Add some decimal->hex convertions in routing rules.

Signed-off-by: Tom Eastep <teastep@shorewall.net>
Deprecate the current TPROXY implementation.
2012-05-10 11:11:15 -07:00 · 2012-05-10 11:02:08 -07:00 · 2012-05-10 07:29:59 -07:00
276 changed files with 6939 additions and 22028 deletions
--- a/Shorewall-core/configure
+++ b/Shorewall-core/configure
@@ -76,11 +76,14 @@ for p in $@; do
 		    pn=HOST
 		    ;;
 		SHAREDSTATEDIR)
-		    pn=VARLIB
+		    pn=VARDIR
 		    ;;
 		DATADIR)
 		    pn=SHAREDIR
 		    ;;
+		SYSCONFDIR)
+		    pn=CONFDIR
+		    ;;
 	    esac

 	    params[${pn}]="${pv}"
@@ -129,7 +132,7 @@ if [ -z "$vendor" ]; then

    vendor=${params[HOST]}
 elif [ $vendor = linux ]; then
-    rcfile=shorewallrc.default;
+    rcfile=$shorewallrc.default;
 else
    rcfile=shorewallrc.$vendor
    if [ ! -f $rcfile ]; then
@@ -161,17 +164,6 @@ if [ $# -gt 0 ]; then
    echo '#'           >> shorewallrc
 fi

-if [ -n "${options[VARLIB]}" ]; then
-    if [ -z "${options[VARDIR]}" ]; then
-	options[VARDIR]='${VARLIB}/${PRODUCT}'
-    fi
-elif [ -n "${options[VARDIR]}" ]; then
-    if [ -z "{$options[VARLIB]}" ]; then
-	options[VARLIB]=${options[VARDIR]}
-	options[VARDIR]='${VARLIB}/${PRODUCT}'
-    fi
-fi
-
 for on in \
    HOST \
    PREFIX \
@@ -189,9 +181,7 @@ for on in \
    SYSTEMD \
    SYSCONFFILE \
    SYSCONFDIR \
-    SPARSE \
    ANNOTATED \
-    VARLIB \
    VARDIR
 do
    echo "$on=${options[${on}]}"
--- a/Shorewall-core/configure.pl
+++ b/Shorewall-core/configure.pl
@@ -38,8 +38,9 @@ my %params;
 my %options;

 my %aliases = ( VENDOR         => 'HOST',
-		SHAREDSTATEDIR => 'VARLIB',
-		DATADIR        => 'SHAREDIR' );
+		SHAREDSTATEDIR => 'VARDIR',
+		DATADIR        => 'SHAREDIR',
+		SYSCONFDIR     => 'CONFDIR' );

 for ( @ARGV ) {
    die "ERROR: Invalid option specification ( $_ )" unless /^(?:--)?(\w+)=(.*)$/;
@@ -123,15 +124,6 @@ printf $outfile "#\n# Created by Shorewall Core version %s configure.pl - %s %2d

 print  $outfile "# Input: @ARGV\n#\n" if @ARGV;

-if ( $options{VARLIB} ) {
-    unless ( $options{VARDIR} ) {
-	$options{VARDIR} = '${VARLIB}/${PRODUCT}';
-    }
-} elsif ( $options{VARDIR} ) {
-    $options{VARLIB} = $options{VARDIR};
-    $options{VARDIR} = '${VARLIB}/${PRODUCT}';
-}
-
 for ( qw/ HOST
 	  PREFIX
 	  SHAREDIR
@@ -148,9 +140,7 @@ for ( qw/ HOST
 	  SYSTEMD
 	  SYSCONFFILE
 	  SYSCONFDIR
-	  SPARSE
 	  ANNOTATED
-	  VARLIB
 	  VARDIR / ) {

    my $val = $options{$_} || '';
--- a/Shorewall-core/install.sh
+++ b/Shorewall-core/install.sh
@@ -164,18 +164,7 @@ else
    usage 1
 fi

-update=0
-
-if [ -z "${VARLIB}" ]; then
-    VARLIB=${VARDIR}
-    VARDIR="${VARLIB}/${PRODUCT}"
-    update=1
-elif [ -z "${VARDIR}" ]; then
-    VARDIR="${VARLIB}/${PRODUCT}"
-    update=2
-fi
-
-for var in SHAREDIR LIBEXECDIR PERLLIBDIR CONFDIR SBINDIR VARLIB VARDIR; do
+for var in SHAREDIR LIBEXECDIR PERLLIBDIR CONFDIR SBINDIR VARDIR; do
    require $var
 done

@@ -357,25 +346,9 @@ ln -sf lib.base ${DESTDIR}${SHAREDIR}/shorewall/functions
 echo "$VERSION" > ${DESTDIR}${SHAREDIR}/shorewall/coreversion
 chmod 644 ${DESTDIR}${SHAREDIR}/shorewall/coreversion

-if [ -z "${DESTDIR}" ]; then
-    if [ $update -ne 0 ]; then
-	echo "Updating $file - original saved in $file.bak"
+[ $file != "${SHAREDIR}/shorewall/shorewallrc" ] && cp $file ${DESTDIR}${SHAREDIR}/shorewall/shorewallrc

-	cp $file $file.bak
-
-	echo '#'                                             >> $file
-	echo "# Updated by Shorewall-core $VERSION -" `date` >> $file
-	echo '#'                                             >> $file
-
-	[ $update -eq 1 ] && sed -i 's/VARDIR/VARLIB/' $file
-
-	echo 'VARDIR=${VARLIB}/${PRODUCT}' >> $file
-    fi
-
-    [ ! -f ~/.shorewallrc ] && cp ${SHAREDIR}/shorewall/shorewallrc ~/.shorewallrc
-fi
-
-[ $file != "${DESTDIR}${SHAREDIR}/shorewall/shorewallrc" ] && cp $file ${DESTDIR}${SHAREDIR}/shorewall/shorewallrc
+[ -z "${DESTDIR}" ] && [ ! -f ~/.shorewallrc ] && cp ${SHAREDIR}/shorewall/shorewallrc ~/.shorewallrc

 if [ ${SHAREDIR} != /usr/share ]; then
    for f in lib.*; do
--- a/Shorewall-core/lib.base
+++ b/Shorewall-core/lib.base
@@ -20,11 +20,15 @@
 #	along with this program; if not, write to the Free Software
 #	Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
-# This library contains the code common to all Shorewall components except the
-# generated scripts.
+# This library contains the code common to all Shorewall components.
+#
+# - It is loaded by /sbin/shorewall.
+# - It is released as part of Shorewall[6] Lite where it is used by /sbin/shorewall[6]-lite
+#   and /usr/share/shorewall[6]-lite/shorecap.
 #

-SHOREWALL_LIBVERSION=40509
+SHOREWALL_LIBVERSION=40502
+SHOREWALL_CAPVERSION=40502

 [ -n "${g_program:=shorewall}" ]

@@ -34,7 +38,11 @@ if [ -z "$g_readrc" ]; then
    #
    . /usr/share/shorewall/shorewallrc

+    g_libexec="$LIBEXECDIR"
    g_sharedir="$SHAREDIR"/$g_program
+    g_sbindir="$SBINDIR"
+    g_perllib="$PERLLIBDIR"
+    g_vardir="$VARDIR"
    g_confdir="$CONFDIR"/$g_program
    g_readrc=1
 fi
@@ -45,13 +53,13 @@ case $g_program in
    shorewall)
 	g_product="Shorewall"
 	g_family=4
-	g_tool=iptables
+	g_tool=
 	g_lite=
 	;;
    shorewall6)
 	g_product="Shorewall6"
 	g_family=6
-	g_tool=ip6tables
+	g_tool=
 	g_lite=
 	;;
    shorewall-lite)
@@ -68,12 +76,7 @@ case $g_program in
 	;;
 esac

-if [ -z "${VARLIB}" ]; then
-    VARLIB=${VARDIR}
-    VARDIR=${VARLIB}/$g_program
-elif [ -z "${VARDIR}" ]; then
-    VARDIR="${VARLIB}/${PRODUCT}"
-fi
+VARDIR=${VARDIR}/${g_program}

 #
 # Conditionally produce message
@@ -127,6 +130,71 @@ combine_list()
    echo $o
 }

+#
+# Call this function to assert mutual exclusion with Shorewall. If you invoke the
+# /sbin/shorewall program while holding mutual exclusion, you should pass "nolock" as
+# the first argument. Example "shorewall nolock refresh"
+#
+# This function uses the lockfile utility from procmail if it exists.
+# Otherwise, it uses a somewhat race-prone algorithm to attempt to simulate the
+# behavior of lockfile.
+#
+mutex_on()
+{
+    local try
+    try=0
+    local lockf
+    lockf=${LOCKFILE:=${VARDIR}/lock}
+    local lockpid
+
+    MUTEX_TIMEOUT=${MUTEX_TIMEOUT:-60}
+
+    if [ $MUTEX_TIMEOUT -gt 0 ]; then
+
+	[ -d ${VARDIR} ] || mkdir -p ${VARDIR}
+
+	if [ -f $lockf ]; then
+	    lockpid=`cat ${lockf} 2> /dev/null`
+	    if [ -z "$lockpid" -o $lockpid = 0 ]; then
+		rm -f ${lockf}
+		error_message "WARNING: Stale lockfile ${lockf} removed"
+	    elif ! qt ps p ${lockpid}; then
+		rm -f ${lockf}
+		error_message "WARNING: Stale lockfile ${lockf} from pid ${lockpid} removed"
+	    fi
+	fi
+
+	if qt mywhich lockfile; then
+	    lockfile -${MUTEX_TIMEOUT} -r1 ${lockf}
+	    chmod u+w ${lockf}
+	    echo $$ > ${lockf}
+	    chmod u-w ${lockf}
+	else
+	    while [ -f ${lockf} -a ${try} -lt ${MUTEX_TIMEOUT} ] ; do
+		sleep 1
+		try=$((${try} + 1))
+	    done
+
+	    if  [ ${try} -lt ${MUTEX_TIMEOUT} ] ; then
+	        # Create the lockfile
+		echo $$ > ${lockf}
+	    else
+		echo "Giving up on lock file ${lockf}" >&2
+	    fi
+	fi
+    fi
+}
+
+#
+# Call this function to release mutual exclusion
+#
+mutex_off()
+{
+    rm -f ${LOCKFILE:=${VARDIR}/lock}
+}
+
+[ -z "$LEFTSHIFT" ] && . ${g_basedir}/lib.common
+
 #
 # Validate an IP address
 #
@@ -255,8 +323,6 @@ ip_range_explicit() {
    done
 }

-[ -z "$LEFTSHIFT" ] && . ${g_basedir}/lib.common
-
 #
 # Netmask to VLSM
 #
--- a/Shorewall-core/lib.cli
+++ b/Shorewall-core/lib.cli
@@ -21,21 +21,20 @@
 #	Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 # This library contains the command processing code common to /sbin/shorewall[6] and
-# /sbin/shorewall[6]-lite. In Shorewall and Shorewall6, the lib.cli-std library is 
-# loaded after this one and replaces some of the functions declared here.
+# /sbin/shorewall[6]-lite.
 #

-SHOREWALL_CAPVERSION=40512
-
-[ -n "${g_program:=shorewall}" ]
-
 if [ -z "$g_readrc" ]; then
    #
    # This is modified by the installer when ${SHAREDIR} <> /usr/share
    #
    . /usr/share/shorewall/shorewallrc

+    g_libexec="$LIBEXECDIR"
    g_sharedir="$SHAREDIR"/$g_program
+    g_sbindir="$SBINDIR"
+    g_perllib="$PERLLIBDIR"
+    g_vardir="$VARDIR"
    g_confdir="$CONFDIR"/$g_program
    g_readrc=1
 fi
@@ -329,30 +328,11 @@ logwatch() # $1 = timeout -- if negative, prompt each time that
    done
 }

-
-#
-# Try to find the arptables binary -- sets the variable 'arptables'
-#
-resolve_arptables() {
-    arptables="$ARPTABLES"
-
-    [ -n "${arptables:=arptables}" ]
-
-    case $arptables in
-	*/*)
-	    ;;
-	*)
-	    arptables=$(mywhich "$arptables")
-	    ;;
-    esac
-}
-
 #
 # Save currently running configuration
 #
 do_save() {
    local status
-    local arptables
    status=0

    if [ -f ${VARDIR}/firewall ]; then
@@ -372,42 +352,6 @@ do_save() {
 	status=1
    fi

-    case ${SAVE_ARPTABLES:=No} in
-	[Yy]es)
-	    resolve_arptables
-
-	    if [ -n "$arptables" ]; then
-	        #
-	        # 'sed' command is a hack to work around broken arptables_jf
-	        #
-		if ${arptables}-save | sed 's/-p[[:space:]]\+0\([[:digit:]]\)00\/ffff/-p 000\1\/ffff/' > ${VARDIR}/restore-$$; then
-		    if grep -q '^-A' ${VARDIR}/restore-$$; then
-			mv -f ${VARDIR}/restore-$$ ${g_restorepath}-arptables
-		    else
-			rm -f ${VARDIR}/restore-$$
-		    fi
-		fi
-	    else
-		case "$ARPTABLES" in
-		    */*)
-			error_message "ERROR: ARPTABLES=$ARPTABLES does not exist or is not executable - arptables not saved"
-			;;
-		    *)
-			error_message "ERROR: The arptables utility cannot be located - arptables not saved"
-		    ;;
-		esac
-
-		rm -f ${g_restorepath}-arptables
-	    fi
-	    ;;
-	[Nn]o)
-	    rm -f ${g_restorepath}-arptables
-	    ;;
-	*)
-	    error_message "WARNING: Invalid value ($SAVE_ARPTABLES) for SAVE_ARPTABLES"
-	    ;;
-    esac
-
    case ${SAVE_IPSETS:=No} in
 	[Yy]es)
 	    case ${IPSET:=ipset} in
@@ -491,42 +435,21 @@ save_config() {
 #
 sort_routes() {
    local dest
-    local second
    local rest
-    local vlsm
-    local maxvlsm
-    local rule
+    local crvsn

-    if [ $g_family -eq 4 ]; then
-	maxvlsm=032
-    else
-	maxvlsm=128
-    fi
-
-    while read dest second rest; do
+    while read dest rest; do
 	if [ -n "$dest" ]; then
-	    rule="$dest $second $rest"
 	    case "$dest" in
 		default)
-		    echo "000 $rule"
-		    ;;
-		blackhole|local)
-		    case "$second" in
-			*/*)
-			    vlsm=${second#*/}
-			    printf "%03d %s\n" $vlsm "$rule"
-			    ;;
-			*)
-			    echo "$maxvlsm $rule"
-			    ;;
-		    esac
+		    echo "00 $dest $rest"
 		    ;;
 		*/*)
-		    vlsm=${dest#*/}
-		    printf "%03d %s\n" $vlsm "$rule"
+		    crvsn=${dest#*/}
+		    printf "%02d %s\n" $crvsn "$dest $rest"
 		    ;;
 		*)
-		    echo "$maxvlsm $rule"
+		    echo "32 $dest $rest"
 		    ;;
 	    esac
 	fi
@@ -557,7 +480,7 @@ show_routing() {
 	ip -$g_family rule list | find_tables | sort -u | while read table; do
 	    heading "Table $table:"
 	    if [ $g_family -eq 6 ]; then
-		ip -$g_family -o route list table $table | fgrep -v cache | sort_routes
+		ip -$g_family -o route list table $table | fgrep -v cache
 	    else
 		ip -4 -o route list table $table | sort_routes
 	    fi
@@ -570,33 +493,13 @@ show_routing() {
    else
 	heading "Routing Table"
 	if [ $g_family -eq 6 ]; then
-	    ip -$g_family -o route list | fgrep -v cache | sort_routes
+	    ip -$g_family -o route list | fgrep -v cache
 	else
 	    ip -4 -o route list table $table | sort_routes
 	fi
    fi
 }

-determine_ipset_version() {
-    local setname
-
-    if [ -z "$IPSET" -o $IPSET = ipset ]; then
-	IPSET=$(mywhich ipset)
-	[ -n "$IPSET" ] || fatal_error "The ipset utility cannot be located"
-    fi
-
-    setname=fooX$$
-
-    qt ipset -X $setname # Just in case something went wrong the last time
-
-    if qt ipset -N $setname hash:ip family inet; then
-	qt ipset -X $setname
-	IPSETN="$IPSET"
-    else
-	IPSETN="$IPSET -n"
-    fi
-}
-
 #
 # 'list dynamic' command executor
 #
@@ -604,7 +507,7 @@ find_sets() {
    local junk
    local setname

-    $IPSETN -L | egrep "^Name: ${1}(_.+)?$" | while read junk setname; do echo $setname; done
+    ipset -L -n | grep "^Name: ${1}_" | while read junk setname; do echo $setname; done
 }

 list_zone() {
@@ -612,19 +515,19 @@ list_zone() {
    local sets
    local setname

-    determine_ipset_version
+    [ -n "$(mywhich ipset)" ] || fatal_error "The ipset utility cannot be located"

    if [ $g_family -eq 4 ]; then
-	sets=$($IPSETN -L | egrep "^$1(_.+)?");
+	sets=$(ipset -L -n | grep '^$1_');
     else
-	sets=$($IPSETN -L | egrep "^6_$1(_.+)?")
+	sets=$(ipset -L -n | grep "^6_$1_")
    fi

    [ -n "$sets" ] || sets=$(find_sets $1)

    for setname in $sets; do
 	echo "${setname#${1}_}:"
-	$IPSETN -L $setname | awk 'BEGIN        {prnt=0;}; \
+	ipset -L $setname -n | awk 'BEGIN        {prnt=0;}; \
                                    /^Members:/  {prnt=1; next; }; \
                                    /^Bindings:/ {prnt=0; }; \
                                                 { if (prnt == 1) print "   ", $1; };'
@@ -712,20 +615,6 @@ show_connections_filter() {
    fi
 }

-show_nfacct() {
-    if [ -n "$NFACCT" -a ! -x "$NFACCT" ]; then
-	error_message "WARNING: NFACCT=$NFACCT does not exist or is not executable"
-	NFACCT=
-    else
-	NFACCT=$(mywhich nfacct)
-	[ -n "$NFACCT" ] || echo "No NF Accounting defined (nfacct not found)"
-    fi
-
-    if [ -n "$NFACCT" ]; then
-	$NFACCT list
-	echo
-    fi
-}
 #
 # Show Command Executor
 #
@@ -736,9 +625,6 @@ show_command() {
    table=filter
    local table_given
    table_given=
-    local output_filter
-    output_filter=cat
-    local arptables

    show_macro() {
 	foo=`grep 'This macro' $macro | sed 's/This macro //'`
@@ -753,16 +639,6 @@ show_command() {
 	fi
    }

-    # eliminates rules which have not been used from ip*tables' output
-    brief_output() {
-	awk \
-	'/^Chain /  { heading1 = $0; getline heading2; printed = 0; next; };
-         /^ +0 +0 / { next; };
-         /^$/       { if ( printed == 1 ) { print $0; }; next; };
-                    { if ( printed == 0 ) { print heading1; print heading2; printed = 1 }; };
-	            { print; }';
-    }
-
    while [ $finished -eq 0 -a $# -gt 0 ]; do
 	option=$1
 	case $option in
@@ -815,10 +691,6 @@ show_command() {
 			    g_routecache=Yes
 			    option=${option#c}
 			    ;;
-			b*)
-			    output_filter=brief_output
-			    option=${option#b}
-			    ;;
 			*)
 			    usage 1
 			    ;;
@@ -836,7 +708,6 @@ show_command() {


    [ -n "$g_debugging" ] && set -x
-
    case "$1" in
 	connections)
 	    [ $# -gt 1 ] && usage 1
@@ -880,28 +751,28 @@ show_command() {
 	    echo "$g_product $SHOREWALL_VERSION NAT Table at $g_hostname - $(date)"
 	    echo
 	    show_reset
-	    $g_tool -t nat -L $g_ipt_options | $output_filter
+	    $g_tool -t nat -L $g_ipt_options
 	    ;;
 	raw)
 	    [ $# -gt 1 ] && usage 1
 	    echo "$g_product $SHOREWALL_VERSION RAW Table at $g_hostname - $(date)"
 	    echo
 	    show_reset
-	    $g_tool -t raw -L $g_ipt_options | $output_filter
+	    $g_tool -t raw -L $g_ipt_options
 	    ;;
 	rawpost)
 	    [ $# -gt 1 ] && usage 1
 	    echo "$g_product $SHOREWALL_VERSION RAWPOST Table at $g_hostname - $(date)"
 	    echo
 	    show_reset
-	    $g_tool -t rawpost -L $g_ipt_options | $output_filter
+	    $g_tool -t rawpost -L $g_ipt_options
 	    ;;
 	tos|mangle)
 	    [ $# -gt 1 ] && usage 1
 	    echo "$g_product $SHOREWALL_VERSION Mangle Table at $g_hostname - $(date)"
 	    echo
 	    show_reset
-	    $g_tool -t mangle -L $g_ipt_options | $output_filter
+	    $g_tool -t mangle -L $g_ipt_options
 	    ;;
 	log)
 	    [ $# -gt 2 ] && usage 1
@@ -937,7 +808,7 @@ show_command() {
 	    shift

 	    if [ -z "$1" ]; then
-		$g_tool -t mangle -L -n -v | $output_filter
+		$g_tool -t mangle -L -n -v
 		echo
 	    fi

@@ -1000,15 +871,15 @@ show_command() {
 	    if [ -n "$g_filemode" ]; then
 		echo "CONFIG_PATH=$CONFIG_PATH"
 		echo "VARDIR=$VARDIR"
-		echo "LIBEXEC=${LIBEXECDIR}"
-		echo "SBINDIR=${SBINDIR}"
+		echo "LIBEXEC=$g_libexec"
+		echo "SBINDIR=$g_sbindir"
 		echo "CONFDIR=${CONFDIR}"
 		[ -n "$g_lite" ] && [ ${VARDIR} != /var/lib/$g_program ] && echo "LITEDIR=${VARDIR}"
 	    else
 		echo "Default CONFIG_PATH is $CONFIG_PATH"
 		echo "Default VARDIR is /var/lib/$g_program"
-		echo "LIBEXEC is ${LIBEXECDIR}"
-		echo "SBINDIR is ${SBINDIR}"
+		echo "LIBEXEC is $g_libexec"
+		echo "SBINDIR is $g_sbindir"
 		echo "CONFDIR is ${CONFDIR}"
 		[ -n "$g_lite" ] && [ ${VARDIR} != /var/lib/$g_program ] && echo "LITEDIR is ${VARDIR}"
 	    fi
@@ -1020,11 +891,11 @@ show_command() {
 	    show_reset
 	    if [ $# -gt 0 ]; then
 		for chain in $*; do
-		    $g_tool -t $table -L $chain $g_ipt_options | $output_filter
+		    $g_tool -t $table -L $chain $g_ipt_options
 		    echo
 		done
 	    else
-		$g_tool -t $table -L $g_ipt_options | $output_filter
+		$g_tool -t $table -L $g_ipt_options
 	    fi
 	    ;;
 	vardir)
@@ -1049,23 +920,6 @@ show_command() {
 	    echo
 	    [ -f ${VARDIR}/marks ] && cat ${VARDIR}/marks;
 	    ;;
-	nfacct)
-	    [ $# -gt 1 ] && usage 1
-	    echo "$g_product $SHOREWALL_VERSION NF Accounting at $g_hostname - $(date)"
-	    echo
-	    show_nfacct
-	    ;;
-	arptables)
-	    [ $# -gt 1 ] && usage 1
-	    resolve_arptables
-	    if [ -n "$arptables" -a -x $arptables ]; then
-		echo "$g_product $SHOREWALL_VERSION arptables at $g_hostname - $(date)"
-		echo
-		$arptables -L -n -v
-	    else
-		error_message "Cannot locate the arptables executable"
-	    fi
-	    ;;
 	*)
 	    case "$g_program" in
 		*-lite)
@@ -1153,14 +1007,14 @@ show_command() {
 		echo
 		show_reset
 		for chain in $*; do
-		    $g_tool -t $table -L $chain $g_ipt_options | $output_filter
+		    $g_tool -t $table -L $chain $g_ipt_options
 		    echo
 		done
 	    else
 		echo "$g_product $SHOREWALL_VERSION $table Table at $g_hostname - $(date)"
 		echo
 		show_reset
-		$g_tool -t $table -L $g_ipt_options | $output_filter
+		$g_tool -t $table -L $g_ipt_options
 	    fi
 	    ;;
    esac
@@ -1223,9 +1077,6 @@ dump_filter() {
 do_dump_command() {
    local finished
    finished=0
-    local arptables
-
-    resolve_arptables

    while [ $finished -eq 0 -a $# -gt 0 ]; do
 	option=$1
@@ -1276,7 +1127,7 @@ do_dump_command() {
 	elif [ -r $LOGFILE ]; then
 	    g_logread="tac $LOGFILE"
 	else
-	    echo "LOGFILE ($LOGFILE) does not exist! - See http://www.shorewall.net/shorewall_logging.html" >&2
+	    echo "LOGFILE ($LOGFILE) does not exist!" >&2
 	    exit 2
 	fi
    fi
@@ -1300,11 +1151,6 @@ do_dump_command() {
    host=$(echo $g_hostname | sed 's/\..*$//')
    $g_tool -L $g_ipt_options

-    if [ -n "$arptables" -a -x "$arptables" ]; then
-	heading "ARP rules"
-	$arptables -L -n -v
-    fi
-
    heading "Log ($LOGFILE)"
    packet_log 20

@@ -1350,17 +1196,12 @@ do_dump_command() {
 	brctl show
    fi

-    show_routing
-
    if [ $g_family -eq 4 ]; then
 	heading "Per-IP Counters"

 	perip_accounting
    fi

-    heading "NF Accounting"
-    show_nfacct
-
    if qt mywhich setkey; then
 	heading "PFKEY SPD"
 	setkey -DP
@@ -1388,6 +1229,8 @@ do_dump_command() {
 	done
    fi

+    show_routing
+
    if [ $g_family -eq 4 ]; then
 	heading "ARP"
 	arp -na
@@ -1724,19 +1567,19 @@ add_command() {
 	exit 2
    fi

-    determine_ipset_version
-
-    case $1 in
-	*:*)
+    case "$IPSET" in
+	*/*)
+	    ;;
+	*)
+	    [ -n "$(mywhich $IPSET)" ] || fatal_error "The $IPSET utility cannot be located"
+	    ;;
+    esac
+    #
+    # Normalize host list
+    #
    while [ $# -gt 1 ]; do
-		if [ $g_family -eq 4 ]; then
 	interface=${1%%:*}
 	host=${1#*:}
-		else
-		    interface=${1%%|*}
-		    host=${1#*|}
-		fi
-
 	[ "$host" = "$1" ] && host=

 	if [ -z "$host" ]; then
@@ -1753,22 +1596,9 @@ add_command() {

 	shift
    done
-	    ;;
-	*)
-	    ipset=$1
-	    shift
-	    while [ $# -gt 0 ]; do
-		for h in $(separate_list $1); do
-		    hostlist="$hostlist $h"
-		done
-		shift
-	    done
-	    ;;
-    esac

    zone=$1

-    if [ -n "$zone" ]; then
    for host in $hostlist; do
 	if [ $g_family -eq 4 ]; then
 	    interface=${host%:*}
@@ -1778,8 +1608,8 @@ add_command() {
 	    ipset=6_${zone}_${interface};
 	fi

-	    if ! qt $IPSET -L $ipset; then
-		fatal_error "Zone $zone, interface $interface does not have a dynamic host list"
+	if ! qt $IPSET -L $ipset -n; then
+	    fatal_error "Zone $zone, interface $interface is does not have a dynamic host list"
 	fi

 	host=${host#*:}
@@ -1790,17 +1620,7 @@ add_command() {
 	    fatal_error "Unable to add $interface:$host to zone $zone"
 	fi
    done
-    else
-	qt $IPSET -L $ipset || fatal_error "Zone $ipset is not dynamic"

-	for host in $hostlist; do
-	    if $IPSET -A $ipset $host; then
-		echo "Host $host added to zone $ipset"
-	    else
-		fatal_error "Unable to add $host to zone $ipset"
-	    fi
-	done
-    fi
 }

 #
@@ -1813,19 +1633,20 @@ delete_command() {
 	exit 2;
    fi

-    determine_ipset_version
+    case "$IPSET" in
+	*/*)
+	    ;;
+	*)
+	    [ -n "$(mywhich $IPSET)" ] || fatal_error "The $IPSET utility cannot be located"
+	    ;;
+    esac

-    case $1 in
-	*:*)
+    #
+    # Normalize host list
+    #
    while [ $# -gt 1 ]; do
-		if [ $g_family -eq 4 ]; then
 	interface=${1%%:*}
 	host=${1#*:}
-		else
-		    interface=${1%%|*}
-		    host=${1#*|}
-		fi
-
 	[ "$host" = "$1" ] && host=

 	if [ -z "$host" ]; then
@@ -1842,54 +1663,31 @@ delete_command() {

 	shift
    done
-	    ;;
-	*)
-	    ipset=$1
-	    shift
-	    while [ $# -gt 0 ]; do
-		for h in $(separate_list $1); do
-		    hostlist="$hostlist $h"
-		done
-		shift
-	    done
-	    ;;
-    esac

    zone=$1

-    if [ -n "$zone" ]; then
-	for host in $hostlist; do
+    for hostent in $hostlist; do
 	if [ $g_family -eq 4 ]; then
-		interface=${host%:*}
+	    interface=${hostent%:*}
 	    ipset=${zone}_${interface};
 	else
-		interface=${host%%:*}
+	    interface=${hostent%%:*}
 	    ipset=6_${zone}_${interface};
 	fi

 	if ! qt $IPSET -L $ipset -n; then
-		fatal_error "Zone $zone, interface $interface does not have a dynamic host list"
+	    fatal_error "Zone $zone, interface $interface is does not have a dynamic host list"
 	fi

-	    host=${host#*:}
+	host=${hostent#*:}

 	if $IPSET -D $ipset $host; then
-		echo "Host $host deleted from zone $zone"
+	    echo "Host $hostent deleted from zone $zone"
 	else
 	    echo "   WARNING: Unable to delete host $hostent to zone $zone" >&2
 	fi
    done
-    else
-	qt $IPSET -L $ipset -n || fatal_error "Zone $ipset is not dynamic"

-	for host in $hostlist; do
-	    if $IPSET -D $ipset $host; then
-		echo "Host $host deleted from to zone $ipset"
-	    else
-		echo "   WARNING: Unable to delete host $host from zone $zone" >&2
-	    fi
-	done
-    fi
 }

 #
@@ -2110,7 +1908,6 @@ determine_capabilities() {
    local tool
    local chain
    local chain1
-    local arptables

    if [ -z "$g_tool" ]; then
 	[ $g_family -eq 4 ] && tool=iptables || tool=ip6tables
@@ -2197,32 +1994,6 @@ determine_capabilities() {
    IMQ_TARGET=
    DSCP_MATCH=
    DSCP_TARGET=
-    GEOIP_MATCH=
-    RPFILTER_MATCH=
-    NFACCT_MATCH=
-    CHECKSUM_TARGET=
-    ARPTABLESJF=
-    AMANDA_HELPER=
-    FTP_HELPER=
-    FTP0_HELPER=
-    IRC_HELPER=
-    IRC0_HELPER=
-    NETBIOS_NS_HELPER=
-    H323_HELPER=
-    PPTP_HELPER=
-    SANE_HELPER=
-    SANE0_HELPER=
-    SIP_HELPER=
-    SIP0_HELPER=
-    SNMP_HELPER=
-    TFTP_HELPER=
-    TFTP0_HELPER=
-
-    resolve_arptables
-
-    if [ -n "$arptables" -a -x $arptables ]; then
-	qt $arptables -L OUT && ARPTABLESJF=Yes
-    fi

    chain=fooX$$

@@ -2335,19 +2106,6 @@ determine_capabilities() {

    qt $g_tool -A $chain -j ACCEPT -m comment --comment "This is a comment" && COMMENTS=Yes

-    if [ -n "$NFACCT" -a ! -x "$NFACCT" ]; then
-	error_message "WARNING: NFACCT=$NFACCT does not exist or is not executable"
-	NFACCT=
-    else
-	NFACCT=$(mywhich nfacct)
-    fi
-
-    if [ -n "$NFACCT" ] && qt $NFACCT add $chain; then
-	qt $g_tool -A $chain -m nfacct --nfacct-name $chain && NFACCT_MATCH=Yes
-	qt $g_tool -D $chain -m nfacct --nfacct-name $chain
-	qt $NFACCT del $chain
-    fi
-
    if [ -n "$MANGLE_ENABLED" ]; then
 	qt $g_tool -t mangle -N $chain

@@ -2368,8 +2126,6 @@ determine_capabilities() {
 	qt $g_tool -t mangle -A $chain -j IMQ --todev 0 && IMQ_TARGET=Yes
 	qt $g_tool -t mangle -A $chain -m dscp --dscp 0 && DSCP_MATCH=Yes
 	qt $g_tool -t mangle -A $chain -j DSCP --set-dscp 0 && DSCP_TARGET=Yes
-	qt $g_tool -t mangle -A $chain -m rpfilter && RPFILTER_MATCH=Yes
-	qt $g_tool -t mangle -A $chain -j CHECKSUM --checksum-fill && CHECKSUM_TARGET=Yes

 	qt $g_tool -t mangle -F $chain
 	qt $g_tool -t mangle -X $chain
@@ -2381,30 +2137,9 @@ determine_capabilities() {
    qt $g_tool -t rawpost -L -n && RAWPOST_TABLE=Yes

    if [ -n "$RAW_TABLE" ]; then
-	qt $g_tool -t raw -F $chain
-	qt $g_tool -t raw -X $chain
 	qt $g_tool -t raw -N $chain
-	
-	if qt $g_tool -t raw -A $chain -j CT --notrack; then
-	    CT_TARGET=Yes;
-
-	    qt $g_tool -t raw -A $chain -p udp --dport 10080 -j CT --helper amanda     && AMANDA_HELPER=Yes
-	    qt $g_tool -t raw -A $chain -p tcp --dport 21    -j CT --helper ftp        && FTP_HELPER=Yes
-	    qt $g_tool -t raw -A $chain -p tcp --dport 21    -j CT --helper ftp-0      && FTP0_HELPER=Yes
-	    qt $g_tool -t raw -A $chain -p udp --dport 1719  -j CT --helper RAS        && H323_HELPER=Yes
-	    qt $g_tool -t raw -A $chain -p tcp --dport 6667  -j CT --helper irc        && IRC_HELPER=Yes
-	    qt $g_tool -t raw -A $chain -p tcp --dport 6667  -j CT --helper irc-0      && IRC0_HELPER=Yes
-	    qt $g_tool -t raw -A $chain -p udp --dport 137   -j CT --helper netbios-ns && NETBIOS_NS_HELPER=Yes
-	    qt $g_tool -t raw -A $chain -p tcp --dport 1729  -j CT --helper pptp       && PPTP_HELPER=Yes
-	    qt $g_tool -t raw -A $chain -p tcp --dport 6566  -j CT --helper sane       && SANE_HELPER=Yes
-	    qt $g_tool -t raw -A $chain -p tcp --dport 6566  -j CT --helper sane-0     && SANE0_HELPER=Yes
-	    qt $g_tool -t raw -A $chain -p udp --dport 5060  -j CT --helper sip        && SIP_HELPER=Yes
-	    qt $g_tool -t raw -A $chain -p udp --dport 5060  -j CT --helper sip-0      && SIP0_HELPER=Yes
-	    qt $g_tool -t raw -A $chain -p udp --dport 161   -j CT --helper snmp       && SNMP_HELPER=Yes
-	    qt $g_tool -t raw -A $chain -p udp --dport 69    -j CT --helper tftp       && TFTP_HELPER=Yes
-	    qt $g_tool -t raw -A $chain -p udp --dport 69    -j CT --helper tftp-0     && TFTP0_HELPER=Yes
-	fi
-
+	qt $g_tool -t raw -A $chain -j CT --notrack && CT_TARGET=Yes
+	qt $g_tool -t raw -N $chain
 	qt $g_tool -t raw -F $chain
 	qt $g_tool -t raw -X $chain
    fi
@@ -2424,10 +2159,10 @@ determine_capabilities() {

 	    if [ -n "$have_ipset" ]; then
 		if qt $g_tool -A $chain -m set --match-set $chain src -j ACCEPT; then
-		    qt $g_tool -F $chain
+		    qt $g_tool -D $chain -m set --match-set $chain src -j ACCEPT
 		    IPSET_MATCH=Yes
 		elif qt $g_tool -A $chain -m set --set $chain src -j ACCEPT; then
-		    qt $g_tool -F $chain
+		    qt $g_tool -D $chain -m set --set $chain src -j ACCEPT
 		    IPSET_MATCH=Yes
 		    OLD_IPSET_MATCH=Yes
 		fi
@@ -2436,10 +2171,10 @@ determine_capabilities() {
 	elif qt ipset -N $chain hash:ip family inet6; then
 	    IPSET_V5=Yes
 	    if qt $g_tool -A $chain -m set --match-set $chain src -j ACCEPT; then
-		qt $g_tool -F $chain
+		qt $g_tool -D $chain -m set --match-set $chain src -j ACCEPT
 		IPSET_MATCH=Yes
 	    elif qt $g_tool -A $chain -m set --set $chain src -j ACCEPT; then
-		qt $g_tool -F $chain
+		qt $g_tool -D $chain -m set --set $chain src -j ACCEPT
 		IPSET_MATCH=Yes
 		OLD_IPSET_MATCH=Yes
 	    fi
@@ -2457,28 +2192,7 @@ determine_capabilities() {
    fi
    qt $g_tool -A $chain -j NFQUEUE --queue-num 4 && NFQUEUE_TARGET=Yes
    qt $g_tool -A $chain -m realm --realm 4 && REALM_MATCH=Yes
-
-    #
-    # -m helper doesn't verify the existence of the specified helper :-(
-    #
-    if qt $g_tool -A $chain -p tcp --dport 21 -m helper --helper ftp; then
-	HELPER_MATCH=Yes
-
-	if [ -z "$CT_TARGET" ]; then
-	    AMANDA_HELPER=Yes
-	    FTP_HELPER=Yes
-	    FTP_HELPER=Yes
-	    H323_HELPER=Yes
-	    IRC_HELPER=Yes
-	    NS_HELPER=Yes
-	    PPTP_HELPER=Yes
-	    SANE_HELPER=Yes
-	    SIP_HELPER=Yes
-	    SNMP_HELPER=Yes
-	    TFTP_HELPER=Yes
-	fi
-    fi
-
+    qt $g_tool -A $chain -m helper --helper "ftp" && HELPER_MATCH=Yes
    qt $g_tool -A $chain -m connlimit --connlimit-above 8 -j DROP && CONNLIMIT_MATCH=Yes
    qt $g_tool -A $chain -m time --timestart 23:00 -j DROP && TIME_MATCH=Yes
    qt $g_tool -A $chain -g $chain1 && GOTO_TARGET=Yes
@@ -2488,7 +2202,6 @@ determine_capabilities() {
    qt $g_tool -A $chain -j NFLOG && NFLOG_TARGET=Yes
    qt $g_tool -A $chain -j MARK --set-mark 5 && MARK_ANYWHERE=Yes
    qt $g_tool -A $chain -m statistic --mode nth --every 2 --packet 1 && STATISTIC_MATCH=Yes
-    qt $g_tool -A $chain -m geoip --src-cc US && GEOIP_MATCH=Yes

    if [ $g_family -eq 4 ]; then
 	qt $g_tool -A $chain -j ACCOUNT --addr 192.168.1.0/29 --tname $chain && ACCOUNT_TARGET=Yes
@@ -2498,9 +2211,7 @@ determine_capabilities() {
    fi

    qt $g_tool -A $chain -j AUDIT --type drop && AUDIT_TARGET=Yes
-
    qt $g_tool -A $chain -m condition --condition foo && CONDITION_MATCH=Yes
-
    qt $g_tool -S INPUT && IPTABLES_S=Yes
    qt $g_tool -F $chain
    qt $g_tool -X $chain
@@ -2525,7 +2236,7 @@ determine_capabilities() {
    esac
 }

