $version
-
-    VERBOSITY="$verbosity"
-}
-
-#
-# Do required exports or create the required option string and run the passed script using
+# Create the required option string and run the passed script using
 # $SHOREWALL_SHELL
 #
 run_it() {
    local script
    local options
-    local version

    export VARDIR

    script=$1
    shift

-    version=$(get_script_version $script)
-
-    if [ $version -lt 040408 ]; then
-	#
-	# Old script that doesn't understand 4.4.8 script options
-	#
-	export RESTOREFILE
-	export VERBOSITY
-	export NOROUTES=$g_noroutes
-	export PURGE=$g_purge
-	export TIMESTAMP=$g_timestamp
-	export RECOVERING=$g_recovering
-
-	case "$g_program" in
-	    *-lite)
-		#
-		# Shorewall Lite
-		#
-		export LOGFORMAT
-		export IPTABLES
-		;;
-	esac
+    if [ x$1 = xtrace -o x$1 = xdebug ]; then
+	options="$1 -"
+	shift;
    else
-	#
-	# 4.4.8 or later -- no additional exports required
-	#
-	if [ x$1 = xtrace -o x$1 = xdebug ]; then
-	    options="$1 -"
-	    shift;
-	else
-	    options='-'
-	fi
-
-	[ -n "$g_noroutes" ]   && options=${options}n
-	[ -n "$g_timestamp" ]  && options=${options}t
-	[ -n "$g_purge" ]      && options=${options}p
-	[ -n "$g_recovering" ] && options=${options}r
-
-	options="${options}V $VERBOSITY"
-
-	[ -n "$RESTOREFILE" ] && options="${options} -R $RESTOREFILE"
+	options='-'
    fi

+    [ -n "$g_noroutes" ]   && options=${options}n
+    [ -n "$g_timestamp" ]  && options=${options}t
+    [ -n "$g_purge" ]      && options=${options}p
+    [ -n "$g_recovering" ] && options=${options}r
+    [ -n "$g_counters" ]   && options=${options}c
+
+    options="${options}V $VERBOSITY"
+
+    [ -n "$RESTOREFILE" ] && options="${options} -R $RESTOREFILE"
+
    $SHOREWALL_SHELL $script $options $@
 }

@@ -171,6 +109,7 @@ run_it() {
 error_message() # $* = Error Message
 {
   echo "   $@" >&2
+   return 1
 }

 #
@@ -208,6 +147,17 @@ split() {
    IFS=$ifs
 }

+#
+# Split a comma-separated list into a space-separated list
+#
+split_list() {
+    local ifs
+    ifs=$IFS
+    IFS=,
+    echo $*
+    IFS=$ifs
+}
+
 #
 # Search a list looking for a match -- returns zero if a match found
 # 1 otherwise
@@ -272,8 +222,11 @@ shorewall6_is_started() {
 # Echos the fully-qualified name of the calling shell program
 #
 my_pathname() {
+    local pwd
+    pwd=$PWD
    cd $(dirname $0)
    echo $PWD/$(basename $0)
+    cd $pwd
 }

 #
@@ -368,7 +321,7 @@ reload_kernel_modules() {
 	moduleloader=insmod
    fi

-    [ -n "${MODULE_SUFFIX:=ko ko.gz o o.gz gz}" ]
+    [ -n "${MODULE_SUFFIX:=ko ko.gz ko.xz o o.gz o.xz gz xz}" ]

    [ -z "$MODULESDIR" ] && \
 	uname=$(uname -r) && \
@@ -407,7 +360,7 @@ load_kernel_modules() # $1 = Yes, if we are to save moduleinfo in $VARDIR
 	moduleloader=insmod
    fi

-    [ -n "${MODULE_SUFFIX:=o gz ko o.gz ko.gz}" ]
+    [ -n "${MODULE_SUFFIX:=o gz xz ko o.gz o.xz ko.gz ko.xz}" ]

    [ -z "$MODULESDIR" ] && \
 	uname=$(uname -r) && \
@@ -546,9 +499,9 @@ in_network() # $1 = IP address, $2 = CIDR network
 #
 # Query NetFilter about the existence of a filter chain
 #
-chain_exists() # $1 = chain name
+chain_exists() # $1 = chain name, $2 = table name (optional)
 {
-    qt1 $g_tool -L $1 -n
+    qt1 $g_tool -t ${2:-filter} -L $1 -n
 }

 #
@@ -601,7 +554,7 @@ find_first_interface_address() # $1 = interface
 	#
 	# get the line of output containing the first IP address
 	#
-	addr=$(${IP:-ip} -f inet6 addr show dev $1 2> /dev/null | fgrep 'inet6 ' | fgrep -v 'scope link' | head -n1)
+	addr=$(${IP:-ip} -f inet6 addr show dev $1 2> /dev/null | grep -F 'inet6 ' | grep -vF 'scope link' | head -n1)
 	#
 	# If there wasn't one, bail out now
 	#
@@ -630,7 +583,7 @@ find_first_interface_address_if_any() # $1 = interface
 	#
 	# get the line of output containing the first IP address
 	#
-	addr=$(${IP:-ip} -f inet6 addr show dev $1 2> /dev/null | fgrep 'inet6 ' | fgrep -v 'scope link' | head -n1)
+	addr=$(${IP:-ip} -f inet6 addr show dev $1 2> /dev/null | grep -F 'inet6 ' | grep -vF 'scope link' | head -n1)
 	#
 	# Strip off the trailing VLSM mask (or the peer IP in case of a P-t-P link)
 	# along with everything else on the line
@@ -639,6 +592,24 @@ find_first_interface_address_if_any() # $1 = interface
    fi
 }

+#
+#Determines if the passed interface is a loopback interface
+#
+loopback_interface() { #$1 = Interface name
+    [ "$1" = lo ] || $IP link show $1 | fgrep -q LOOPBACK
+}
+
+#
+# Find Loopback Interfaces
+#
+find_loopback_interfaces() {
+    local interfaces
+
+    [ -x "$IP" ] && interfaces=$($IP link show | fgrep LOOPBACK | sed 's/://g' | cut -d ' ' -f 2)
+
+    [ -n "$interfaces" ] && echo $interfaces || echo lo
+}
+
 #
 # Internal version of 'which'
 #
@@ -676,7 +647,11 @@ find_file()
 		fi
 	    done

-	    echo ${g_confdir}/$1
+	    if [ -n "$g_shorewalldir" ]; then
+		echo ${g_shorewalldir}/$1
+	    else
+		echo ${g_confdir}/$1
+	    fi
 	    ;;
    esac
 }
--- a/Shorewall-core/shorewallrc.apple
+++ b/Shorewall-core/shorewallrc.apple
@@ -1,5 +1,5 @@
 #
-# Apple OS X Shorewall 4.5 rc file
+# Apple OS X Shorewall 5.0 rc file
 #
 BUILD=apple
 HOST=apple
@@ -14,7 +14,8 @@ INITDIR=                               #Unused on OS X
 INITFILE=                              #Unused on OS X
 INITSOURCE=                            #Unused on OS X
 ANNOTATED=                             #Unused on OS X
-SYSTEMD=                               #Unused on OS X
+SERVICEDIR=                            #Unused on OS X
+SERVICEFILE=                           #Unused on OS X
 SYSCONFDIR=                            #Unused on OS X
 SPARSE=Yes                             #Only install $PRODUCT/$PRODUCT.conf in $CONFDIR.
 VARLIB=/var/lib                        #Unused on OS X
--- a/Shorewall-core/shorewallrc.archlinux
+++ b/Shorewall-core/shorewallrc.archlinux
@@ -1,5 +1,5 @@
 #
-# Arch Linux Shorewall 4.5 rc file
+# Arch Linux Shorewall 5.0 rc file
 #
 BUILD=                                 #Default is to detect the build system
 HOST=archlinux
@@ -8,14 +8,15 @@ SHAREDIR=${PREFIX}/share               #Directory for arch-neutral files.
 LIBEXECDIR=${PREFIX}/share             #Directory for executable scripts.
 PERLLIBDIR=${PREFIX}/share/shorewall   #Directory to install Shorewall Perl module directory
 CONFDIR=/etc                           #Directory where subsystem configurations are installed
-SBINDIR=/usr/sbin                      #Directory where system administration programs are installed
+SBINDIR=/usr/bin                       #Directory where system administration programs are installed
 MANDIR=${SHAREDIR}/man                 #Directory where manpages are installed.
 INITDIR=                               #Directory where SysV init scripts are installed.
 INITFILE=                              #Name of the product's installed SysV init script
 INITSOURCE=                            #Name of the distributed file to be installed as the SysV init script
 ANNOTATED=                             #If non-zero, annotated configuration files are installed
 SYSCONFDIR=                            #Directory where SysV init parameter files are installed
-SYSTEMD=/usr/lib/systemd/system        #Directory where .service files are installed (systems running systemd only)
+SERVICEDIR=/usr/lib/systemd/system     #Directory where .service files are installed (systems running systemd only)
+SERVICEFILE=                           #Name of the file to install in $SYSTEMD. Default is $PRODUCT.service
 SPARSE=                                #If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR
 VARLIB=/var/lib                        #Directory where product variable data is stored.
 VARDIR=${VARLIB}/$PRODUCT              #Directory where product variable data is stored.
--- a/Shorewall-core/shorewallrc.cygwin
+++ b/Shorewall-core/shorewallrc.cygwin
@@ -1,5 +1,5 @@
 #
-# Cygwin Shorewall 4.5 rc file
+# Cygwin Shorewall 5.0 rc file
 #
 BUILD=cygwin
 HOST=cygwin
@@ -14,7 +14,8 @@ INITDIR=/etc/init.d                   #Unused on Cygwin
 INITFILE=                             #Unused on Cygwin
 INITSOURCE=                           #Unused on Cygwin
 ANNOTATED=                            #Unused on Cygwin
-SYSTEMD=                              #Unused on Cygwin
+SERVICEDIR=                           #Unused on Cygwin
+SERVICEFILE=                          #Unused on Cygwin
 SYSCONFDIR=                           #Unused on Cygwin
 SPARSE=Yes                            #Only install $PRODUCT/$PRODUCT.conf in $CONFDIR.
 VARLIB=/var/lib                       #Unused on Cygwin
--- a/Shorewall-core/shorewallrc.debian.systemd
+++ b/Shorewall-core/shorewallrc.debian.systemd
@@ -0,0 +1,23 @@
+#
+# Debian Shorewall 4.5 rc file
+#
+BUILD=					#Default is to detect the build system
+HOST=debian
+PREFIX=/usr				#Top-level directory for shared files, libraries, etc.
+SHAREDIR=${PREFIX}/share		#Directory for arch-neutral files.
+LIBEXECDIR=${PREFIX}/share		#Directory for executable scripts.
+PERLLIBDIR=${PREFIX}/share/shorewall	#Directory to install Shorewall Perl module directory
+CONFDIR=/etc				#Directory where subsystem configurations are installed
+SBINDIR=/sbin				#Directory where system administration programs are installed
+MANDIR=${PREFIX}/share/man		#Directory where manpages are installed.
+INITDIR=				#Directory where SysV init scripts are installed.
+INITFILE=				#Name of the product's installed SysV init script
+INITSOURCE=init.debian.sh		#Name of the distributed file to be installed as the SysV init script
+ANNOTATED=				#If non-zero, annotated configuration files are installed
+SYSCONFFILE=default.debian		#Name of the distributed file to be installed in $SYSCONFDIR
+SERVICEFILE=$PRODUCT.service.debian     #Name of the file to install in $SYSTEMD. Default is $PRODUCT.service
+SYSCONFDIR=/etc/default			#Directory where SysV init parameter files are installed
+SERVICEDIR=/lib/systemd/system		#Directory where .service files are installed (systems running systemd only)
+SPARSE=Yes				#If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR
+VARLIB=/var/lib				#Directory where product variable data is stored.
+VARDIR=${VARLIB}/$PRODUCT		#Directory where product variable data is stored.
--- a/Shorewall-core/shorewallrc.debian.sysvinit
+++ b/Shorewall-core/shorewallrc.debian.sysvinit
@@ -15,8 +15,9 @@ INITFILE=$PRODUCT                       #Name of the product's installed SysV in
 INITSOURCE=init.debian.sh               #Name of the distributed file to be installed as the SysV init script
 ANNOTATED=                              #If non-zero, annotated configuration files are installed
 SYSCONFFILE=default.debian              #Name of the distributed file to be installed in $SYSCONFDIR
+SERVICEFILE=				#Name of the file to install in $SYSTEMD. Default is $PRODUCT.service
 SYSCONFDIR=/etc/default                 #Directory where SysV init parameter files are installed
-SYSTEMD=                                #Directory where .service files are installed (systems running systemd only)
+SERVICEDIR=				#Directory where .service files are installed (systems running systemd only)
 SPARSE=Yes                              #If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR
 VARLIB=/var/lib                         #Directory where product variable data is stored.
 VARDIR=${VARLIB}/$PRODUCT               #Directory where product variable data is stored.
--- a/Shorewall-core/shorewallrc.default
+++ b/Shorewall-core/shorewallrc.default
@@ -1,5 +1,5 @@
 #
-# Default Shorewall 4.5 rc file
+# Default Shorewall 5.0 rc file
 #
 HOST=linux                              #Generic Linux
 BUILD=                                  #Default is to detect the build system
@@ -14,7 +14,8 @@ INITDIR=/etc/init.d                     #Directory where SysV init scripts are i
 INITFILE=$PRODUCT                       #Name of the product's installed SysV init script
 INITSOURCE=init.sh                      #Name of the distributed file to be installed as the SysV init script
 ANNOTATED=                              #If non-zero, annotated configuration files are installed
-SYSTEMD=                                #Directory where .service files are installed (systems running systemd only)
+SERVICEDIR=                             #Directory where .service files are installed (systems running systemd only)
+SERVICEFILE=                            #Name of the file to install in $SYSTEMD. Default is $PRODUCT.service
 SYSCONFFILE=                            #Name of the distributed file to be installed in $SYSCONFDIR
 SYSCONFDIR=                             #Directory where SysV init parameter files are installed
 SPARSE=                                 #If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR
--- a/Shorewall-core/shorewallrc.redhat
+++ b/Shorewall-core/shorewallrc.redhat
@@ -1,5 +1,5 @@
 #
-# RedHat/FedoraShorewall 4.5 rc file
+# RedHat/FedoraShorewall 5.0 rc file
 #
 BUILD=                                  #Default is to detect the build system
 HOST=redhat
@@ -14,8 +14,9 @@ INITDIR=/etc/rc.d/init.d                #Directory where SysV init scripts are i
 INITFILE=$PRODUCT                       #Name of the product's installed SysV init script
 INITSOURCE=init.fedora.sh               #Name of the distributed file to be installed as the SysV init script
 ANNOTATED=                              #If non-zero, annotated configuration files are installed
-SYSTEMD=/lib/systemd/system             #Directory where .service files are installed (systems running systemd only)
+SERVICEDIR=/lib/systemd/system          #Directory where .service files are installed (systems running systemd only)
 SYSCONFFILE=sysconfig                   #Name of the distributed file to be installed as $SYSCONFDIR/$PRODUCT
+SERVICEFILE=                      	#Name of the file to install in $SYSTEMD. Default is $PRODUCT.service
 SYSCONFDIR=/etc/sysconfig/              #Directory where SysV init parameter files are installed
 SPARSE=                                 #If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR
 VARLIB=/var/lib                         #Directory where product variable data is stored.
--- a/Shorewall-core/shorewallrc.slackware
+++ b/Shorewall-core/shorewallrc.slackware
@@ -1,5 +1,5 @@
 #
-# Slackware Shorewall 4.5 rc file
+# Slackware Shorewall 5.0 rc file
 #
 BUILD=slackware
 HOST=slackware
@@ -15,7 +15,8 @@ AUXINITSOURCE=init.slackware.firewall.sh   #Name of the distributed file to be i
 AUXINITFILE=rc.firewall                    #Name of the product's installed SysV init script
 INITSOURCE=init.slackware.$PRODUCT.sh      #Name of the distributed file to be installed as a second SysV init script
 INITFILE=rc.$PRODUCT                       #Name of the product's installed second init script
-SYSTEMD=                                   #Name of the directory where .service files are installed (systems running systemd only)
+SERVICEDIR=                                #Name of the directory where .service files are installed (systems running systemd only)
+SERVICEFILE=                               #Name of the file to install in $SYSTEMD. Default is $PRODUCT.service
 SYSCONFFILE=                               #Name of the distributed file to be installed in $SYSCONFDIR
 SYSCONFDIR=                                #Name of the directory where SysV init parameter files are installed.
 ANNOTATED=                                 #If non-empty, install annotated configuration files
--- a/Shorewall-core/shorewallrc.suse
+++ b/Shorewall-core/shorewallrc.suse
@@ -1,5 +1,5 @@
 #
-# SuSE Shorewall 4.5 rc file
+# SuSE Shorewall 5.0 rc file
 #
 BUILD=                                                #Default is to detect the build system
 HOST=suse
@@ -8,14 +8,15 @@ CONFDIR=/etc                                          #Directory where subsystem
 SHAREDIR=${PREFIX}/share                              #Directory for arch-neutral files.
 LIBEXECDIR=${PREFIX}/lib                              #Directory for executable scripts.
 PERLLIBDIR=${PREFIX}/lib/perl5/vendor_perl/5.14.2     #Directory to install Shorewall Perl module directory
-SBINDIR=/sbin                                         #Directory where system administration programs are installed
+SBINDIR=/usr/sbin                                     #Directory where system administration programs are installed
 MANDIR=${SHAREDIR}/man/                               #Directory where manpages are installed.
 INITDIR=/etc/init.d                                   #Directory where SysV init scripts are installed.
 INITFILE=$PRODUCT                                     #Name of the product's SysV init script
 INITSOURCE=init.suse.sh                               #Name of the distributed file to be installed as the SysV init script
 ANNOTATED=                                            #If non-zero, annotated configuration files are installed
-SYSTEMD=                                              #Directory where .service files are installed (systems running systemd only)
-SYSCONFFILE=                                          #Name of the distributed file to be installed in $SYSCONFDIR
+SERVICEDIR=                                           #Directory where .service files are installed (systems running systemd only)
+SERVICEFILE=                      		      #Name of the file to install in $SYSTEMD. Default is $PRODUCT.service
+SYSCONFFILE=sysconfig                                 #Name of the distributed file to be installed in $SYSCONFDIR
 SYSCONFDIR=/etc/sysconfig/                            #Directory where SysV init parameter files are installed
 SPARSE=                                               #If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR
 VARLIB=/var/lib                                       #Directory where persistent product data is stored.
--- a/Shorewall-core/uninstall.sh
+++ b/Shorewall-core/uninstall.sh
@@ -2,24 +2,24 @@
 #
 # Script to back uninstall Shoreline Firewall
 #
-#     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
-#
-#     (c) 2000-2011 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2000-2014 - Tom Eastep (teastep@shorewall.net)
 #
 #       Shorewall documentation is available at http://www.shorewall.net
 #
-#       This program is free software; you can redistribute it and/or modify
-#       it under the terms of Version 2 of the GNU General Public License
-#       as published by the Free Software Foundation.
+#       This program is part of Shorewall.
 #
-#       This program is distributed in the hope that it will be useful,
-#       but WITHOUT ANY WARRANTY; without even the implied warranty of
-#       MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-#       GNU General Public License for more details.
+#	This program is free software; you can redistribute it and/or modify
+#	it under the terms of the GNU General Public License as published by the
+#       Free Software Foundation, either version 2 of the license or, at your
+#       option, any later version.
 #
-#       You should have received a copy of the GNU General Public License
-#       along with this program; if not, write to the Free Software
-#       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#	This program is distributed in the hope that it will be useful,
+#	but WITHOUT ANY WARRANTY; without even the implied warranty of
+#	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+#	GNU General Public License for more details.
+#
+#	You should have received a copy of the GNU General Public License
+#	along with this program; if not, see <http://www.gnu.org/licenses/>.
 #
 #    Usage:
 #
@@ -35,6 +35,12 @@ usage() # $1 = exit status
    exit $1
 }

