Fix syntax error in the generated script

Signed-off-by: Tom Eastep <teastep@shorewall.net>
Correct issues with debugging the generated script
2012-03-06 09:14:06 -08:00 · 2012-03-05 15:55:25 -08:00 · 2012-02-29 15:04:17 -08:00 · 2012-02-25 08:28:15 -08:00 · 2012-02-25 07:51:55 -08:00 · 2012-02-25 07:40:47 -08:00
334 changed files with 11035 additions and 30783 deletions
--- a/Shorewall-core/configure
+++ b/Shorewall-core/configure
@@ -1,199 +0,0 @@
-#!/bin/bash
-#
-#     Shorewall Packet Filtering Firewall RPM configuration program - V4.5
-#
-#     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
-#
-#     (c) 2012 - Tom Eastep (teastep@shorewall.net)
-#
-#	Shorewall documentation is available at http://www.shorewall.net
-#
-#	This program is free software; you can redistribute it and/or modify
-#	it under the terms of Version 2 of the GNU General Public License
-#	as published by the Free Software Foundation.
-#
-#	This program is distributed in the hope that it will be useful,
-#	but WITHOUT ANY WARRANTY; without even the implied warranty of
-#	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-#	GNU General Public License for more details.
-#
-#	You should have received a copy of the GNU General Public License
-#	along with this program; if not, write to the Free Software
-#	Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-#
-#       Usage: ./configure [ <option>=<setting> ] ...
-#
-#
-################################################################################################
-#
-# Build updates this
-#
-VERSION=4.5.2.1
-
-case "$BASH_VERSION" in
-    [4-9].*)
-	;;
-    *)
-	echo "ERROR: This program requires Bash 4.0 or later" >&2
-	exit 1
-	;;
-esac
-
-declare -A params
-declare -A options
-
-getfileparams() {
-    while read option; do
-	case $option in
-	    \#*)
-		;;
-	    *)
-		on=${option%=*}
-		ov=${option#*=}
-		ov=${ov%#*}
-		[ -n "$on" ] && options[${on}]="${ov}"
-		;;
-	esac
-
-    done
-
-    return 0
-}
-
-for p in $@; do
-
-    if [ -n "${p}" ]; then
-	declare -u pn
-
-	pn=${p%=*}
-	pn=${pn#--}
-	pv=${p#*=}
-
-	if [ -n "${pn}" ]; then
-
-	    case ${pn} in
-		VENDOR)
-		    pn=HOST
-		    ;;
-		SHAREDSTATEDIR)
-		    pn=VARLIB
-		    ;;
-		DATADIR)
-		    pn=SHAREDIR
-		    ;;
-	    esac
-
-	    params[${pn}]="${pv}"
-	else
-	    echo "ERROR: Invalid option ($p)" >&2
-	    exit 1
-	fi
-    fi
-done
-
-vendor=${params[HOST]}
-
-if [ -z "$vendor" ]; then
-    case `uname` in
-	Darwin)
-	    $params[HOST]=apple
-	    rcfile=shorewallrc.apple
-	    ;;
-
-	cygwin*)
-	    $params[HOST]=cygwin
-	    rcfile=shorewallrc.cygwin
-	    ;;
-	*)
-	    if [ -f /etc/debian_version ]; then
-		params[HOST]=debian
-		rcfile=shorewallrc.debian
-	    elif [ -f /etc/redhat-release ]; then
-		params[HOST]=redhat
-		rcfile=shorewallrc.redhat
-	    elif [ -f /etc/slackware-version ] ; then
-		params[HOST]=slackware
-		rcfile=shorewallrc.slackware
-	    elif [ -f /etc/SuSE-release ]; then
-		params[HOST]=suse
-		rcfile=shorewallrc.suse
-	    elif [ -f /etc/arch-release ] ; then
-		params[HOST]=archlinux
-		rcfile=shorewallrc.archlinux
-	    else
-		params[HOST]=linux
-		rcfile=shorewallrc.default
-	    fi
-	    ;;
-    esac
-
-    vendor=${params[HOST]}
-elif [ $vendor = linux ]; then
-    rcfile=shorewallrc.default;
-else
-    rcfile=shorewallrc.$vendor
-    if [ ! -f $rcfile ]; then
-	echo "ERROR: $vendor is not a recognized host type" >&2
-	exit 1
-    fi
-fi
-
-if [ $vendor = linux ]; then
-    echo "INFO: Creating a generic Linux installation - " `date`;
-else
-    echo "INFO: Creating a ${vendor}-specific installation - " `date`;
-fi
-
-echo
-
-getfileparams < $rcfile || exit 1
-
-for p in ${!params[@]}; do
-    options[${p}]="${params[${p}]}"
-done
-
-echo '#'                                                                 > shorewallrc
-echo "# Created by Shorewall Core version $VERSION configure - " `date` >> shorewallrc
-echo '#'                                                                >> shorewallrc
-
-if [ $# -gt 0 ]; then
-    echo "# Input: $@" >> shorewallrc
-    echo '#'           >> shorewallrc
-fi
-
-if [ -n "${options[VARLIB]}" ]; then
-    if [ -z "${options[VARDIR]}" ]; then
-	options[VARDIR]='${VARLIB}/${PRODUCT}'
-    fi
-elif [ -n "${options[VARDIR]}" ]; then
-    if [ -z "{$options[VARLIB]}" ]; then
-	options[VARLIB]=${options[VARDIR]}
-	options[VARDIR]='${VARLIB}/${PRODUCT}'
-    fi
-fi
-
-for on in \
-    HOST \
-    PREFIX \
-    SHAREDIR \
-    LIBEXECDIR \
-    PERLLIBDIR \
-    CONFDIR \
-    SBINDIR \
-    MANDIR \
-    INITDIR \
-    INITSOURCE \
-    INITFILE \
-    AUXINITSOURCE \
-    AUXINITFILE \
-    SYSTEMD \
-    SYSCONFFILE \
-    SYSCONFDIR \
-    SPARSE \
-    ANNOTATED \
-    VARLIB \
-    VARDIR
-do
-    echo "$on=${options[${on}]}"
-    echo "$on=${options[${on}]}" >> shorewallrc
-done
--- a/Shorewall-core/configure.pl
+++ b/Shorewall-core/configure.pl
@@ -1,164 +0,0 @@
-#! /usr/bin/perl -w
-#
-#     Shorewall Packet Filtering Firewall RPM configuration program - V4.5
-#
-#     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
-#
-#     (c) 2012 - Tom Eastep (teastep@shorewall.net)
-#
-#	Shorewall documentation is available at http://www.shorewall.net
-#
-#	This program is free software; you can redistribute it and/or modify
-#	it under the terms of Version 2 of the GNU General Public License
-#	as published by the Free Software Foundation.
-#
-#	This program is distributed in the hope that it will be useful,
-#	but WITHOUT ANY WARRANTY; without even the implied warranty of
-#	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-#	GNU General Public License for more details.
-#
-#	You should have received a copy of the GNU General Public License
-#	along with this program; if not, write to the Free Software
-#	Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-#
-#       Usage: ./configure.pl <option>=<setting> ...
-#
-#
-################################################################################################
-use strict;
-
-#
-# Build updates this
-#
-use constant {
-    VERSION => '4.5.2.1'
-};
-
-my %params;
-my %options;
-
-my %aliases = ( VENDOR         => 'HOST',
-		SHAREDSTATEDIR => 'VARLIB',
-		DATADIR        => 'SHAREDIR' );
-
-for ( @ARGV ) {
-    die "ERROR: Invalid option specification ( $_ )" unless /^(?:--)?(\w+)=(.*)$/;
-
-    my $pn = uc $1;
-    my $pv = $2 || '';
-
-    $pn = $aliases{$pn} if exists $aliases{$pn};
-
-    $params{$pn} = $pv;
-}
-
-my $vendor = $params{HOST};
-my $rcfile;
-my $rcfilename;
-
-if ( defined $vendor ) {
-    $rcfilename = $vendor eq 'linux' ? 'shorewallrc.default' : 'shorewallrc.' . $vendor;
-    die qq("ERROR: $vendor" is not a recognized host type) unless -f $rcfilename;
-} else {
-    if ( -f '/etc/debian_version' ) {
-	$vendor = 'debian';
-	$rcfilename = 'shorewallrc.debian';
-    } elsif ( -f '/etc/redhat-release' ){
-	$vendor = 'redhat';
-	$rcfilename = 'shorewallrc.redhat';
-    } elsif ( -f '/etc/slackware-version' ) {
-	$vendor = 'slackware';
-	$rcfilename = 'shorewallrc.slackware';
-    } elsif ( -f '/etc/SuSE-release' ) {
-	$vendor = 'suse';
-	$rcfilename = 'shorewallrc.suse';
-    } elsif ( -f '/etc/arch-release' ) {
-	$vendor = 'archlinux';
-	$rcfilename = 'shorewallrc.archlinux';
-    } elsif ( `uname` =~ '^Darwin' ) {
-	$vendor = 'apple';
-	$rcfilename = 'shorewallrc.apple';
-    } elsif ( `uname` =~ '^Cygwin' ) {
-	$vendor = 'cygwin';
-	$rcfilename = 'shorewallrc.cygwin';
-    } else {
-	$vendor = 'linux';
-	$rcfilename = 'shorewallrc.default';
-    }
-
-    $params{HOST} = $vendor;
-}
-
-my @localtime = localtime;
-my @abbr = qw( Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec );
-
-if ( $vendor eq 'linux' ) {
-    printf "INFO: Creating a generic Linux installation - %s %2d %04d %02d:%02d:%02d\n\n", $abbr[$localtime[4]], $localtime[3], 1900 + $localtime[5] , @localtime[2,1,0];;
-} else {
-    printf "INFO: Creating a %s-specific installation - %s %2d %04d %02d:%02d:%02d\n\n", $vendor, $abbr[$localtime[4]], $localtime[3], 1900 + $localtime[5] , @localtime[2,1,0];;
-}
-
-open $rcfile, '<', $rcfilename or die "Unable to open $rcfilename for input: $!";
-
-while ( <$rcfile> ) {
-    s/\s*#.*//;
-    unless ( /^\s*$/ ) {
-	chomp;
-	die "ERROR: Invalid entry ($_) in $rcfilename, line $." unless /\s*(\w+)=(.*)/;
-	$options{$1} = $2;
-    }
-}
-
-close $rcfile;
-
-while ( my ( $p, $v ) = each %params ) {
-    $options{$p} = ${v};
-}
-
-my $outfile;
-
-open $outfile, '>', 'shorewallrc' or die "Can't open 'shorewallrc' for output: $!";
-
-printf $outfile "#\n# Created by Shorewall Core version %s configure.pl - %s %2d %04d %02d:%02d:%02d\n#\n", VERSION, $abbr[$localtime[4]], $localtime[3], 1900 + $localtime[5] , @localtime[2,1,0];
-
-print  $outfile "# Input: @ARGV\n#\n" if @ARGV;
-
-if ( $options{VARLIB} ) {
-    unless ( $options{VARDIR} ) {
-	$options{VARDIR} = '${VARLIB}/${PRODUCT}';
-    }
-} elsif ( $options{VARDIR} ) {
-    $options{VARLIB} = $options{VARDIR};
-    $options{VARDIR} = '${VARLIB}/${PRODUCT}';
-}
-
-for ( qw/ HOST
-	  PREFIX
-	  SHAREDIR
-	  LIBEXECDIR
-	  PERLLIBDIR
-	  CONFDIR
-	  SBINDIR
-	  MANDIR
-	  INITDIR
-	  INITSOURCE
-	  INITFILE
-	  AUXINITSOURCE
-	  AUXINITFILE
-	  SYSTEMD
-	  SYSCONFFILE
-	  SYSCONFDIR
-	  SPARSE
-	  ANNOTATED
-	  VARLIB
-	  VARDIR / ) {
-
-    my $val = $options{$_} || '';
-
-    print          "$_=$val\n";
-    print $outfile "$_=$val\n";
-}
-
-close $outfile;
-
-1;
--- a/Shorewall-core/install.sh
+++ b/Shorewall-core/install.sh
@@ -27,18 +27,14 @@ VERSION=xxx #The Build script inserts the actual version
 usage() # $1 = exit status
 {
    ME=$(basename $0)
-    echo "usage: $ME [ <configuration-file> ] "
+    echo "usage: $ME"
    echo "       $ME -v"
    echo "       $ME -h"
+    echo "       $ME -s"
+    echo "       $ME -f"
    exit $1
 }

-fatal_error()
-{
-    echo "   ERROR: $@" >&2
-    exit 1
-}
-
 split() {
    local ifs
    ifs=$IFS
@@ -91,16 +87,69 @@ install_file() # $1 = source $2 = target $3 = mode
    run_install $T $OWNERSHIP -m $3 $1 ${2}
 }

-require()
-{
-    eval [ -n "\$$1" ] || fatal_error "Required option $1 not set"
-}
-
-cd "$(dirname $0)"
+[ -n "$DESTDIR" ] || DESTDIR="$PREFIX"

 #
 # Parse the run line
 #
+# ARGS is "yes" if we've already parsed an argument
+#
+T="-T"
+
+[ -n "${LIBEXEC:=/usr/share}" ]
+[ -n "${PERLLIB:=/usr/share/shorewall}" ]
+MACHOST=
+
+case "$LIBEXEC" in
+    /*)
+	;;
+    *)
+	LIBEXEC=/usr/${LIBEXEC}
+	;;
+esac
+
+case "$PERLLIB" in
+    /*)
+	;;
+    *)
+	PERLLIB=/usr/${PERLLIB}
+	;;
+esac
+
+INSTALLD='-D'
+
+case $(uname) in
+    CYGWIN*)
+	if [ -z "$DESTDIR" ]; then
+	    DEST=
+	    INIT=
+	fi
+
+	OWNER=$(id -un)
+	GROUP=$(id -gn)
+	CYGWIN=Yes
+	;;
+    Darwin)
+	if [ -z "$DESTDIR" ]; then
+	    DEST=
+	    INIT=
+	fi
+
+	[ -z "$OWNER" ] && OWNER=root
+	[ -z "$GROUP" ] && GROUP=wheel
+	MAC=Yes
+        MACHOST=Yes
+	INSTALLD=
+	T=
+	;;
+    *)
+	[ -z "$OWNER" ] && OWNER=root
+	[ -z "$GROUP" ] && GROUP=root
+	;;
+esac
+
+OWNERSHIP="-o $OWNER -g $GROUP"
+
 finished=0

 while [ $finished -eq 0 ]; do
@@ -119,6 +168,14 @@ while [ $finished -eq 0 ]; do
 			echo "Shorewall Firewall Installer Version $VERSION"
 			exit 0
 			;;
+		    a*)
+			ANNOTATED=Yes
+			option=${option#a}
+			;;
+		    p*)
+			ANNOTATED=
+			option=${option#p}
+			;;
 		    *)
 			usage 1
 			;;
@@ -128,264 +185,102 @@ while [ $finished -eq 0 ]; do
 	    shift
 	    ;;
 	*)
+	    [ -n "$option" ] && usage 1
 	    finished=1
 	    ;;
    esac
 done

-#
-# Read the RC file
-#
-if [ $# -eq 0 ]; then
-    if [ -f ./shorewallrc ]; then
-	. ./shorewallrc
-	file=./shorewallrc
-    elif [ -f ~/.shorewallrc ]; then
-	. ~/.shorewallrc || exit 1
-	file=~/.shorewallrc
-    elif [ -f /usr/share/shorewall/shorewallrc ]; then
-	. /usr/share/shorewall/shorewallrc
-	file=/usr/share/shorewall/shorewallrc
-    else
-	fatal_error "No configuration file specified and /usr/share/shorewall/shorewallrc not found"
-    fi
-elif [ $# -eq 1 ]; then
-    file=$1
-    case $file in
-	/*|.*)
-	    ;;
-	*)
-	    file=./$file || exit 1
-	    ;;
-    esac
-
-    . $file
-else
-    usage 1
-fi
-
-update=0
-
-if [ -z "${VARLIB}" ]; then
-    VARLIB=${VARDIR}
-    VARDIR="${VARLIB}/${PRODUCT}"
-    update=1
-elif [ -z "${VARDIR}" ]; then
-    VARDIR="${VARLIB}/${PRODUCT}"
-    update=2
-fi
-
-for var in SHAREDIR LIBEXECDIR PERLLIBDIR CONFDIR SBINDIR VARLIB VARDIR; do
-    require $var
-done
-
-[ "${INITFILE}" != 'none/' ] && require INITSOURCE && require INITDIR
-
-T="-T"
-
-INSTALLD='-D'
-
-if [ -z "$BUILD" ]; then
-    case $(uname) in
-	cygwin*)
-	    BUILD=cygwin
-	    ;;
-	Darwin)
-	    BUILD=apple
-	    ;;
-	*)
-	    if [ -f /etc/debian_version ]; then
-		BUILD=debian
-	    elif [ -f /etc/redhat-release ]; then
-		BUILD=redhat
-	    elif [ -f /etc/slackware-version ] ; then
-		BUILD=slackware
-	    elif [ -f /etc/SuSE-release ]; then
-		BUILD=suse
-	    elif [ -f /etc/arch-release ] ; then
-		BUILD=archlinux
-	    else
-		BUILD=linux
-	    fi
-	    ;;
-    esac
-fi
-
-case $BUILD in
-    cygwin*)
-	if [ -z "$DESTDIR" ]; then
-	    DEST=
-	    INIT=
-	fi
-
-	OWNER=$(id -un)
-	GROUP=$(id -gn)
-	;;
-    apple)
-	if [ -z "$DESTDIR" ]; then
-	    DEST=
-	    INIT=
-	    SPARSE=Yes
-	fi
-
-	[ -z "$OWNER" ] && OWNER=root
-	[ -z "$GROUP" ] && GROUP=wheel
-	INSTALLD=
-	T=
-	;;
-    *)
-	[ -z "$OWNER" ] && OWNER=root
-	[ -z "$GROUP" ] && GROUP=root
-	;;
-esac
-
-OWNERSHIP="-o $OWNER -g $GROUP"
+PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin

 #
 # Determine where to install the firewall script
 #

-[ -n "$HOST" ] || HOST=$BUILD
-
-case "$HOST" in
-    cygwin)
-	echo "Installing Cygwin-specific configuration..."
-	;;
-    apple)
-	echo "Installing Mac-specific configuration...";
-	;;
-    debian|redhat|slackware|archlinux|linux|suse)
-	;;
-    *)
-	echo "ERROR: Unknown HOST \"$HOST\"" >&2
-	exit 1;
-	;;
-esac
-
-if [ -z "$file" ]; then
-    if $HOST = linux; then
-	file=shorewallrc.default
-    else
-	file=shorewallrc.${HOST}
-    fi
-
-    echo "You have not specified a configuration file and ~/.shorewallrc does not exist" >&2
-    echo "Shorewall-core $VERSION has determined that the $file configuration is appropriate for your system" >&2
-    echo "Please review the settings in that file. If you wish to change them, make a copy and modify the copy" >&2
-    echo "Then re-run install.sh passing either $file or the name of your modified copy" >&2
-    echo "" >&2
-    echo "Example:" >&2
-    echo "" >&2
-    echo "   ./install.sh $file" &>2
-fi
-
 if [ -n "$DESTDIR" ]; then
-    if [ $BUILD != cygwin ]; then
+    if [ -z "$CYGWIN" ]; then
 	if [ `id -u` != 0 ] ; then
 	    echo "Not setting file owner/group permissions, not running as root."
 	    OWNERSHIP=""
 	fi
    fi
+
+    install -d $OWNERSHIP -m 755 ${DESTDIR}/sbin
+    install -d $OWNERSHIP -m 755 ${DESTDIR}${DEST}
+
+    CYGWIN=
+    MAC=
+else
+    if [ -n "$CYGWIN" ]; then
+	echo "Installing Cygwin-specific configuration..."
+    elif [ -n "$MAC" ]; then
+	echo "Installing Mac-specific configuration..."
+    else
+	if [ -f /etc/debian_version ]; then
+	    echo "Installing Debian-specific configuration..."
+	    DEBIAN=yes
+	elif [ -f /etc/redhat-release ]; then
+	    echo "Installing Redhat/Fedora-specific configuration..."
+	    FEDORA=yes
+	elif [ -f /etc/slackware-version ] ; then
+	    echo "Installing Slackware-specific configuration..."
+	    DEST="/etc/rc.d"
+	    MANDIR="/usr/man"
+	    SLACKWARE=yes
+	elif [ -f /etc/arch-release ] ; then
+	    echo "Installing ArchLinux-specific configuration..."
+	    DEST="/etc/rc.d"
+	    INIT="shorewall"
+	    ARCHLINUX=yes
+	fi
+    fi
 fi

+#
+# Change to the directory containing this script
+#
+cd "$(dirname $0)"
+
 echo "Installing Shorewall Core Version $VERSION"

 #
-# Create directories
+# Create /usr/share/shorewall
 #
-mkdir -p ${DESTDIR}${LIBEXECDIR}/shorewall
-chmod 755 ${DESTDIR}${LIBEXECDIR}/shorewall
-
-mkdir -p ${DESTDIR}${SHAREDIR}/shorewall
-chmod 755 ${DESTDIR}${SHAREDIR}/shorewall
-
-mkdir -p ${DESTDIR}${CONFDIR}
-chmod 755 ${DESTDIR}${CONFDIR}
-
-if [ -n "${SYSCONFDIR}" ]; then
-    mkdir -p ${DESTDIR}${SYSCONFDIR}
-    chmod 755 ${DESTDIR}${SYSCONFDIR}
-fi
-
-if [ -n "${SYSTEMD}" ]; then
-    mkdir -p ${DESTDIR}${SYSTEMD}
-    chmod 755 ${DESTDIR}${SYSTEMD}
-fi
-
-mkdir -p ${DESTDIR}${SBINDIR}
-chmod 755 ${DESTDIR}${SBINDIR}
-
-mkdir -p ${DESTDIR}${MANDIR}
-chmod 755 ${DESTDIR}${MANDIR}
-
-if [ -n "${INITFILE}" ]; then
-    mkdir -p ${DESTDIR}${INITDIR}
-    chmod 755 ${DESTDIR}${INITDIR}
-
-    if [ -n "$AUXINITSOURCE" -a -f "$AUXINITSOURCE" ]; then
-	install_file $AUXINITSOURCE ${DESTDIR}${INITDIR}/$AUXINITFILE 0544
-	[ "${SHAREDIR}" = /usr/share ] || eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${INITDIR}/$AUXINITFILE
-	echo  "$Product script installed in ${DESTDIR}${INITDIR}/$AUXINITFILE"
-    fi
-fi
-#
-# Note: ${VARDIR} is created at run-time since it has always been
-#       a relocatable directory on a per-product basis
+mkdir -p ${DESTDIR}${LIBEXEC}/shorewall
+chmod 755 ${DESTDIR}/usr/share/shorewall
 #
 # Install wait4ifup
 #
-install_file wait4ifup ${DESTDIR}${LIBEXECDIR}/shorewall/wait4ifup 0755
+install_file wait4ifup ${DESTDIR}${LIBEXEC}/shorewall/wait4ifup 0755

 echo
-echo "wait4ifup installed in ${DESTDIR}${LIBEXECDIR}/shorewall/wait4ifup"
+echo "wait4ifup installed in ${DESTDIR}${LIBEXEC}/shorewall/wait4ifup"