-report_capabilities_unsorted() {
+report_capabilities() {
    report_capability() # $1 = Capability Description , $2 Capability Setting (if any)
    {
 	local setting
@@ -2536,6 +2247,8 @@ report_capabilities_unsorted() {
 	echo "  " $1: $setting
    }

+    if [ $VERBOSITY -gt 1 ]; then
+	echo "$g_product has detected the following iptables/netfilter capabilities:"
 	report_capability "NAT (NAT_ENABLED)" $NAT_ENABLED
 	report_capability "Packet Mangling (MANGLE_ENABLED)" $MANGLE_ENABLED
 	report_capability "Multi-port Match (MULTIPORT)" $MULTIPORT
@@ -2603,27 +2316,6 @@ report_capabilities_unsorted() {
 	report_capability "IMQ Target (IMQ_TARGET)" $IMQ_TARGET
 	report_capability "DSCP Match (DSCP_MATCH)" $DSCP_MATCH
 	report_capability "DSCP Target (DSCP_TARGET)" $DSCP_TARGET
-    report_capability "Geo IP match" $GEOIP_MATCH
-    report_capability "RPFilter match" $RPFILTER_MATCH
-    report_capability "NFAcct match" $NFACCT_MATCH
-    report_capability "Checksum Target" $CHECKSUM_TARGET
-    report_capability "Arptables JF" $ARPTABLESJF
-
-    report_capability "Amanda Helper" $AMANDA_HELPER
-    report_capability "FTP Helper" $FTP_HELPER
-    report_capability "FTP-0 Helper" $FTP0_HELPER
-    report_capability "IRC Helper" $IRC_HELPER
-    report_capability "IRC-0 Helper" $IRC0_HELPER
-    report_capability "Netbios_ns Helper" $NETBIOS_NS_HELPER
-    report_capability "H323 Helper" $H323_HELPER
-    report_capability "PPTP Helper" $PPTP_HELPER
-    report_capability "SANE Helper" $SANE_HELPER
-    report_capability "SANE-0 Helper" $SANE0_HELPER
-    report_capability "SIP Helper" $SIP_HELPER
-    report_capability "SIP-0 Helper" $SIP0_HELPER
-    report_capability "SNMP Helper" $SNMP_HELPER
-    report_capability "TFTP Helper" $TFTP_HELPER
-    report_capability "TFTP-0 Helper" $TFTP0_HELPER

 	if [ $g_family -eq 4 ]; then
 	    report_capability "iptables -S (IPTABLES_S)" $IPTABLES_S
@@ -2633,28 +2325,21 @@ report_capabilities_unsorted() {

 	report_capability "Basic Filter (BASIC_FILTER)" $BASIC_FILTER
 	report_capability "CT Target (CT_TARGET)" $CT_TARGET
-
-    echo "   Kernel Version (KERNELVERSION): $KERNELVERSION"
-    echo "   Capabilities Version (CAPVERSION): $CAPVERSION"
-}
-
-report_capabilities() {
-
-    if [ $VERBOSITY -gt 1 ]; then
-	echo "$g_product has detected the following iptables/netfilter capabilities:"
-	report_capabilities_unsorted | sort
    fi

    [ -n "$PKTTYPE" ] || USEPKTTYPE=

 }

-report_capabilities_unsorted1() {
+report_capabilities1() {
    report_capability1() # $1 = Capability
    {
 	eval echo $1=\$$1
    }

+    echo "#"
+    echo "# $g_product $SHOREWALL_VERSION detected the following iptables/netfilter capabilities - $(date)"
+    echo "#"
    report_capability1 NAT_ENABLED
    report_capability1 MANGLE_ENABLED
    report_capability1 MULTIPORT
@@ -2721,39 +2406,11 @@ report_capabilities_unsorted1() {
    report_capability1 IMQ_TARGET
    report_capability1 DSCP_MATCH
    report_capability1 DSCP_TARGET
-    report_capability1 GEOIP_MATCH
-    report_capability1 RPFILTER_MATCH
-    report_capability1 NFACCT_MATCH
-    report_capability1 CHECKSUM_TARGET
-    report_capability1 ARPTABLESJF
-
-    report_capability1 AMANDA_HELPER
-    report_capability1 FTP_HELPER
-    report_capability1 FTP0_HELPER
-    report_capability1 IRC_HELPER
-    report_capability1 IRC0_HELPER
-    report_capability1 NETBIOS_NS_HELPER
-    report_capability1 H323_HELPER
-    report_capability1 PPTP_HELPER
-    report_capability1 SANE_HELPER
-    report_capability1 SANE0_HELPER
-    report_capability1 SIP_HELPER
-    report_capability1 SIP0_HELPER
-    report_capability1 SNMP_HELPER
-    report_capability1 TFTP_HELPER
-    report_capability1 TFTP0_HELPER

    echo CAPVERSION=$SHOREWALL_CAPVERSION
    echo KERNELVERSION=$KERNELVERSION
 }

-report_capabilities1() {
-    echo "#"
-    echo "# $g_product $SHOREWALL_VERSION detected the following iptables/netfilter capabilities - $(date)"
-    echo "#"
-    report_capabilities_unsorted1 | sort
-}
-
 show_status() {
    if product_is_started ; then
 	echo "$g_product is running"
@@ -2869,7 +2526,6 @@ forget_command() {
 	rm -f $g_restorepath
 	rm -f ${g_restorepath}-iptables
 	rm -f ${g_restorepath}-ipsets
-	rm -f ${g_restorepath}-arptables
 	echo "    $g_restorepath removed"
    elif [ -f $g_restorepath ]; then
 	echo "   $g_restorepath exists and is not a saved $g_product configuration"
@@ -3075,27 +2731,7 @@ get_config() {
 	exit 2
    fi

-    if [ -n "$IPSET" ]; then
-	case "$IPSET" in
-	    */*)
-		if [ ! -x "$IPSET" ] ; then
-		    echo "   ERROR: The program specified in IPSET ($IPSET) does not exist or is not executable" >&2
-		    exit 2
-		fi
-		;;
-	    *)
-		prog="$(mywhich $IPSET 2> /dev/null)"
-		if [ -z "$prog" ] ; then
-		    echo "   ERROR: Can't find $IPSET executable" >&2
-		    exit 2
-		fi
-		IPSET=$prog
-		;;
-	esac
-    else
-	IPSET=''
-    fi
-
+    IPSET=ipset
    TC=tc

 }
@@ -3299,24 +2935,16 @@ usage() # $1 = exit status
    echo "   restart [ -n ] [ -p ] [ -f ] [ <directory> ]"
    echo "   restore [ -n ] [ <file name> ]"
    echo "   save [ <file name> ]"
-    echo "   show [ -b ] [ -x ] [ -t {filter|mangle|nat} ] [ {chain [<chain> [ <chain> ... ]"
+    echo "   show [ -x ] [ -t {filter|mangle|nat} ] [ {chain [<chain> [ <chain> ... ]"
    echo "   show [ -f ] capabilities"
-    echo "   show arptables"
    echo "   show classifiers"
    echo "   show config"
    echo "   show connections"
    echo "   show filters"
    echo "   show ip"
-
-    if [ $g_family -eq 4 ]; then
-	echo "   show ipa"
-    fi
-
    echo "   show [ -m ] log [<regex>]"
-    echo "   show [ -x ] mangle|nat|raw|rawpost"
-    echo "   show nfacct"
+    echo "   show [ -x ] mangle|nat|raw|rawpost|routing"
    echo "   show policies"
-    echo "   show routing"
    echo "   show tc [ device ]"
    echo "   show vardir"
    echo "   show zones"
@@ -3367,7 +2995,7 @@ shorewall_cli() {
    g_shorewalldir=

    VERBOSE=
-    VERBOSITY=1
+    VERBOSITY=

    [ -n "$g_lite" ] || . ${g_basedir}/lib.cli-std

--- a/Shorewall-core/lib.common
+++ b/Shorewall-core/lib.common
@@ -84,7 +84,7 @@ get_script_version() { # $1 = script

    temp=$( $SHOREWALL_SHELL $1 version | tail -n 1 | sed 's/-.*//' )

-    if [ -z "$temp" ]; then
+    if [ $? -ne 0 ]; then
 	version=0
    else
 	ifs=$IFS
@@ -717,69 +717,3 @@ truncate() # $1 = length
 {
    cut -b -${1}
 }
-
-#
-# Call this function to assert mutual exclusion with Shorewall. If you invoke the
-# /sbin/shorewall program while holding mutual exclusion, you should pass "nolock" as
-# the first argument. Example "shorewall nolock refresh"
-#
-# This function uses the lockfile utility from procmail if it exists.
-# Otherwise, it uses a somewhat race-prone algorithm to attempt to simulate the
-# behavior of lockfile.
-#
-mutex_on()
-{
-    local try
-    try=0
-    local lockf
-    lockf=${LOCKFILE:=${VARDIR}/lock}
-    local lockpid
-
-    MUTEX_TIMEOUT=${MUTEX_TIMEOUT:-60}
-
-    if [ $MUTEX_TIMEOUT -gt 0 ]; then
-
-	[ -d ${VARDIR} ] || mkdir -p ${VARDIR}
-
-	if [ -f $lockf ]; then
-	    lockpid=`cat ${lockf} 2> /dev/null`
-	    if [ -z "$lockpid" -o $lockpid = 0 ]; then
-		rm -f ${lockf}
-		error_message "WARNING: Stale lockfile ${lockf} removed"
-	    elif [ $lockpid -eq $$ ]; then
-                return 0
-	    elif ! qt ps p ${lockpid}; then
-		rm -f ${lockf}
-		error_message "WARNING: Stale lockfile ${lockf} from pid ${lockpid} removed"
-	    fi
-	fi
-
-	if qt mywhich lockfile; then
-	    lockfile -${MUTEX_TIMEOUT} -r1 ${lockf}
-	    chmod u+w ${lockf}
-	    echo $$ > ${lockf}
-	    chmod u-w ${lockf}
-	else
-	    while [ -f ${lockf} -a ${try} -lt ${MUTEX_TIMEOUT} ] ; do
-		sleep 1
-		try=$((${try} + 1))
-	    done
-
-	    if  [ ${try} -lt ${MUTEX_TIMEOUT} ] ; then
-	        # Create the lockfile
-		echo $$ > ${lockf}
-	    else
-		echo "Giving up on lock file ${lockf}" >&2
-	    fi
-	fi
-    fi
-}
-
-#
-# Call this function to release mutual exclusion
-#
-mutex_off()
-{
-    rm -f ${LOCKFILE:=${VARDIR}/lock}
-}
-
--- a/Shorewall-core/shorewallrc.apple
+++ b/Shorewall-core/shorewallrc.apple
@@ -17,4 +17,4 @@ ANNOTATED=                             #Unused on OS X
 SYSTEMD=                               #Unused on OS X
 SYSCONFDIR=                            #Unused on OS X
 SPARSE=Yes                             #Only install $PRODUCT/$PRODUCT.conf in $CONFDIR.
-VARLIB=/var/lib                        #Unused on OS X
+VARDIR=/var/lib                        #Unused on OS X
--- a/Shorewall-core/shorewallrc.archlinux
+++ b/Shorewall-core/shorewallrc.archlinux
@@ -1,21 +1,20 @@
 #
-# Arch Linux Shorewall 4.5 rc file
+# Archlinux Shorewall 4.5 rc file
 #
-BUILD=                                 #Default is to detect the build system
+BUILD=archlinux
 HOST=archlinux
 PREFIX=/usr                            #Top-level directory for shared files, libraries, etc.
 SHAREDIR=${PREFIX}/share               #Directory for arch-neutral files.
 LIBEXECDIR=${PREFIX}/share             #Directory for executable scripts.
 PERLLIBDIR=${PREFIX}/share/shorewall   #Directory to install Shorewall Perl module directory
 CONFDIR=/etc                           #Directory where subsystem configurations are installed
-SBINDIR=/usr/sbin                      #Directory where system administration programs are installed
+SBINDIR=/sbin                          #Directory where system administration programs are installed
 MANDIR=${SHAREDIR}/man                 #Directory where manpages are installed.
-INITDIR=                               #Directory where SysV init scripts are installed.
-INITFILE=                              #Name of the product's installed SysV init script
-INITSOURCE=                            #Name of the distributed file to be installed as the SysV init script
+INITDIR=/etc/rc.d                      #Directory where SysV init scripts are installed.
+INITFILE=$PRODUCT                      #Name of the product's installed SysV init script
+INITSOURCE=init.sh                     #Name of the distributed file to be installed as the SysV init script
 ANNOTATED=                             #If non-zero, annotated configuration files are installed
 SYSCONFDIR=                            #Directory where SysV init parameter files are installed
-SYSTEMD=/usr/lib/systemd/system        #Directory where .service files are installed (systems running systemd only)
+SYSTEMD=                               #Directory where .service files are installed (systems running systemd only)
 SPARSE=                                #If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR
-VARLIB=/var/lib                        #Directory where product variable data is stored.
-VARDIR=${VARLIB}/$PRODUCT              #Directory where product variable data is stored.
+VARDIR=/var/lib                        #Directory where product variable data is stored.
--- a/Shorewall-core/shorewallrc.cygwin
+++ b/Shorewall-core/shorewallrc.cygwin
@@ -17,4 +17,4 @@ ANNOTATED=                            #Unused on Cygwin
 SYSTEMD=                              #Unused on Cygwin
 SYSCONFDIR=                           #Unused on Cygwin
 SPARSE=Yes                            #Only install $PRODUCT/$PRODUCT.conf in $CONFDIR.
-VARLIB=/var/lib                       #Unused on Cygwin
+VARDIR=/var/lib                       #Unused on Cygwin
--- a/Shorewall-core/shorewallrc.debian
+++ b/Shorewall-core/shorewallrc.debian
@@ -18,5 +18,4 @@ SYSCONFFILE=default.debian              #Name of the distributed file to be inst
 SYSCONFDIR=/etc/default                 #Directory where SysV init parameter files are installed
 SYSTEMD=                                #Directory where .service files are installed (systems running systemd only)
 SPARSE=Yes                              #If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR
-VARLIB=/var/lib                         #Directory where product variable data is stored.
-VARDIR=${VARLIB}/$PRODUCT               #Directory where product variable data is stored.
+VARDIR=/var/lib                         #Directory where product variable data is stored.
--- a/Shorewall-core/shorewallrc.default
+++ b/Shorewall-core/shorewallrc.default
@@ -10,7 +10,7 @@ PERLLIBDIR=${PREFIX}/share/shorewall    #Directory to install Shorewall Perl mod
 CONFDIR=/etc                            #Directory where subsystem configurations are installed
 SBINDIR=/sbin                           #Directory where system administration programs are installed
 MANDIR=${PREFIX}/man                    #Directory where manpages are installed.
-INITDIR=/etc/init.d                     #Directory where SysV init scripts are installed.
+INITDIR=etc/init.d                      #Directory where SysV init scripts are installed.
 INITFILE=$PRODUCT                       #Name of the product's installed SysV init script
 INITSOURCE=init.sh                      #Name of the distributed file to be installed as the SysV init script
 ANNOTATED=                              #If non-zero, annotated configuration files are installed
@@ -18,5 +18,4 @@ SYSTEMD=                                #Directory where .service files are inst
 SYSCONFFILE=                            #Name of the distributed file to be installed in $SYSCONFDIR
 SYSCONFDIR=                             #Directory where SysV init parameter files are installed
 SPARSE=                                 #If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR
-VARLIB=/var/lib                         #Directory where product variable data is stored.
-VARDIR=${VARLIB}/$PRODUCT               #Directory where product variable data is stored.
+VARDIR=/var/lib                         #Directory where product variable data is stored.
--- a/Shorewall-core/shorewallrc.redhat
+++ b/Shorewall-core/shorewallrc.redhat
@@ -18,5 +18,4 @@ SYSTEMD=/lib/systemd/system             #Directory where .service files are inst
 SYSCONFFILE=sysconfig                   #Name of the distributed file to be installed as $SYSCONFDIR/$PRODUCT
 SYSCONFDIR=/etc/sysconfig/              #Directory where SysV init parameter files are installed
 SPARSE=                                 #If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR
-VARLIB=/var/lib                         #Directory where product variable data is stored.
-VARDIR=${VARLIB}/$PRODUCT               #Directory where product variable data is stored.
+VARDIR=/var/lib                         #Directory where product variable data is stored.
--- a/Shorewall-core/shorewallrc.slackware
+++ b/Shorewall-core/shorewallrc.slackware
@@ -19,5 +19,4 @@ SYSTEMD=                                   #Name of the directory where .service
 SYSCONFFILE=                               #Name of the distributed file to be installed in $SYSCONFDIR
 SYSCONFDIR=                                #Name of the directory where SysV init parameter files are installed.
 ANNOTATED=                                 #If non-empty, install annotated configuration files
-VARLIB=/var/lib                            #Directory where product variable data is stored.
-VARDIR=${VARLIB}/$PRODUCT                  #Directory where product variable data is stored.
+VARDIR=/var/lib                            #Directory where product variable data is stored.
--- a/Shorewall-core/shorewallrc.suse
+++ b/Shorewall-core/shorewallrc.suse
@@ -12,11 +12,10 @@ SBINDIR=/sbin                                         #Directory where system ad
 MANDIR=${SHAREDIR}/man/                               #Directory where manpages are installed.
 INITDIR=/etc/init.d                                   #Directory where SysV init scripts are installed.
 INITFILE=$PRODUCT                                     #Name of the product's SysV init script
-INITSOURCE=init.suse.sh                               #Name of the distributed file to be installed as the SysV init script
+INITSOURCE=init.sh                                    #Name of the distributed file to be installed as the SysV init script
 ANNOTATED=                                            #If non-zero, annotated configuration files are installed
 SYSTEMD=                                              #Directory where .service files are installed (systems running systemd only)
 SYSCONFFILE=                                          #Name of the distributed file to be installed in $SYSCONFDIR
 SYSCONFDIR=/etc/sysconfig/                            #Directory where SysV init parameter files are installed
 SPARSE=                                               #If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR
-VARLIB=/var/lib                                       #Directory where persistent product data is stored.
-VARDIR=${VARLIB}/$PRODUCT                             #Directory where product variable data is stored.
+VARDIR=/var/lib                                       #Directory where persistent product data is stored.
--- a/Shorewall-init/ifupdown.sh
+++ b/Shorewall-init/ifupdown.sh
@@ -22,21 +22,6 @@
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #

-setstatedir() {
-    local statedir
-    if [ -f ${CONFDIR}/${PRODUCT}/vardir ]; then
-	statedir=$( . /${CONFDIR}/${PRODUCT}/vardir && echo $VARDIR )
-    fi
-
-    [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARDIR}/${PRODUCT}
-
-    if [ ! -x $STATEDIR/firewall ]; then
-	if [ $PRODUCT = shorewall -o $PRODUCT = shorewall6 ]; then
-	    ${SBINDIR}/$PRODUCT compile
-	fi
-    fi
-}
-
 Debian_SuSE_ppp() {
    NEWPRODUCTS=
    INTERFACE="$1"
@@ -121,11 +106,15 @@ if [ -f /etc/debian_version ]; then
 	    else
 		exit 0
 	    fi
+
+	    case "$PHASE" in
+		pre-*)
+		    exit 0
+		    ;;
+	    esac
 	    ;;
    esac
 elif [ -f /etc/SuSE-release ]; then
-    PHASE=''
-
    case $0 in
 	/etc/ppp*)
 	    #
@@ -157,8 +146,6 @@ else
    #
    # Assume RedHat/Fedora/CentOS/Foobar/...
    #
-    PHASE=''
-
    case $0 in
 	/etc/ppp*)
 	    INTERFACE="$1"
@@ -199,14 +186,20 @@ else
    esac
 fi

-[ -n "$LOGFILE" ] || LOGFILE=/dev/null
-
 for PRODUCT in $PRODUCTS; do
-    setstatedir
-
-    if [ -x $VARLIB/$PRODUCT/firewall ]; then
-	  ( ${VARLIB}/$PRODUCT/firewall -V0 $COMMAND $INTERFACE >> $LOGFILE 2>&1 ) || true
+    #
+    # For backward compatibility, lib.base appends the product name to VARDIR
+    # Save it here and restore it below
+    #
+    save_vardir=${VARDIR}
+    if [ -x $VARDIR/$PRODUCT/firewall ]; then
+	  ( . ${SHAREDIR}/shorewall/lib.base
+	    mutex_on
+	    ${VARDIR}/firewall -V0 $COMMAND $INTERFACE || echo_notdone
+	    mutex_off
+	  )
    fi
+    VARDIR=${save_vardir}
 done

 exit 0
--- a/Shorewall-init/init.debian.sh
+++ b/Shorewall-init/init.debian.sh
@@ -62,29 +62,11 @@ not_configured () {
 	exit 0
 }

-# set the STATEDIR variable
-setstatedir() {
-    local statedir
-    if [ -f ${CONFDIR}/${PRODUCT}/vardir ]; then
-	statedir=$( . /${CONFDIR}/${PRODUCT}/vardir && echo $VARDIR )
-    fi
-
-    [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARDIR}/${PRODUCT}
-
-    if [ ! -x $STATEDIR/firewall ]; then
-	if [ $PRODUCT = shorewall -o $PRODUCT = shorewall6 ]; then
-	    ${SBINDIR}/$PRODUCT compile
-	fi
-    fi
-}
-
 #
 # The installer may alter this
 #
 . /usr/share/shorewall/shorewallrc

-vardir=$VARDIR
-
 # check if shorewall-init is configured or not
 if [ -f "$SYSCONFDIR/shorewall-init" ]
 then
@@ -99,27 +81,27 @@ fi

 # Initialize the firewall
 shorewall_start () {
-  local PRODUCT
-  local STATEDIR
+  local product
+  local VARDIR

  echo -n "Initializing \"Shorewall-based firewalls\": "
-  for PRODUCT in $PRODUCTS; do
-      setstatedir
-
-      if [ ! -x ${VARDIR}/$PRODUCT/firewall ]; then
-	  if [ $PRODUCT = shorewall -o $PRODUCT = shorewall6 ]; then
-	      ${SBINDIR}/$PRODUCT compile
-	  fi
-      fi
-
-      if [ -x ${VARDIR}/$PRODUCT/firewall ]; then
+  for product in $PRODUCTS; do
+      VARDIR=/var/lib/$product
+      [ -f /etc/$product/vardir ] && . /etc/$product/vardir
+      if [ -x ${VARDIR}/firewall ]; then
 	  #
 	  # Run in a sub-shell to avoid name collisions
 	  #
 	  ( 
-	      if ! ${VARDIR}/$PRODUCT/firewall status > /dev/null 2>&1; then
-		  ${VARDIR}/$PRODUCT/firewall stop || echo_notdone
+	      . /usr/share/$product/lib.base
+	      #
+	      # Get mutex so the firewall state is stable
+	      #
+	      mutex_on
+	      if ! ${VARDIR}/firewall status > /dev/null 2>&1; then
+		  ${VARDIR}/firewall stop || echo_notdone
 	      fi
+	      mutex_off
 	  )
      fi
  done
@@ -131,21 +113,19 @@ shorewall_start () {

 # Clear the firewall
 shorewall_stop () {
-  local PRODUCT
+  local product
  local VARDIR

  echo -n "Clearing \"Shorewall-based firewalls\": "
-  for PRODUCT in $PRODUCTS; do
-      setstatedir
-
-      if [ ! -x ${VARDIR}/$PRODUCT/firewall ]; then
-	  if [ $PRODUCT = shorewall -o $PRODUCT = shorewall6 ]; then
-	      ${SBINDIR}/$PRODUCT compile
-	  fi
-      fi
-
-      if [ -x ${VARDIR}/$PRODUCT/firewall ]; then
-	  ${VARDIR}/$PRODUCT/firewall clear || echo_notdone
+  for product in $PRODUCTS; do
+      VARDIR=/var/lib/$product
+      [ -f /etc/$product/vardir ] && . /etc/$product/vardir
+      if [ -x ${VARDIR}/firewall ]; then
+	  ( . /usr/share/$product/lib.base
+	    mutex_on
+	    ${VARDIR}/firewall clear || echo_notdone
+	    mutex_off
+	  )
      fi
  done

--- a/Shorewall-init/init.fedora.sh
+++ b/Shorewall-init/init.fedora.sh
@@ -14,8 +14,13 @@
 #                    prior to bringing up the network.  
 ### END INIT INFO
 #determine where the files were installed
-
-. /usr/share/shorewall/shorewallrc
+if [ -f ~/.shorewallrc ]; then
+    . ~/.shorewallrc || exit 1
+else
+    SBINDIR=/sbin
+    SYSCONFDIR=/etc/default
+    VARDIR=/var/lib
+fi

 prog="shorewall-init"
 logger="logger -i -t $prog"
@@ -24,8 +29,6 @@ lockfile="/var/lock/subsys/shorewall-init"
 # Source function library.
 . /etc/rc.d/init.d/functions

-vardir=$VARDIR
-
 # Get startup options (override default)
 OPTIONS=

@@ -37,25 +40,9 @@ else
    exit 6
 fi

-# set the STATEDIR variable
-setstatedir() {
-    local statedir
-    if [ -f ${CONFDIR}/${PRODUCT}/vardir ]; then
-	statedir=$( . /${CONFDIR}/${PRODUCT}/vardir && echo $VARDIR )
-    fi
-
-    [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARDIR}/${PRODUCT}
-
-    if [ ! -x $STATEDIR/firewall ]; then
-	if [ $PRODUCT = shorewall -o $PRODUCT = shorewall6 ]; then
-	    ${SBINDIR}/$PRODUCT compile
-	fi
-    fi
-}
-
 # Initialize the firewall
 start () {
-    local PRODUCT
+    local product
    local vardir

    if [ -z "$PRODUCTS" ]; then
@@ -65,19 +52,11 @@ start () {
    fi

    echo -n "Initializing \"Shorewall-based firewalls\": "
-    for PRODUCT in $PRODUCTS; do
-	setstatedir
-
-	if [ ! -x ${VARDIR}/firewall ]; then
-	    if [ $PRODUCT = shorewall -o $PRODUCT = shorewall6 ]; then
-		${SBINDIR}/$PRODUCT compile
-	    fi
-	fi
-
-	if [ -x ${VARDIR}/$PRODUCT/firewall ]; then
-	    ${VARDIR}/$PRODUCT/firewall stop 2>&1 | $logger
+    for product in $PRODUCTS; do
+	if [ -x ${VARDIR}/$product/firewall ]; then
+	    ${VARDIR}/$product/firewall stop 2>&1 | $logger
 	    retval=${PIPESTATUS[0]}
-	    [ $retval -ne 0 ] && break
+	    [ retval -ne 0 ] && break
 	fi
    done

@@ -93,23 +72,15 @@ start () {

 # Clear the firewall
 stop () {
-    local PRODUCT
+    local product
    local vardir

    echo -n "Clearing \"Shorewall-based firewalls\": "
-    for PRODUCT in $PRODUCTS; do
-	setstatedir
-
-	if [ ! -x ${VARDIR}/firewall ]; then
-	    if [ $PRODUCT = shorewall -o $PRODUCT = shorewall6 ]; then
-		${SBINDIR}/$PRODUCT compile
-	    fi
-	fi
-
-	if [ -x ${VARDIR}/$PRODUCT/firewall ]; then
-	    ${VARDIR}/$PRODUCT/firewall clear 2>&1 | $logger
+    for product in $PRODUCTS; do
+	if [ -x ${VARDIR}/$product/firewall ]; then
+	    ${VARDIR}/$product/firewall clear 2>&1 | $logger
 	    retval=${PIPESTATUS[0]}
-	    [ $retval -ne 0 ] && break
+	    [ retval -ne 0 ] && break
 	fi
    done

@@ -136,7 +107,11 @@ case "$1" in
 	status_q || exit 0
 	$1
 	;;
-    restart|reload|force-reload|condrestart|try-restart)
+    restart|reload|force-reload)
+	echo "Not implemented"
+	exit 3
+	;;
+    condrestart|try-restart)
 	echo "Not implemented"
 	exit 3
        ;;
@@ -144,7 +119,7 @@ case "$1" in
 	status $prog
 	;;
  *)
-	echo "Usage: /etc/init.d/shorewall-init {start|stop|status}"
+	echo "Usage: /etc/init.d/shorewall-init {start|stop}"
 	exit 1
 esac

--- a/Shorewall-init/init.sh
+++ b/Shorewall-init/init.sh
@@ -58,34 +58,16 @@ fi
 #
 . /usr/share/shorewall/shorewallrc

-# Locate the current PRODUCT's statedir
-setstatedir() {
-    local statedir
-    if [ -f ${CONFDIR}/${PRODUCT}/vardir ]; then
-	statedir=$( . /${CONFDIR}/${PRODUCT}/vardir && echo $VARDIR )
-    fi
-
-    [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARDIR}/${PRODUCT}
-
-    if [ ! -x $STATEDIR/firewall ]; then
-	if [ $PRODUCT = shorewall -o $PRODUCT = shorewall6 ]; then
-	    ${SBINDIR}/$PRODUCT compile $STATEDIR/firewall
-	fi
-    fi
-}
-
 # Initialize the firewall
 shorewall_start () {
  local PRODUCT
-  local STATEDIR
+  local VARDIR

  echo -n "Initializing \"Shorewall-based firewalls\": "
  for PRODUCT in $PRODUCTS; do
-      setstatedir
-
-      if [ -x ${STATEDIR}/firewall ]; then
+      if [ -x ${VARDIR}/firewall ]; then
 	  if ! ${SBIN}/$PRODUCT status > /dev/null 2>&1; then
-	      ${STATEDIR}/firewall stop || echo_notdone
+	      ${VARDIR}/firewall stop || echo_notdone
 	  fi
      fi
  done
@@ -104,14 +86,6 @@ shorewall_stop () {

  echo -n "Clearing \"Shorewall-based firewalls\": "
  for PRODUCT in $PRODUCTS; do
-      setstatedir
-
-      if [ ! -x ${VARDIR}/firewall ]; then
-	  if [ $PRODUCT = shorewall -o $product = shorewall6 ]; then
-	      ${SBINDIR}/$PRODUCT compile
-	  fi
-      fi
-
      if [ -x ${VARDIR}/firewall ]; then
 	  ${VARDIR}/firewall clear || exit 1
      fi
--- a/Shorewall-init/init.suse.sh
+++ b/Shorewall-init/init.suse.sh
@@ -1,135 +0,0 @@
-#! /bin/bash
-#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V4.5
-#
-#     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
-#
-#     (c) 2010,2012 - Tom Eastep (teastep@shorewall.net)
-#
-#       On most distributions, this file should be called /etc/init.d/shorewall.
-#
-#       Complete documentation is available at http://shorewall.net
-#
-#       This program is free software; you can redistribute it and/or modify
-#       it under the terms of Version 2 of the GNU General Public License
-#       as published by the Free Software Foundation.
-#
-#       This program is distributed in the hope that it will be useful,
-#       but WITHOUT ANY WARRANTY; without even the implied warranty of
-#       MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-#       GNU General Public License for more details.
-#
-#       You should have received a copy of the GNU General Public License
-#       along with this program; if not, write to the Free Software
-#       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-#
-#
-### BEGIN INIT INFO
-# Provides: shorewall-init
-# Required-Start: $local_fs
-# Required-Stop:  $local_fs
-# Default-Start:  2 3 5
-# Default-Stop:   0 1 6
-# Short-Description: Initialize the firewall at boot time
-# Description:       Place the firewall in a safe state at boot time
-#                    prior to bringing up the network.  
-### END INIT INFO
-
-if [ "$(id -u)" != "0" ]
-then
-  echo "You must be root to start, stop or restart \"Shorewall \"."
-  exit 1
-fi
-
-# check if shorewall-init is configured or not
-if [ -f "/etc/sysconfig/shorewall-init" ]
-then
-	. /etc/sysconfig/shorewall-init
-	if [ -z "$PRODUCTS" ]
-	then
-		exit 0
-	fi
-else
-	exit 0
-fi
-
-#
-# The installer may alter this
-#
-. /usr/share/shorewall/shorewallrc
-
-# set the STATEDIR variable
-setstatedir() {
-    local statedir
-    if [ -f ${CONFDIR}/${PRODUCT}/vardir ]; then
-	statedir=$( . /${CONFDIR}/${PRODUCT}/vardir && echo $VARDIR )
-    fi
-
-    [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARDIR}/${PRODUCT}
-
-    if [ ! -x $STATEDIR/firewall ]; then
-	if [ $PRODUCT = shorewall -o $PRODUCT = shorewall6 ]; then
-	    ${SBINDIR}/$PRODUCT compile
-	fi
-    fi
-}
-
-# Initialize the firewall
-shorewall_start () {
-  local PRODUCT
-  local STATEDIR
-
-  echo -n "Initializing \"Shorewall-based firewalls\": "
-  for PRODUCT in $PRODUCTS; do
-      setstatedir
-
-      if [ -x $STATEDIR/firewall ]; then
-	  if ! ${SBIN}/$PRODUCT status > /dev/null 2>&1; then
-	      $STATEDIR/$PRODUCT/firewall stop || echo_notdone
-	  fi
-      fi
-  done
-
-  if [ -n "$SAVE_IPSETS" -a -f "$SAVE_IPSETS" ]; then
-      ipset -R < "$SAVE_IPSETS"
-  fi
-
-  return 0
-}
-
-# Clear the firewall
-shorewall_stop () {
-  local PRODUCT
-  local STATEDIR
-
-  echo -n "Clearing \"Shorewall-based firewalls\": "
-  for PRODUCT in $PRODUCTS; do
-      setstatedir
-
-      if [ -x ${STATEDIR}/firewall ]; then
-	  ${STATEDIR}/firewall clear || exit 1
-      fi
-  done
-
-  if [ -n "$SAVE_IPSETS" ]; then
-      mkdir -p $(dirname "$SAVE_IPSETS")
-      if ipset -S > "${SAVE_IPSETS}.tmp"; then
-	  grep -qE -- '^(-N|create )' "${SAVE_IPSETS}.tmp" && mv -f "${SAVE_IPSETS}.tmp" "$SAVE_IPSETS"
-      fi
-  fi
-
-  return 0
-}
-
-case "$1" in
-  start)
-     shorewall_start
-     ;;
-  stop)
-     shorewall_stop
-     ;;
-  *)
-     echo "Usage: /etc/init.d/shorewall-init {start|stop}"
-     exit 1
-esac
-
-exit 0
--- a/Shorewall-init/install.sh
+++ b/Shorewall-init/install.sh
@@ -160,14 +160,7 @@ else
    usage 1
 fi

-if [ -z "${VARLIB}" ]; then
-    VARLIB=${VARDIR}
-    VARDIR=${VARLIB}/${PRODUCT}
-elif [ -z "${VARDIR}" ]; then
-    VARDIR=${VARLIB}/${PRODUCT}
-fi
-
-for var in SHAREDIR LIBEXECDIR CONFDIR SBINDIR VARLIB VARDIR; do
+for var in SHAREDIR LIBEXECDIR CONFDIR SBINDIR VARDIR; do
    require $var
 done