+fatal_error()
+{
+    echo "   ERROR: $@" >&2
+    exit 1
+}
+
 qt()
 {
    "$@" >/dev/null 2>&1
--- a/Shorewall-core/wait4ifup
+++ b/Shorewall-core/wait4ifup
@@ -2,17 +2,18 @@
 #
 #     Shorewall interface helper utility - V4.2
 #
-#     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
-#
-#     (c) 2007 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007,2014 - Tom Eastep (teastep@shorewall.net)
 #
 #	This file is installed in /usr/share/shorewall/wait4ifup
 #
 #	Shorewall documentation is available at http://www.shorewall.net
 #
+#       This program is part of Shorewall.
+#
 #	This program is free software; you can redistribute it and/or modify
-#	it under the terms of Version 2 of the GNU General Public License
-#	as published by the Free Software Foundation.
+#	it under the terms of the GNU General Public License as published by the
+#       Free Software Foundation, either version 2 of the license or, at your
+#       option, any later version.
 #
 #	This program is distributed in the hope that it will be useful,
 #	but WITHOUT ANY WARRANTY; without even the implied warranty of
@@ -20,8 +21,7 @@
 #	GNU General Public License for more details.
 #
 #	You should have received a copy of the GNU General Public License
-#	along with this program; if not, write to the Free Software
-#	Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#	along with this program; if not, see <http://www.gnu.org/licenses/>.
 #
 #	If an error occurs while starting or restarting the firewall, the
 #	firewall is automatically stopped.
--- a/Shorewall-init/ifupdown.debian.sh
+++ b/Shorewall-init/ifupdown.debian.sh
@@ -0,0 +1,135 @@
+#!/bin/sh
+#
+# Debian ifupdown script for Shorewall-based products
+#
+#     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
+#
+#     (c) 2010,2013 - Tom Eastep (teastep@shorewall.net)
+#
+#       Shorewall documentation is available at http://shorewall.net
+#
+#       This program is free software; you can redistribute it and/or modify
+#       it under the terms of Version 2 of the GNU General Public License
+#       as published by the Free Software Foundation.
+#
+#       This program is distributed in the hope that it will be useful,
+#       but WITHOUT ANY WARRANTY; without even the implied warranty of
+#       MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+#       GNU General Public License for more details.
+#
+#       You should have received a copy of the GNU General Public License
+#       along with this program; if not, write to the Free Software
+#       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+
+setstatedir() {
+    local statedir
+    if [ -f ${CONFDIR}/${PRODUCT}/vardir ]; then
+	statedir=$( . /${CONFDIR}/${PRODUCT}/vardir && echo $VARDIR )
+    fi
+
+    [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARLIB}/${PRODUCT}
+
+    if [ ! -x $STATEDIR/firewall ]; then
+	if [ $PRODUCT = shorewall -o $PRODUCT = shorewall6 ]; then
+	    ${SBINDIR}/$PRODUCT compile
+	fi
+    fi
+}
+
+Debian_ppp() {
+    NEWPRODUCTS=
+    INTERFACE="$1"
+
+    case $0 in
+	/etc/ppp/ip-*)
+	    #
+	    # IPv4
+	    #
+	    for product in $PRODUCTS; do
+		case $product in
+		    shorewall|shorewall-lite)
+			NEWPRODUCTS="$NEWPRODUCTS $product";
+			;;
+		esac
+	    done
+	    ;;
+	/etc/ppp/ipv6-*)
+	    #
+	    # IPv6
+	    #
+	    for product in $PRODUCTS; do
+		case $product in
+		    shorewall6|shorewall6-lite)
+			NEWPRODUCTS="$NEWPRODUCTS $product";
+			;;
+		esac
+	    done
+	    ;;
+	*)
+	    exit 0
+	    ;;
+    esac
+
+    PRODUCTS="$NEWPRODUCTS"
+
+    case $0 in
+	*up/*)
+	    COMMAND=up
+	    ;;
+	*)
+	    COMMAND=down
+	    ;;
+    esac
+}
+
+IFUPDOWN=0
+PRODUCTS=
+
+#
+# The installer may alter this
+#
+. /usr/share/shorewall/shorewallrc
+
+if [ -f /etc/default/shorewall-init ]; then
+    . /etc/default/shorewall-init
+elif [ -f /etc/sysconfig/shorewall-init ]; then
+    . /etc/sysconfig/shorewall-init
+fi
+
+[ "$IFUPDOWN" = 1 -a -n "$PRODUCTS" ] || exit 0
+
+case $0 in
+    /etc/ppp*)
+	#
+	# Debian ppp
+	#
+	Debian_ppp
+	;;
+    *)
+        #
+        # Debian ifupdown system
+        #
+	INTERFACE="$IFACE"
+
+	if [ "$MODE" = start ]; then
+	    COMMAND=up
+	elif [ "$MODE" = stop ]; then
+	    COMMAND=down
+	else
+	    exit 0
+	fi
+	;;
+esac
+
+[ -n "$LOGFILE" ] || LOGFILE=/dev/null
+
+for PRODUCT in $PRODUCTS; do
+    setstatedir
+
+    if [ -x $VARLIB/$PRODUCT/firewall ]; then
+	  ( ${VARLIB}/$PRODUCT/firewall -V0 $COMMAND $INTERFACE >> $LOGFILE 2>&1 ) || true
+    fi
+done
+
+exit 0
--- a/Shorewall-init/ifupdown.fedora.sh
+++ b/Shorewall-init/ifupdown.fedora.sh
@@ -0,0 +1,111 @@
+#!/bin/sh
+#
+# Redhat/Fedora/Centos/Foobar ifupdown script for Shorewall-based products
+#
+#     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
+#
+#     (c) 2010,2013 - Tom Eastep (teastep@shorewall.net)
+#
+#       Shorewall documentation is available at http://shorewall.net
+#
+#       This program is free software; you can redistribute it and/or modify
+#       it under the terms of Version 2 of the GNU General Public License
+#       as published by the Free Software Foundation.
+#
+#       This program is distributed in the hope that it will be useful,
+#       but WITHOUT ANY WARRANTY; without even the implied warranty of
+#       MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+#       GNU General Public License for more details.
+#
+#       You should have received a copy of the GNU General Public License
+#       along with this program; if not, write to the Free Software
+#       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+
+# Get startup options (override default)
+OPTIONS=
+
+setstatedir() {
+    local statedir
+    if [ -f ${CONFDIR}/${PRODUCT}/vardir ]; then
+	statedir=$( . /${CONFDIR}/${PRODUCT}/vardir && echo $VARDIR )
+    fi
+
+    [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARLIB}/${PRODUCT}
+
+    if [ ! -x "$STATEDIR/firewall" ]; then
+	if [ $PRODUCT == shorewall -o $PRODUCT == shorewall6 ]; then
+	    ${SBINDIR}/$PRODUCT $OPTIONS compile
+	fi
+    fi
+}
+
+IFUPDOWN=0
+PRODUCTS=
+
+#
+# The installer may alter this
+#
+. /usr/share/shorewall/shorewallrc
+
+if [ -f /etc/default/shorewall-init ]; then
+    . /etc/default/shorewall-init
+elif [ -f /etc/sysconfig/shorewall-init ]; then
+    . /etc/sysconfig/shorewall-init
+fi
+
+[ "$IFUPDOWN" = 1 -a -n "$PRODUCTS" ] || exit 0
+
+PHASE=''
+
+case $0 in
+    /etc/ppp*)
+	INTERFACE="$1"
+
+	case $0 in
+	    *ip-up.local)
+		COMMAND=up
+		;;
+	    *ip-down.local)
+		COMMAND=down
+		;;
+	    *)
+		exit 0
+		;;
+	esac
+	;;
+    *)
+	#
+	# RedHat ifup/down system
+	#
+	INTERFACE="$1"
+    
+	case $0 in 
+	    *ifup*)
+		COMMAND=up
+		;;
+	    *ifdown*)
+		COMMAND=down
+		;;
+	    *dispatcher.d*)
+		COMMAND="$2"
+		;;
+	    *)
+		exit 0
+		;;
+	esac
+	;;
+esac
+
+[ -n "$LOGFILE" ] || LOGFILE=/dev/null
+
+for PRODUCT in $PRODUCTS; do
+    setstatedir
+
+    if [ -x "$STATEDIR/firewall" ]; then
+	  echo "`date --rfc-3339=seconds` $0: Executing $STATEDIR/firewall $OPTIONS $COMMAND $INTERFACE" >> $LOGFILE 2>&1
+	  ( $STATEDIR/firewall $OPTIONS $COMMAND $INTERFACE >> $LOGFILE 2>&1 ) || true
+    fi
+done
+
+exit 0
--- a/Shorewall-init/ifupdown.suse.sh
+++ b/Shorewall-init/ifupdown.suse.sh
@@ -1,10 +1,10 @@
 #!/bin/sh
 #
-# ifupdown script for Shorewall-based products
+# SuSE ifupdown script for Shorewall-based products
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2010 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2010,2013 - Tom Eastep (teastep@shorewall.net)
 #
 #       Shorewall documentation is available at http://shorewall.net
 #
@@ -28,7 +28,7 @@ setstatedir() {
 	statedir=$( . /${CONFDIR}/${PRODUCT}/vardir && echo $VARDIR )
    fi

-    [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARDIR}/${PRODUCT}
+    [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARLIB}/${PRODUCT}

    if [ ! -x $STATEDIR/firewall ]; then
 	if [ $PRODUCT = shorewall -o $PRODUCT = shorewall6 ]; then
@@ -37,7 +37,7 @@ setstatedir() {
    fi
 }

-Debian_SuSE_ppp() {
+SuSE_ppp() {
    NEWPRODUCTS=
    INTERFACE="$1"

@@ -99,105 +99,39 @@ fi

 [ "$IFUPDOWN" = 1 -a -n "$PRODUCTS" ] || exit 0

-if [ -f /etc/debian_version ]; then
-    case $0 in
-	/etc/ppp*)
-	    #
-	    # Debian ppp
-	    #
-	    Debian_SuSE_ppp
-	    ;;
-	
-	*)
-            #
-            # Debian ifupdown system
-            #
-	    INTERFACE="$IFACE"
+PHASE=''

-	    if [ "$MODE" = start ]; then
+case $0 in
+    /etc/ppp*)
+        #
+	# SUSE ppp
+	#
+	SuSE_ppp
+	;;
+	
+    *)
+        #
+        # SuSE ifupdown system
+        #
+	INTERFACE="$2"
+
+	case $0 in
+	    *dispatcher.d*)
+		INTERFACE="$1"
+		COMMAND="$2"
+		;;
+	    *if-up.d*)
 		COMMAND=up
-	    elif [ "$MODE" = stop ]; then
+		;;
+	    *if-down.d*)
 		COMMAND=down
-	    else
+		;;
+	    *)
 		exit 0
-	    fi
-	    ;;
-    esac
-elif [ -f /etc/SuSE-release ]; then
-    PHASE=''
-
-    case $0 in
-	/etc/ppp*)
-	    #
-	    # SUSE ppp
-	    #
-	    Debian_SuSE_ppp
-	    ;;
-	
-	*)
-            #
-            # SuSE ifupdown system
-            #
-	    INTERFACE="$2"
-
-	    case $0 in
-		*if-up.d*)
-		    COMMAND=up
-		    ;;
-		*if-down.d*)
-		    COMMAND=down
-		    ;;
-		*)
-		    exit 0
-		    ;;
-	    esac
-	    ;;
-    esac
-else
-    #
-    # Assume RedHat/Fedora/CentOS/Foobar/...
-    #
-    PHASE=''
-
-    case $0 in
-	/etc/ppp*)
-	    INTERFACE="$1"
-
-	    case $0 in
-		*ip-up.local)
-		    COMMAND=up
-		    ;;
-		*ip-down.local)
-		    COMMAND=down
-		    ;;
-		*)
-		    exit 0
-		    ;;
-	    esac
-	    ;;
-	*)
-	    #
-	    # RedHat ifup/down system
-	    #
-	    INTERFACE="$1"
-    
-	    case $0 in 
-		*ifup*)
-		    COMMAND=up
-		    ;;
-		*ifdown*)
-		    COMMAND=down
-		    ;;
-		*dispatcher.d*)
-		    COMMAND="$2"
-		    ;;
-		*)
-		    exit 0
-		    ;;
-	    esac
-	    ;;
-    esac
-fi
+		;;
+	esac
+	;;
+esac

 [ -n "$LOGFILE" ] || LOGFILE=/dev/null

--- a/Shorewall-init/init.debian.sh
+++ b/Shorewall-init/init.debian.sh
@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V4.5
+#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V5.0
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
@@ -36,6 +36,8 @@
 #                    bringing up the network
 ### END INIT INFO

+. /lib/lsb/init-functions
+
 export VERBOSITY=0

 if [ "$(id -u)" != "0" ]
@@ -50,16 +52,16 @@ echo_notdone () {
 }

 not_configured () {
-	echo "#### WARNING ####"
-	echo "the firewall won't be initialized unless it is configured"
-	if [ "$1" != "stop" ]
-	then
-		echo ""
-		echo "Please read about Debian specific customization in"
-		echo "/usr/share/doc/shorewall-init/README.Debian.gz."
-	fi
-	echo "#################"
-	exit 0
+    echo "#### WARNING ####"
+    echo "the firewall won't be initialized unless it is configured"
+    if [ "$1" != "stop" ]
+    then
+	echo ""
+	echo "Please read about Debian specific customization in"
+	echo "/usr/share/doc/shorewall-init/README.Debian.gz."
+    fi
+    echo "#################"
+    exit 0
 }

 # set the STATEDIR variable
@@ -69,12 +71,12 @@ setstatedir() {
 	statedir=$( . /${CONFDIR}/${PRODUCT}/vardir && echo $VARDIR )
    fi

-    [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARDIR}/${PRODUCT}
+    [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARLIB}/${PRODUCT}

-    if [ ! -x $STATEDIR/firewall ]; then
-	if [ $PRODUCT = shorewall -o $PRODUCT = shorewall6 ]; then
-	    ${SBINDIR}/$PRODUCT compile
-	fi
+    if [ $PRODUCT = shorewall -o $PRODUCT = shorewall6 ]; then
+	${SBINDIR}/$PRODUCT ${OPTIONS} compile -c
+    else
+	return 0
    fi
 }

@@ -83,18 +85,16 @@ setstatedir() {
 #
 . /usr/share/shorewall/shorewallrc

-vardir=$VARDIR
-
 # check if shorewall-init is configured or not
 if [ -f "$SYSCONFDIR/shorewall-init" ]
 then
-	. $SYSCONFDIR/shorewall-init
-	if [ -z "$PRODUCTS" ]
-	then
-		not_configured
-	fi
-else
+    . $SYSCONFDIR/shorewall-init
+    if [ -z "$PRODUCTS" ]
+    then
 	not_configured
+    fi
+else
+    not_configured
 fi

 # Initialize the firewall
@@ -103,54 +103,68 @@ shorewall_start () {
  local STATEDIR

  echo -n "Initializing \"Shorewall-based firewalls\": "
+
  for PRODUCT in $PRODUCTS; do
-      setstatedir
-
-      if [ ! -x ${VARDIR}/$PRODUCT/firewall ]; then
-	  if [ $PRODUCT = shorewall -o $PRODUCT = shorewall6 ]; then
-	      ${SBINDIR}/$PRODUCT compile
+      if setstatedir; then
+	  if [ -x ${STATEDIR}/firewall ]; then
+              #
+	      # Run in a sub-shell to avoid name collisions
+	      #
+	      (
+		  if ! ${STATEDIR}/firewall status > /dev/null 2>&1; then
+		      ${STATEDIR}/firewall ${OPTIONS} stop
+		  fi
+	      )
 	  fi
      fi
-
-      if [ -x ${VARDIR}/$PRODUCT/firewall ]; then
-	  #
-	  # Run in a sub-shell to avoid name collisions
-	  #
-	  ( 
-	      if ! ${VARDIR}/$PRODUCT/firewall status > /dev/null 2>&1; then
-		  ${VARDIR}/$PRODUCT/firewall stop || echo_notdone
-	      fi
-	  )
-      fi
  done

  echo "done."

+  if [ -n "$SAVE_IPSETS" -a -f "$SAVE_IPSETS" ]; then
+
+      echo -n "Restoring ipsets: "
+
+      if ! ipset -R < "$SAVE_IPSETS"; then
+	  echo_notdone
+      fi
+
+      echo "done."
+  fi
+
  return 0
 }

 # Clear the firewall
 shorewall_stop () {
  local PRODUCT
-  local VARDIR
+  local STATEDIR

  echo -n "Clearing \"Shorewall-based firewalls\": "
  for PRODUCT in $PRODUCTS; do
-      setstatedir
-
-      if [ ! -x ${VARDIR}/$PRODUCT/firewall ]; then
-	  if [ $PRODUCT = shorewall -o $PRODUCT = shorewall6 ]; then
-	      ${SBINDIR}/$PRODUCT compile
+      if setstatedir; then
+	  if [ -x ${STATEDIR}/firewall ]; then
+	      ${STATEDIR}/firewall ${OPTIONS} clear
 	  fi
      fi
-
-      if [ -x ${VARDIR}/$PRODUCT/firewall ]; then
-	  ${VARDIR}/$PRODUCT/firewall clear || echo_notdone
-      fi
  done

  echo "done."

+  if [ -n "$SAVE_IPSETS" ]; then
+
+      echo "Saving ipsets: "
+
+      mkdir -p $(dirname "$SAVE_IPSETS")
+      if ipset -S > "${SAVE_IPSETS}.tmp"; then
+	  grep -qE -- '^(-N|create )' "${SAVE_IPSETS}.tmp" && mv -f "${SAVE_IPSETS}.tmp" "$SAVE_IPSETS"
+      else
+	  echo_notdone
+      fi
+
+      echo "done."
+  fi
+
  return 0
 }

@@ -164,7 +178,7 @@ case "$1" in
  reload|force-reload)
     ;;
  *)
-     echo "Usage: /etc/init.d/shorewall-init {start|stop|reload|force-reload}"
+     echo "Usage: $0 {start|stop|reload|force-reload}"
     exit 1
 esac

--- a/Shorewall-init/init.fedora.sh
+++ b/Shorewall-init/init.fedora.sh
@@ -24,8 +24,6 @@ lockfile="/var/lock/subsys/shorewall-init"
 # Source function library.
 . /etc/rc.d/init.d/functions

-vardir=$VARDIR
-
 # Get startup options (override default)
 OPTIONS=

@@ -44,19 +42,19 @@ setstatedir() {
 	statedir=$( . /${CONFDIR}/${PRODUCT}/vardir && echo $VARDIR )
    fi

-    [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARDIR}/${PRODUCT}
+    [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARLIB}/${PRODUCT}

-    if [ ! -x $STATEDIR/firewall ]; then
-	if [ $PRODUCT = shorewall -o $PRODUCT = shorewall6 ]; then
-	    ${SBINDIR}/$PRODUCT compile
-	fi
+    if [ $PRODUCT == shorewall -o $PRODUCT == shorewall6 ]; then
+	${SBINDIR}/$PRODUCT $OPTIONS compile -c
+    else
+	return 0
    fi
 }

 # Initialize the firewall
 start () {
    local PRODUCT
-    local vardir
+    local STATEDIR

    if [ -z "$PRODUCTS" ]; then
 	echo "No firewalls configured for shorewall-init"
@@ -65,23 +63,26 @@ start () {
    fi

    echo -n "Initializing \"Shorewall-based firewalls\": "
+
    for PRODUCT in $PRODUCTS; do
 	setstatedir
+	retval=$?

-	if [ ! -x ${VARDIR}/firewall ]; then
-	    if [ $PRODUCT = shorewall -o $PRODUCT = shorewall6 ]; then
-		${SBINDIR}/$PRODUCT compile
+	if [ $retval -eq 0 ]; then
+	    if [ -x "${STATEDIR}/firewall" ]; then
+		${STATEDIR}/firewall ${OPTIONS} stop 2>&1 | $logger
+		retval=${PIPESTATUS[0]}
+		[ $retval -ne 0 ] && break
+	    else
+		retval=6 #Product not configured
+		break
 	    fi
-	fi
-
-	if [ -x ${VARDIR}/$PRODUCT/firewall ]; then
-	    ${VARDIR}/$PRODUCT/firewall stop 2>&1 | $logger
-	    retval=${PIPESTATUS[0]}
-	    [ $retval -ne 0 ] && break
+	else
+	    break
 	fi
    done

-    if [ retval -eq 0 ]; then
+    if [ $retval -eq 0 ]; then
 	touch $lockfile 
 	success
    else
@@ -94,26 +95,29 @@ start () {
 # Clear the firewall
 stop () {
    local PRODUCT
-    local vardir
+    local STATEDIR

    echo -n "Clearing \"Shorewall-based firewalls\": "
+
    for PRODUCT in $PRODUCTS; do
 	setstatedir
+	retval=$?

-	if [ ! -x ${VARDIR}/firewall ]; then
-	    if [ $PRODUCT = shorewall -o $PRODUCT = shorewall6 ]; then
-		${SBINDIR}/$PRODUCT compile
+	if [ $retval -eq 0 ]; then
+	    if [ -x "${STATEDIR}/firewall" ]; then
+		${STATEDIR}/firewall ${OPTIONS} clear 2>&1 | $logger
+		retval=${PIPESTATUS[0]}
+		[ $retval -ne 0 ] && break
+	    else
+		retval=6 #Product not configured
+		break
 	    fi
-	fi
-
-	if [ -x ${VARDIR}/$PRODUCT/firewall ]; then
-	    ${VARDIR}/$PRODUCT/firewall clear 2>&1 | $logger
-	    retval=${PIPESTATUS[0]}
-	    [ $retval -ne 0 ] && break
+	else
+	    break
 	fi
    done

-    if [ retval -eq 0 ]; then
+    if [ $retval -eq 0 ]; then
 	rm -f $lockfile
 	success
    else
@@ -144,7 +148,7 @@ case "$1" in
 	status $prog
 	;;
  *)
-	echo "Usage: /etc/init.d/shorewall-init {start|stop|status}"
+	echo "Usage: $0 {start|stop|status}"
 	exit 1
 esac

--- a/Shorewall-init/init.sh
+++ b/Shorewall-init/init.sh
@@ -1,22 +1,24 @@
 #! /bin/bash
-#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V4.5
+#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V5.0
 #
-#     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
-#
-#     (c) 2010,2012 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2010,2012-2014 - Tom Eastep (teastep@shorewall.net)
 #
 #       On most distributions, this file should be called /etc/init.d/shorewall.
 #
-#       Complete documentation is available at http://shorewall.net
+#       This program is part of Shorewall.
 #
-#       This program is free software; you can redistribute it and/or modify
-#       it under the terms of Version 2 of the GNU General Public License
-#       as published by the Free Software Foundation.
+#	This program is free software; you can redistribute it and/or modify
+#	it under the terms of the GNU General Public License as published by the
+#       Free Software Foundation, either version 2 of the license or, at your
+#       option, any later version.
 #
-#       This program is distributed in the hope that it will be useful,
-#       but WITHOUT ANY WARRANTY; without even the implied warranty of
-#       MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-#       GNU General Public License for more details.
+#	This program is distributed in the hope that it will be useful,
+#	but WITHOUT ANY WARRANTY; without even the implied warranty of
+#	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+#	GNU General Public License for more details.
+#
+#	You should have received a copy of the GNU General Public License
+#	along with this program; if not, see <http://www.gnu.org/licenses/>.
 #
 #       You should have received a copy of the GNU General Public License
 #       along with this program; if not, write to the Free Software
@@ -65,12 +67,12 @@ setstatedir() {
 	statedir=$( . /${CONFDIR}/${PRODUCT}/vardir && echo $VARDIR )
    fi

-    [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARDIR}/${PRODUCT}
+    [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARLIB}/${PRODUCT}

-    if [ ! -x $STATEDIR/firewall ]; then
-	if [ $PRODUCT = shorewall -o $PRODUCT = shorewall6 ]; then
-	    ${SBINDIR}/$PRODUCT compile $STATEDIR/firewall
-	fi
+    if [ $PRODUCT = shorewall -o $PRODUCT = shorewall6 ]; then
+	${SBINDIR}/$PRODUCT ${OPTIONS} compile $STATEDIR/firewall
+    else
+	return 0
    fi
 }

@@ -81,11 +83,11 @@ shorewall_start () {

  echo -n "Initializing \"Shorewall-based firewalls\": "
  for PRODUCT in $PRODUCTS; do
-      setstatedir
-
-      if [ -x ${STATEDIR}/firewall ]; then
-	  if ! ${SBIN}/$PRODUCT status > /dev/null 2>&1; then
-	      ${STATEDIR}/firewall stop || echo_notdone
+      if setstatedir; then
+	  if [ -x ${STATEDIR}/firewall ]; then
+	      if ! ${SBIN}/$PRODUCT status > /dev/null 2>&1; then
+		  ${STATEDIR}/firewall ${OPTIONS} stop
+	      fi
 	  fi
      fi
  done
@@ -100,21 +102,15 @@ shorewall_start () {
 # Clear the firewall
 shorewall_stop () {
  local PRODUCT
-  local VARDIR
+  local STATEDIR

  echo -n "Clearing \"Shorewall-based firewalls\": "
  for PRODUCT in $PRODUCTS; do
-      setstatedir
-
-      if [ ! -x ${VARDIR}/firewall ]; then
-	  if [ $PRODUCT = shorewall -o $product = shorewall6 ]; then
-	      ${SBINDIR}/$PRODUCT compile
+      if setstatedir; then
+	  if [ -x ${STATEDIR}/firewall ]; then
+	      ${STATEDIR}/firewall ${OPTIONS} clear
 	  fi
      fi
-
-      if [ -x ${VARDIR}/firewall ]; then
-	  ${VARDIR}/firewall clear || exit 1
-      fi
  done

  if [ -n "$SAVE_IPSETS" ]; then
--- a/Shorewall-init/init.suse.sh
+++ b/Shorewall-init/init.suse.sh
@@ -1,5 +1,5 @@
 #! /bin/bash
-#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V4.5
+#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V5.0
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
@@ -34,22 +34,35 @@
 #                    prior to bringing up the network.  
 ### END INIT INFO