 #
 # Install the libraries
 #
 for f in lib.* ; do
-    install_file $f ${DESTDIR}${SHAREDIR}/shorewall/$f 0644
-    echo "Library ${f#*.} file installed as ${DESTDIR}${SHAREDIR}/shorewall/$f"
+    install_file $f ${DESTDIR}/usr/share/shorewall/$f 0644
+    echo "Library ${f#*.} file installed as ${DESTDIR}/usr/share/shorewall/$f"
 done

+if [ -z "$MACHOST" ]; then
+    eval sed -i \'s\|g_libexec=.\*\|g_libexec=$LIBEXEC\|\' ${DESTDIR}/usr/share/shorewall/lib.cli
+    eval sed -i \'s\|g_perllib=.\*\|g_perllib=$PERLLIB\|\' ${DESTDIR}/usr/share/shorewall/lib.cli
+else
+    eval sed -i \'\' -e \'s\|g_libexec=.\*\|g_libexec=$LIBEXEC\|\' ${DESTDIR}/usr/share/shorewall/lib.cli
+    eval sed -i \'\' -e \'s\|g_perllib=.\*\|g_perllib=$PERLLIB\|\' ${DESTDIR}/usr/share/shorewall/lib.cli
+fi
+
 #
 # Symbolically link 'functions' to lib.base
 #
-ln -sf lib.base ${DESTDIR}${SHAREDIR}/shorewall/functions
+ln -sf lib.base ${DESTDIR}/usr/share/shorewall/functions
 #
 # Create the version file
 #
-echo "$VERSION" > ${DESTDIR}${SHAREDIR}/shorewall/coreversion
-chmod 644 ${DESTDIR}${SHAREDIR}/shorewall/coreversion
-
-if [ -z "${DESTDIR}" ]; then
-    if [ $update -ne 0 ]; then
-	echo "Updating $file - original saved in $file.bak"
-
-	cp $file $file.bak
-
-	echo '#'                                             >> $file
-	echo "# Updated by Shorewall-core $VERSION -" `date` >> $file
-	echo '#'                                             >> $file
-
-	[ $update -eq 1 ] && sed -i 's/VARDIR/VARLIB/' $file
-
-	echo 'VARDIR=${VARLIB}/${PRODUCT}' >> $file
-    fi
-
-    [ ! -f ~/.shorewallrc ] && cp ${SHAREDIR}/shorewall/shorewallrc ~/.shorewallrc
-fi
-
-[ $file != "${DESTDIR}${SHAREDIR}/shorewall/shorewallrc" ] && cp $file ${DESTDIR}${SHAREDIR}/shorewall/shorewallrc
-
-if [ ${SHAREDIR} != /usr/share ]; then
-    for f in lib.*; do
-	if [ $BUILD != apple ]; then
-	    eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}/${SHAREDIR}/shorewall/$f
-	else
-	    eval sed -i \'\' -e \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}/${SHAREDIR}/shorewall/$f
-	fi
-    done
-fi
+echo "$VERSION" > ${DESTDIR}/usr/share/shorewall/coreversion
+chmod 644 ${DESTDIR}/usr/share/shorewall/coreversion
 #
 #  Report Success
 #
--- a/Shorewall-core/lib.base
+++ b/Shorewall-core/lib.base
@@ -20,61 +20,57 @@
 #	along with this program; if not, write to the Free Software
 #	Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
-# This library contains the code common to all Shorewall components except the
-# generated scripts.
+# This library contains the code common to all Shorewall components.
+#
+# - It is loaded by /sbin/shorewall.
+# - It is released as part of Shorewall[6] Lite where it is used by /sbin/shorewall[6]-lite
+#   and /usr/share/shorewall[6]-lite/shorecap.
 #

-SHOREWALL_LIBVERSION=40509
+SHOREWALL_LIBVERSION=40500
+SHOREWALL_CAPVERSION=40501

 [ -n "${g_program:=shorewall}" ]

-if [ -z "$g_readrc" ]; then
-    #
-    # This is modified by the installer when ${SHAREDIR} != /usr/share
-    #
-    . /usr/share/shorewall/shorewallrc
-
-    g_sharedir="$SHAREDIR"/$g_program
-    g_confdir="$CONFDIR"/$g_program
-    g_readrc=1
-fi
-
-g_basedir=${SHAREDIR}/shorewall
-
 case $g_program in
    shorewall)
+	SHAREDIR=/usr/share/shorewall
+	CONFDIR=/etc/shorewall
 	g_product="Shorewall"
 	g_family=4
-	g_tool=iptables
+	g_tool=
+	g_basedir=/usr/share/shorewall
 	g_lite=
 	;;
    shorewall6)
+	SHAREDIR=/usr/share/shorewall6
+	CONFDIR=/etc/shorewall6
 	g_product="Shorewall6"
 	g_family=6
-	g_tool=ip6tables
+	g_tool=
+	g_basedir=/usr/share/shorewall
 	g_lite=
 	;;
    shorewall-lite)
+	SHAREDIR=/usr/share/shorewall-lite
+	CONFDIR=/etc/shorewall-lite
 	g_product="Shorewall Lite"
 	g_family=4
 	g_tool=iptables
+	g_basedir=/usr/share/shorewall-lite
 	g_lite=Yes
 	;;
    shorewall6-lite)
+	SHAREDIR=/usr/share/shorewall6-lite
+	CONFDIR=/etc/shorewall6-lite
 	g_product="Shorewall6 Lite"
 	g_family=6
 	g_tool=ip6tables
+	g_basedir=/usr/share/shorewall6-lite
 	g_lite=Yes
 	;;
 esac

-if [ -z "${VARLIB}" ]; then
-    VARLIB=${VARDIR}
-    VARDIR=${VARLIB}/$g_program
-elif [ -z "${VARDIR}" ]; then
-    VARDIR="${VARLIB}/${PRODUCT}"
-fi
-
 #
 # Conditionally produce message
 #
@@ -127,6 +123,71 @@ combine_list()
    echo $o
 }

+#
+# Call this function to assert mutual exclusion with Shorewall. If you invoke the
+# /sbin/shorewall program while holding mutual exclusion, you should pass "nolock" as
+# the first argument. Example "shorewall nolock refresh"
+#
+# This function uses the lockfile utility from procmail if it exists.
+# Otherwise, it uses a somewhat race-prone algorithm to attempt to simulate the
+# behavior of lockfile.
+#
+mutex_on()
+{
+    local try
+    try=0
+    local lockf
+    lockf=${LOCKFILE:=${VARDIR}/lock}
+    local lockpid
+
+    MUTEX_TIMEOUT=${MUTEX_TIMEOUT:-60}
+
+    if [ $MUTEX_TIMEOUT -gt 0 ]; then
+
+	[ -d ${VARDIR} ] || mkdir -p ${VARDIR}
+
+	if [ -f $lockf ]; then
+	    lockpid=`cat ${lockf} 2> /dev/null`
+	    if [ -z "$lockpid" -o $lockpid = 0 ]; then
+		rm -f ${lockf}
+		error_message "WARNING: Stale lockfile ${lockf} removed"
+	    elif ! qt ps p ${lockpid}; then
+		rm -f ${lockf}
+		error_message "WARNING: Stale lockfile ${lockf} from pid ${lockpid} removed"
+	    fi
+	fi
+
+	if qt mywhich lockfile; then
+	    lockfile -${MUTEX_TIMEOUT} -r1 ${lockf}
+	    chmod u+w ${lockf}
+	    echo $$ > ${lockf}
+	    chmod u-w ${lockf}
+	else
+	    while [ -f ${lockf} -a ${try} -lt ${MUTEX_TIMEOUT} ] ; do
+		sleep 1
+		try=$((${try} + 1))
+	    done
+
+	    if  [ ${try} -lt ${MUTEX_TIMEOUT} ] ; then
+	        # Create the lockfile
+		echo $$ > ${lockf}
+	    else
+		echo "Giving up on lock file ${lockf}" >&2
+	    fi
+	fi
+    fi
+}
+
+#
+# Call this function to release mutual exclusion
+#
+mutex_off()
+{
+    rm -f ${LOCKFILE:=${VARDIR}/lock}
+}
+
+[ -z "$LEFTSHIFT" ] && . /usr/share/shorewall/lib.common
+
 #
 # Validate an IP address
 #
@@ -255,8 +316,6 @@ ip_range_explicit() {
    done
 }

-[ -z "$LEFTSHIFT" ] && . ${g_basedir}/lib.common
-
 #
 # Netmask to VLSM
 #
@@ -285,7 +344,7 @@ ip_vlsm() {
 #
 ensure_config_path() {
    local F
-    F=${g_sharedir}/configpath
+    F=${SHAREDIR}/configpath
    if [ -z "$CONFIG_PATH" ]; then
 	[ -f $F ] || { echo "   ERROR: $F does not exist"; exit 2; }
 	. $F
@@ -396,14 +455,14 @@ mktempfile() {
    else
 	case "$MKTEMP" in
 	    BSD)
-		mktemp ${TMPDIR:-/tmp}/shorewall.XXXXXX
+		mktemp /tmp/shorewall.XXXXXX
 		;;
 	    STD)
 		mktemp -t shorewall.XXXXXX
 		;;
 	    None)
-		rm -f ${TMPDIR:-/tmp}/shorewall-$$
-		> ${TMPDIR:-}/shorewall-$$ && echo ${TMPDIR:-/tmp}/shorewall-$$
+		rm -f /tmp/shorewall-$$
+		> /tmp/shorewall-$$ && echo /tmp/shorewall-$$
 		;;
 	    *)
 		error_message "ERROR:Internal error in mktempfile"
--- a/Shorewall-core/lib.cli
+++ b/Shorewall-core/lib.cli
--- a/Shorewall-core/lib.common
+++ b/Shorewall-core/lib.common
@@ -84,7 +84,7 @@ get_script_version() { # $1 = script

    temp=$( $SHOREWALL_SHELL $1 version | tail -n 1 | sed 's/-.*//' )

-    if [ -z "$temp" ]; then
+    if [ $? -ne 0 ]; then
 	version=0
    else
 	ifs=$IFS
@@ -676,11 +676,7 @@ find_file()
 		fi
 	    done

-	    if [ -n "$g_shorewalldir" ]; then
-		echo ${g_shorewalldir}/$1
-	    else
-		echo ${g_confdir}/$1
-	    fi
+	    echo ${CONFDIR}/$1
 	    ;;
    esac
 }
@@ -721,69 +717,3 @@ truncate() # $1 = length
 {
    cut -b -${1}
 }
-
-#
-# Call this function to assert mutual exclusion with Shorewall. If you invoke the
-# /sbin/shorewall program while holding mutual exclusion, you should pass "nolock" as
-# the first argument. Example "shorewall nolock refresh"
-#
-# This function uses the lockfile utility from procmail if it exists.
-# Otherwise, it uses a somewhat race-prone algorithm to attempt to simulate the
-# behavior of lockfile.
-#
-mutex_on()
-{
-    local try
-    try=0
-    local lockf
-    lockf=${LOCKFILE:=${VARDIR}/lock}
-    local lockpid
-
-    MUTEX_TIMEOUT=${MUTEX_TIMEOUT:-60}
-
-    if [ $MUTEX_TIMEOUT -gt 0 ]; then
-
-	[ -d ${VARDIR} ] || mkdir -p ${VARDIR}
-
-	if [ -f $lockf ]; then
-	    lockpid=`cat ${lockf} 2> /dev/null`
-	    if [ -z "$lockpid" -o $lockpid = 0 ]; then
-		rm -f ${lockf}
-		error_message "WARNING: Stale lockfile ${lockf} removed"
-	    elif [ $lockpid -eq $$ ]; then
-                return 0
-	    elif ! qt ps p ${lockpid}; then
-		rm -f ${lockf}
-		error_message "WARNING: Stale lockfile ${lockf} from pid ${lockpid} removed"
-	    fi
-	fi
-
-	if qt mywhich lockfile; then
-	    lockfile -${MUTEX_TIMEOUT} -r1 ${lockf}
-	    chmod u+w ${lockf}
-	    echo $$ > ${lockf}
-	    chmod u-w ${lockf}
-	else
-	    while [ -f ${lockf} -a ${try} -lt ${MUTEX_TIMEOUT} ] ; do
-		sleep 1
-		try=$((${try} + 1))
-	    done
-
-	    if  [ ${try} -lt ${MUTEX_TIMEOUT} ] ; then
-	        # Create the lockfile
-		echo $$ > ${lockf}
-	    else
-		echo "Giving up on lock file ${lockf}" >&2
-	    fi
-	fi
-    fi
-}
-
-#
-# Call this function to release mutual exclusion
-#
-mutex_off()
-{
-    rm -f ${LOCKFILE:=${VARDIR}/lock}
-}
-
--- a/Shorewall-core/shorewallrc.apple
+++ b/Shorewall-core/shorewallrc.apple
@@ -1,20 +0,0 @@
-#
-# Apple OS X Shorewall 4.5 rc file
-#
-BUILD=apple
-HOST=apple
-PREFIX=/usr                            #Top-level directory for shared files, libraries, etc.
-SHAREDIR=${PREFIX}/share               #Directory for arch-neutral files.
-LIBEXECDIR=${PREFIX}/share             #Directory for executable scripts.
-PERLLIBDIR=${PREFIX}/share/shorewall   #Directory to install Shorewall Perl module directory
-CONFDIR=/etc                           #Directory where subsystem configurations are installed
-SBINDIR=/sbin                          #Directory where system administration programs are installed
-MANDIR=${SHAREDIR}/man                 #Directory where manpages are installed.
-INITDIR=                               #Unused on OS X
-INITFILE=                              #Unused on OS X
-INITSOURCE=                            #Unused on OS X
-ANNOTATED=                             #Unused on OS X
-SYSTEMD=                               #Unused on OS X
-SYSCONFDIR=                            #Unused on OS X
-SPARSE=Yes                             #Only install $PRODUCT/$PRODUCT.conf in $CONFDIR.
-VARLIB=/var/lib                        #Unused on OS X
--- a/Shorewall-core/shorewallrc.archlinux
+++ b/Shorewall-core/shorewallrc.archlinux
@@ -1,21 +0,0 @@
-#
-# Arch Linux Shorewall 4.5 rc file
-#
-BUILD=                                 #Default is to detect the build system
-HOST=archlinux
-PREFIX=/usr                            #Top-level directory for shared files, libraries, etc.
-SHAREDIR=${PREFIX}/share               #Directory for arch-neutral files.
-LIBEXECDIR=${PREFIX}/share             #Directory for executable scripts.
-PERLLIBDIR=${PREFIX}/share/shorewall   #Directory to install Shorewall Perl module directory
-CONFDIR=/etc                           #Directory where subsystem configurations are installed
-SBINDIR=/usr/sbin                      #Directory where system administration programs are installed
-MANDIR=${SHAREDIR}/man                 #Directory where manpages are installed.
-INITDIR=                               #Directory where SysV init scripts are installed.
-INITFILE=                              #Name of the product's installed SysV init script
-INITSOURCE=                            #Name of the distributed file to be installed as the SysV init script
-ANNOTATED=                             #If non-zero, annotated configuration files are installed
-SYSCONFDIR=                            #Directory where SysV init parameter files are installed
-SYSTEMD=/usr/lib/systemd/system        #Directory where .service files are installed (systems running systemd only)
-SPARSE=                                #If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR
-VARLIB=/var/lib                        #Directory where product variable data is stored.
-VARDIR=${VARLIB}/$PRODUCT              #Directory where product variable data is stored.
--- a/Shorewall-core/shorewallrc.cygwin
+++ b/Shorewall-core/shorewallrc.cygwin
@@ -1,20 +0,0 @@
-#
-# Cygwin Shorewall 4.5 rc file
-#
-BUILD=cygwin
-HOST=cygwin
-PREFIX=/usr                           #Top-level directory for shared files, libraries, etc.
-SHAREDIR=${PREFIX}/share              #Directory for arch-neutral files.
-LIBEXECDIR=${PREFIX}/share            #Directory for executable scripts.
-PERLLIBDIR=${PREFIX}/share/shorewall  #Directory to install Shorewall Perl module directory
-CONFDIR=/etc                          #Directory where subsystem configurations are installed
-SBINDIR=/bin                          #Directory where system administration programs are installed
-MANDIR=${SHAREDIR}/man                #Directory where manpages are installed.
-INITDIR=/etc/init.d                   #Unused on Cygwin
-INITFILE=                             #Unused on Cygwin
-INITSOURCE=                           #Unused on Cygwin
-ANNOTATED=                            #Unused on Cygwin
-SYSTEMD=                              #Unused on Cygwin
-SYSCONFDIR=                           #Unused on Cygwin
-SPARSE=Yes                            #Only install $PRODUCT/$PRODUCT.conf in $CONFDIR.
-VARLIB=/var/lib                       #Unused on Cygwin
--- a/Shorewall-core/shorewallrc.debian
+++ b/Shorewall-core/shorewallrc.debian
@@ -1,22 +0,0 @@
-#
-# Debian Shorewall 4.5 rc file
-#
-BUILD=                                  #Default is to detect the build system
-HOST=debian
-PREFIX=/usr                             #Top-level directory for shared files, libraries, etc.
-SHAREDIR=${PREFIX}/share                #Directory for arch-neutral files.
-LIBEXECDIR=${PREFIX}/share              #Directory for executable scripts.
-PERLLIBDIR=${PREFIX}/share/shorewall    #Directory to install Shorewall Perl module directory
-CONFDIR=/etc                            #Directory where subsystem configurations are installed
-SBINDIR=/sbin                           #Directory where system administration programs are installed
-MANDIR=${PREFIX}/share/man              #Directory where manpages are installed.
-INITDIR=/etc/init.d                     #Directory where SysV init scripts are installed.
-INITFILE=$PRODUCT                       #Name of the product's installed SysV init script
-INITSOURCE=init.debian.sh               #Name of the distributed file to be installed as the SysV init script
-ANNOTATED=                              #If non-zero, annotated configuration files are installed
-SYSCONFFILE=default.debian              #Name of the distributed file to be installed in $SYSCONFDIR
-SYSCONFDIR=/etc/default                 #Directory where SysV init parameter files are installed
-SYSTEMD=                                #Directory where .service files are installed (systems running systemd only)
-SPARSE=Yes                              #If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR
-VARLIB=/var/lib                         #Directory where product variable data is stored.
-VARDIR=${VARLIB}/$PRODUCT               #Directory where product variable data is stored.
--- a/Shorewall-core/shorewallrc.default
+++ b/Shorewall-core/shorewallrc.default
@@ -1,22 +0,0 @@
-#
-# Default Shorewall 4.5 rc file
-#
-HOST=linux                              #Generic Linux
-BUILD=                                  #Default is to detect the build system
-PREFIX=/usr                             #Top-level directory for shared files, libraries, etc.
-SHAREDIR=${PREFIX}/share                #Directory for arch-neutral files.
-LIBEXECDIR=${PREFIX}/share              #Directory for executable scripts.
-PERLLIBDIR=${PREFIX}/share/shorewall    #Directory to install Shorewall Perl module directory
-CONFDIR=/etc                            #Directory where subsystem configurations are installed
-SBINDIR=/sbin                           #Directory where system administration programs are installed
-MANDIR=${PREFIX}/man                    #Directory where manpages are installed.
-INITDIR=/etc/init.d                     #Directory where SysV init scripts are installed.
-INITFILE=$PRODUCT                       #Name of the product's installed SysV init script
-INITSOURCE=init.sh                      #Name of the distributed file to be installed as the SysV init script
-ANNOTATED=                              #If non-zero, annotated configuration files are installed
-SYSTEMD=                                #Directory where .service files are installed (systems running systemd only)
-SYSCONFFILE=                            #Name of the distributed file to be installed in $SYSCONFDIR
-SYSCONFDIR=                             #Directory where SysV init parameter files are installed
-SPARSE=                                 #If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR
-VARLIB=/var/lib                         #Directory where product variable data is stored.
-VARDIR=${VARLIB}/$PRODUCT               #Directory where product variable data is stored.
--- a/Shorewall-core/shorewallrc.redhat
+++ b/Shorewall-core/shorewallrc.redhat
@@ -1,22 +0,0 @@
-#
-# RedHat/FedoraShorewall 4.5 rc file
-#
-BUILD=                                  #Default is to detect the build system
-HOST=redhat
-PREFIX=/usr                             #Top-level directory for shared files, libraries, etc.
-SHAREDIR=${PREFIX}/share                #Directory for arch-neutral files.
-LIBEXECDIR=${PREFIX}/libexec            #Directory for executable scripts.
-PERLLIBDIR=/usr/share/perl5/vendor_perl #Directory to install Shorewall Perl module directory
-CONFDIR=/etc                            #Directory where subsystem configurations are installed
-SBINDIR=/sbin                           #Directory where system administration programs are installed
-MANDIR=${SHAREDIR}/man                  #Directory where manpages are installed.
-INITDIR=/etc/rc.d/init.d                #Directory where SysV init scripts are installed.
-INITFILE=$PRODUCT                       #Name of the product's installed SysV init script
-INITSOURCE=init.fedora.sh               #Name of the distributed file to be installed as the SysV init script
-ANNOTATED=                              #If non-zero, annotated configuration files are installed
-SYSTEMD=/lib/systemd/system             #Directory where .service files are installed (systems running systemd only)
-SYSCONFFILE=sysconfig                   #Name of the distributed file to be installed as $SYSCONFDIR/$PRODUCT
-SYSCONFDIR=/etc/sysconfig/              #Directory where SysV init parameter files are installed
-SPARSE=                                 #If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR
-VARLIB=/var/lib                         #Directory where product variable data is stored.
-VARDIR=${VARLIB}/$PRODUCT               #Directory where product variable data is stored.
--- a/Shorewall-core/shorewallrc.slackware
+++ b/Shorewall-core/shorewallrc.slackware
@@ -1,23 +0,0 @@
-#
-# Slackware Shorewall 4.5 rc file
-#
-BUILD=slackware
-HOST=slackware
-PREFIX=/usr                                #Top-level directory for shared files, libraries, etc.
-SHAREDIR=${PREFIX}/share                   #Directory for arch-neutral files.
-LIBEXECDIR=${PREFIX}/share                 #Directory for executable scripts.
-PERLLIBDIR=${PREFIX}/share/shorewall       #Directory to install Shorewall Perl module directory
-CONFDIR=/etc                               #Directory where subsystem configurations are installed
-SBINDIR=/sbin                              #Directory where system administration programs are installed
-MANDIR=${PREFIX}/man                       #Directory where manpages are installed.
-INITDIR=/etc/rc.d                          #Directory where SysV init scripts are installed.
-AUXINITSOURCE=init.slackware.firewall.sh   #Name of the distributed file to be installed as the SysV init script
-AUXINITFILE=rc.firewall                    #Name of the product's installed SysV init script
-INITSOURCE=init.slackware.$PRODUCT.sh      #Name of the distributed file to be installed as a second SysV init script
-INITFILE=rc.$PRODUCT                       #Name of the product's installed second init script
-SYSTEMD=                                   #Name of the directory where .service files are installed (systems running systemd only)
-SYSCONFFILE=                               #Name of the distributed file to be installed in $SYSCONFDIR
-SYSCONFDIR=                                #Name of the directory where SysV init parameter files are installed.
-ANNOTATED=                                 #If non-empty, install annotated configuration files
-VARLIB=/var/lib                            #Directory where product variable data is stored.
-VARDIR=${VARLIB}/$PRODUCT                  #Directory where product variable data is stored.
--- a/Shorewall-core/shorewallrc.suse
+++ b/Shorewall-core/shorewallrc.suse
@@ -1,22 +0,0 @@
-#
-# SuSE Shorewall 4.5 rc file
-#
-BUILD=                                                #Default is to detect the build system
-HOST=suse
-PREFIX=/usr                                           #Top-level directory for shared files, libraries, etc.
-CONFDIR=/etc                                          #Directory where subsystem configurations are installed
-SHAREDIR=${PREFIX}/share                              #Directory for arch-neutral files.
-LIBEXECDIR=${PREFIX}/lib                              #Directory for executable scripts.
-PERLLIBDIR=${PREFIX}/lib/perl5/vendor_perl/5.14.2     #Directory to install Shorewall Perl module directory
-SBINDIR=/sbin                                         #Directory where system administration programs are installed
-MANDIR=${SHAREDIR}/man/                               #Directory where manpages are installed.
-INITDIR=/etc/init.d                                   #Directory where SysV init scripts are installed.
-INITFILE=$PRODUCT                                     #Name of the product's SysV init script
-INITSOURCE=init.suse.sh                               #Name of the distributed file to be installed as the SysV init script
-ANNOTATED=                                            #If non-zero, annotated configuration files are installed
-SYSTEMD=                                              #Directory where .service files are installed (systems running systemd only)
-SYSCONFFILE=                                          #Name of the distributed file to be installed in $SYSCONFDIR
-SYSCONFDIR=/etc/sysconfig/                            #Directory where SysV init parameter files are installed
-SPARSE=                                               #If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR
-VARLIB=/var/lib                                       #Directory where persistent product data is stored.
-VARDIR=${VARLIB}/$PRODUCT                             #Directory where product variable data is stored.
--- a/Shorewall-core/uninstall.sh
+++ b/Shorewall-core/uninstall.sh
@@ -31,7 +31,7 @@ VERSION=xxx #The Build script inserts the actual version
 usage() # $1 = exit status
 {
    ME=$(basename $0)
-    echo "usage: $ME [ <shorewallrc file> ]"
+    echo "usage: $ME"
    exit $1
 }