@@ -267,11 +260,6 @@ else
    first_install="Yes"
 fi

-if [ -n "$DESTDIR" ]; then
-    mkdir -p ${DESTDIR}${CONFDIR}/logrotate.d
-    chmod 755 ${DESTDIR}${CONFDIR}/logrotate.d
-fi
-
 #
 # Install the Firewall Script
 #
@@ -292,7 +280,6 @@ fi
 if [ -n "$SYSTEMD" ]; then
    mkdir -p ${DESTDIR}${SYSTEMD}
    run_install $OWNERSHIP -m 600 shorewall-init.service ${DESTDIR}${SYSTEMD}/shorewall-init.service
-    [ ${SBINDIR} != /sbin ] && eval sed -i \'s\|/sbin/\|${SBINDIR}/\|\' ${DESTDIR}${SYSTEMD}/shorewall-init.service
    echo "Service file installed as ${DESTDIR}${SYSTEMD}/shorewall-init.service"
    if [ -n "$DESTDIR" ]; then
 	mkdir -p ${DESTDIR}${SBINDIR}
@@ -305,35 +292,27 @@ fi
 #
 # Create /usr/share/shorewall-init if needed
 #
-mkdir -p ${DESTDIR}${SHAREDIR}/shorewall-init
-chmod 755 ${DESTDIR}${SHAREDIR}/shorewall-init
-
-#
-# Install logrotate file
-#
-if [ -d ${DESTDIR}${CONFDIR}/logrotate.d ]; then
-    run_install $OWNERSHIP -m 0644 logrotate ${DESTDIR}${CONFDIR}/logrotate.d/$PRODUCT
-    echo "Logrotate file installed as ${DESTDIR}${CONFDIR}/logrotate.d/$PRODUCT"
-fi
+mkdir -p ${DESTDIR}/usr/share/shorewall-init
+chmod 755 ${DESTDIR}/usr/share/shorewall-init

 #
 # Create the version file
 #
-echo "$VERSION" > ${DESTDIR}/${SHAREDIR}/shorewall-init/version
-chmod 644 ${DESTDIR}${SHAREDIR}/shorewall-init/version
+echo "$VERSION" > ${DESTDIR}/usr/share/shorewall-init/version
+chmod 644 ${DESTDIR}/usr/share/shorewall-init/version

 #
 # Remove and create the symbolic link to the init script
 #
 if [ -z "$DESTDIR" ]; then
-    rm -f ${SHAREDIR}/shorewall-init/init
+    rm -f /usr/share/shorewall-init/init
    ln -s ${INITDIR}/${INITFILE} ${SHAREDIR}/shorewall-init/init
 fi

 if [ $HOST = debian ]; then
    if [ -n "${DESTDIR}" ]; then
 	mkdir -p ${DESTDIR}/etc/network/if-up.d/
-	mkdir -p ${DESTDIR}/etc/network/if-down.d/
+	mkdir -p ${DESTDIR}/etc/network/if-post-down.d/
    fi

    if [ ! -f ${DESTDIR}/etc/default/shorewall-init ]; then
@@ -368,7 +347,7 @@ fi

 cp ifupdown.sh ifupdown

-[ "${SHAREDIR}" = /usr/share ] || eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ifupdown
+d[ "${SHAREDIR}" = /usr/share ] || eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ifupdown

 mkdir -p ${DESTDIR}${LIBEXECDIR}/shorewall-init

@@ -381,7 +360,6 @@ fi
 case $HOST in
    debian)
 	install_file ifupdown ${DESTDIR}/etc/network/if-up.d/shorewall 0544
-	install_file ifupdown ${DESTDIR}/etc/network/if-down.d/shorewall 0544
 	install_file ifupdown ${DESTDIR}/etc/network/if-post-down.d/shorewall 0544
 	;;
    suse)
@@ -404,12 +382,12 @@ if [ -z "$DESTDIR" ]; then
    if [ -n "$first_install" ]; then
 	if [ $HOST = debian ]; then
 	    
-	    update-rc.d shorewall-init enable
+	    update-rc.d shorewall-init defaults

 	    echo "Shorewall Init will start automatically at boot"
 	else
 	    if [ -n "$SYSTEMD" ]; then
-		if systemctl enable shorewall-init.service; then
+		if systemctl enable shorewall-init; then
 		    echo "Shorewall Init will start automatically at boot"
 		fi
 	    elif [ -x ${SBINDIR}/insserv -o -x /usr${SBINDIR}/insserv ]; then
--- a/Shorewall-init/logrotate
+++ b/Shorewall-init/logrotate
@@ -1,5 +0,0 @@
-/var/log/shorewall-ifupdown.log {
-  missingok
-  notifempty
-  create 0600 root root
-}
--- a/Shorewall-init/shorewall-init.service
+++ b/Shorewall-init/shorewall-init.service
@@ -13,8 +13,8 @@ Type=oneshot
 RemainAfterExit=yes
 EnvironmentFile=-/etc/sysconfig/shorewall-init
 StandardOutput=syslog
-ExecStart=/shorewall-init $OPTIONS start
-ExecStop=/shorewall-init $OPTIONS stop
+ExecStart=/sbin/shorewall-init $OPTIONS start
+ExecStop=/sbin/shorewall-init $OPTIONS stop

 [Install]
 WantedBy=multi-user.target
--- a/Shorewall-init/sysconfig
+++ b/Shorewall-init/sysconfig
@@ -16,8 +16,3 @@ IFUPDOWN=0
 # during 'start' and will save them there during 'stop'.
 #
 SAVE_IPSETS=""
-#
-# Where Up/Down events get logged
-#
-LOGFILE=/var/log/shorewall-ifupdown.log
-
--- a/Shorewall-lite/init.archlinux.sh
+++ b/Shorewall-lite/init.archlinux.sh
@@ -0,0 +1,58 @@
+#!/bin/bash
+
+OPTIONS="-f"
+
+if [ -f /etc/sysconfig/shorewall ] ; then
+	. /etc/sysconfig/shorewall
+elif [ -f /etc/default/shorewall ] ; then
+	. /etc/default/shorewall
+fi
+
+# if you want to override options, do so in /etc/sysconfig/shorewall or
+# in /etc/default/shorewall --
+# i strongly encourage you use the latter, since /etc/sysconfig/ does not exist.
+
+. /etc/rc.conf
+. /etc/rc.d/functions
+
+DAEMON_NAME="shorewall" # of course shorewall is NOT a deamon.
+
+case "$1" in
+	start)
+		stat_busy "Starting $DAEMON_NAME"
+		/sbin/shorewall-lite $OPTIONS start &>/dev/null
+		if [ $? -gt 0 ]; then
+			stat_fail
+		else
+			add_daemon $DAEMON_NAME
+			stat_done
+		fi
+		;;
+
+
+	stop)
+		stat_busy "Stopping $DAEMON_NAME"
+		/sbin/shorewall-lite stop &>/dev/null
+		if [ $? -gt 0 ]; then
+			stat_fail
+		else
+			rm_daemon $DAEMON_NAME
+			stat_done
+		fi
+		;;
+
+	restart|reload)
+		stat_busy "Restarting $DAEMON_NAME"
+		/sbin/shorewall-lite restart &>/dev/null
+		if [ $? -gt 0  ]; then
+			stat_fail
+		else
+			stat_done
+		fi
+		;;
+
+	*)
+		echo "usage: $0 {start|stop|restart}"
+esac
+exit 0
+
--- a/Shorewall-lite/init.fedora.sh
+++ b/Shorewall-lite/init.fedora.sh
--- a/Shorewall-lite/init.suse.sh
+++ b/Shorewall-lite/init.suse.sh
@@ -1,92 +0,0 @@
-#!/bin/sh
-#
-#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V4.5
-#
-#     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
-#
-#     (c) 1999,2000,2001,2002,2003,2004,2005,2006,2007,2012 - Tom Eastep (teastep@shorewall.net)
-#
-#	On most distributions, this file should be called /etc/init.d/shorewall.
-#
-#	Complete documentation is available at http://shorewall.net
-#
-#	This program is free software; you can redistribute it and/or modify
-#	it under the terms of Version 2 of the GNU General Public License
-#	as published by the Free Software Foundation.
-#
-#	This program is distributed in the hope that it will be useful,
-#	but WITHOUT ANY WARRANTY; without even the implied warranty of
-#	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-#	GNU General Public License for more details.
-#
-#	You should have received a copy of the GNU General Public License
-#	along with this program; if not, write to the Free Software
-#	Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-#
-#	If an error occurs while starting or restarting the firewall, the
-#	firewall is automatically stopped.
-#
-#	Commands are:
-#
-#	   shorewall start			  Starts the firewall
-#	   shorewall restart			  Restarts the firewall
-#	   shorewall reload			  Reload the firewall
-#						  (same as restart)
-#	   shorewall stop			  Stops the firewall
-#	   shorewall status			  Displays firewall status
-#
-
-
-### BEGIN INIT INFO
-# Provides:	  shorewall-lite
-# Required-Start: $network $remote_fs
-# Required-Stop:  
-# Default-Start:  2 3 5
-# Default-Stop:	  0 1 6
-# Description:	  starts and stops the shorewall firewall
-# Short-Description: Packet filtering firewall
-### END INIT INFO
-
-################################################################################
-# Give Usage Information						       #
-################################################################################
-usage() {
-    echo "Usage: $0 start|stop|reload|restart|status"
-    exit 1
-}
-
-################################################################################
-# Get startup options (override default)
-################################################################################
-OPTIONS=
-
-#
-# The installer may alter this
-#
-. /usr/share/shorewall/shorewallrc
-
-if [ -f ${SYSCONFDIR}/shorewall-lite ]; then
-    . ${SYSCONFDIR}/shorewall-lite
-fi
-
-SHOREWALL_INIT_SCRIPT=1
-
-################################################################################
-# E X E C U T I O N    B E G I N S   H E R E				       #
-################################################################################
-command="$1"
-
-case "$command" in
-    start)
-	exec ${SBINDIR}/shorewall-lite $OPTIONS start $STARTOPTIONS
-	;;
-    restart|reload)
-	exec ${SBINDIR}/shorewall-lite $OPTIONS restart $RESTARTOPTIONS
-	;;
-    status|stop)
-	exec ${SBINDIR}/shorewall-lite $OPTIONS $command $@
-	;;
-    *)
-	usage
-	;;
-esac
--- a/Shorewall-lite/install.sh
+++ b/Shorewall-lite/install.sh
@@ -171,14 +171,7 @@ else
    usage 1
 fi

-if [ -z "${VARLIB}" ]; then
-    VARLIB=${VARDIR}
-    VARDIR=${VARLIB}/${PRODUCT}
-elif [ -z "${VARDIR}" ]; then
-    VARDIR=${VARLIB}/${PRODUCT}
-fi
-
-for var in SHAREDIR LIBEXECDIRDIRDIR CONFDIR SBINDIR VARLIB VARDIR; do
+for var in SHAREDIR LIBEXECDIRDIRDIR CONFDIR SBINDIR VARDIR; do
    require $var
 done

@@ -189,6 +182,7 @@ PATH=${SBINDIR}:/bin:/usr${SBINDIR}:/usr/bin:/usr/local/bin:/usr/local${SBINDIR}
 #
 cygwin=
 INSTALLD='-D'
+INITFILE=$PRODUCT
 T='-T'

 if [ -z "$BUILD" ]; then
@@ -259,10 +253,7 @@ case "$HOST" in
    archlinux)
 	echo "Installing ArchLinux-specific configuration..."
 	;;
-    suse)
-	echo "Installing Suse-specific configuration..."
-	;;
-    linux)
+    linux|suse)
 	;;
    *)
 	echo "ERROR: Unknown HOST \"$HOST\"" >&2
@@ -280,11 +271,21 @@ if [ -n "$DESTDIR" ]; then

    install -d $OWNERSHIP -m 755 ${DESTDIR}/${SBINDIR}
    install -d $OWNERSHIP -m 755 ${DESTDIR}${INITDIR}
+
+    if [ -n "$SYSTEMD" ]; then
+	mkdir -p ${DESTDIR}/lib/systemd/system
+	INITFILE=
+    fi
 else
    if [ ! -f /usr/share/shorewall/coreversion ]; then
 	echo "$PRODUCT $VERSION requires Shorewall Core which does not appear to be installed" >&2
 	exit 1
    fi
+
+    if [ -f /lib/systemd/system ]; then
+	SYSTEMD=Yes
+	INITFILE=
+    fi
 fi

 echo "Installing $Product Version $VERSION"
@@ -302,8 +303,8 @@ if [ -z "$DESTDIR" -a -d ${CONFDIR}/$PRODUCT ]; then
 	mv -f ${CONFDIR}/$PRODUCT/shorewall.conf ${CONFDIR}/$PRODUCT/$PRODUCT.conf
 else
    rm -rf ${DESTDIR}${CONFDIR}/$PRODUCT
-    rm -rf ${DESTDIR}${SHAREDIR}/$PRODUCT
-    rm -rf ${DESTDIR}${VARDIR}
+    rm -rf ${DESTDIR}/usr/share/$PRODUCT
+    rm -rf ${DESTDIR}/var/lib/$PRODUCT
    [ "$LIBEXECDIR" = /usr/share ] || rm -rf ${DESTDIR}/usr/share/$PRODUCT/wait4ifup ${DESTDIR}/usr/share/$PRODUCT/shorecap
 fi

@@ -326,9 +327,9 @@ echo "$Product control program installed in ${DESTDIR}${SBINDIR}/$PRODUCT"
 # Create ${CONFDIR}/$PRODUCT, /usr/share/$PRODUCT and /var/lib/$PRODUCT if needed
 #
 mkdir -p ${DESTDIR}${CONFDIR}/$PRODUCT
-mkdir -p ${DESTDIR}${SHAREDIR}/$PRODUCT
+mkdir -p ${DESTDIR}/usr/share/$PRODUCT
 mkdir -p ${DESTDIR}${LIBEXECDIR}/$PRODUCT
-mkdir -p ${DESTDIR}${VARDIR}
+mkdir -p ${DESTDIR}/var/lib/$PRODUCT

 chmod 755 ${DESTDIR}${CONFDIR}/$PRODUCT
 chmod 755 ${DESTDIR}/usr/share/$PRODUCT
@@ -353,9 +354,7 @@ fi
 # Install the .service file
 #
 if [ -n "$SYSTEMD" ]; then
-    mkdir -p ${DESTDIR}${SYSTEMD}
    run_install $OWNERSHIP -m 600 $PRODUCT.service ${DESTDIR}/${SYSTEMD}/$PRODUCT.service
-    [ ${SBINDIR} != /sbin ] && eval sed -i \'s\|/sbin/\|${SBINDIR}/\|\' ${DESTDIR}${SYSTEMD}/$PRODUCT.service
    echo "Service file installed as ${DESTDIR}/lib/systemd/system/$PRODUCT.service"
 fi

@@ -404,7 +403,6 @@ echo "Common functions linked through ${DESTDIR}${SHAREDIR}/$PRODUCT/functions"
 #

 install_file shorecap ${DESTDIR}${LIBEXECDIR}/$PRODUCT/shorecap 0755
-[ $SHAREDIR = /usr/share ] || eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}/${LIBEXECDIR}/$PRODUCT/shorecap

 echo
 echo "Capability file builder installed in ${DESTDIR}${LIBEXECDIR}/$PRODUCT/shorecap"
@@ -500,7 +498,7 @@ if [ -z "$DESTDIR" -a -n "$first_install" -a -z "${cygwin}${mac}" ]; then
 	perl -p -w -i -e 's/^STARTUP_ENABLED=No/STARTUP_ENABLED=Yes/;s/^IP_FORWARDING=On/IP_FORWARDING=Keep/;s/^SUBSYSLOCK=.*/SUBSYSLOCK=/;' ${CONFDIR}/${PRODUCT}/${PRODUCT}.conf
 	update-rc.d $PRODUCT enable defaults
    elif [ -n "$SYSTEMD" ]; then
-	if systemctl enable ${PRODUCT}.service; then
+	if systemctl enable $PRODUCT; then
 	    echo "$Product will start automatically at boot"
 	fi
    elif mywhich insserv; then
--- a/Shorewall-lite/manpages/shorewall-lite.xml
+++ b/Shorewall-lite/manpages/shorewall-lite.xml
@@ -337,8 +337,6 @@

      <arg choice="plain"><option>show</option></arg>

-      <arg><option>-b</option></arg>
-
      <arg><option>-x</option></arg>

      <arg><option>-l</option></arg>
@@ -843,12 +841,6 @@
                Netfilter table to display. The default is <emphasis
                role="bold">filter</emphasis>.</para>

-                <para>The <emphasis role="bold">-b</emphasis> ('brief') option
-                causes rules which have not been used (i.e. which have zero
-                packet and byte counts) to be omitted from the output. Chains
-                with no rules displayed are also omitted from the
-                output.</para>
-
                <para>The <emphasis role="bold">-l</emphasis> option causes
                the rule number for each Netfilter rule to be
                displayed.</para>
--- a/Shorewall-lite/shorecap
+++ b/Shorewall-lite/shorecap
@@ -45,19 +45,17 @@
 #    used during firewall compilation, then the generated firewall program will likewise not
 #    require Shorewall to be installed.

-
+SHAREDIR=/usr/share/shorewall-lite
+VARDIR=/var/lib/shorewall-lite
+CONFDIR=/etc/shorewall-lite
 g_program=shorewall-lite
+g_product="Shorewall Lite"
+g_family=4
+g_base=shorewall
+g_basedir=/usr/share/shorewall-lite

-#
-# This is modified by the installer when ${SHAREDIR} != /usr/share
-#
-. /usr/share/shorewall/shorewallrc
-
-g_sharedir="$SHAREDIR"/shorewall-lite
-g_confdir="$CONFDIR"/shorewall-lite
-g_readrc=1
-
-. ${SHAREDIR}/shorewall/lib.cli
+. /usr/share/shorewall-lite/lib.base
+. /usr/share/shorewall/lib.cli
 . /usr/share/shorewall-lite/configpath

 [ -n "$PATH" ] || PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
--- a/Shorewall-lite/shorewall-lite
+++ b/Shorewall-lite/shorewall-lite
@@ -25,15 +25,17 @@
 #       For a list of supported commands, type 'shorewall help' or 'shorewall6 help'
 #
 ################################################################################################
-PRODUCT=shorewall-lite
+g_program=shorewall-lite

 #
 # This is modified by the installer when ${SHAREDIR} != /usr/share
 #
 . /usr/share/shorewall/shorewallrc

-g_program=$PRODUCT
+g_libexec="$LIBEXECDIR"
 g_sharedir="$SHAREDIR"/shorewall-lite
+g_sbindir="$SBINDIR"
+g_vardir="$VARDIR"
 g_confdir="$CONFDIR"/shorewall-lite
 g_readrc=1

--- a/Shorewall/Macros/macro.A_AllowICMPs
+++ b/Shorewall/Macros/macro.A_AllowICMPs
@@ -9,7 +9,7 @@
 #ACTION		SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
 #					PORT(S)	PORT(S)	LIMIT	GROUP

-?COMMENT Needed ICMP types
+COMMENT Needed ICMP types

 A_ACCEPT       -	-	icmp	fragmentation-needed
 A_ACCEPT       -	-	icmp	time-exceeded
--- a/Shorewall/Macros/macro.A_DropDNSrep
+++ b/Shorewall/Macros/macro.A_DropDNSrep
@@ -9,6 +9,6 @@
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
 #				PORT(S)	PORT(S)	LIMIT	GROUP

-?COMMENT Late DNS Replies
+COMMENT Late DNS Replies

 A_DROP	-	-	udp	-	53
--- a/Shorewall/Macros/macro.A_DropUPnP
+++ b/Shorewall/Macros/macro.A_DropUPnP
@@ -9,6 +9,6 @@
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
 #				PORT(S)	PORT(S)	LIMIT	GROUP

-?COMMENT UPnP
+COMMENT UPnP

 A_DROP	-	-	udp	1900
--- a/Shorewall/Macros/macro.ActiveDir
+++ b/Shorewall/Macros/macro.ActiveDir
@@ -1,40 +0,0 @@
-#
-# Shorewall version 4 - Samba 4 Macro
-#
-# /usr/share/shorewall/macro.ActiveDir
-#
-#       This macro handles ports for Samba 4 Active Directory Service
-#
-# You can comment out the ports you do not want open
-#
-# 
-###############################################################################
-#ACTION SOURCE  DEST    PROTO   DEST    SOURCE  RATE    USER/
-#                               PORT(S) PORT(S) LIMIT   GROUP
-PARAM   -       -       tcp     389 	#LDAP services
-PARAM   -       -       udp	389  
-PARAM   -       -       tcp     636	#LDAP SSL
-PARAM   -       -       tcp     3268	#LDAP GC
-PARAM   -       -       tcp     3269	#LDAP GC SSL
-PARAM   -       -       tcp     88	#Kerberos
-PARAM   -       -       udp	88
-
-# Use macro.DNS for DNS sevice
-
-PARAM   -       -       tcp     445	#Replication, User and Computer Authentication, Group Policy, Trusts
-PARAM   -       -       udp	445
-
-# Use macro.SMTP for Mail service
-
-PARAM   -       -       tcp     135	#RPC, EPM
-PARAM   -       -       tcp     5722	#RPC, DFSR (SYSVOL)
-PARAM   -       -       udp	123	#Windows Time
-PARAM   -       -       tcp     464	#Kerberosb change/set password
-PARAM   -       -       udp	464
-PARAM   -       -       udp	138	#DFS, Group Policy
-PARAM   -       -       tcp     9389	#SOAP
-PARAM   -       -       tcp     2535	#MADCAP
-PARAM   -       -       udp	2535
-PARAM   -       -       udp     137	#NetLogon, NetBIOS Name Resolution
-PARAM   -       -       tcp	139	#DFSN, NetBIOS Session Service, NetLogon    
-  
--- a/Shorewall/Macros/macro.AllowICMPs
+++ b/Shorewall/Macros/macro.AllowICMPs
@@ -9,7 +9,7 @@
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
 #				PORT(S)	PORT(S)	LIMIT	GROUP

-?COMMENT Needed ICMP types
+COMMENT Needed ICMP types

 DEFAULT ACCEPT
 PARAM	-	-	icmp	fragmentation-needed
--- a/Shorewall/Macros/macro.Amanda
+++ b/Shorewall/Macros/macro.Amanda
@@ -8,16 +8,9 @@
 #	files from those nodes.
 #
 ###############################################################################
-?FORMAT 2
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
 #				PORT(S)	PORT(S)	LIMIT	GROUP
-
-?if ( __CT_TARGET && ! $AUTOHELPERS && __AMANDA_HELPER )
- PARAM	-	-	udp	10080 ; helper=amanda
-?else
 PARAM	-	-	udp	10080
-?endif
-
 PARAM	-	-	tcp	10080
 #
 # You may also need this rule.  With AMANDA 2.4.4 on Linux kernel 2.6,
--- a/Shorewall/Macros/macro.BLACKLIST
+++ b/Shorewall/Macros/macro.BLACKLIST
@@ -8,8 +8,8 @@
 ###############################################################################
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
 #				PORT(S)	PORT(S)	LIMIT	GROUP
-?if $BLACKLIST_LOGLEVEL
+?IF $BLACKLIST_LOGLEVEL
 blacklog
-?else
+?ELSE
 $BLACKLIST_DISPOSITION
-?endif
+?ENDIF
--- a/Shorewall/Macros/macro.DropDNSrep
+++ b/Shorewall/Macros/macro.DropDNSrep
@@ -9,7 +9,7 @@
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
 #				PORT(S)	PORT(S)	LIMIT	GROUP

-?COMMENT Late DNS Replies
+COMMENT Late DNS Replies

 DEFAULT DROP
 PARAM	-	-	udp	-	53
--- a/Shorewall/Macros/macro.DropUPnP
+++ b/Shorewall/Macros/macro.DropUPnP
@@ -9,7 +9,7 @@
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
 #				PORT(S)	PORT(S)	LIMIT	GROUP

-?COMMENT UPnP
+COMMENT UPnP

 DEFAULT DROP
 PARAM	-	-	udp	1900
--- a/Shorewall/Macros/macro.FTP
+++ b/Shorewall/Macros/macro.FTP
@@ -6,11 +6,6 @@
 #	This macro handles FTP traffic.
 #
 ###############################################################################
-?FORMAT 2
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
 #				PORT(S)	PORT(S)	LIMIT	GROUP
-?if ( __CT_TARGET && ! $AUTOHELPERS && __FTP_HELPER  )
- PARAM	-	-	tcp	21 ; helper=ftp
-?else
 PARAM	-	-	tcp	21
-?endif
--- a/Shorewall/Macros/macro.IRC
+++ b/Shorewall/Macros/macro.IRC
@@ -6,12 +6,6 @@
 #	This macro handles IRC traffic (Internet Relay Chat).
 #
 ###############################################################################
-?FORMAT 2
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
 #				PORT(S)	PORT(S)	LIMIT	GROUP
-
-?if ( __CT_TARGET && ! $AUTOHELPERS && __IRC_HELPER  )
- PARAM	-	-	tcp	6667 ; helper=irc
-?else
 PARAM	-	-	tcp	6667
-?endif
--- a/Shorewall/Macros/macro.MSSQL
+++ b/Shorewall/Macros/macro.MSSQL
@@ -1,11 +0,0 @@
-#
-# Shorewall version 4 - MSSQL Macro
-#
-# /usr/share/shorewall/macro.MSSQL
-#
-#	This macro handles MSSQL (Microsoft SQL Server)
-#
-###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
-#				PORT(S)	PORT(S)	LIMIT	GROUP
-PARAM	-	-	tcp	1433
--- a/Shorewall/Macros/macro.PPtP
+++ b/Shorewall/Macros/macro.PPtP
@@ -6,14 +6,8 @@
 #	This macro handles PPTP traffic.
 #
 ###############################################################################
-?FORMAT 2
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
 #				PORT(S)	PORT(S)	LIMIT	GROUP
 PARAM	-	-	47
 PARAM	DEST	SOURCE	47
-
-?if ( __CT_TARGET && ! $AUTOHELPERS && __PPTP_HELPER )
- PARAM	-	-	tcp	1723 ; helper=pptp
-?else
 PARAM	-	-	tcp	1723
-?endif
--- a/Shorewall/Macros/macro.Puppet
+++ b/Shorewall/Macros/macro.Puppet
@@ -1,12 +0,0 @@
-#
-# Shorewall version 4 - Puppet Macro
-#
-# /usr/share/shorewall/macro.Puppet
-#
-#	This macro handles client-to-server for the Puppet configuration
-#	management system.
-#
-###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
-#				PORT(S)	PORT(S)	LIMIT	GROUP
-PARAM	-	-	tcp	8140
--- a/Shorewall/Macros/macro.Rfc1918
+++ b/Shorewall/Macros/macro.Rfc1918
@@ -7,7 +7,7 @@
 #############################################################################################
 #ACTION		SOURCE		DEST	PROTO	DEST	SOURCE	ORIGINAL	RATE	USER/
 #						PORT(S)	PORT(S)	DEST		LIMIT	GROUP
-?FORMAT 2
+FORMAT 2
 PARAM		SOURCE:10.0.0.0/8,172.16.0.0/12,192.168.0.0/16 \
 				DEST	-	-	-	-	-	-
 PARAM		SOURCE		DEST	-	-	-	10.0.0.0/8,172.16.0.0/12,192.168.0.0/16
--- a/Shorewall/Macros/macro.SANE
+++ b/Shorewall/Macros/macro.SANE
@@ -6,16 +6,9 @@
 #	This macro handles SANE network scanning.
 #
 ###############################################################################
-?FORMAT 2
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
 #				PORT(S)	PORT(S)	LIMIT	GROUP
-
-?if ( __CT_TARGET && ! $AUTOHELPERS && __SANE_HELPER )
- PARAM	-	-	tcp	6566 ; helper=sane
-?else
 PARAM	-	-	tcp	6566
-?endif
-
 #
 # Kernels 2.6.23+ has nf_conntrack_sane module which will handle
 # sane data connection.
--- a/Shorewall/Macros/macro.SIP
+++ b/Shorewall/Macros/macro.SIP
@@ -1,17 +0,0 @@
-#
-# Shorewall version 4 - SIP Macro
-#
-# /usr/share/shorewall/macro.SIP
-#
-#	This macro handles SIP traffic.
-#
-###############################################################################
-?FORMAT 2
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
-#				PORT(S)	PORT(S)	LIMIT	GROUP
-
-?if ( __CT_TARGET && ! $AUTOHELPERS && __SIP_HELPER  )
- PARAM	-	-	udp	5060 ; helper=sip
-?else
- PARAM	-	-	udp	5060
-?endif
--- a/Shorewall/Macros/macro.SMB
+++ b/Shorewall/Macros/macro.SMB
@@ -10,17 +10,9 @@
 #	between hosts you fully trust.
 #
 ###############################################################################
-?FORMAT 2
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
 #				PORT(S)	PORT(S)	LIMIT	GROUP
 PARAM	-	-	udp	135,445
-
-?if ( __CT_TARGET && ! $AUTOHELPERS && __NETBIOS_NS_HELPER )
- PARAM	-	-	udp	137 ; helper=netbios-ns
- PARAM	-	-	udp	138:139
-?else
 PARAM	-	-	udp	137:139
-?endif
-
 PARAM	-	-	udp	1024:	137
 PARAM	-	-	tcp	135,139,445
--- a/Shorewall/Macros/macro.SMBBI
+++ b/Shorewall/Macros/macro.SMBBI
@@ -10,28 +10,13 @@
 #	allow SMB traffic between hosts you fully trust.
 #
 ###############################################################################
-?FORMAT 2
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
 #				PORT(S)	PORT(S)	LIMIT	GROUP
 PARAM	-	-	udp	135,445
-
-?if ( __CT_TARGET && ! $AUTOHELPERS && __NETBIOS_NS_HELPER )
- PARAM	-	-	udp	137 ; helper=netbios-ns
- PARAM	-	-	udp	138:139
-?else
 PARAM	-	-	udp	137:139
-?endif
-
 PARAM	-	-	udp	1024:	137
 PARAM	-	-	tcp	135,139,445
 PARAM	DEST	SOURCE	udp	135,445
-
-?if ( __CT_TARGET && ! $AUTOHELPERS && __NETBIOS_NS_HELPER )
- PARAM	DEST	SOURCE	udp	137 ; helper=netbios-ns
- PARAM	DEST	SOURCE	udp	138:139
-?else
 PARAM	DEST	SOURCE	udp	137:139
-?endif
-
 PARAM	DEST	SOURCE	udp	1024:	137
 PARAM	DEST	SOURCE	tcp	135,139,445
--- a/Shorewall/Macros/macro.SNMP
+++ b/Shorewall/Macros/macro.SNMP
@@ -3,17 +3,10 @@
 #
 # /usr/share/shorewall/macro.SNMP
 #
-#	This macro handles SNMP traffic.
-#
-#       Note: To allow SNMP Traps, use the SNMPTrap macro
+#	This macro handles SNMP traffic (including traps).
 #
 ###############################################################################
-?FORMAT 2
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
 #				PORT(S)	PORT(S)	LIMIT	GROUP
-
-?if ( __CT_TARGET && ! $AUTOHELPERS && __SNMP_HELPER )
- PARAM	-	-  	udp     161 ; helper=snmp
-?else
- PARAM	-	-	udp	161
-?endif
+PARAM	-	-	udp	161:162
+PARAM	-	-	tcp	161
--- a/Shorewall/Macros/macro.SNMPTrap
+++ b/Shorewall/Macros/macro.SNMPTrap
@@ -1,12 +0,0 @@
-#
-# Shorewall version 4 - SNMP Trap Macro
-#
-# /usr/share/shorewall/macro.SNMP
-#
-#	This macro handles SNMP traps.
-#
-###############################################################################
-?FORMAT 2
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
-#				PORT(S)	PORT(S)	LIMIT	GROUP
-PARAM	-	-	udp	162
--- a/Shorewall/Macros/macro.TFTP
+++ b/Shorewall/Macros/macro.TFTP
@@ -8,12 +8,6 @@
 #	Internet.
 #
 ###############################################################################
-?FORMAT 2
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
 #				PORT(S)	PORT(S)	LIMIT	GROUP
-
-?if ( __CT_TARGET && ! $AUTOHELPERS && __TFTP_HELPER )
- PARAM	-	-	udp	69 ; helper=tftp
-?else
 PARAM	-	-	udp	69
-?endif
--- a/Shorewall/Macros/macro.Teredo
+++ b/Shorewall/Macros/macro.Teredo
@@ -1,11 +0,0 @@
-#
-# Shorewall version 4 - Teredo Macro
-#
-# /usr/share/shorewall/macro.Teredo
-#
-#	This macro handles Teredo IPv6 over UDP tunneling traffic
-#
-###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
-#				PORT(S)	PORT(S)	LIMIT	GROUP
-PARAM	-	-	udp	3544
--- a/Shorewall/Macros/macro.mDNS
+++ b/Shorewall/Macros/macro.mDNS
@@ -1,11 +1,9 @@
 #
-# Shorewall version 4 - Multicast DNS Macro -- this macro assumes that only
-#                       the DEST zone sends mDNS queries. If both zones send
-#                       queries, use the mDNSbi macro.
+# Shorewall version 4 - Multicast DNS Macro
 #
 # /usr/share/shorewall/macro.mDNS
 #
-#	This macro handles multicast DNS traffic
+#	This macro handles multicast DNS traffic.
 #
 ###############################################################################
 #ACTION	SOURCE	DEST			PROTO	DEST	SOURCE	RATE	USER/
--- a/Shorewall/Macros/macro.mDNSbi
+++ b/Shorewall/Macros/macro.mDNSbi
@@ -1,16 +0,0 @@
-#
-# Shorewall version 4 - Bi-directional Multicast DNS Macro.
-#
-# /usr/share/shorewall/macro.mDNSbi
-#
-#	This macro handles multicast DNS traffic
-#
-###############################################################################
-#ACTION	SOURCE	DEST			PROTO	DEST	SOURCE	RATE	USER/
-#						PORT(S)	PORT(S)	LIMIT	GROUP
-PARAM	-	224.0.0.251		udp	5353
-PARAM	-	-			udp	32768:	5353
-PARAM	-	224.0.0.251		2
-PARAM	DEST	SOURCE:224.0.0.251	udp	5353
-PARAM	DEST	SOURCE			udp	32768:	5353
-PARAM	DEST	SOURCE:224.0.0.251	2
--- a/Shorewall/Macros/macro.template
+++ b/Shorewall/Macros/macro.template
@@ -71,17 +71,9 @@
 #	Remaining		Any value in the rules file REPLACES the value
 #	columns			given in the macro file.
 #
-# Multiple parameters may be passed to a macro. Within this file, $1 refers to the first parameter,
-# $2 to the second an so on. $1 is a synonym for PARAM but may be used anywhere in the file whereas
-# PARAM may only be used in the ACTION column.
-#
-# You can specify default values for parameters by using DEFAULT or DEFAULTS entry:
-#
-#      DEFAULTS  <default for $1>,<default for $2>,...
-#
 #######################################################################################################
 #                                         DO NOT REMOVE THE FOLLOWING LINE
-?FORMAT 2
-#################################################################################################################################################################################################
-#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME         HEADERS         SWITCH        HELPER
+FORMAT 2
+####################################################################################################################################################################
+#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME         HEADERS
 #							PORT	PORT(S)		DEST		LIMIT		GROUP
--- a/Shorewall/Perl/Shorewall/ARP.pm
+++ b/Shorewall/Perl/Shorewall/ARP.pm
@@ -1,314 +0,0 @@
-#
-# Shorewall 4.5 -- /usr/share/shorewall/Shorewall/ARP.pm
-#
-#     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
-#
-#     (c) 2013 - Tom Eastep (teastep@shorewall.net)
-#
-#       Complete documentation is available at http://shorewall.net
-#
-#       This program is free software; you can redistribute it and/or modify
-#       it under the terms of Version 2 of the GNU General Public License
-#       as published by the Free Software Foundation.
-#
-#       This program is distributed in the hope that it will be useful,
-#       but WITHOUT ANY WARRANTY; without even the implied warranty of
-#       MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-#       GNU General Public License for more details.
-#
-#       You should have received a copy of the GNU General Public License
-#       along with this program; if not, write to the Free Software
-#       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-#
-#  This file is responsible for Shorewall's arptables support
-#
-package Shorewall::ARP;
-require Exporter;
-
-use Shorewall::Config qw(:DEFAULT :internal);
-use Shorewall::Zones;
-use Shorewall::IPAddrs;
-use strict;
-
-our @ISA = qw(Exporter);
-our @EXPORT = ( qw( process_arprules create_arptables_load preview_arptables_load ) );
-
-our %arp_table;
-our $arp_input;
-our $arp_output;
-our $arp_forward;
-our $sourcemac;
-our $destmac;
-our $addrlen;
-our $hw;
-our @builtins;
-our $arptablesjf;
-our @map = ( qw( 0 Request Reply Request_Reverse Reply_Reverse DRARP_Request DRARP_Reply DRARP_Error InARP_Request ARP_NAK ) );
-
-
-#
-# Handles the network and mac parts of the SOURCE ($source == 1 ) and DEST ($source == 0) columns in the arprules file.
-# Returns any match(es) specified.
-#
-sub match_arp_net( $$$ ) {
-    my ( $net, $mac, $source ) = @_;
-
-    my $return = '';
-
-    if ( supplied $net ) {
-	my $invert = ( $net =~ s/^!// ) ? '! ' : '';
-	validate_net $net, 0;
-	$return = $source ? "-s ${invert}$net " : "-d ${invert}$net ";
-    }
-
-    if ( supplied $mac ) {
-	my ( $addr , $mask ) = split( '/', $mac, 2 );
-
-	my $invert = ( $addr =~ s/^!// ) ? '! ' : '';
-
-	fatal_error "Invalid MAC address ($addr)" unless $addr =~ /^(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}$/;
-	if ( supplied $mask ) {
-	    fatal_error "Invalid MAC Mask ($mask)" unless $mask =~ /^(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}$/;
-	    $return .= $source ? "$sourcemac $invert$addr/$mask " : "$destmac $invert$addr/mask ";
-	} else {
-	    $return .= $source ? "$sourcemac $invert$addr " : "$destmac $invert$addr ";
-	}
-    }
-
-    $return;
-}
-
-#
-# Process a rule in the arprules file
-#
-sub process_arprule() {
-    my ( $originalaction, $source, $dest, $opcode ) = split_line( 'arprules file entry', {action => 0, source => 1, dest => 2, opcode => 3 } );
-
-    my $chainref;
-    my $iifaceref;
-    my $iiface;
-    my $difaceref;
-    my $diface;
-    my $saddr;
-    my $smac;
-    my $daddr;
-    my $dmac;
-    my $rule = '';
-
-    fatal_error "ACTION must be specified" if $originalaction eq '-';
-
-    my ( $action, $newaddr ) = split( ':', $originalaction, 2 );
-
-    my %functions = ( DROP   => sub() { $rule .= "-j DROP" },
-		      ACCEPT => sub() { $rule .= "-j ACCEPT" },
-		      SNAT   => sub() { validate_address $newaddr, 0;
-					$rule .= "-j mangle --mangle-ip-s $newaddr"; },
-		      DNAT   => sub() { validate_address $newaddr, 0;
-					$rule .= "-j mangle --mangle-ip-d $newaddr"; },
-		      SMAT   => sub() { fatal_error "Invalid MAC address ($newaddr)" unless $newaddr =~ /^(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}$/;
-					$rule .= "$addrlen 6 -j mangle --mangle-$hw-s $newaddr"; },
-		      DMAT   => sub() { fatal_error "Invalid MAC address ($newaddr)" unless $newaddr =~ /^(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}$/;
-					$rule .= "$addrlen 6 -j mangle --mangle-$hw-d $newaddr"; },
-		      SNATC  => sub() { validate_address $newaddr, 0;
-					$rule .= "-j mangle --mangle-ip-s $newaddr --mangle-target CONTINUE"; },
-		      DNATC  => sub() { validate_address $newaddr, 0;
-					$rule .= "-j mangle --mangle-ip-d $newaddr --mangle-target CONTINUE"; },
-		      SMATC  => sub() { fatal_error "Invalid MAC address ($newaddr)" unless $newaddr =~ /^(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}$/;
-					$rule .= "$addrlen 6 -j mangle --mangle-$hw-s $newaddr --mangle-target CONTINUE"; },
-		      DMATC  => sub() { fatal_error "Invalid MAC address ($newaddr)" unless $newaddr =~ /^(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}$/;
-					$rule .= "$addrlen 6 -j mangle --mangle-$hw-d $newaddr --mangle-target CONTINUE"; },
-		    );
-
-    if ( supplied $newaddr ) {
-	fatal_error "The $action ACTION does not allow a new address" unless $action =~ /^(?:SNAT|DNAT|SMAT|DMAT)C?$/;
-    } else {
-	fatal_error "The $action ACTION requires a new address" if $action =~ /^(?:SNAT|DNAT|SMAT|DMAT)C?$/;
-    }
-
-    my $function = $functions{$action};
-
-    fatal_error "Unknown ACTION ($action)" unless $function;
-
-    if ( $source ne '-' ) {
-	( $iiface, $saddr, $smac ) = split /:/, $source, 3;
-
-	fatal_error "SOURCE interface missing" unless supplied $iiface; 
-
-	$iiface = ( $iifaceref = find_interface( $iiface ) )->{physical};
-
-	fatal_error "Wildcard Interfaces ( $iiface )may not be used in this context" if $iiface =~ /\+$/;
-
-	$rule .= "-i $iiface ";
-	$rule .= match_arp_net( $saddr , $smac, 1 ) if supplied( $saddr );
-	$chainref = $arp_input;
-    }
-
-    if ( $dest ne '-' ) {
-	( $diface, $daddr, $dmac ) = split /:/, $dest, 3;
-
-	fatal_error "DEST interface missing" unless supplied $diface; 
-
-	$diface = ( $difaceref = find_interface( $diface ) )->{physical};
-
-	fatal_error "A wildcard interfaces ( $diface) may not be used in this context" if $diface =~ /\+$/;
-
-	if ( $iiface ) {
-	    fatal_error "When both SOURCE and DEST are given, the interfaces must be ports on the same bridge"
-		if $iifaceref->{bridge} ne $difaceref->{bridge};
-	    $chainref = $arp_forward;
-	} else {
-	    $chainref = $arp_output;
-	}
-
-	$rule .= "-o $diface ";
-	$rule .= match_arp_net( $daddr , $dmac, 0 ) if supplied( $daddr );
-
-    }
-
-    if ( $opcode ne '-' ) {
-	my $invert = ( $opcode =~ s/^!// ) ? '! ' : '';
-	warning_message q(arptables versions through 0.3.4 ignore '!' after '--opcode') if $invert && ! $arptablesjf;
-	fatal_error "Invalid ARP OPCODE ($opcode)" unless $opcode =~ /^\d$/ && $opcode;
-	$rule .= $arptablesjf ? " --arpop ${invert}$map[$opcode] " : "--opcode ${invert}$opcode ";
-    }
-
-    $function ->();
-
-    fatal_error "Either SOURCE or DEST must be specified" unless $chainref;
-
-    push @$chainref, $rule;
-
-}
-
-#
-# Process the arprules file -- returns true if there were any arp rules
-#
-sub process_arprules() {
-    my $result = 0;
-
-    if ( $arptablesjf = have_capability 'ARPTABLESJF' ) {
-	$arp_input  = $arp_table{IN}       = [];
-	$arp_output = $arp_table{OUT}      = [];
-	$arp_forward = $arp_table{FORWARD} = [];
-	@builtins = qw( IN OUT FORWARD );
-	$sourcemac = '-z';
-	$destmac   = '-y';
-	$addrlen   = '--arhln';
-	$hw        = 'hw';
-    } else {
-	$arp_input   = $arp_table{INPUT}   = [];
-	$arp_output  = $arp_table{OUTPUT}  = [];
-	$arp_forward = $arp_table{FORWARD} = [];
-	@builtins = qw( INPUT OUTPUT FORWARD );
-	$sourcemac = '--source-mac';
-	$destmac   = '--destination-mac';
-	$addrlen   = '--h-length';
-	$hw        = 'mac';
-    }
-
-    my $fn = open_file 'arprules';
-
-    if ( $fn ) {
-	first_entry( sub() {
-			 $result = 1;
-			 progress_message2 "$doing $fn..."; }
-		   );
-	process_arprule while read_a_line( NORMAL_READ );
-    }
-
-    $result;
-}
-
-#
-# Generate the arptables_load() function
-#
-sub create_arptables_load( $ ) {
-    my $test = shift;
-
-    emit ( '#',
-	   '# Create the input to arptables-restore and pass that input to the utility',
-	   '#',
-	   'setup_arptables()',
-	   '{'
-	   );
-
-    push_indent;
-
-    save_progress_message "Preparing arptables-restore input...";
-
-    emit '';
-
-    emit "exec 3>\${VARDIR}/.arptables-input";
-
-    my $date = localtime;
-
-    unless ( $test ) {
-	emit_unindented '#';
-	emit_unindented "# Generated by Shorewall $globals{VERSION} - $date";
-	emit_unindented '#';
-    }
-
-    emit '';
-    emit 'cat >&3 << __EOF__';
-
-    emit_unindented "*filter";
-
-    emit_unindented ":$_ ACCEPT" for @builtins;
-
-    for ( @builtins ) {
-	my $rules = $arp_table{$_};
-
-	while ( my $rule = shift @$rules ) {
-	    emit_unindented "-A $_ $rule";
-	}
-    }
-
-    emit_unindented "COMMIT\n" if $arptablesjf;
-
-    emit_unindented "__EOF__";
-
-    #
-    # Now generate the actual ip[6]tables-restore command
-    #
-    emit(  'exec 3>&-',
-	   '',
-	   'progress_message2 "Running $ARPTABLES_RESTORE..."',
-	   '',
-	   'cat ${VARDIR}/.arptables-input | $ARPTABLES_RESTORE # Use this nonsensical form to appease SELinux',
-	   'if [ $? != 0 ]; then',
-	   qq(    fatal_error "arptables-restore Failed. Input is in \${VARDIR}/.arptables-input"),
-	   "fi\n",
-	   "run_ip neigh flush nud stale nud reachable\n",
-	   );    
-
-    pop_indent;
-    emit "}\n";
-}	  
-
-#
-# Preview the generated ARP rules
-#
-sub preview_arptables_load() {
-
-    my $date = localtime;
-
-    print "#\n# Generated by Shorewall $globals{VERSION} - $date\n#\n";
-
-    print "*filter\n";
-
-    print ":$_ ACCEPT\n" for qw( INPUT OUTPUT FORWARD );
-
-    for ( @builtins ) {
-	my $rules = $arp_table{$_};
-
-	while ( my $rule = shift @$rules ) {
-	    print "-A $rule\n";
-	}
-    }
-
-    print "COMMIT\n" if $arptablesjf;
-
-    print "\n";
-}	  
-
-1;
--- a/Shorewall/Perl/Shorewall/Accounting.pm
+++ b/Shorewall/Perl/Shorewall/Accounting.pm
@@ -3,7 +3,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007,2008,2009,2010,2011,2012,2013 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007,2008,2009,2010,2011 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
@@ -40,17 +40,17 @@ our $VERSION = 'MODULEVERSION';
 #
 # Per-IP accounting tables. Each entry contains the associated network.
 #
-our %tables;
+my %tables;