+#Return values acc. to LSB for all commands but status:
+# 0 - success
+# 1 - generic or unspecified error
+# 2 - invalid or excess argument(s)
+# 3 - unimplemented feature
+# 4 - insufficient privilege
+# 5 - program is not installed
+# 6 - program is not configured
+# 7 - program is not running
+
 if [ "$(id -u)" != "0" ]
 then
  echo "You must be root to start, stop or restart \"Shorewall \"."
-  exit 1
+  exit 4
 fi

 # check if shorewall-init is configured or not
 if [ -f "/etc/sysconfig/shorewall-init" ]
 then
-	. /etc/sysconfig/shorewall-init
-	if [ -z "$PRODUCTS" ]
-	then
-		exit 0
-	fi
+    . /etc/sysconfig/shorewall-init
+
+    if [ -z "$PRODUCTS" ]
+    then
+	echo "No PRODUCTS configured"
+	exit 6
+    fi
 else
-	exit 0
+    echo "/etc/sysconfig/shorewall-init not found"
+    exit 6
 fi

 #
@@ -64,12 +77,12 @@ setstatedir() {
 	statedir=$( . /${CONFDIR}/${PRODUCT}/vardir && echo $VARDIR )
    fi

-    [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARDIR}/${PRODUCT}
+    [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARLIB}/${PRODUCT}

-    if [ ! -x $STATEDIR/firewall ]; then
-	if [ $PRODUCT = shorewall -o $PRODUCT = shorewall6 ]; then
-	    ${SBINDIR}/$PRODUCT compile
-	fi
+    if [ $PRODUCT = shorewall -o $PRODUCT = shorewall6 ]; then
+	${SBINDIR}/$PRODUCT ${OPTIONS} compile -c
+    else
+	return 0
    fi
 }

@@ -80,11 +93,11 @@ shorewall_start () {

  echo -n "Initializing \"Shorewall-based firewalls\": "
  for PRODUCT in $PRODUCTS; do
-      setstatedir
-
-      if [ -x $STATEDIR/firewall ]; then
-	  if ! ${SBIN}/$PRODUCT status > /dev/null 2>&1; then
-	      $STATEDIR/$PRODUCT/firewall stop || echo_notdone
+      if setstatedir; then
+	  if [ -x $STATEDIR/firewall ]; then
+	      if ! ${SBIN}/$PRODUCT status > /dev/null 2>&1; then
+		  $STATEDIR/$PRODUCT/firewall ${OPTIONS} stop
+	      fi
 	  fi
      fi
  done
@@ -92,8 +105,6 @@ shorewall_start () {
  if [ -n "$SAVE_IPSETS" -a -f "$SAVE_IPSETS" ]; then
      ipset -R < "$SAVE_IPSETS"
  fi
-
-  return 0
 }

 # Clear the firewall
@@ -103,10 +114,10 @@ shorewall_stop () {

  echo -n "Clearing \"Shorewall-based firewalls\": "
  for PRODUCT in $PRODUCTS; do
-      setstatedir
-
-      if [ -x ${STATEDIR}/firewall ]; then
-	  ${STATEDIR}/firewall clear || exit 1
+      if setstatedir; then
+	  if [ -x ${STATEDIR}/firewall ]; then
+	      ${STATEDIR}/firewall ${OPTIONS} clear
+	  fi
      fi
  done

@@ -116,20 +127,21 @@ shorewall_stop () {
 	  grep -qE -- '^(-N|create )' "${SAVE_IPSETS}.tmp" && mv -f "${SAVE_IPSETS}.tmp" "$SAVE_IPSETS"
      fi
  fi
-
-  return 0
 }

 case "$1" in
-  start)
-     shorewall_start
-     ;;
-  stop)
-     shorewall_stop
-     ;;
-  *)
-     echo "Usage: /etc/init.d/shorewall-init {start|stop}"
-     exit 1
+    start)
+	shorewall_start
+	;;
+    stop)
+	shorewall_stop
+	;;
+    reload|forced-reload)
+	;;
+    *)
+	echo "Usage: /etc/init.d/shorewall-init {start|stop}"
+	exit 1
+	;;
 esac

 exit 0
--- a/Shorewall-init/install.sh
+++ b/Shorewall-init/install.sh
@@ -2,21 +2,25 @@
 #
 # Script to install Shoreline Firewall Init
 #
-#     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
-#
-#     (c) 2000-2011 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2000-20114 - Tom Eastep (teastep@shorewall.net)
 #     (c) 2010 - Roberto C. Sanchez (roberto@connexer.com)
 #
 #       Shorewall documentation is available at http://shorewall.net
 #
-#       This program is free software; you can redistribute it and/or modify
-#       it under the terms of Version 2 of the GNU General Public License
-#       as published by the Free Software Foundation.
+#       This program is part of Shorewall.
 #
-#       This program is distributed in the hope that it will be useful,
-#       but WITHOUT ANY WARRANTY; without even the implied warranty of
-#       MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-#       GNU General Public License for more details.
+#	This program is free software; you can redistribute it and/or modify
+#	it under the terms of the GNU General Public License as published by the
+#       Free Software Foundation, either version 2 of the license or, at your
+#       option, any later version.
+#
+#	This program is distributed in the hope that it will be useful,
+#	but WITHOUT ANY WARRANTY; without even the implied warranty of
+#	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+#	GNU General Public License for more details.
+#
+#	You should have received a copy of the GNU General Public License
+#	along with this program; if not, see <http://www.gnu.org/licenses/>.
 #
 #       You should have received a copy of the GNU General Public License
 #       along with this program; if not, write to the Free Software
@@ -31,6 +35,7 @@ usage() # $1 = exit status
    echo "usage: $ME [ <configuration-file> ]"
    echo "       $ME -v"
    echo "       $ME -h"
+    echo "       $ME -n"
    exit $1
 }

@@ -59,7 +64,6 @@ mywhich() {

    for dir in $(split $PATH); do
 	if [ -x $dir/$1 ]; then
-	    echo $dir/$1
 	    return 0
 	fi
    done
@@ -99,10 +103,15 @@ PRODUCT=shorewall-init
 #
 # Parse the run line
 #
+T='-T'
+
 finished=0
+configure=1

 while [ $finished -eq 0 ] ; do
-    case "$1" in
+    option="$1"
+
+    case "$option" in
 	-*)
 	    option=${option#-}

@@ -115,6 +124,10 @@ while [ $finished -eq 0 ] ; do
 			echo "Shorewall-init Firewall Installer Version $VERSION"
 			exit 0
 			;;
+		    n*)
+			configure=0
+			option=${option#n}
+			;;
 		    *)
 			usage 1
 			;;
@@ -171,8 +184,12 @@ for var in SHAREDIR LIBEXECDIR CONFDIR SBINDIR VARLIB VARDIR; do
    require $var
 done

+[ -n "$SANDBOX" ] && configure=0
+
 PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin

+[ $configure -eq 1 ] && ETC=/etc || ETC="${CONFDIR}"
+
 if [ -z "$BUILD" ]; then
    case $(uname) in
 	cygwin*)
@@ -182,8 +199,29 @@ if [ -z "$BUILD" ]; then
 	    BUILD=apple
 	    ;;
 	*)
-	    if [ -f /etc/debian_version ]; then
+	    if [ -f /etc/os-release ]; then
+		eval $(cat /etc/os-release | grep ^ID=)
+
+		case $ID in
+		    fedora|rhel|centos|foobar)
+			BUILD=redhat
+			;;
+		    debian|ubuntu)
+			BUILD=debian
+			;;
+		    opensuse)
+			BUILD=suse
+			;;
+		    *)
+			BUILD="$ID"
+			;;
+		esac
+	    elif [ -f /etc/debian_version ]; then
 		BUILD=debian
+	    elif [ -f /etc/ubuntu_version ]; then
+		BUILD=debian
+	    elif [ -f /etc/gentoo-release ]; then
+		BUILD=gentoo
 	    elif [ -f /etc/redhat-release ]; then
 		BUILD=redhat
 	    elif [ -f /etc/SuSE-release ]; then
@@ -206,7 +244,7 @@ case $BUILD in
    apple)
 	T=
 	;;
-    debian|redhat|suse|slackware|archlinux)
+    debian|gentoo|redhat|suse|slackware|archlinux)
 	;;
    *)
 	[ -n "$BUILD" ] && echo "ERROR: Unknown BUILD environment ($BUILD)" >&2 || echo "ERROR: Unknown BUILD environment"
@@ -222,7 +260,10 @@ case "$HOST" in
    debian)
 	echo "Installing Debian-specific configuration..."
 	;;
-    redhat|redhat)
+    gentoo)
+	echo "Installing Gentoo-specific configuration..."
+	;;
+    redhat)
 	echo "Installing Redhat/Fedora-specific configuration..."
 	;;
    slackware)
@@ -233,11 +274,12 @@ case "$HOST" in
 	echo "Shorewall-init is currently not supported on Arch Linux" >&2
 	exit 1
 	;;
-    suse|suse)
+    suse)
 	echo "Installing SuSE-specific configuration..."
 	;;
    linux)
 	echo "ERROR: Shorewall-init is not supported on this system" >&2
+	exit 1
 	;;
    *)
 	echo "ERROR: Unsupported HOST distribution: \"$HOST\"" >&2
@@ -276,6 +318,7 @@ fi
 # Install the Firewall Script
 #
 if [ -n "$INITFILE" ]; then
+    mkdir -p ${DESTDIR}${INITDIR}
    install_file $INITSOURCE ${DESTDIR}${INITDIR}/$INITFILE 0544
    [ "${SHAREDIR}" = /usr/share ] || eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${INITDIR}/$INITFILE
    
@@ -283,22 +326,28 @@ if [ -n "$INITFILE" ]; then
 	install_file $INITSOURCE ${DESTDIR}${INITDIR}/$AUXINITFILE 0544
    fi

-    echo  "Shorewall-init script installed in ${DESTDIR}${INITDIR}/$INITFILE"
+    echo  "SysV init script $INITSOURCE installed in ${DESTDIR}${INITDIR}/$INITFILE"
 fi

 #
 # Install the .service file
 #
-if [ -n "$SYSTEMD" ]; then
-    mkdir -p ${DESTDIR}${SYSTEMD}
-    run_install $OWNERSHIP -m 600 shorewall-init.service ${DESTDIR}${SYSTEMD}/shorewall-init.service
-    [ ${SBINDIR} != /sbin ] && eval sed -i \'s\|/sbin/\|${SBINDIR}/\|\' ${DESTDIR}${SYSTEMD}/shorewall-init.service
-    echo "Service file installed as ${DESTDIR}${SYSTEMD}/shorewall-init.service"
-    if [ -n "$DESTDIR" ]; then
+if [ -z "${SERVICEDIR}" ]; then
+    SERVICEDIR="$SYSTEMD"
+fi
+
+if [ -n "$SERVICEDIR" ]; then
+    mkdir -p ${DESTDIR}${SERVICEDIR}
+    [ -z "$SERVICEFILE" ] && SERVICEFILE=$PRODUCT.service
+    run_install $OWNERSHIP -m 644 $SERVICEFILE ${DESTDIR}${SERVICEDIR}/$PRODUCT.service
+    [ ${SBINDIR} != /sbin ] && eval sed -i \'s\|/sbin/\|${SBINDIR}/\|\' ${DESTDIR}${SERVICEDIR}/$PRODUCT.service
+    echo "Service file $SERVICEFILE installed as ${DESTDIR}${SERVICEDIR}/$PRODUCT.service"
+    if [ -n "$DESTDIR" -o $configure -eq 0 ]; then
 	mkdir -p ${DESTDIR}${SBINDIR}
        chmod 755 ${DESTDIR}${SBINDIR}
    fi
    run_install $OWNERSHIP -m 700 shorewall-init ${DESTDIR}${SBINDIR}/shorewall-init
+    [ "${SHAREDIR}" = /usr/share ] || eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${SBINDIR}/shorewall-init
    echo "CLI installed as ${DESTDIR}${SBINDIR}/shorewall-init"
 fi

@@ -332,41 +381,55 @@ fi

 if [ $HOST = debian ]; then
    if [ -n "${DESTDIR}" ]; then
-	mkdir -p ${DESTDIR}/etc/network/if-up.d/
-	mkdir -p ${DESTDIR}/etc/network/if-down.d/
+	mkdir -p ${DESTDIR}${ETC}/network/if-up.d/
+	mkdir -p ${DESTDIR}${ETC}/network/if-down.d/
+	mkdir -p ${DESTDIR}${ETC}/network/if-post-down.d/
+    elif [ $configure -eq 0 ]; then
+	mkdir -p ${DESTDIR}${CONFDIR}/network/if-up.d/
+	mkdir -p ${DESTDIR}${CONFDIR}/network/if-down.d/
+	mkdir -p ${DESTDIR}${CONFDIR}/network/if-post-down.d/
    fi

-    if [ ! -f ${DESTDIR}/etc/default/shorewall-init ]; then
+    if [ ! -f ${DESTDIR}${CONFDIR}/default/shorewall-init ]; then
 	if [ -n "${DESTDIR}" ]; then
-	    mkdir ${DESTDIR}/etc/default
+	    mkdir ${DESTDIR}${ETC}/default
 	fi

-	install_file sysconfig ${DESTDIR}/etc/default/shorewall-init 0644
+	[ $configure -eq 1 ] || mkdir -p ${DESTDIR}${CONFDIR}/default
+	install_file sysconfig ${DESTDIR}${ETC}/default/shorewall-init 0644
    fi
+
+    IFUPDOWN=ifupdown.debian.sh
 else
    if [ -n "$DESTDIR" ]; then
 	mkdir -p ${DESTDIR}${SYSCONFDIR}

 	if [ -z "$RPM" ]; then
 	    if [ $HOST = suse ]; then
-		mkdir -p ${DESTDIR}/etc/sysconfig/network/if-up.d
-		mkdir -p ${DESTDIR}${SYSCONFDIR}/network/if-down.d
+		mkdir -p ${DESTDIR}${ETC}/sysconfig/network/if-up.d
+		mkdir -p ${DESTDIR}${ETC}/sysconfig/network/if-down.d
+	    elif [ $HOST = gentoo ]; then
+		# Gentoo does not support if-{up,down}.d
+		/bin/true
 	    else
-		mkdir -p ${DESTDIR}/etc/NetworkManager/dispatcher.d
+		mkdir -p ${DESTDIR}/${ETC}/NetworkManager/dispatcher.d
 	    fi
 	fi
    fi

-    if [ -d ${DESTDIR}${SYSCONFDIR} -a ! -f ${DESTDIR}${SYSCONFDIR}/shorewall-init ]; then
-	install_file sysconfig ${DESTDIR}${SYSCONFDIR}/shorewall-init 0644
-    fi 
+    if [ -n "$SYSCONFFILE" -a ! -f ${DESTDIR}${SYSCONFDIR}/${PRODUCT} ]; then
+	run_install $OWNERSHIP -m 0644 ${SYSCONFFILE} ${DESTDIR}${SYSCONFDIR}/$PRODUCT
+	echo "$SYSCONFFILE installed in ${DESTDIR}${SYSCONFDIR}/${PRODUCT}"
+    fi
+
+    [ $HOST = suse ] && IFUPDOWN=ifupdown.suse.sh || IFUPDOWN=ifupdown.fedora.sh
 fi

 #
 # Install the ifupdown script
 #

-cp ifupdown.sh ifupdown
+cp $IFUPDOWN ifupdown

 [ "${SHAREDIR}" = /usr/share ] || eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ifupdown

@@ -375,40 +438,80 @@ mkdir -p ${DESTDIR}${LIBEXECDIR}/shorewall-init
 install_file ifupdown ${DESTDIR}${LIBEXECDIR}/shorewall-init/ifupdown 0544

 if [ -d ${DESTDIR}/etc/NetworkManager ]; then
-    install_file ifupdown ${DESTDIR}/etc/NetworkManager/dispatcher.d/01-shorewall 0544
+    [ $configure -eq 1 ] || mkdir -p ${DESTDIR}${CONFDIR}/NetworkManager/dispatcher.d/
+    install_file ifupdown ${DESTDIR}${ETC}/NetworkManager/dispatcher.d/01-shorewall 0544
 fi

 case $HOST in
    debian)
-	install_file ifupdown ${DESTDIR}/etc/network/if-up.d/shorewall 0544
-	install_file ifupdown ${DESTDIR}/etc/network/if-down.d/shorewall 0544
-	install_file ifupdown ${DESTDIR}/etc/network/if-post-down.d/shorewall 0544
+	if [ $configure -eq 1 ]; then
+	    install_file ifupdown ${DESTDIR}/etc/network/if-up.d/shorewall 0544
+	    install_file ifupdown ${DESTDIR}/etc/network/if-down.d/shorewall 0544
+	    install_file ifupdown ${DESTDIR}/etc/network/if-post-down.d/shorewall 0544
+	else
+	    install_file ifupdown ${DESTDIR}${CONFDIR}/network/if-up.d/shorewall 0544
+	    install_file ifupdown ${DESTDIR}${CONFDIR}/network/if-down.d/shorewall 0544
+	    install_file ifupdown ${DESTDIR}${CONFDIR}/network/if-post-down.d/shorewall 0544
+	fi
 	;;
    suse)
 	if [ -z "$RPM" ]; then
+	    if [ $configure -eq 0 ]; then
+		mkdir -p ${DESTDIR}${SYSCONFDIR}/network/if-up.d/
+		mkdir -p ${DESTDIR}${SYSCONFDIR}/network/if-down.d/
+	    fi
+
 	    install_file ifupdown ${DESTDIR}${SYSCONFDIR}/network/if-up.d/shorewall 0544
 	    install_file ifupdown ${DESTDIR}${SYSCONFDIR}/network/if-down.d/shorewall 0544
 	fi
 	;;
    redhat)
-	if [ -f ${DESTDIR}${SBINDIR}/ifup-local -o -f ${DESTDIR}${SBINDIR}/ifdown-local ]; then
-	    echo "WARNING: ${SBINDIR}/ifup-local and/or ${SBINDIR}/ifdown-local already exist; up/down events will not be handled"
-	elif [ -z "$DESTDIR" ]; then
-	    install_file ifupdown ${DESTDIR}${SBINDIR}/ifup-local 0544
-	    install_file ifupdown ${DESTDIR}${SBINDIR}/ifdown-local 0544
+	if [ -z "$DESTDIR" ]; then
+	    install_local=
+
+	    if [ -f ${SBINDIR}/ifup-local -o -f ${SBINDIR}/ifdown-local ]; then
+		if ! grep -qF Shorewall-based ${SBINDIR}/ifup-local || ! grep -qF Shorewall-based ${SBINDIR}/ifdown-local; then
+		    echo "WARNING: ${SBINDIR}/ifup-local and/or ${SBINDIR}/ifdown-local already exist; up/down events will not be handled"
+		else
+		    install_local=Yes
+		fi
+	    else
+		install_local=Yes
+	    fi
+
+	    if [ -n "$install_local" ]; then
+		install_file ifupdown ${DESTDIR}${SBINDIR}/ifup-local 0544
+		install_file ifupdown ${DESTDIR}${SBINDIR}/ifdown-local 0544
+	    fi
 	fi
 	;;
 esac

 if [ -z "$DESTDIR" ]; then
-    if [ -n "$first_install" ]; then
+    if [ $configure -eq 1 -a -n "$first_install" ]; then
 	if [ $HOST = debian ]; then
-	    
-	    update-rc.d shorewall-init enable
-
-	    echo "Shorewall Init will start automatically at boot"
+	    if mywhich insserv; then
+		if insserv ${INITDIR}/shorewall-init; then
+		    echo "Shorewall Init will start automatically at boot"
+		else
+		    cant_autostart
+		fi
+	    elif mywhich update-rc.d ; then
+		if update-rc.d $PRODUCT enable; then
+		    echo "$PRODUCT will start automatically at boot"
+		    echo "Set startup=1 in ${CONFDIR}/default/$PRODUCT to enable"
+		else
+		    cant_autostart
+		fi
+	    else
+		cant_autostart
+	    fi
+	elif [ $HOST = gentoo ]; then
+	    # On Gentoo, a service must be enabled manually by the user,
+	    # not by the installer
+	    /bin/true
 	else
-	    if [ -n "$SYSTEMD" ]; then
+	    if [ -n "$SERVICEDIR" ]; then
 		if systemctl enable shorewall-init.service; then
 		    echo "Shorewall Init will start automatically at boot"
 		fi
@@ -437,7 +540,7 @@ if [ -z "$DESTDIR" ]; then
 	fi
    fi
 else
-    if [ -n "$first_install" ]; then
+    if [ $configure -eq 1 -a -n "$first_install" ]; then
 	if [ $HOST = debian ]; then
 	    if [ -n "${DESTDIR}" ]; then
 		mkdir -p ${DESTDIR}/etc/rcS.d
@@ -466,7 +569,7 @@ if [ -f ${DESTDIR}/etc/ppp ]; then
 	    for file in ip-up.local ip-down.local; do
 		FILE=${DESTDIR}/etc/ppp/$file
 		if [ -f $FILE ]; then
-		    if fgrep -q Shorewall-based $FILE ; then
+		    if grep -qF Shorewall-based $FILE ; then
 			cp -fp ${DESTDIR}${LIBEXECDIR}/shorewall-init/ifupdown $FILE
 		    else
 			echo "$FILE already exists -- ppp devices will not be handled"
--- a/Shorewall-init/shorewall-init
+++ b/Shorewall-init/shorewall-init
@@ -1,28 +1,45 @@
-#! /bin/bash
-#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V4.5
+#!/bin/bash
+#	The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V5.0
 #
-#     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
+#	(c) 2012-2014 - Tom Eastep (teastep@shorewall.net)
 #
-#     (c) 2012 - Tom Eastep (teastep@shorewall.net)
+#	On most distributions, this file should be called
+#	/etc/init.d/shorewall.
 #
-#       On most distributions, this file should be called /etc/init.d/shorewall.
+#	Complete documentation is available at http://shorewall.net
 #
-#       Complete documentation is available at http://shorewall.net
+#	This program is part of Shorewall.
 #
-#       This program is free software; you can redistribute it and/or modify
-#       it under the terms of Version 2 of the GNU General Public License
-#       as published by the Free Software Foundation.
+#	This program is free software; you can redistribute it and/or modify
+#	it under the terms of the GNU General Public License as published by
+#	the Free Software Foundation, either version 2 of the license or,
+#	at your option, any later version.
 #
-#       This program is distributed in the hope that it will be useful,
-#       but WITHOUT ANY WARRANTY; without even the implied warranty of
-#       MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-#       GNU General Public License for more details.
+#	This program is distributed in the hope that it will be useful,
+#	but WITHOUT ANY WARRANTY; without even the implied warranty of
+#	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+#	GNU General Public License for more details.
 #
-#       You should have received a copy of the GNU General Public License
-#       along with this program; if not, write to the Free Software
-#       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#	You should have received a copy of the GNU General Public License
+#	along with this program; if not, see <http://www.gnu.org/licenses/>.
 #
-#########################################################################################
+###############################################################################
+# set the STATEDIR variable
+setstatedir() {
+    local statedir
+    if [ -f ${CONFDIR}/${PRODUCT}/vardir ]; then
+	statedir=$( . /${CONFDIR}/${PRODUCT}/vardir && echo $VARDIR )
+    fi
+
+    [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARLIB}/${PRODUCT}
+
+    if [ $PRODUCT = shorewall -o $PRODUCT = shorewall6 ]; then
+	${SBINDIR}/$PRODUCT ${OPTIONS} compile -c
+    else
+	return 0
+    fi
+}
+
 #
 # This is modified by the installer when ${SHAREDIR} <> /usr/share
 #
@@ -32,69 +49,76 @@
 if [ -f "$SYSCONFDIR/shorewall-init" ]; then
    . $SYSCONFDIR/shorewall-init
    if [ -z "$PRODUCTS" ]; then
-        echo "ERROR: No products configured" >&2
+	echo "ERROR: No products configured" >&2
 	exit 1
    fi
 else
-    echo "ERROR: /etc/sysconfig/shorewall-init not found" >&2
+    echo "ERROR: ${SYSCONFDIR}/shorewall-init not found" >&2
    exit 1
 fi