@@ -60,37 +60,8 @@ remove_file() # $1 = file to restore
    fi
 }

-#
-# Read the RC file
-#
-if [ $# -eq 0 ]; then
-    if [ -f ./shorewallrc ]; then
-	. ./shorewallrc
-    elif [ -f ~/.shorewallrc ]; then
-	. ~/.shorewallrc || exit 1
-	file=./.shorewallrc
-    elif [ -f /usr/share/shorewall/shorewallrc ]; then
-	. /usr/share/shorewall/shorewallrc
-    else
-	fatal_error "No configuration file specified and /usr/share/shorewall/shorewallrc not found"
-    fi
-elif [ $# -eq 1 ]; then
-    file=$1
-    case $file in
-	/*|.*)
-	    ;;
-	*)
-	    file=./$file
-	    ;;
-    esac
-
-    . $file
-else
-    usage 1
-fi
-
-if [ -f ${SHAREDIR}/shorewall/coreversion ]; then
-    INSTALLED_VERSION="$(cat ${SHAREDIR}/shorewall/coreversion)"
+if [ -f /usr/share/shorewall/coreversion ]; then
+    INSTALLED_VERSION="$(cat /usr/share/shorewall/coreversion)"
    if [ "$INSTALLED_VERSION" != "$VERSION" ]; then
 	echo "WARNING: Shorewall Core Version $INSTALLED_VERSION is installed"
 	echo "         and this is the $VERSION uninstaller."
@@ -101,9 +72,12 @@ else
    VERSION=""
 fi

+[ -n "${LIBEXEC:=/usr/share}" ]
+[ -n "${PERLLIB:=/usr/share/shorewall}" ]
+
 echo "Uninstalling Shorewall Core $VERSION"

-rm -rf ${SHAREDIR}/shorewall
+rm -rf /usr/share/shorewall

 echo "Shorewall Core Uninstalled"

--- a/Shorewall-init/ifupdown.sh
+++ b/Shorewall-init/ifupdown.sh
@@ -22,21 +22,6 @@
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #

-setstatedir() {
-    local statedir
-    if [ -f ${CONFDIR}/${PRODUCT}/vardir ]; then
-	statedir=$( . /${CONFDIR}/${PRODUCT}/vardir && echo $VARDIR )
-    fi
-
-    [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARDIR}/${PRODUCT}
-
-    if [ ! -x $STATEDIR/firewall ]; then
-	if [ $PRODUCT = shorewall -o $PRODUCT = shorewall6 ]; then
-	    ${SBINDIR}/$PRODUCT compile
-	fi
-    fi
-}
-
 Debian_SuSE_ppp() {
    NEWPRODUCTS=
    INTERFACE="$1"
@@ -86,11 +71,6 @@ Debian_SuSE_ppp() {
 IFUPDOWN=0
 PRODUCTS=

-#
-# The installer may alter this
-#
-. /usr/share/shorewall/shorewallrc
-
 if [ -f /etc/default/shorewall-init ]; then
    . /etc/default/shorewall-init
 elif [ -f /etc/sysconfig/shorewall-init ]; then
@@ -121,11 +101,15 @@ if [ -f /etc/debian_version ]; then
 	    else
 		exit 0
 	    fi
+
+	    case "$PHASE" in
+		pre-*)
+		    exit 0
+		    ;;
+	    esac
 	    ;;
    esac
 elif [ -f /etc/SuSE-release ]; then
-    PHASE=''
-
    case $0 in
 	/etc/ppp*)
 	    #
@@ -157,8 +141,6 @@ else
    #
    # Assume RedHat/Fedora/CentOS/Foobar/...
    #
-    PHASE=''
-
    case $0 in
 	/etc/ppp*)
 	    INTERFACE="$1"
@@ -199,13 +181,15 @@ else
    esac
 fi

-[ -n "$LOGFILE" ] || LOGFILE=/dev/null
-
 for PRODUCT in $PRODUCTS; do
-    setstatedir
-
-    if [ -x $VARLIB/$PRODUCT/firewall ]; then
-	  ( ${VARLIB}/$PRODUCT/firewall -V0 $COMMAND $INTERFACE >> $LOGFILE 2>&1 ) || true
+    VARDIR=/var/lib/$PRODUCT
+    [ -f /etc/$PRODUCT/vardir ] && . /etc/$PRODUCT/vardir
+    if [ -x $VARDIR/firewall ]; then
+	  ( . /usr/share/$PRODUCT/lib.base
+	    mutex_on
+	    ${VARDIR}/firewall -V0 $COMMAND $INTERFACE || echo_notdone
+	    mutex_off
+	  )
    fi
 done

--- a/Shorewall-init/init.debian.sh
+++ b/Shorewall-init/init.debian.sh
@@ -1,10 +1,10 @@
 #!/bin/sh
 #
-#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V4.5
+#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V4.4
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2010,2012 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2010 - Tom Eastep (teastep@shorewall.net)
 #
 #       On most distributions, this file should be called /etc/init.d/shorewall.
 #
@@ -62,33 +62,10 @@ not_configured () {
 	exit 0
 }

-# set the STATEDIR variable
-setstatedir() {
-    local statedir
-    if [ -f ${CONFDIR}/${PRODUCT}/vardir ]; then
-	statedir=$( . /${CONFDIR}/${PRODUCT}/vardir && echo $VARDIR )
-    fi
-
-    [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARDIR}/${PRODUCT}
-
-    if [ ! -x $STATEDIR/firewall ]; then
-	if [ $PRODUCT = shorewall -o $PRODUCT = shorewall6 ]; then
-	    ${SBINDIR}/$PRODUCT compile
-	fi
-    fi
-}
-
-#
-# The installer may alter this
-#
-. /usr/share/shorewall/shorewallrc
-
-vardir=$VARDIR
-
 # check if shorewall-init is configured or not
-if [ -f "$SYSCONFDIR/shorewall-init" ]
+if [ -f "/etc/default/shorewall-init" ]
 then
-	. $SYSCONFDIR/shorewall-init
+	. /etc/default/shorewall-init
 	if [ -z "$PRODUCTS" ]
 	then
 		not_configured
@@ -99,27 +76,27 @@ fi

 # Initialize the firewall
 shorewall_start () {
-  local PRODUCT
-  local STATEDIR
+  local product
+  local VARDIR

  echo -n "Initializing \"Shorewall-based firewalls\": "
-  for PRODUCT in $PRODUCTS; do
-      setstatedir
-
-      if [ ! -x ${VARDIR}/$PRODUCT/firewall ]; then
-	  if [ $PRODUCT = shorewall -o $PRODUCT = shorewall6 ]; then
-	      ${SBINDIR}/$PRODUCT compile
-	  fi
-      fi
-
-      if [ -x ${VARDIR}/$PRODUCT/firewall ]; then
+  for product in $PRODUCTS; do
+      VARDIR=/var/lib/$product
+      [ -f /etc/$product/vardir ] && . /etc/$product/vardir
+      if [ -x ${VARDIR}/firewall ]; then
 	  #
 	  # Run in a sub-shell to avoid name collisions
 	  #
 	  ( 
-	      if ! ${VARDIR}/$PRODUCT/firewall status > /dev/null 2>&1; then
-		  ${VARDIR}/$PRODUCT/firewall stop || echo_notdone
+	      . /usr/share/$product/lib.base
+	      #
+	      # Get mutex so the firewall state is stable
+	      #
+	      mutex_on
+	      if ! ${VARDIR}/firewall status > /dev/null 2>&1; then
+		  ${VARDIR}/firewall stop || echo_notdone
 	      fi
+	      mutex_off
 	  )
      fi
  done
@@ -131,21 +108,19 @@ shorewall_start () {

 # Clear the firewall
 shorewall_stop () {
-  local PRODUCT
+  local product
  local VARDIR

  echo -n "Clearing \"Shorewall-based firewalls\": "
-  for PRODUCT in $PRODUCTS; do
-      setstatedir
-
-      if [ ! -x ${VARDIR}/$PRODUCT/firewall ]; then
-	  if [ $PRODUCT = shorewall -o $PRODUCT = shorewall6 ]; then
-	      ${SBINDIR}/$PRODUCT compile
-	  fi
-      fi
-
-      if [ -x ${VARDIR}/$PRODUCT/firewall ]; then
-	  ${VARDIR}/$PRODUCT/firewall clear || echo_notdone
+  for product in $PRODUCTS; do
+      VARDIR=/var/lib/$product
+      [ -f /etc/$product/vardir ] && . /etc/$product/vardir
+      if [ -x ${VARDIR}/firewall ]; then
+	  ( . /usr/share/$product/lib.base
+	    mutex_on
+	    ${VARDIR}/firewall clear || echo_notdone
+	    mutex_off
+	  )
      fi
  done

--- a/Shorewall-init/init.fedora.sh
+++ b/Shorewall-init/init.fedora.sh
@@ -13,10 +13,6 @@
 # Description:       Place the firewall in a safe state at boot time
 #                    prior to bringing up the network.  
 ### END INIT INFO
-#determine where the files were installed
-
-. /usr/share/shorewall/shorewallrc
-
 prog="shorewall-init"
 logger="logger -i -t $prog"
 lockfile="/var/lock/subsys/shorewall-init"
@@ -24,8 +20,6 @@ lockfile="/var/lock/subsys/shorewall-init"
 # Source function library.
 . /etc/rc.d/init.d/functions

-vardir=$VARDIR
-
 # Get startup options (override default)
 OPTIONS=

@@ -37,25 +31,9 @@ else
    exit 6
 fi

-# set the STATEDIR variable
-setstatedir() {
-    local statedir
-    if [ -f ${CONFDIR}/${PRODUCT}/vardir ]; then
-	statedir=$( . /${CONFDIR}/${PRODUCT}/vardir && echo $VARDIR )
-    fi
-
-    [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARDIR}/${PRODUCT}
-
-    if [ ! -x $STATEDIR/firewall ]; then
-	if [ $PRODUCT = shorewall -o $PRODUCT = shorewall6 ]; then
-	    ${SBINDIR}/$PRODUCT compile
-	fi
-    fi
-}
-
 # Initialize the firewall
 start () {
-    local PRODUCT
+    local product
    local vardir

    if [ -z "$PRODUCTS" ]; then
@@ -65,19 +43,13 @@ start () {
    fi

    echo -n "Initializing \"Shorewall-based firewalls\": "
-    for PRODUCT in $PRODUCTS; do
-	setstatedir
-
-	if [ ! -x ${VARDIR}/firewall ]; then
-	    if [ $PRODUCT = shorewall -o $PRODUCT = shorewall6 ]; then
-		${SBINDIR}/$PRODUCT compile
-	    fi
-	fi
-
-	if [ -x ${VARDIR}/$PRODUCT/firewall ]; then
-	    ${VARDIR}/$PRODUCT/firewall stop 2>&1 | $logger
+    for product in $PRODUCTS; do
+	vardir=/var/lib/$product
+	[ -f /etc/$product/vardir ] && . /etc/$product/vardir 
+	if [ -x ${vardir}/firewall ]; then
+	    ${vardir}/firewall stop 2>&1 | $logger
 	    retval=${PIPESTATUS[0]}
-	    [ $retval -ne 0 ] && break
+	    [ retval -ne 0 ] && break
 	fi
    done

@@ -93,23 +65,17 @@ start () {

 # Clear the firewall
 stop () {
-    local PRODUCT
+    local product
    local vardir

    echo -n "Clearing \"Shorewall-based firewalls\": "
-    for PRODUCT in $PRODUCTS; do
-	setstatedir
-
-	if [ ! -x ${VARDIR}/firewall ]; then
-	    if [ $PRODUCT = shorewall -o $PRODUCT = shorewall6 ]; then
-		${SBINDIR}/$PRODUCT compile
-	    fi
-	fi
-
-	if [ -x ${VARDIR}/$PRODUCT/firewall ]; then
-	    ${VARDIR}/$PRODUCT/firewall clear 2>&1 | $logger
+    for product in $PRODUCTS; do
+	vardir=/var/lib/$product
+	[ -f /etc/$product/vardir ] && . /etc/$product/vardir 
+	if [ -x ${vardir}/firewall ]; then
+	    ${vardir}/firewall clear 2>&1 | $logger
 	    retval=${PIPESTATUS[0]}
-	    [ $retval -ne 0 ] && break
+	    [ retval -ne 0 ] && break
 	fi
    done

@@ -136,15 +102,19 @@ case "$1" in
 	status_q || exit 0
 	$1
 	;;
-    restart|reload|force-reload|condrestart|try-restart)
+    restart|reload|force-reload)
 	echo "Not implemented"
 	exit 3
 	;;
+    condrestart|try-restart)
+	echo "Not implemented"
+	exit 3
+        ;;
    status)
 	status $prog
 	;;
  *)
-	echo "Usage: /etc/init.d/shorewall-init {start|stop|status}"
+	echo "Usage: /etc/init.d/shorewall-init {start|stop}"
 	exit 1
 esac

--- a/Shorewall-init/init.sh
+++ b/Shorewall-init/init.sh
@@ -1,9 +1,9 @@
 #! /bin/bash
-#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V4.5
+#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V4.4
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2010,2012 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2010 - Tom Eastep (teastep@shorewall.net)
 #
 #       On most distributions, this file should be called /etc/init.d/shorewall.
 #
@@ -53,39 +53,18 @@ else
 	exit 0
 fi

-#
-# The installer may alter this
-#
-. /usr/share/shorewall/shorewallrc
-
-# Locate the current PRODUCT's statedir
-setstatedir() {
-    local statedir
-    if [ -f ${CONFDIR}/${PRODUCT}/vardir ]; then
-	statedir=$( . /${CONFDIR}/${PRODUCT}/vardir && echo $VARDIR )
-    fi
-
-    [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARDIR}/${PRODUCT}
-
-    if [ ! -x $STATEDIR/firewall ]; then
-	if [ $PRODUCT = shorewall -o $PRODUCT = shorewall6 ]; then
-	    ${SBINDIR}/$PRODUCT compile $STATEDIR/firewall
-	fi
-    fi
-}
-
 # Initialize the firewall
 shorewall_start () {
  local PRODUCT
-  local STATEDIR
+  local VARDIR

  echo -n "Initializing \"Shorewall-based firewalls\": "
  for PRODUCT in $PRODUCTS; do
-      setstatedir
-
-      if [ -x ${STATEDIR}/firewall ]; then
-	  if ! ${SBIN}/$PRODUCT status > /dev/null 2>&1; then
-	      ${STATEDIR}/firewall stop || echo_notdone
+      VARDIR=/var/lib/$PRODUCT
+      [ -f /etc/$PRODUCT/vardir ] && . /etc/$PRODUCT/vardir 
+      if [ -x ${VARDIR}/firewall ]; then
+	  if ! /sbin/$PRODUCT status > /dev/null 2>&1; then
+	      ${VARDIR}/firewall stop || echo_notdone
 	  fi
      fi
  done
@@ -104,14 +83,8 @@ shorewall_stop () {

  echo -n "Clearing \"Shorewall-based firewalls\": "
  for PRODUCT in $PRODUCTS; do
-      setstatedir
-
-      if [ ! -x ${VARDIR}/firewall ]; then
-	  if [ $PRODUCT = shorewall -o $product = shorewall6 ]; then
-	      ${SBINDIR}/$PRODUCT compile
-	  fi
-      fi
-
+      VARDIR=/var/lib/$PRODUCT
+      [ -f /etc/$PRODUCT/vardir ] && . /etc/$PRODUCT/vardir 
      if [ -x ${VARDIR}/firewall ]; then
 	  ${VARDIR}/firewall clear || exit 1
      fi
--- a/Shorewall-init/init.suse.sh
+++ b/Shorewall-init/init.suse.sh
@@ -1,135 +0,0 @@
-#! /bin/bash
-#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V4.5
-#
-#     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
-#
-#     (c) 2010,2012 - Tom Eastep (teastep@shorewall.net)
-#
-#       On most distributions, this file should be called /etc/init.d/shorewall.
-#
-#       Complete documentation is available at http://shorewall.net
-#
-#       This program is free software; you can redistribute it and/or modify
-#       it under the terms of Version 2 of the GNU General Public License
-#       as published by the Free Software Foundation.
-#
-#       This program is distributed in the hope that it will be useful,
-#       but WITHOUT ANY WARRANTY; without even the implied warranty of
-#       MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-#       GNU General Public License for more details.
-#
-#       You should have received a copy of the GNU General Public License
-#       along with this program; if not, write to the Free Software
-#       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-#
-#
-### BEGIN INIT INFO
-# Provides: shorewall-init
-# Required-Start: $local_fs
-# Required-Stop:  $local_fs
-# Default-Start:  2 3 5
-# Default-Stop:   0 1 6
-# Short-Description: Initialize the firewall at boot time
-# Description:       Place the firewall in a safe state at boot time
-#                    prior to bringing up the network.  
-### END INIT INFO
-
-if [ "$(id -u)" != "0" ]
-then
-  echo "You must be root to start, stop or restart \"Shorewall \"."
-  exit 1
-fi
-
-# check if shorewall-init is configured or not
-if [ -f "/etc/sysconfig/shorewall-init" ]
-then
-	. /etc/sysconfig/shorewall-init
-	if [ -z "$PRODUCTS" ]
-	then
-		exit 0
-	fi
-else
-	exit 0
-fi
-
-#
-# The installer may alter this
-#
-. /usr/share/shorewall/shorewallrc
-
-# set the STATEDIR variable
-setstatedir() {
-    local statedir
-    if [ -f ${CONFDIR}/${PRODUCT}/vardir ]; then
-	statedir=$( . /${CONFDIR}/${PRODUCT}/vardir && echo $VARDIR )
-    fi
-
-    [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARDIR}/${PRODUCT}
-
-    if [ ! -x $STATEDIR/firewall ]; then
-	if [ $PRODUCT = shorewall -o $PRODUCT = shorewall6 ]; then
-	    ${SBINDIR}/$PRODUCT compile
-	fi
-    fi
-}
-
-# Initialize the firewall
-shorewall_start () {
-  local PRODUCT
-  local STATEDIR
-
-  echo -n "Initializing \"Shorewall-based firewalls\": "
-  for PRODUCT in $PRODUCTS; do
-      setstatedir
-
-      if [ -x $STATEDIR/firewall ]; then
-	  if ! ${SBIN}/$PRODUCT status > /dev/null 2>&1; then
-	      $STATEDIR/$PRODUCT/firewall stop || echo_notdone
-	  fi
-      fi
-  done
-
-  if [ -n "$SAVE_IPSETS" -a -f "$SAVE_IPSETS" ]; then
-      ipset -R < "$SAVE_IPSETS"
-  fi
-
-  return 0
-}
-
-# Clear the firewall
-shorewall_stop () {
-  local PRODUCT
-  local STATEDIR
-
-  echo -n "Clearing \"Shorewall-based firewalls\": "
-  for PRODUCT in $PRODUCTS; do
-      setstatedir
-
-      if [ -x ${STATEDIR}/firewall ]; then
-	  ${STATEDIR}/firewall clear || exit 1
-      fi
-  done
-
-  if [ -n "$SAVE_IPSETS" ]; then
-      mkdir -p $(dirname "$SAVE_IPSETS")
-      if ipset -S > "${SAVE_IPSETS}.tmp"; then
-	  grep -qE -- '^(-N|create )' "${SAVE_IPSETS}.tmp" && mv -f "${SAVE_IPSETS}.tmp" "$SAVE_IPSETS"
-      fi
-  fi
-
-  return 0
-}
-
-case "$1" in
-  start)
-     shorewall_start
-     ;;
-  stop)
-     shorewall_stop
-     ;;
-  *)
-     echo "Usage: /etc/init.d/shorewall-init {start|stop}"
-     exit 1
-esac
-
-exit 0
--- a/Shorewall-init/install.sh
+++ b/Shorewall-init/install.sh
@@ -28,18 +28,12 @@ VERSION=xxx #The Build script inserts the actual version.
 usage() # $1 = exit status
 {
    ME=$(basename $0)
-    echo "usage: $ME [ <configuration-file> ]"
+    echo "usage: $ME"
    echo "       $ME -v"
    echo "       $ME -h"
    exit $1
 }