-our $jumpchainref;
-our %accountingjumps;
-our $asection;
-our $defaultchain;
-our $ipsecdir;
-our $defaultrestriction;
-our $restriction;
-our $sectionname;
-our $acctable;
+my $jumpchainref;
+my %accountingjumps;
+my $asection;
+my $defaultchain;
+my $defaultrestriction;
+my $restriction;
+my $accounting_commands = { COMMENT => 0, SECTION => 2 };
+my $sectionname;
+my $acctable;

 #
 # Sections in the Accounting File
@@ -92,7 +92,6 @@ sub initialize() {
    # These are the legacy values
    #
    $defaultchain       = 'accounting';
-    $ipsecdir           = '';
    $defaultrestriction = NO_RESTRICT;
    $sectionname        = '';
 }
@@ -112,25 +111,20 @@ sub process_section ($) {

    if ( $sectionname eq 'INPUT' ) {
 	$defaultchain = 'accountin';
-	$ipsecdir     = 'in';
 	$defaultrestriction = INPUT_RESTRICT;
    } elsif ( $sectionname eq 'OUTPUT' ) {
 	$defaultchain = 'accountout';
-	$ipsecdir     = 'out';
 	$defaultrestriction = OUTPUT_RESTRICT;
    } elsif ( $sectionname eq 'FORWARD' ) {
 	$defaultchain = 'accountfwd';
-	$ipsecdir     = '';
 	$defaultrestriction = NO_RESTRICT;
     } else {
 	 fatal_error "The $sectionname SECTION is not allowed when ACCOUNTING_TABLE=filter" unless $acctable eq 'mangle';
 	 if ( $sectionname eq 'PREROUTING' ) {
 	     $defaultchain = 'accountpre';
-	     $ipsecdir     = 'in';
 	     $defaultrestriction = PREROUTE_RESTRICT;
 	 } else {
 	     $defaultchain = 'accountpost';
-	     $ipsecdir     = 'out';
 	     $defaultrestriction = POSTROUTE_RESTRICT;
 	 }
     }
@@ -141,14 +135,27 @@ sub process_section ($) {
 #
 # Accounting
 #
-sub process_accounting_rule1( $$$$$$$$$$$ ) {
-
-    my ($action, $chain, $source, $dest, $proto, $ports, $sports, $user, $mark, $ipsec, $headers ) = @_;
+sub process_accounting_rule( ) {

    $acctable = $config{ACCOUNTING_TABLE};

    $jumpchainref = 0;

+    my ($action, $chain, $source, $dest, $proto, $ports, $sports, $user, $mark, $ipsec, $headers ) =
+	split_line1 'Accounting File', { action => 0, chain => 1, source => 2, dest => 3, proto => 4, dport => 5, sport => 6, user => 7, mark => 8, ipsec => 9, headers => 10 }, $accounting_commands;
+
+    fatal_error 'ACTION must be specified' if $action eq '-';
+
+    if ( $action eq 'COMMENT' ) {
+	process_comment;
+	return 0;
+    }
+
+    if ( $action eq 'SECTION' ) {
+	process_section( $chain );
+	return 0;
+    }
+
    $asection = LEGACY if $asection < 0;

    our $disposition = '';
@@ -222,11 +229,6 @@ sub process_accounting_rule1( $$$$$$$$$$$ ) {
 	    }
 	} elsif ( $action =~ /^NFLOG/ ) {
 	    $target = validate_level $action;
-	} elsif ( $action =~ /^NFACCT\((\w+)\)$/ ) {
-	    require_capability 'NFACCT_MATCH', 'The NFACCT action', 's';
-	    $nfobjects{$1} = 1;
-	    $target = '';
-	    $rule .= "-m nfacct --nfacct-name $1 ";
 	} else {
 	    ( $action, my $cmd ) = split /:/, $action;

@@ -283,21 +285,7 @@ sub process_accounting_rule1( $$$$$$$$$$$ ) {
    }

    my $chainref = $chain_table{$config{ACCOUNTING_TABLE}}{$chain};
-    my $dir = $ipsecdir;
-
-    if ( $asection && $ipsec ne '-' ) {
-	if ( $ipsecdir ) {
-	    fatal_error "Invalid IPSEC ($ipsec)" if $ipsec =~ /^(?:in|out)\b/;
-	} else {
-	    if ( $ipsec =~ s/^(?:(in|out)\b)// ) {
-		$dir = $1;
-	    } else {
-		fatal_error q(IPSEC rules in the $asection section require that the value begin with 'in' or 'out');
-	    }
-	}
-
-	$rule .= do_ipsec( $dir, $ipsec );
-    }
+    my $dir;

    if ( ! $chainref ) {
 	if ( reserved_chain_name( $chain ) ) {
@@ -309,7 +297,6 @@ sub process_accounting_rule1( $$$$$$$$$$$ ) {
 	    $chainref = ensure_accounting_chain $chain, 0 , $restriction;
 	}

-	unless ( $asection ) {
 	$dir      = ipsec_chain_name( $chain );

 	if ( $ipsec ne '-' ) {
@@ -323,11 +310,9 @@ sub process_accounting_rule1( $$$$$$$$$$$ ) {
 	    warning_message "Adding rule to unreferenced accounting chain $chain" unless reserved_chain_name( $chain );
 	    $chainref->{ipsec} = $dir;
 	}
-	}
    } else {
 	fatal_error "$chain is not an accounting chain" unless $chainref->{accounting};

-	unless ( $asection ) {
 	if ( $ipsec ne '-' ) {
 	    $dir = $chainref->{ipsec};
 	    fatal_error "Adding an IPSEC rule into a non-IPSEC chain is not allowed" unless $dir;
@@ -336,7 +321,6 @@ sub process_accounting_rule1( $$$$$$$$$$$ ) {
 	    $restriction |= $chainref->{restriction};
 	}
    }
-    }

    set_optflags( $chainref, DONT_OPTIMIZE ) if $target eq 'RETURN';

@@ -382,6 +366,7 @@ sub process_accounting_rule1( $$$$$$$$$$$ ) {
 	} else {
 	    $jumpchainref->{ipsec} = $chainref->{ipsec};
 	}
+
    }

    if ( $rule2 ) {
@@ -401,31 +386,9 @@ sub process_accounting_rule1( $$$$$$$$$$$ ) {
    return 1;
 }

-sub process_accounting_rule( ) {
-
-    my ($action, $chain, $source, $dest, $protos, $ports, $sports, $user, $mark, $ipsec, $headers ) =
-	split_line1 'Accounting File', { action => 0, chain => 1, source => 2, dest => 3, proto => 4, dport => 5, sport => 6, user => 7, mark => 8, ipsec => 9, headers => 10 };
-
-    my $nonempty = 0;
-
-    for my $proto ( split_list $protos, 'Protocol' ) {
-	fatal_error 'ACTION must be specified' if $action eq '-';
-
-	if ( $action eq 'SECTION' ) {
-	    process_section( $chain );
-	} else {
-	    for my $proto ( split_list $protos, 'Protocol' ) {
-		$nonempty |= process_accounting_rule1( $action, $chain, $source, $dest, $proto, $ports, $sports, $user, $mark, $ipsec, $headers );
-	    }
-	}
-    }
-
-    $nonempty;
-}
-
 sub setup_accounting() {

-    if ( my $fn = open_file 'accounting', 1, 1 ) {
+    if ( my $fn = open_file 'accounting' ) {

 	first_entry "$doing $fn...";

@@ -433,6 +396,8 @@ sub setup_accounting() {

 	$nonEmpty |= process_accounting_rule while read_a_line( NORMAL_READ );

+	clear_comment;
+
 	if ( $nonEmpty ) {
 	    my $tableref = $chain_table{$acctable};

--- a/Shorewall/Perl/Shorewall/Chains.pm
+++ b/Shorewall/Perl/Shorewall/Chains.pm
--- a/Shorewall/Perl/Shorewall/Compiler.pm
+++ b/Shorewall/Perl/Shorewall/Compiler.pm
@@ -4,7 +4,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007,2008,2009,2010,2011,2012,2013 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007,2008,2009,2010,2011,2012 - Tom Eastep (teastep@shorewall.net)
 #
 #	Complete documentation is available at http://shorewall.net
 #
@@ -34,9 +34,9 @@ use Shorewall::Accounting;
 use Shorewall::Rules;
 use Shorewall::Proc;
 use Shorewall::Proxyarp;
+use Shorewall::IPAddrs;
 use Shorewall::Raw;
 use Shorewall::Misc;
-use Shorewall::ARP;

 use strict;

@@ -45,19 +45,17 @@ our @EXPORT = qw( compiler );
 our @EXPORT_OK = qw( $export );
 our $VERSION = 'MODULEVERSION';

-our $export;
+my $export;

-our $test;
+my $test;

-our $family;
-
-our $have_arptables;
+my $family;

 #
 # Initilize the package-globals in the other modules
 #
-sub initialize_package_globals( $$$ ) {
-    Shorewall::Config::initialize($family, $_[1], $_[2]);
+sub initialize_package_globals( $$ ) {
+    Shorewall::Config::initialize($family, $_[1]);
    Shorewall::Chains::initialize ($family, 1, $export );
    Shorewall::Zones::initialize ($family, $_[0]);
    Shorewall::Nat::initialize;
@@ -160,7 +158,7 @@ sub generate_script_2() {

    push_indent;

-    if ( $shorewallrc1{TEMPDIR} ) {
+    if ( $shorewallrc{TEMPDIR} ) {
 	emit( '',
 	      qq(TMPDIR="$shorewallrc{TEMPDIR}") ,
 	      q(export TMPDIR) );
@@ -170,14 +168,14 @@ sub generate_script_2() {
 	emit( 'g_family=4' );

 	if ( $export ) {
-	    emit ( qq(g_confdir=$shorewallrc1{CONFDIR}/shorewall-lite),
+	    emit ( qq(g_confdir=$shorewallrc{CONFDIR}/shorewall-lite),
 		   'g_product="Shorewall Lite"',
 		   'g_program=shorewall-lite',
 		   'g_basedir=/usr/share/shorewall-lite',
-		   qq(CONFIG_PATH="$shorewallrc1{CONFDIR}/shorewall-lite:$shorewallrc1{SHAREDIR}/shorewall-lite") ,
+		   qq(CONFIG_PATH="$shorewallrc{CONFDIR}/shorewall-lite:$shorewallrc{SHAREDIR}/shorewall-lite") ,
 		 );
 	} else {
-	    emit ( qq(g_confdir=$shorewallrc1{CONFDIR}/shorewall),
+	    emit ( qq(g_confdir=$shorewallrc{CONFDIR}/shorewall),
 		   'g_product=Shorewall',
 		   'g_program=shorewall',
 		   'g_basedir=/usr/share/shorewall',
@@ -188,14 +186,14 @@ sub generate_script_2() {
 	emit( 'g_family=6' );

 	if ( $export ) {
-	    emit ( qq(g_confdir=$shorewallrc1{CONFDIR}/shorewall6-lite),
+	    emit ( qq(g_confdir=$shorewallrc{CONFDIR}/shorewall6-lite),
 		   'g_product="Shorewall6 Lite"',
 		   'g_program=shorewall6-lite',
 		   'g_basedir=/usr/share/shorewall6',
-		   qq(CONFIG_PATH="$shorewallrc1{CONFDIR}/shorewall6-lite:$shorewallrc{SHAREDIR}/shorewall6-lite") ,
+		   qq(CONFIG_PATH="$shorewallrc{CONFDIR}/shorewall6-lite:$shorewallrc{SHAREDIR}/shorewall6-lite") ,
 		 );
 	} else {
-	    emit ( qq(g_confdir=$shorewallrc1{CONFDIR}/shorewall6),
+	    emit ( qq(g_confdir=$shorewallrc{CONFDIR}/shorewall6),
 		   'g_product=Shorewall6',
 		   'g_program=shorewall6',
 		   'g_basedir=/usr/share/shorewall',
@@ -205,8 +203,20 @@ sub generate_script_2() {
    }

    emit( '[ -f ${g_confdir}/vardir ] && . ${g_confdir}/vardir' );
-    emit ( qq([ -n "\${VARDIR:=$shorewallrc1{VARDIR}}" ]) );
-    emit ( qq([ -n "\${VARLIB:=$shorewallrc1{VARLIB}}" ]) );
+
+    if ( $family == F_IPV4 ) {
+	if ( $export ) {
+	    emit ( '[ -n "${VARDIR:=' . $shorewallrc{VARDIR} . '/shorewall-lite}" ]' );
+	} else {
+	    emit ( '[ -n "${VARDIR:=' . $shorewallrc{VARDIR} . '/shorewall}" ]' );
+	}
+    } else {
+	if ( $export ) {
+	    emit ( '[ -n "${VARDIR:=' . $shorewallrc{VARDIR} . '/shorewall6-lite}" ]' );
+	} else {
+	    emit ( '[ -n "${VARDIR:=' . $shorewallrc{VARDIR} . '/shorewall6}" ]' );
+	}
+    }

    emit 'TEMPFILE=';

@@ -229,22 +239,6 @@ sub generate_script_2() {

    set_chain_variables;

-    my $need_arptables = $have_arptables || $config{SAVE_ARPTABLES};
-
-    if ( my $arptables = $config{ARPTABLES} ) {
-	emit( qq(ARPTABLES="$arptables"),
-	      '[ -x "$ARPTABLES" ] || startup_error "ARPTABLES=$ARPTABLES does not exist or is not executable"',
-	    );
-    } elsif ( $need_arptables ) {
-	emit( '[ -z "$ARPTABLES" ] && ARPTABLES=$(mywhich arptables)',
-	      '[ -n "$ARPTABLES" -a -x "$ARPTABLES" ] || startup_error "Can\'t find arptables executable"' );
-    }
-
-    if ( $need_arptables ) {
-	emit( 'ARPTABLES_RESTORE=${ARPTABLES}-restore',
-	      '[ -x "$ARPTABLES_RESTORE" ] || startup_error "$ARPTABLES_RESTORE does not exist or is not executable"' );
-    }
-
    if ( $config{EXPORTPARAMS} ) {
 	append_file 'params';
    } else {
@@ -342,7 +336,6 @@ sub generate_script_3($) {
    }

    create_netfilter_load( $test );
-    create_arptables_load( $test ) if $have_arptables;
    create_chainlist_reload( $_[0] );

    emit "#\n# Start/Restart the Firewall\n#";
@@ -375,7 +368,6 @@ sub generate_script_3($) {
    emit '';

    load_ipsets;
-    create_nfobjects;

    if ( $family == F_IPV4 ) {
 	emit ( 'if [ "$COMMAND" = refresh ]; then' ,
@@ -385,8 +377,8 @@ sub generate_script_3($) {
 	       'fi',
 	       '' );

-	verify_address_variables;
 	save_dynamic_chains;
+
 	mark_firewall_not_started;

 	emit ( '',
@@ -414,7 +406,6 @@ sub generate_script_3($) {
 	       'fi',
 	       '' );

-	verify_address_variables;
 	save_dynamic_chains;
 	mark_firewall_not_started;

@@ -470,76 +461,59 @@ sub generate_script_3($) {
 	  '    if [ -f $iptables_save_file ]; then' );

    if ( $family == F_IPV4 ) {
-	emit( '        cat $iptables_save_file | $IPTABLES_RESTORE # Use this nonsensical form to appease SELinux' );
-
-	emit( '',
-	      '        arptables_save_file=${VARDIR}/$(basename $0)-arptables',
-	      '        if [ -f $arptables_save_file ]; then',
-	      '            cat $arptables_save_file | $ARPTABLES_RESTORE',
-	      '        fi')
-	    if $config{SAVE_ARPTABLES};
-
+	emit '        cat $iptables_save_file | $IPTABLES_RESTORE # Use this nonsensical form to appease SELinux'
    } else {
 	emit '        cat $iptables_save_file | $IP6TABLES_RESTORE # Use this nonsensical form to appease SELinux'
    }

-    emit( '    else',
-	  '       fatal_error "$iptables_save_file does not exist"',
-	  '    fi',
-	  ''
-	);
-
-    push_indent;
+    emit<<'EOF';
+    else
+        fatal_error "$iptables_save_file does not exist"
+    fi
+EOF
+    pop_indent;
    setup_load_distribution;
    setup_forwarding( $family , 1 );
-    pop_indent;
+    push_indent;

    my $config_dir = $globals{CONFIGDIR};

    emit<<"EOF";
    set_state Started $config_dir
    run_restored_exit
-elif [ \$COMMAND = refresh ]; then
+else
+    if [ \$COMMAND = refresh ]; then
        chainlist_reload
 EOF
-    push_indent;
    setup_load_distribution;
    setup_forwarding( $family , 0 );
-    pop_indent;
-    #
-    # Use a parameter list rather than 'here documents' to avoid an extra blank line
-    #
-    emit(
-'    run_refreshed_exit',
+
+    emit( '        run_refreshed_exit' ,
 	  '        do_iptables -N shorewall' ,
 	  "        set_state Started $config_dir" ,
-'    [ $0 = ${VARDIR}/firewall ] || cp -f $(my_pathname) ${VARDIR}/firewall',
 	  '    else' ,
-'    setup_netfilter'
-	);
-    push_indent;
-    emit 'setup_arptables' if $have_arptables;
-    setup_load_distribution;
-    pop_indent;
+	  '        setup_netfilter' );

-    emit<<'EOF';
+    setup_load_distribution;
+
+    emit<<"EOF";
        conditionally_flush_conntrack
 EOF
-    push_indent;
-    initialize_switches;
    setup_forwarding( $family , 0 );
-    pop_indent;

    emit<<"EOF";
        run_start_exit
        do_iptables -N shorewall
        set_state Started $config_dir
-    [ \$0 = \${VARDIR}/firewall ] || cp -f \$(my_pathname) \${VARDIR}/firewall
        run_started_exit
    fi
+
 EOF

    emit<<'EOF';
+    [ $0 = ${VARDIR}/firewall ] || cp -f $(my_pathname) ${VARDIR}/firewall
+fi
+
 date > ${VARDIR}/restarted

 case $COMMAND in
@@ -571,12 +545,11 @@ EOF
 #
 sub compiler {

-    my ( $scriptfilename, $directory, $verbosity, $timestamp , $debug, $chains , $log , $log_verbosity, $preview, $confess , $update , $annotate , $convert, $config_path, $shorewallrc                      , $shorewallrc1 , $directives ) =
-       ( '',              '',         -1,          '',          0,      '',       '',   -1,             0,        0,         0,        0,        , 0       , ''          , '/usr/share/shorewall/shorewallrc', ''            , 0 );
+    my ( $scriptfilename, $directory, $verbosity, $timestamp , $debug, $chains , $log , $log_verbosity, $preview, $confess , $update , $annotate , $convert, $config_path, $shorewallrc ) =
+       ( '',              '',         -1,          '',          0,      '',       '',   -1,             0,        0,         0,        0,        , 0       , ''          , '');

    $export = 0;
    $test   = 0;
-    $have_arptables = 0;

    sub validate_boolean( $ ) {
 	 my $val = numeric_value( shift );
@@ -610,10 +583,8 @@ sub compiler {
 		  update        => { store => \$update,        validate=> \&validate_boolean    } ,
 		  convert       => { store => \$convert,       validate=> \&validate_boolean    } ,
 		  annotate      => { store => \$annotate,      validate=> \&validate_boolean    } ,
-		  directives    => { store => \$directives,    validate=> \&validate_boolean    } ,
 		  config_path   => { store => \$config_path } ,
 		  shorewallrc   => { store => \$shorewallrc } ,
-		  shorewallrc1  => { store => \$shorewallrc1 } ,
 		);
    #
    #                               P A R A M E T E R    P R O C E S S I N G
@@ -631,7 +602,7 @@ sub compiler {
    #
    # Now that we know the address family (IPv4/IPv6), we can initialize the other modules' globals
    #
-    initialize_package_globals( $update, $shorewallrc, $shorewallrc1 );
+    initialize_package_globals( $update, $shorewallrc );

    set_config_path( $config_path ) if $config_path;

@@ -649,7 +620,7 @@ sub compiler {
    #
    #                      S H O R E W A L L . C O N F  A N D  C A P A B I L I T I E S
    #
-    get_configuration( $export , $update , $annotate , $directives );
+    get_configuration( $export , $update , $annotate );
    #
    # Create a temp file to hold the script
    #
@@ -694,6 +665,11 @@ sub compiler {
    #                           (Produces no output to the compiled script)
    #
    process_policies;
+    #
+    #                                       N O T R A C K
+    #                           (Produces no output to the compiled script)
+    #
+    setup_notrack;

    enable_script;

@@ -733,14 +709,6 @@ sub compiler {
    #
    setup_proxy_arp;

-    emit( "#\n# Disable automatic helper association on kernel 3.5.0 and later\n#" ,
-	  'if [ -f /proc/sys/net/netfilter/nf_conntrack_helper ]; then' ,
-	  '    progress_message "Disabling Kernel Automatic Helper Association"',
-	  "    echo 0 > /proc/sys/net/netfilter/nf_conntrack_helper",
-	  'fi',
-	  ''
-	);
-
    if ( $scriptfilename || $debug ) {
 	emit 'return 0';
 	pop_indent;
@@ -785,8 +753,6 @@ sub compiler {
 	emit "}\n"; # End of setup_routing_and_traffic_shaping()
    }

-    $have_arptables = process_arprules if $family == F_IPV4;
-
    disable_script;
    #
    #                                       N E T F I L T E R
@@ -822,10 +788,6 @@ sub compiler {
    #
    process_rules( $convert );
    #
-    # Process the conntrack file
-    #
-    setup_conntrack;
-    #
    # Add Tunnel rules.
    #
    setup_tunnels;
@@ -850,16 +812,16 @@ sub compiler {

 	optimize_level0;

-	if ( ( my $optimize = $config{OPTIMIZE} ) & 0x1E ) {
+	if ( $config{OPTIMIZE} & 0x1E ) {
 	    progress_message2 'Optimizing Ruleset...';
 	    #
 	    # Optimize Policy Chains
 	    #
-	    optimize_policy_chains if ( $optimize & OPTIMIZE_POLICY_MASK2n4 ) == OPTIMIZE_POLICY_MASK; # Level 2 but not 4
+	    optimize_policy_chains if $config{OPTIMIZE} & 2;
 	    #
 	    # More Optimization
 	    #
-	    optimize_ruleset if $config{OPTIMIZE} & OPTIMIZE_RULESET_MASK;
+	    optimize_ruleset if $config{OPTIMIZE} & 0x1C;
 	}

 	enable_script;
@@ -870,7 +832,7 @@ sub compiler {
 	generate_script_2;
 	#
 	#                          N E T F I L T E R   L O A D
-	#    (Produces setup_netfilter(), setup_arptables(), chainlist_reload() and define_firewall() )
+	#    (Produces setup_netfilter(), chainlist_reload() and define_firewall() )
 	#
 	generate_script_3( $chains );
 	#
@@ -883,7 +845,7 @@ sub compiler {
 	#                           S T O P _ F I R E W A L L
 	#         (Writes the stop_firewall() function to the compiled script)
 	#
-	compile_stop_firewall( $test, $export , $have_arptables );
+	compile_stop_firewall( $test, $export );
 	#
 	#                               U P D O W N
 	#               (Writes the updown() function to the compiled script)
@@ -915,26 +877,23 @@ sub compiler {

 	    optimize_level0;

-	    if ( ( my $optimize = $config{OPTIMIZE} ) & 0x1e ) {
+	    if ( $config{OPTIMIZE} & OPTIMIZE_MASK ) {
 		progress_message2 'Optimizing Ruleset...';
 		#
 		# Optimize Policy Chains
 		#
-		optimize_policy_chains if ( $optimize & OPTIMIZE_POLICY_MASK2n4 ) == OPTIMIZE_POLICY_MASK; # Level 2 but not 4
+		optimize_policy_chains if $config{OPTIMIZE} & OPTIMIZE_POLICY_MASK;
 		#
 		# Ruleset Optimization
 		#
-		optimize_ruleset if $optimize & OPTIMIZE_RULESET_MASK;
+		optimize_ruleset if $config{OPTIMIZE} & OPTIMIZE_RULESET_MASK;
 	    }

 	    enable_script if $debug;

 	    generate_script_2 if $debug;

-	    if ( $preview ) {
-		preview_netfilter_load;
-		preview_arptables_load if $have_arptables;
-	    }
+	    preview_netfilter_load if $preview;
 	}
 	#
 	# Re-initialize the chain table so that process_routestopped() has the same
@@ -944,7 +903,7 @@ sub compiler {
 	initialize_chain_table(0);

 	if ( $debug ) {
-	    compile_stop_firewall( $test, $export, $have_arptables );
+	    compile_stop_firewall( $test, $export );
 	    disable_script;
 	} else {
 	    #
@@ -952,7 +911,6 @@ sub compiler {
 	    # call that function during normal 'check', we must validate routestopped here.
 	    #
 	    process_routestopped;
-	    process_stoppedrules;
 	}

 	if ( $family == F_IPV4 ) {
--- a/Shorewall/Perl/Shorewall/Config.pm
+++ b/Shorewall/Perl/Shorewall/Config.pm
--- a/Shorewall/Perl/Shorewall/IPAddrs.pm
+++ b/Shorewall/Perl/Shorewall/IPAddrs.pm
@@ -26,13 +26,13 @@
 #
 package Shorewall::IPAddrs;
 require Exporter;
-use Shorewall::Config qw( :DEFAULT split_list require_capability in_hex8 numeric_value F_IPV4 F_IPV6 :protocols %config );
+use Shorewall::Config qw( :DEFAULT split_list require_capability in_hex8 numeric_value F_IPV4 F_IPV6 );
 use Socket;

 use strict;

 our @ISA = qw(Exporter);
-our @EXPORT = ( qw( ALLIPv4
+our @EXPORT = qw( ALLIPv4
                  ALLIPv6
 		  NILIPv4
 		  NILIPv6
@@ -48,8 +48,15 @@ our @EXPORT = ( qw( ALLIPv4
 		  ALLIP
 		  NILIP
 		  ALL
+		  TCP
+		  UDP
+		  UDPLITE
+		  ICMP
+		  DCCP
+		  IPv6_ICMP
+		  SCTP
+		  GRE

-		  valid_address
 		  validate_address
 		  validate_net
 		  decompose_net
@@ -66,7 +73,6 @@ our @EXPORT = ( qw( ALLIPv4
 		  nilip
 		  rfc1918_networks
 		  resolve_proto
-		  resolve_dnsname
 		  proto_name
 		  validate_port
 		  validate_portpair
@@ -74,28 +80,27 @@ our @EXPORT = ( qw( ALLIPv4
 		  validate_port_list
 		  validate_icmp
 		  validate_icmp6
-		 ) );
+		 );
 our @EXPORT_OK = qw( );
 our $VERSION = 'MODULEVERSION';

 #
 # Some IPv4/6 useful stuff
 #
-our @allipv4 = ( '0.0.0.0/0' );
-our @allipv6 = ( '::/0' );
-our $allip;
-our @allip;
-our @nilipv4 = ( '0.0.0.0' );
-our @nilipv6 = ( '::' );
-our $nilip;
-our @nilip;
-our $valid_address;
-our $validate_address;
-our $validate_net;
-our $resolve_dnsname;
-our $validate_range;
-our $validate_host;
-our $family;
+my @allipv4 = ( '0.0.0.0/0' );
+my @allipv6 = ( '::/0' );
+my $allip;
+my @allip;
+my @nilipv4 = ( '0.0.0.0' );
+my @nilipv6 = ( '::' );
+my $nilip;
+my @nilip;
+my $valid_address;
+my $validate_address;
+my $validate_net;
+my $validate_range;
+my $validate_host;
+my $family;

 use constant { ALLIPv4             => '0.0.0.0/0' ,
 	       ALLIPv6             => '::/0' ,
@@ -110,9 +115,16 @@ use constant { ALLIPv4             => '0.0.0.0/0' ,
 	       IPv6_LINK_ALLRTRS   => 'ff01::2' ,
 	       IPv6_SITE_ALLNODES  => 'ff02::1' ,
 	       IPv6_SITE_ALLRTRS   => 'ff02::2' ,
-	   };
+	       ICMP                => 1,
+	       TCP                 => 6,
+	       UDP                 => 17,
+	       DCCP                => 33,
+	       GRE                 => 47,
+	       IPv6_ICMP           => 58,
+	       SCTP                => 132,
+	       UDPLITE             => 136 };

-our @rfc1918_networks = ( "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16" );
+my @rfc1918_networks = ( "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16" );

 #
 # Note: initialize() is declared at the bottom of the file
@@ -155,21 +167,6 @@ sub validate_4address( $$ ) {
    defined wantarray ? wantarray ? @addrs : $addrs[0] : undef;
 }

-sub resolve_4dnsname( $ ) {
-    my $net = $_[0];
-    my @addrs;
-
-    fatal_error "Unknown Host ($net)" unless  @addrs = gethostbyname( $net );
-
-    shift @addrs for (1..4);
-    for ( @addrs ) {
-	$_ = ( inet_ntoa( $_ ) );
-    }
-
-    @addrs;
-} 
-    
-
 sub decodeaddr( $ ) {
    my $address = $_[0];