 # Initialize the firewall
 shorewall_start () {
-  local PRODUCT
-  local VARDIR
+    local PRODUCT
+    local STATEDIR

-  echo -n "Initializing \"Shorewall-based firewalls\": "
-  for PRODUCT in $PRODUCTS; do
-      if [ -x ${VARDIR}/firewall ]; then
-	  if ! /sbin/$PRODUCT status > /dev/null 2>&1; then
-	      ${VARDIR}/firewall stop || exit 1
-	  fi
-      fi
-  done
+    echo -n "Initializing \"Shorewall-based firewalls\": "
+    for PRODUCT in $PRODUCTS; do
+	if setstatedir; then
+	    if [ -x ${STATEDIR}/firewall ]; then
+		#
+		# Run in a sub-shell to avoid name collisions
+		#
+		(
+		    if ! ${STATEDIR}/firewall status > /dev/null 2>&1; then
+			${STATEDIR}/firewall ${OPTIONS} stop
+		    fi
+		)
+	    fi
+	fi
+    done

-  if [ -n "$SAVE_IPSETS" -a -f "$SAVE_IPSETS" ]; then
-      ipset -R < "$SAVE_IPSETS"
-  fi
+    if [ -n "$SAVE_IPSETS" -a -f "$SAVE_IPSETS" ]; then
+	ipset -R < "$SAVE_IPSETS"
+    fi

-  return 0
+    return 0
 }

 # Clear the firewall
 shorewall_stop () {
-  local PRODUCT
-  local VARDIR
+    local PRODUCT
+    local STATEDIR

-  echo -n "Clearing \"Shorewall-based firewalls\": "
-  for PRODUCT in $PRODUCTS; do
-      VARDIR=/var/lib/$PRODUCT
-      [ -f /etc/$PRODUCT/vardir ] && . /etc/$PRODUCT/vardir 
-      if [ -x ${VARDIR}/firewall ]; then
-	  ${VARDIR}/firewall clear || exit 1
-      fi
-  done
+    echo -n "Clearing \"Shorewall-based firewalls\": "
+    for PRODUCT in $PRODUCTS; do
+	if setstatedir; then
+	    if [ -x ${STATEDIR}/firewall ]; then
+		${STATEDIR}/firewall ${OPTIONS} clear
+	    fi
+	fi
+    done

-  if [ -n "$SAVE_IPSETS" ]; then
-      mkdir -p $(dirname "$SAVE_IPSETS")
-      if ipset -S > "${SAVE_IPSETS}.tmp"; then
-	  grep -qE -- '^(-N|create )' "${SAVE_IPSETS}.tmp" && mv -f "${SAVE_IPSETS}.tmp" "$SAVE_IPSETS"
-      fi
-  fi
+    if [ -n "$SAVE_IPSETS" ]; then
+	mkdir -p $(dirname "$SAVE_IPSETS")
+	if ipset -S > "${SAVE_IPSETS}.tmp"; then
+	    grep -qE -- '^(-N|create )' "${SAVE_IPSETS}.tmp" && mv -f "${SAVE_IPSETS}.tmp" "$SAVE_IPSETS"
+	fi
+    fi

-  return 0
+    return 0
 }

 case "$1" in
-  start)
-     shorewall_start
-     ;;
-  stop)
-     shorewall_stop
-     ;;
-  *)
-     echo "Usage: $0 {start|stop}"
-     exit 1
+    start)
+	shorewall_start
+	;;
+    stop)
+	shorewall_stop
+	;;
+    *)
+	echo "Usage: $0 {start|stop}"
+	exit 1
 esac

 exit 0
--- a/Shorewall-init/shorewall-init.service
+++ b/Shorewall-init/shorewall-init.service
@@ -1,11 +1,10 @@
 #
-#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V4.4
+#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall
 #
-#     Copyright 2011 Jonathan Underwood (jonathan.underwood@gmail.com)
+#     Copyright 2011 Jonathan Underwood <jonathan.underwood@gmail.com>
 #
 [Unit]
-Description=Shorewall IPv4 firewall
-After=syslog.target
+Description=Shorewall firewall (bootup security)
 Before=network.target

 [Service]
@@ -13,8 +12,8 @@ Type=oneshot
 RemainAfterExit=yes
 EnvironmentFile=-/etc/sysconfig/shorewall-init
 StandardOutput=syslog
-ExecStart=/shorewall-init $OPTIONS start
-ExecStop=/shorewall-init $OPTIONS stop
+ExecStart=/sbin/shorewall-init start
+ExecStop=/sbin/shorewall-init stop

 [Install]
-WantedBy=multi-user.target
+WantedBy=basic.target
--- a/Shorewall-init/shorewall-init.service.214
+++ b/Shorewall-init/shorewall-init.service.214
@@ -0,0 +1,20 @@
+#
+#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall
+#
+#     Copyright 2011 Jonathan Underwood <jonathan.underwood@gmail.com>
+#
+[Unit]
+Description=Shorewall firewall (bootup security)
+Before=network-pre.target
+Wants=network-pre.target
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+EnvironmentFile=-/etc/sysconfig/shorewall-init
+StandardOutput=syslog
+ExecStart=/sbin/shorewall-init start
+ExecStop=/sbin/shorewall-init stop
+
+[Install]
+WantedBy=basic.target
--- a/Shorewall-init/shorewall-init.service.214.debian
+++ b/Shorewall-init/shorewall-init.service.214.debian
@@ -0,0 +1,21 @@
+#
+#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall
+#
+#     Copyright 2011 Jonathan Underwood <jonathan.underwood@gmail.com>
+#     Copyright 2015 Tom Eastep <teastep@shorewall.net>
+#
+[Unit]
+Description=Shorewall firewall (bootup security)
+Before=network-pre.target
+Wants=network-pre.target
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+EnvironmentFile=-/etc/default/shorewall-init
+StandardOutput=syslog
+ExecStart=/sbin/shorewall-init start
+ExecStop=/sbin/shorewall-init stop
+
+[Install]
+WantedBy=basic.target
--- a/Shorewall-init/shorewall-init.service.debian
+++ b/Shorewall-init/shorewall-init.service.debian
@@ -0,0 +1,20 @@
+#
+#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall
+#
+#     Copyright 2011 Jonathan Underwood <jonathan.underwood@gmail.com>
+#     Copyright 2015 Tom Eastep <teastep@shorewall.net>
+#
+[Unit]
+Description=Shorewall firewall (bootup security)
+Before=network.target
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+EnvironmentFile=-/etc/default/shorewall-init
+StandardOutput=syslog
+ExecStart=/sbin/shorewall-init start
+ExecStop=/sbin/shorewall-init stop
+
+[Install]
+WantedBy=basic.target
--- a/Shorewall-init/sysconfig
+++ b/Shorewall-init/sysconfig
@@ -21,3 +21,6 @@ SAVE_IPSETS=""
 #
 LOGFILE=/var/log/shorewall-ifupdown.log

+# Startup options - set verbosity to 0 (minimal reporting)
+OPTIONS="-V0"
+
--- a/Shorewall-init/uninstall.sh
+++ b/Shorewall-init/uninstall.sh
@@ -1,25 +1,25 @@
-\#!/bin/sh
+#!/bin/sh
 #
 # Script to back uninstall Shoreline Firewall
 #
-#     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
-#
-#     (c) 2000-2011 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2000-2014 - Tom Eastep (teastep@shorewall.net)
 #
 #       Shorewall documentation is available at http://shorewall.sourceforge.net
 #
-#       This program is free software; you can redistribute it and/or modify
-#       it under the terms of Version 2 of the GNU General Public License
-#       as published by the Free Software Foundation.
+#       This program is part of Shorewall.
 #
-#       This program is distributed in the hope that it will be useful,
-#       but WITHOUT ANY WARRANTY; without even the implied warranty of
-#       MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-#       GNU General Public License for more details.
+#	This program is free software; you can redistribute it and/or modify
+#	it under the terms of the GNU General Public License as published by the
+#       Free Software Foundation, either version 2 of the license or, at your
+#       option, any later version.
 #
-#       You should have received a copy of the GNU General Public License
-#       along with this program; if not, write to the Free Software
-#       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#	This program is distributed in the hope that it will be useful,
+#	but WITHOUT ANY WARRANTY; without even the implied warranty of
+#	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+#	GNU General Public License for more details.
+#
+#	You should have received a copy of the GNU General Public License
+#	along with this program; if not, see <http://www.gnu.org/licenses/>.
 #
 #    Usage:
 #
@@ -35,6 +35,12 @@ usage() # $1 = exit status
    exit $1
 }

+fatal_error()
+{
+    echo "   ERROR: $@" >&2
+    exit 1
+}
+
 qt()
 {
    "$@" >/dev/null 2>&1
@@ -69,6 +75,42 @@ remove_file() # $1 = file to restore
    fi
 }

+finished=0
+configure=1
+
+while [ $finished -eq 0 ]; do
+    option=$1
+
+    case "$option" in
+	-*)
+	    option=${option#-}
+
+	    while [ -n "$option" ]; do
+		case $option in
+		    h)
+			usage 0
+			;;
+		    v)
+			echo "$Product Firewall Installer Version $VERSION"
+			exit 0
+			;;
+		    n*)
+			configure=0
+			option=${option#n}
+			;;
+		    *)
+			usage 1
+			;;
+		esac
+	    done
+
+	    shift
+	    ;;
+	*)
+	    finished=1
+	    ;;
+    esac
+done
 #
 # Read the RC file
 #
@@ -114,22 +156,29 @@ fi

 echo "Uninstalling Shorewall Init $VERSION"

+[ -n "$SANDBOX" ] && configure=0
+
 INITSCRIPT=${CONFDIR}/init.d/shorewall-init

 if [ -f "$INITSCRIPT" ]; then
-    if mywhich updaterc.d ; then
-	updaterc.d shorewall-init remove
-    elif mywhich insserv ; then
-        insserv -r $INITSCRIPT
-    elif mywhich chkconfig ; then
-	chkconfig --del $(basename $INITSCRIPT)
-    elif mywhich systemctl ; then
-	systemctl disable shorewall-init
+    if [ $configure -eq 1 ]; then
+	if mywhich updaterc.d ; then
+	    updaterc.d shorewall-init remove
+	elif mywhich insserv ; then
+            insserv -r $INITSCRIPT
+	elif mywhich chkconfig ; then
+	    chkconfig --del $(basename $INITSCRIPT)
+	fi
    fi

    remove_file $INITSCRIPT
 fi

+if [ -n "$SYSTEMD" ]; then
+    [ $configure -eq 1 ] && systemctl disable shorewall-init.service
+    rm -f $SYSTEMD/shorewall-init.service
+fi
+
 [ "$(readlink -m -q ${SBINDIR}/ifup-local)"   = ${SHAREDIR}/shorewall-init ] && remove_file ${SBINDIR}/ifup-local
 [ "$(readlink -m -q ${SBINDIR}/ifdown-local)" = ${SHAREDIR}/shorewall-init ] && remove_file ${SBINDIR}/ifdown-local

@@ -140,6 +189,7 @@ remove_file ${CONFDIR}/NetworkManager/dispatcher.d/01-shorewall

 remove_file ${CONFDIR}/network/if-up.d/shorewall
 remove_file ${CONFDIR}/network/if-down.d/shorewall
+remove_file ${CONFDIR}/network/if-post-down.d/shorewall

 remove_file ${CONFDIR}/sysconfig/network/if-up.d/shorewall
 remove_file ${CONFDIR}/sysconfig/network/if-down.d/shorewall
@@ -152,14 +202,15 @@ if [ -d ${CONFDIR}/ppp ]; then
    done

    for file in if-up.local if-down.local; do
-	if fgrep -q Shorewall-based ${CONFDIR}/ppp/$FILE; then
+	if grep -qF Shorewall-based ${CONFDIR}/ppp/$FILE; then
 	    remove_file ${CONFDIR}/ppp/$FILE
 	fi
    done
 fi

+rm -f  ${SBINDIR}/shorewall-init
 rm -rf ${SHAREDIR}/shorewall-init
-rm -rf ${LIBEXEC}/shorewall-init
+rm -rf ${LIBEXECDIR}/shorewall-init

 echo "Shorewall Init Uninstalled"

--- a/Shorewall-lite/configpath
+++ b/Shorewall-lite/configpath
@@ -1,7 +1,7 @@
 #
-# Shorewall Lite version 4.1 - Default Config Path
+# Shorewall Lite version 5 - Default Config Path
 #
 # /usr/share/shorewall-lite/configpath
 #

-CONFIG_PATH=/etc/shorewall-lite:/usr/share/shorewall-lite
+CONFIG_PATH=${CONFDIR}/shorewall-lite:${SHAREDIR}/shorewall-lite:${SHAREDIR}/shorewall
--- a/Shorewall-lite/init.debian.sh
+++ b/Shorewall-lite/init.debian.sh
@@ -11,7 +11,7 @@
 #                    /etc/shorewall-lite
 ### END INIT INFO

-
+. /lib/lsb/init-functions

 SRWL=/sbin/shorewall-lite
 SRWL_OPTS="-tvv"
--- a/Shorewall-lite/init.fedora.sh
+++ b/Shorewall-lite/init.fedora.sh
@@ -39,7 +39,7 @@ fi

 start() {
    echo -n $"Starting Shorewall: "
-    $shorewall $OPTIONS start 2>&1 | $logger
+    $shorewall $OPTIONS start $STARTOPTIONS 2>&1 | $logger
    retval=${PIPESTATUS[0]}
    if [[ $retval == 0 ]]; then
 	touch $lockfile
@@ -69,7 +69,7 @@ restart() {
 # Note that we don't simply stop and start since shorewall has a built in
 # restart which stops the firewall if running and then starts it.
    echo -n $"Restarting Shorewall: "
-    $shorewall $OPTIONS restart 2>&1 | $logger
+    $shorewall $OPTIONS restart $RESTARTOPTIONS 2>&1 | $logger
    retval=${PIPESTATUS[0]}
    if [[ $retval == 0 ]]; then
 	touch $lockfile
--- a/Shorewall-lite/init.sh
+++ b/Shorewall-lite/init.sh
@@ -3,17 +3,18 @@ RCDLINKS="2,S41 3,S41 6,K41"
 #
 #     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V4.5
 #
-#     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
-#
-#     (c) 1999,2000,2001,2002,2003,2004,2005,2006,2007,2012 - Tom Eastep (teastep@shorewall.net)
+#     (c) 1999,2000,2001,2002,2003,2004,2005,2006,2007,2012,2014 - Tom Eastep (teastep@shorewall.net)
 #
 #	On most distributions, this file should be called /etc/init.d/shorewall.
 #
 #	Complete documentation is available at http://shorewall.net
 #
+#       This program is part of Shorewall.
+#
 #	This program is free software; you can redistribute it and/or modify
-#	it under the terms of Version 2 of the GNU General Public License
-#	as published by the Free Software Foundation.
+#	it under the terms of the GNU General Public License as published by the
+#       Free Software Foundation, either version 2 of the license or, at your
+#       option, any later version.
 #
 #	This program is distributed in the hope that it will be useful,
 #	but WITHOUT ANY WARRANTY; without even the implied warranty of
@@ -21,8 +22,7 @@ RCDLINKS="2,S41 3,S41 6,K41"
 #	GNU General Public License for more details.
 #
 #	You should have received a copy of the GNU General Public License
-#	along with this program; if not, write to the Free Software
-#	Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#	along with this program; if not, see <http://www.gnu.org/licenses/>.
 #
 #	If an error occurs while starting or restarting the firewall, the
 #	firewall is automatically stopped.
--- a/Shorewall-lite/install.sh
+++ b/Shorewall-lite/install.sh
@@ -2,24 +2,24 @@
 #
 # Script to install Shoreline Firewall Lite
 #
-#     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
-#
-#     (c) 2000-2011 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2000-2011,2014 - Tom Eastep (teastep@shorewall.net)
 #
 #       Shorewall documentation is available at http://shorewall.net
 #
-#       This program is free software; you can redistribute it and/or modify
-#       it under the terms of Version 2 of the GNU General Public License
-#       as published by the Free Software Foundation.
+#       This program is part of Shorewall.
 #
-#       This program is distributed in the hope that it will be useful,
-#       but WITHOUT ANY WARRANTY; without even the implied warranty of
-#       MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-#       GNU General Public License for more details.
+#	This program is free software; you can redistribute it and/or modify
+#	it under the terms of the GNU General Public License as published by the
+#       Free Software Foundation, either version 2 of the license or, at your
+#       option, any later version.
 #
-#       You should have received a copy of the GNU General Public License
-#       along with this program; if not, write to the Free Software
-#       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#	This program is distributed in the hope that it will be useful,
+#	but WITHOUT ANY WARRANTY; without even the implied warranty of
+#	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+#	GNU General Public License for more details.
+#
+#	You should have received a copy of the GNU General Public License
+#	along with this program; if not, see <http://www.gnu.org/licenses/>.
 #

 VERSION=xxx #The Build script inserts the actual version
@@ -30,6 +30,7 @@ usage() # $1 = exit status
    echo "usage: $ME [ <configuration-file> ]"
    echo "       $ME -v"
    echo "       $ME -h"
+    echo "       $ME -n"
    exit $1
 }

@@ -113,9 +114,13 @@ fi
 # Parse the run line
 #
 finished=0
+configure=1

 while [ $finished -eq 0 ] ; do
-    case "$1" in
+
+    option=$1
+
+    case "$option" in
 	-*)
 	    option=${option#-}

@@ -128,6 +133,10 @@ while [ $finished -eq 0 ] ; do
 			echo "$Product Firewall Installer Version $VERSION"
 			exit 0
 			;;
+		    n*)
+			configure=0
+			option=${option#n}
+			;;
 		    *)
 			usage 1
 			;;
@@ -182,8 +191,12 @@ for var in SHAREDIR LIBEXECDIRDIRDIR CONFDIR SBINDIR VARLIB VARDIR; do
    require $var
 done

+[ -n "${INITFILE}" ] && require INITSOURCE && require INITDIR
+
 PATH=${SBINDIR}:/bin:/usr${SBINDIR}:/usr/bin:/usr/local/bin:/usr/local${SBINDIR}

+[ -n "$SANDBOX" ] && configure=0
+
 #
 # Determine where to install the firewall script
 #
@@ -193,15 +206,37 @@ T='-T'

 if [ -z "$BUILD" ]; then
    case $(uname) in
-	cygwin*)
+	cygwin*|CYGWIN*)
 	    BUILD=cygwin
 	    ;;
 	Darwin)
 	    BUILD=apple
 	    ;;
 	*)
-	    if [ -f ${CONFDIR}/debian_version ]; then
+	    if [ -f /etc/os-release ]; then
+		eval $(cat /etc/os-release | grep ^ID)
+
+		case $ID in
+		    fedora|rhel|centos|foobar)
+			BUILD=redhat
+			;;
+		    debian)
+			BUILD=debian
+			;;
+		    gentoo)
+			BUILD=gentoo
+			;;
+		    opensuse)
+			BUILD=suse
+			;;
+		    *)
+			BUILD="$ID"
+			;;
+		esac
+	    elif [ -f ${CONFDIR}/debian_version ]; then
 		BUILD=debian
+	    elif [ -f /etc/gentoo-release ]; then
+		BUILD=gentoo
 	    elif [ -f ${CONFDIR}/redhat-release ]; then
 		BUILD=redhat
 	    elif [ -f ${CONFDIR}/SuSE-release ]; then
@@ -218,7 +253,7 @@ if [ -z "$BUILD" ]; then
 fi

 case $BUILD in
-    cygwin*)
+    cygwin*|CYGWIN*)
 	OWNER=$(id -un)
 	GROUP=$(id -gn)
 	;;
@@ -250,6 +285,9 @@ case "$HOST" in
    debian)
 	echo "Installing Debian-specific configuration..."
 	;;
+    gentoo)
+	echo "Installing Gentoo-specific configuration..."
+	;;
    redhat)
 	echo "Installing Redhat/Fedora-specific configuration..."
 	;;
@@ -281,7 +319,7 @@ if [ -n "$DESTDIR" ]; then
    install -d $OWNERSHIP -m 755 ${DESTDIR}/${SBINDIR}
    install -d $OWNERSHIP -m 755 ${DESTDIR}${INITDIR}
 else
-    if [ ! -f /usr/share/shorewall/coreversion ]; then
+    if [ ! -f ${SHAREDIR}/shorewall/coreversion ]; then
 	echo "$PRODUCT $VERSION requires Shorewall Core which does not appear to be installed" >&2
 	exit 1
    fi
@@ -293,7 +331,7 @@ echo "Installing $Product Version $VERSION"
 # Check for ${CONFDIR}/$PRODUCT
 #
 if [ -z "$DESTDIR" -a -d ${CONFDIR}/$PRODUCT ]; then
-    if [ ! -f /usr/share/shorewall/coreversion ]; then
+    if [ ! -f ${SHAREDIR}/shorewall/coreversion ]; then
 	echo "$PRODUCT $VERSION requires Shorewall Core which does not appear to be installed" >&2
 	exit 1
    fi
@@ -319,6 +357,7 @@ fi
 delete_file ${DESTDIR}/usr/share/$PRODUCT/xmodules

 install_file $PRODUCT ${DESTDIR}${SBINDIR}/$PRODUCT 0544
+[ -n "${INITFILE}" ] && install -d $OWNERSHIP -m 755 ${DESTDIR}${INITDIR}

 echo "$Product control program installed in ${DESTDIR}${SBINDIR}/$PRODUCT"