-fatal_error() 
-{
-    echo "   ERROR: $@" >&2
-    exit 1
-}
-
 split() {
    local ifs
    ifs=$IFS
@@ -82,9 +76,9 @@ cant_autostart()
    echo  "WARNING: Unable to configure shorewall init to start automatically at boot" >&2
 }

-require() 
+delete_file() # $1 = file to delete
 {
-    eval [ -n "\$$1" ] || fatal_error "Required option $1 not set"
+    rm -f $1
 }

 install_file() # $1 = source $2 = target $3 = mode
@@ -92,248 +86,180 @@ install_file() # $1 = source $2 = target $3 = mode
    run_install $T $OWNERSHIP -m $3 $1 ${2}
 }

-cd "$(dirname $0)"
-
-PRODUCT=shorewall-init
+[ -n "$DESTDIR" ] || DESTDIR="$PREFIX"

+# DEST is the SysVInit script directory
+# INIT is the name of the script in the $DEST directory
+# ARGS is "yes" if we've already parsed an argument
 #
-# Parse the run line
-#
-finished=0
+ARGS=""

-while [ $finished -eq 0 ] ; do
+if [ -z "$DEST" ] ; then
+	DEST="/etc/init.d"
+fi
+
+if [ -z "$INIT" ] ; then
+	INIT="shorewall-init"
+fi
+
+while [ $# -gt 0 ] ; do
    case "$1" in
-	-*)
-	    option=${option#-}
-
-	    while [ -n "$option" ]; do
-		case $option in
-		    h)
-			usage 0
-			;;
-		    v)
-			echo "Shorewall-init Firewall Installer Version $VERSION"
-			exit 0
-			;;
-		    *)
-			usage 1
-			;;
-		esac
-	    done
-
-	    shift
+	-h|help|?)
+	    usage 0
+	    ;;
+        -v)
+	    echo "Shorewall Init Installer Version $VERSION"
+	    exit 0
 	    ;;
 	*)
-	    finished=1
+	    usage 1
 	    ;;
    esac
-done
-
-#
-# Read the RC file
-#
-if [ $# -eq 0 ]; then
-    #
-    # Load packager's settings if any
-    #
-    if [ -f ./shorewallrc ]; then
-	. ./shorewallrc || exit 1
-	file=~/.shorewallrc
-    elif [ -f ~/.shorewallrc ]; then
-	. ~/.shorewallrc || exit 1
-	file=./.shorewallrc
-     else
-	fatal_error "No configuration file specified and ~/.shorewallrc not found"
-    fi
-elif [ $# -eq 1 ]; then
-    file=$1
-    case $file in
-	/*|.*)
-	    ;;
-	*)
-	    file=./$file
-	    ;;
-    esac
-
-    . $file
-else
-    usage 1
-fi
-
-if [ -z "${VARLIB}" ]; then
-    VARLIB=${VARDIR}
-    VARDIR=${VARLIB}/${PRODUCT}
-elif [ -z "${VARDIR}" ]; then
-    VARDIR=${VARLIB}/${PRODUCT}
-fi
-
-for var in SHAREDIR LIBEXECDIR CONFDIR SBINDIR VARLIB VARDIR; do
-    require $var
+    shift
+    ARGS="yes"
 done

 PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin

-if [ -z "$BUILD" ]; then
-    case $(uname) in
-	cygwin*)
-	    BUILD=cygwin
-	    ;;
-	Darwin)
-	    BUILD=apple
-	    ;;
-	*)
-	    if [ -f /etc/debian_version ]; then
-		BUILD=debian
-	    elif [ -f /etc/redhat-release ]; then
-		BUILD=redhat
-	    elif [ -f /etc/SuSE-release ]; then
-		BUILD=suse
-	    elif [ -f /etc/slackware-version ] ; then
-		BUILD=slackware
-	    elif [ -f /etc/arch-release ] ; then
-		BUILD=archlinux
-	    else
-		BUILD=linux
-	    fi
-	    ;;
-    esac
-fi
+[ -n "${LIBEXEC:=/usr/share}" ]

-[ -n "$OWNER" ] || OWNER=$(id -un)
-[ -n "$GROUP" ] || GROUP=$(id -gn)
-
-case $BUILD in
-    apple)
-	T=
-	;;
-    debian|redhat|suse|slackware|archlinux)
+case "$LIBEXEC" in
+    /*)
 	;;
    *)
-	[ -n "$BUILD" ] && echo "ERROR: Unknown BUILD environment ($BUILD)" >&2 || echo "ERROR: Unknown BUILD environment"
-	exit 1
+	LIBEXEC=/usr/${LIBEXEC}
+	;;
+esac
+
+#
+# Determine where to install the firewall script
+#
+
+case $(uname) in
+    Darwin)
+	[ -z "$OWNER" ] && OWNER=root
+	[ -z "$GROUP" ] && GROUP=wheel
+	T=
+	;;	
+    *)
+	[ -z "$OWNER" ] && OWNER=root
+	[ -z "$GROUP" ] && GROUP=root
 	;;
 esac

 OWNERSHIP="-o $OWNER -g $GROUP"

-[ -n "$HOST" ] || HOST=$BUILD
-
-case "$HOST" in
-    debian)
-	echo "Installing Debian-specific configuration..."
-	;;
-    redhat|redhat)
-	echo "Installing Redhat/Fedora-specific configuration..."
-	;;
-    slackware)
-	echo "Shorewall-init is currently not supported on Slackware" >&2
-	exit 1
-	;;
-    archlinux)
-	echo "Shorewall-init is currently not supported on Arch Linux" >&2
-	exit 1
-	;;
-    suse|suse)
-	echo "Installing SuSE-specific configuration..."
-	;;
-    linux)
-	echo "ERROR: Shorewall-init is not supported on this system" >&2
-	;;
-    *)
-	echo "ERROR: Unsupported HOST distribution: \"$HOST\"" >&2
-	exit 1;
-	;;
-esac
-
-[ -z "$TARGET" ] && TARGET=$HOST
-
 if [ -n "$DESTDIR" ]; then
    if [ `id -u` != 0 ] ; then
 	echo "Not setting file owner/group permissions, not running as root."
 	OWNERSHIP=""
    fi
    
-    install -d $OWNERSHIP -m 755 ${DESTDIR}${INITDIR}
+    install -d $OWNERSHIP -m 755 ${DESTDIR}${DEST}
+elif [ -f /etc/debian_version ]; then
+    DEBIAN=yes
+elif [ -f /etc/SuSE-release ]; then
+    SUSE=Yes
+elif [ -f /etc/redhat-release ]; then
+    FEDORA=Yes
+elif [ -f /etc/slackware-version ] ; then
+    echo "Shorewall-init is currently not supported on Slackware" >&2
+    exit 1
+#   DEST="/etc/rc.d"
+#   INIT="rc.firewall"
+elif [ -f /etc/arch-release ] ; then
+    echo "Shorewall-init is currently not supported on Arch Linux" >&2
+    exit 1
+#   DEST="/etc/rc.d"
+#   INIT="shorewall-init"
+#   ARCHLINUX=yes
+elif [ -d /etc/sysconfig/network-scripts/ ]; then
+    #
+    # Assume RedHat-based
+    #
+    REDHAT=Yes
+else
+    echo "Unknown distribution: Shorewall-init support is not available" >&2
+    exit 1
 fi

+if [ -z "$DESTDIR" ]; then
+    if [ -f /lib/systemd/system ]; then
+	SYSTEMD=Yes
+    fi
+elif [ -n "$SYSTEMD" ]; then
+    mkdir -p ${DESTDIR}/lib/systemd/system
+fi
+
+#
+# Change to the directory containing this script
+#
+cd "$(dirname $0)"
+
 echo "Installing Shorewall Init Version $VERSION"

 #
 # Check for /usr/share/shorewall-init/version
 #
-if [ -f ${DESTDIR}${SHAREDIR}/shorewall-init/version ]; then
+if [ -f ${DESTDIR}/usr/share/shorewall-init/version ]; then
    first_install=""
 else
    first_install="Yes"
 fi

-if [ -n "$DESTDIR" ]; then
-    mkdir -p ${DESTDIR}${CONFDIR}/logrotate.d
-    chmod 755 ${DESTDIR}${CONFDIR}/logrotate.d
-fi
-
 #
-# Install the Firewall Script
+# Install the Init Script
 #
-if [ -n "$INITFILE" ]; then
-    install_file $INITSOURCE ${DESTDIR}${INITDIR}/$INITFILE 0544
-    [ "${SHAREDIR}" = /usr/share ] || eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${INITDIR}/$INITFILE
-    
-    if [ -n "${AUXINITSOURCE}" ]; then
-	install_file $INITSOURCE ${DESTDIR}${INITDIR}/$AUXINITFILE 0544
+if [ -z "$SYSTEMD" ]; then
+    if [ -n "$DEBIAN" ]; then
+	install_file init.debian.sh ${DESTDIR}/etc/init.d/shorewall-init 0544
+    elif [ -n "$FEDORA" ]; then
+	install_file init.fedora.sh ${DESTDIR}/etc/init.d/shorewall-init 0544
+    #elif [ -n "$ARCHLINUX" ]; then
+    #    install_file init.archlinux.sh ${DESTDIR}${DEST}/$INIT 0544
+    else
+	install_file init.sh ${DESTDIR}${DEST}/$INIT 0544
    fi

-    echo  "Shorewall-init script installed in ${DESTDIR}${INITDIR}/$INITFILE"
-fi
-
-#
-# Install the .service file
-#
-if [ -n "$SYSTEMD" ]; then
-    mkdir -p ${DESTDIR}${SYSTEMD}
-    run_install $OWNERSHIP -m 600 shorewall-init.service ${DESTDIR}${SYSTEMD}/shorewall-init.service
-    [ ${SBINDIR} != /sbin ] && eval sed -i \'s\|/sbin/\|${SBINDIR}/\|\' ${DESTDIR}${SYSTEMD}/shorewall-init.service
-    echo "Service file installed as ${DESTDIR}${SYSTEMD}/shorewall-init.service"
+    echo  "Shorewall Init script installed in ${DESTDIR}${DEST}/$INIT"
+else
+    #
+    # Install the .service file
+    #
+    run_install $OWNERSHIP -m 600 shorewall-init.service ${DESTDIR}/lib/systemd/system/shorewall-init.service
+    echo "Service file installed as ${DESTDIR}/lib/systemd/system/shorewall-init.service"
    if [ -n "$DESTDIR" ]; then
-	mkdir -p ${DESTDIR}${SBINDIR}
-        chmod 755 ${DESTDIR}${SBINDIR}
+	mkdir -p ${DESTDIR}/sbin/
+	chmod 755 ${DESTDIR}/sbin/
+	run_install $OWNERSHIP -m 600 shorewall-init ${DESTDIR}/sbin/shorewall-init
+	echo "CLI installed as ${DESTDIR}/lib/systemd/system/shorewall-init.service"
    fi
-    run_install $OWNERSHIP -m 700 shorewall-init ${DESTDIR}${SBINDIR}/shorewall-init
-    echo "CLI installed as ${DESTDIR}${SBINDIR}/shorewall-init"
 fi

 #
 # Create /usr/share/shorewall-init if needed
 #
-mkdir -p ${DESTDIR}${SHAREDIR}/shorewall-init
-chmod 755 ${DESTDIR}${SHAREDIR}/shorewall-init
-
-#
-# Install logrotate file
-#
-if [ -d ${DESTDIR}${CONFDIR}/logrotate.d ]; then
-    run_install $OWNERSHIP -m 0644 logrotate ${DESTDIR}${CONFDIR}/logrotate.d/$PRODUCT
-    echo "Logrotate file installed as ${DESTDIR}${CONFDIR}/logrotate.d/$PRODUCT"
-fi
+mkdir -p ${DESTDIR}/usr/share/shorewall-init
+chmod 755 ${DESTDIR}/usr/share/shorewall-init

 #
 # Create the version file
 #
-echo "$VERSION" > ${DESTDIR}/${SHAREDIR}/shorewall-init/version
-chmod 644 ${DESTDIR}${SHAREDIR}/shorewall-init/version
+echo "$VERSION" > ${DESTDIR}/usr/share/shorewall-init/version
+chmod 644 ${DESTDIR}/usr/share/shorewall-init/version

 #
 # Remove and create the symbolic link to the init script
 #
 if [ -z "$DESTDIR" ]; then
-    rm -f ${SHAREDIR}/shorewall-init/init
-    ln -s ${INITDIR}/${INITFILE} ${SHAREDIR}/shorewall-init/init
+    rm -f /usr/share/shorewall-init/init
+    ln -s ${DEST}/${INIT} /usr/share/shorewall-init/init
 fi

-if [ $HOST = debian ]; then
+if [ -n "$DEBIAN" ]; then
    if [ -n "${DESTDIR}" ]; then
 	mkdir -p ${DESTDIR}/etc/network/if-up.d/
-	mkdir -p ${DESTDIR}/etc/network/if-down.d/
+	mkdir -p ${DESTDIR}/etc/network/if-post-down.d/
    fi

    if [ ! -f ${DESTDIR}/etc/default/shorewall-init ]; then
@@ -345,20 +271,20 @@ if [ $HOST = debian ]; then
    fi
 else
    if [ -n "$DESTDIR" ]; then
-	mkdir -p ${DESTDIR}${SYSCONFDIR}
+	mkdir -p ${DESTDIR}/etc/sysconfig

 	if [ -z "$RPM" ]; then
-	    if [ $HOST = suse ]; then
+	    if [ -n "$SUSE" ]; then
 		mkdir -p ${DESTDIR}/etc/sysconfig/network/if-up.d
-		mkdir -p ${DESTDIR}${SYSCONFDIR}/network/if-down.d
+		mkdir -p ${DESTDIR}/etc/sysconfig/network/if-down.d
 	    else
 		mkdir -p ${DESTDIR}/etc/NetworkManager/dispatcher.d
 	    fi
 	fi
    fi

-    if [ -d ${DESTDIR}${SYSCONFDIR} -a ! -f ${DESTDIR}${SYSCONFDIR}/shorewall-init ]; then
-	install_file sysconfig ${DESTDIR}${SYSCONFDIR}/shorewall-init 0644
+    if [ -d ${DESTDIR}/etc/sysconfig -a ! -f ${DESTDIR}/etc/sysconfig/shorewall-init ]; then
+	install_file sysconfig ${DESTDIR}/etc/sysconfig/shorewall-init 0644
    fi 
 fi

@@ -366,119 +292,105 @@ fi
 # Install the ifupdown script
 #

-cp ifupdown.sh ifupdown
+mkdir -p ${DESTDIR}${LIBEXEC}/shorewall-init

-[ "${SHAREDIR}" = /usr/share ] || eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ifupdown
-
-mkdir -p ${DESTDIR}${LIBEXECDIR}/shorewall-init
-
-install_file ifupdown ${DESTDIR}${LIBEXECDIR}/shorewall-init/ifupdown 0544
+install_file ifupdown.sh ${DESTDIR}${LIBEXEC}/shorewall-init/ifupdown 0544

 if [ -d ${DESTDIR}/etc/NetworkManager ]; then
-    install_file ifupdown ${DESTDIR}/etc/NetworkManager/dispatcher.d/01-shorewall 0544
+    install_file ifupdown.sh ${DESTDIR}/etc/NetworkManager/dispatcher.d/01-shorewall 0544
 fi

-case $HOST in
-    debian)
-	install_file ifupdown ${DESTDIR}/etc/network/if-up.d/shorewall 0544
-	install_file ifupdown ${DESTDIR}/etc/network/if-down.d/shorewall 0544
-	install_file ifupdown ${DESTDIR}/etc/network/if-post-down.d/shorewall 0544
-	;;
-    suse)
-	if [ -z "$RPM" ]; then
-	    install_file ifupdown ${DESTDIR}${SYSCONFDIR}/network/if-up.d/shorewall 0544
-	    install_file ifupdown ${DESTDIR}${SYSCONFDIR}/network/if-down.d/shorewall 0544
-	fi
-	;;
-    redhat)
-	if [ -f ${DESTDIR}${SBINDIR}/ifup-local -o -f ${DESTDIR}${SBINDIR}/ifdown-local ]; then
-	    echo "WARNING: ${SBINDIR}/ifup-local and/or ${SBINDIR}/ifdown-local already exist; up/down events will not be handled"
-	elif [ -z "$DESTDIR" ]; then
-	    install_file ifupdown ${DESTDIR}${SBINDIR}/ifup-local 0544
-	    install_file ifupdown ${DESTDIR}${SBINDIR}/ifdown-local 0544
-	fi
-	;;
-esac
+if [ -n "$DEBIAN" ]; then
+    install_file ifupdown.sh ${DESTDIR}/etc/network/if-up.d/shorewall 0544
+    install_file ifupdown.sh ${DESTDIR}/etc/network/if-post-down.d/shorewall 0544
+elif [ -n "$SUSE" ]; then
+    install_file ifupdown.sh ${DESTDIR}/etc/sysconfig/network/if-up.d/shorewall 0544
+    install_file ifupdown.sh ${DESTDIR}/etc/sysconfig/network/if-down.d/shorewall 0544
+elif [ -n "$REDHAT" ]; then
+    if [ -f ${DESTDIR}/sbin/ifup-local -o -f ${DESTDIR}/sbin/ifdown-local ]; then
+	echo "WARNING: /sbin/ifup-local and/or /sbin/ifdown-local already exist; up/down events will not be handled"
+    else
+	install_file ifupdown.sh ${DESTDIR}/sbin/ifup-local 0544
+	install_file ifupdown.sh ${DESTDIR}/sbin/ifdown-local 0544
+    fi
+fi

 if [ -z "$DESTDIR" ]; then
    if [ -n "$first_install" ]; then
-	if [ $HOST = debian ]; then
+	if [ -n "$DEBIAN" ]; then
 	    
-	    update-rc.d shorewall-init enable
+	    update-rc.d shorewall-init defaults

 	    echo "Shorewall Init will start automatically at boot"
 	else
 	    if [ -n "$SYSTEMD" ]; then
-		if systemctl enable shorewall-init.service; then
+		if systemctl enable shorewall-init; then
 		    echo "Shorewall Init will start automatically at boot"
 		fi
-	    elif [ -x ${SBINDIR}/insserv -o -x /usr${SBINDIR}/insserv ]; then
-		if insserv ${INITDIR}/shorewall-init ; then
+	    elif [ -x /sbin/insserv -o -x /usr/sbin/insserv ]; then
+		if insserv /etc/init.d/shorewall-init ; then
 		    echo "Shorewall Init will start automatically at boot"
 		else
 		    cant_autostart
 		fi
-	    elif [ -x ${SBINDIR}/chkconfig -o -x /usr${SBINDIR}/chkconfig ]; then
+	    elif [ -x /sbin/chkconfig -o -x /usr/sbin/chkconfig ]; then
 		if chkconfig --add shorewall-init ; then
 		    echo "Shorewall Init will start automatically in run levels as follows:"
 		    chkconfig --list shorewall-init
 		else
 		    cant_autostart
 		fi
-	    elif [ -x ${SBINDIR}/rc-update ]; then
+	    elif [ -x /sbin/rc-update ]; then
 		if rc-update add shorewall-init default; then
 		    echo "Shorewall Init will start automatically at boot"
 		else
 		    cant_autostart
 		fi
-	    else
+	    elif [ "$INIT" != rc.firewall ]; then #Slackware starts this automatically
 		cant_autostart
 	    fi
+
 	fi
    fi
 else
    if [ -n "$first_install" ]; then
-	if [ $HOST = debian ]; then
+	if [ -n "$DEBIAN" ]; then
 	    if [ -n "${DESTDIR}" ]; then
 		mkdir -p ${DESTDIR}/etc/rcS.d
 	    fi

-	    ln -sf ../init.d/shorewall-init ${DESTDIR}${CONFDIR}/rcS.d/S38shorewall-init
+	    ln -sf ../init.d/shorewall-init ${DESTDIR}/etc/rcS.d/S38shorewall-init
 	    echo "Shorewall Init will start automatically at boot"
 	fi
    fi
 fi