@@ -220,19 +217,16 @@ sub validate_4net( $$ ) {
 	fatal_error "Invalid IP address ($net)"       unless valid_4address $net;
    } else {
 	fatal_error "Invalid Network address ($_[0])" if $_[0] =~ '/' || ! defined $net;
-	my $net1 = validate_4address $net, $allow_name;
-	$net  = $net1 unless $config{DEFER_DNS_RESOLUTION};
+	validate_4address $net, $_[1];
 	$vlsm = 32;
    }

    if ( defined wantarray ) {
-	if ( wantarray ) {
 	assert ( ! $allow_name );
+	if ( wantarray ) {
 	    ( decodeaddr( $net ) , $vlsm );
-	} elsif ( valid_4address $net ) {
-	    $vlsm == 32 ? $net : "$net/$vlsm";
 	} else {
-	    $net;
+	    "$net/$vlsm";
 	}
    }
 }
@@ -247,8 +241,6 @@ sub validate_4range( $$ ) {
    my $last  = decodeaddr $high;

    fatal_error "Invalid IP Range ($low-$high)" unless $first <= $last;
-
-    "$low-$high";
 }

 sub validate_4host( $$ ) {
@@ -343,7 +335,6 @@ sub resolve_proto( $ ) {
 	$number = numeric_value ( $proto );
 	defined $number && $number <= 255 ? $number : undef;
    } else {
-	fatal_error "A protocol list  ($proto) is not allowed in this context" if $proto =~ /,/; 
 	#
 	# Allow 'icmp' as a synonym for 'ipv6-icmp' in IPv6 compilations
 	#
@@ -630,24 +621,9 @@ sub validate_6address( $$ ) {
    defined wantarray ? wantarray ? @addrs : $addrs[0] : undef;
 }

-sub resolve_6dnsname( $ ) {
-    my $net = $_[0];
-    my @addrs;
-    
-    require Socket6;
-    fatal_error "Unknown Host ($net)" unless (@addrs = Socket6::gethostbyname2( $net, Socket6::AF_INET6()));
-
-    shift @addrs for (1..4);
-    for ( @addrs ) {
-	$_ = Socket6::inet_ntop( Socket6::AF_INET6(), $_ );
-    }
-
-    @addrs;
-} 
-
 sub validate_6net( $$ ) {
    my ($net, $vlsm, $rest) = split( '/', $_[0], 3 );
-    my $allow_name = $_[0];
+    my $allow_name = $_[1];

    if ( $net =~ /\+(\[?)/ ) {
 	if ( $1 ) {
@@ -659,29 +635,22 @@ sub validate_6net( $$ ) {
 	}
    }

-    fatal_error "Invalid Network address ($_[0])" unless supplied $net;
-
-    $net = $1 if $net =~ /^\[(.*)\]$/;
-
    if ( defined $vlsm ) {
        fatal_error "Invalid VLSM ($vlsm)"              unless $vlsm =~ /^\d+$/ && $vlsm <= 128;
 	fatal_error "Invalid Network address ($_[0])"   if defined $rest;
 	fatal_error "Invalid IPv6 address ($net)"       unless valid_6address $net;
    } else {
-	fatal_error "Invalid Network address ($_[0])" if $_[0] =~ '/';
-	my $net1 = validate_6address $net, $allow_name;
-	$net  = $net1 unless $config{DEFER_DNS_RESOLUTION};
+	fatal_error "Invalid Network address ($_[0])" if $_[0] =~ '/' || ! defined $net;
+	validate_6address $net, $allow_name;
 	$vlsm = 128;
    }

    if ( defined wantarray ) {
-	if ( wantarray ) {
 	assert ( ! $allow_name );
+	if ( wantarray ) {
 	    ( $net , $vlsm );
-	} elsif ( valid_6address ( $net ) ) {
-	    $vlsm == 32 ? $net : "$net/$vlsm";
 	} else {
-	    $net;
+	    "$net/$vlsm";
 	}
    }
 }
@@ -728,13 +697,11 @@ sub validate_6range( $$ ) {
    while ( @low ) {
 	my ( $l, $h) = ( shift @low, shift @high );
 	next     if hex "0x$l" == hex "0x$h";
-	return "$low-$high" if hex "0x$l"  < hex "0x$h";
+	return 1 if hex "0x$l"  < hex "0x$h";
 	last;
    }

    fatal_error "Invalid IPv6 Range ($low-$high)";
-
-    
 }

 sub validate_6host( $$ ) {
@@ -813,10 +780,6 @@ sub validate_net ( $$ ) {
    $validate_net->(@_);
 }

-sub resolve_dnsname( $ ) {
-    $resolve_dnsname->(@_);
-}
-
 sub validate_range ($$ ) {
    $validate_range->(@_);
 }
@@ -848,7 +811,6 @@ sub initialize( $ ) {
 	$validate_net     = \&validate_4net;
 	$validate_range   = \&validate_4range;
 	$validate_host    = \&validate_4host;
-	$resolve_dnsname  = \&resolve_4dnsname;
    } else {
 	$allip            = ALLIPv6;
 	@allip            = @allipv6;
@@ -859,7 +821,6 @@ sub initialize( $ ) {
 	$validate_net     = \&validate_6net;
 	$validate_range   = \&validate_6range;
 	$validate_host    = \&validate_6host;
-	$resolve_dnsname  = \&resolve_6dnsname;
    }
 }

--- a/Shorewall/Perl/Shorewall/Misc.pm
+++ b/Shorewall/Perl/Shorewall/Misc.pm
--- a/Shorewall/Perl/Shorewall/Nat.pm
+++ b/Shorewall/Perl/Shorewall/Nat.pm
@@ -3,7 +3,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007,2008,2009,2010,2011,2012,2013 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007,2008,2009,2010,2011 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
@@ -35,15 +35,11 @@ use strict;

 our @ISA = qw(Exporter);
 our @EXPORT = qw( setup_masq setup_nat setup_netmap add_addresses );
-our %EXPORT_TAGS = ( rules => [ qw ( handle_nat_rule handle_nonat_rule ) ] );
 our @EXPORT_OK = ();
-
-Exporter::export_ok_tags('rules');
-
 our $VERSION = 'MODULEVERSION';

-our @addresses_to_add;
-our %addresses_to_add;
+my @addresses_to_add;
+my %addresses_to_add;

 #
 # Called by the compiler
@@ -56,9 +52,17 @@ sub initialize() {
 #
 # Process a single rule from the the masq file
 #
-sub process_one_masq1( $$$$$$$$$$ )
+sub process_one_masq( )
 {
-    my ($interfacelist, $networks, $addresses, $proto, $ports, $ipsec, $mark, $user, $condition, $origdest ) = @_;
+    my ($interfacelist, $networks, $addresses, $proto, $ports, $ipsec, $mark, $user, $condition ) =
+	split_line1 'masq file', { interface => 0, source => 1, address => 2, proto => 3, port => 4, ipsec => 5, mark => 6, user => 7, switch => 8 };
+
+    if ( $interfacelist eq 'COMMENT' ) {
+	process_comment;
+	return 1;
+    }
+
+    fatal_error 'INTERFACE must be specified' if $interfacelist eq '-';

    my $pre_nat;
    my $add_snat_aliases = $config{ADD_SNAT_ALIASES};
@@ -115,7 +119,7 @@ sub process_one_masq1( $$$$$$$$$$ )
    #
    # Handle Protocol, Ports and Condition
    #
-    $baserule .= do_proto( $proto, $ports, '' );
+    $baserule .= do_proto( $proto, $ports, '' ) . do_condition( $condition );
    #
    # Handle Mark
    #
@@ -150,8 +154,6 @@ sub process_one_masq1( $$$$$$$$$$ )

 	my $chainref = ensure_chain('nat', $pre_nat ? snat_chain $interface : masq_chain $interface);

-	$baserule .= do_condition( $condition , $chainref->{name} );
-
 	my $detectaddress = 0;
 	my $exceptionrule = '';
 	my $randomize     = '';
@@ -188,16 +190,12 @@ sub process_one_masq1( $$$$$$$$$$ )
 		} else {
 		    my $addrlist = '';
 		    for my $addr ( split_list $addresses , 'address' ) {
-			if ( $addr =~ /^([&%])(.+)$/ ) {
-			    my ( $type, $interface ) = ( $1, $2 );
+			if ( $addr =~ /^&(.+)$/ ) {
 			    $target = 'SNAT ';
-			    if ( $interface =~ /^{([a-zA-Z_]\w*)}$/ ) {
-				$conditional = conditional_rule( $chainref, $addr );
-				$addrlist .= '--to-source ' . "\$$1 ";
-			    } elsif ( $conditional = conditional_rule( $chainref, $addr ) ) {
-				$addrlist .= '--to-source ' . get_interface_address $interface;
+			    if ( $conditional = conditional_rule( $chainref, $addr ) ) {
+				$addrlist .= '--to-source ' . get_interface_address $1;
 			    } else {
-				$addrlist .= '--to-source ' . record_runtime_address( $type, $interface );
+				$addrlist .= '--to-source ' . record_runtime_address( '&', $1 );
 			    }
 			} elsif ( $addr =~ /^.*\..*\..*\./ ) {
 			    $target = 'SNAT ';
@@ -235,7 +233,7 @@ sub process_one_masq1( $$$$$$$$$$ )
 		     $baserule . $rule ,
 		     $networks ,
 		     $destnets ,
-		     $origdest ,
+		     '' ,
 		     $target ,
 		     '' ,
 		     '' ,
@@ -269,28 +267,18 @@ sub process_one_masq1( $$$$$$$$$$ )

 }

-sub process_one_masq( )
-{
-    my ($interfacelist, $networks, $addresses, $protos, $ports, $ipsec, $mark, $user, $condition, $origdest ) =
-	split_line1 'masq file', { interface => 0, source => 1, address => 2, proto => 3, port => 4, ipsec => 5, mark => 6, user => 7, switch => 8, origdest => 9 };
-
-    fatal_error 'INTERFACE must be specified' if $interfacelist eq '-';
-
-    for my $proto ( split_list $protos, 'Protocol' ) {
-	process_one_masq1( $interfacelist, $networks, $addresses, $proto, $ports, $ipsec, $mark, $user, $condition, $origdest );
-    }
-}
-
 #
 # Process the masq file
 #
 sub setup_masq()
 {
-    if ( my $fn = open_file( 'masq', 1, 1 ) ) {
+    if ( my $fn = open_file 'masq' ) {

 	first_entry( sub { progress_message2 "$doing $fn..."; require_capability 'NAT_ENABLED' , 'a non-empty masq file' , 's'; } );

 	process_one_masq while read_a_line( NORMAL_READ );
+
+	clear_comment;
    }
 }

@@ -381,7 +369,7 @@ sub do_one_nat( $$$$$ )
 #
 sub setup_nat() {

-    if ( my $fn = open_file( 'nat', 1, 1 ) ) {
+    if ( my $fn = open_file 'nat' ) {

 	first_entry( sub { progress_message2 "$doing $fn..."; require_capability 'NAT_ENABLED' , 'a non-empty nat file' , 's'; } );

@@ -389,6 +377,9 @@ sub setup_nat() {

 	    my ( $external, $interfacelist, $internal, $allints, $localnat ) = split_line1 'nat file', { external => 0, interface => 1, internal => 2, allints => 3, local => 4 };

+	    if ( $external eq 'COMMENT' ) {
+		process_comment;
+	    } else {
 		( $interfacelist, my $digit ) = split /:/, $interfacelist;

 		$digit = defined $digit ? ":$digit" : '';
@@ -404,6 +395,9 @@ sub setup_nat() {
 		progress_message "   NAT entry \"$currentline\" $done";
 	    }
 	}
+
+	clear_comment;
+    }
 }

 #
@@ -411,7 +405,7 @@ sub setup_nat() {
 #
 sub setup_netmap() {

-    if ( my $fn = open_file 'netmap', 1, 1 ) {
+    if ( my $fn = open_file 'netmap' ) {

 	first_entry "$doing $fn...";

@@ -433,8 +427,8 @@ sub setup_netmap() {
 		    my @rulein;
 		    my @ruleout;

-		    $net1 = validate_net $net1, 0;
-		    $net2 = validate_net $net2, 0;
+		    validate_net $net1, 0;
+		    validate_net $net2, 0;

 		    unless ( $interfaceref->{root} ) {
 			@rulein  = imatch_source_dev( $interface );
@@ -468,7 +462,7 @@ sub setup_netmap() {

 		    require_capability 'RAWPOST_TABLE', 'Stateless NAT Entries', '';

-		    $net2 = validate_net $net2, 0;
+		    validate_net $net2, 0;

 		    unless ( $interfaceref->{root} ) {
 			@match = imatch_dest_dev(  $interface );
@@ -514,229 +508,12 @@ sub setup_netmap() {
 		progress_message "   Network $net1 on $iface mapped to $net2 ($type)";
 	    }
 	}
+
+	clear_comment;
    }

 }

-#
-# Called from process_rule1 to add a rule to the NAT table
-#
-sub handle_nat_rule( $$$$$$$$$$$$ ) {
-    my ( $dest,           # <server>[:port]
-	 $proto,          # Protocol
-	 $ports,          # Destination port list
-	 $origdest,       # Original Destination
-	 $action_target,  # If the target is an action, the name of the log action chain to jump to
-	 $action,         # The Action
-	 $sourceref,      # Reference to the Source Zone's table entry in the Zones module
-	 $action_chain,   # Name of the action chain if the rule is in an action
-	 $rule,           # Matches 
-	 $source,         # Source Address
-	 $loglevel,       # [<level>[:<tag>]]
-	 $log_action,     # Action name to include in the log message
-       ) = @_;
-
-    my ( $server, $serverport , $origdstports ) = ( '', '', '' );
-    my $randomize = $dest =~ s/:random$// ? ' --random' : '';
-
-    #
-    # Isolate server port
-    #
-    if ( $dest =~ /^(.*)(?::(.+))$/ ) {
-	#
-	# Server IP and Port
-	#
-	$server = $1;      # May be empty
-	$serverport = $2;  # Not Empty due to RE
-
-	$origdstports = validate_port( $proto, $ports )	if $ports && $ports ne '-' && port_count( $ports ) == 1;
-
-	if ( $serverport =~ /^(\d+)-(\d+)$/ ) {
-	    #
-	    # Server Port Range
-	    #
-	    fatal_error "Invalid port range ($serverport)" unless $1 < $2;
-	    my @ports = ( $1, $2 );
-	    $_ = validate_port( proto_name( $proto ), $_) for ( @ports );
-	    ( $ports = $serverport ) =~ tr/-/:/;
-	} else {
-	    $serverport = $ports = validate_port( proto_name( $proto ), $serverport );
-	}
-    } elsif ( $dest ne ':' ) {
-	#
-	# Simple server IP address (may be empty or "-")
-	#
-	$server = $dest;
-    }
-    #
-    # Generate the target
-    #
-    my $target = '';
-
-    if ( $action eq 'REDIRECT' ) {
-	fatal_error "A server IP address ($server) may not be specified in a REDIRECT rule" if $server;
-	$target  = 'REDIRECT';
-	$target .= " --to-port $serverport" if $serverport;
-	if ( $origdest eq '' || $origdest eq '-' ) {
-	    $origdest = ALLIP;
-	} elsif ( $origdest eq 'detect' ) {
-	    fatal_error 'ORIGINAL DEST "detect" is invalid in an action' if $action_chain;
-
-	    if ( $config{DETECT_DNAT_IPADDRS} ) {
-		my $interfacesref = $sourceref->{interfaces};
-		my @interfaces = keys %$interfacesref;
-		$origdest = @interfaces ? "detect:@interfaces" : ALLIP;
-	    } else {
-		$origdest = ALLIP;
-	    }
-	}
-    } elsif ( $action_target ) {
-	fatal_error "A server port ($serverport) is not allowed in $action rule" if $serverport;
-	$target = $action_target;
-    } else {
-	if ( $server eq '' ) {
-	    fatal_error "A server and/or port must be specified in the DEST column in $action rules" unless $serverport;
-	} elsif ( $server =~ /^(.+)-(.+)$/ ) {
-	    validate_range( $1, $2 );
-	} else {
-	    unless ( $server eq ALLIP ) {
-		my @servers = validate_address $server, 1;
-		$server = join ',', @servers;
-	    }
-	}
-
-	if ( $action eq 'DNAT' ) {
-	    $target = $action;
-	    if ( $server ) {
-		$serverport = ":$serverport" if $serverport;
-		for my $serv ( split /,/, $server ) {
-		    $target .= " --to-destination ${serv}${serverport}";
-		}
-	    } else {
-		$target .= " --to-destination :$serverport";
-	    }
-	}
-
-	unless ( $origdest && $origdest ne '-' && $origdest ne 'detect' ) {
-	    if ( ! $action_chain && $config{DETECT_DNAT_IPADDRS} ) {
-		my $interfacesref = $sourceref->{interfaces};
-		my @interfaces = keys %$interfacesref;
-		$origdest = @interfaces ? "detect:@interfaces" : ALLIP;
-	    } else {
-		$origdest = ALLIP;
-	    }
-	}
-    }
-
-    $target .= $randomize;
-    #
-    # And generate the nat table rule(s)
-    #
-    my $firewallsource = $sourceref && ( $sourceref->{type} & ( FIREWALL | VSERVER ) );
-
-    expand_rule ( ensure_chain ('nat' ,
-				( $action_chain   ? $action_chain :
-				  $firewallsource ? 'OUTPUT' :
-				  dnat_chain $sourceref->{name} ) ) ,
-		  $firewallsource ? OUTPUT_RESTRICT : PREROUTE_RESTRICT ,
-		  $rule ,
-		  $source ,
-		  $origdest ,
-		  '' ,
-		  $target ,
-		  $loglevel ,
-		  $log_action ,
-		  $serverport ? do_proto( $proto, '', '' ) : '',
-		);
-
-    ( $ports, $origdstports, $server );
-}
-
-#
-# Called from process_rule1() to handle the nat table part of the NONAT and ACCEPT+ actions
-#
-sub handle_nonat_rule( $$$$$$$$$$ ) {
-    my ( $action, $source, $dest, $origdest, $sourceref, $inaction, $chain, $loglevel, $log_action, $rule ) = @_;
-
-    my $sourcezone = $sourceref->{name};
-    #
-    # NONAT or ACCEPT+ may not specify a destination interface
-    #
-    fatal_error "Invalid DEST ($dest) in $action rule" if $dest =~ /:/;
-
-    $origdest = '' unless $origdest and $origdest ne '-';
-
-    if ( $origdest eq 'detect' ) {
-	my $interfacesref = $sourceref->{interfaces};
-	my $interfaces = [ ( keys %$interfacesref ) ];
-	$origdest = $interfaces ? "detect:@$interfaces" : ALLIP;
-    }
-
-    my $tgt = 'RETURN';
-
-    my $nonat_chain;
-
-    my $chn;
-
-    if ( $inaction ) {
-	$nonat_chain = ensure_chain( 'nat', $chain );
-    } elsif ( $sourceref->{type} == FIREWALL ) {
-	$nonat_chain = $nat_table->{OUTPUT};
-    } else {
-	$nonat_chain = ensure_chain( 'nat', dnat_chain( $sourcezone ) );
-
-	my @interfaces = keys %{zone_interfaces $sourcezone};
-
-	for ( @interfaces ) {
-	    my $ichain = input_chain $_;
-
-	    if ( $nat_table->{$ichain} ) {
-		#
-		# Static NAT is defined on this interface
-		#
-		$chn = new_chain( 'nat', newnonatchain ) unless $chn;
-		add_ijump $chn, j => $nat_table->{$ichain}, @interfaces > 1 ? imatch_source_dev( $_ )  : ();
-	    }
-	}
-
-	if ( $chn ) {
-	    #
-	    # Call expand_rule() to correctly handle logging. Because
-	    # the 'logname' argument is passed, expand_rule() will
-	    # not create a separate logging chain but will rather emit
-	    # any logging rule in-line.
-	    #
-	    expand_rule( $chn,
-			 PREROUTE_RESTRICT,
-			 '', # Rule
-			 '', # Source
-			 '', # Dest
-			 '', # Original dest
-			 'ACCEPT',
-			 $loglevel,
-			 $log_action,
-			 '',
-			 dnat_chain( $sourcezone  ) );
-	    $loglevel = '';
-	    $tgt = $chn->{name};
-	} else {
-	    $tgt = 'ACCEPT';
-	}
-    }
-
-    expand_rule( $nonat_chain ,
-		 PREROUTE_RESTRICT ,
-		 $rule ,
-		 $source ,
-		 $dest ,
-		 $origdest ,
-		 $tgt,
-		 $loglevel ,
-		 $log_action ,
-		 '',
-	       );
-}
-
 sub add_addresses () {
    if ( @addresses_to_add ) {
 	my @addrs = @addresses_to_add;
--- a/Shorewall/Perl/Shorewall/Proc.pm
+++ b/Shorewall/Perl/Shorewall/Proc.pm
@@ -251,6 +251,9 @@ sub setup_forwarding( $$ ) {
 	if ( @$interfaces ) {
 	    progress_message2 "$doing Interface forwarding..." if $first;

+	    push_indent;
+	    push_indent;
+
 	    save_progress_message 'Setting up IPv6 Interface Forwarding...';

 	    for my $interface ( @$interfaces ) {
@@ -267,6 +270,9 @@ sub setup_forwarding( $$ ) {
 		       "    error_message \"WARNING: Cannot set IPv6 forwarding on $interface\"" ) unless $optional;
 		emit   "fi\n";
 	    }
+
+	    pop_indent;
+	    pop_indent;
 	}
    }
 }
--- a/Shorewall/Perl/Shorewall/Providers.pm
+++ b/Shorewall/Perl/Shorewall/Providers.pm
@@ -39,9 +39,7 @@ our @EXPORT = qw( process_providers
 		  @routemarked_interfaces
 		  handle_stickiness
 		  handle_optional_interfaces
-		  compile_updown
 		  setup_load_distribution
-		  have_providers
 	       );
 our @EXPORT_OK = qw( initialize lookup_provider );
 our $VERSION = '4.4_24';
@@ -53,28 +51,26 @@ use constant { LOCAL_TABLE   => 255,
 	       UNSPEC_TABLE  => 0
 	       };

-our @routemarked_providers;
-our %routemarked_interfaces;
+my  @routemarked_providers;
+my  %routemarked_interfaces;
 our @routemarked_interfaces;
-our %provider_interfaces;
-our @load_providers;
-our @load_interfaces;
+my  %provider_interfaces;
+my  @load_providers;
+my  @load_interfaces;

-our $balancing;
-our $fallback;
-our $metrics;
-our $first_default_route;
-our $first_fallback_route;
-our $maxload;
-our $tproxies;
+my $balancing;
+my $fallback;
+my $first_default_route;
+my $first_fallback_route;
+my $maxload;

-our %providers;
+my %providers;

-our @providers;
+my @providers;

-our $family;
+my $family;

-our $lastmark;
+my $lastmark;

 use constant { ROUTEMARKED_SHARED => 1, ROUTEMARKED_UNSHARED => 2 };

@@ -99,11 +95,9 @@ sub initialize( $ ) {
    @load_interfaces        = ();
    $balancing              = 0;
    $fallback               = 0;
-    $metrics                = 0;
    $first_default_route    = 1;
    $first_fallback_route   = 1;
    $maxload                = 0;
-    $tproxies               = 0;

    %providers  = ( local   => { number => LOCAL_TABLE   , mark => 0 , optional => 0 ,routes => [], rules => [] } ,
 		    main    => { number => MAIN_TABLE    , mark => 0 , optional => 0 ,routes => [], rules => [] } ,
@@ -118,15 +112,10 @@ sub initialize( $ ) {
 #
 sub setup_route_marking() {
    my $mask = in_hex( $globals{PROVIDER_MASK} );
-    my $exmask = have_capability( 'EXMARK' ) ? "/$mask" : '';

    require_capability( $_ , q(The provider 'track' option) , 's' ) for qw/CONNMARK_MATCH CONNMARK/;

-    if ( $config{RESTORE_ROUTEMARKS} ) {
-	add_ijump $mangle_table->{$_} , j => 'CONNMARK', targetopts => "--restore-mark --mask $mask" for qw/PREROUTING OUTPUT/;
-    } else {
    add_ijump $mangle_table->{$_} , j => 'CONNMARK', targetopts => "--restore-mark --mask $mask", connmark => "! --mark 0/$mask" for qw/PREROUTING OUTPUT/;
-    }

    my $chainref  = new_chain 'mangle', 'routemark';

@@ -150,10 +139,10 @@ sub setup_route_marking() {

 	    if ( $providerref->{shared} ) {
 		add_commands( $chainref, qq(if [ -n "$providerref->{mac}" ]; then) ), incr_cmd_level( $chainref ) if $providerref->{optional};
-		add_ijump $chainref, j => 'MARK', targetopts => "--set-mark $providerref->{mark}${exmask}", imatch_source_dev( $interface ), mac => "--mac-source $providerref->{mac}";
+		add_ijump $chainref, j => 'MARK', targetopts => "--set-mark $providerref->{mark}", imatch_source_dev( $interface ), mac => "--mac-source $providerref->{mac}";
 		decr_cmd_level( $chainref ), add_commands( $chainref, "fi\n" ) if $providerref->{optional};
 	    } else {
-		add_ijump $chainref, j => 'MARK', targetopts => "--set-mark $providerref->{mark}${exmask}", imatch_source_dev( $interface );
+		add_ijump $chainref, j => 'MARK', targetopts => "--set-mark $providerref->{mark}", imatch_source_dev( $interface );
 	    }
 	}

@@ -338,35 +327,24 @@ sub balance_fallback_route( $$$$ ) {
    }
 }

-sub start_provider( $$$$ ) {
-    my ($what, $table, $number, $test ) = @_;
+sub start_provider( $$$ ) {
+    my ($table, $number, $test ) = @_;

-    emit "\n#\n# Add $what $table ($number)\n#";
+    emit "\n#\n# Add Provider $table ($number)\n#";

-    if ( $number ) {
    emit "start_provider_$table() {";
-    } else {
-	emit "start_interface_$table() {";
-    }
-
    push_indent;
    emit $test;
    push_indent;

-
-    if ( $number ) {
    emit "qt ip -$family route flush table $number";
    emit "echo \"qt \$IP -$family route flush table $number\" > \${VARDIR}/undo_${table}_routing";
-    } else {
-	emit( "> \${VARDIR}/undo_${table}_routing" );
-    }
 }

 #
 # Process a record in the providers file
 #
-sub process_a_provider( $ ) {
-    my $pseudo = $_[0]; # When true, this is an optional interface that we are treating somewhat like a provider.
+sub process_a_provider() {

    my ($table, $number, $mark, $duplicate, $interface, $gateway,  $options, $copy ) =
 	split_line 'providers file', { table => 0, number => 1, mark => 2, duplicate => 3, interface => 4, gateway => 5, options => 6, copy => 7 };
@@ -374,8 +352,6 @@ sub process_a_provider( $ ) {
    fatal_error "Duplicate provider ($table)" if $providers{$table};

    fatal_error 'NAME must be specified' if $table eq '-';
-
-    unless ( $pseudo ) {
    fatal_error "Invalid Provider Name ($table)" unless $table =~ /^[\w]+$/;

    my $num = numeric_value $number;
@@ -388,7 +364,6 @@ sub process_a_provider( $ ) {
    for my $providerref ( values %providers  ) {
 	fatal_error "Duplicate provider number ($number)" if $providerref->{number} == $number;
    }
-    }

    fatal_error 'INTERFACE must be specified' if $interface eq '-';

@@ -408,11 +383,6 @@ sub process_a_provider( $ ) {
    my $physical    = get_physical $interface;
    my $gatewaycase = '';

-    if ( $physical =~ /\+$/ ) {
-	return 0 if $pseudo;
-	fatal_error "Wildcard interfaces ($physical) may not be used as provider interfaces";
-    }
-
    if ( $gateway eq 'detect' ) {
 	fatal_error "Configuring multiple providers through one interface requires an explicit gateway" if $shared;
 	$gateway = get_interface_gateway $interface;
@@ -426,15 +396,8 @@ sub process_a_provider( $ ) {
 	$gateway = '';
    }

-    my ( $loose, $track, $balance, $default, $default_balance, $optional, $mtu, $tproxy, $local, $load, $what );
-
-    if ( $pseudo ) {	
-	( $loose, $track,                   $balance , $default, $default_balance,                $optional,                           $mtu, $tproxy , $local, $load, $what ) =
-	( 0,      0                       , 0 ,        0,        0,                               1                                  , ''  , 0       , 0,      0,     'interface');
-    } else {
-	( $loose, $track,                   $balance , $default, $default_balance,                $optional,                           $mtu, $tproxy , $local, $load, $what )=
-	( 0,      $config{TRACK_PROVIDERS}, 0 ,        0,        $config{USE_DEFAULT_RT} ? 1 : 0, interface_is_optional( $interface ), ''  , 0       , 0,      0,     'provider');
-    }
+    my ( $loose, $track,                   $balance , $default, $default_balance,                $optional,                           $mtu, $local , $load ) =
+	(0,      $config{TRACK_PROVIDERS}, 0 ,        0,        $config{USE_DEFAULT_RT} ? 1 : 0, interface_is_optional( $interface ), ''  , 0      , 0 );

    unless ( $options eq '-' ) {
 	for my $option ( split_list $options, 'option' ) {
@@ -472,12 +435,7 @@ sub process_a_provider( $ ) {
 		$default = -1;
 		$default_balance = 0;
 	    } elsif ( $option eq 'local' ) {
-		warning_message q(The 'local' provider option is deprecated in favor of 'tproxy');
-		$local = $tproxy = 1;
-		$track  = 0           if $config{TRACK_PROVIDERS};
-		$default_balance = 0  if $config{USE_DEFAULT_RT};
-	    } elsif ( $option eq 'tproxy' ) {
-		$tproxy = 1;
+		$local = 1;
 		$track = 0           if $config{TRACK_PROVIDERS};
 		$default_balance = 0 if $config{USE_DEFAULT_RT};
 	    } elsif ( $option =~ /^load=(0?\.\d{1,8})/ ) {
@@ -501,13 +459,7 @@ sub process_a_provider( $ ) {
 	fatal_error "GATEWAY not valid with 'local' provider" unless $gatewaycase eq 'none';
 	fatal_error "'track' not valid with 'local'"          if $track;
 	fatal_error "DUPLICATE not valid with 'local'"        if $duplicate ne '-';
-    } elsif ( $tproxy ) {
-	fatal_error "Only one 'tproxy' provider is allowed"    if $tproxies++;
-	fatal_error "GATEWAY not valid with 'tproxy' provider" unless $gatewaycase eq 'none';
-	fatal_error "'track' not valid with 'tproxy'"          if $track;
-	fatal_error "DUPLICATE not valid with 'tproxy'"        if $duplicate ne '-';
-	fatal_error "MARK not allowed with 'tproxy'"           if $mark ne '-';
-	$mark = $globals{TPROXY_MARK};
+	fatal_error "MARK required with 'local'"              unless $mark;
    }

    my $val = 0;
@@ -519,10 +471,6 @@ sub process_a_provider( $ ) {

 	require_capability( 'MANGLE_ENABLED' , 'Provider marks' , '' );

-	if ( $tproxy && ! $local ) {
-	    $val = $globals{TPROXY_MARK};
-	    $pref = 1;
-	} else {
 	$val = numeric_value $mark;

 	fatal_error "Invalid Mark Value ($mark)" unless defined $val && $val;
@@ -537,14 +485,13 @@ sub process_a_provider( $ ) {
 	    fatal_error "Duplicate mark value ($mark)" if numeric_value( $providerref->{mark} ) == $val;
 	}

+	$pref = 10000 + $number - 1;
+
 	$lastmark = $val;

-	    $pref = 10000 + $number - 1;
    }

-    }
-
-    unless ( $loose || $pseudo ) {
+    unless ( $loose ) {
 	warning_message q(The 'proxyarp' option is dangerous when specified on a Provider interface) if get_interface_option( $interface, 'proxyarp' );
 	warning_message q(The 'proxyndp' option is dangerous when specified on a Provider interface) if get_interface_option( $interface, 'proxyndp' );
    }
@@ -580,16 +527,11 @@ sub process_a_provider( $ ) {
 			   duplicate   => $duplicate ,
 			   address     => $address ,
 			   local       => $local ,
-			   tproxy      => $tproxy ,
 			   load        => $load ,
-			   pseudo      => $pseudo ,
-			   what        => $what ,
 			   rules       => [] ,
 			   routes      => [] ,
 			 };

-    $provider_interfaces{$interface} = $table unless $shared;
-
    if ( $track ) {
 	fatal_error "The 'track' option requires a numeric value in the MARK column" if $mark eq '-';

@@ -608,22 +550,7 @@ sub process_a_provider( $ ) {

    push @providers, $table;

-    progress_message "   Provider \"$currentline\" $done" unless $pseudo;
-
-    return 1;
-}
-
-#
-# Emit a 'started' message
-#
-sub emit_started_message( $$$$$ ) {
-    my ( $spaces, $level, $pseudo, $name, $number ) = @_;
-
-    if ( $pseudo ) {
-	emit qq(${spaces}progress_message${level} "   Optional interface $name Started");
-    } else {
-	emit qq(${spaces}progress_message${level} "   Provider $name ($number) Started");
-    }
+    progress_message "   Provider \"$currentline\" $done";
 }

 #
@@ -652,34 +579,28 @@ sub add_a_provider( $$ ) {
    my $duplicate   = $providerref->{duplicate};
    my $address     = $providerref->{address};
    my $local       = $providerref->{local};
-    my $tproxy      = $providerref->{tproxy};
    my $load        = $providerref->{load};
-    my $pseudo      = $providerref->{pseudo};
-    my $what        = $providerref->{what};
-    my $label       = $pseudo ? 'Optional Interface' : 'Provider';

-    my $dev         = var_base $physical;
+    my $dev         = chain_base $physical;
    my $base        = uc $dev;
    my $realm = '';

    if ( $shared ) {
 	my $variable = $providers{$table}{mac} = get_interface_mac( $gateway, $interface , $table );
 	$realm = "realm $number";
-	start_provider( $label , $table, $number, qq(if interface_is_usable $physical && [ -n "$variable" ]; then) );
-    } elsif ( $pseudo ) {
-	start_provider( $label , $table, $number, qq(if [ -n "\$SW_${base}_IS_USABLE" ]; then) );
+	start_provider( $table, $number, qq(if interface_is_usable $physical && [ -n "$variable" ]; then) );
    } else {
 	if ( $optional ) {
-	    start_provider( $label, $table , $number, qq(if [ -n "\$SW_${base}_IS_USABLE" ]; then) );
+	    start_provider( $table, $number, qq(if [ -n "\$SW_${base}_IS_USABLE" ]; then) );
 	} elsif ( $gatewaycase eq 'detect' ) {
-	    start_provider( $label, $table, $number, qq(if interface_is_usable $physical && [ -n "$gateway" ]; then) );
+	    start_provider( $table, $number, qq(if interface_is_usable $physical && [ -n "$gateway" ]; then) );
 	} else {
-	    start_provider( $label, $table, $number, "if interface_is_usable $physical; then" );
+	    start_provider( $table, $number, "if interface_is_usable $physical; then" );
 	}
 	$provider_interfaces{$interface} = $table;

 	if ( $gatewaycase eq 'none' ) {
-	    if ( $tproxy ) {
+	    if ( $local ) {
 		emit 'run_ip route add local ' . ALLIP . " dev $physical table $number";
 	    } else {
 		emit "run_ip route add default dev $physical table $number";
@@ -712,7 +633,7 @@ CEOF

    if ( $mark ne '-' ) {
 	my $hexmark = in_hex( $mark );
-	my $mask = have_capability 'FWMARK_RT_MASK' ? '/' . in_hex( $globals{ $tproxy && ! $local ? 'TPROXY_MARK' : 'PROVIDER_MASK' } ) : '';
+	my $mask = have_capability 'FWMARK_RT_MASK' ? '/' . in_hex $globals{PROVIDER_MASK} : '';

 	emit ( "qt \$IP -$family rule del fwmark ${hexmark}${mask}" ) if $config{DELETE_THEN_ADD};

@@ -757,20 +678,19 @@ CEOF
 	emit '';
 	if ( $gateway ) {
 	    if ( $family == F_IPV4 ) {
-		emit qq(run_ip route replace $gateway/32 dev $physical table ) . DEFAULT_TABLE;
+		emit qq(run_ip route replace $gateway dev $physical table ) . DEFAULT_TABLE;
 		emit qq(run_ip route replace default via $gateway src $address dev $physical table ) . DEFAULT_TABLE . qq( metric $number);
 	    } else {
 		emit qq(qt \$IP -6 route del default via $gateway src $address dev $physical table ) . DEFAULT_TABLE . qq( metric $number);
 		emit qq(run_ip route add default via $gateway src $address dev $physical table ) . DEFAULT_TABLE . qq( metric $number);
 	    }
 	    emit qq(echo "qt \$IP -$family route del default via $gateway table ) . DEFAULT_TABLE . qq(" >> \${VARDIR}/undo_${table}_routing);
-	    emit qq(echo "qt \$IP -4  route del $gateway/32 dev $physical table ) . DEFAULT_TABLE . qq(" >> \${VARDIR}/undo_${table}_routing) if $family == F_IPV4;
 	} else {
 	    emit qq(run_ip route add default table ) . DEFAULT_TABLE . qq( dev $physical metric $number);
 	    emit qq(echo "qt \$IP -$family route del default dev $physical table ) . DEFAULT_TABLE . qq(" >> \${VARDIR}/undo_${table}_routing);
 	}

-	$metrics = 1;
+	$fallback = 1;
    }

    emit( qq(\n) ,
@@ -778,7 +698,7 @@ CEOF
 	  qq(    qt \$IP -6 rule add from all table ) . DEFAULT_TABLE . qq( prio 32767\n) ,
 	  qq(fi) ) if $family == F_IPV6;