@@ -331,7 +370,7 @@ mkdir -p ${DESTDIR}${LIBEXECDIR}/$PRODUCT
 mkdir -p ${DESTDIR}${VARDIR}

 chmod 755 ${DESTDIR}${CONFDIR}/$PRODUCT
-chmod 755 ${DESTDIR}/usr/share/$PRODUCT
+chmod 755 ${DESTDIR}${SHAREDIR}/$PRODUCT

 if [ -n "$DESTDIR" ]; then
    mkdir -p ${DESTDIR}${CONFDIR}/logrotate.d
@@ -341,24 +380,29 @@ if [ -n "$DESTDIR" ]; then
 fi

 if [ -n "$INITFILE" ]; then
+    if [ -f "${INITSOURCE}" ]; then
+	initfile="${DESTDIR}${INITDIR}/${INITFILE}"
+	install_file ${INITSOURCE} "$initfile" 0544

-    initfile="${DESTDIR}/${INITDIR}/${INITFILE}"
-    install_file ${INITSOURCE} "$initfile" 0544
+	[ "${SHAREDIR}" = /usr/share ] || eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' "$initfile"

-    [ "${SHAREDIR}" = /usr/share ] || eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' "$initfile"
-
-    echo  "$Product init script installed in $initfile"
+	echo  "SysV init script $INITSOURCE installed in $initfile"
+    fi
 fi
 #
 # Install the .service file
 #
-if [ -n "$SYSTEMD" ]; then
-    mkdir -p ${DESTDIR}${SYSTEMD}
-    run_install $OWNERSHIP -m 600 $PRODUCT.service ${DESTDIR}/${SYSTEMD}/$PRODUCT.service
-    [ ${SBINDIR} != /sbin ] && eval sed -i \'s\|/sbin/\|${SBINDIR}/\|\' ${DESTDIR}${SYSTEMD}/$PRODUCT.service
-    echo "Service file installed as ${DESTDIR}/lib/systemd/system/$PRODUCT.service"
+if [ -z "${SERVICEDIR}" ]; then
+    SERVICEDIR="$SYSTEMD"
 fi

+if [ -n "$SERVICEDIR" ]; then
+    mkdir -p ${DESTDIR}${SERVICEDIR}
+    [ -z "$SERVICEFILE" ] && SERVICEFILE=$PRODUCT.service
+    run_install $OWNERSHIP -m 644 $SERVICEFILE ${DESTDIR}${SERVICEDIR}/$PRODUCT.service
+    [ ${SBINDIR} != /sbin ] && eval sed -i \'s\|/sbin/\|${SBINDIR}/\|\' ${DESTDIR}${SERVICEDIR}/$PRODUCT.service
+    echo "Service file $SERVICEFILE installed as ${DESTDIR}${SERVICEDIR}/$PRODUCT.service"
+fi
 #
 # Install the config file
 #
@@ -369,6 +413,9 @@ fi

 if [ $HOST = archlinux ] ; then
   sed -e 's!LOGFILE=/var/log/messages!LOGFILE=/var/log/messages.log!' -i ${DESTDIR}${CONFDIR}/$PRODUCT/$PRODUCT.conf
+elif [ $HOST = gentoo ]; then
+    # Adjust SUBSYSLOCK path (see https://bugs.gentoo.org/show_bug.cgi?id=459316)
+    perl -p -w -i -e "s|^SUBSYSLOCK=.*|SUBSYSLOCK=/run/lock/$PRODUCT|;" ${DESTDIR}${CONFDIR}/$PRODUCT/$PRODUCT.conf
 fi

 #
@@ -435,18 +482,18 @@ done
 if [ -d manpages ]; then
    cd manpages

-    [ -n "$INSTALLD" ] || mkdir -p ${DESTDIR}${SHAREDIR}/man/man5/ ${DESTDIR}${SHAREDIR}/man/man8/
+    [ -n "$INSTALLD" ] || mkdir -p ${DESTDIR}${MANDIR}/man5/ ${DESTDIR}${MANDIR}/man8/

    for f in *.5; do
 	gzip -c $f > $f.gz
-	run_install $T $INSTALLD $OWNERSHIP -m 0644 $f.gz ${DESTDIR}${SHAREDIR}/man/man5/$f.gz
-	echo "Man page $f.gz installed to ${DESTDIR}${SHAREDIR}/man/man5/$f.gz"
+	run_install $T $INSTALLD $OWNERSHIP -m 0644 $f.gz ${DESTDIR}${MANDIR}/man5/$f.gz
+	echo "Man page $f.gz installed to ${DESTDIR}${MANDIR}/man5/$f.gz"
    done

    for f in *.8; do
 	gzip -c $f > $f.gz
-	run_install $T $INSTALLD $OWNERSHIP -m 0644 $f.gz ${DESTDIR}${SHAREDIR}/man/man8/$f.gz
-	echo "Man page $f.gz installed to ${DESTDIR}${SHAREDIR}/man/man8/$f.gz"
+	run_install $T $INSTALLD $OWNERSHIP -m 0644 $f.gz ${DESTDIR}${MANDIR}/man8/$f.gz
+	echo "Man page $f.gz installed to ${DESTDIR}${MANDIR}/man8/$f.gz"
    done

    cd ..
@@ -468,7 +515,7 @@ chmod 644 ${DESTDIR}${SHAREDIR}/$PRODUCT/version
 # Remove and create the symbolic link to the init script
 #

-if [ -z "$DESTDIR" ]; then
+if [ -z "${DESTDIR}" -a -n "${INITFILE}" ]; then
    rm -f ${SHAREDIR}/$PRODUCT/init
    ln -s ${INITDIR}/${INITFILE} ${SHAREDIR}/$PRODUCT/init
 fi
@@ -477,13 +524,16 @@ delete_file ${DESTDIR}${SHAREDIR}/$PRODUCT/lib.common
 delete_file ${DESTDIR}${SHAREDIR}/$PRODUCT/lib.cli
 delete_file ${DESTDIR}${SHAREDIR}/$PRODUCT/wait4ifup

-if [ -n "$SYSCONFFILE" -a ! -f ${DESTDIR}${SYSCONFDIR}/${PRODUCT} ]; then
+#
+# Note -- not all packages will have the SYSCONFFILE so we need to check for its existance here
+#
+if [ -n "$SYSCONFFILE" -a -f "$SYSCONFFILE" -a ! -f ${DESTDIR}${SYSCONFDIR}/${PRODUCT} ]; then
    if [ ${DESTDIR} ]; then
 	mkdir -p ${DESTDIR}${SYSCONFDIR}
 	chmod 755 ${DESTDIR}${SYSCONFDIR}
    fi

-    run_install $OWNERSHIP -m 0644 default.debian ${DESTDIR}${SYSCONFDIR}/${PRODUCT}
+    run_install $OWNERSHIP -m 0644 ${SYSCONFFILE} ${DESTDIR}${SYSCONFDIR}/${PRODUCT}
    echo "$SYSCONFFILE installed in ${DESTDIR}${SYSCONFDIR}/${PRODUCT}"
 fi

@@ -492,21 +542,21 @@ if [ ${SHAREDIR} != /usr/share ]; then
    eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}/${SBINDIR}/$PRODUCT
 fi

-if [ -z "$DESTDIR" -a -n "$first_install" -a -z "${cygwin}${mac}" ]; then
-    if mywhich update-rc.d ; then
-	echo "$PRODUCT will start automatically at boot"
-	echo "Set startup=1 in ${SYSCONFDIR}/$PRODUCT to enable"
-	touch /var/log/$PRODUCT-init.log
-	perl -p -w -i -e 's/^STARTUP_ENABLED=No/STARTUP_ENABLED=Yes/;s/^IP_FORWARDING=On/IP_FORWARDING=Keep/;s/^SUBSYSLOCK=.*/SUBSYSLOCK=/;' ${CONFDIR}/${PRODUCT}/${PRODUCT}.conf
-	update-rc.d $PRODUCT enable defaults
-    elif [ -n "$SYSTEMD" ]; then
+if [ $configure -eq 1 -a -z "$DESTDIR" -a -n "$first_install" -a -z "${cygwin}${mac}" ]; then
+    if [ -n "$SERVICEDIR" ]; then
 	if systemctl enable ${PRODUCT}.service; then
 	    echo "$Product will start automatically at boot"
 	fi
    elif mywhich insserv; then
 	if insserv ${INITDIR}/${INITFILE} ; then
 	    echo "$PRODUCT will start automatically at boot"
-	    echo "Set STARTUP_ENABLED=Yes in ${CONFDIR}/$PRODUCT/${PRODUCT}.conf to enable"
+	    if [ $HOST = debian ]; then
+		echo "Set startup=1 in ${CONFDIR}/default/$PRODUCT to enable"
+		touch /var/log/$PRODUCT-init.log
+		perl -p -w -i -e 's/^STARTUP_ENABLED=No/STARTUP_ENABLED=Yes/;s/^IP_FORWARDING=On/IP_FORWARDING=Keep/;s/^SUBSYSLOCK=.*/SUBSYSLOCK=/;' ${CONFDIR}/$PRODUCT/$PRODUCT.conf
+	    else
+		echo "Set STARTUP_ENABLED=Yes in ${CONFDIR}/$PRODUCT/$PRODUCT.conf to enable"
+	    fi
 	else
 	    cant_autostart
 	fi
@@ -518,10 +568,22 @@ if [ -z "$DESTDIR" -a -n "$first_install" -a -z "${cygwin}${mac}" ]; then
 	else
 	    cant_autostart
 	fi
+    elif mywhich update-rc.d ; then
+	echo "$PRODUCT will start automatically at boot"
+	echo "Set startup=1 in ${CONFDIR}/default/$PRODUCT to enable"
+	touch /var/log/$PRODUCT-init.log
+	perl -p -w -i -e 's/^STARTUP_ENABLED=No/STARTUP_ENABLED=Yes/;s/^IP_FORWARDING=On/IP_FORWARDING=Keep/;s/^SUBSYSLOCK=.*/SUBSYSLOCK=/;' ${CONFDIR}/$PRODUCT/$PRODUCT.conf
+	update-rc.d $PRODUCT enable
    elif mywhich rc-update ; then
 	if rc-update add $PRODUCT default; then
 	    echo "$PRODUCT will start automatically at boot"
-	    echo "Set STARTUP_ENABLED=Yes in ${CONFDIR}/$PRODUCT/$PRODUCT.conf to enable"
+	    if [ $HOST = debian ]; then
+		echo "Set startup=1 in ${CONFDIR}/default/$PRODUCT to enable"
+		touch /var/log/$PRODUCT-init.log
+		perl -p -w -i -e 's/^STARTUP_ENABLED=No/STARTUP_ENABLED=Yes/;s/^IP_FORWARDING=On/IP_FORWARDING=Keep/;s/^SUBSYSLOCK=.*/SUBSYSLOCK=/;' ${CONFDIR}/$PRODUCT/$PRODUCT.conf
+	    else
+		echo "Set STARTUP_ENABLED=Yes in ${CONFDIR}/$PRODUCT/$PRODUCT.conf to enable"
+	    fi
 	else
 	    cant_autostart
 	fi
--- a/Shorewall-lite/lib.base
+++ b/Shorewall-lite/lib.base
@@ -1,15 +1,16 @@
 #
 # Shorewall 4.4 -- /usr/share/shorewall-lite/lib.base
 #
-#     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
-#
-#     (c) 2011 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2011,2014 - Tom Eastep (teastep@shorewall.net)
 #
 #	Complete documentation is available at http://shorewall.net
 #
-#	This program is free software; you can redisribute it and/or modify
-#	it under the terms of Version 2 of the GNU General Public License
-#	as published by the Free Software Foundation.
+#       This program is part of Shorewall.
+#
+#	This program is free software; you can redistribute it and/or modify
+#	it under the terms of the GNU General Public License as published by the
+#       Free Software Foundation, either version 2 of the license or, at your
+#       option, any later version.
 #
 #	This program is distributed in the hope that it will be useful,
 #	but WITHOUT ANY WARRANTY; without even the implied warranty of
@@ -17,8 +18,7 @@
 #	GNU General Public License for more details.
 #
 #	You should have received a copy of the GNU General Public License
-#	along with this program; if not, write to the Free Software
-#	Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#	along with this program; if not, see <http://www.gnu.org/licenses/>.
 #
 # This library contains the code common to all Shorewall components.

--- a/Shorewall-lite/manpages/shorewall-lite-vardir.xml
+++ b/Shorewall-lite/manpages/shorewall-lite-vardir.xml
@@ -6,6 +6,8 @@
    <refentrytitle>shorewall-lite-vardir</refentrytitle>

    <manvolnum>5</manvolnum>
+
+    <refmiscinfo>Configuration Files</refmiscinfo>
  </refmeta>

  <refnamediv>
@@ -54,7 +56,7 @@
        /opt/var/lib/shorewall-lite/.</para>
      </blockquote>

-      <para> When VARDIR is set in /etc/shorewall-lite/vardir, Shorewall Lite
+      <para>When VARDIR is set in /etc/shorewall-lite/vardir, Shorewall Lite
      will save its state in the <replaceable>directory</replaceable>
      specified.</para>
    </note>
--- a/Shorewall-lite/manpages/shorewall-lite.conf.xml
+++ b/Shorewall-lite/manpages/shorewall-lite.conf.xml
@@ -6,6 +6,8 @@
    <refentrytitle>shorewall-lite.conf</refentrytitle>

    <manvolnum>5</manvolnum>
+
+    <refmiscinfo>Configuration Files</refmiscinfo>
  </refmeta>

  <refnamediv>
@@ -141,7 +143,7 @@
          stops. Creating and removing this file allows Shorewall to work with
          your distribution's initscripts. For RedHat, this should be set to
          /var/lock/subsys/shorewall. For Debian, the value is
-          /var/state/shorewall and in LEAF it is /var/run/shorwall.</para>
+          /var/state/shorewall and in LEAF it is /var/run/shorewall.</para>
        </listitem>
      </varlistentry>

--- a/Shorewall-lite/manpages/shorewall-lite.xml
+++ b/Shorewall-lite/manpages/shorewall-lite.xml
@@ -6,6 +6,8 @@
    <refentrytitle>shorewall-lite</refentrytitle>

    <manvolnum>8</manvolnum>
+
+    <refmiscinfo>Administrative Commands</refmiscinfo>
  </refmeta>

  <refnamediv>
@@ -45,6 +47,19 @@
      <arg choice="plain"><replaceable>address</replaceable></arg>
    </cmdsynopsis>

+    <cmdsynopsis>
+      <command>shorewall-lite</command>
+
+      <arg
+      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
+
+      <arg>-<replaceable>options</replaceable></arg>
+
+      <arg choice="plain"><option>allow</option></arg>
+
+      <arg choice="plain"><replaceable>address</replaceable></arg>
+    </cmdsynopsis>
+
    <cmdsynopsis>
      <command>shorewall-lite</command>

@@ -57,6 +72,21 @@
      choice="plain"><option>clear</option><arg><option>-f</option></arg></arg>
    </cmdsynopsis>

+    <cmdsynopsis>
+      <command>shorewall-lite</command>
+
+      <arg
+      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
+
+      <arg>-<replaceable>options</replaceable></arg>
+
+      <arg choice="plain"><option>close</option><arg choice="req">
+      <replaceable>open-number</replaceable> |
+      <replaceable>source</replaceable><replaceable>dest</replaceable><arg><replaceable>protocol</replaceable><arg>
+      <replaceable>port</replaceable> </arg></arg></arg><replaceable>
+      </replaceable></arg>
+    </cmdsynopsis>
+
    <cmdsynopsis>
      <command>shorewall-lite</command>

@@ -114,6 +144,8 @@
      <arg><option>-l</option></arg>

      <arg><option>-m</option></arg>
+
+      <arg><option>-c</option></arg>
    </cmdsynopsis>

    <cmdsynopsis>
@@ -261,6 +293,29 @@
      expression</replaceable></arg>
    </cmdsynopsis>

+    <cmdsynopsis>
+      <command>shorewall-lite</command>
+
+      <arg choice="plain"><option>open</option><replaceable>
+      source</replaceable><replaceable> dest</replaceable><arg>
+      <replaceable>protocol</replaceable><arg> <replaceable>port</replaceable>
+      </arg> </arg></arg>
+    </cmdsynopsis>
+
+    <cmdsynopsis>
+      <command>shorewall-lite</command>
+
+      <arg
+      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
+
+      <arg>-<replaceable>options</replaceable></arg>
+
+      <arg choice="plain"><option>reenable</option></arg>
+
+      <arg choice="plain">{ <replaceable>interface</replaceable> |
+      <replaceable>provider</replaceable> }</arg>
+    </cmdsynopsis>
+
    <cmdsynopsis>
      <command>shorewall-lite</command>

@@ -274,6 +329,21 @@
      <arg choice="plain"><replaceable>address</replaceable></arg>
    </cmdsynopsis>

+    <cmdsynopsis>
+      <command>shorewall-lite</command>
+
+      <arg
+      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
+
+      <arg>-<replaceable>options</replaceable></arg>
+
+      <arg choice="plain"><option>reload</option></arg>
+
+      <arg><option>-n</option></arg>
+
+      <arg><option>-p</option><arg><option>-C</option></arg></arg>
+    </cmdsynopsis>
+
    <cmdsynopsis>
      <command>shorewall-lite</command>

@@ -297,9 +367,7 @@

      <arg><option>-n</option></arg>

-      <arg><option>-p</option></arg>
-
-      <arg><replaceable>directory</replaceable></arg>
+      <arg><option>-p</option><arg><option>-C</option></arg></arg>
    </cmdsynopsis>

    <cmdsynopsis>
@@ -312,6 +380,8 @@

      <arg choice="plain"><option>restore</option></arg>

+      <arg><option>-C</option></arg>
+
      <arg><replaceable>filename</replaceable></arg>
    </cmdsynopsis>

@@ -323,11 +393,38 @@

      <arg>-<replaceable>options</replaceable></arg>

-      <arg choice="plain"><option>save</option></arg>
+      <arg choice="plain"><option>run</option></arg>
+
+      <arg choice="plain">function</arg>
+
+      <arg><replaceable>parameter ...</replaceable></arg>
+    </cmdsynopsis>
+
+    <cmdsynopsis>
+      <command>shorewall-lite</command>
+
+      <arg
+      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
+
+      <arg>-<replaceable>options</replaceable></arg>
+
+      <arg
+      choice="plain"><option>save</option><arg><option>-C</option></arg></arg>

      <arg choice="opt"><replaceable>filename</replaceable></arg>
    </cmdsynopsis>

+    <cmdsynopsis>
+      <command>shorewall-lite</command>
+
+      <arg
+      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
+
+      <arg>-<replaceable>options</replaceable></arg>
+
+      <arg choice="plain"><option>savesets</option></arg>
+    </cmdsynopsis>
+
    <cmdsynopsis>
      <command>shorewall-lite</command>

@@ -335,7 +432,7 @@

      <arg>-<replaceable>options</replaceable></arg>

-      <arg choice="plain"><option>show</option></arg>
+      <arg choice="req"><option>show | list | ls </option></arg>

      <arg><option>-b</option></arg>

@@ -357,7 +454,21 @@

      <arg>-<replaceable>options</replaceable></arg>

-      <arg choice="plain"><option>show</option></arg>
+      <arg choice="req"><option>show | list | ls </option></arg>
+
+      <arg><option>-x</option></arg>
+
+      <arg choice="plain"><option>{bl|blacklists}</option></arg>
+    </cmdsynopsis>
+
+    <cmdsynopsis>
+      <command>shorewall-lite</command>
+
+      <arg choice="opt"><option>trace</option>|<option>debug</option></arg>
+
+      <arg>-<replaceable>options</replaceable></arg>
+
+      <arg choice="req"><option>show | list | ls </option></arg>

      <arg><option>-f</option></arg>

@@ -371,10 +482,10 @@

      <arg>-<replaceable>options</replaceable></arg>

-      <arg choice="plain"><option>show</option></arg>
+      <arg choice="req"><option>show | list | ls </option></arg>

      <arg
-      choice="req"><option>classifiers|connections|config|filters|ip|ipa|zones|policies|marks</option></arg>
+      choice="req"><option>classifiers|connections|config|events|filters|ip|ipa|zones|policies|marks</option></arg>
    </cmdsynopsis>

    <cmdsynopsis>
@@ -384,11 +495,38 @@

      <arg>-<replaceable>options</replaceable></arg>

-      <arg choice="plain"><option>show</option></arg>
+      <arg choice="req"><option>show | list | ls </option></arg>
+
+      <arg choice="plain"><option>event</option><arg
+      choice="plain"><replaceable>event</replaceable></arg></arg>
+    </cmdsynopsis>
+
+    <cmdsynopsis>
+      <command>shorewall-lite</command>
+
+      <arg choice="opt"><option>trace</option>|<option>debug</option></arg>
+
+      <arg>-<replaceable>options</replaceable></arg>
+
+      <arg choice="req"><option>show | list | ls </option></arg>
+
+      <arg><option>-c</option></arg>
+
+      <arg choice="plain"><option>routing</option></arg>
+    </cmdsynopsis>
+
+    <cmdsynopsis>
+      <command>shorewall-lite</command>
+
+      <arg choice="opt"><option>trace</option>|<option>debug</option></arg>
+
+      <arg>-<replaceable>options</replaceable></arg>
+
+      <arg choice="req"><option>show | list | ls </option></arg>

      <arg><option>-x</option></arg>

-      <arg choice="req"><option>mangle|nat|routing|raw|rawpost</option></arg>
+      <arg choice="req"><option>mangle|nat|raw|rawpost</option></arg>
    </cmdsynopsis>