-[ -z "${DESTDIR}" ] && [ ! -f ~/.shorewallrc ] && cp ${SHAREDIR}/shorewall/shorewallrc .
-
 if [ -f ${DESTDIR}/etc/ppp ]; then
-    case $HOST in
-	debian|suse)
-	    for directory in ip-up.d ip-down.d ipv6-up.d ipv6-down.d; do
-		mkdir -p ${DESTDIR}/etc/ppp/$directory #SuSE doesn't create the IPv6 directories
-		cp -fp ${DESTDIR}${LIBEXECDIR}/shorewall-init/ifupdown ${DESTDIR}${CONFDIR}/ppp/$directory/shorewall
-	    done
-	    ;;
-	redhat)
-	    #
-	    # Must use the dreaded ip_xxx.local file
-	    #
-	    for file in ip-up.local ip-down.local; do
-		FILE=${DESTDIR}/etc/ppp/$file
-		if [ -f $FILE ]; then
-		    if fgrep -q Shorewall-based $FILE ; then
-			cp -fp ${DESTDIR}${LIBEXECDIR}/shorewall-init/ifupdown $FILE
-		    else
-			echo "$FILE already exists -- ppp devices will not be handled"
-			break
-		    fi
+    if [ -n "$DEBIAN" ] -o -n "$SUSE" ]; then
+	for directory in ip-up.d ip-down.d ipv6-up.d ipv6-down.d; do
+	    mkdir -p ${DESTDIR}/etc/ppp/$directory #SuSE doesn't create the IPv6 directories
+	    cp -fp ${DESTDIR}${LIBEXEC}/shorewall-init/ifupdown ${DESTDIR}/etc/ppp/$directory/shorewall
+	done
+    elif [ -n "$REDHAT" ]; then
+	#
+	# Must use the dreaded ip_xxx.local file
+	#
+	for file in ip-up.local ip-down.local; do
+	    FILE=${DESTDIR}/etc/ppp/$file
+	    if [ -f $FILE ]; then
+		if fgrep -q Shorewall-based $FILE ; then
+		    cp -fp ${DESTDIR}${LIBEXEC}/shorewall-init/ifupdown $FILE
 		else
-		    cp -fp ${DESTDIR}${LIBEXECDIR}/shorewall-init/ifupdown $FILE
+		    echo "$FILE already exists -- ppp devices will not be handled"
+		    break
 		fi
-	    done
-	    ;;
-    esac
+	    else
+		cp -fp ${DESTDIR}${LIBEXEC}/shorewall-init/ifupdown $FILE
+	    fi
+	done
+    fi
 fi
+
 #
 #  Report Success
 #
--- a/Shorewall-init/logrotate
+++ b/Shorewall-init/logrotate
@@ -1,5 +0,0 @@
-/var/log/shorewall-ifupdown.log {
-  missingok
-  notifempty
-  create 0600 root root
-}
--- a/Shorewall-init/shorewall-init
+++ b/Shorewall-init/shorewall-init
@@ -23,14 +23,15 @@
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 #########################################################################################
-#
-# This is modified by the installer when ${SHAREDIR} <> /usr/share
-#
-. /usr/share/shorewall/shorewallrc
+if [ "$(id -u)" != "0" ]
+then
+  echo "You must be root to start, stop or restart \"Shorewall \"."
+  exit 1
+fi

 # check if shorewall-init is configured or not
-if [ -f "$SYSCONFDIR/shorewall-init" ]; then
-    . $SYSCONFDIR/shorewall-init
+if [ -f "/etc/sysconfig/shorewall-init" ]; then
+    . /etc/sysconfig/shorewall-init
    if [ -z "$PRODUCTS" ]; then
        echo "ERROR: No products configured" >&2
 	exit 1
@@ -47,6 +48,8 @@ shorewall_start () {

  echo -n "Initializing \"Shorewall-based firewalls\": "
  for PRODUCT in $PRODUCTS; do
+      VARDIR=/var/lib/$PRODUCT
+      [ -f /etc/$PRODUCT/vardir ] && . /etc/$PRODUCT/vardir 
      if [ -x ${VARDIR}/firewall ]; then
 	  if ! /sbin/$PRODUCT status > /dev/null 2>&1; then
 	      ${VARDIR}/firewall stop || exit 1
@@ -54,10 +57,6 @@ shorewall_start () {
      fi
  done

-  if [ -n "$SAVE_IPSETS" -a -f "$SAVE_IPSETS" ]; then
-      ipset -R < "$SAVE_IPSETS"
-  fi
-
  return 0
 }

@@ -75,13 +74,6 @@ shorewall_stop () {
      fi
  done

-  if [ -n "$SAVE_IPSETS" ]; then
-      mkdir -p $(dirname "$SAVE_IPSETS")
-      if ipset -S > "${SAVE_IPSETS}.tmp"; then
-	  grep -qE -- '^(-N|create )' "${SAVE_IPSETS}.tmp" && mv -f "${SAVE_IPSETS}.tmp" "$SAVE_IPSETS"
-      fi
-  fi
-
  return 0
 }

--- a/Shorewall-init/shorewall-init.service
+++ b/Shorewall-init/shorewall-init.service
@@ -13,8 +13,8 @@ Type=oneshot
 RemainAfterExit=yes
 EnvironmentFile=-/etc/sysconfig/shorewall-init
 StandardOutput=syslog
-ExecStart=/shorewall-init $OPTIONS start
-ExecStop=/shorewall-init $OPTIONS stop
+ExecStart=/sbin/shorewall-init $OPTIONS start
+ExecStop=/sbin/shorewall-init $OPTIONS stop

 [Install]
 WantedBy=multi-user.target
--- a/Shorewall-init/sysconfig
+++ b/Shorewall-init/sysconfig
@@ -16,8 +16,3 @@ IFUPDOWN=0
 # during 'start' and will save them there during 'stop'.
 #
 SAVE_IPSETS=""
-#
-# Where Up/Down events get logged
-#
-LOGFILE=/var/log/shorewall-ifupdown.log
-
--- a/Shorewall-init/uninstall.sh
+++ b/Shorewall-init/uninstall.sh
@@ -31,7 +31,7 @@ VERSION=xxx  #The Build script inserts the actual version
 usage() # $1 = exit status
 {
    ME=$(basename $0)
-    echo "usage: $ME [ <shorewallrc file> ]"
+    echo "usage: $ME"
    exit $1
 }

@@ -40,27 +40,6 @@ qt()
    "$@" >/dev/null 2>&1
 }

-split() {
-    local ifs
-    ifs=$IFS
-    IFS=:
-    set -- $1
-    echo $*
-    IFS=$ifs
-}
-
-mywhich() {
-    local dir
-
-    for dir in $(split $PATH); do
-	if [ -x $dir/$1 ]; then
-	    return 0
-	fi
-    done
-
-    return 2
-}
-
 remove_file() # $1 = file to restore
 {
    if [ -f $1 -o -L $1 ] ; then
@@ -69,37 +48,8 @@ remove_file() # $1 = file to restore
    fi
 }

-#
-# Read the RC file
-#
-if [ $# -eq 0 ]; then
-    if [ -f ./shorewallrc ]; then
-	. ./shorewallrc
-    elif [ -f ~/.shorewallrc ]; then
-	. ~/.shorewallrc || exit 1
-	file=./.shorewallrc
-    elif [ -f /usr/share/shorewall/shorewallrc ]; then
-	. /usr/share/shorewall/shorewallrc
-    else
-	fatal_error "No configuration file specified and /usr/share/shorewall/shorewallrc not found"
-    fi
-elif [ $# -eq 1 ]; then
-    file=$1
-    case $file in
-	/*|.*)
-	    ;;
-	*)
-	    file=./$file
-	    ;;
-    esac
-
-    . $file || exit 1
-else
-    usage 1
-fi
-
-if [ -f ${SHAREDIR}/shorewall-init/version ]; then
-    INSTALLED_VERSION="$(cat ${SHAREDIR}/shorewall-init/version)"
+if [ -f /usr/share/shorewall-init/version ]; then
+    INSTALLED_VERSION="$(cat /usr/share/shorewall-init/version)"
    if [ "$INSTALLED_VERSION" != "$VERSION" ]; then
 	echo "WARNING: Shorewall Init Version $INSTALLED_VERSION is installed"
 	echo "         and this is the $VERSION uninstaller."
@@ -110,55 +60,56 @@ else
    VERSION=""
 fi

-[ -n "${LIBEXEC:=${SHAREDIR}}" ]
+[ -n "${LIBEXEC:=/usr/share}" ]

 echo "Uninstalling Shorewall Init $VERSION"

-INITSCRIPT=${CONFDIR}/init.d/shorewall-init
+INITSCRIPT=/etc/init.d/shorewall-init

-if [ -f "$INITSCRIPT" ]; then
-    if mywhich updaterc.d ; then
+if [ -n "$INITSCRIPT" ]; then
+    if [ -x /usr/sbin/updaterc.d ]; then
 	updaterc.d shorewall-init remove
-    elif mywhich insserv ; then
+    elif [ -x /sbin/insserv -o -x /usr/sbin/insserv ]; then
        insserv -r $INITSCRIPT
-    elif mywhich chkconfig ; then
+    elif [ -x /sbin/chkconfig -o -x /usr/sbin/chkconfig ]; then
 	chkconfig --del $(basename $INITSCRIPT)
-    elif mywhich systemctl ; then
+    elif [ -x /sbin/systemctl ]; then
 	systemctl disable shorewall-init
+    else
+	rm -f /etc/rc*.d/*$(basename $INITSCRIPT)
    fi

    remove_file $INITSCRIPT
 fi

-[ "$(readlink -m -q ${SBINDIR}/ifup-local)"   = ${SHAREDIR}/shorewall-init ] && remove_file ${SBINDIR}/ifup-local
-[ "$(readlink -m -q ${SBINDIR}/ifdown-local)" = ${SHAREDIR}/shorewall-init ] && remove_file ${SBINDIR}/ifdown-local
+[ "$(readlink -m -q /sbin/ifup-local)"   = /usr/share/shorewall-init ] && remove_file /sbin/ifup-local
+[ "$(readlink -m -q /sbin/ifdown-local)" = /usr/share/shorewall-init ] && remove_file /sbin/ifdown-local

-remove_file ${CONFDIR}/default/shorewall-init
-remove_file ${CONFDIR}/sysconfig/shorewall-init
+remove_file /etc/default/shorewall-init
+remove_file /etc/sysconfig/shorewall-init

-remove_file ${CONFDIR}/NetworkManager/dispatcher.d/01-shorewall
+remove_file /etc/NetworkManager/dispatcher.d/01-shorewall

-remove_file ${CONFDIR}/network/if-up.d/shorewall
-remove_file ${CONFDIR}/network/if-down.d/shorewall
+remove_file /etc/network/if-up.d/shorewall
+remove_file /etc/network/if-down.d/shorewall

-remove_file ${CONFDIR}/sysconfig/network/if-up.d/shorewall
-remove_file ${CONFDIR}/sysconfig/network/if-down.d/shorewall
+remove_file /etc/sysconfig/network/if-up.d/shorewall
+remove_file /etc/sysconfig/network/if-down.d/shorewall
+remove_file /lib/systemd/system/shorewall.service

-[ -n "$SYSTEMD" ] && remove_file ${SYSTEMD}/shorewall.service
-
-if [ -d ${CONFDIR}/ppp ]; then
+if [ -d /etc/ppp ]; then
    for directory in ip-up.d ip-down.d ipv6-up.d ipv6-down.d; do
-	remove_file ${CONFDIR}/ppp/$directory/shorewall
+	remove_file /etc/ppp/$directory/shorewall
    done

    for file in if-up.local if-down.local; do
-	if fgrep -q Shorewall-based ${CONFDIR}/ppp/$FILE; then
-	    remove_file ${CONFDIR}/ppp/$FILE
+	if fgrep -q Shorewall-based /etc/ppp/$FILE; then
+	    remove_file /etc/ppp/$FILE
 	fi
    done
 fi

-rm -rf ${SHAREDIR}/shorewall-init
+rm -rf /usr/share/shorewall-init
 rm -rf ${LIBEXEC}/shorewall-init

 echo "Shorewall Init Uninstalled"
--- a/Shorewall-lite/Makefile
+++ b/Shorewall-lite/Makefile
@@ -3,16 +3,16 @@ VARDIR=$(shell /sbin/shorewall-lite show vardir)
 SHAREDIR=/usr/share/shorewall-lite
 RESTOREFILE?=.restore

-all: $(VARDIR)/$(RESTOREFILE)
+all: $(VARDIR)/${RESTOREFILE}

-$(VARDIR)/$(RESTOREFILE): $(VARDIR)/firewall
+$(VARDIR)/${RESTOREFILE}: $(VARDIR)/firewall
 	@/sbin/shorewall-lite -q save >/dev/null; \
 	if \
 	    /sbin/shorewall-lite -q restart >/dev/null 2>&1; \
 	then \
 	    /sbin/shorewall-lite -q save >/dev/null; \
 	else \
-	    /sbin/shorewall-lite -q restart 2>&1 | tail >&2; exit 1; \
+	    /sbin/shorewall-lite -q restart 2>&1 | tail >&2; \
 	fi

 # EOF
--- a/Shorewall-lite/configpath
+++ b/Shorewall-lite/configpath
@@ -4,4 +4,4 @@
 # /usr/share/shorewall-lite/configpath
 #

-CONFIG_PATH=${CONFDIR}/shorewall-lite:${SHAREDIR}/shorewall-lite:${SHAREDIR}/shorewall
+CONFIG_PATH=/etc/shorewall-lite:/usr/share/shorewall-lite
--- a/Shorewall-lite/init.archlinux.sh
+++ b/Shorewall-lite/init.archlinux.sh
@@ -0,0 +1,58 @@
+#!/bin/bash
+
+OPTIONS="-f"
+
+if [ -f /etc/sysconfig/shorewall ] ; then
+	. /etc/sysconfig/shorewall
+elif [ -f /etc/default/shorewall ] ; then
+	. /etc/default/shorewall
+fi
+
+# if you want to override options, do so in /etc/sysconfig/shorewall or
+# in /etc/default/shorewall --
+# i strongly encourage you use the latter, since /etc/sysconfig/ does not exist.
+
+. /etc/rc.conf
+. /etc/rc.d/functions
+
+DAEMON_NAME="shorewall" # of course shorewall is NOT a deamon.
+
+case "$1" in
+	start)
+		stat_busy "Starting $DAEMON_NAME"
+		/sbin/shorewall-lite $OPTIONS start &>/dev/null
+		if [ $? -gt 0 ]; then
+			stat_fail
+		else
+			add_daemon $DAEMON_NAME
+			stat_done
+		fi
+		;;
+
+
+	stop)
+		stat_busy "Stopping $DAEMON_NAME"
+		/sbin/shorewall-lite stop &>/dev/null
+		if [ $? -gt 0 ]; then
+			stat_fail
+		else
+			rm_daemon $DAEMON_NAME
+			stat_done
+		fi
+		;;
+
+	restart|reload)
+		stat_busy "Restarting $DAEMON_NAME"
+		/sbin/shorewall-lite restart &>/dev/null
+		if [ $? -gt 0  ]; then
+			stat_fail
+		else
+			stat_done
+		fi
+		;;
+
+	*)
+		echo "usage: $0 {start|stop|restart}"
+esac
+exit 0
+
--- a/Shorewall-lite/init.debian.sh
+++ b/Shorewall-lite/init.debian.sh
@@ -57,23 +57,17 @@ not_configured () {
 	exit 0
 }

-#
-# The installer may alter this
-#
-. /usr/share/shorewall/shorewallrc
-
 # parse the shorewall params file in order to use params in
 # /etc/default/shorewall
-
-if [ -f "$CONFDIR/shorewall-lite/params" ]
+if [ -f "/etc/shorewall-lite/params" ]
 then
-	. $CONFDIR/shorewall-lite/params
+	. /etc/shorewall-lite/params
 fi

 # check if shorewall is configured or not
-if [ -f "$SYSCONFDIR/shorewall-lite" ]
+if [ -f "/etc/default/shorewall-lite" ]
 then
-	. $SYSCONFDIR/shorewall-lite
+	. /etc/default/shorewall-lite
 	SRWL_OPTS="$SRWL_OPTS $OPTIONS"
 	if [ "$startup" != "1" ]
 	then
--- a/Shorewall-lite/init.fedora.sh
+++ b/Shorewall-lite/init.fedora.sh
@@ -20,21 +20,16 @@
 # Source function library.
 . /etc/rc.d/init.d/functions

-#
-# The installer may alter this
-#
-. /usr/share/shorewall/shorewallrc
-
 prog="shorewall-lite"
-shorewall="${SBINDIR}/$prog"
+shorewall="/sbin/$prog"
 logger="logger -i -t $prog"
 lockfile="/var/lock/subsys/$prog"

 # Get startup options (override default)
 OPTIONS=

-if [ -f ${SYSCONFDIR}/$prog ]; then
-    . ${SYSCONFDIR}/$prog
+if [ -f /etc/sysconfig/$prog ]; then
+    . /etc/sysconfig/$prog
 fi

 start() {
--- a/Shorewall-lite/init.sh
+++ b/Shorewall-lite/init.sh
@@ -1,11 +1,11 @@
 #!/bin/sh
 RCDLINKS="2,S41 3,S41 6,K41"
 #
-#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V4.5
+#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V4.1
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 1999,2000,2001,2002,2003,2004,2005,2006,2007,2012 - Tom Eastep (teastep@shorewall.net)
+#     (c) 1999,2000,2001,2002,2003,2004,2005,2006,2007 - Tom Eastep (teastep@shorewall.net)
 #
 #	On most distributions, this file should be called /etc/init.d/shorewall.
 #
@@ -61,14 +61,10 @@ usage() {
 # Get startup options (override default)
 ################################################################################
 OPTIONS=
-
-#
-# The installer may alter this
-#
-. /usr/share/shorewall/shorewallrc
-
-if [ -f ${SYSCONFDIR}/shorewall-lite ]; then
-    . ${SYSCONFDIR}/shorewall-lite
+if [ -f /etc/sysconfig/shorewall ]; then
+    . /etc/sysconfig/shorewall
+elif [ -f /etc/default/shorewall ] ; then
+    . /etc/default/shorewall
 fi

 SHOREWALL_INIT_SCRIPT=1
@@ -80,13 +76,13 @@ command="$1"

 case "$command" in
    start)
-	exec ${SBINDIR}/shorewall-lite $OPTIONS start $STARTOPTIONS
+	exec /sbin/shorewall-lite $OPTIONS start $STARTOPTIONS
 	;;
    restart|reload)
-	exec ${SBINDIR}/shorewall-lite $OPTIONS restart $RESTARTOPTIONS
+	exec /sbin/shorewall-lite $OPTIONS restart $RESTARTOPTIONS
 	;;
    status|stop)
-	exec ${SBINDIR}/shorewall-lite $OPTIONS $command $@
+	exec /sbin/shorewall-lite $OPTIONS $command $@
 	;;
    *)
 	usage
--- a/Shorewall-lite/init.suse.sh
+++ b/Shorewall-lite/init.suse.sh
@@ -1,92 +0,0 @@
-#!/bin/sh
-#
-#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V4.5
-#
-#     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
-#
-#     (c) 1999,2000,2001,2002,2003,2004,2005,2006,2007,2012 - Tom Eastep (teastep@shorewall.net)
-#
-#	On most distributions, this file should be called /etc/init.d/shorewall.
-#
-#	Complete documentation is available at http://shorewall.net
-#
-#	This program is free software; you can redistribute it and/or modify
-#	it under the terms of Version 2 of the GNU General Public License
-#	as published by the Free Software Foundation.
-#
-#	This program is distributed in the hope that it will be useful,
-#	but WITHOUT ANY WARRANTY; without even the implied warranty of
-#	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-#	GNU General Public License for more details.
-#
-#	You should have received a copy of the GNU General Public License
-#	along with this program; if not, write to the Free Software
-#	Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-#
-#	If an error occurs while starting or restarting the firewall, the
-#	firewall is automatically stopped.
-#
-#	Commands are:
-#
-#	   shorewall start			  Starts the firewall
-#	   shorewall restart			  Restarts the firewall
-#	   shorewall reload			  Reload the firewall
-#						  (same as restart)
-#	   shorewall stop			  Stops the firewall
-#	   shorewall status			  Displays firewall status
-#
-
-
-### BEGIN INIT INFO
-# Provides:	  shorewall-lite
-# Required-Start: $network $remote_fs
-# Required-Stop:  
-# Default-Start:  2 3 5
-# Default-Stop:	  0 1 6
-# Description:	  starts and stops the shorewall firewall
-# Short-Description: Packet filtering firewall
-### END INIT INFO
-
-################################################################################
-# Give Usage Information						       #
-################################################################################
-usage() {
-    echo "Usage: $0 start|stop|reload|restart|status"
-    exit 1
-}
-
-################################################################################
-# Get startup options (override default)
-################################################################################
-OPTIONS=
-
-#
-# The installer may alter this
-#
-. /usr/share/shorewall/shorewallrc
-
-if [ -f ${SYSCONFDIR}/shorewall-lite ]; then
-    . ${SYSCONFDIR}/shorewall-lite
-fi
-
-SHOREWALL_INIT_SCRIPT=1
-
-################################################################################
-# E X E C U T I O N    B E G I N S   H E R E				       #
-################################################################################
-command="$1"
-
-case "$command" in
-    start)
-	exec ${SBINDIR}/shorewall-lite $OPTIONS start $STARTOPTIONS
-	;;
-    restart|reload)
-	exec ${SBINDIR}/shorewall-lite $OPTIONS restart $RESTARTOPTIONS
-	;;
-    status|stop)
-	exec ${SBINDIR}/shorewall-lite $OPTIONS $command $@
-	;;
-    *)
-	usage
-	;;
-esac
--- a/Shorewall-lite/install.sh
+++ b/Shorewall-lite/install.sh
@@ -27,18 +27,12 @@ VERSION=xxx #The Build script inserts the actual version
 usage() # $1 = exit status
 {
    ME=$(basename $0)
-    echo "usage: $ME [ <configuration-file> ]"
+    echo "usage: $ME"
    echo "       $ME -v"
    echo "       $ME -h"
    exit $1
 }

-fatal_error()
-{
-    echo "   ERROR: $@" >&2
-    exit 1
-}
-
 split() {
    local ifs
    ifs=$IFS
@@ -91,11 +85,6 @@ install_file() # $1 = source $2 = target $3 = mode
    run_install $T $OWNERSHIP -m $3 $1 ${2}
 }

-require()
-{
-    eval [ -n "\$$1" ] || fatal_error "Required option $1 not set"
-}
-
 #
 # Change to the directory containing this script
 #
@@ -109,122 +98,68 @@ else
    Product="Shorewall6 Lite"
 fi

+[ -n "$DESTDIR" ] || DESTDIR="$PREFIX"
+
 #
 # Parse the run line
 #
-finished=0
+# DEST is the SysVInit script directory
+# INIT is the name of the script in the $DEST directory
+#
+if [ -z "$DEST" ] ; then
+	DEST="/etc/init.d"
+fi

-while [ $finished -eq 0 ] ; do
+if [ -z "$INIT" ] ; then
+	INIT="$PRODUCT"
+fi
+
+while [ $# -gt 0 ] ; do
    case "$1" in
-	-*)
-	    option=${option#-}
-
-	    while [ -n "$option" ]; do
-		case $option in
-		    h)
-			usage 0
-			;;
-		    v)
-			echo "$Product Firewall Installer Version $VERSION"
-			exit 0
-			;;
-		    *)
-			usage 1
-			;;
-		esac
-	    done
-
-	    shift
+	-h|help|?)
+	    usage 0
+	    ;;
+        -v)
+	    echo "$Product Firewall Installer Version $VERSION"
+	    exit 0
 	    ;;
 	*)
-	    finished=1
+	    usage 1
 	    ;;
    esac
+    shift
 done