-    unless ( $tproxy ) {
+    unless ( $local ) {
 	emit '';

 	if ( $loose ) {
@@ -792,7 +712,7 @@ CEOF
 	    emit  "qt \$IP -$family rule del from $address" if $config{DELETE_THEN_ADD};
 	    emit( "run_ip rule add from $address pref 20000 table $number" ,
 		  "echo \"qt \$IP -$family rule del from $address\" >> \${VARDIR}/undo_${table}_routing" );
-	} elsif ( ! $pseudo ) {
+	} else {
 	    emit  ( "find_interface_addresses $physical | while read address; do" );
 	    emit  ( "    qt \$IP -$family rule del from \$address" ) if $config{DELETE_THEN_ADD};
 	    emit  ( "    run_ip rule add from \$address pref 20000 table $number",
@@ -842,7 +762,7 @@ CEOF
 		if ( $gateway ) {
 		    emit qq(add_gateway "via $gateway dev $physical $realm" ) . $tbl;
 		} else {
-		    emit qq(add_gateway "dev $physical $realm" ) . $tbl;
+		    emit qq(add_gateway "nexthop dev $physical $realm" ) . $tbl;
 		}
 	    }
 	    	} else {
@@ -855,17 +775,15 @@ CEOF
 	    emit( "setup_${dev}_tc" ) if $tcdevices->{$interface};
 	}

-	emit_started_message( '', 2, $pseudo, $table, $number );
+	emit ( qq(progress_message2 "   Provider $table ($number) Started") );

 	pop_indent;

-	unless ( $pseudo ) {
 	emit( 'else' );
-	    emit( qq(    echo $weight > \${VARDIR}/${physical}_weight) );
-	    emit_started_message( '    ', '', $pseudo, $table, $number );
-	}
-
-	emit "fi\n";
+	emit( qq(    echo $weight > \${VARDIR}/${physical}_weight) ,
+	      qq(    progress_message "   Provider $table ($number) Started"),
+	      qq(fi\n)
+	    );
    } else {
 	emit( qq(echo 0 > \${VARDIR}/${physical}.status) );
 	emit( qq(progress_message "Provider $table ($number) Started") );
@@ -882,8 +800,6 @@ CEOF
    if ( $optional ) {
 	if ( $shared ) {
 	    emit ( "error_message \"WARNING: Gateway $gateway is not reachable -- Provider $table ($number) not Started\"" );
-	} elsif ( $pseudo ) {
-	    emit ( "error_message \"WARNING: Optional Interface $physical is not usable -- $table not Started\"" );
 	} else {
 	    emit ( "error_message \"WARNING: Interface $physical is not usable -- Provider $table ($number) not Started\"" );
 	}
@@ -901,14 +817,14 @@ CEOF

    pop_indent;

-    emit "} # End of start_${what}_${table}();";
+    emit '}'; # End of start_provider_$table();

    if ( $optional ) {
 	emit( '',
 	      '#',
-	      "# Stop $what $table",
+	      "# Stop provider $table",
 	      '#',
-	      "stop_${what}_${table}() {" );
+	      "stop_provider_$table() {" );

 	push_indent;

@@ -936,13 +852,8 @@ CEOF
 	    emit( qq(delete_gateway "$via" $tbl $physical) );
 	}

-	emit (". $undo" );
-
-	if ( $pseudo ) {
-	    emit( "rm -f $undo" );
-	} else {
-	    emit( "> $undo" );
-	}
+	emit (". $undo",
+	      "> $undo" );

 	emit ( '',
 	       "distribute_load $maxload @load_interfaces" ) if $load;
@@ -953,13 +864,7 @@ CEOF
 		  "qt \$TC qdisc del dev $physical ingress\n" ) if $tcdevices->{$interface};
 	}

-	emit( "echo 1 > \${VARDIR}/${physical}.status" );
-
-	if ( $pseudo ) {
-	    emit( "progress_message2 \"   Optional Interface $table stopped\"" );
-	} else {
 	emit( "progress_message2 \"   Provider $table ($number) stopped\"" );
-	}

 	pop_indent;

@@ -1007,7 +912,7 @@ sub add_an_rtrule( ) {
    if ( $dest eq '-' ) {
 	$dest = 'to ' . ALLIP;
    } else {
-	$dest = validate_net( $dest, 0 );
+	validate_net( $dest, 0 );
 	$dest = "to $dest";
    }

@@ -1019,22 +924,22 @@ sub add_an_rtrule( ) {
 	if ( $source =~ /:/ ) {
 	    ( my $interface, $source , my $remainder ) = split( /:/, $source, 3 );
 	    fatal_error "Invalid SOURCE" if defined $remainder;
-	    $source = validate_net ( $source, 0 );
+	    validate_net ( $source, 0 );
 	    $interface = physical_name $interface;
 	    $source = "iif $interface from $source";
 	} elsif ( $source =~ /\..*\..*/ ) {
-	    $source = validate_net ( $source, 0 );
+	    validate_net ( $source, 0 );
 	    $source = "from $source";
 	} else {
 	    $source = 'iif ' . physical_name $source;
 	}
-    } elsif ( $source =~  /^(.+?):<(.+)>\s*$/ ||  $source =~  /^(.+?):\[(.+)\]\s*$/ || $source =~ /^(.+?):(\[.+?\](?:\/\d+))$/ ) {
+    } elsif ( $source =~  /^(.+?):<(.+)>\s*$/ ||  $source =~  /^(.+?):\[(.+)\]\s*$/ ) {
 	my ($interface, $source ) = ($1, $2);
-	$source = validate_net ($source, 0);
+	validate_net ($source, 0);
 	$interface = physical_name $interface;
 	$source = "iif $interface from $source";
    } elsif (  $source =~ /:.*:/ || $source =~ /\..*\..*/ ) {
-	$source = validate_net ( $source, 0 );
+	validate_net ( $source, 0 );
 	$source = "from $source";
    } else {
 	$source = 'iif ' . physical_name $source;
@@ -1089,7 +994,7 @@ sub add_a_route( ) {
    }

    fatal_error 'DEST must be specified' if $dest eq '-';
-    $dest = validate_net ( $dest, 0 );
+    validate_net ( $dest, 1 );

    validate_address ( $gateway, 1 ) if $gateway ne '-';

@@ -1122,8 +1027,8 @@ sub setup_null_routing() {
    emit "> \${VARDIR}/undo_rfc1918_routing\n";
    for ( rfc1918_networks ) {
 	emit( qq(if ! \$IP -4 route ls | grep -q '^$_.* dev '; then),
-	      qq(    run_ip route replace blackhole $_),
-	      qq(    echo "qt \$IP -4 route del blackhole $_" >> \${VARDIR}/undo_rfc1918_routing),
+	      qq(    run_ip route replace unreachable $_),
+	      qq(    echo "qt \$IP -4 route del unreachable $_" >> \${VARDIR}/undo_rfc1918_routing),
 	      qq(fi\n) );
    }
 }
@@ -1212,10 +1117,6 @@ sub finish_providers() {
 	       '# We don\'t have any \'balance\' providers so we restore any default route that we\'ve saved',
 	       '#',
 	       "restore_default_route $config{USE_DEFAULT_RT}" ,
-	       '#',
-	       '# And delete any routes in the \'balance\' table',
-	       '#',
-	       "qt \$IP -$family route del default table " . BALANCE_TABLE,
 	       '' );
    }

@@ -1229,17 +1130,10 @@ sub finish_providers() {
 	}

 	emit( "    progress_message \"Fallback route '\$(echo \$FALLBACK_ROUTE | sed 's/\$\\s*//')' Added\"",
-	      'else',
-	      '    #',
-	      '    # We don\'t have any \'fallback\' providers so we delete any default routes in the default table',
-	      '    #',
-	      '    delete_default_routes ' . DEFAULT_TABLE,
 	      'fi',
 	      '' );
    } elsif ( $config{USE_DEFAULT_RT} ) {
-	emit( 'delete_default_routes ' . DEFAULT_TABLE,
-	      ''
-	    );
+	emit "qt \$IP -$family route del default table " . DEFAULT_TABLE;
    }

    unless ( $config{KEEP_RT_TABLES} ) {
@@ -1268,33 +1162,20 @@ sub process_providers( $ ) {
    my $tcdevices = shift;

    our $providers = 0;
-    our $pseudoproviders = 0;

    $lastmark = 0;

    if ( my $fn = open_file 'providers' ) {
 	first_entry "$doing $fn...";
-	$providers += process_a_provider(0) while read_a_line( NORMAL_READ );
-    }
-    #
-    # Treat optional interfaces as pseudo-providers
-    #
-    for ( grep interface_is_optional( $_ ) && ! $provider_interfaces{ $_ }, all_real_interfaces ) {
-	#
-	#               TABLE             NUMBER MARK DUPLICATE INTERFACE GATEWAY OPTIONS COPY
-	$currentline =  var_base($_) ." 0      -    -         $_        -       -       -";
-	#
-	$pseudoproviders += process_a_provider(1);
+	process_a_provider, $providers++ while read_a_line( NORMAL_READ );
    }

    if ( $providers ) {
-	fatal_error q(Either all 'fallback' providers must specify a weight or non of them can specify a weight) if $fallback && $metrics;
-
 	my $fn = open_file( 'route_rules' );

 	if ( $fn ){
 	    if ( -f ( my $fn1 = find_file 'rtrules' ) ) {
-		warning_message "Both $fn and $fn1 exist: $fn1 will be ignored";
+		warning_message "Both $fn and $fn1 exists: $fn1 will be ignored";
 	    }
 	} else {
 	    $fn = open_file( 'rtrules' );
@@ -1307,19 +1188,17 @@ sub process_providers( $ ) {

 	    add_an_rtrule while read_a_line( NORMAL_READ );
 	}
-    }

-    if ( $providers || $pseudoproviders ) {
-	my $fn = open_file 'routes';
+	$fn = open_file 'routes';

 	if ( $fn ) {
 	    first_entry "$doing $fn...";
 	    emit '';
 	    add_a_route while read_a_line( NORMAL_READ );
 	}
+    }

    add_a_provider( $providers{$_}, $tcdevices ) for @providers;
-    }

    emit << 'EOF';;

@@ -1340,20 +1219,14 @@ EOF

 	if ( $providerref->{optional} ) {
 	    if ( $providerref->{shared} || $providerref->{physical} eq $provider) {
-		emit "$provider)";
+		emit "$provider})";
 	    } else {
 		emit( "$providerref->{physical}|$provider)" );
 	    }

-	    if ( $providerref->{pseudo} ) {
-		emit ( "    if [ ! -f \${VARDIR}/$product/undo_${provider}_routing ]; then",
-		       "        start_interface_$provider" );
-	    } else {
 	    emit ( "    if [ -z \"`\$IP -$family route ls table $providerref->{number}`\" ]; then",
-		       "        start_provider_$provider" );
-	    }
-
-	    emit ( '    else',
+		   "        start_provider_$provider",
+		   '    else',
 		   "        startup_error \"Interface $providerref->{physical} is already enabled\"",
 		   '    fi',
 		   '    ;;'
@@ -1366,10 +1239,9 @@ EOF

    emit << 'EOF';;
        *)
-            startup_error "$g_interface is not an optional provider or interface"
+            startup_error "$g_interface is not an optional provider or provider interface"
            ;;
    esac
-
 }

 #
@@ -1387,26 +1259,14 @@ EOF
    for my $provider (@providers ) {
 	my $providerref = $providers{$provider};

-	if ( $providerref->{optional} ) {
-	    if ( $provider eq $providerref->{physical} ) {
-		emit( "$provider)" );
-	    } else {
-		emit( "$providerref->{physical}|$provider)" );
-	    }
-
-	    if ( $providerref->{pseudo} ) {
-		emit( "    if [ -f \${VARDIR}/$product/undo_${provider}_routing ]; then" );
-	    } else {
-		emit( "    if [ -n \"`\$IP -$family route ls table $providerref->{number}`\" ]; then" );
-	    }
-
-	    emit( "        stop_$providerref->{what}_$provider",
+	emit( "$providerref->{physical}|$provider)",
+	      "    if [ -n \"`\$IP -$family route ls table $providerref->{number}`\" ]; then",
+	      "        stop_provider_$provider",
 	      '    else',
 	      "        startup_error \"Interface $providerref->{physical} is already disabled\"",
 	      '    fi',
 	      '    ;;'
-		);
-	}
+	    ) if $providerref->{optional};
    }

    pop_indent;
@@ -1422,10 +1282,6 @@ EOF

 }

-sub have_providers() {
-    return our $providers;
-}
-
 sub setup_providers() {
    our $providers;

@@ -1438,7 +1294,7 @@ sub setup_providers() {

 	emit '';

-	emit "start_$providers{$_}->{what}_$_" for @providers;
+	emit "start_provider_$_" for @providers;

 	emit '';

@@ -1471,228 +1327,6 @@ sub setup_providers() {

 }

-#
-# Emit the updown() function
-#
-sub compile_updown() {
-    emit( '',
-	  '#',
-	  '# Handle the "up" and "down" commands',
-	  '#',
-	  'updown() # $1 = interface',
-	  '{',
-	);
-
-    push_indent;
-
-    emit( 'local state',
-	  'state=cleared',
-	  ''
-	);
-
-    emit 'progress_message3 "$g_product $COMMAND triggered by $1"';
-    emit '';
-
-    if ( $family == F_IPV4 ) {
-	emit 'if shorewall_is_started; then';
-    } else {
-	emit 'if shorewall6_is_started; then';
-    }
-
-    emit( '    state=started',
-	  'elif [ -f ${VARDIR}/state ]; then',
-	  '    case "$(cat ${VARDIR}/state)" in',
-	  '        Stopped*)',
-	  '            state=stopped',
-	  '            ;;',
-	  '        Cleared*)',
-	  '            ;;',
-	  '        *)',
-	  '            state=unknown',
-	  '            ;;',
-	  '    esac',
-	  'else',
-	  '    state=unknown',
-	  'fi',
-	  ''
-	);
-
-    emit( 'case $1 in' );
-
-    push_indent;
-
-    my $ignore   = find_interfaces_by_option 'ignore', 1;
-    my $required = find_interfaces_by_option 'required';
-    my $optional = find_interfaces_by_option 'optional';
-
-    if ( @$ignore ) {
-	my $interfaces = join '|', map get_physical( $_ ), @$ignore;
-
-	$interfaces =~ s/\+/*/g;
-
-	emit( "$interfaces)",
-	      '    progress_message3 "$COMMAND on interface $1 ignored"',
-	      '    exit 0',
-	      '    ;;'
-	    );
-    }
-
-    my @nonshared = ( grep $providers{$_}->{optional},
-		      sort( { $providers{$a}->{number} <=> $providers{$b}->{number} } values %provider_interfaces ) );
-
-    if ( @nonshared ) {
-	my $interfaces = join( '|', map $providers{$_}->{physical}, @nonshared );
-
-	emit "$interfaces)";
-
-	push_indent;
-
-	emit( q(if [ "$state" = started ]; then) ,
-	      q(    if [ "$COMMAND" = up ]; then) , 
-	      q(        progress_message3 "Attempting enable on interface $1") ,
-	      q(        COMMAND=enable) ,
-	      q(        detect_configuration),        
-	      q(        enable_provider $1),
-	      q(    elif [ "$PHASE" != post-down ]; then # pre-down or not Debian) ,
-	      q(        progress_message3 "Attempting disable on interface $1") ,
-	      q(        COMMAND=disable) ,
-	      q(        detect_configuration),        
-	      q(        disable_provider $1) ,
-	      q(    fi) ,
-	      q(elif [ "$COMMAND" = up ]; then) ,
-	      q(    echo 0 > ${VARDIR}/${1}.status) ,
-	      q(    COMMAND=start),
-	      q(    progress_message3 "$g_product attempting start") ,
-	      q(    detect_configuration),
-	      q(    define_firewall),
-	      q(else),
-	      q(    progress_message3 "$COMMAND on interface $1 ignored") ,
-	      q(fi) ,
-	      q(;;) );
-
-	pop_indent;
-    }
-
-    if ( @$required ) {
-	my $interfaces = join '|', map get_physical( $_ ), @$required;
-
-	my $wildcard = ( $interfaces =~ s/\+/*/g );
-
-	emit( "$interfaces)",
-	      '    if [ "$COMMAND" = up ]; then' );
-
-	if ( $wildcard ) {
-	    emit( '        if [ "$state" = started ]; then',
-		  '            COMMAND=restart',
-		  '        else',
-		  '            COMMAND=start',
-		  '        fi' );
-	} else {
-	    emit( '        COMMAND=start' );
-	}
-
-	emit( '        progress_message3 "$g_product attempting $COMMAND"',
-	      '        detect_configuration',
-	      '        define_firewall',
-	      '    elif [ "$PHASE" != pre-down ]; then # Not Debian pre-down phase'
-	    );
-
-	push_indent;
-
-	if ( $wildcard ) {
-
-	    emit( '    if [ "$state" = started ]; then',
-		  '        progress_message3 "$g_product attempting restart"',
-		  '        COMMAND=restart',
-		  '        detect_configuration',
-		  '        define_firewall',
-		  '    fi' );
-
-	} else {
-	    emit( '    COMMAND=stop',
-		  '    progress_message3 "$g_product attempting stop"',
-		  '    detect_configuration',
-		  '    stop_firewall' );
-	}
-
-	pop_indent;
-
-	emit( '    fi',
-	      '    ;;'
-	    );
-    }
-
-    if ( @$optional ) {
-	my @interfaces = map( get_physical( $_ ), grep( ! $provider_interfaces{$_} , @$optional ) );
-	my $interfaces = join '|', @interfaces;
-
-	if ( $interfaces ) {
-	    if ( $interfaces =~ s/\+/*/g || @interfaces > 1 ) {
-		emit( "$interfaces)",
-		      '    if [ "$COMMAND" = up ]; then',
-		      '        echo 0 > ${VARDIR}/${1}.state',
-		      '    else',
-		      '        echo 1 > ${VARDIR}/${1}.state',
-		      '    fi' );
-	    } else {
-		emit( "$interfaces)",
-		      '    if [ "$COMMAND" = up ]; then',
-		      "        echo 0 > \${VARDIR}/$interfaces.state",
-		      '    else',
-		      "        echo 1 > \${VARDIR}/$interfaces.state",
-		      '    fi' );
-	    }
-
-	    emit( '',
-		  '    if [ "$state" = started ]; then',
-		  '        COMMAND=restart',
-		  '        progress_message3 "$g_product attempting restart"',
-		  '        detect_configuration',
-		  '        define_firewall',
-		  '    elif [ "$state" = stopped ]; then',
-		  '        COMMAND=start',
-		  '        progress_message3 "$g_product attempting start"',
-		  '        detect_configuration',
-		  '        define_firewall',
-		  '    else',
-		  '        progress_message3 "$COMMAND on interface $1 ignored"',
-		  '    fi',
-		  '    ;;',
-		);
-	}
-    }
-
-    if ( my @plain_interfaces = all_plain_interfaces ) {			
-	my $interfaces = join ( '|', @plain_interfaces );
-
-	$interfaces =~ s/\+/*/g;
-	
-	emit( "$interfaces)",
-	      '    case $state in',
-	      '        started)',
-	      '            COMMAND=restart',
-	      '            progress_message3 "$g_product attempting restart"',
-	      '            detect_configuration',
-	      '            define_firewall',
-	      '            ;;',
-	      '        *)',
-	      '            progress_message3 "$COMMAND on interface $1 ignored"',
-	      '            ;;',
-	      '    esac',
-	    );
-    }
-
-    pop_indent;
-
-    emit( 'esac' );
-
-    pop_indent;
-
-    emit( '}',
-	  '',
-	);
-}
-
 sub lookup_provider( $ ) {
    my $provider    = $_[0];
    my $providerref = $providers{ $provider };
@@ -1732,7 +1366,7 @@ sub handle_optional_interfaces( $ ) {
 	#
 	# Clear the '_IS_USABLE' variables
 	#
-	emit( join( '_', 'SW', uc var_base( get_physical( $_ ) ) , 'IS_USABLE=' ) ) for @$interfaces;
+	emit( join( '_', 'SW', uc chain_base( get_physical( $_ ) ) , 'IS_USABLE=' ) ) for @$interfaces;

 	if ( $wildcards ) {
 	    #
@@ -1752,7 +1386,7 @@ sub handle_optional_interfaces( $ ) {
 	for my $interface ( grep $provider_interfaces{$_}, @$interfaces ) {
 	    my $provider    = $provider_interfaces{$interface};
 	    my $physical    = get_physical $interface;
-	    my $base        = uc var_base( $physical );
+	    my $base        = uc chain_base( $physical );
 	    my $providerref = $providers{$provider};

 	    emit( "$physical)" ), push_indent if $wildcards;
@@ -1773,7 +1407,7 @@ sub handle_optional_interfaces( $ ) {

 	for my $interface ( grep ! $provider_interfaces{$_}, @$interfaces ) {
 	    my $physical    = get_physical $interface;
-	    my $base        = uc var_base( $physical );
+	    my $base        = uc chain_base( $physical );
 	    my $case        = $physical;
 	    my $wild        = $case =~ s/\+$/*/;

@@ -1861,7 +1495,7 @@ sub handle_stickiness( $ ) {

 	for my $providerref ( @routemarked_providers ) {
 	    my $interface = $providerref->{physical};
-	    my $base      = uc var_base $interface;
+	    my $base      = uc chain_base $interface;
 	    my $mark      = $providerref->{mark};

 	    for ( grep rule_target($_) eq 'sticky', @{$tcpreref->{rules}} ) {
--- a/Shorewall/Perl/Shorewall/Raw.pm
+++ b/Shorewall/Perl/Shorewall/Raw.pm
@@ -3,7 +3,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2009,2010,2011,2012,2013 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2009,2010,2011 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
@@ -20,7 +20,7 @@
 #       along with this program; if not, write to the Free Software
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
-#   This module contains the code that handles the /etc/shorewall/conntrack file.
+#   This module contains the code that handles the /etc/shorewall/notrack file.
 #
 package Shorewall::Raw;
 require Exporter;
@@ -32,109 +32,63 @@ use Shorewall::Chains qw(:DEFAULT :internal);
 use strict;

 our @ISA = qw(Exporter);
-our @EXPORT = qw( setup_conntrack );
-our @EXPORT_OK = qw( handle_helper_rule );
+our @EXPORT = qw( setup_notrack );
+our @EXPORT_OK = qw( );
 our $VERSION = 'MODULEVERSION';

-our %valid_ctevent = ( new        => 1,
-		       related    => 1,
-		       destroy    => 1,
-		       reply      => 1,
-		       assured    => 1,
-		       protoinfo  => 1,
-		       helper     => 1,
-		       mark       => 1,
-		       natseqinfo => 1,
-		       secmark    => 1 );
+my %valid_ctevent = ( new => 1, related => 1, destroy => 1, reply => 1, assured => 1, protoinfo => 1, helper => 1, mark => 1, natseqinfo => 1, secmark => 1 );

 #
 # Notrack
 #
-sub process_conntrack_rule( $$$$$$$$$$ ) {
+sub process_notrack_rule( $$$$$$$ ) {

-    my ($chainref, $zoneref, $action, $source, $dest, $proto, $ports, $sports, $user, $switch ) = @_;
-
-    require_capability 'RAW_TABLE', 'conntrack rules', '';
+    my ($action, $source, $dest, $proto, $ports, $sports, $user ) = @_;

    $proto  = ''    if $proto  eq 'any';
    $ports  = ''    if $ports  eq 'any' || $ports  eq 'all';
    $sports = ''    if $sports eq 'any' || $sports eq 'all';

-    my $zone;
-    my $restriction = PREROUTE_RESTRICT;
+    ( my $zone, $source) = split /:/, $source, 2;
+    my $zoneref  = find_zone $zone;
+    my $chainref = ensure_raw_chain( notrack_chain $zone );
+    my $restriction = $zoneref->{type} == FIREWALL || $zoneref->{type} == VSERVER ? OUTPUT_RESTRICT : PREROUTE_RESTRICT;

-    if ( $chainref ) {
-	$restriction = OUTPUT_RESTRICT if $chainref->{name} eq 'OUTPUT';
-    } else {
-	#
-	# Entry in the conntrack file
-	#
-	if ( $zoneref ) {
-	    $zone = $zoneref->{name};
-	} else {
-	    ($zone, $source) = split /:/, $source, 2;
-	    $zoneref = find_zone ( $zone );
-	}
-
-	$chainref = ensure_raw_chain( notrack_chain $zone );
-	$restriction = OUTPUT_RESTRICT if $zoneref->{type}  & (FIREWALL | VSERVER );
    fatal_error 'USER/GROUP is not allowed unless the SOURCE zone is $FW or a Vserver zone' if $user ne '-' && $restriction != OUTPUT_RESTRICT;
-    }
+    require_capability 'RAW_TABLE', 'Notrack rules', '';

    my $target = $action;
    my $exception_rule = '';
-    my $rule = do_proto( $proto, $ports, $sports ) . do_user ( $user ) . do_condition( $switch , $chainref->{name} );
+    my $rule = do_proto( $proto, $ports, $sports ) . do_user ( $user );

-    if ( $action eq 'NOTRACK' ) {
-	#
-	# A patch that deimplements the NOTRACK target has been posted on the
-	# Netfilter development list
-	#
-	$action = 'CT --notrack' if have_capability 'CT_TARGET';
-    } elsif ( $action ne 'DROP' ) {
+    unless ( $action eq 'NOTRACK' ) {
 	(  $target, my ( $option, $args, $junk ) ) = split ':', $action, 4;

 	fatal_error "Invalid notrack ACTION ( $action )" if $junk || $target ne 'CT';

-	require_capability 'CT_TARGET', 'CT entries in the conntrack file', '';
+	require_capability 'CT_TARGET', 'CT entries in the notrack file', '';

 	if ( $option eq 'notrack' ) {
-	    fatal_error "Invalid conntrack ACTION ( $action )" if supplied $args;
+	    fatal_error "Invalid notrack ACTION ( $action )" if supplied $args;
 	    $action = 'CT --notrack';
 	} else {
 	    fatal_error "Invalid or missing CT option and arguments" unless supplied $option && supplied $args;

 	    if ( $option eq 'helper' ) {
-		my $modifiers = '';
-
-		if ( $args =~ /^([-\w.]+)\((.+)\)$/ ) {
-		    $args      = $1;
-		    $modifiers = $2;
-		}
-
 		fatal_error "Invalid helper' ($args)" if $args =~ /,/;
 		validate_helper( $args, $proto );
-		$action = "CT --helper $helpers_aliases{$args}";
+		$action = "CT --helper $args";
 		$exception_rule = do_proto( $proto, '-', '-' );
-
-		for my $mod ( split_list1( $modifiers, 'ctevents' ) ) {
-		    fatal_error "Invalid helper option ($mod)" unless $mod =~ /^(\w+)=(.+)$/;
-		    $mod    = $1;
-		    my $val = $2;
-		    
-		    if ( $mod eq 'ctevents' ) {
-			for ( split_list( $val, 'ctevents' ) ) {
+	    } elsif ( $option eq 'ctevents' ) {
+		for ( split ',', $args ) {
 		    fatal_error "Invalid 'ctevents' event ($_)" unless $valid_ctevent{$_};
 		}

-			$action .= " --ctevents $val";
-		    } elsif ( $mod eq 'expevents' ) {
-			fatal_error "Invalid expevent argument ($val)" unless $val eq 'new';
-			$action .= ' --expevents new';
-		    } else {
-			fatal_error "Invalid helper option ($mod)";
-		    }
-		}
+		$action = "CT --ctevents $args";
+	    } elsif ( $option eq 'expevent' ) {
+		fatal_error "Invalid expevent argument ($args)" unless $args eq 'new';
+	    } elsif ( $option eq 'zone' ) {
+		fatal_error "Invalid zone id ($args)" unless $args =~ /^\d+$/;
 	    } else {
 		fatal_error "Invalid CT option ($option)";
 	    }
@@ -152,142 +106,64 @@ sub process_conntrack_rule( $$$$$$$$$$ ) {
 		 $target ,
 		 $exception_rule );

-    progress_message "  Conntrack rule \"$currentline\" $done";
-}
+    progress_message "  Notrack rule \"$currentline\" $done";

-sub handle_helper_rule( $$$$$$$$$$$ ) {
-    my ( $helper, $source, $dest, $proto, $ports, $sports, $sourceref, $action_target, $actionchain, $user, $rule ) = @_;
-
-    if ( $helper ne '-' ) {
-	fatal_error "A HELPER is not allowed with this ACTION" if $action_target;
-	#
-	# This means that an ACCEPT or NAT rule with a helper is being processed
-	#
-	process_conntrack_rule( $actionchain ? ensure_raw_chain( $actionchain ) : undef ,
-				$sourceref ,
-				"CT:helper:$helper",
-				$source ,
-				$dest ,
-				$proto ,
-				$ports ,
-				$sports ,
-				$user,
-				'-',
-			      );
-    } else {
-	assert( $action_target );
-	#
-	# The target is an action
-	#
-	if ( $actionchain ) {
-	    #
-	    # And the source is another action chain
-	    #
-	    expand_rule( ensure_raw_chain( $actionchain ) ,
-			 PREROUTE_RESTRICT ,
-			 $rule ,
-			 $source ,
-			 $dest ,
-			 '' ,
-			 $action_target ,
-			 '',
-			 'CT' ,
-			 '' );
-	} else {
-	    expand_rule( ensure_raw_chain( notrack_chain( $sourceref->{name} ) ) ,
-			 ( $sourceref->{type} == FIREWALL || $sourceref->{type} == VSERVER ?
-			   OUTPUT_RESTRICT :
-			   PREROUTE_RESTRICT ) ,
-			 $rule ,
-			 $source ,
-			 $dest ,
-			 '' ,
-			 $action_target ,
-			 '' ,
-			 'CT' ,
-			 '' );
-	}
-    }
+    $globals{UNTRACKED} = 1;
 }

 sub process_format( $ ) {
    my $format = shift;

-    fatal_error q(FORMAT must be '1', '2' or '3') unless $format =~ /^[123]$/;
-    format_warning;
+    fatal_error q(FORMAT must be '1' or '2') unless $format =~ /^[12]$/;

-    $file_format = $format;
+    $format;
 }

-sub setup_conntrack() {
+sub setup_notrack() {

-    for my $name ( qw/notrack conntrack/ ) {
+    my $format = 1;
+    my $action = 'NOTRACK';

-	my $fn = open_file( $name, 3 , 1 );
+    if ( my $fn = open_file 'notrack' ) {

-	if ( $fn ) {
+	first_entry "$doing $fn...";

-	    my $action;
-
-	    my $empty = 1;
-
-	    first_entry( "$doing $fn..." );
+	my $nonEmpty = 0;

 	while ( read_a_line( NORMAL_READ ) ) {
-		my ( $source, $dest, $protos, $ports, $sports, $user, $switch );
+	    my ( $source, $dest, $proto, $ports, $sports, $user );

-		if ( $file_format == 1 ) {
-		    ( $source, $dest, $protos, $ports, $sports, $user, $switch ) = split_line1 'Conntrack File', { source => 0, dest => 1, proto => 2, dport => 3, sport => 4, user => 5, switch => 6 };
+	    if ( $format == 1 ) {
+		( $source, $dest, $proto, $ports, $sports, $user ) = split_line1 'Notrack File', { source => 0, dest => 1, proto => 2, dport => 3, sport => 4, user => 5 };
+
+		if ( $source eq 'FORMAT' ) {
+		    $format = process_format( $dest );
+		    next;
+		}
+
+		if ( $source eq 'COMMENT' ) {
+		    process_comment;
+		    next;
+		}
+	    } else {
+		( $action, $source, $dest, $proto, $ports, $sports, $user ) = split_line1 'Notrack File', { action => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5, user => 6 }, { COMMENT => 0, FORMAT => 2 };
+
+		if ( $action eq 'FORMAT' ) {
+		    $format = process_format( $source );
 		    $action = 'NOTRACK';
-		} else {
-		    ( $action, $source, $dest, $protos, $ports, $sports, $user, $switch ) = split_line1 'Conntrack File', { action => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5, user => 6, switch => 7 };
+		    next;
 		}

-		$empty = 0;
-
-		for my $proto ( split_list $protos, 'Protocol' ) {
-		    if ( $file_format < 3 ) {
-			if ( $source =~ /^all(-)?(:(.+))?$/ ) {
-			    fatal_error 'USER/GROUP is not allowed unless the SOURCE zone is $FW or a Vserver zone' if $user ne '-';
-			    for my $zone ( $1 ? off_firewall_zones : all_zones ) {
-				process_conntrack_rule( undef ,
-							undef,
-							$action,
-							$zone . ( $2 || ''),
-							$dest,
-							$proto,
-							$ports,
-							$sports,
-							$user ,
-							$switch );
-			    }
-			} else {
-			    process_conntrack_rule( undef, undef, $action, $source, $dest, $proto, $ports, $sports, $user, $switch );
-			}
-		    } elsif ( $action =~ s/:O$// ) {
-			process_conntrack_rule( $raw_table->{OUTPUT}, undef, $action, $source, $dest, $proto, $ports, $sports, $user, $switch );
-		    } elsif ( $action =~ s/:OP// || $action =~ s/:PO// ) {
-			process_conntrack_rule( $raw_table->{PREROUTING}, undef, $action, $source, $dest, $proto, $ports, $sports, $user, $switch );
-			process_conntrack_rule( $raw_table->{OUTPUT},     undef, $action, $source, $dest, $proto, $ports, $sports, $user, $switch );
-		    } else {
-			$action =~ s/:P//;
-			process_conntrack_rule( $raw_table->{PREROUTING}, undef, $action, $source, $dest, $proto, $ports, $sports, $user, $switch );
-		    }
+		if ( $action eq 'COMMENT' ) {
+		    process_comment;
+		    next;
 		}
 	    }

-	    if ( $name eq 'notrack') {
-		if ( $empty ) {
-		    if ( unlink( $fn ) ) {
-			warning_message "Empty notrack file ($fn) removed";
-		    } else {
-			warning_message "Unable to remove empty notrack file ($fn): $!";
-		    }
-		} else {
-		    warning_message "Non-empty notrack file ($fn); please move its contents to the conntrack file";
-		}
-	    }
+	    process_notrack_rule $action, $source, $dest, $proto, $ports, $sports, $user;
 	}
+
+	clear_comment;
    }
 }

--- a/Shorewall/Perl/Shorewall/Rules.pm
+++ b/Shorewall/Perl/Shorewall/Rules.pm
--- a/Shorewall/Perl/Shorewall/Tc.pm
+++ b/Shorewall/Perl/Shorewall/Tc.pm
--- a/Shorewall/Perl/Shorewall/Tunnels.pm
+++ b/Shorewall/Perl/Shorewall/Tunnels.pm
@@ -2,6 +2,7 @@
 # Shorewall 4.4 -- /usr/share/shorewall/Shorewall/Tunnels.pm
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
+#
 #     (c) 2007,2008,2009,2010,2011 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
@@ -61,7 +62,7 @@ sub setup_tunnels() {
 	    }
 	}

-	my @options = have_capability( 'RAW_TABLE' ) ? state_imatch 'NEW,UNTRACKED' : state_imatch 'NEW';
+	my @options = $globals{UNTRACKED} ? state_imatch 'NEW,UNTRACKED' : state_imatch 'NEW';

 	add_tunnel_rule $inchainref,  p => 50, @$source;
 	add_tunnel_rule $outchainref, p => 50, @$dest;
@@ -125,9 +126,9 @@ sub setup_tunnels() {
    sub setup_pptp_server {
 	my ($inchainref, $outchainref, $kind, $source, $dest ) = @_;

-	add_tunnel_rule $inchainref,  p => 47, @$source;
-	add_tunnel_rule $outchainref, p => 47, @$dest;
-	add_tunnel_rule $inchainref,  p => 'tcp --dport 1723', @$source
+	add_tunnel_rule $inchainref,  p => 47, @$dest;
+	add_tunnel_rule $outchainref, p => 47, @$source;
+	add_tunnel_rule $inchainref,  p => 'tcp --dport 1723', @$dest
 	}

    sub setup_one_openvpn {
@@ -285,20 +286,26 @@ sub setup_tunnels() {
    #
    # Setup_Tunnels() Starts Here
    #
-    if ( my $fn = open_file( 'tunnels', 1, 1 ) ) {
+    if ( my $fn = open_file 'tunnels' ) {

 	first_entry "$doing $fn...";

 	while ( read_a_line( NORMAL_READ ) ) {

-	    my ( $kind, $zone, $gateway, $gatewayzones ) = split_line1 'tunnels file', { type => 0, zone => 1, gateway => 2, gateways => 2, gateway_zone => 3 , gateway_zones => 3 }, {}, 4;
+	    my ( $kind, $zone, $gateway, $gatewayzones ) = split_line1 'tunnels file', { type => 0, zone => 1, gateway => 2, gateways => 2, gateway_zone => 3 }, undef, 4;

 	    fatal_error 'TYPE must be specified' if $kind eq '-';

+	    if ( $kind eq 'COMMENT' ) {
+		process_comment;
+	    } else {
 		fatal_error 'ZONE must be specified' if $zone eq '-';
 		setup_one_tunnel $kind, $zone, $gateway, $gatewayzones;
 	    }
 	}
+
+	clear_comment;
+    }
 }