    <cmdsynopsis>
@@ -398,7 +536,7 @@

      <arg>-<replaceable>options</replaceable></arg>

-      <arg choice="plain"><option>show</option></arg>
+      <arg choice="req"><option>show | list | ls </option></arg>

      <arg choice="plain"><option>tc</option></arg>
    </cmdsynopsis>
@@ -410,7 +548,7 @@

      <arg>-<replaceable>options</replaceable></arg>

-      <arg choice="plain"><option>show</option></arg>
+      <arg choice="req"><option>show | list | ls </option></arg>

      <arg><option>-m</option></arg>

@@ -430,6 +568,10 @@
      <arg><option>-n</option></arg>

      <arg><option>-p</option></arg>
+
+      <arg><option>-f</option></arg>
+
+      <arg><option>-C</option></arg>
    </cmdsynopsis>

    <cmdsynopsis>
@@ -450,7 +592,8 @@

      <arg>-<replaceable>options</replaceable></arg>

-      <arg choice="plain"><option>status</option></arg>
+      <arg choice="plain"><arg
+      choice="plain"><option>status</option><arg><option>-i</option></arg></arg></arg>
    </cmdsynopsis>

    <cmdsynopsis>
@@ -481,8 +624,9 @@

    <para>The nolock <option>option</option> prevents the command from
    attempting to acquire the Shorewall-lite lockfile. It is useful if you
-    need to include <command>shorewall</command> commands in
-    <filename>/etc/shorewall/started</filename>.</para>
+    need to include <command>shorewall</command> commands in the
+    <filename>started</filename> <ulink
+    url="../shorewall_extension_scripts.html">extension script</ulink>.</para>

    <para>The <emphasis>options</emphasis> control the amount of output that
    the command produces. They consist of a sequence of the letters <emphasis
@@ -492,9 +636,9 @@
    url="shorewall.conf.html">shorewall.conf</ulink>(5). Each <emphasis
    role="bold">v</emphasis> adds one to the effective verbosity and each
    <emphasis role="bold">q</emphasis> subtracts one from the effective
-    VERBOSITY. Anternately, <emphasis role="bold">v</emphasis> may be followed
-    immediately with one of -1,0,1,2 to specify a specify VERBOSITY. There may
-    be no white space between <emphasis role="bold">v</emphasis> and the
+    VERBOSITY. Alternately, <emphasis role="bold">v</emphasis> may be followed
+    immediately with one of -1,0,1,2 to specify VERBOSITY. There may be no
+    white-space between <emphasis role="bold">v</emphasis> and the
    VERBOSITY.</para>

    <para>The <emphasis>options</emphasis> may also include the letter
@@ -509,7 +653,10 @@

    <variablelist>
      <varlistentry>
-        <term><emphasis role="bold">add</emphasis></term>
+        <term><emphasis role="bold">add </emphasis>{
+        <replaceable>interface</replaceable>[:<replaceable>host-list</replaceable>]...
+        <replaceable>zone</replaceable> | <replaceable>zone</replaceable>
+        <replaceable>host-list</replaceable> }</term>

        <listitem>
          <para>Adds a list of hosts or subnets to a dynamic zone usually used
@@ -534,7 +681,8 @@
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">allow</emphasis></term>
+        <term><emphasis role="bold">allow
+        </emphasis><replaceable>address</replaceable></term>

        <listitem>
          <para>Re-enables receipt of packets from hosts previously
@@ -546,7 +694,25 @@
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">clear</emphasis></term>
+        <term><emphasis role="bold">call <replaceable>function</replaceable> [
+        <replaceable>parameter</replaceable> ... ]</emphasis></term>
+
+        <listitem>
+          <para>Added in Shorewall 4.6.10. Allows you to call a function in
+          one of the Shorewall libraries or in your compiled script. function
+          must name the shell function to be called. The listed parameters are
+          passed to the function.</para>
+
+          <para>The function is first searched for in
+          <filename>lib.base</filename>, <filename>lib.common</filename> and
+          <filename>lib.cli</filename>. If it is not found, the call command
+          is passed to the generated script to be executed.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><emphasis role="bold">clear
+        </emphasis>[-<option>f</option>]</term>

        <listitem>
          <para>Clear will remove all rules and chains installed by
@@ -557,13 +723,38 @@
          <para>If <option>-f</option> is given, the command will be processed
          by the compiled script that executed the last successful <emphasis
          role="bold">start</emphasis>, <emphasis
+          role="bold">reload</emphasis>, <emphasis
          role="bold">restart</emphasis> or <emphasis
          role="bold">refresh</emphasis> command if that script exists.</para>
        </listitem>
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">delete</emphasis></term>
+        <term><emphasis role="bold">close</emphasis> {
+        <replaceable>open-number</replaceable> |
+        <replaceable>source</replaceable> <replaceable>dest</replaceable> [
+        <replaceable>protocol</replaceable> [ <replaceable>port</replaceable>
+        ] ] }</term>
+
+        <listitem>
+          <para>Added in Shorewall 4.5.8. This command closes a temporary open
+          created by the <command>open</command> command. In the first form,
+          an <replaceable>open-number</replaceable> specifies the open to be
+          closed. Open numbers are displayed in the <emphasis
+          role="bold">num</emphasis> column of the output of the
+          <command>shorewall-lite show opens </command>command.</para>
+
+          <para>When the second form of the command is used, the parameters
+          must match those given in the earlier <command>open</command>
+          command.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><emphasis role="bold">delete </emphasis>{
+        <replaceable>interface</replaceable>[:<replaceable>host-list</replaceable>]...
+        <replaceable>zone</replaceable> | <replaceable>zone</replaceable>
+        <replaceable>host-list</replaceable> }</term>

        <listitem>
          <para>The delete command reverses the effect of an earlier <emphasis
@@ -578,7 +769,9 @@
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">disable</emphasis></term>
+        <term><emphasis role="bold">disable </emphasis>{
+        <replaceable>interface</replaceable> |
+        <replaceable>provider</replaceable> }</term>

        <listitem>
          <para>Added in Shorewall 4.4.26. Disables the optional provider
@@ -590,7 +783,8 @@
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">drop</emphasis></term>
+        <term><emphasis role="bold">drop
+        </emphasis><replaceable>address</replaceable></term>

        <listitem>
          <para>Causes traffic from the listed <emphasis>address</emphasis>es
@@ -599,7 +793,9 @@
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">dump</emphasis></term>
+        <term><emphasis role="bold">dump </emphasis>[-<option>x</option>]
+        [-<option>l</option>] [-<option>m</option>]
+        [-<option>c</option>]</term>

        <listitem>
          <para>Produces a verbose report about the firewall configuration for
@@ -613,11 +809,16 @@

          <para>The <emphasis role="bold">-l</emphasis> option causes the rule
          number for each Netfilter rule to be displayed.</para>
+
+          <para>The <option>-c</option> option causes the route cache to be
+          dumped in addition to the other routing information.</para>
        </listitem>
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">enable</emphasis></term>
+        <term><emphasis role="bold">enable </emphasis>{
+        <replaceable>interface</replaceable> |
+        <replaceable>provider</replaceable> }</term>

        <listitem>
          <para>Added in Shorewall 4.4.26. Enables the optional provider
@@ -629,10 +830,11 @@
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">forget</emphasis></term>
+        <term><emphasis role="bold">forget </emphasis>[
+        <replaceable>filename</replaceable> ]</term>

        <listitem>
-          <para>Deletes /var/lib/shorewall-lite/<emphasis>filenam</emphasis>e
+          <para>Deletes /var/lib/shorewall-lite/<emphasis>filename</emphasis>
          and /var/lib/shorewall-lite/save. If no
          <emphasis>filename</emphasis> is given then the file specified by
          RESTOREFILE in <ulink
@@ -650,7 +852,8 @@
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">hits</emphasis></term>
+        <term><emphasis role="bold">hits </emphasis>
+        [-<option>t</option>]</term>

        <listitem>
          <para>Generates several reports from Shorewall-lite log messages in
@@ -660,7 +863,8 @@
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">ipcalc</emphasis></term>
+        <term><emphasis role="bold">ipcalc </emphasis>{ address mask |
+        address/vlsm }</term>

        <listitem>
          <para>Ipcalc displays the network address, broadcast address,
@@ -670,7 +874,8 @@
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">iprange</emphasis></term>
+        <term><emphasis role="bold">iprange
+        </emphasis><replaceable>address1</replaceable>-<replaceable>address2</replaceable></term>

        <listitem>
          <para>Iprange decomposes the specified range of IP addresses into
@@ -679,7 +884,8 @@
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">iptrace</emphasis></term>
+        <term><emphasis role="bold">iptrace </emphasis><replaceable>iptables
+        match expression</replaceable></term>

        <listitem>
          <para>This is a low-level debugging command that causes iptables
@@ -690,7 +896,7 @@
          and raw table PREROUTING chains.</para>

          <para>The trace records are written to the kernel's log buffer with
-          faciility = kernel and priority = warning, and they are routed from
+          facility = kernel and priority = warning, and they are routed from
          there by your logging daemon (syslogd, rsyslog, syslog-ng, ...) --
          Shorewall-lite has no control over where the messages go; consult
          your logging daemon's documentation.</para>
@@ -698,7 +904,17 @@
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">logdrop</emphasis></term>
+        <term><emphasis role="bold">list</emphasis></term>
+
+        <listitem>
+          <para><command>list</command> is a synonym for
+          <command>show</command> -- please see below.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><emphasis role="bold">logdrop
+        </emphasis><replaceable>address</replaceable></term>

        <listitem>
          <para>Causes traffic from the listed <emphasis>address</emphasis>es
@@ -709,7 +925,8 @@
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">logwatch</emphasis></term>
+        <term><emphasis role="bold">logwatch </emphasis>[-<option>m</option>]
+        [<replaceable>refresh-interval</replaceable>]</term>

        <listitem>
          <para>Monitors the log file specified by the LOGFILE option in
@@ -728,7 +945,8 @@
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">logreject</emphasis></term>
+        <term><emphasis role="bold">logreject
+        </emphasis><replaceable>address</replaceable></term>

        <listitem>
          <para>Causes traffic from the listed <emphasis>address</emphasis>es
@@ -739,7 +957,17 @@
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">noiptrace</emphasis></term>
+        <term><emphasis role="bold">ls</emphasis></term>
+
+        <listitem>
+          <para><command>ls</command> is a synonym for <command>show</command>
+          -- please see below.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><emphasis role="bold">noiptrace </emphasis><replaceable>iptables
+        match expression</replaceable></term>

        <listitem>
          <para>This is a low-level debugging command that cancels a trace
@@ -747,26 +975,83 @@

          <para>The <replaceable>iptables match expression</replaceable> must
          be one given in the <command>iptrace</command> command being
-          cancelled.</para>
+          canceled.</para>
        </listitem>
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">reset</emphasis></term>
+        <term><emphasis role="bold">open</emphasis>
+        <replaceable>source</replaceable> <replaceable>dest</replaceable> [
+        <replaceable>protocol</replaceable> [ <replaceable>port</replaceable>
+        ] ]</term>

        <listitem>
-          <para>All the packet and byte counters in the firewall are
-          reset.</para>
+          <para>Added in Shorewall 4.6.8. This command requires that the
+          firewall be in the started state and that DYNAMIC_BLACKLIST=Yes in
+          <ulink url="/manpages/shorewall.conf.html">shorewall.conf
+          (5)</ulink>. The effect of the command is to temporarily open the
+          firewall for connections matching the parameters.</para>
+
+          <para>The <replaceable>source</replaceable> and
+          <replaceable>dest</replaceable> parameters may each be specified as
+          <emphasis role="bold">all</emphasis> if you don't wish to restrict
+          the connection source or destination respectively. Otherwise, each
+          must contain a host or network address or a valid DNS name.</para>
+
+          <para>The <replaceable>protocol</replaceable> may be specified
+          either as a number or as a name listed in /etc/protocols. The
+          <replaceable>port</replaceable> may be specified numerically or as a
+          name listed in /etc/services.</para>
+
+          <para>To reverse the effect of a successful <command>open</command>
+          command, use the <command>close</command> command with the same
+          parameters or simply restart the firewall.</para>
+
+          <para>Example: To open the firewall for SSH connections to address
+          192.168.1.1, the command would be:</para>
+
+          <programlisting>    shorewall-lite open all 192.168.1.1 tcp 22</programlisting>
+
+          <para>To reverse that command, use:</para>
+
+          <screen>    shorewall-lite close all 192.168.1.1 tcp 22</screen>
        </listitem>
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">restart</emphasis></term>
+        <term><emphasis role="bold">reenable</emphasis>{
+        <replaceable>interface</replaceable> |
+        <replaceable>provider</replaceable> }</term>

        <listitem>
-          <para>Restart is similar to <emphasis role="bold">shorewall-lite
-          start</emphasis> except that it assumes that the firewall is already
-          started. Existing connections are maintained.</para>
+          <para>Added in Shorewall 4.6.9. This is equivalent to a
+          <command>disable</command> command followed by an
+          <command>enable</command> command on the specified
+          <replaceable>interface</replaceable> or
+          <replaceable>provider</replaceable>.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><emphasis role="bold">reject</emphasis><replaceable>
+        address</replaceable></term>
+
+        <listitem>
+          <para>Causes traffic from the listed <emphasis>address</emphasis>es
+          to be silently rejected.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><emphasis role="bold">reload </emphasis>[-n] [-p]
+        [-<option>C</option>]</term>
+
+        <listitem>
+          <para>Added in Shorewall 5.0.0, <emphasis
+          role="bold">reload</emphasis> is similar to <emphasis
+          role="bold">shorewall-lite start</emphasis> except that it assumes
+          that the firewall is already started. Existing connections are
+          maintained.</para>

          <para>The <option>-n</option> option causes Shorewall-lite to avoid
          updating the routing table(s).</para>
@@ -774,11 +1059,56 @@
          <para>The <option>-p</option> option causes the connection tracking
          table to be flushed; the <command>conntrack</command> utility must
          be installed to use this option.</para>
+
+          <para>The <option>-C</option> option was added in Shorewall 4.6.5.
+          If the specified (or implicit) firewall script is the one that
+          generated the current running configuration, then the running
+          netfilter configuration will be reloaded as is so as to preserve the
+          iptables packet and byte counters.</para>
        </listitem>
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">restore</emphasis></term>
+        <term><emphasis role="bold">reset [<replaceable>chain</replaceable>,
+        ...]</emphasis><acronym/></term>
+
+        <listitem>
+          <para>Resets the packet and byte counters in the specified
+          <replaceable>chain</replaceable>(s). If no
+          <replaceable>chain</replaceable> is specified, all the packet and
+          byte counters in the firewall are reset.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><emphasis role="bold">restart </emphasis>[-n] [-p]
+        [-<option>C</option>]</term>
+
+        <listitem>
+          <para>Beginning with Shorewall 5.0.0, this command performs a true
+          restart. The firewall is completely stopped as if a
+          <command>stop</command> command had been issued then it is started
+          again.</para>
+
+          <para>The <option>-n</option> option causes Shorewall-lite to avoid
+          updating the routing table(s).</para>
+
+          <para>The <option>-p</option> option causes the connection tracking
+          table to be flushed; the <command>conntrack</command> utility must
+          be installed to use this option.</para>
+
+          <para>The <option>-C</option> option was added in Shorewall 4.6.5.
+          If the specified (or implicit) firewall script is the one that
+          generated the current running configuration, then the running
+          netfilter configuration will be reloaded as is so as to preserve the
+          iptables packet and byte counters.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><emphasis role="bold">restore </emphasis>[-<option>n</option>]
+        [-<option>p</option>] [-<option>C</option>] [
+        <replaceable>filename</replaceable> ]</term>

        <listitem>
          <para>Restore Shorewall-lite to a state saved using the <emphasis
@@ -789,11 +1119,52 @@
          <emphasis>filename</emphasis> is given then Shorewall-lite will be
          restored from the file specified by the RESTOREFILE option in <ulink
          url="shorewall.conf.html">shorewall.conf</ulink>(5).</para>
+
+          <caution>
+            <para>If your iptables ruleset depends on variables that are
+            detected at run-time, either in your params file or by
+            Shorewall-generated code, <command>restore</command> will use the
+            values that were current when the ruleset was saved, which may be
+            different from the current values.</para>
+          </caution>
+
+          <para>The <option>-n</option> option causes Shorewall to avoid
+          updating the routing table(s).</para>
+
+          <para>The <option>-p</option> option, added in Shorewall 4.6.5,
+          causes the connection tracking table to be flushed; the
+          <command>conntrack</command> utility must be installed to use this
+          option.</para>
+
+          <para>The <option>-C</option> option was added in Shorewall 4.6.5.
+          If the <option>-C</option> option was specified during <emphasis
+          role="bold">shorewall save</emphasis>, then the counters saved by
+          that operation will be restored.</para>
        </listitem>
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">save</emphasis></term>
+        <term><emphasis role="bold">run
+        </emphasis><replaceable>command</replaceable> [
+        <replaceable>parameter</replaceable> ... ]</term>
+
+        <listitem>
+          <para>Added in Shorewall 4.6.3. Executes
+          <replaceable>command</replaceable> in the context of the generated
+          script passing the supplied <replaceable>parameter</replaceable>s.
+          Normally, the <replaceable>command</replaceable> will be a function
+          declared in <filename>lib.private</filename>.</para>
+
+          <para>Before executing the <replaceable>command</replaceable>, the
+          script will detect the configuration, setting all SW_* variables and
+          will run your <filename>init</filename> extension script with
+          $COMMAND = 'run'.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><emphasis role="bold">save </emphasis>[-<option>C</option>] [
+        <replaceable>filename</replaceable> ]</term>

        <listitem>
          <para>The dynamic blacklist is stored in
@@ -803,6 +1174,24 @@
          <emphasis>filename</emphasis> is not given then the state is saved
          in the file specified by the RESTOREFILE option in <ulink
          url="shorewall.conf.html">shorewall.conf</ulink>(5).</para>
+
+          <para>The <option>-C</option> option, added in Shorewall 4.6.5,
+          causes the iptables packet and byte counters to be saved along with
+          the chains and rules.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><emphasis role="bold">savesets</emphasis></term>
+
+        <listitem>
+          <para>Added in shorewall 4.6.8. Performs the same action as the
+          <command>stop</command> command with respect to saving ipsets (see
+          the SAVE_IPSETS option in <ulink
+          url="/manpages/shorewall.conf.html">shorewall.conf</ulink> (5)).
+          This command may be used to proactively save your ipset contents in
+          the event that a system failure occurs prior to issuing a
+          <command>stop</command> command.</para>
        </listitem>
      </varlistentry>

@@ -815,7 +1204,22 @@

          <variablelist>
            <varlistentry>
-              <term><emphasis role="bold">capabilities</emphasis></term>
+              <term><emphasis role="bold">bl|blacklists
+              </emphasis>[-<option>x</option>]</term>
+
+              <listitem>
+                <para>Added in Shorewall 4.6.2. Displays the dynamic chain
+                along with any chains produced by entries in
+                shorewall-blrules(5).The <emphasis role="bold">-x</emphasis>
+                option is passed directly through to iptables and causes
+                actual packet and byte counts to be displayed. Without this
+                option, those counts are abbreviated.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term>[-<option>f</option>] <emphasis
+              role="bold">capabilities</emphasis></term>

              <listitem>
                <para>Displays your kernel/iptables capabilities. The
@@ -826,8 +1230,10 @@
            </varlistentry>

            <varlistentry>
-              <term>[ [ <option>chain</option> ] <emphasis>chain</emphasis>...
-              ]</term>
+              <term>[-<option>b</option>] [-<option>x</option>]
+              [-<option>l</option>] [-<option>t</option>
+              {<option>filter</option>|<option>mangle</option>|<option>nat</option>|<option>raw</option>|<option>rawpost</option>}]
+              [ <emphasis>chain</emphasis>... ]</term>

              <listitem>
                <para>The rules in each <emphasis>chain</emphasis> are
@@ -875,16 +1281,42 @@
              <term><emphasis role="bold">config</emphasis></term>

              <listitem>
-                <para>Dispays distribution-specific defaults.</para>
+                <para>Displays distribution-specific defaults.</para>
              </listitem>
            </varlistentry>

            <varlistentry>
-              <term><emphasis role="bold">connections</emphasis></term>
+              <term><emphasis role="bold">connections
+              [<replaceable>filter_parameter</replaceable>
+              ...]</emphasis></term>

              <listitem>
                <para>Displays the IP connections currently being tracked by
                the firewall.</para>
+
+                <para>If the <command>conntrack</command> utility is
+                installed, beginning with Shorewall 4.6.11 the set of
+                connections displayed can be limited by including conntrack
+                filter parameters (-p , -s, --dport, etc). See conntrack(8)
+                for details.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis role="bold">event</emphasis><replaceable>
+              event</replaceable></term>
+
+              <listitem>
+                <para>Added in Shorewall 4.5.19. Displays the named
+                event.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis role="bold">events</emphasis></term>
+
+              <listitem>
+                <para>Added in Shorewall 4.5.19. Displays all events.</para>
              </listitem>
            </varlistentry>

@@ -908,7 +1340,8 @@
            </varlistentry>

            <varlistentry>
-              <term><emphasis role="bold">log</emphasis></term>
+              <term>[-<option>m</option>] <emphasis
+              role="bold">log</emphasis></term>

              <listitem>
                <para>Displays the last 20 Shorewall-lite messages from the
@@ -920,6 +1353,20 @@
              </listitem>
            </varlistentry>

+            <varlistentry>
+              <term>[-<option>x</option>] <emphasis
+              role="bold">mangle</emphasis></term>
+
+              <listitem>
+                <para>Displays the Netfilter mangle table using the command
+                <emphasis role="bold">iptables -t mangle -L -n -v</emphasis>.
+                The <emphasis role="bold">-x</emphasis> option is passed
+                directly through to iptables and causes actual packet and byte
+                counts to be displayed. Without this option, those counts are
+                abbreviated.</para>
+              </listitem>
+            </varlistentry>
+
            <varlistentry>
              <term><emphasis role="bold">marks</emphasis></term>

@@ -943,6 +1390,16 @@
              </listitem>
            </varlistentry>

+            <varlistentry>
+              <term><emphasis role="bold">opens</emphasis></term>
+
+              <listitem>
+                <para>Added in Shorewall 4.5.8. Displays the iptables rules in
+                the 'dynamic' chain created through use of the <command>open
+                </command>command..</para>
+              </listitem>
+            </varlistentry>
+
            <varlistentry>
              <term><emphasis role="bold">policies</emphasis></term>

@@ -959,7 +1416,9 @@
              <term><emphasis role="bold">routing</emphasis></term>