-#
-# Read the RC file
-#
-if [ $# -eq 0 ]; then
-    if [ -f ./shorewallrc ]; then
-	. ./shorewallrc || exit 1
-	file=./shorewallrc
-    elif [ -f ~/.shorewallrc ]; then
-	. ~/.shorewallrc
-    elif [ -f /usr/share/shorewall/shorewallrc ]; then
-	. /usr/share/shorewall/shorewallrc
-    else
-	fatal_error "No configuration file specified and /usr/share/shorewall/shorewallrc not found"
-    fi
-elif [ $# -eq 1 ]; then
-    file=$1
-    case $file in
-	/*|.*)
-	    ;;
-	*)
-	    file=./$file
-	    ;;
-    esac
+PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin

-    . $file
-else
-    usage 1
-fi
+[ -n "${LIBEXEC:=/usr/share}" ]

-if [ -z "${VARLIB}" ]; then
-    VARLIB=${VARDIR}
-    VARDIR=${VARLIB}/${PRODUCT}
-elif [ -z "${VARDIR}" ]; then
-    VARDIR=${VARLIB}/${PRODUCT}
-fi
-
-for var in SHAREDIR LIBEXECDIRDIRDIR CONFDIR SBINDIR VARLIB VARDIR; do
-    require $var
-done
-
-PATH=${SBINDIR}:/bin:/usr${SBINDIR}:/usr/bin:/usr/local/bin:/usr/local${SBINDIR}
+case "$LIBEXEC" in
+    /*)
+	;;
+    *)
+	LIBEXEC=/usr/${LIBEXEC}
+	;;
+esac

 #
 # Determine where to install the firewall script
 #
-cygwin=
+CYGWIN=
 INSTALLD='-D'
 T='-T'

-if [ -z "$BUILD" ]; then
-    case $(uname) in
-	cygwin*)
-	    BUILD=cygwin
-	    ;;
-	Darwin)
-	    BUILD=apple
-	    ;;
-	*)
-	    if [ -f ${CONFDIR}/debian_version ]; then
-		BUILD=debian
-	    elif [ -f ${CONFDIR}/redhat-release ]; then
-		BUILD=redhat
-	    elif [ -f ${CONFDIR}/SuSE-release ]; then
-		BUILD=suse
-	    elif [ -f ${CONFDIR}/slackware-version ] ; then
-		BUILD=slackware
-	    elif [ -f ${CONFDIR}/arch-release ] ; then
-		BUILD=archlinux
-	    else
-		BUILD=linux
-	    fi
-	    ;;
-    esac
-fi
+case $(uname) in
+    CYGWIN*)
+	if [ -z "$DESTDIR" ]; then
+	    DEST=
+	    INIT=
+	fi

-case $BUILD in
-    cygwin*)
 	OWNER=$(id -un)
 	GROUP=$(id -gn)
 	;;
-    apple)
-	[ -z "$OWNER" ] && OWNER=root
-	[ -z "$GROUP" ] && GROUP=wheel
+    Darwin)
 	INSTALLD=
 	T=
 	;;	   
@@ -236,81 +171,64 @@ esac

 OWNERSHIP="-o $OWNER -g $GROUP"

-[ -n "$HOST" ] || HOST=$BUILD
-
-case "$HOST" in
-    cygwin)
-	echo "$PRODUCT is not supported on Cygwin" >&2
-	exit 1
-	;;
-    apple)
-	echo "$PRODUCT is not supported on OS X" >&2
-	exit 1
-	;;
-    debian)
-	echo "Installing Debian-specific configuration..."
-	;;
-    redhat)
-	echo "Installing Redhat/Fedora-specific configuration..."
-	;;
-    slackware)
-	echo "Installing Slackware-specific configuration..."
-	;;
-    archlinux)
-	echo "Installing ArchLinux-specific configuration..."
-	;;
-    suse)
-	echo "Installing Suse-specific configuration..."
-	;;
-    linux)
-	;;
-    *)
-	echo "ERROR: Unknown HOST \"$HOST\"" >&2
-	exit 1;
-	;;
-esac
-
-[ -z "$INITDIR" ] && INITDIR="${CONFDIR}/init.d"
-
 if [ -n "$DESTDIR" ]; then
    if [ `id -u` != 0 ] ; then
 	echo "Not setting file owner/group permissions, not running as root."
 	OWNERSHIP=""
    fi
    
-    install -d $OWNERSHIP -m 755 ${DESTDIR}/${SBINDIR}
-    install -d $OWNERSHIP -m 755 ${DESTDIR}${INITDIR}
-else
+    install -d $OWNERSHIP -m 755 ${DESTDIR}/sbin
+    install -d $OWNERSHIP -m 755 ${DESTDIR}${DEST}
+elif [ -d /etc/apt -a -e /usr/bin/dpkg ]; then
+    DEBIAN=yes
+elif [ -f /etc/redhat-release ]; then
+    FEDORA=yes
+elif [ -f /etc/slackware-version ] ; then
+    DEST="/etc/rc.d"
+    INIT="rc.firewall"
+elif [ -f /etc/arch-release ] ; then
+      DEST="/etc/rc.d"
+      INIT="$PRODUCT"
+      ARCHLINUX=yes
+fi
+
+if [ -z "$DESTDIR" ]; then
    if [ ! -f /usr/share/shorewall/coreversion ]; then
 	echo "$PRODUCT $VERSION requires Shorewall Core which does not appear to be installed" >&2
 	exit 1
    fi
+
+    if [ -f /lib/systemd/system ]; then
+	SYSTEMD=Yes
+    fi
+elif [ -n "$SYSTEMD" ]; then
+    mkdir -p ${DESTDIR}/lib/systemd/system
 fi

 echo "Installing $Product Version $VERSION"

 #
-# Check for ${CONFDIR}/$PRODUCT
+# Check for /etc/$PRODUCT
 #
-if [ -z "$DESTDIR" -a -d ${CONFDIR}/$PRODUCT ]; then
+if [ -z "$DESTDIR" -a -d /etc/$PRODUCT ]; then
    if [ ! -f /usr/share/shorewall/coreversion ]; then
 	echo "$PRODUCT $VERSION requires Shorewall Core which does not appear to be installed" >&2
 	exit 1
    fi

-    [ -f ${CONFDIR}/$PRODUCT/shorewall.conf ] && \
-	mv -f ${CONFDIR}/$PRODUCT/shorewall.conf ${CONFDIR}/$PRODUCT/$PRODUCT.conf
+    [ -f /etc/$PRODUCT/shorewall.conf ] && \
+	mv -f /etc/$PRODUCT/shorewall.conf /etc/$PRODUCT/$PRODUCT.conf
 else
-    rm -rf ${DESTDIR}${CONFDIR}/$PRODUCT
-    rm -rf ${DESTDIR}${SHAREDIR}/$PRODUCT
-    rm -rf ${DESTDIR}${VARDIR}
-    [ "$LIBEXECDIR" = /usr/share ] || rm -rf ${DESTDIR}/usr/share/$PRODUCT/wait4ifup ${DESTDIR}/usr/share/$PRODUCT/shorecap
+    rm -rf ${DESTDIR}/etc/$PRODUCT
+    rm -rf ${DESTDIR}/usr/share/$PRODUCT
+    rm -rf ${DESTDIR}/var/lib/$PRODUCT
+    [ "$LIBEXEC" = /usr/share ] || rm -rf /usr/share/$PRODUCT/wait4ifup /usr/share/$PRODUCT/shorecap
 fi

 #
-# Check for ${SBINDIR}/$PRODUCT
+# Check for /sbin/$PRODUCT
 #
-if [ -f ${DESTDIR}${SBINDIR}/$PRODUCT ]; then
+if [ -f ${DESTDIR}/sbin/$PRODUCT ]; then
    first_install=""
 else
    first_install="Yes"
@@ -318,114 +236,113 @@ fi

 delete_file ${DESTDIR}/usr/share/$PRODUCT/xmodules

-install_file $PRODUCT ${DESTDIR}${SBINDIR}/$PRODUCT 0544
+install_file $PRODUCT ${DESTDIR}/sbin/$PRODUCT 0544

-echo "$Product control program installed in ${DESTDIR}${SBINDIR}/$PRODUCT"
+echo "$Product control program installed in ${DESTDIR}/sbin/$PRODUCT"

 #
-# Create ${CONFDIR}/$PRODUCT, /usr/share/$PRODUCT and /var/lib/$PRODUCT if needed
+# Install the Firewall Script
 #
-mkdir -p ${DESTDIR}${CONFDIR}/$PRODUCT
-mkdir -p ${DESTDIR}${SHAREDIR}/$PRODUCT
-mkdir -p ${DESTDIR}${LIBEXECDIR}/$PRODUCT
-mkdir -p ${DESTDIR}${VARDIR}
+if [ -n "$DEBIAN" ]; then
+    install_file init.debian.sh ${DESTDIR}/etc/init.d/$PRODUCT 0544
+elif [ -n "$FEDORA" ]; then
+    install_file init.fedora.sh ${DESTDIR}/etc/init.d/$PRODUCT 0544
+elif [ -n "$ARCHLINUX" ]; then
+    install_file init.archlinux.sh ${DESTDIR}/${DEST}/$INIT 0544
+else
+    install_file init.sh ${DESTDIR}/${DEST}/$INIT 0544
+fi

-chmod 755 ${DESTDIR}${CONFDIR}/$PRODUCT
+echo  "$Product script installed in ${DESTDIR}${DEST}/$INIT"
+
+#
+# Create /etc/$PRODUCT, /usr/share/$PRODUCT and /var/lib/$PRODUCT if needed
+#
+mkdir -p ${DESTDIR}/etc/$PRODUCT
+mkdir -p ${DESTDIR}/usr/share/$PRODUCT
+mkdir -p ${DESTDIR}${LIBEXEC}/$PRODUCT
+mkdir -p ${DESTDIR}/var/lib/$PRODUCT
+
+chmod 755 ${DESTDIR}/etc/$PRODUCT
 chmod 755 ${DESTDIR}/usr/share/$PRODUCT

 if [ -n "$DESTDIR" ]; then
-    mkdir -p ${DESTDIR}${CONFDIR}/logrotate.d
-    chmod 755 ${DESTDIR}${CONFDIR}/logrotate.d
-    mkdir -p ${DESTDIR}${INITDIR}
-    chmod 755 ${DESTDIR}${INITDIR}
+    mkdir -p ${DESTDIR}/etc/logrotate.d
+    chmod 755 ${DESTDIR}/etc/logrotate.d
 fi

-if [ -n "$INITFILE" ]; then
-
-    initfile="${DESTDIR}/${INITDIR}/${INITFILE}"
-    install_file ${INITSOURCE} "$initfile" 0544
-
-    [ "${SHAREDIR}" = /usr/share ] || eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' "$initfile"
-
-    echo  "$Product init script installed in $initfile"
-fi
 #
 # Install the .service file
 #
 if [ -n "$SYSTEMD" ]; then
-    mkdir -p ${DESTDIR}${SYSTEMD}
-    run_install $OWNERSHIP -m 600 $PRODUCT.service ${DESTDIR}/${SYSTEMD}/$PRODUCT.service
-    [ ${SBINDIR} != /sbin ] && eval sed -i \'s\|/sbin/\|${SBINDIR}/\|\' ${DESTDIR}${SYSTEMD}/$PRODUCT.service
+    run_install $OWNERSHIP -m 600 $PRODUCT.service ${DESTDIR}/lib/systemd/system/$PRODUCT.service
    echo "Service file installed as ${DESTDIR}/lib/systemd/system/$PRODUCT.service"
 fi

 #
 # Install the config file
 #
-if [ ! -f ${DESTDIR}${CONFDIR}/$PRODUCT/$PRODUCT.conf ]; then
-   install_file $PRODUCT.conf ${DESTDIR}${CONFDIR}/$PRODUCT/$PRODUCT.conf 0744
-   echo "Config file installed as ${DESTDIR}${CONFDIR}/$PRODUCT/$PRODUCT.conf"
+if [ ! -f ${DESTDIR}/etc/$PRODUCT/$PRODUCT.conf ]; then
+   install_file $PRODUCT.conf ${DESTDIR}/etc/$PRODUCT/$PRODUCT.conf 0744
+   echo "Config file installed as ${DESTDIR}/etc/$PRODUCT/$PRODUCT.conf"
 fi

-if [ $HOST = archlinux ] ; then
-   sed -e 's!LOGFILE=/var/log/messages!LOGFILE=/var/log/messages.log!' -i ${DESTDIR}${CONFDIR}/$PRODUCT/$PRODUCT.conf
+if [ -n "$ARCHLINUX" ] ; then
+   sed -e 's!LOGFILE=/var/log/messages!LOGFILE=/var/log/messages.log!' -i ${DESTDIR}/etc/$PRODUCT/$PRODUCT.conf
 fi

 #
 # Install the  Makefile
 #
-run_install $OWNERSHIP -m 0600 Makefile ${DESTDIR}${CONFDIR}/$PRODUCT
-[ $SHAREDIR = /usr/share ] || eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}/${CONFDIR}/$PRODUCT/Makefile
-[ $SBINDIR = /sbin ]       || eval sed -i \'s\|/sbin/\|${SBINDIR}/\|\'       ${DESTDIR}/${CONFDIR}/$PRODUCT/Makefile
-echo "Makefile installed as ${DESTDIR}${CONFDIR}/$PRODUCT/Makefile"
+run_install $OWNERSHIP -m 0600 Makefile ${DESTDIR}/etc/$PRODUCT
+echo "Makefile installed as ${DESTDIR}/etc/$PRODUCT/Makefile"

 #
 # Install the default config path file
 #
-install_file configpath ${DESTDIR}${SHAREDIR}/$PRODUCT/configpath 0644
-echo "Default config path file installed as ${DESTDIR}${SHAREDIR}/$PRODUCT/configpath"
+install_file configpath ${DESTDIR}/usr/share/$PRODUCT/configpath 0644
+echo "Default config path file installed as ${DESTDIR}/usr/share/$PRODUCT/configpath"

 #
 # Install the libraries
 #
 for f in lib.* ; do
    if [ -f $f ]; then
-	install_file $f ${DESTDIR}${SHAREDIR}/$PRODUCT/$f 0644
-	echo "Library ${f#*.} file installed as ${DESTDIR}/${SHAREDIR}/$PRODUCT/$f"
+	install_file $f ${DESTDIR}/usr/share/$PRODUCT/$f 0644
+	echo "Library ${f#*.} file installed as ${DESTDIR}/usr/share/$PRODUCT/$f"
    fi
 done

-ln -sf lib.base ${DESTDIR}${SHAREDIR}/$PRODUCT/functions
+ln -sf lib.base ${DESTDIR}/usr/share/$PRODUCT/functions

-echo "Common functions linked through ${DESTDIR}${SHAREDIR}/$PRODUCT/functions"
+echo "Common functions linked through ${DESTDIR}/usr/share/$PRODUCT/functions"

 #
 # Install Shorecap
 #

-install_file shorecap ${DESTDIR}${LIBEXECDIR}/$PRODUCT/shorecap 0755
-[ $SHAREDIR = /usr/share ] || eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}/${LIBEXECDIR}/$PRODUCT/shorecap
+install_file shorecap ${DESTDIR}${LIBEXEC}/$PRODUCT/shorecap 0755

 echo
-echo "Capability file builder installed in ${DESTDIR}${LIBEXECDIR}/$PRODUCT/shorecap"
+echo "Capability file builder installed in ${DESTDIR}${LIBEXEC}/$PRODUCT/shorecap"

 #
 # Install the Modules files
 #

 if [ -f modules ]; then
-    run_install $OWNERSHIP -m 0600 modules ${DESTDIR}${SHAREDIR}/$PRODUCT
-    echo "Modules file installed as ${DESTDIR}${SHAREDIR}/$PRODUCT/modules"
+    run_install $OWNERSHIP -m 0600 modules ${DESTDIR}/usr/share/$PRODUCT
+    echo "Modules file installed as ${DESTDIR}/usr/share/$PRODUCT/modules"
 fi

 if [ -f helpers ]; then
-    run_install $OWNERSHIP -m 0600 helpers ${DESTDIR}${SHAREDIR}/$PRODUCT
-    echo "Helper modules file installed as ${DESTDIR}${SHAREDIR}/$PRODUCT/helpers"
+    run_install $OWNERSHIP -m 0600 helpers ${DESTDIR}/usr/share/$PRODUCT
+    echo "Helper modules file installed as ${DESTDIR}/usr/share/$PRODUCT/helpers"
 fi

 for f in modules.*; do
-    run_install $OWNERSHIP -m 0644 $f ${DESTDIR}${SHAREDIR}/$PRODUCT/$f
-    echo "Module file $f installed as ${DESTDIR}${SHAREDIR}/$PRODUCT/$f"
+    run_install $OWNERSHIP -m 0644 $f ${DESTDIR}/usr/share/$PRODUCT/$f
+    echo "Module file $f installed as ${DESTDIR}/usr/share/$PRODUCT/$f"
 done

 #
@@ -435,18 +352,18 @@ done
 if [ -d manpages ]; then
    cd manpages

-    [ -n "$INSTALLD" ] || mkdir -p ${DESTDIR}${SHAREDIR}/man/man5/ ${DESTDIR}${SHAREDIR}/man/man8/
+    [ -n "$INSTALLD" ] || mkdir -p ${DESTDIR}/usr/share/man/man5/ ${DESTDIR}/usr/share/man/man8/

    for f in *.5; do
 	gzip -c $f > $f.gz
-	run_install $T $INSTALLD $OWNERSHIP -m 0644 $f.gz ${DESTDIR}${SHAREDIR}/man/man5/$f.gz
-	echo "Man page $f.gz installed to ${DESTDIR}${SHAREDIR}/man/man5/$f.gz"
+	run_install $T $INSTALLD $OWNERSHIP -m 0644 $f.gz ${DESTDIR}/usr/share/man/man5/$f.gz
+	echo "Man page $f.gz installed to ${DESTDIR}/usr/share/man/man5/$f.gz"
    done

    for f in *.8; do
 	gzip -c $f > $f.gz
-	run_install $T $INSTALLD $OWNERSHIP -m 0644 $f.gz ${DESTDIR}${SHAREDIR}/man/man8/$f.gz
-	echo "Man page $f.gz installed to ${DESTDIR}${SHAREDIR}/man/man8/$f.gz"
+	run_install $T $INSTALLD $OWNERSHIP -m 0644 $f.gz ${DESTDIR}/usr/share/man/man8/$f.gz
+	echo "Man page $f.gz installed to ${DESTDIR}/usr/share/man/man8/$f.gz"
    done

    cd ..
@@ -454,79 +371,73 @@ if [ -d manpages ]; then
    echo "Man Pages Installed"
 fi

-if [ -d ${DESTDIR}${CONFDIR}/logrotate.d ]; then
-    run_install $OWNERSHIP -m 0644 logrotate ${DESTDIR}${CONFDIR}/logrotate.d/$PRODUCT
-    echo "Logrotate file installed as ${DESTDIR}${CONFDIR}/logrotate.d/$PRODUCT"
+if [ -d ${DESTDIR}/etc/logrotate.d ]; then
+    run_install $OWNERSHIP -m 0644 logrotate ${DESTDIR}/etc/logrotate.d/$PRODUCT
+    echo "Logrotate file installed as ${DESTDIR}/etc/logrotate.d/$PRODUCT"
 fi

 #
 # Create the version file
 #
-echo "$VERSION" > ${DESTDIR}${SHAREDIR}/$PRODUCT/version
-chmod 644 ${DESTDIR}${SHAREDIR}/$PRODUCT/version
+echo "$VERSION" > ${DESTDIR}/usr/share/$PRODUCT/version
+chmod 644 ${DESTDIR}/usr/share/$PRODUCT/version
 #
 # Remove and create the symbolic link to the init script
 #

 if [ -z "$DESTDIR" ]; then
-    rm -f ${SHAREDIR}/$PRODUCT/init
-    ln -s ${INITDIR}/${INITFILE} ${SHAREDIR}/$PRODUCT/init
+    rm -f /usr/share/$PRODUCT/init
+    ln -s ${DEST}/${INIT} /usr/share/$PRODUCT/init
 fi

-delete_file ${DESTDIR}${SHAREDIR}/$PRODUCT/lib.common
-delete_file ${DESTDIR}${SHAREDIR}/$PRODUCT/lib.cli
-delete_file ${DESTDIR}${SHAREDIR}/$PRODUCT/wait4ifup
+delete_file ${DESTDIR}/usr/share/$PRODUCT/lib.common
+delete_file ${DESTDIR}/usr/share/$PRODUCT/lib.cli
+delete_file ${DESTDIR}/usr/share/$PRODUCT/wait4ifup

-if [ -n "$SYSCONFFILE" -a ! -f ${DESTDIR}${SYSCONFDIR}/${PRODUCT} ]; then
-    if [ ${DESTDIR} ]; then
-	mkdir -p ${DESTDIR}${SYSCONFDIR}
-	chmod 755 ${DESTDIR}${SYSCONFDIR}
-    fi
+if [ -z "$DESTDIR" ]; then
+    touch /var/log/$PRODUCT-init.log

-    run_install $OWNERSHIP -m 0644 default.debian ${DESTDIR}${SYSCONFDIR}/${PRODUCT}
-    echo "$SYSCONFFILE installed in ${DESTDIR}${SYSCONFDIR}/${PRODUCT}"
-fi
+    if [ -n "$first_install" ]; then
+	if [ -n "$DEBIAN" ]; then
+	    run_install $OWNERSHIP -m 0644 default.debian /etc/default/$PRODUCT

-if [ ${SHAREDIR} != /usr/share ]; then
-    eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}/${SHAREDIR}/${PRODUCT}/lib.base
-    eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}/${SBINDIR}/$PRODUCT
-fi
+	    update-rc.d $PRODUCT defaults
+
+	    if [ -x /sbin/insserv ]; then
+		insserv /etc/init.d/$PRODUCT
+	    else
+		ln -s ../init.d/$PRODUCT /etc/rcS.d/S40$PRODUCT
+	    fi