 1;
--- a/Shorewall/Perl/Shorewall/Zones.pm
+++ b/Shorewall/Perl/Shorewall/Zones.pm
@@ -31,7 +31,7 @@ use Shorewall::IPAddrs;
 use strict;

 our @ISA = qw(Exporter);
-our @EXPORT = ( qw( NOTHING
+our @EXPORT = qw( NOTHING
 		  NUMERIC
 		  NETWORK
 		  IPSECPROTO
@@ -41,9 +41,6 @@ our @EXPORT = ( qw( NOTHING
 		  IP
 		  BPORT
 		  IPSEC
-		    GROUP
-		    NO_UPDOWN
-		    NO_SFILTER

 		  determine_zones
 		  zone_report
@@ -58,15 +55,13 @@ our @EXPORT = ( qw( NOTHING
 		  all_parent_zones
 		  complex_zones
 		  vserver_zones
-		    on_firewall_zones
 		  off_firewall_zones
 		  non_firewall_zones
 		  single_interface
-		    var_base
+		  chain_base
 		  validate_interfaces_file
 		  all_interfaces
 		  all_real_interfaces
-		    all_plain_interfaces
 		  all_bridges
 		  interface_number
 		  find_interface
@@ -77,7 +72,6 @@ our @EXPORT = ( qw( NOTHING
 		  port_to_bridge
 		  source_port_to_bridge
 		  interface_is_optional
-		    interface_is_required
 		  find_interfaces_by_option
 		  find_interfaces_by_option1
 		  get_interface_option
@@ -86,13 +80,13 @@ our @EXPORT = ( qw( NOTHING
 		  set_interface_provider
 		  interface_zones
 		  verify_required_interfaces
+		  compile_updown
 		  validate_hosts_file
 		  find_hosts_by_option
 		  find_zone_hosts_by_option
 		  find_zones_by_option
 		  all_ipsets
 		  have_ipsec
-		 ),
 		 );

 our @EXPORT_OK = qw( initialize );
@@ -120,8 +114,7 @@ use constant { IN_OUT     => 1,
 #
 #     @zones contains the ordered list of zones with sub-zones appearing before their parents.
 #
-#     %zones{<zone1> => {name =>       <name>,
-#                        type =>       <zone type>       FIREWALL, IP, IPSEC, BPORT;
+#     %zones{<zone1> => {type =>       <zone type>       FIREWALL, IP, IPSEC, BPORT;
 #                        complex =>    0|1
 #                        super   =>    0|1
 #                        options =>    { in_out  => < policy match string >
@@ -148,12 +141,12 @@ use constant { IN_OUT     => 1,
 #
 #     $firewall_zone names the firewall zone.
 #
-our @zones;
-our %zones;
-our %zonetypes;
-our $firewall_zone;
+my @zones;
+my %zones;
+my %zonetypes;
+my $firewall_zone;

-our %reservedName = ( all => 1,
+my  %reservedName = ( all => 1,
 		      any => 1,
 		      none => 1,
 		      SOURCE => 1,
@@ -173,14 +166,13 @@ our %reservedName = ( all => 1,
 #                                     zone        => <zone name>
 #                                     multizone   => undef|1   #More than one zone interfaces through this interface
 #                                     nets        => <number of nets in interface/hosts records referring to this interface>
-#                                     bridge      => <bridge name> # Same as ->{name} if not a bridge port.
+#                                     bridge      => <bridge name>
 #                                     ports       => <number of port on this bridge>
 #                                     ipsec       => undef|1 # Has an ipsec host group
 #                                     broadcasts  => 'none', 'detect' or [ <addr1>, <addr2>, ... ]
 #                                     number      => <ordinal position in the interfaces file>
 #                                     physical    => <physical interface name>
 #                                     base        => <shell variable base representing this interface>
-#                                     provider    => <Provider Name, if interface is associated with a provider>
 #                                     zones       => { zone1 => 1, ... }
 #                                   }
 #                 }
@@ -188,24 +180,22 @@ our %reservedName = ( all => 1,
 #    The purpose of the 'base' member is to ensure that the base names associated with the physical interfaces are assigned in
 #    the same order as the interfaces are encountered in the configuration files.
 #
-our @interfaces;
-our %interfaces;
-our %roots;
-our @bport_zones;
-our %ipsets;
-our %physical;
-our %basemap;
-our %basemap1;
-our %mapbase;
-our %mapbase1;
-our $family;
-our $upgrade;
-our $have_ipsec;
-our $baseseq;
-our $minroot;
-our $zonemark;
-our $zonemarkincr;
-our $zonemarklimit;
+my @interfaces;
+my %interfaces;
+my %roots;
+my @bport_zones;
+my %ipsets;
+my %physical;
+my %basemap;
+my %mapbase;
+my $family;
+my $upgrade;
+my $have_ipsec;
+my $baseseq;
+my $minroot;
+my $zonemark;
+my $zonemarkincr;
+my $zonemarklimit;

 use constant { FIREWALL => 1,
 	       IP       => 2,
@@ -229,21 +219,17 @@ use constant { SIMPLE_IF_OPTION   => 1,
 	       IF_OPTION_WILDOK   => 64
 	   };

-use constant { NO_UPDOWN   => 1, 
-	       NO_SFILTER  => 2 };
+my %validinterfaceoptions;

-our %validinterfaceoptions;
+my %defaultinterfaceoptions = ( routefilter => 1 , wait => 60 );

-our %defaultinterfaceoptions = ( routefilter => 1 , wait => 60 );
+my %maxoptionvalue = ( routefilter => 2, mss => 100000 , wait => 120 );

-our %maxoptionvalue = ( routefilter => 2, mss => 100000 , wait => 120 , ignore => NO_UPDOWN );
+my %validhostoptions;

-our %validhostoptions;
-
-our %validzoneoptions = ( mss            => NUMERIC,
+my %validzoneoptions = ( mss          => NUMERIC,
 			 nomark       => NOTHING,
 			 blacklist    => NOTHING,
-			  dynamic_shared => NOTHING,
 			 strict       => NOTHING,
 			 next         => NOTHING,
 			 reqid        => NUMERIC,
@@ -258,10 +244,7 @@ use constant { UNRESTRICTED => 1, NOFW => 2 , COMPLEX => 8, IN_OUT_ONLY => 16 };
 #
 # Hash of options that have their own key in the returned hash.
 #
-our %zonekey = ( mss            => UNRESTRICTED | COMPLEX ,
-		 blacklist      => NOFW, 
-		 nomark         => NOFW | IN_OUT_ONLY,
-		 dynamic_shared => IN_OUT_ONLY );
+my %zonekey = ( mss => UNRESTRICTED | COMPLEX , blacklist => NOFW, nomark => NOFW | IN_OUT_ONLY );

 #
 # Rather than initializing globals in an INIT block or during declaration,
@@ -287,9 +270,7 @@ sub initialize( $$ ) {
    %ipsets = ();
    %physical = ();
    %basemap = ();
-    %basemap1 = ();
    %mapbase = ();
-    %mapbase1 = ();
    $baseseq = 0;
    $minroot = 0;

@@ -300,7 +281,6 @@ sub initialize( $$ ) {
 				  bridge      => SIMPLE_IF_OPTION,
 				  detectnets  => OBSOLETE_IF_OPTION,
 				  dhcp        => SIMPLE_IF_OPTION,
-				  ignore      => NUMERIC_IF_OPTION + IF_OPTION_WILDOK,
 				  maclist     => SIMPLE_IF_OPTION + IF_OPTION_HOST,
 				  logmartians => BINARY_IF_OPTION,
 				  nets        => IPLIST_IF_OPTION + IF_OPTION_ZONEONLY + IF_OPTION_VSERVER,
@@ -311,7 +291,6 @@ sub initialize( $$ ) {
 				  required    => SIMPLE_IF_OPTION,
 				  routeback   => SIMPLE_IF_OPTION + IF_OPTION_ZONEONLY + IF_OPTION_HOST + IF_OPTION_VSERVER,
 				  routefilter => NUMERIC_IF_OPTION ,
-				  rpfilter    => SIMPLE_IF_OPTION,
 				  sfilter     => IPLIST_IF_OPTION,
 				  sourceroute => BINARY_IF_OPTION,
 				  tcpflags    => SIMPLE_IF_OPTION + IF_OPTION_HOST,
@@ -337,7 +316,6 @@ sub initialize( $$ ) {
 	%validinterfaceoptions = (  blacklist   => SIMPLE_IF_OPTION + IF_OPTION_HOST,
 				    bridge      => SIMPLE_IF_OPTION,
 				    dhcp        => SIMPLE_IF_OPTION,
-				    ignore      => NUMERIC_IF_OPTION + IF_OPTION_WILDOK,
 				    maclist     => SIMPLE_IF_OPTION + IF_OPTION_HOST,
 				    nets        => IPLIST_IF_OPTION + IF_OPTION_ZONEONLY + IF_OPTION_VSERVER,
 				    nosmurfs    => SIMPLE_IF_OPTION + IF_OPTION_HOST,
@@ -345,7 +323,6 @@ sub initialize( $$ ) {
 				    proxyndp    => BINARY_IF_OPTION,
 				    required    => SIMPLE_IF_OPTION,
 				    routeback   => SIMPLE_IF_OPTION + IF_OPTION_ZONEONLY + IF_OPTION_HOST + IF_OPTION_VSERVER,
-				    rpfilter    => SIMPLE_IF_OPTION,
 				    sfilter     => IPLIST_IF_OPTION,
 				    sourceroute => BINARY_IF_OPTION,
 				    tcpflags    => SIMPLE_IF_OPTION + IF_OPTION_HOST,
@@ -407,7 +384,7 @@ sub parse_zone_option_list($$\$$)

 	    if ( $key ) {
 		fatal_error "Option '$e' not permitted with this zone type " if $key & NOFW && ($zonetype & ( FIREWALL | VSERVER) );
-		fatal_error "Option '$e' is only permitted in the OPTIONS columns" if $key & IN_OUT_ONLY && $column != IN_OUT;
+		fatal_error "Opeion '$e' is only permitted in the OPTIONS columns" if $key & IN_OUT_ONLY && $column != IN_OUT;
 		$$complexref = 1 if $key & COMPLEX;
 		$h{$e} = $val || 1;
 	    } else {
@@ -506,8 +483,7 @@ sub process_zone( \$ ) {

    my $complex = 0;

-    my $zoneref = $zones{$zone} = { name       => $zone,
-				    type       => $type,
+    my $zoneref = $zones{$zone} = { type       => $type,
 				    parents    => \@parents,
 				    bridge     => '',
 				    options    => { in_out  => parse_zone_option_list( $options , $type, $complex , IN_OUT ) ,
@@ -543,7 +519,6 @@ sub process_zone( \$ ) {
    }

    if ( $zoneref->{options}{in_out}{blacklist} ) {
-	warning_message q(The 'blacklist' option is deprecated);
 	for ( qw/in out/ ) {
 	    unless ( $zoneref->{options}{$_}{blacklist} ) {
 		$zoneref->{options}{$_}{blacklist} = 1;
@@ -551,10 +526,6 @@ sub process_zone( \$ ) {
 		warning_message( "Redundant 'blacklist' in " . uc( $_ ) . '_OPTIONS' );
 	    }
 	}
-    } else {
-	for ( qw/in out/ ) {
-	    warning_message q(The 'blacklist' option is deprecated), last if  $zoneref->{options}{$_}{blacklist};
-	}
    }

    return $zone;
@@ -594,7 +565,6 @@ sub determine_zones()
 		for ( @{$zones{$zone}{children}} ) {
 		    next ZONE unless $ordered{$_};
 		}
-
 		$ordered{$zone} = 1;
 		push @zones, $zone;
 		redo PUSHED;
@@ -602,7 +572,7 @@ sub determine_zones()
 	}
    }

-    assert( @zones == @z );
+    assert( scalar @zones == scalar @z );

 }

@@ -767,13 +737,6 @@ sub add_group_to_zone($$$$$)
 	    $new = \@exclusions;
 	}

-	if ( substr( $host, 0, 1 ) eq '+' ) {
-	    fatal_error "Invalid ipset name ($host)" unless $host =~ /^\+(6_)?[a-zA-Z][-\w]*$/;
-	    require_capability( 'IPSET_MATCH', 'Ipset names in host lists', '');
-	} else {
-	    $host = validate_host $host, 0;
-	}
-
 	unless ( $switched ) {
 	    if ( $type == $zonetype ) {
 		fatal_error "Duplicate Host Group ($interface:$host) in zone $zone" if $interfaces{$interface}{zone} eq $zone;
@@ -792,6 +755,13 @@ sub add_group_to_zone($$$$$)
 	    }
 	}

+	if ( substr( $host, 0, 1 ) eq '+' ) {
+	    fatal_error "Invalid ipset name ($host)" unless $host =~ /^\+(6_)?[a-zA-Z]\w*$/;
+	    require_capability( 'IPSET_MATCH', 'Ipset names in host lists', '');
+	} else {
+	    validate_host $host, 0;
+	}
+
 	push @$new, $host;
    }

@@ -855,10 +825,6 @@ sub all_zones() {
    @zones;
 }

-sub on_firewall_zones() {
-   grep ( ( $zones{$_}{type} & ( FIREWALL | VSERVER ) )  ,  @zones );
-}
-
 sub off_firewall_zones() {
   grep ( ! ( $zones{$_}{type} & ( FIREWALL | VSERVER ) )  ,  @zones );
 }
@@ -897,9 +863,9 @@ sub is_a_bridge( $ ) {
 #
 # Transform the passed interface name into a legal shell variable name.
 #
-sub var_base($) {
-    my $var = $_[0];
-    my $name  = $basemap{$var};
+sub chain_base($) {
+    my $chain = $_[0];
+    my $name  = $basemap{$chain};
    #
    # Return existing mapping, if any
    #
@@ -907,31 +873,31 @@ sub var_base($) {
    #
    # Remember initial value
    #
-    my $key = $var;
+    my $key = $chain;
    #
    # Handle VLANs and wildcards
    #
-    $var =~ s/\+$/_plus/;
-    $var =~ tr/./_/;
+    $chain =~ s/\+$//;
+    $chain =~ tr/./_/;

-    if ( $var eq '' || $var =~ /^[0-9]/ || $var =~ /[^\w]/ ) {
+    if ( $chain eq '' || $chain =~ /^[0-9]/ || $chain =~ /[^\w]/ ) {
 	#
 	# Must map. Remove all illegal characters
 	#
-	$var =~ s/[^\w]//g;
+	$chain =~ s/[^\w]//g;
 	#
 	# Prefix with if_ if it begins with a digit
 	#
-	$var = join( '' , 'if_', $var ) if $var =~ /^[0-9]/;
+	$chain = join( '' , 'if_', $chain ) if $chain =~ /^[0-9]/;
 	#
 	# Create a new unique name
 	#
-	1 while $mapbase{$name = join ( '_', $var, ++$baseseq )};
+	1 while $mapbase{$name = join ( '_', $chain, ++$baseseq )};
    } else {
 	#
 	# We'll store the identity mapping if it is unique
 	#
-	$var = join( '_', $key , ++$baseseq ) while $mapbase{$name = $var};
+	$chain = join( '_', $key , ++$baseseq ) while $mapbase{$name = $chain};
    }
    #
    # Store the reverse mapping
@@ -943,55 +909,6 @@ sub var_base($) {
    $basemap{$key} = $name;
 }

-#
-# This is a slightly relaxed version of the above that allows '-' in the generated name.
-#
-sub var_base1($) {
-    my $var = $_[0];
-    my $name  = $basemap1{$var};
-    #
-    # Return existing mapping, if any
-    #
-    return $name if $name;
-    #
-    # Remember initial value
-    #
-    my $key = $var;
-    #
-    # Handle VLANs and wildcards
-    #
-    $var =~ s/\+$//;
-    $var =~ tr/./_/;
-
-    if ( $var eq '' || $var =~ /^[0-9]/ || $var =~ /[^-\w]/ ) {
-	#
-	# Must map. Remove all illegal characters
-	#
-	$var =~ s/[^\w]//g;
-	#
-	# Prefix with if_ if it begins with a digit
-	#
-	$var = join( '' , 'if_', $var ) if $var =~ /^[0-9]/;
-	#
-	# Create a new unique name
-	#
-	1 while $mapbase1{$name = join ( '_', $var, ++$baseseq )};
-    } else {
-	#
-	# We'll store the identity mapping if it is unique
-	#
-	$var = join( '_', $key , ++$baseseq ) while $mapbase1{$name = $var};
-    }
-    #
-    # Store the reverse mapping
-    #
-    $mapbase1{$name} = $key;
-    #
-    # Store the mapping
-    #
-    $basemap1{$key} = $name;
-}
-
 #
 # Process a record in the interfaces file
 #
@@ -1002,14 +919,24 @@ sub process_interface( $$ ) {
    my ($zone, $originalinterface, $bcasts, $options );
    my $zoneref;
    my $bridge = '';
+    our $format;

-    if ( $file_format == 1 ) {
-	($zone, $originalinterface, $bcasts, $options ) = split_line1 'interfaces file', { zone => 0, interface => 1, broadcast => 2, options => 3 };
+    if ( $format == 1 ) {
+	($zone, $originalinterface, $bcasts, $options ) = split_line1 'interfaces file', { zone => 0, interface => 1, broadcast => 2, options => 3 }, { COMMENT => 0, FORMAT => 2 };
    } else {
-	($zone, $originalinterface, $options ) = split_line1 'interfaces file', { zone => 0, interface => 1, options => 2 };
+	($zone, $originalinterface, $options ) = split_line1 'interfaces file', { zone => 0, interface => 1, options => 2 }, { COMMENT => 0, FORMAT => 2 };
 	$bcasts = '-';
    }

+    if ( $zone eq 'FORMAT' ) {
+	if ( $originalinterface =~ /^([12])$/ ) {
+	    $format = $1;
+	    return;
+	}
+
+	fatal_error "Invalid FORMAT ($originalinterface)";
+    }
+
    if ( $zone eq '-' ) {
 	$zone = '';
    } else {
@@ -1102,7 +1029,7 @@ sub process_interface( $$ ) {

    if ( $options eq 'ignore' ) {
 	fatal_error "Ignored interfaces may not be associated with a zone" if $zone;
-	$options{ignore} = NO_UPDOWN | NO_SFILTER;
+	$options{ignore} = 1;
 	$options = '-';
    }

@@ -1200,7 +1127,7 @@ sub process_interface( $$ ) {
 		    $hostoptions{broadcast} = 1;
 		} elsif ( $option eq 'sfilter' ) {
 		    $filterref = [ split_list $value, 'address' ];
-		    validate_net( $_, 0) for @{$filterref}
+		    validate_net( $_, 1) for @{$filterref}
 		} else {
 		    assert(0);
 		}
@@ -1222,27 +1149,10 @@ sub process_interface( $$ ) {
 	    }
 	}

-	fatal_error q(The 'required', 'optional' and 'ignore' options are mutually exclusive)
-	    if ( ( $options{required} && $options{optional} ) ||
-		 ( $options{required} && $options{ignore}   ) ||
-		 ( $options{optional} && $options{ignore}   ) );
-
-	if ( $options{rpfilter} ) {
-	    require_capability( 'RPFILTER_MATCH', q(The 'rpfilter' option), 's' ) ;
-	    fatal_error q(The 'routefilter', 'sfilter' and 'rpfilter' options are mutually exclusive) if $options{routefilter} || @$filterref;
-	} else {
-	    fatal_error q(The 'routefilter', 'sfilter' and 'rpfilter' options are mutually exclusive) if $options{routefilter} && @$filterref;
-	}
-
-	if ( supplied( my $ignore = $options{ignore} ) ) {
-	    fatal_error "Invalid value ignore=0" if ! $ignore;
-	} else {
-	    $options{ignore} = 0;
-	}
+	fatal_error "Invalid combination of interface options" if $options{required} && $options{optional};

 	if ( $netsref eq 'dynamic' ) {
-	    my $ipset = $family == F_IPV4 ? "${zone}" : "6_${zone}";
-	    $ipset = join( '_', $ipset, var_base1( $physical ) ) unless $zoneref->{options}{in_out}{dynamic_shared};	    
+	    my $ipset = $family == F_IPV4 ? "${zone}_" . chain_base $physical : "6_${zone}_" . chain_base $physical;
 	    $netsref = [ "+$ipset" ];
 	    $ipsets{$ipset} = 1;
 	}
@@ -1261,10 +1171,6 @@ sub process_interface( $$ ) {
 	# No options specified -- auto-detect bridge
 	#
 	$hostoptionsref->{routeback} = $options{routeback} = is_a_bridge( $physical ) unless $export;
-	#
-	# And give the 'ignore' option a defined value
-	#
-	$options{ignore} ||= 0;
    }

    $physical{$physical} = $interfaces{$interface} = { name       => $interface ,
@@ -1277,7 +1183,7 @@ sub process_interface( $$ ) {
 						       options    => \%options ,
 						       zone       => '',
 						       physical   => $physical ,
-						       base       => var_base( $physical ),
+						       base       => chain_base( $physical ),
 						       zones      => {},
 						     };

@@ -1301,11 +1207,12 @@ sub process_interface( $$ ) {
 #
 sub validate_interfaces_file( $ ) {
    my  $export = shift;
+    our $format = 1;

    my @ifaces;
    my $nextinum = 1;

-    if ( my $fn = open_file 'interfaces', 2 ) {
+    if ( my $fn = open_file 'interfaces' ) {
 	first_entry "$doing $fn...";
 	push @ifaces, process_interface( $nextinum++, $export ) while read_a_line( NORMAL_READ );
    } else {
@@ -1401,7 +1308,7 @@ sub known_interface($)
 						   name     => $i ,
 						   number   => $interfaceref->{number} ,
 						   physical => $physical ,
-						   base     => var_base( $physical ) ,
+						   base     => chain_base( $physical ) ,
 						 };
 	    }
 	}
@@ -1509,65 +1416,11 @@ sub interface_is_optional($) {
    $optionsref && $optionsref->{optional};
 }

-#
-# Return the 'required' setting of the passed interface
-#
-sub interface_is_required($) {
-    my $optionsref = $interfaces{$_[0]}{options};
-    $optionsref && $optionsref->{required};
-}
-
-#
-# Return true if the interface is 'plain'
-#
-sub interface_is_plain($) {
-    my $interfaceref = $interfaces{$_[0]};
-    my $optionsref   = $interfaceref->{options};
-
-    $interfaceref->{bridge} eq $interfaceref->{name} && ! ( $optionsref && ( $optionsref->{required} || $optionsref->{optional} || $optionsref->{ignore} ) )
-}
-
-#
-# Return a minimal list of physical interfaces that are neither ignored, optional, required nor a bridge port.
-#
-sub all_plain_interfaces() {
-    my @plain1 = map get_physical($_), grep $_ ne '%vserver%' && interface_is_plain( $_ ), @interfaces;
-    my @plain2;
-    my @wild1;
-    my @wild2;
-   
-    for ( @plain1 ) {
-	if ( /\+$/ ) {
-	    return ( '+' ) if $_ eq '+';
-	    push @wild1, $_;
-	    chop;
-	    push @wild2, $_;
-	} else {
-	    push @plain2, $_;
-	}
-    }
-
-    return @plain2 unless @wild1;
-
-    @plain1 = ();
-
-NAME:
-    for my $name ( @plain2) {
-	for ( @wild2 ) {
-	    next NAME if substr( $name, 0, length( $_ ) ) eq $_;
-	}
-
-	push @plain1, $name;
-    }
-
-    ( @plain1, @wild1 );
-}
-
 #
 # Returns reference to array of interfaces with the passed option
 #
-sub find_interfaces_by_option( $;$ ) {
-    my ( $option , $nonzero ) = @_;
+sub find_interfaces_by_option( $ ) {
+    my $option = $_[0];
    my @ints = ();

    for my $interface ( @interfaces ) {
@@ -1576,11 +1429,7 @@ sub find_interfaces_by_option( $;$ ) {
 	next unless $interfaceref->{root};

 	my $optionsref = $interfaceref->{options};
-	if ( $nonzero ) {
-	    if ( $optionsref && $optionsref->{$option} ) {
-		push @ints , $interface
-	    }
-	} elsif ( $optionsref && defined $optionsref->{$option} ) {
+	if ( $optionsref && defined $optionsref->{$option} ) {
 	    push @ints , $interface
 	}
    }
@@ -1691,16 +1540,16 @@ sub verify_required_interfaces( $ ) {
 		my $physical = get_physical $interface;

 		if ( $physical =~ /\+$/ ) {
+		    my $base = uc chain_base $physical;
+
 		    $physical =~ s/\+$/*/;

-		    emit( "waittime=$wait",
-			  '',
-			  'for interface in $(find_all_interfaces); do',
+		    emit( 'for interface in $(find_all_interfaces); do',
 			  '    case $interface in',
 			  "        $physical)",
+			  "            waittime=$wait",
 			  '            while [ $waittime -gt 0 ]; do',
 			  '                interface_is_usable $interface && break',
-			  '                sleep 1',
 			  '                waittime=$(($waittime - 1))',
 			  '            done',
 			  '            ;;',
@@ -1713,8 +1562,8 @@ sub verify_required_interfaces( $ ) {
 		    emit qq(    waittime=$wait);
 		    emit  '';
 		    emit  q(    while [ $waittime -gt 0 ]; do);
-		    emit  q(        sleep 1);
 		    emit qq(        interface_is_usable $physical && break);
+		    emit  q(        sleep 1);
 		    emit   '        waittime=$(($waittime - 1))';
 		    emit  q(    done);
 		    emit  q(fi);
@@ -1748,7 +1597,7 @@ sub verify_required_interfaces( $ ) {
 	    my $physical = get_physical $interface;

 	    if ( $physical =~ /\+$/ ) {
-		my $base = uc var_base $physical;
+		my $base = uc chain_base $physical;

 		$physical =~ s/\+$/*/;

@@ -1785,12 +1634,181 @@ sub verify_required_interfaces( $ ) {
    $returnvalue;
 }

+#
+# Emit the updown() function
+#
+sub compile_updown() {
+    emit( '',
+	  '#',
+	  '# Handle the "up" and "down" commands',
+	  '#',
+	  'updown() # $1 = interface',
+	  '{',
+	);
+
+    push_indent;
+
+    emit( 'local state',
+	  'state=cleared',
+	  '' );
+
+    emit 'progress_message3 "$g_product $COMMAND triggered by $1"';
+    emit '';
+
+    if ( $family == F_IPV4 ) {
+	emit 'if shorewall_is_started; then';
+    } else {
+	emit 'if shorewall6_is_started; then';
+    }
+
+    emit( '    state=started',
+	  'elif [ -f ${VARDIR}/state ]; then',
+	  '    case "$(cat ${VARDIR}/state)" in',
+	  '        Stopped*)',
+	  '            state=stopped',
+	  '            ;;',
+	  '        Cleared*)',
+	  '            ;;',
+	  '        *)',
+	  '            state=unknown',
+	  '            ;;',
+	  '    esac',
+	  'else',
+	  '    state=unknown',
+	  'fi',
+	  ''
+	);
+
+    emit( 'case $1 in' );
+
+    push_indent;
+
+    my $ignore   = find_interfaces_by_option 'ignore';
+    my $required = find_interfaces_by_option 'required';
+    my $optional = find_interfaces_by_option 'optional';
+
+    if ( @$ignore ) {
+	my $interfaces = join '|', map $interfaces{$_}->{physical}, @$ignore;
+
+	$interfaces =~ s/\+/*/g;
+
+	emit( "$interfaces)",
+	      '    progress_message3 "$COMMAND on interface $1 ignored"',
+	      '    exit 0',
+	      '    ;;'
+	    );
+    }
+
+    if ( @$required ) {
+	my $interfaces = join '|', map $interfaces{$_}->{physical}, @$required;
+
+	my $wildcard = ( $interfaces =~ s/\+/*/g );
+
+	emit( "$interfaces)",
+	      '    if [ "$COMMAND" = up ]; then' );
+
+	if ( $wildcard ) {
+	    emit( '        if [ "$state" = started ]; then',
+		  '            COMMAND=restart',
+		  '        else',
+		  '            COMMAND=start',
+		  '        fi' );
+	} else {
+	    emit( '        COMMAND=start' );
+	}
+
+	emit( '        progress_message3 "$g_product attempting $COMMAND"',
+	      '        detect_configuration',
+	      '        define_firewall' );
+
+	if ( $wildcard ) {
+	    emit( '    elif [ "$state" = started ]; then',
+		  '        progress_message3 "$g_product attempting restart"',
+		  '        COMMAND=restart',
+		  '        detect_configuration',
+		  '        define_firewall' );
+	} else {
+	    emit( '    else',
+		  '        COMMAND=stop',
+		  '        progress_message3 "$g_product attempting stop"',
+		  '        detect_configuration',
+		  '        stop_firewall' );
+	}
+
+	emit( '    fi',
+	      '    ;;'
+	    );
+    }
+
+    if ( @$optional ) {
+	my @interfaces = map $interfaces{$_}->{physical}, @$optional;
+	my $interfaces = join '|', @interfaces;
+
+	if ( $interfaces =~ s/\+/*/g || @interfaces > 1 ) {
+	    emit( "$interfaces)",
+		  '    if [ "$COMMAND" = up ]; then',
+		  '        echo 0 > ${VARDIR}/${1}.state',
+		  '    else',
+		  '        echo 1 > ${VARDIR}/${1}.state',
+		  '    fi' );
+	} else {
+	    emit( "$interfaces)",
+		  '    if [ "$COMMAND" = up ]; then',
+		  "        echo 0 > \${VARDIR}/$interfaces.state",
+		  '    else',
+		  "        echo 1 > \${VARDIR}/$interfaces.state",
+		  '    fi' );
+	}
+
+	emit( '',
+	      '    if [ "$state" = started ]; then',
+	      '        COMMAND=restart',
+	      '        progress_message3 "$g_product attempting restart"',
+	      '        detect_configuration',
+	      '        define_firewall',
+	      '    elif [ "$state" = stopped ]; then',
+	      '        COMMAND=start',
+	      '        progress_message3 "$g_product attempting start"',
+	      '        detect_configuration',
+	      '        define_firewall',
+	      '    else',
+	      '        progress_message3 "$COMMAND on interface $1 ignored"',
+	      '    fi',
+	      '    ;;',
+	    );
+    }
+
+    emit( "*)",
+	  '    case $state in',
+	  '        started)',
+	  '            COMMAND=restart',
+	  '            progress_message3 "$g_product attempting restart"',
+	  '            detect_configuration',
+	  '            define_firewall',
+	  '            ;;',
+	  '        *)',
+	  '            progress_message3 "$COMMAND on interface $1 ignored"',
+	  '            ;;',
+	  '    esac',
+	);
+
+    pop_indent;
+
+    emit( 'esac' );
+
+    pop_indent;
+
+    emit( '}',
+	  '',
+	);
+}
+
 #
 # Process a record in the hosts file
 #
 sub process_host( ) {
    my $ipsec = 0;
-    my ($zone, $hosts, $options ) = split_line1 'hosts file', { zone => 0, host => 1, hosts => 1, options => 2 }, {}, 3;
+    my ($zone, $hosts, $options ) = split_line 'hosts file', { zone => 0, hosts => 1, options => 2 };

    fatal_error 'ZONE must be specified'  if $zone eq '-';
    fatal_error 'HOSTS must be specified' if $hosts eq '-';
@@ -1812,8 +1830,7 @@ sub process_host( ) {
 	    fatal_error "Invalid HOST(S) column contents: $hosts";
 	}
    } elsif ( $hosts =~ /^([\w.@%-]+\+?):<(.*)>$/   ||
-	      $hosts =~ /^([\w.@%-]+\+?)\[(.*)\]$/              ||
-	      $hosts =~ /^([\w.@%-]+\+?):(!?\[.+\](?:\/\d+)?)$/ ||
+	      $hosts =~ /^([\w.@%-]+\+?):\[(.*)\]$/ ||
 	      $hosts =~ /^([\w.@%-]+\+?):(!?\+.*)$/   ||
 	      $hosts =~ /^([\w.@%-]+\+?):(dynamic)$/ ) {
 	$interface = $1;
@@ -1854,7 +1871,6 @@ sub process_host( ) {
 	    } elsif ( $option eq 'norfc1918' ) {
 		warning_message "The 'norfc1918' host option is no longer supported"
 	    } elsif ( $option eq 'blacklist' ) {
-		warning_message "The 'blacklist' option is deprecated";
 		$zoneref->{options}{in}{blacklist} = 1;
 	    } elsif ( $option =~ /^mss=(\d+)$/ ) {
 		fatal_error "Invalid mss ($1)" unless $1 >= 500;
@@ -1891,14 +1907,8 @@ sub process_host( ) {
    if ( $hosts eq 'dynamic' ) {
 	fatal_error "Vserver zones may not be dynamic" if $type & VSERVER;
 	require_capability( 'IPSET_MATCH', 'Dynamic nets', '');
-
-	my $set = $family == F_IPV4 ? "${zone}" : "6_${zone}";
-	
-	unless ( $zoneref->{options}{in_out}{dynamic_shared} ) {
-	    my $physical = var_base1( physical_name $interface );
-	    $set = join( '_', $set, $physical );
-	}
-
+	my $physical = chain_base( physical_name $interface );
+	my $set      = $family == F_IPV4 ? "${zone}_${physical}" : "6_${zone}_${physical}";
 	$hosts = "+$set";
 	$optionsref->{dynamic} = 1;
 	$ipsets{$set} = 1;
--- a/Shorewall/Perl/compiler.pl
+++ b/Shorewall/Perl/compiler.pl
@@ -37,8 +37,7 @@
 #         --log_verbosity=<number>    # Log Verbosity range -1 to 2
 #         --family=<number>           # IP family; 4 = IPv4 (default), 6 = IPv6
 #         --preview                   # Preview the ruleset.
-#         --shorewallrc=<path>        # Path to global shorewallrc file.
-#         --shorewallrc1=<path>       # Path to export shorewallrc file.
+#         --shorewallrc=<path>        # Path to shorewallrc file.
 #         --config_path=<path-list>   # Search path for config files
 #
 use strict;
@@ -67,9 +66,7 @@ sub usage( $ ) {
    [ --annotate ]
    [ --update ]
    [ --convert ]
-    [ --directives ]
    [ --shorewallrc=<pathname> ]
-    [ --shorewallrc1=<pathname> ]
    [ --config_path=<path-list> ]
 ';

@@ -95,10 +92,8 @@ my $preview       = 0;
 my $annotate      = 0;
 my $update        = 0;
 my $convert       = 0;
-my $directives    = 0;
 my $config_path   = '';
 my $shorewallrc   = '';
-my $shorewallrc1  = '';

 Getopt::Long::Configure ('bundling');

@@ -126,14 +121,11 @@ my $result = GetOptions('h'               => \$help,
 			'confess'         => \$confess,
 			'a'               => \$annotate,
 			'annotate'        => \$annotate,
-			'directives'      => \$directives,
-			'D'               => \$directives,
 			'u'               => \$update,
 			'update'          => \$update,
 			'convert'         => \$convert,
 			'config_path=s'   => \$config_path,
 			'shorewallrc=s'   => \$shorewallrc,
-			'shorewallrc1=s'  => \$shorewallrc1,
 		       );

 usage(1) unless $result && @ARGV < 2;
@@ -155,8 +147,6 @@ compiler( script          => $ARGV[0] || '',
 	  update          => $update,
 	  convert         => $convert,
 	  annotate        => $annotate,
-	  directives      => $directives,
 	  config_path     => $config_path,
-	  shorewallrc     => $shorewallrc,
-	  shorewallrc1    => $shorewallrc1,
+	  shorewallrc     => $shorewallrc
 	);
--- a/Shorewall/Perl/getparams
+++ b/Shorewall/Perl/getparams
@@ -25,12 +25,12 @@
 #
 #      $1 = Path name of params file
 #      $2 = $CONFIG_PATH
-#      $3 = Address family (4 or 6)
+#      $3 = Address family (4 o4 6)
 #
 if [ "$3" = 6 ]; then
-    PRODUCT=shorewall6
+    g_program=shorewall6
 else
-    PRODUCT=shorewall
+    g_program=shorewall
 fi

 #
@@ -38,9 +38,11 @@ fi
 #
 . /usr/share/shorewall/shorewallrc

-g_program=$PRODUCT
-g_sharedir="$SHAREDIR/shorewall"
-g_confdir="$CONFDIR/$PRODUCT"
+g_libexec="$LIBEXECDIR"
+g_sharedir="$SHAREDIR"/shorewall
+g_sbindir="$SBINDIR"
+g_perllib="$PERLLIBDIR"
+g_confdir="$CONFDIR"/shorewall
 g_readrc=1

 . $g_sharedir/lib.cli
--- a/Shorewall/Perl/prog.footer
+++ b/Shorewall/Perl/prog.footer
@@ -33,9 +33,9 @@ usage() {
 }

 checkkernelversion() {
-?if __IPV6
    local kernel

+    if [ $g_family -eq 6 ]; then
 	kernel=$(uname -r 2> /dev/null | sed -e 's/-.*//')

 	case "$kernel" in
@@ -51,7 +51,7 @@ checkkernelversion() {
 	    error_message "ERROR: $g_product requires Linux kernel 2.6.24 or later"
 	    return 1
 	fi
-?endif
+    fi

    return 0
 }
@@ -348,9 +348,7 @@ case "$COMMAND" in
 	[ $# -eq 1 ] && exit 0
 	shift
 	[ $# -ne 1 ] && usage 2
-	mutex_on
-	( updown $1 )
-	mutex_off
+	updown $1
 	status=0
 	;;
    enable)
--- a/Shorewall/Samples/Universal/interfaces
+++ b/Shorewall/Samples/Universal/interfaces
@@ -7,7 +7,7 @@
 # http://www.shorewall.net/manpages/shorewall-interfaces.html
 #
 ###############################################################################
-?FORMAT 2
+FORMAT 2
 ###############################################################################
 #ZONE	INTERFACE	OPTIONS
 -	lo		ignore
--- a/Shorewall/Samples/Universal/rules
+++ b/Shorewall/Samples/Universal/rules
@@ -6,15 +6,13 @@
 # The manpage is also online at
 # http://www.shorewall.net/manpages/shorewall-rules.html
 #
-######################################################################################################################################################################################################
-#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME		HEADERS		SWITCH		HELPER
+###################################################################################################################################################################################
+#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME         HEADERS         SWITCH
 #							PORT	PORT(S)		DEST		LIMIT		GROUP
 #SECTION ALL
 #SECTION ESTABLISHED
 #SECTION RELATED
-#SECTION INVALID
-#SECTION UNTRACKED
 SECTION NEW
-Invalid(DROP)	net		$FW		tcp
+
 SSH(ACCEPT)	net		$FW
 Ping(ACCEPT)	net		$FW
--- a/Shorewall/Samples/Universal/shorewall.conf
+++ b/Shorewall/Samples/Universal/shorewall.conf
@@ -23,8 +23,6 @@ VERBOSITY=1

 BLACKLIST_LOGLEVEL=

-INVALID_LOG_LEVEL=
-
 LOG_MARTIANS=Yes

 LOG_VERBOSITY=2
@@ -43,8 +41,6 @@ MACLIST_LOG_LEVEL=info

 RELATED_LOG_LEVEL=

-RPFILTER_LOG_LEVEL=info
-
 SFILTER_LOG_LEVEL=info

 SMURF_LOG_LEVEL=info
@@ -53,18 +49,12 @@ STARTUP_LOG=/var/log/shorewall-init.log

 TCP_FLAGS_LOG_LEVEL=info

-UNTRACKED_LOG_LEVEL=
-
 ###############################################################################
 #	L O C A T I O N	  O F	F I L E S   A N D   D I R E C T O R I E S
 ###############################################################################

-ARPTABLES=
-
 CONFIG_PATH=${CONFDIR}/shorewall:${SHAREDIR}/shorewall

-GEOIPDIR=/usr/share/xt_geoip/LE
-
 IPTABLES=

 IP=
@@ -75,8 +65,6 @@ LOCKFILE=

 MODULESDIR=

-NFACCT=
-
 PERL=/usr/bin/perl

 PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
@@ -120,15 +108,11 @@ ADD_SNAT_ALIASES=No

 ADMINISABSENTMINDED=Yes

-IGNOREUNKNOWNVARIABLES=No
-
-AUTOCOMMENT=Yes
-
-AUTOHELPERS=Yes
+AUTO_COMMENT=Yes

 AUTOMAKE=No

-BLACKLIST="NEW,INVALID,UNTRACKED"
+BLACKLISTNEWONLY=Yes

 CLAMPMSS=No

@@ -136,8 +120,6 @@ CLEAR_TC=Yes

 COMPLETE=Yes

-DEFER_DNS_RESOLUTION=Yes
-
 DISABLE_IPV6=No

 DELETE_THEN_ADD=Yes
@@ -156,8 +138,6 @@ FASTACCEPT=Yes

 FORWARD_CLEAR_MARK=

-HELPERS=
-
 IMPLICIT_CONTINUE=No

 IPSET_WARNINGS=Yes
@@ -188,7 +168,7 @@ MUTEX_TIMEOUT=60

 NULL_ROUTE_RFC1918=No

-OPTIMIZE=31
+OPTIMIZE=15

 OPTIMIZE_ACCOUNTING=No

@@ -196,14 +176,10 @@ REQUIRE_INTERFACE=Yes

 RESTORE_DEFAULT_ROUTE=Yes

-RESTORE_ROUTEMARKS=Yes
-
 RETAIN_ALIASES=No

 ROUTE_FILTER=No

-SAVE_ARPTABLES=No
-
 SAVE_IPSETS=No

 TC_ENABLED=Internal
@@ -218,8 +194,6 @@ USE_DEFAULT_RT=No

 USE_PHYSICAL_NAMES=No

-WARNOLDCAPVERSION=Yes
-
 ZONE2ZONE=2

 ###############################################################################
@@ -228,22 +202,16 @@ ZONE2ZONE=2

 BLACKLIST_DISPOSITION=DROP

-INVALID_DISPOSITION=CONTINUE
-
 MACLIST_DISPOSITION=REJECT

 RELATED_DISPOSITION=ACCEPT

-RPFILTER_DISPOSITION=DROP
-
 SMURF_DISPOSITION=DROP

 SFILTER_DISPOSITION=DROP

 TCP_FLAGS_DISPOSITION=DROP

-UNTRACKED_DISPOSITION=CONTINUE
-
 ################################################################################
 #			P A C K E T  M A R K  L A Y O U T
 ################################################################################
--- a/Shorewall/Samples/one-interface/interfaces
+++ b/Shorewall/Samples/one-interface/interfaces
@@ -11,7 +11,7 @@
 #------------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall-interfaces"
 ###############################################################################
-?FORMAT 2
+FORMAT 2
 ###############################################################################
 #ZONE	INTERFACE	OPTIONS
-net     eth0            dhcp,tcpflags,logmartians,nosmurfs,sourceroute=0
+net     eth0            dhcp,tcpflags,logmartians,nosmurfs
--- a/Shorewall/Samples/one-interface/rules
+++ b/Shorewall/Samples/one-interface/rules
@@ -10,20 +10,14 @@
 # See the file README.txt for further details.
 #------------------------------------------------------------------------------------------------------------
 # For information on entries in this file, type "man shorewall-rules"
-######################################################################################################################################################################################################
-#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME		HEADERS		SWITCH		HELPER
+######################################################################################################################################################################################
+#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME         HEADERS         SWITCH
 #							PORT	PORT(S)		DEST		LIMIT		GROUP
 #SECTION ALL
 #SECTION ESTABLISHED
 #SECTION RELATED
-#SECTION INVALID
-#SECTION UNTRACKED
 SECTION NEW

-# Drop packets in the INVALID state
-
-Invalid(DROP)  net    	        $FW		tcp
-
 # Drop Ping from the "bad" net zone.. and prevent your log from being flooded..