              <listitem>
-                <para>Displays the system's IPv4 routing configuration.</para>
+                <para>Displays the system's IPv4 routing configuration. The -c
+                option causes the route cache to be displayed in addition to
+                the other routing information.</para>
              </listitem>
            </varlistentry>

@@ -998,7 +1457,9 @@
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">start</emphasis></term>
+        <term><emphasis role="bold">start</emphasis> [-<option>p</option>]
+        [-<option>n</option>] [<option>-f</option>]
+        [-<option>C</option>]</term>

        <listitem>
          <para>Start Shorewall Lite. Existing connections through
@@ -1009,6 +1470,22 @@
          <para>The <option>-p</option> option causes the connection tracking
          table to be flushed; the <command>conntrack</command> utility must
          be installed to use this option.</para>
+
+          <para>The <option>-n</option> option prevents the firewall script
+          from modifying the current routing configuration.</para>
+
+          <para>The <option>-f</option> option was added in Shorewall 4.6.5.
+          If the RESTOREFILE named in <ulink
+          url="shorewall.conf.html">shorewall.conf</ulink>(5) exists, is
+          executable and is not older than the current filewall script, then
+          that saved configuration is restored.</para>
+
+          <para>The <option>-C</option> option was added in Shorewall 4.6.5
+          and is only meaningful when the <option>-f</option> option is also
+          specified. If the previously-saved configuration is restored, and if
+          the <option>-C</option> option was also specified in the <emphasis
+          role="bold">save</emphasis> command, then the packet and byte
+          counters will be restored.</para>
        </listitem>
      </varlistentry>

@@ -1040,6 +1517,10 @@
        <listitem>
          <para>Produces a short report about the state of the
          Shorewall-configured firewall.</para>
+
+          <para>The <option>-i </option>option was added in Shorewall 4.6.2
+          and causes the status of each optional or provider interface to be
+          displayed.</para>
        </listitem>
      </varlistentry>

@@ -1055,6 +1536,23 @@
    </variablelist>
  </refsect1>

+  <refsect1>
+    <title>EXIT STATUS</title>
+
+    <para>In general, when a command succeeds, status 0 is returned; when the
+    command fails, a non-zero status is returned.</para>
+
+    <para>The <command>status</command> command returns exit status as
+    follows:</para>
+
+    <para>0 - Firewall is started.</para>
+
+    <para>3 - Firewall is stopped or cleared</para>
+
+    <para>4 - Unknown state; usually means that the firewall has never been
+    started.</para>
+  </refsect1>
+
  <refsect1>
    <title>FILES</title>

--- a/Shorewall-lite/shorecap
+++ b/Shorewall-lite/shorecap
@@ -2,17 +2,18 @@
 #
 #     Shorewall Lite Packet Filtering Firewall Capabilities Detector
 #
-#     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
-#
-#     (c) 2006,2007,2008,2009,2010 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2006,2007,2008,2009,2010,2014 - Tom Eastep (teastep@shorewall.net)
 #
 #	This file should be placed in /sbin/shorewall.
 #
 #	Shorewall documentation is available at http://shorewall.sourceforge.net
 #
+#       This program is part of Shorewall.
+#
 #	This program is free software; you can redistribute it and/or modify
-#	it under the terms of Version 2 of the GNU General Public License
-#	as published by the Free Software Foundation.
+#	it under the terms of the GNU General Public License as published by the
+#       Free Software Foundation, either version 2 of the license or, at your
+#       option, any later version.
 #
 #	This program is distributed in the hope that it will be useful,
 #	but WITHOUT ANY WARRANTY; without even the implied warranty of
@@ -20,9 +21,7 @@
 #	GNU General Public License for more details.
 #
 #	You should have received a copy of the GNU General Public License
-#	along with this program; if not, write to the Free Software
-#	Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-#
+#	along with this program; if not, see <http://www.gnu.org/licenses/>.
 #
 #   This program may be used to create a /etc/shorewall/capabilities file for
 #   use in compiling Shorewall firewalls on another system.
@@ -39,7 +38,7 @@
 #
 #        IPTABLES - iptables
 #        MODULESDIR - /lib/modules/$(uname -r)/kernel/net/ipv4/netfilter
-#        MODULE_SUFFIX - "o gz ko o.gz ko.gz"
+#        MODULE_SUFFIX - "o gz xz ko o.gz o.xz ko.gz ko.xz"
 #
 #    Shorewall need not be installed on the target system to run shorecap. If the '-e' flag is
 #    used during firewall compilation, then the generated firewall program will likewise not
--- a/Shorewall-lite/shorewall-lite
+++ b/Shorewall-lite/shorewall-lite
@@ -2,16 +2,17 @@
 #
 #     Shorewall Lite Packet Filtering Firewall Control Program - V4.5
 #
-#     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
-#
-#     (c) 1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010,2011 -
+#     (c) 1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010,2011,2014 -
 #         Tom Eastep (teastep@shorewall.net)
 #
 #	Shorewall documentation is available at http://www.shorewall.net
 #
+#       This program is part of Shorewall.
+#
 #	This program is free software; you can redistribute it and/or modify
-#	it under the terms of Version 2 of the GNU General Public License
-#	as published by the Free Software Foundation.
+#	it under the terms of the GNU General Public License as published by the
+#       Free Software Foundation, either version 2 of the license or, at your
+#       option, any later version.
 #
 #	This program is distributed in the hope that it will be useful,
 #	but WITHOUT ANY WARRANTY; without even the implied warranty of
@@ -19,8 +20,7 @@
 #	GNU General Public License for more details.
 #
 #	You should have received a copy of the GNU General Public License
-#	along with this program; if not, write to the Free Software
-#	Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#	along with this program; if not, see <http://www.gnu.org/licenses/>.
 #
 #       For a list of supported commands, type 'shorewall help' or 'shorewall6 help'
 #
--- a/Shorewall-lite/shorewall-lite.conf
+++ b/Shorewall-lite/shorewall-lite.conf
@@ -1,5 +1,5 @@
 ###############################################################################
-#  /etc/shorewall-lite/shorewall-lite.conf Version 4 - Change the following
+#  /etc/shorewall-lite/shorewall-lite.conf Version 5 - Change the following
 #  variables to override the values in the shorewall.conf file used to
 #  compile /var/lib/shorewall-lite/firewall. Those values may be found in
 #  /var/lib/shorewall-lite/firewall.conf.
--- a/Shorewall-lite/shorewall-lite.service
+++ b/Shorewall-lite/shorewall-lite.service
@@ -1,20 +1,21 @@
 #
-#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V4.4
+#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall
 #
-#     Copyright 2011 Jonathan Underwood (jonathan.underwood@gmail.com)
+#     Copyright 2011 Jonathan Underwood <jonathan.underwood@gmail.com>
 #
 [Unit]
 Description=Shorewall IPv4 firewall (lite)
-After=syslog.target
-After=network.target
+Wants=network-online.target
+After=network-online.target
+Conflicts=iptables.service firewalld.service

 [Service]
 Type=oneshot
 RemainAfterExit=yes
 EnvironmentFile=-/etc/sysconfig/shorewall-lite
 StandardOutput=syslog
-ExecStart=/sbin/shorewall-lite $OPTIONS start
+ExecStart=/sbin/shorewall-lite $OPTIONS start $STARTOPTIONS
 ExecStop=/sbin/shorewall-lite $OPTIONS stop

 [Install]
-WantedBy=multi-user.target
+WantedBy=basic.target
--- a/Shorewall-lite/shorewall-lite.service.214
+++ b/Shorewall-lite/shorewall-lite.service.214
@@ -0,0 +1,21 @@
+#
+#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall
+#
+#     Copyright 2011 Jonathan Underwood <jonathan.underwood@gmail.com>
+#
+[Unit]
+Description=Shorewall IPv4 firewall (lite)
+Wants=network-online.target
+After=network-online.target
+Conflicts=iptables.service firewalld.service
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+EnvironmentFile=-/etc/sysconfig/shorewall-lite
+StandardOutput=syslog
+ExecStart=/sbin/shorewall-lite $OPTIONS start $STARTOPTIONS
+ExecStop=/sbin/shorewall-lite $OPTIONS stop
+
+[Install]
+WantedBy=basic.target
--- a/Shorewall-lite/shorewall-lite.service.debian
+++ b/Shorewall-lite/shorewall-lite.service.debian
@@ -0,0 +1,23 @@
+#
+#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall
+#
+#     Copyright 2011 Jonathan Underwood <jonathan.underwood@gmail.com>
+#     Copyright 2015 Tom Eastep <teastep@shorewall.net>
+#
+[Unit]
+Description=Shorewall IPv4 firewall (lite)
+Wants=network-online.target
+After=network-online.target
+Conflicts=iptables.service firewalld.service
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+EnvironmentFile=-/etc/default/shorewall-lite
+StandardOutput=syslog
+ExecStart=/sbin/shorewall-lite $OPTIONS start $STARTOPTIONS
+ExecStop=/sbin/shorewall-lite $OPTIONS stop
+ExecReload=/sbin/shorewall-lite $OPTIONS reload $RELOADOPTIONS
+
+[Install]
+WantedBy=basic.target
--- a/Shorewall-lite/uninstall.sh
+++ b/Shorewall-lite/uninstall.sh
@@ -2,24 +2,24 @@
 #
 # Script to back uninstall Shoreline Firewall
 #
-#     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
-#
-#     (c) 2000-2011 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2000-2011,2014 - Tom Eastep (teastep@shorewall.net)
 #
 #       Shorewall documentation is available at http://shorewall.sourceforge.net
 #
-#       This program is free software; you can redistribute it and/or modify
-#       it under the terms of Version 2 of the GNU General Public License
-#       as published by the Free Software Foundation.
+#       This program is part of Shorewall.
 #
-#       This program is distributed in the hope that it will be useful,
-#       but WITHOUT ANY WARRANTY; without even the implied warranty of
-#       MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-#       GNU General Public License for more details.
+#	This program is free software; you can redistribute it and/or modify
+#	it under the terms of the GNU General Public License as published by the
+#       Free Software Foundation, either version 2 of the license or, at your
+#       option, any later version.
 #
-#       You should have received a copy of the GNU General Public License
-#       along with this program; if not, write to the Free Software
-#       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#	This program is distributed in the hope that it will be useful,
+#	but WITHOUT ANY WARRANTY; without even the implied warranty of
+#	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+#	GNU General Public License for more details.
+#
+#	You should have received a copy of the GNU General Public License
+#	along with this program; if not, see <http://www.gnu.org/licenses/>.
 #
 #    Usage:
 #
@@ -27,14 +27,25 @@
 #       shown below. Simply run this script to remove Shorewall Firewall

 VERSION=xxx  #The Build script inserts the actual version
+PRODUCT=shorewall-lite

 usage() # $1 = exit status
 {
    ME=$(basename $0)
-    echo "usage: $ME [ <shorewallrc file> ]"
+    echo "usage: $ME [ <option> ] [ <shorewallrc file> ]"
+    echo "where <option> is one of"
+    echo "  -h"
+    echo "  -v"
+    echo "  -n"
    exit $1
 }

+fatal_error()
+{
+    echo "   ERROR: $@" >&2
+    exit 1
+}
+
 qt()
 {
    "$@" >/dev/null 2>&1
@@ -69,6 +80,42 @@ remove_file() # $1 = file to restore
    fi
 }

+finished=0
+configure=1
+
+while [ $finished -eq 0 ]; do
+    option=$1
+
+    case "$option" in
+	-*)
+	    option=${option#-}
+
+	    while [ -n "$option" ]; do
+		case $option in
+		    h)
+			usage 0
+			;;
+		    v)
+			echo "$Product Firewall Installer Version $VERSION"
+			exit 0
+			;;
+		    n*)
+			configure=0
+			option=${option#n}
+			;;
+		    *)
+			usage 1
+			;;
+		esac
+	    done
+
+	    shift
+	    ;;
+	*)
+	    finished=1
+	    ;;
+    esac
+done
 #
 # Read the RC file
 #
@@ -112,39 +159,49 @@ fi

 echo "Uninstalling Shorewall Lite $VERSION"

-if qt iptables -L shorewall -n && [ ! -f ${SBINDIR}/shorewall ]; then
-   shorewall-lite clear
+[ -n "$SANDBOX" ] && configure=0
+
+if [ $configure -eq 1 ]; then
+    if qt iptables -L shorewall -n && [ ! -f ${SBINDIR}/shorewall ]; then
+	shorewall-lite clear
+    fi
 fi

 if [ -L ${SHAREDIR}/shorewall-lite/init ]; then
    FIREWALL=$(readlink -m -q ${SHAREDIR}/shorewall-lite/init)
-elIF [ -n "$INITFILE" ]; then
+elif [ -n "$INITFILE" ]; then
    FIREWALL=${INITDIR}/${INITFILE}
 fi

 if [ -f "$FIREWALL" ]; then
-    if mywhich updaterc.d ; then
-	updaterc.d shorewall-lite remove
-    elif if mywhich insserv ; then
-        insserv -r $FIREWALL
-    elif [ mywhich chkconfig ; then
-	chkconfig --del $(basename $FIREWALL)
-    elif mywhich systemctl ; then
-	systemctl disable shorewall-lite
+    if [ $configure -eq 1 ]; then
+	if mywhich updaterc.d ; then
+	    updaterc.d shorewall-lite remove
+	elif mywhich insserv ; then
+            insserv -r $FIREWALL
+	elif mywhich chkconfig ; then
+	    chkconfig --del $(basename $FIREWALL)
+	fi
    fi

    remove_file $FIREWALL
 fi

+if [ -n "$SYSTEMD" ]; then
+    [ $configure -eq 1 ] && systemctl disable ${PRODUCT}
+    rm -f $SYSTEMD/shorewall-lite.service
+fi
+
 rm -f ${SBINDIR}/shorewall-lite

-rm -rf ${SBINDIR}/shorewall-lite
+rm -rf ${CONFDIR}/shorewall-lite
 rm -rf ${VARDIR}/shorewall-lite
 rm -rf ${SHAREDIR}/shorewall-lite
-rm -rf ${LIBEXEC}/shorewall-lite
+rm -rf ${LIBEXECDIR}/shorewall-lite
 rm -f  ${CONFDIR}/logrotate.d/shorewall-lite
-[ -n "$SYSTEMD" ] && rm -f  ${SYSTEMD}/shorewall-lite.service
+
+rm -f ${MANDIR}/man5/shorewall-lite*
+rm -f ${MANDIR}/man8/shorewall-lite*

 echo "Shorewall Lite Uninstalled"

-
--- a/Shorewall/INSTALL
+++ b/Shorewall/INSTALL
@@ -1,4 +1,4 @@
-Shoreline Firewall (Shorewall) Version 4
+Shoreline Firewall (Shorewall) Version 5
 -----         ----

 -----------------------------------------------------------------------------
--- a/Shorewall/Macros/macro.AMQP
+++ b/Shorewall/Macros/macro.AMQP
@@ -0,0 +1,12 @@
+#
+# Shorewall version 5 - AMQP Macro
+#
+# /usr/share/shorewall/macro.AMQP
+#
+#	This macro handles AMQP traffic.
+#
+###############################################################################
+#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
+#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
+PARAM	-	-	tcp	5672
+PARAM	-	-	udp	5672
--- a/Shorewall/Macros/macro.A_AllowICMPs
+++ b/Shorewall/Macros/macro.A_AllowICMPs
@@ -1,13 +1,13 @@
 #
-# Shorewall version 4 - Audited AllowICMPs Macro
+# Shorewall version 5 - Audited AllowICMPs Macro
 #
-# /usr/share/shorewall/macro.AAllowICMPs
+# /usr/share/shorewall/macro.A_AllowICMPs
 #
 #	This macro A_ACCEPTs needed ICMP types
 #
 ###############################################################################
-#ACTION		SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
-#					PORT(S)	PORT(S)	LIMIT	GROUP
+#ACTION		SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
+#					PORT(S)	PORT(S)	DEST	LIMIT	GROUP

 ?COMMENT Needed ICMP types

--- a/Shorewall/Macros/macro.A_DropDNSrep
+++ b/Shorewall/Macros/macro.A_DropDNSrep
@@ -1,13 +1,13 @@
 #
-# Shorewall version 4 - Audited DropDNSrep Macro
+# Shorewall version 5 - Audited DropDNSrep Macro
 #
-# /usr/share/shorewall/macro.ADropDNSrep
+# /usr/share/shorewall/macro.A_DropDNSrep
 #
 #	This macro silently audites and drops DNS UDP replies
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
-#				PORT(S)	PORT(S)	LIMIT	GROUP
+#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
+#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP

 ?COMMENT Late DNS Replies

--- a/Shorewall/Macros/macro.A_DropUPnP
+++ b/Shorewall/Macros/macro.A_DropUPnP
@@ -1,13 +1,13 @@
 #
-# Shorewall version 4 - ADropUPnP Macro
+# Shorewall version 5 - ADropUPnP Macro
 #
-# /usr/share/shorewall/macro.ADropUPnP
+# /usr/share/shorewall/macro.A_DropUPnP
 #
 #	This macro silently drops UPnP probes on UDP port 1900
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
-#				PORT(S)	PORT(S)	LIMIT	GROUP
+#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
+#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP

 ?COMMENT UPnP

--- a/Shorewall/Macros/macro.ActiveDir
+++ b/Shorewall/Macros/macro.ActiveDir
@@ -1,5 +1,5 @@
 #
-# Shorewall version 4 - Samba 4 Macro
+# Shorewall version 5 - Samba 4 Macro
 #
 # /usr/share/shorewall/macro.ActiveDir
 #
@@ -7,10 +7,10 @@
 #
 # You can comment out the ports you do not want open
 #
-# 
+#
 ###############################################################################
-#ACTION SOURCE  DEST    PROTO   DEST    SOURCE  RATE    USER/
-#                               PORT(S) PORT(S) LIMIT   GROUP
+#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
+#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
 PARAM   -       -       tcp     389 	#LDAP services
 PARAM   -       -       udp	389  
 PARAM   -       -       tcp     636	#LDAP SSL
--- a/Shorewall/Macros/macro.AllowICMPs
+++ b/Shorewall/Macros/macro.AllowICMPs
@@ -1,13 +1,13 @@
 #
-# Shorewall version 4 - AllowICMPs Macro
+# Shorewall version 5 - AllowICMPs Macro
 #
 # /usr/share/shorewall/macro.AllowICMPs
 #
 #	This macro ACCEPTs needed ICMP types
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
-#				PORT(S)	PORT(S)	LIMIT	GROUP
+#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
+#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP

 ?COMMENT Needed ICMP types

--- a/Shorewall/Macros/macro.Amanda
+++ b/Shorewall/Macros/macro.Amanda
@@ -1,5 +1,5 @@
 #
-# Shorewall version 4 - Amanda Macro
+# Shorewall version 5 - Amanda Macro
 #
 # /usr/share/shorewall/macro.Amanda
 #
@@ -8,12 +8,11 @@
 #	files from those nodes.
 #
 ###############################################################################
-?FORMAT 2
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
-#				PORT(S)	PORT(S)	LIMIT	GROUP
+#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
+#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP

 ?if ( __CT_TARGET && ! $AUTOHELPERS && __AMANDA_HELPER )
- PARAM	-	-	udp	10080 ; helper=amanda
+ PARAM	-	-	udp	10080 { helper=amanda }
 ?else
 PARAM	-	-	udp	10080
 ?endif
--- a/Shorewall/Macros/macro.Auth
+++ b/Shorewall/Macros/macro.Auth
@@ -1,11 +1,11 @@
 #
-# Shorewall version 4 - Auth Macro
+# Shorewall version 5 - Auth Macro
 #
 # /usr/share/shorewall/macro.Auth
 #
 #	This macro handles Auth (identd) traffic.
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
-#				PORT(S)	PORT(S)	LIMIT	GROUP
+#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
+#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
 PARAM	-	-	tcp	113
--- a/Shorewall/Macros/macro.BGP
+++ b/Shorewall/Macros/macro.BGP
@@ -1,11 +1,11 @@
 #
-# Shorewall version 4 - BGP Macro
+# Shorewall version 5 - BGP Macro
 #
 # /usr/share/shorewall/macro.BGP
 #
 #	This macro handles BGP4 traffic.
 #
 ###############################################################################
-#ACTION SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
-#				PORT(S) PORT(S) LIMIT	GROUP
+#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
+#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
 PARAM	-	-	tcp	179	# BGP4
--- a/Shorewall/Macros/macro.BLACKLIST
+++ b/Shorewall/Macros/macro.BLACKLIST
@@ -1,13 +1,13 @@
 #
-# Shorewall version 4 - blacklist Macro
+# Shorewall version 5 - blacklist Macro
 #
 # /usr/share/shorewall/macro.blacklist
 #
 #	This macro handles blacklisting using BLACKLIST_DISPOSITION and BLACKLIST_LOGLEVEL
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
-#				PORT(S)	PORT(S)	LIMIT	GROUP
+#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
+#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
 ?if $BLACKLIST_LOGLEVEL
 blacklog
 ?else
--- a/Shorewall/Macros/macro.BitTorrent
+++ b/Shorewall/Macros/macro.BitTorrent
@@ -1,5 +1,5 @@
 #
-# Shorewall version 4 - BitTorrent Macro
+# Shorewall version 5 - BitTorrent Macro
 #
 # /usr/share/shorewall/macro.BitTorrent
 #
@@ -7,9 +7,10 @@
 #
 #	If you are running BitTorrent 3.2 or later, you should use the
 #	BitTorrent32 macro.
+#
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
-#				PORT(S)	PORT(S)	LIMIT	GROUP
+#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
+#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
 PARAM	-	-	tcp	6881:6889
 #
 # It may also be necessary to allow UDP traffic:
--- a/Shorewall/Macros/macro.BitTorrent32
+++ b/Shorewall/Macros/macro.BitTorrent32
@@ -1,13 +1,13 @@
 #
-# Shorewall version 4 - BitTorrent 3.2 Macro
+# Shorewall version 5 - BitTorrent 3.2 Macro
 #
 # /usr/share/shorewall/macro.BitTorrent32
 #
 #	This macro handles BitTorrent traffic for BitTorrent 3.2 and later.
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
-#				PORT(S)	PORT(S)	LIMIT	GROUP
+#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
+#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
 PARAM	-	-	tcp	6881:6999
 #
 # It may also be necessary to allow UDP traffic:
--- a/Shorewall/Macros/macro.CVS
+++ b/Shorewall/Macros/macro.CVS
@@ -1,11 +1,11 @@
 #
-# Shorewall version 4 - CVS Macro
+# Shorewall version 5 - CVS Macro
 #
 # /usr/share/shorewall/macro.CVS
 #
 #	This macro handles connections to the CVS pserver.
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
-#				PORT(S)	PORT(S)	LIMIT	GROUP
+#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
+#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
 PARAM	-	-	tcp	2401
--- a/Shorewall/Macros/macro.Citrix
+++ b/Shorewall/Macros/macro.Citrix
@@ -1,14 +1,14 @@
 #
-# Shorewall version 4 - Citrix/ICA Macro
+# Shorewall version 5 - Citrix/ICA Macro
 #
 # /usr/share/shorewall/macro.Citrix
 #
 #	This macro handles Citrix/ICA traffic (ICA, ICA Browser, CGP a.k.a.
 #	ICA Session Reliability)
 #
-####################################################################################
-#ACTION SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
-#				PORT(S) PORT(S) LIMIT	GROUP
+###############################################################################
+#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
+#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
 PARAM	-	-	tcp	1494	# ICA
 PARAM	-	-	udp	1604	# ICA Browser
 PARAM	-	-	tcp	2598	# CGP Session Reliabilty
--- a/Shorewall/Macros/macro.DAAP
+++ b/Shorewall/Macros/macro.DAAP
@@ -1,5 +1,5 @@
 #
-# Shorewall version 4 - DAAP Macro
+# Shorewall version 5 - DAAP Macro
 #
 # /usr/share/shorewall/macro.DAAP
 #
@@ -7,7 +7,7 @@
 #	The protocol is used by iTunes, Rythmbox and other similar daemons.
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
-#				PORT(S)	PORT(S)	LIMIT	GROUP
+#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
+#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
 PARAM	-	-	tcp	3689
 PARAM	-	-	udp	3689
--- a/Shorewall/Macros/macro.DCC
+++ b/Shorewall/Macros/macro.DCC
@@ -1,5 +1,5 @@
 #
-# Shorewall version 4 - DCC Macro
+# Shorewall version 5 - DCC Macro
 #
 # /usr/share/shorewall/macro.DCC
 #
@@ -7,6 +7,6 @@
 #	DCC is a distributed spam filtering mechanism.
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
-#				PORT(S)	PORT(S)	LIMIT	GROUP
-PARAM	-	-	tcp	6277
+#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
+#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
+PARAM	-	-	udp	6277
--- a/Shorewall/Macros/macro.DHCPfwd
+++ b/Shorewall/Macros/macro.DHCPfwd
@@ -1,12 +1,12 @@
 #
-# Shorewall version 4 - DHCPfwd Macro
+# Shorewall version 5 - DHCPfwd Macro
 #
 # /usr/share/shorewall/macro.DHCPfwd
 #
 #	This macro (bidirectional) handles forwarded DHCP traffic
 #
 ###############################################################################
-#ACTION SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
-#				PORT(S) PORT(S) LIMIT	GROUP
+#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
+#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
 PARAM	-	-	udp	67:68	67:68	# DHCP
 PARAM	DEST	SOURCE	udp	67:68	67:68	# DHCP
--- a/Shorewall/Macros/macro.DNS
+++ b/Shorewall/Macros/macro.DNS
@@ -1,12 +1,12 @@
 #
-# Shorewall version 4 - DNS Macro
+# Shorewall version 5 - DNS Macro
 #
 # /usr/share/shorewall/macro.DNS
 #
 #	This macro handles DNS traffic.
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
-#				PORT(S)	PORT(S)	LIMIT	GROUP
+#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
+#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
 PARAM	-	-	udp	53
 PARAM	-	-	tcp	53
--- a/Shorewall/Macros/macro.Distcc
+++ b/Shorewall/Macros/macro.Distcc
@@ -1,11 +1,11 @@
 #
-# Shorewall version 4 - Distcc Macro
+# Shorewall version 5 - Distcc Macro
 #
 # /usr/share/shorewall/macro.Distcc
 #
 #	This macro handles connections to the Distributed Compiler service.
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
-#				PORT(S)	PORT(S)	LIMIT	GROUP
+#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
+#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
 PARAM	-	-	tcp	3632
--- a/Shorewall/Macros/macro.Drop
+++ b/Shorewall/Macros/macro.Drop
@@ -1,5 +1,5 @@
 #
-# Shorewall version 4 - Drop Macro
+# Shorewall version 5 - Drop Macro
 #
 # /usr/share/shorewall/macro.Drop
 #
@@ -11,12 +11,12 @@
 #		Drop	net	all
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
-#				PORT(S)	PORT(S)	LIMIT	GROUP
+#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
+#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
 #
-# Don't log 'auth' REJECT
+# Don't log 'auth' DROP
 #
-REJECT	-	-	tcp	113
+DROP	-	-	tcp	113
 #
 # Drop Broadcasts so they don't clutter up the log
 # (broadcasts must *not* be rejected).
--- a/Shorewall/Macros/macro.DropDNSrep
+++ b/Shorewall/Macros/macro.DropDNSrep
@@ -1,13 +1,13 @@
 #
-# Shorewall version 4 - DropDNSrep Macro
+# Shorewall version 5 - DropDNSrep Macro
 #
 # /usr/share/shorewall/macro.DropDNSrep
 #
 #	This macro silently drops DNS UDP replies
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
-#				PORT(S)	PORT(S)	LIMIT	GROUP
+#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
+#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP

 ?COMMENT Late DNS Replies

--- a/Shorewall/Macros/macro.DropUPnP
+++ b/Shorewall/Macros/macro.DropUPnP
@@ -1,13 +1,13 @@
 #
-# Shorewall version 4 - DropUPnP Macro
+# Shorewall version 5 - DropUPnP Macro
 #
 # /usr/share/shorewall/macro.DropUPnP
 #
 #	This macro silently drops UPnP probes on UDP port 1900
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
-#				PORT(S)	PORT(S)	LIMIT	GROUP
+#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
+#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP

 ?COMMENT UPnP

--- a/Shorewall/Macros/macro.Edonkey
+++ b/Shorewall/Macros/macro.Edonkey
@@ -1,5 +1,5 @@
 #
-# Shorewall version 4 - Edonkey Macro
+# Shorewall version 5 - Edonkey Macro
 #
 # /usr/share/shorewall/macro.Edonkey
 #
@@ -28,7 +28,7 @@
 #	applications such as aMule WebServer or aMuleCMD.
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
-#				PORT(S)	PORT(S)	LIMIT	GROUP
+#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
+#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
 PARAM	-	-	tcp	4662
 PARAM	-	-	udp	4665
--- a/Shorewall/Macros/macro.FTP
+++ b/Shorewall/Macros/macro.FTP
@@ -1,16 +1,15 @@
 #
-# Shorewall version 4 - FTP Macro
+# Shorewall version 5 - FTP Macro
 #
 # /usr/share/shorewall/macro.FTP
 #
 #	This macro handles FTP traffic.
 #
 ###############################################################################
-?FORMAT 2
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
-#				PORT(S)	PORT(S)	LIMIT	GROUP
+#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
+#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
 ?if ( __CT_TARGET && ! $AUTOHELPERS && __FTP_HELPER  )
- PARAM	-	-	tcp	21 ; helper=ftp
+ PARAM	-	-	tcp	21 { helper=ftp }
 ?else
 PARAM	-	-	tcp	21
 ?endif
--- a/Shorewall/Macros/macro.Finger
+++ b/Shorewall/Macros/macro.Finger
@@ -1,5 +1,5 @@
 #
-# Shorewall version 4 - Finger Macro
+# Shorewall version 5 - Finger Macro
 #
 # /usr/share/shorewall/macro.Finger
 #
@@ -7,6 +7,6 @@
 #	your finger information to internet.
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
-#				PORT(S)	PORT(S)	LIMIT	GROUP
+#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
+#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
 PARAM	-	-	tcp	79
--- a/Shorewall/Macros/macro.GNUnet
+++ b/Shorewall/Macros/macro.GNUnet
@@ -1,13 +1,13 @@
 #
-# Shorewall version 4 - GNUnet Macro
+# Shorewall version 5 - GNUnet Macro
 #
 # /usr/share/shorewall/macro.GNUnet
 #
 #	This macro handles GNUnet (secure peer-to-peer networking) traffic.
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
-#				PORT(S)	PORT(S)	LIMIT	GROUP
+#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
+#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
 PARAM	-	-	tcp	2086
 PARAM	-	-	udp	2086
 PARAM	-	-	tcp	1080
--- a/Shorewall/Macros/macro.GRE
+++ b/Shorewall/Macros/macro.GRE
@@ -1,5 +1,5 @@
 #
-# Shorewall version 4 - GRE Macro
+# Shorewall version 5 - GRE Macro
 #
 # /usr/share/shorewall/macro.GRE
 #
@@ -7,7 +7,7 @@
 #	traffic (RFC 1701)
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
-#				PORT(S)	PORT(S)	LIMIT	GROUP
+#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
+#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
 PARAM	-	-	47	# GRE
 PARAM	DEST	SOURCE	47	# GRE
--- a/Shorewall/Macros/macro.Git
+++ b/Shorewall/Macros/macro.Git
@@ -1,11 +1,11 @@
 #
-# Shorewall version 4 - Git Macro
+# Shorewall version 5 - Git Macro
 #
 # /usr/share/shorewall/macro.Git
 #
 #	This macro handles Git traffic.
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
-#				PORT(S)	PORT(S)	LIMIT	GROUP
+#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
+#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
 PARAM	-	-	tcp	9418
--- a/Shorewall/Macros/macro.Gnutella
+++ b/Shorewall/Macros/macro.Gnutella
@@ -1,12 +1,12 @@
 #
-# Shorewall version 4 - Gnutella Macro
+# Shorewall version 5 - Gnutella Macro
 #
 # /usr/share/shorewall/macro.Gnutella
 #
 #	This macro handles Gnutella traffic.
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
-#				PORT(S)	PORT(S)	LIMIT	GROUP
+#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
+#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
 PARAM	-	-	tcp	6346
 PARAM	-	-	udp	6346
--- a/Shorewall/Macros/macro.Goto-Meeting
+++ b/Shorewall/Macros/macro.Goto-Meeting
@@ -0,0 +1,12 @@
+#
+# Shorewall version 5 - Citrix/Goto Meeting macro
+#
+# /usr/share/shorewall/macro.Goto-Meeting
+#          by Eric Teeter
+#       This macro handles Citrix/Goto Meeting
+#       Assumes that ports 80 and 443 are already open
+#       If needed, use the macros that open Http and Https to reduce redundancy
+####################################################################################
+#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
+#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
+PARAM      -    -       tcp     8200    # Goto Meeting only needed (TCP outbound)
--- a/Shorewall/Macros/macro.HKP
+++ b/Shorewall/Macros/macro.HKP
@@ -1,11 +1,11 @@
 #
-# Shorewall version 4 - HKP Macro
+# Shorewall version 5 - HKP Macro
 #
 # /usr/share/shorewall/macro.HKP
 #
 #	This macro handles OpenPGP HTTP keyserver protocol traffic.
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
-#				PORT(S)	PORT(S)	LIMIT	GROUP
+#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
+#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
 PARAM	-	-	tcp	11371
--- a/Shorewall/Macros/macro.HTTP
+++ b/Shorewall/Macros/macro.HTTP
@@ -1,11 +1,11 @@
 #
-# Shorewall version 4 - HTTP Macro
+# Shorewall version 5 - HTTP Macro
 #
 # /usr/share/shorewall/macro.HTTP
 #
 #	This macro handles plaintext HTTP (WWW) traffic.
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
-#				PORT(S)	PORT(S)	LIMIT	GROUP
+#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
+#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
 PARAM	-	-	tcp	80
--- a/Shorewall/Macros/macro.HTTPS
+++ b/Shorewall/Macros/macro.HTTPS
@@ -1,11 +1,11 @@
 #
-# Shorewall version 4 - HTTPS Macro
+# Shorewall version 5 - HTTPS Macro
 #
 # /usr/share/shorewall/macro.HTTPS
 #
 #	This macro handles HTTPS (WWW over SSL) traffic.
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
-#				PORT(S)	PORT(S)	LIMIT	GROUP
+#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
+#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
 PARAM	-	-	tcp	443
--- a/Shorewall/Macros/macro.ICPV2
+++ b/Shorewall/Macros/macro.ICPV2
@@ -1,11 +1,11 @@
 #
-# Shorewall version 4 - ICPV2 Macro
+# Shorewall version 5 - ICPV2 Macro
 #
 # /usr/share/shorewall/macro.ICPV2
 #
 #	This macro handles Internet Cache Protocol V2 (Squid) traffic
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
-#				PORT(S)	PORT(S)	LIMIT	GROUP
+#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
+#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
 PARAM	-	-	udp	3130
--- a/Shorewall/Macros/macro.ICQ
+++ b/Shorewall/Macros/macro.ICQ
@@ -1,11 +1,11 @@
 #
-# Shorewall version 4 - ICQ Macro
+# Shorewall version 5 - ICQ Macro
 #
 # /usr/share/shorewall/macro.ICQ
 #
 #	This macro handles ICQ, now called AOL Instant Messenger (or AIM).
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
-#				PORT(S)	PORT(S)	LIMIT	GROUP
+#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
+#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
 PARAM	-	-	tcp	5190
--- a/Shorewall/Macros/macro.ILO
+++ b/Shorewall/Macros/macro.ILO
@@ -0,0 +1,21 @@
+#
+# Shorewall version 5 - ILO Macro
+#
+# /usr/share/shorewall/macro.ILO
+#
+#	This macro handles console redirection with HP ILO 2+,
+#	Use this macro to open access to your ILO interface from management
+#	workstations.
+#
+###############################################################################
+#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
+#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
+PARAM	-	-	tcp	3002		# Raw serial data
+PARAM	-	-	tcp	9300		# Shared Remote Console
+PARAM	-	-	tcp	17988		# Virtual Media
+PARAM	-	-	tcp	17990		# Console Replay
+HTTP
+HTTPS
+RDP
+SSH
+Telnet						# Remote Console/Telnet
--- a/Shorewall/Macros/macro.IMAP
+++ b/Shorewall/Macros/macro.IMAP
@@ -1,5 +1,5 @@
 #
-# Shorewall version 4 - IMAP Macro
+# Shorewall version 5 - IMAP Macro
 #
 # /usr/share/shorewall/macro.IMAP
 #
@@ -7,6 +7,6 @@
 #	see macro.IMAPS.
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
-#				PORT(S)	PORT(S)	LIMIT	GROUP
+#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
+#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
 PARAM	-	-	tcp	143
--- a/Shorewall/Macros/macro.IMAPS
+++ b/Shorewall/Macros/macro.IMAPS
@@ -1,5 +1,5 @@
 #
-# Shorewall version 4 - IMAPS Macro
+# Shorewall version 5 - IMAPS Macro
 #
 # /usr/share/shorewall/macro.IMAPS
 #
@@ -7,6 +7,6 @@
 #	(not recommended), see macro.IMAP.
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
-#				PORT(S)	PORT(S)	LIMIT	GROUP
+#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
+#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
 PARAM	-	-	tcp	993
--- a/Shorewall/Macros/macro.IPIP
+++ b/Shorewall/Macros/macro.IPIP
@@ -1,12 +1,12 @@
 #
-# Shorewall version 4 - IPIP Macro
+# Shorewall version 5 - IPIP Macro
 #
 # /usr/share/shorewall/macro.IPIP
 #
 #	This macro (bidirectional) handles IPIP capsulation traffic
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
-#				PORT(S)	PORT(S)	LIMIT	GROUP
+#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
+#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
 PARAM	-	-	94	# IPIP
 PARAM	DEST	SOURCE	94	# IPIP
--- a/Shorewall/Macros/macro.IPMI
+++ b/Shorewall/Macros/macro.IPMI
@@ -0,0 +1,24 @@
+#
+# Shorewall version 5 - IPMI Macro
+#
+# /usr/share/shorewall/macro.IPMI
+#
+#	This macro handles IPMI console redirection with Asus (AMI),
+#	Dell DRAC5+ (Avocent), and Supermicro (Aten or AMI).
+#	Use this macro to open access to your IPMI interface from management
+#	workstations.
+#
+###############################################################################
+#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
+#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
+PARAM	-	-	tcp	623		# RMCP
+PARAM	-	-	tcp	3668,3669	# Virtual Media, Secure (Dell)
+PARAM	-	-	tcp	5120,5123	# CD, floppy (Asus, Aten)
+PARAM	-	-	tcp	5900,5901	# Remote Console (Aten, Dell)
+PARAM	-	-	tcp	7578		# Remote Console (AMI)
+PARAM	-	-	udp	623		# RMCP
+HTTP
+HTTPS
+SNMP
+SSH						# Serial over Lan
+Telnet
--- a/Shorewall/Macros/macro.IPP
+++ b/Shorewall/Macros/macro.IPP
@@ -6,6 +6,6 @@
 #	This macro handles Internet Printing Protocol (IPP).
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
-#				PORT(S)	PORT(S)	LIMIT	GROUP
+#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
+#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
 PARAM	-	-	tcp	631
--- a/Shorewall/Macros/macro.IPPbrd
+++ b/Shorewall/Macros/macro.IPPbrd
@@ -1,12 +1,13 @@
 #
-# Shorewall version 4 - IPP Broadcast Macro
+# Shorewall version 5 - IPP Broadcast Macro
 #
 # /usr/share/shorewall/macro.IPPbrd
 #
 #	This macro handles Internet Printing Protocol (IPP) broadcasts.
 #       If you also need to handle TCP 631 connections in the opposite
 #       direction, use the IPPserver Macro
+#
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
-#				PORT(S)	PORT(S)	LIMIT	GROUP
+#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
+#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
 PARAM	-	-	udp	631
--- a/Shorewall/Macros/macro.IPPserver
+++ b/Shorewall/Macros/macro.IPPserver
@@ -1,5 +1,5 @@
 #
-# Shorewall version 4 - IPPserver Macro
+# Shorewall version 5 - IPPserver Macro
 #
 # /usr/share/shorewall/macro.IPPserver
 #
@@ -23,7 +23,7 @@
 #		IPPserver/ACCEPT $FW loc
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
-#				PORT(S)	PORT(S)	LIMIT	GROUP
+#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
+#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
 PARAM	SOURCE	DEST	tcp	631
 PARAM	DEST	SOURCE	udp	631
--- a/Shorewall/Macros/macro.IPsec
+++ b/Shorewall/Macros/macro.IPsec
@@ -1,13 +1,13 @@
 #
-# Shorewall version 4 - IPsec Macro
+# Shorewall version 5 - IPsec Macro
 #
 # /usr/share/shorewall/macro.IPsec
 #
 #	This macro (bidirectional) handles IPsec traffic
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
-#				PORT(S)	PORT(S)	LIMIT	GROUP
+#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
+#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
 PARAM	-	-	udp	500	500	# IKE
 PARAM	-	-	50			# ESP
 PARAM	DEST	SOURCE	udp	500	500	# IKE
--- a/Shorewall/Macros/macro.IPsecah
+++ b/Shorewall/Macros/macro.IPsecah
@@ -1,5 +1,5 @@
 #
-# Shorewall version 4 - IPsecah Macro
+# Shorewall version 5 - IPsecah Macro
 #
 # /usr/share/shorewall/macro.IPsecah
 #
@@ -7,8 +7,8 @@
 #       This is insecure. You should use ESP with encryption for security.
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
-#				PORT(S)	PORT(S)	LIMIT	GROUP
+#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
+#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
 PARAM	-	-	udp	500	500	# IKE
 PARAM	-	-	51			# AH
 PARAM	DEST	SOURCE	udp	500	500	# IKE
--- a/Shorewall/Macros/macro.IPsecnat
+++ b/Shorewall/Macros/macro.IPsecnat
@@ -1,13 +1,13 @@
 #
-# Shorewall version 4 - IPsecnat Macro
+# Shorewall version 5 - IPsecnat Macro
 #
 # /usr/share/shorewall/macro.IPsecnat
 #
 #	This macro (bidirectional) handles IPsec traffic and Nat-Traversal
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
-#				PORT(S)	PORT(S)	LIMIT	GROUP
+#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
+#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
 PARAM	-	-	udp	500	# IKE
 PARAM	-	-	udp	4500	# NAT-T
 PARAM	-	-	50		# ESP
--- a/Shorewall/Macros/macro.IRC
+++ b/Shorewall/Macros/macro.IRC
@@ -1,17 +1,16 @@
 #
-# Shorewall version 4 IRC Macro
+# Shorewall version 5 IRC Macro
 #
 # /usr/share/shorewall/macro.IRC
 #
 #	This macro handles IRC traffic (Internet Relay Chat).
 #
 ###############################################################################
-?FORMAT 2
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
-#				PORT(S)	PORT(S)	LIMIT	GROUP
+#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
+#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP

 ?if ( __CT_TARGET && ! $AUTOHELPERS && __IRC_HELPER  )
- PARAM	-	-	tcp	6667 ; helper=irc
+ PARAM	-	-	tcp	6667 { helper=irc }
 ?else
 PARAM	-	-	tcp	6667
 ?endif
--- a/Shorewall/Macros/macro.JAP
+++ b/Shorewall/Macros/macro.JAP
@@ -1,5 +1,5 @@
 #
-# Shorewall version 4 - JAP Macro
+# Shorewall version 5 - JAP Macro
 #
 # /usr/share/shorewall/macro.JAP
 #
@@ -8,8 +8,8 @@
 #	to browse anonymously!
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
-#				PORT(S)	PORT(S)	LIMIT	GROUP
+#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
+#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
 PARAM	-	-	tcp	8080 # HTTP port
 PARAM	-	-	tcp	6544 # HTTP port
 PARAM	-	-	tcp	6543 # InfoService port
--- a/Shorewall/Macros/macro.Jabber
+++ b/Shorewall/Macros/macro.Jabber
@@ -0,0 +1,11 @@
+#
+# Shorewall version 5 - Jabber Macro
+#
+# /usr/share/shorewall/macro.Jabber
+#
+#	This macro accepts Jabber traffic.
+#
+###############################################################################
+#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
+#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
+PARAM	-	-	tcp	5222
--- a/Shorewall/Macros/macro.JabberPlain
+++ b/Shorewall/Macros/macro.JabberPlain
@@ -1,11 +1,12 @@
 #
-# Shorewall version 3.4 - JabberPlain Macro
+# Shorewall version 5 - JabberPlain Macro
 #
 # /usr/share/shorewall/macro.JabberPlain
 #
-#	This macro accepts Jabber traffic (plaintext).
+#	This macro accepts Jabber traffic (plaintext). This macro is
+#	deprecated - use of macro.Jabber instead is recommended.
 #
 ###############################################################################
-#TARGET	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
-#				PORT(S)	PORT(S)	LIMIT	GROUP
-PARAM	-	-	tcp	5222
+#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
+#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
+Jabber
--- a/Show More
+++ b/Show More