-if [ -z "$DESTDIR" -a -n "$first_install" -a -z "${cygwin}${mac}" ]; then
-    if mywhich update-rc.d ; then
-	echo "$PRODUCT will start automatically at boot"
-	echo "Set startup=1 in ${SYSCONFDIR}/$PRODUCT to enable"
-	touch /var/log/$PRODUCT-init.log
-	perl -p -w -i -e 's/^STARTUP_ENABLED=No/STARTUP_ENABLED=Yes/;s/^IP_FORWARDING=On/IP_FORWARDING=Keep/;s/^SUBSYSLOCK=.*/SUBSYSLOCK=/;' ${CONFDIR}/${PRODUCT}/${PRODUCT}.conf
-	update-rc.d $PRODUCT enable defaults
-    elif [ -n "$SYSTEMD" ]; then
-	if systemctl enable ${PRODUCT}.service; then
 	    echo "$Product will start automatically at boot"
-	fi
-    elif mywhich insserv; then
-	if insserv ${INITDIR}/${INITFILE} ; then
-	    echo "$PRODUCT will start automatically at boot"
-	    echo "Set STARTUP_ENABLED=Yes in ${CONFDIR}/$PRODUCT/${PRODUCT}.conf to enable"
 	else
-	    cant_autostart
+	    if [ -n "$SYSTEMD" ]; then
+		if systemctl enable $PRODUCT; then
+		    echo "$Product will start automatically at boot"
+		fi
+	    elif [ -x /sbin/insserv -o -x /usr/sbin/insserv ]; then
+		if insserv /etc/init.d/$PRODUCT ; then
+		    echo "$Product will start automatically at boot"
+		else
+		    cant_autostart
+		fi
+	    elif [ -x /sbin/chkconfig -o -x /usr/sbin/chkconfig ]; then
+		if chkconfig --add $PRODUCT ; then
+		    echo "$Product will start automatically in run levels as follows:"
+		    chkconfig --list $PRODUCT
+		else
+		    cant_autostart
+		fi
+	    elif [ -x /sbin/rc-update ]; then
+		if rc-update add $PRODUCT default; then
+		    echo "$Product will start automatically at boot"
+		else
+		    cant_autostart
+		fi
+	    elif [ "$INIT" != rc.firewall ]; then #Slackware starts this automatically
+		cant_autostart
+	    fi
 	fi
-    elif mywhich chkconfig; then
-	if chkconfig --add $PRODUCT ; then
-	    echo "$PRODUCT will start automatically in run levels as follows:"
-	    echo "Set STARTUP_ENABLED=Yes in ${CONFDIR}/$PRODUCT/${PRODUCT}.conf to enable"
-	    chkconfig --list $PRODUCT
-	else
-	    cant_autostart
-	fi
-    elif mywhich rc-update ; then
-	if rc-update add $PRODUCT default; then
-	    echo "$PRODUCT will start automatically at boot"
-	    echo "Set STARTUP_ENABLED=Yes in ${CONFDIR}/$PRODUCT/$PRODUCT.conf to enable"
-	else
-	    cant_autostart
-	fi
-    elif [ "$INITFILE" != rc.${PRODUCT} ]; then #Slackware starts this automatically
-	cant_autostart
    fi
 fi

--- a/Shorewall-lite/lib.base
+++ b/Shorewall-lite/lib.base
@@ -24,10 +24,11 @@

 g_program=shorewall-lite
 g_family=4
-#
-# This may be altered by the installer
-#
 g_basedir=/usr/share/shorewall

-. ${g_basedir}/lib.base
+[ -n "${VARDIR:=/var/lib/$g_program}" ]
+[ -n "${SHAREDIR:=/usr/share/$g_program}" ]
+[ -n "${CONFDIR:=/etc/$g_program}" ]
+
+. /usr/share/shorewall/lib.base

--- a/Shorewall-lite/manpages/shorewall-lite-vardir.xml
+++ b/Shorewall-lite/manpages/shorewall-lite-vardir.xml
@@ -1,6 +1,4 @@
 <?xml version="1.0" encoding="UTF-8"?>
-<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
-"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
 <refentry>
  <refmeta>
    <refentrytitle>shorewall-lite-vardir</refentrytitle>
@@ -36,28 +34,6 @@
    directory. If you add this file, you should copy the files from
    <filename>/var/lib/shorewall-lite</filename> to the new directory before
    performing a <command>shorewall-lite restart</command>.</para>
-
-    <note>
-      <para>Beginning with Shorewall 4.5.2, use of this file is deprecated in
-      favor of specifying VARDIR in the <filename>shorewallrc</filename> file
-      used during installation of Shorewall Core. While the name of the
-      variable remains VARDIR, the meaning is slightly different. When set in
-      shorewallrc, Shorewall Lite, will create a directory under the specified
-      path name to hold state information.</para>
-
-      <para>Example:</para>
-
-      <blockquote>
-        <para>VARDIR=<filename><filename>/opt/var/lib/</filename></filename></para>
-
-        <para>The state directory for Shorewall Lite will be
-        /opt/var/lib/shorewall-lite/.</para>
-      </blockquote>
-
-      <para> When VARDIR is set in /etc/shorewall-lite/vardir, Shorewall Lite
-      will save its state in the <replaceable>directory</replaceable>
-      specified.</para>
-    </note>
  </refsect1>

  <refsect1>
--- a/Shorewall-lite/manpages/shorewall-lite.xml
+++ b/Shorewall-lite/manpages/shorewall-lite.xml
@@ -337,8 +337,6 @@

      <arg choice="plain"><option>show</option></arg>

-      <arg><option>-b</option></arg>
-
      <arg><option>-x</option></arg>

      <arg><option>-l</option></arg>
@@ -843,12 +841,6 @@
                Netfilter table to display. The default is <emphasis
                role="bold">filter</emphasis>.</para>

-                <para>The <emphasis role="bold">-b</emphasis> ('brief') option
-                causes rules which have not been used (i.e. which have zero
-                packet and byte counts) to be omitted from the output. Chains
-                with no rules displayed are also omitted from the
-                output.</para>
-
                <para>The <emphasis role="bold">-l</emphasis> option causes
                the rule number for each Netfilter rule to be
                displayed.</para>
--- a/Shorewall-lite/shorecap
+++ b/Shorewall-lite/shorecap
@@ -45,19 +45,17 @@
 #    used during firewall compilation, then the generated firewall program will likewise not
 #    require Shorewall to be installed.

-
+SHAREDIR=/usr/share/shorewall-lite
+VARDIR=/var/lib/shorewall-lite
+CONFDIR=/etc/shorewall-lite
 g_program=shorewall-lite
+g_product="Shorewall Lite"
+g_family=4
+g_base=shorewall
+g_basedir=/usr/share/shorewall-lite

-#
-# This is modified by the installer when ${SHAREDIR} != /usr/share
-#
-. /usr/share/shorewall/shorewallrc
-
-g_sharedir="$SHAREDIR"/shorewall-lite
-g_confdir="$CONFDIR"/shorewall-lite
-g_readrc=1
-
-. ${SHAREDIR}/shorewall/lib.cli
+. /usr/share/shorewall-lite/lib.base
+. /usr/share/shorewall/lib.cli
 . /usr/share/shorewall-lite/configpath

 [ -n "$PATH" ] || PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
--- a/Shorewall-lite/shorewall-lite
+++ b/Shorewall-lite/shorewall-lite
@@ -25,18 +25,8 @@
 #       For a list of supported commands, type 'shorewall help' or 'shorewall6 help'
 #
 ################################################################################################
-PRODUCT=shorewall-lite
+g_program=shorewall-lite

-#
-# This is modified by the installer when ${SHAREDIR} != /usr/share
-#
-. /usr/share/shorewall/shorewallrc
-
-g_program=$PRODUCT
-g_sharedir="$SHAREDIR"/shorewall-lite
-g_confdir="$CONFDIR"/shorewall-lite
-g_readrc=1
-
-. ${SHAREDIR}/shorewall/lib.cli
+. /usr/share/shorewall/lib.cli

 shorewall_cli $@
--- a/Shorewall-lite/uninstall.sh
+++ b/Shorewall-lite/uninstall.sh
@@ -31,7 +31,7 @@ VERSION=xxx  #The Build script inserts the actual version
 usage() # $1 = exit status
 {
    ME=$(basename $0)
-    echo "usage: $ME [ <shorewallrc file> ]"
+    echo "usage: $ME"
    exit $1
 }

@@ -40,25 +40,16 @@ qt()
    "$@" >/dev/null 2>&1
 }

-split() {
-    local ifs
-    ifs=$IFS
-    IFS=:
-    set -- $1
-    echo $*
-    IFS=$ifs
-}
-
-mywhich() {
-    local dir
-
-    for dir in $(split $PATH); do
-	if [ -x $dir/$1 ]; then
-	    return 0
-	fi
-    done
-
-    return 2
+restore_file() # $1 = file to restore
+{
+    if [ -f ${1}-shorewall.bkout ]; then
+	if (mv -f ${1}-shorewall-lite.bkout $1); then
+	    echo
+	    echo "$1 restored"
+        else
+	    exit 1
+        fi
+    fi
 }

 remove_file() # $1 = file to restore
@@ -69,37 +60,8 @@ remove_file() # $1 = file to restore
    fi
 }

-#
-# Read the RC file
-#
-if [ $# -eq 0 ]; then
-    if [ -f ./shorewallrc ]; then
-	. ./shorewallrc
-    elif [ -f ~/.shorewallrc ]; then
-	. ~/.shorewallrc || exit 1
-	file=./.shorewallrc
-    elif [ -f /usr/share/shorewall/shorewallrc ]; then
-	. /usr/share/shorewall/shorewallrc
-    else
-	fatal_error "No configuration file specified and /usr/share/shorewall/shorewallrc not found"
-    fi
-elif [ $# -eq 1 ]; then
-    file=$1
-    case $file in
-	/*|.*)
-	    ;;
-	*)
-	    file=./$file
-	    ;;
-    esac
-
-    . $file
-else
-    usage 1
-fi
-
-if [ -f ${SHAREDIR}/shorewall-lite/version ]; then
-    INSTALLED_VERSION="$(cat ${SHAREDIR}/shorewall-lite/version)"
+if [ -f /usr/share/shorewall-lite/version ]; then
+    INSTALLED_VERSION="$(cat /usr/share/shorewall-lite/version)"
    if [ "$INSTALLED_VERSION" != "$VERSION" ]; then
 	echo "WARNING: Shorewall Lite Version $INSTALLED_VERSION is installed"
 	echo "         and this is the $VERSION uninstaller."
@@ -110,40 +72,49 @@ else
    VERSION=""
 fi

+[ -n "${LIBEXEC:=/usr/share}" ]
+
 echo "Uninstalling Shorewall Lite $VERSION"

-if qt iptables -L shorewall -n && [ ! -f ${SBINDIR}/shorewall ]; then
-   shorewall-lite clear
+if qt iptables -L shorewall -n && [ ! -f /sbin/shorewall ]; then
+   /sbin/shorewall-lite clear
 fi

-if [ -L ${SHAREDIR}/shorewall-lite/init ]; then
-    FIREWALL=$(readlink -m -q ${SHAREDIR}/shorewall-lite/init)
-elIF [ -n "$INITFILE" ]; then
-    FIREWALL=${INITDIR}/${INITFILE}
+if [ -L /usr/share/shorewall-lite/init ]; then
+    FIREWALL=$(readlink -m -q /usr/share/shorewall-lite/init)
+else
+    FIREWALL=/etc/init.d/shorewall-lite
 fi

-if [ -f "$FIREWALL" ]; then
-    if mywhich updaterc.d ; then
+if [ -n "$FIREWALL" ]; then
+    if [ -x /usr/sbin/updaterc.d ]; then
 	updaterc.d shorewall-lite remove
-    elif if mywhich insserv ; then
+    elif [ -x /sbin/insserv -o -x /usr/sbin/insserv ]; then
        insserv -r $FIREWALL
-    elif [ mywhich chkconfig ; then
+    elif [ -x /sbin/chkconfig -o -x /usr/sbin/chkconfig ]; then
 	chkconfig --del $(basename $FIREWALL)
-    elif mywhich systemctl ; then
+    elif [ -x /sbin/systemctl ]; then
 	systemctl disable shorewall-lite
+    else
+	rm -f /etc/rc*.d/*$(basename $FIREWALL)
    fi

    remove_file $FIREWALL
+    rm -f ${FIREWALL}-*.bkout
 fi

-rm -f ${SBINDIR}/shorewall-lite
+rm -f /sbin/shorewall-lite
+rm -f /sbin/shorewall-lite-*.bkout

-rm -rf ${SBINDIR}/shorewall-lite
-rm -rf ${VARDIR}/shorewall-lite
-rm -rf ${SHAREDIR}/shorewall-lite
+rm -rf /etc/shorewall-lite
+rm -rf /etc/shorewall-lite-*.bkout
+rm -rf /var/lib/shorewall-lite
+rm -rf /var/lib/shorewall-lite-*.bkout
+rm -rf /usr/share/shorewall-lite
 rm -rf ${LIBEXEC}/shorewall-lite
-rm -f  ${CONFDIR}/logrotate.d/shorewall-lite
-[ -n "$SYSTEMD" ] && rm -f  ${SYSTEMD}/shorewall-lite.service
+rm -rf /usr/share/shorewall-lite-*.bkout
+rm -f  /etc/logrotate.d/shorewall-lite
+rm -f  /lib/systemd/system/shorewall-lite.service

 echo "Shorewall Lite Uninstalled"

--- a/Shorewall/Macros/macro.A_AllowICMPs
+++ b/Shorewall/Macros/macro.A_AllowICMPs
@@ -9,7 +9,7 @@
 #ACTION		SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
 #					PORT(S)	PORT(S)	LIMIT	GROUP

-?COMMENT Needed ICMP types
+COMMENT Needed ICMP types

 A_ACCEPT       -	-	icmp	fragmentation-needed
 A_ACCEPT       -	-	icmp	time-exceeded
--- a/Shorewall/Macros/macro.A_DropDNSrep
+++ b/Shorewall/Macros/macro.A_DropDNSrep
@@ -9,6 +9,6 @@
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
 #				PORT(S)	PORT(S)	LIMIT	GROUP

-?COMMENT Late DNS Replies
+COMMENT Late DNS Replies

 A_DROP	-	-	udp	-	53
--- a/Shorewall/Macros/macro.A_DropUPnP
+++ b/Shorewall/Macros/macro.A_DropUPnP
@@ -9,6 +9,6 @@
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
 #				PORT(S)	PORT(S)	LIMIT	GROUP

-?COMMENT UPnP
+COMMENT UPnP

 A_DROP	-	-	udp	1900
--- a/Shorewall/Macros/macro.ActiveDir
+++ b/Shorewall/Macros/macro.ActiveDir
@@ -1,40 +0,0 @@
-#
-# Shorewall version 4 - Samba 4 Macro
-#
-# /usr/share/shorewall/macro.ActiveDir
-#
-#       This macro handles ports for Samba 4 Active Directory Service
-#
-# You can comment out the ports you do not want open
-#
-# 
-###############################################################################
-#ACTION SOURCE  DEST    PROTO   DEST    SOURCE  RATE    USER/
-#                               PORT(S) PORT(S) LIMIT   GROUP
-PARAM   -       -       tcp     389 	#LDAP services
-PARAM   -       -       udp	389  
-PARAM   -       -       tcp     636	#LDAP SSL
-PARAM   -       -       tcp     3268	#LDAP GC
-PARAM   -       -       tcp     3269	#LDAP GC SSL
-PARAM   -       -       tcp     88	#Kerberos
-PARAM   -       -       udp	88
-
-# Use macro.DNS for DNS sevice
-
-PARAM   -       -       tcp     445	#Replication, User and Computer Authentication, Group Policy, Trusts
-PARAM   -       -       udp	445
-
-# Use macro.SMTP for Mail service
-
-PARAM   -       -       tcp     135	#RPC, EPM
-PARAM   -       -       tcp     5722	#RPC, DFSR (SYSVOL)
-PARAM   -       -       udp	123	#Windows Time
-PARAM   -       -       tcp     464	#Kerberosb change/set password
-PARAM   -       -       udp	464
-PARAM   -       -       udp	138	#DFS, Group Policy
-PARAM   -       -       tcp     9389	#SOAP
-PARAM   -       -       tcp     2535	#MADCAP
-PARAM   -       -       udp	2535
-PARAM   -       -       udp     137	#NetLogon, NetBIOS Name Resolution
-PARAM   -       -       tcp	139	#DFSN, NetBIOS Session Service, NetLogon    
-  
--- a/Shorewall/Macros/macro.AllowICMPs
+++ b/Shorewall/Macros/macro.AllowICMPs
@@ -9,7 +9,7 @@
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
 #				PORT(S)	PORT(S)	LIMIT	GROUP

-?COMMENT Needed ICMP types
+COMMENT Needed ICMP types

 DEFAULT ACCEPT
 PARAM	-	-	icmp	fragmentation-needed
--- a/Shorewall/Macros/macro.Amanda
+++ b/Shorewall/Macros/macro.Amanda
@@ -8,17 +8,9 @@
 #	files from those nodes.
 #
 ###############################################################################
-?FORMAT 2
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
 #				PORT(S)	PORT(S)	LIMIT	GROUP
-
-?if ( __CT_TARGET && ! $AUTOHELPERS && __AMANDA_HELPER )
- PARAM	-	-	udp	10080 ; helper=amanda
-?else
- PARAM	-	-	udp	10080
-?endif
-
-PARAM	-	-	tcp	10080
+PARAM	-	-	udp	10080
 #
 # You may also need this rule.  With AMANDA 2.4.4 on Linux kernel 2.6,
 # it should not be necessary to use this.  The ip_conntrack_amanda
--- a/Shorewall/Macros/macro.BLACKLIST
+++ b/Shorewall/Macros/macro.BLACKLIST
@@ -1,15 +0,0 @@
-#
-# Shorewall version 4 - blacklist Macro
-#
-# /usr/share/shorewall/macro.blacklist
-#
-#	This macro handles blacklisting using BLACKLIST_DISPOSITION and BLACKLIST_LOGLEVEL
-#
-###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
-#				PORT(S)	PORT(S)	LIMIT	GROUP
-?if $BLACKLIST_LOGLEVEL
-blacklog
-?else
-$BLACKLIST_DISPOSITION
-?endif
--- a/Shorewall/Macros/macro.DCC
+++ b/Shorewall/Macros/macro.DCC
@@ -9,4 +9,4 @@
 ###############################################################################
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
 #				PORT(S)	PORT(S)	LIMIT	GROUP
-PARAM	-	-	udp	6277
+PARAM	-	-	tcp	6277
--- a/Shorewall/Macros/macro.DropDNSrep
+++ b/Shorewall/Macros/macro.DropDNSrep
@@ -9,7 +9,7 @@
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
 #				PORT(S)	PORT(S)	LIMIT	GROUP

-?COMMENT Late DNS Replies
+COMMENT Late DNS Replies

 DEFAULT DROP
 PARAM	-	-	udp	-	53
--- a/Shorewall/Macros/macro.DropUPnP
+++ b/Shorewall/Macros/macro.DropUPnP
@@ -9,7 +9,7 @@
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
 #				PORT(S)	PORT(S)	LIMIT	GROUP