 Ping(DROP)	net		$FW
--- a/Shorewall/Samples/one-interface/shorewall.conf
+++ b/Shorewall/Samples/one-interface/shorewall.conf
@@ -34,8 +34,6 @@ VERBOSITY=1

 BLACKLIST_LOGLEVEL=

-INVALID_LOG_LEVEL=
-
 LOG_MARTIANS=Yes

 LOG_VERBOSITY=2
@@ -54,8 +52,6 @@ MACLIST_LOG_LEVEL=info

 RELATED_LOG_LEVEL=

-RPFILTER_LOG_LEVEL=info
-
 SFILTER_LOG_LEVEL=info

 SMURF_LOG_LEVEL=info
@@ -64,18 +60,12 @@ STARTUP_LOG=/var/log/shorewall-init.log

 TCP_FLAGS_LOG_LEVEL=info

-UNTRACKED_LOG_LEVEL=
-
 ###############################################################################
 #	L O C A T I O N	  O F	F I L E S   A N D   D I R E C T O R I E S
 ###############################################################################

-ARPTABLES=
-
 CONFIG_PATH=${CONFDIR}/shorewall:${SHAREDIR}/shorewall

-GEOIPDIR=/usr/share/xt_geoip/LE
-
 IPTABLES=

 IP=
@@ -86,8 +76,6 @@ LOCKFILE=

 MODULESDIR=

-NFACCT=
-
 PERL=/usr/bin/perl

 PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
@@ -131,15 +119,11 @@ ADD_SNAT_ALIASES=No

 ADMINISABSENTMINDED=Yes

-IGNOREUNKNOWNVARIABLES=No
-
-AUTOCOMMENT=Yes
-
-AUTOHELPERS=Yes
+AUTO_COMMENT=Yes

 AUTOMAKE=No

-BLACKLIST="NEW,INVALID,UNTRACKED"
+BLACKLISTNEWONLY=Yes

 CLAMPMSS=No

@@ -147,8 +131,6 @@ CLEAR_TC=Yes

 COMPLETE=No

-DEFER_DNS_RESOLUTION=Yes
-
 DISABLE_IPV6=No

 DELETE_THEN_ADD=Yes
@@ -167,8 +149,6 @@ FASTACCEPT=No

 FORWARD_CLEAR_MARK=

-HELPERS=
-
 IMPLICIT_CONTINUE=No

 IPSET_WARNINGS=Yes
@@ -199,7 +179,7 @@ MUTEX_TIMEOUT=60

 NULL_ROUTE_RFC1918=No

-OPTIMIZE=31
+OPTIMIZE=1

 OPTIMIZE_ACCOUNTING=No

@@ -207,14 +187,10 @@ REQUIRE_INTERFACE=No

 RESTORE_DEFAULT_ROUTE=Yes

-RESTORE_ROUTEMARKS=Yes
-
 RETAIN_ALIASES=No

 ROUTE_FILTER=No

-SAVE_ARPTABLES=No
-
 SAVE_IPSETS=No

 TC_ENABLED=Internal
@@ -229,8 +205,6 @@ USE_DEFAULT_RT=No

 USE_PHYSICAL_NAMES=No

-WARNOLDCAPVERSION=Yes
-
 ZONE2ZONE=2

 ###############################################################################
@@ -239,22 +213,16 @@ ZONE2ZONE=2

 BLACKLIST_DISPOSITION=DROP

-INVALID_DISPOSITION=CONTINUE
-
 MACLIST_DISPOSITION=REJECT

 RELATED_DISPOSITION=ACCEPT

-RPFILTER_DISPOSITION=DROP
-
 SMURF_DISPOSITION=DROP

 SFILTER_DISPOSITION=DROP

 TCP_FLAGS_DISPOSITION=DROP

-UNTRACKED_DISPOSITION=CONTINUE
-
 ################################################################################
 #			P A C K E T  M A R K  L A Y O U T
 ################################################################################
--- a/Shorewall/Samples/three-interfaces/interfaces
+++ b/Shorewall/Samples/three-interfaces/interfaces
@@ -11,9 +11,9 @@
 #------------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall-interfaces"
 ###############################################################################
-?FORMAT 2
+FORMAT 2
 ###############################################################################
 #ZONE	INTERFACE	OPTIONS
-net     eth0            tcpflags,dhcp,nosmurfs,routefilter,logmartians,sourceroute=0
+net     eth0            tcpflags,dhcp,nosmurfs,routefilter,logmartians
 loc     eth1            tcpflags,nosmurfs,routefilter,logmartians
 dmz     eth2            tcpflags,nosmurfs,routefilter,logmartians
--- a/Shorewall/Samples/three-interfaces/masq
+++ b/Shorewall/Samples/three-interfaces/masq
@@ -10,9 +10,8 @@
 # See the file README.txt for further details.
 #------------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall-masq"
-################################################################################################################
-#INTERFACE:DEST		SOURCE		ADDRESS		PROTO	PORT(S)	IPSEC	MARK	USER/	SWITCH	ORIGINAL
-#											GROUP		DEST
+##############################################################################
+#INTERFACE		SOURCE		ADDRESS		PROTO	PORT(S)	IPSEC	MARK
 eth0			10.0.0.0/8,\
 			169.254.0.0/16,\
 			172.16.0.0/12,\
--- a/Shorewall/Samples/three-interfaces/routestopped
+++ b/Shorewall/Samples/three-interfaces/routestopped
@@ -1,6 +1,6 @@
 #
-# Shorewall6 version 4.5 Sample Stoppedrules File for two-interface configuration.
-# Copyright (C) 2012 by the Shorewall Team
+# Shorewall version 4.0 - Sample Routestopped File for three-interface configuration.
+# Copyright (C) 2006 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public
@@ -9,9 +9,8 @@
 #
 # See the file README.txt for further details.
 #------------------------------------------------------------------------------
-# For information about entries in this file, type "man shorewall-stoppedrules"
-###############################################################################
-#ACTION		SOURCE		DEST		PROTO	DEST		SOURCE
-#							PORT(S)		PORT(S)
-ACCEPT		eth1		-
-ACCEPT		-		eth1
+# For information about entries in this file, type "man shorewall-routestopped"
+##############################################################################
+#INTERFACE	HOST(S)
+eth1		-
+eth2		-
--- a/Shorewall/Samples/three-interfaces/rules
+++ b/Shorewall/Samples/three-interfaces/rules
@@ -10,19 +10,17 @@
 # See the file README.txt for further details.
 #------------------------------------------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall-rules"
-######################################################################################################################################################################################################
-#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME		HEADERS		SWITCH		HELPER
+######################################################################################################################################################################################
+#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME         HEADERS         SWITCH
 #							PORT	PORT(S)		DEST		LIMIT		GROUP
 #SECTION ALL
 #SECTION ESTABLISHED
 #SECTION RELATED
-#SECTION INVALID
-#SECTION UNTRACKED
 SECTION NEW

 #       Don't allow connection pickup from the net
 #
-Invalid(DROP)	net		all		tcp
+Invalid(DROP)	net		all
 #
 #	Accept DNS connections from the firewall to the Internet
 #
--- a/Shorewall/Samples/three-interfaces/shorewall.conf
+++ b/Shorewall/Samples/three-interfaces/shorewall.conf
@@ -32,8 +32,6 @@ VERBOSITY=1

 BLACKLIST_LOGLEVEL=

-INVALID_LOG_LEVEL=
-
 LOG_MARTIANS=Yes

 LOG_VERBOSITY=2
@@ -52,8 +50,6 @@ MACLIST_LOG_LEVEL=info

 RELATED_LOG_LEVEL=

-RPFILTER_LOG_LEVEL=info
-
 SFILTER_LOG_LEVEL=info

 SMURF_LOG_LEVEL=info
@@ -62,18 +58,12 @@ STARTUP_LOG=/var/log/shorewall-init.log

 TCP_FLAGS_LOG_LEVEL=info

-UNTRACKED_LOG_LEVEL=
-
 ###############################################################################
 #	L O C A T I O N	  O F	F I L E S   A N D   D I R E C T O R I E S
 ###############################################################################

-ARPTABLES=
-
 CONFIG_PATH=${CONFDIR}/shorewall:${SHAREDIR}/shorewall

-GEOIPDIR=/usr/share/xt_geoip/LE
-
 IPTABLES=

 IP=
@@ -84,8 +74,6 @@ LOCKFILE=

 MODULESDIR=

-NFACCT=
-
 PERL=/usr/bin/perl

 PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
@@ -129,15 +117,11 @@ ADD_SNAT_ALIASES=No

 ADMINISABSENTMINDED=Yes

-IGNOREUNKNOWNVARIABLES=No
-
-AUTOCOMMENT=Yes
-
-AUTOHELPERS=Yes
+AUTO_COMMENT=Yes

 AUTOMAKE=No

-BLACKLIST="NEW,INVALID,UNTRACKED"
+BLACKLISTNEWONLY=Yes

 CLAMPMSS=Yes

@@ -145,8 +129,6 @@ CLEAR_TC=Yes

 COMPLETE=No

-DEFER_DNS_RESOLUTION=Yes
-
 DISABLE_IPV6=No

 DELETE_THEN_ADD=Yes
@@ -165,8 +147,6 @@ FASTACCEPT=No

 FORWARD_CLEAR_MARK=

-HELPERS=
-
 IMPLICIT_CONTINUE=No

 IPSET_WARNINGS=Yes
@@ -197,7 +177,7 @@ MUTEX_TIMEOUT=60

 NULL_ROUTE_RFC1918=No

-OPTIMIZE=31
+OPTIMIZE=1

 OPTIMIZE_ACCOUNTING=No

@@ -205,14 +185,10 @@ REQUIRE_INTERFACE=No

 RESTORE_DEFAULT_ROUTE=Yes

-RESTORE_ROUTEMARKS=Yes
-
 RETAIN_ALIASES=No

 ROUTE_FILTER=No

-SAVE_ARPTABLES=No
-
 SAVE_IPSETS=No

 TC_ENABLED=Internal
@@ -227,8 +203,6 @@ USE_DEFAULT_RT=No

 USE_PHYSICAL_NAMES=No

-WARNOLDCAPVERSION=Yes
-
 ZONE2ZONE=2

 ###############################################################################
@@ -237,22 +211,16 @@ ZONE2ZONE=2

 BLACKLIST_DISPOSITION=DROP

-INVALID_DISPOSITION=CONTINUE
-
 MACLIST_DISPOSITION=REJECT

 RELATED_DISPOSITION=ACCEPT

-RPFILTER_DISPOSITION=DROP
-
 SMURF_DISPOSITION=DROP

 SFILTER_DISPOSITION=DROP

 TCP_FLAGS_DISPOSITION=DROP

-UNTRACKED_DISPOSITION=CONTINUE
-
 ################################################################################
 #			P A C K E T  M A R K  L A Y O U T
 ################################################################################
--- a/Shorewall/Samples/two-interfaces/interfaces
+++ b/Shorewall/Samples/two-interfaces/interfaces
@@ -11,8 +11,8 @@
 #------------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall-interfaces"
 ###############################################################################
-?FORMAT 2
+FORMAT 2
 ###############################################################################
 #ZONE	INTERFACE	OPTIONS
-net     eth0            dhcp,tcpflags,nosmurfs,routefilter,logmartians,sourceroute=0
+net     eth0            dhcp,tcpflags,nosmurfs,routefilter,logmartians
 loc     eth1            tcpflags,nosmurfs,routefilter,logmartians
--- a/Shorewall/Samples/two-interfaces/masq
+++ b/Shorewall/Samples/two-interfaces/masq
@@ -10,9 +10,8 @@
 # See the file README.txt for further details.
 #------------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall-masq"
-################################################################################################################
-#INTERFACE:DEST		SOURCE		ADDRESS		PROTO	PORT(S)	IPSEC	MARK	USER/	SWITCH	ORIGINAL
-#											GROUP		DEST
+###############################################################################
+#INTERFACE		SOURCE		ADDRESS		PROTO	PORT(S)	IPSEC	MARK
 eth0			10.0.0.0/8,\
 			169.254.0.0/16,\
 			172.16.0.0/12,\
--- a/Shorewall/Samples/two-interfaces/routestopped
+++ b/Shorewall/Samples/two-interfaces/routestopped
@@ -1,6 +1,6 @@
 #
-# Shorewall version 4.5 - Sample Stoppedrules File for two-interface configuration.
-# Copyright (C) 2012 by the Shorewall Team
+# Shorewall version 4.0 - Sample Routestopped File for two-interface configuration.
+# Copyright (C) 2006 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public
@@ -9,9 +9,7 @@
 #
 # See the file README.txt for further details.
 #------------------------------------------------------------------------------
-# For information about entries in this file, type "man shorewall-stoppedrules"
-###############################################################################
-#ACTION		SOURCE		DEST		PROTO	DEST		SOURCE
-#							PORT(S)		PORT(S)
-ACCEPT		eth1		-
-ACCEPT		-		eth1
+# For information about entries in this file, type "man shorewall-routestopped"
+##############################################################################
+#INTERFACE	HOST(S)                  OPTIONS
+eth1		-
--- a/Shorewall/Samples/two-interfaces/rules
+++ b/Shorewall/Samples/two-interfaces/rules
@@ -10,19 +10,17 @@
 # See the file README.txt for further details.
 #------------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall-rules"
-######################################################################################################################################################################################################
-#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME		HEADERS		SWITCH		HELPER
+######################################################################################################################################################################################
+#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME         HEADERS         SWITCH
 #							PORT	PORT(S)		DEST		LIMIT		GROUP
 #SECTION ALL
 #SECTION ESTABLISHED
 #SECTION RELATED
-#SECTION INVALID
-#SECTION UNTRACKED
 SECTION NEW

 #       Don't allow connection pickup from the net
 #
-Invalid(DROP)	net		all		tcp
+Invalid(DROP)	net		all
 #
 #	Accept DNS connections from the firewall to the network
 #
--- a/Shorewall/Samples/two-interfaces/shorewall.conf
+++ b/Shorewall/Samples/two-interfaces/shorewall.conf
@@ -35,8 +35,6 @@ VERBOSITY=1

 BLACKLIST_LOGLEVEL=

-INVALID_LOG_LEVEL=
-
 LOG_MARTIANS=Yes

 LOG_VERBOSITY=2
@@ -55,8 +53,6 @@ MACLIST_LOG_LEVEL=info

 RELATED_LOG_LEVEL=

-RPFILTER_LOG_LEVEL=info
-
 SFILTER_LOG_LEVEL=info

 SMURF_LOG_LEVEL=info
@@ -65,18 +61,12 @@ STARTUP_LOG=/var/log/shorewall-init.log

 TCP_FLAGS_LOG_LEVEL=info

-UNTRACKED_LOG_LEVEL=
-
 ###############################################################################
 #	L O C A T I O N	  O F	F I L E S   A N D   D I R E C T O R I E S
 ###############################################################################

-ARPTABLES=
-
 CONFIG_PATH=${CONFDIR}/shorewall:${SHAREDIR}/shorewall

-GEOIPDIR=/usr/share/xt_geoip/LE
-
 IPTABLES=

 IP=
@@ -87,8 +77,6 @@ LOCKFILE=

 MODULESDIR=

-NFACCT=
-
 PERL=/usr/bin/perl

 PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
@@ -132,15 +120,11 @@ ADD_SNAT_ALIASES=No

 ADMINISABSENTMINDED=Yes

-IGNOREUNKNOWNVARIABLES=No
-
-AUTOCOMMENT=Yes
-
-AUTOHELPERS=Yes
+AUTO_COMMENT=Yes

 AUTOMAKE=No

-BLACKLIST="NEW,INVALID,UNTRACKED"
+BLACKLISTNEWONLY=Yes

 CLAMPMSS=Yes

@@ -148,8 +132,6 @@ CLEAR_TC=Yes

 COMPLETE=No

-DEFER_DNS_RESOLUTION=Yes
-
 DISABLE_IPV6=No

 DELETE_THEN_ADD=Yes
@@ -168,8 +150,6 @@ FASTACCEPT=No

 FORWARD_CLEAR_MARK=

-HELPERS=
-
 IMPLICIT_CONTINUE=No

 IPSET_WARNINGS=Yes
@@ -200,7 +180,7 @@ MUTEX_TIMEOUT=60

 NULL_ROUTE_RFC1918=No

-OPTIMIZE=31
+OPTIMIZE=1

 OPTIMIZE_ACCOUNTING=No

@@ -208,14 +188,10 @@ REQUIRE_INTERFACE=No

 RESTORE_DEFAULT_ROUTE=Yes

-RESTORE_ROUTEMARKS=Yes
-
 RETAIN_ALIASES=No

 ROUTE_FILTER=No

-SAVE_ARPTABLES=No
-
 SAVE_IPSETS=No

 TC_ENABLED=Internal
@@ -230,8 +206,6 @@ USE_DEFAULT_RT=No

 USE_PHYSICAL_NAMES=No

-WARNOLDCAPVERSION=Yes
-
 ZONE2ZONE=2

 ###############################################################################
@@ -240,22 +214,16 @@ ZONE2ZONE=2

 BLACKLIST_DISPOSITION=DROP

-INVALID_DISPOSITION=CONTINUE
-
 MACLIST_DISPOSITION=REJECT

 RELATED_DISPOSITION=ACCEPT

-RPFILTER_DISPOSITION=DROP
-
 SMURF_DISPOSITION=DROP

 SFILTER_DISPOSITION=DROP

 TCP_FLAGS_DISPOSITION=DROP

-UNTRACKED_DISPOSITION=CONTINUE
-
 ################################################################################
 #			P A C K E T  M A R K  L A Y O U T
 ################################################################################
--- a/Shorewall/action.Broadcast
+++ b/Shorewall/action.Broadcast
@@ -27,11 +27,11 @@
 #       Default action is DROP
 #
 ##########################################################################################
-?FORMAT 2
+FORMAT 2

 DEFAULTS DROP,-

-?BEGIN PERL;
+BEGIN PERL;

 use Shorewall::IPAddrs;
 use Shorewall::Config;
@@ -43,7 +43,6 @@ fatal_error "Invalid parameter ($audit) to action Broadcast"   if supplied $audi
 fatal_error "Invalid parameter ($action) to action Broadcast"  unless $action =~ /^(?:ACCEPT|DROP|REJECT)$/;

 my $chainref           = get_action_chain;
-
 my ( $level, $tag )    = get_action_logging;
 my $target             = require_audit ( $action , $audit );

@@ -71,4 +70,4 @@ add_jump $chainref, $target, 0, '-d 224.0.0.0/4 ';

 1;

-?END PERL;
+END PERL;
--- a/Shorewall/action.Drop
+++ b/Shorewall/action.Drop
@@ -31,12 +31,12 @@
 # IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!!
 #
 ###############################################################################
-?FORMAT 2
+FORMAT 2
 #
-# The following magic provides different defaults for @2 thru @5, when @1 is
+# The following magic provides different defaults for $2 thru $5, when $1 is
 # 'audit'.
 #
-?BEGIN PERL;
+BEGIN PERL;
 use Shorewall::Config;

 my ( $p1, $p2, $p3 , $p4, $p5 ) = get_action_params( 5 );
@@ -54,7 +54,7 @@ if ( defined $p1 ) {

 1;

-?END PERL;
+END PERL;

 DEFAULTS -,REJECT,DROP,ACCEPT,DROP

@@ -66,31 +66,31 @@ COUNT
 #
 # Reject 'auth'
 #
-Auth(@2)
+Auth($2)
 #
 # Don't log broadcasts
 #
-Broadcast(DROP,@1)
+Broadcast(DROP,$1)
 #
 # ACCEPT critical ICMP types
 #
-AllowICMPs(@4)	-	-	icmp
+AllowICMPs($4)	-	-	icmp
 #
 # Drop packets that are in the INVALID state -- these are usually ICMP packets
 # and just confuse people when they appear in the log.
 #
-Invalid(DROP,@1)
+Invalid(DROP,$1)
 #
 # Drop Microsoft noise so that it doesn't clutter up the log.
 #
-SMB(@3)
-DropUPnP(@5)
+SMB($3)
+DropUPnP($5)
 #
 # Drop 'newnotsyn' traffic so that it doesn't get logged.
 #
-NotSyn(DROP,@1)	-	-	tcp
+NotSyn(DROP,$1)	-	-	tcp
 #
 # Drop late-arriving DNS replies. These are just a nuisance and clutter up
 # the log.
 #
-DropDNSrep(@5)
+DropDNSrep($5)
--- a/Shorewall/action.DropSmurfs
+++ b/Shorewall/action.DropSmurfs
@@ -9,21 +9,19 @@
 #          audit = Audit dropped packets.
 #
 #################################################################################
-?FORMAT 2
+FORMAT 2

 DEFAULTS -

-?BEGIN PERL;
+BEGIN PERL;
 use strict;
 use Shorewall::Config qw(:DEFAULT F_IPV4 F_IPV6);
-use Shorewall::IPAddrs qw( IPv6_MULTICAST );
 use Shorewall::Chains;
 use Shorewall::Rules;

 my ( $audit ) = get_action_params( 1 );

 my $chainref        = get_action_chain;
-
 my ( $level, $tag ) = get_action_logging;
 my $target;

@@ -79,7 +77,7 @@ if ( $family == F_IPV4 ) {
    add_ijump( $chainref, g => $target, s => IPv6_MULTICAST );
 }

-?END PERL;
+END PERL;



--- a/Shorewall/action.Established
+++ b/Shorewall/action.Established
@@ -1,49 +0,0 @@
-#
-# Shorewall 4 - Established Action
-#
-#    /usr/share/shorewall/action.Established
-#
-#     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
-#
-#     (c) 2011,2012 - Tom Eastep (teastep@shorewall.net)
-#
-#       Complete documentation is available at http://shorewall.net
-#
-#       This program is free software; you can redistribute it and/or modify
-#       it under the terms of Version 2 of the GNU General Public License
-#       as published by the Free Software Foundation.
-#
-#       This program is distributed in the hope that it will be useful,
-#       but WITHOUT ANY WARRANTY; without even the implied warranty of
-#       MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-#       GNU General Public License for more details.
-#
-#       You should have received a copy of the GNU General Public License
-#       along with this program; if not, write to the Free Software
-#       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-#
-#   Established[([<action>])]
-#
-#       Default action is ACCEPT
-#
-##########################################################################################
-?FORMAT 2
-
-DEFAULTS ACCEPT
-
-?BEGIN PERL;
-
-use Shorewall::IPAddrs;
-use Shorewall::Config;
-use Shorewall::Chains;
-use Shorewall::Rules;
-
-my ( $action ) = get_action_params( 1 );
-
-if ( my $check = check_state( 'ESTABLISHED' ) ) {
-    perl_action_helper( $action, $check == 1 ? "$globals{STATEMATCH} ESTABLISHED" : '' );
-}
-
-1;
-
-?END PERL;
--- a/Shorewall/action.Invalid
+++ b/Shorewall/action.Invalid
@@ -5,7 +5,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2011,2012 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2011 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
@@ -22,33 +22,35 @@
 #       along with this program; if not, write to the Free Software
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
-#   Invalid[([<action>])]
+#   Invalid[([<action>|-[,{audit|-}])]
 #
 #       Default action is DROP
 #
 ##########################################################################################
-?FORMAT 2
+FORMAT 2

 DEFAULTS DROP,-

-?BEGIN PERL;
+BEGIN PERL;

 use Shorewall::IPAddrs;
 use Shorewall::Config;
 use Shorewall::Chains;
-use Shorewall::Rules;

 my ( $action, $audit ) = get_action_params( 2 );

-if ( supplied $audit ) {
-     fatal_error "Invalid parameter ($audit) to action Invalid" if $audit ne 'audit';
-     $action = "A_$action";
-}
+fatal_error "Invalid parameter ($audit) to action Invalid"   if supplied $audit && $audit ne 'audit';
+fatal_error "Invalid parameter ($action) to action Invalid"  unless $action =~ /^(?:ACCEPT|DROP|REJECT)$/;

-if ( my $check = check_state( 'INVALID' ) ) {
-    perl_action_helper( $action, $check == 1 ? "$globals{STATEMATCH} INVALID" : '' );
-}
+my $chainref         = get_action_chain;
+my ( $level, $tag )  = get_action_logging;
+my $target           = require_audit ( $action , $audit );
+
+log_rule_limit $level, $chainref, 'Invalid' , $action, '', $tag, 'add', "$globals{STATEMATCH} INVALID " if $level ne '';
+add_jump $chainref , $target, 0, "$globals{STATEMATCH} INVALID ";
+
+allow_optimize( $chainref );

 1;

-?END PERL;
+END PERL;
--- a/Shorewall/action.New
+++ b/Shorewall/action.New
@@ -1,55 +0,0 @@
-#
-# Shorewall 4 - New Action
-#
-#    /usr/share/shorewall/action.New
-#
-#     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
-#
-#     (c) 2011,2012 - Tom Eastep (teastep@shorewall.net)
-#
-#       Complete documentation is available at http://shorewall.net
-#
-#       This program is free software; you can redistribute it and/or modify
-#       it under the terms of Version 2 of the GNU General Public License
-#       as published by the Free Software Foundation.
-#
-#       This program is distributed in the hope that it will be useful,
-#       but WITHOUT ANY WARRANTY; without even the implied warranty of
-#       MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-#       GNU General Public License for more details.
-#
-#       You should have received a copy of the GNU General Public License
-#       along with this program; if not, write to the Free Software
-#       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-#
-#   Untracked[([<action>])]
-#
-#       Default action is DROP
-#
-##########################################################################################
-?FORMAT 2
-
-DEFAULTS ACCEPT
-
-?BEGIN PERL;
-
-use Shorewall::IPAddrs;
-use Shorewall::Config;
-use Shorewall::Chains;
-use Shorewall::Rules;
-
-my ( $action ) = get_action_params( 1 );
-
-my ( $level, $tag ) = get_action_logging;
-
-$action = join( ':', $action, $level, $tag ) if "${level}${tag}";
-
-if ( my $check = check_state( 'NEW' ) ) {
-    perl_action_helper( $action, $check == 1 ? "$globals{STATEMATCH} NEW" : '' );
-}
-
-allow_optimize( get_action_chain );
-
-1;
-
-?END PERL;
--- a/Shorewall/action.NotSyn
+++ b/Shorewall/action.NotSyn
@@ -22,32 +22,35 @@
 #       along with this program; if not, write to the Free Software
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
-#   NotSyn[([<action>])]
+#   NotSyn[([<action>|-[,{audit|-}])]
 #
 #       Default action is DROP
 #
 ##########################################################################################
-?FORMAT 2
+FORMAT 2

 DEFAULTS DROP,-

-?BEGIN PERL;
+BEGIN PERL;

-use strict;
 use Shorewall::IPAddrs;
 use Shorewall::Config;
 use Shorewall::Chains;
-use Shorewall::Rules;

 my ( $action, $audit ) = get_action_params( 2 );

-if ( supplied $audit ) {
-     fatal_error "Invalid parameter ($audit) to action NotSyn" if $audit ne 'audit';
-     $action = "A_$action";
-}    
+fatal_error "Invalid parameter ($audit) to action NotSyn"   if supplied $audit && $audit ne 'audit';
+fatal_error "Invalid parameter ($action) to action NotSyn"  unless $action =~ /^(?:ACCEPT|DROP|REJECT)$/;

-perl_action_tcp_helper( $action, '-p 6 ! --syn' );
+my $chainref         = get_action_chain;
+my ( $level, $tag )  = get_action_logging;
+my $target           = require_audit ( $action , $audit );
+
+log_rule_limit $level, $chainref, 'NotSyn' , $action, '', $tag, 'add', '-p 6 ! --syn ' if $level ne '';
+add_jump $chainref , $target, 0, '-p 6 ! --syn ';
+
+allow_optimize( $chainref );

 1;

-?END PERL;
+END PERL;
--- a/Shorewall/action.RST
+++ b/Shorewall/action.RST
@@ -5,7 +5,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2012 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2011 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
@@ -22,30 +22,35 @@
 #       along with this program; if not, write to the Free Software
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
-#   RST[([<action>])]
+#   RST[([<action>|-[,{audit|-}])]
 #
 #       Default action is DROP
 #
 ##########################################################################################
-?FORMAT 2
+FORMAT 2

 DEFAULTS DROP,-

-?BEGIN PERL;
+BEGIN PERL;

+use Shorewall::IPAddrs;
 use Shorewall::Config;
 use Shorewall::Chains;
-use Shorewall::Rules;

 my ( $action, $audit ) = get_action_params( 2 );

-if ( supplied $audit ) {
-     fatal_error "Invalid parameter ($audit) to action RST" if $audit ne 'audit';
-     $action = "A_$action";
-}    
+fatal_error "Invalid parameter ($audit) to action NotSyn"   if supplied $audit && $audit ne 'audit';
+fatal_error "Invalid parameter ($action) to action NotSyn"  unless $action =~ /^(?:ACCEPT|DROP|REJECT)$/;

-perl_action_tcp_helper( $action, '-p 6 --tcp-flags RST RST' );
+my $chainref         = get_action_chain;
+my ( $level, $tag )  = get_action_logging;
+my $target           = require_audit ( $action , $audit );
+
+log_rule_limit $level, $chainref, 'RST' , $action, '', $tag, 'add', '-p 6 --tcp-flags RST RST ' if $level ne '';
+add_jump $chainref , $target, 0, '-p 6 --tcp-flags RST RST, ';
+
+allow_optimize( $chainref );

 1;

-?END PERL;
+END PERL;
--- a/Shorewall/action.Reject
+++ b/Shorewall/action.Reject
@@ -27,12 +27,12 @@
 #
 # IF YOU ARE HAVING CONNECTION PROBLEMS, CHANGING THIS FILE WON'T HELP!!!!!!!!!
 ###############################################################################
-?FORMAT 2
+FORMAT 2
 #
-# The following magic provides different defaults for @2 thru @5, when @1 is
+# The following magic provides different defaults for $2 thru $5, when $1 is
 # 'audit'.
 #
-?BEGIN PERL;
+BEGIN PERL;
 use Shorewall::Config;

 my ( $p1, $p2, $p3 , $p4, $p5 ) = get_action_params( 5 );
@@ -50,7 +50,7 @@ if ( defined $p1 ) {

 1;

-?END PERL;
+END PERL;

 DEFAULTS -,REJECT,REJECT,ACCEPT,DROP

@@ -62,33 +62,33 @@ COUNT
 #
 # Don't log 'auth' -- REJECT
 #
-Auth(@2)
+Auth($2)
 #
 # Drop Broadcasts so they don't clutter up the log
 # (broadcasts must *not* be rejected).
 #
-Broadcast(DROP,@1)
+Broadcast(DROP,$1)
 #
 # ACCEPT critical ICMP types
 #
-AllowICMPs(@4)	-	-	icmp
+AllowICMPs($4)	-	-	icmp
 #
 # Drop packets that are in the INVALID state -- these are usually ICMP packets
 # and just confuse people when they appear in the log (these ICMPs cannot be
 # rejected).
 #
-Invalid(DROP,@1)
+Invalid(DROP,$1)
 #
 # Reject Microsoft noise so that it doesn't clutter up the log.
 #
-SMB(@3)
-DropUPnP(@5)
+SMB($3)
+DropUPnP($5)
 #
 # Drop 'newnotsyn' traffic so that it doesn't get logged.
 #
-NotSyn(DROP,@1)	-	-	tcp
+NotSyn(DROP,$1)	-	-	tcp
 #
 # Drop late-arriving DNS replies. These are just a nuisance and clutter up
 # the log.
 #
-DropDNSrep(@5)
+DropDNSrep($5)
--- a/Shorewall/action.Related
+++ b/Shorewall/action.Related
@@ -1,50 +0,0 @@
-#
-# Shorewall 4 - Related Action
-#
-#    /usr/share/shorewall/action.Related
-#
-#     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
-#
-#     (c) 2011,2012 - Tom Eastep (teastep@shorewall.net)
-#
-#       Complete documentation is available at http://shorewall.net
-#
-#       This program is free software; you can redistribute it and/or modify
-#       it under the terms of Version 2 of the GNU General Public License
-#       as published by the Free Software Foundation.
-#
-#       This program is distributed in the hope that it will be useful,
-#       but WITHOUT ANY WARRANTY; without even the implied warranty of
-#       MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-#       GNU General Public License for more details.
-#
-#       You should have received a copy of the GNU General Public License
-#       along with this program; if not, write to the Free Software
-#       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-#
-#   Related[([<action>])]
-#
-#       Default action is DROP
-#
-##########################################################################################
-?FORMAT 2
-
-DEFAULTS DROP
-
-?BEGIN PERL;
-
-use strict;
-use Shorewall::IPAddrs;
-use Shorewall::Config;
-use Shorewall::Chains;
-use Shorewall::Rules;
-
-my ( $action ) = get_action_params( 1 );
-
-if ( my $check = check_state( 'RELATED' ) ) {
-    perl_action_helper( $action, $check == 1 ? "$globals{STATEMATCH} RELATED" : '' );
-}
-
-1;
-
-?END PERL;
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
Tom Eastep	746a363d41	Add some decimal->hex convertions in routing rules. Signed-off-by: Tom Eastep <teastep@shorewall.net>	2012-05-10 11:11:15 -07:00
Tom Eastep	6e5b07c804	Deprecate the current TPROXY implementation. Signed-off-by: Tom Eastep <teastep@shorewall.net>	2012-05-10 11:02:08 -07:00
Tom Eastep	865078f925	Allow Shorewall::Config::in_hex() to accept an argument already expressed in hex. Signed-off-by: Tom Eastep <teastep@shorewall.net>	2012-05-10 07:29:59 -07:00