-?COMMENT UPnP
+COMMENT UPnP

 DEFAULT DROP
 PARAM	-	-	udp	1900
--- a/Shorewall/Macros/macro.FTP
+++ b/Shorewall/Macros/macro.FTP
@@ -6,11 +6,6 @@
 #	This macro handles FTP traffic.
 #
 ###############################################################################
-?FORMAT 2
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
 #				PORT(S)	PORT(S)	LIMIT	GROUP
-?if ( __CT_TARGET && ! $AUTOHELPERS && __FTP_HELPER  )
- PARAM	-	-	tcp	21 ; helper=ftp
-?else
- PARAM	-	-	tcp	21
-?endif
+PARAM	-	-	tcp	21
--- a/Shorewall/Macros/macro.IRC
+++ b/Shorewall/Macros/macro.IRC
@@ -6,12 +6,6 @@
 #	This macro handles IRC traffic (Internet Relay Chat).
 #
 ###############################################################################
-?FORMAT 2
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
 #				PORT(S)	PORT(S)	LIMIT	GROUP
-
-?if ( __CT_TARGET && ! $AUTOHELPERS && __IRC_HELPER  )
- PARAM	-	-	tcp	6667 ; helper=irc
-?else
- PARAM	-	-	tcp	6667
-?endif
+PARAM	-	-	tcp	6667
--- a/Shorewall/Macros/macro.MSSQL
+++ b/Shorewall/Macros/macro.MSSQL
@@ -1,11 +0,0 @@
-#
-# Shorewall version 4 - MSSQL Macro
-#
-# /usr/share/shorewall/macro.MSSQL
-#
-#	This macro handles MSSQL (Microsoft SQL Server)
-#
-###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
-#				PORT(S)	PORT(S)	LIMIT	GROUP
-PARAM	-	-	tcp	1433
--- a/Shorewall/Macros/macro.PPtP
+++ b/Shorewall/Macros/macro.PPtP
@@ -6,14 +6,8 @@
 #	This macro handles PPTP traffic.
 #
 ###############################################################################
-?FORMAT 2
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
 #				PORT(S)	PORT(S)	LIMIT	GROUP
 PARAM	-	-	47
 PARAM	DEST	SOURCE	47
-
-?if ( __CT_TARGET && ! $AUTOHELPERS && __PPTP_HELPER )
- PARAM	-	-	tcp	1723 ; helper=pptp
-?else
- PARAM	-	-	tcp	1723
-?endif
+PARAM	-	-	tcp	1723
--- a/Shorewall/Macros/macro.Puppet
+++ b/Shorewall/Macros/macro.Puppet
@@ -1,12 +0,0 @@
-#
-# Shorewall version 4 - Puppet Macro
-#
-# /usr/share/shorewall/macro.Puppet
-#
-#	This macro handles client-to-server for the Puppet configuration
-#	management system.
-#
-###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
-#				PORT(S)	PORT(S)	LIMIT	GROUP
-PARAM	-	-	tcp	8140
--- a/Shorewall/Macros/macro.Rfc1918
+++ b/Shorewall/Macros/macro.Rfc1918
@@ -7,7 +7,7 @@
 #############################################################################################
 #ACTION		SOURCE		DEST	PROTO	DEST	SOURCE	ORIGINAL	RATE	USER/
 #						PORT(S)	PORT(S)	DEST		LIMIT	GROUP
-?FORMAT 2
+FORMAT 2
 PARAM		SOURCE:10.0.0.0/8,172.16.0.0/12,192.168.0.0/16 \
 				DEST	-	-	-	-	-	-
 PARAM		SOURCE		DEST	-	-	-	10.0.0.0/8,172.16.0.0/12,192.168.0.0/16
--- a/Shorewall/Macros/macro.SANE
+++ b/Shorewall/Macros/macro.SANE
@@ -6,16 +6,9 @@
 #	This macro handles SANE network scanning.
 #
 ###############################################################################
-?FORMAT 2
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
 #				PORT(S)	PORT(S)	LIMIT	GROUP
-
-?if ( __CT_TARGET && ! $AUTOHELPERS && __SANE_HELPER )
- PARAM	-	-	tcp	6566 ; helper=sane
-?else
- PARAM	-	-	tcp	6566
-?endif
-
+PARAM	-	-	tcp	6566
 #
 # Kernels 2.6.23+ has nf_conntrack_sane module which will handle
 # sane data connection.
--- a/Shorewall/Macros/macro.SIP
+++ b/Shorewall/Macros/macro.SIP
@@ -1,17 +0,0 @@
-#
-# Shorewall version 4 - SIP Macro
-#
-# /usr/share/shorewall/macro.SIP
-#
-#	This macro handles SIP traffic.
-#
-###############################################################################
-?FORMAT 2
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
-#				PORT(S)	PORT(S)	LIMIT	GROUP
-
-?if ( __CT_TARGET && ! $AUTOHELPERS && __SIP_HELPER  )
- PARAM	-	-	udp	5060 ; helper=sip
-?else
- PARAM	-	-	udp	5060
-?endif
--- a/Shorewall/Macros/macro.SMB
+++ b/Shorewall/Macros/macro.SMB
@@ -10,17 +10,9 @@
 #	between hosts you fully trust.
 #
 ###############################################################################
-?FORMAT 2
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
 #				PORT(S)	PORT(S)	LIMIT	GROUP
 PARAM	-	-	udp	135,445
-
-?if ( __CT_TARGET && ! $AUTOHELPERS && __NETBIOS_NS_HELPER )
- PARAM	-	-	udp	137 ; helper=netbios-ns
- PARAM	-	-	udp	138:139
-?else
- PARAM	-	-	udp	137:139
-?endif
-
+PARAM	-	-	udp	137:139
 PARAM	-	-	udp	1024:	137
 PARAM	-	-	tcp	135,139,445
--- a/Shorewall/Macros/macro.SMBBI
+++ b/Shorewall/Macros/macro.SMBBI
@@ -10,28 +10,13 @@
 #	allow SMB traffic between hosts you fully trust.
 #
 ###############################################################################
-?FORMAT 2
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
 #				PORT(S)	PORT(S)	LIMIT	GROUP
 PARAM	-	-	udp	135,445
-
-?if ( __CT_TARGET && ! $AUTOHELPERS && __NETBIOS_NS_HELPER )
- PARAM	-	-	udp	137 ; helper=netbios-ns
- PARAM	-	-	udp	138:139
-?else
- PARAM	-	-	udp	137:139
-?endif
-
+PARAM	-	-	udp	137:139
 PARAM	-	-	udp	1024:	137
 PARAM	-	-	tcp	135,139,445
 PARAM	DEST	SOURCE	udp	135,445
-
-?if ( __CT_TARGET && ! $AUTOHELPERS && __NETBIOS_NS_HELPER )
- PARAM	DEST	SOURCE	udp	137 ; helper=netbios-ns
- PARAM	DEST	SOURCE	udp	138:139
-?else
- PARAM	DEST	SOURCE	udp	137:139
-?endif
-
+PARAM	DEST	SOURCE	udp	137:139
 PARAM	DEST	SOURCE	udp	1024:	137
 PARAM	DEST	SOURCE	tcp	135,139,445
--- a/Shorewall/Macros/macro.SNMP
+++ b/Shorewall/Macros/macro.SNMP
@@ -3,17 +3,10 @@
 #
 # /usr/share/shorewall/macro.SNMP
 #
-#	This macro handles SNMP traffic.
-#
-#       Note: To allow SNMP Traps, use the SNMPTrap macro
+#	This macro handles SNMP traffic (including traps).
 #
 ###############################################################################
-?FORMAT 2
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
 #				PORT(S)	PORT(S)	LIMIT	GROUP
-
-?if ( __CT_TARGET && ! $AUTOHELPERS && __SNMP_HELPER )
- PARAM	-	-  	udp     161 ; helper=snmp
-?else
- PARAM	-	-	udp	161
-?endif
+PARAM	-	-	udp	161:162
+PARAM	-	-	tcp	161
--- a/Shorewall/Macros/macro.SNMPTrap
+++ b/Shorewall/Macros/macro.SNMPTrap
@@ -1,12 +0,0 @@
-#
-# Shorewall version 4 - SNMP Trap Macro
-#
-# /usr/share/shorewall/macro.SNMP
-#
-#	This macro handles SNMP traps.
-#
-###############################################################################
-?FORMAT 2
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
-#				PORT(S)	PORT(S)	LIMIT	GROUP
-PARAM	-	-	udp	162
--- a/Shorewall/Macros/macro.TFTP
+++ b/Shorewall/Macros/macro.TFTP
@@ -8,12 +8,6 @@
 #	Internet.
 #
 ###############################################################################
-?FORMAT 2
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
 #				PORT(S)	PORT(S)	LIMIT	GROUP
-
-?if ( __CT_TARGET && ! $AUTOHELPERS && __TFTP_HELPER )
- PARAM	-	-	udp	69 ; helper=tftp
-?else
- PARAM	-	-	udp	69
-?endif
+PARAM	-	-	udp	69
--- a/Shorewall/Macros/macro.Teredo
+++ b/Shorewall/Macros/macro.Teredo
@@ -1,11 +0,0 @@
-#
-# Shorewall version 4 - Teredo Macro
-#
-# /usr/share/shorewall/macro.Teredo
-#
-#	This macro handles Teredo IPv6 over UDP tunneling traffic
-#
-###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
-#				PORT(S)	PORT(S)	LIMIT	GROUP
-PARAM	-	-	udp	3544
--- a/Shorewall/Macros/macro.mDNS
+++ b/Shorewall/Macros/macro.mDNS
@@ -1,11 +1,9 @@
 #
-# Shorewall version 4 - Multicast DNS Macro -- this macro assumes that only
-#                       the DEST zone sends mDNS queries. If both zones send
-#                       queries, use the mDNSbi macro.
+# Shorewall version 4 - Multicast DNS Macro
 #
 # /usr/share/shorewall/macro.mDNS
 #
-#	This macro handles multicast DNS traffic
+#	This macro handles multicast DNS traffic.
 #
 ###############################################################################
 #ACTION	SOURCE	DEST			PROTO	DEST	SOURCE	RATE	USER/
--- a/Shorewall/Macros/macro.mDNSbi
+++ b/Shorewall/Macros/macro.mDNSbi
@@ -1,16 +0,0 @@
-#
-# Shorewall version 4 - Bi-directional Multicast DNS Macro.
-#
-# /usr/share/shorewall/macro.mDNSbi
-#
-#	This macro handles multicast DNS traffic
-#
-###############################################################################
-#ACTION	SOURCE	DEST			PROTO	DEST	SOURCE	RATE	USER/
-#						PORT(S)	PORT(S)	LIMIT	GROUP
-PARAM	-	224.0.0.251		udp	5353
-PARAM	-	-			udp	32768:	5353
-PARAM	-	224.0.0.251		2
-PARAM	DEST	SOURCE:224.0.0.251	udp	5353
-PARAM	DEST	SOURCE			udp	32768:	5353
-PARAM	DEST	SOURCE:224.0.0.251	2
--- a/Shorewall/Macros/macro.template
+++ b/Shorewall/Macros/macro.template
@@ -71,17 +71,9 @@
 #	Remaining		Any value in the rules file REPLACES the value
 #	columns			given in the macro file.
 #
-# Multiple parameters may be passed to a macro. Within this file, $1 refers to the first parameter,
-# $2 to the second an so on. $1 is a synonym for PARAM but may be used anywhere in the file whereas
-# PARAM may only be used in the ACTION column.
-#
-# You can specify default values for parameters by using DEFAULT or DEFAULTS entry:
-#
-#      DEFAULTS  <default for $1>,<default for $2>,...
-#
 #######################################################################################################
 #                                         DO NOT REMOVE THE FOLLOWING LINE
-?FORMAT 2
-#################################################################################################################################################################################################
-#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME         HEADERS         SWITCH        HELPER
+FORMAT 2
+####################################################################################################################################################################
+#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME         HEADERS
 #							PORT	PORT(S)		DEST		LIMIT		GROUP
--- a/Shorewall/Makefile
+++ b/Shorewall/Makefile
@@ -2,22 +2,20 @@
 VARDIR=$(shell /sbin/shorewall show vardir)
 CONFDIR=/etc/shorewall
 RESTOREFILE?=firewall
+all: $(VARDIR)/${RESTOREFILE}

-all: $(VARDIR)/$(RESTOREFILE)
-
-$(VARDIR)/$(RESTOREFILE): $(CONFDIR)/*
+$(VARDIR)/${RESTOREFILE}: $(CONFDIR)/*
 	@/sbin/shorewall -q save >/dev/null; \
 	if \
 	    /sbin/shorewall -q restart >/dev/null 2>&1; \
 	then \
 	    /sbin/shorewall -q save >/dev/null; \
 	else \
-	    /sbin/shorewall -q restart 2>&1 | tail >&2; exit 1; \
+	    /sbin/shorewall -q restart 2>&1 | tail >&2; \
 	fi

 clean:
 	@rm -f $(CONFDIR)/*~ $(CONFDIR)/.*~
-
 .PHONY: clean

 # EOF
--- a/Shorewall/Perl/.includepath
+++ b/Shorewall/Perl/.includepath
@@ -0,0 +1,3 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<includepath />
+
--- a/Shorewall/Perl/.project
+++ b/Shorewall/Perl/.project
@@ -0,0 +1,17 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<projectDescription>
+	<name>Shorewall</name>
+	<comment></comment>
+	<projects>
+	</projects>
+	<buildSpec>
+		<buildCommand>
+			<name>org.epic.perleditor.perlbuilder</name>
+			<arguments>
+			</arguments>
+		</buildCommand>
+	</buildSpec>
+	<natures>
+		<nature>org.epic.perleditor.perlnature</nature>
+	</natures>
+</projectDescription>
--- a/Shorewall/Perl/Shorewall/ARP.pm
+++ b/Shorewall/Perl/Shorewall/ARP.pm
@@ -1,314 +0,0 @@
-#
-# Shorewall 4.5 -- /usr/share/shorewall/Shorewall/ARP.pm
-#
-#     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
-#
-#     (c) 2013 - Tom Eastep (teastep@shorewall.net)
-#
-#       Complete documentation is available at http://shorewall.net
-#
-#       This program is free software; you can redistribute it and/or modify
-#       it under the terms of Version 2 of the GNU General Public License
-#       as published by the Free Software Foundation.
-#
-#       This program is distributed in the hope that it will be useful,
-#       but WITHOUT ANY WARRANTY; without even the implied warranty of
-#       MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-#       GNU General Public License for more details.
-#
-#       You should have received a copy of the GNU General Public License
-#       along with this program; if not, write to the Free Software
-#       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-#
-#  This file is responsible for Shorewall's arptables support
-#
-package Shorewall::ARP;
-require Exporter;
-
-use Shorewall::Config qw(:DEFAULT :internal);
-use Shorewall::Zones;
-use Shorewall::IPAddrs;
-use strict;
-
-our @ISA = qw(Exporter);
-our @EXPORT = ( qw( process_arprules create_arptables_load preview_arptables_load ) );
-
-our %arp_table;
-our $arp_input;
-our $arp_output;
-our $arp_forward;
-our $sourcemac;
-our $destmac;
-our $addrlen;
-our $hw;
-our @builtins;
-our $arptablesjf;
-our @map = ( qw( 0 Request Reply Request_Reverse Reply_Reverse DRARP_Request DRARP_Reply DRARP_Error InARP_Request ARP_NAK ) );
-
-
-#
-# Handles the network and mac parts of the SOURCE ($source == 1 ) and DEST ($source == 0) columns in the arprules file.
-# Returns any match(es) specified.
-#
-sub match_arp_net( $$$ ) {
-    my ( $net, $mac, $source ) = @_;
-
-    my $return = '';
-
-    if ( supplied $net ) {
-	my $invert = ( $net =~ s/^!// ) ? '! ' : '';
-	validate_net $net, 0;
-	$return = $source ? "-s ${invert}$net " : "-d ${invert}$net ";
-    }
-
-    if ( supplied $mac ) {
-	my ( $addr , $mask ) = split( '/', $mac, 2 );
-
-	my $invert = ( $addr =~ s/^!// ) ? '! ' : '';
-
-	fatal_error "Invalid MAC address ($addr)" unless $addr =~ /^(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}$/;
-	if ( supplied $mask ) {
-	    fatal_error "Invalid MAC Mask ($mask)" unless $mask =~ /^(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}$/;
-	    $return .= $source ? "$sourcemac $invert$addr/$mask " : "$destmac $invert$addr/mask ";
-	} else {
-	    $return .= $source ? "$sourcemac $invert$addr " : "$destmac $invert$addr ";
-	}
-    }
-
-    $return;
-}
-
-#
-# Process a rule in the arprules file
-#
-sub process_arprule() {
-    my ( $originalaction, $source, $dest, $opcode ) = split_line( 'arprules file entry', {action => 0, source => 1, dest => 2, opcode => 3 } );
-
-    my $chainref;
-    my $iifaceref;
-    my $iiface;
-    my $difaceref;
-    my $diface;
-    my $saddr;
-    my $smac;
-    my $daddr;
-    my $dmac;
-    my $rule = '';
-
-    fatal_error "ACTION must be specified" if $originalaction eq '-';
-
-    my ( $action, $newaddr ) = split( ':', $originalaction, 2 );
-
-    my %functions = ( DROP   => sub() { $rule .= "-j DROP" },
-		      ACCEPT => sub() { $rule .= "-j ACCEPT" },
-		      SNAT   => sub() { validate_address $newaddr, 0;
-					$rule .= "-j mangle --mangle-ip-s $newaddr"; },
-		      DNAT   => sub() { validate_address $newaddr, 0;
-					$rule .= "-j mangle --mangle-ip-d $newaddr"; },
-		      SMAT   => sub() { fatal_error "Invalid MAC address ($newaddr)" unless $newaddr =~ /^(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}$/;
-					$rule .= "$addrlen 6 -j mangle --mangle-$hw-s $newaddr"; },
-		      DMAT   => sub() { fatal_error "Invalid MAC address ($newaddr)" unless $newaddr =~ /^(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}$/;
-					$rule .= "$addrlen 6 -j mangle --mangle-$hw-d $newaddr"; },
-		      SNATC  => sub() { validate_address $newaddr, 0;
-					$rule .= "-j mangle --mangle-ip-s $newaddr --mangle-target CONTINUE"; },
-		      DNATC  => sub() { validate_address $newaddr, 0;
-					$rule .= "-j mangle --mangle-ip-d $newaddr --mangle-target CONTINUE"; },
-		      SMATC  => sub() { fatal_error "Invalid MAC address ($newaddr)" unless $newaddr =~ /^(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}$/;
-					$rule .= "$addrlen 6 -j mangle --mangle-$hw-s $newaddr --mangle-target CONTINUE"; },
-		      DMATC  => sub() { fatal_error "Invalid MAC address ($newaddr)" unless $newaddr =~ /^(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}$/;
-					$rule .= "$addrlen 6 -j mangle --mangle-$hw-d $newaddr --mangle-target CONTINUE"; },
-		    );
-
-    if ( supplied $newaddr ) {
-	fatal_error "The $action ACTION does not allow a new address" unless $action =~ /^(?:SNAT|DNAT|SMAT|DMAT)C?$/;
-    } else {
-	fatal_error "The $action ACTION requires a new address" if $action =~ /^(?:SNAT|DNAT|SMAT|DMAT)C?$/;
-    }
-
-    my $function = $functions{$action};
-
-    fatal_error "Unknown ACTION ($action)" unless $function;
-
-    if ( $source ne '-' ) {
-	( $iiface, $saddr, $smac ) = split /:/, $source, 3;
-
-	fatal_error "SOURCE interface missing" unless supplied $iiface; 
-
-	$iiface = ( $iifaceref = find_interface( $iiface ) )->{physical};
-
-	fatal_error "Wildcard Interfaces ( $iiface )may not be used in this context" if $iiface =~ /\+$/;
-
-	$rule .= "-i $iiface ";
-	$rule .= match_arp_net( $saddr , $smac, 1 ) if supplied( $saddr );
-	$chainref = $arp_input;
-    }
-
-    if ( $dest ne '-' ) {
-	( $diface, $daddr, $dmac ) = split /:/, $dest, 3;
-
-	fatal_error "DEST interface missing" unless supplied $diface; 
-
-	$diface = ( $difaceref = find_interface( $diface ) )->{physical};
-
-	fatal_error "A wildcard interfaces ( $diface) may not be used in this context" if $diface =~ /\+$/;
-
-	if ( $iiface ) {
-	    fatal_error "When both SOURCE and DEST are given, the interfaces must be ports on the same bridge"
-		if $iifaceref->{bridge} ne $difaceref->{bridge};
-	    $chainref = $arp_forward;
-	} else {
-	    $chainref = $arp_output;
-	}
-
-	$rule .= "-o $diface ";
-	$rule .= match_arp_net( $daddr , $dmac, 0 ) if supplied( $daddr );
-
-    }
-
-    if ( $opcode ne '-' ) {
-	my $invert = ( $opcode =~ s/^!// ) ? '! ' : '';
-	warning_message q(arptables versions through 0.3.4 ignore '!' after '--opcode') if $invert && ! $arptablesjf;
-	fatal_error "Invalid ARP OPCODE ($opcode)" unless $opcode =~ /^\d$/ && $opcode;
-	$rule .= $arptablesjf ? " --arpop ${invert}$map[$opcode] " : "--opcode ${invert}$opcode ";
-    }
-
-    $function ->();
-
-    fatal_error "Either SOURCE or DEST must be specified" unless $chainref;
-
-    push @$chainref, $rule;
-
-}
-
-#
-# Process the arprules file -- returns true if there were any arp rules
-#
-sub process_arprules() {
-    my $result = 0;
-
-    if ( $arptablesjf = have_capability 'ARPTABLESJF' ) {
-	$arp_input  = $arp_table{IN}       = [];
-	$arp_output = $arp_table{OUT}      = [];
-	$arp_forward = $arp_table{FORWARD} = [];
-	@builtins = qw( IN OUT FORWARD );
-	$sourcemac = '-z';
-	$destmac   = '-y';
-	$addrlen   = '--arhln';
-	$hw        = 'hw';
-    } else {
-	$arp_input   = $arp_table{INPUT}   = [];
-	$arp_output  = $arp_table{OUTPUT}  = [];
-	$arp_forward = $arp_table{FORWARD} = [];
-	@builtins = qw( INPUT OUTPUT FORWARD );
-	$sourcemac = '--source-mac';
-	$destmac   = '--destination-mac';
-	$addrlen   = '--h-length';
-	$hw        = 'mac';
-    }
-
-    my $fn = open_file 'arprules';
-
-    if ( $fn ) {
-	first_entry( sub() {
-			 $result = 1;
-			 progress_message2 "$doing $fn..."; }
-		   );
-	process_arprule while read_a_line( NORMAL_READ );
-    }
-
-    $result;
-}
-
-#
-# Generate the arptables_load() function
-#
-sub create_arptables_load( $ ) {
-    my $test = shift;
-
-    emit ( '#',
-	   '# Create the input to arptables-restore and pass that input to the utility',
-	   '#',
-	   'setup_arptables()',
-	   '{'
-	   );
-
-    push_indent;
-
-    save_progress_message "Preparing arptables-restore input...";
-
-    emit '';
-
-    emit "exec 3>\${VARDIR}/.arptables-input";
-
-    my $date = localtime;
-
-    unless ( $test ) {
-	emit_unindented '#';
-	emit_unindented "# Generated by Shorewall $globals{VERSION} - $date";
-	emit_unindented '#';
-    }
-
-    emit '';
-    emit 'cat >&3 << __EOF__';
-
-    emit_unindented "*filter";
-
-    emit_unindented ":$_ ACCEPT" for @builtins;
-
-    for ( @builtins ) {
-	my $rules = $arp_table{$_};
-
-	while ( my $rule = shift @$rules ) {
-	    emit_unindented "-A $_ $rule";
-	}
-    }
-
-    emit_unindented "COMMIT\n" if $arptablesjf;
-
-    emit_unindented "__EOF__";
-
-    #
-    # Now generate the actual ip[6]tables-restore command
-    #
-    emit(  'exec 3>&-',
-	   '',
-	   'progress_message2 "Running $ARPTABLES_RESTORE..."',
-	   '',
-	   'cat ${VARDIR}/.arptables-input | $ARPTABLES_RESTORE # Use this nonsensical form to appease SELinux',
-	   'if [ $? != 0 ]; then',
-	   qq(    fatal_error "arptables-restore Failed. Input is in \${VARDIR}/.arptables-input"),
-	   "fi\n",
-	   "run_ip neigh flush nud stale nud reachable\n",
-	   );    
-
-    pop_indent;
-    emit "}\n";
-}	  
-
-#
-# Preview the generated ARP rules
-#
-sub preview_arptables_load() {
-
-    my $date = localtime;
-
-    print "#\n# Generated by Shorewall $globals{VERSION} - $date\n#\n";
-
-    print "*filter\n";
-
-    print ":$_ ACCEPT\n" for qw( INPUT OUTPUT FORWARD );
-
-    for ( @builtins ) {
-	my $rules = $arp_table{$_};
-
-	while ( my $rule = shift @$rules ) {
-	    print "-A $rule\n";
-	}
-    }
-
-    print "COMMIT\n" if $arptablesjf;
-
-    print "\n";
-}	  
-
-1;
--- a/Shorewall/Perl/Shorewall/Accounting.pm
+++ b/Shorewall/Perl/Shorewall/Accounting.pm
@@ -3,7 +3,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007,2008,2009,2010,2011,2012,2013 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007,2008,2009,2010,2011 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
@@ -40,17 +40,17 @@ our $VERSION = 'MODULEVERSION';
 #
 # Per-IP accounting tables. Each entry contains the associated network.
 #
-our %tables;
+my %tables;

-our $jumpchainref;
-our %accountingjumps;
-our $asection;
-our $defaultchain;
-our $ipsecdir;
-our $defaultrestriction;
-our $restriction;
-our $sectionname;
-our $acctable;
+my $jumpchainref;
+my %accountingjumps;
+my $asection;
+my $defaultchain;
+my $defaultrestriction;
+my $restriction;
+my $accounting_commands = { COMMENT => 0, SECTION => 2 };
+my $sectionname;
+my $acctable;

 #
 # Sections in the Accounting File
@@ -92,7 +92,6 @@ sub initialize() {
    # These are the legacy values
    #
    $defaultchain       = 'accounting';
-    $ipsecdir           = '';
    $defaultrestriction = NO_RESTRICT;
    $sectionname        = '';
 }
@@ -112,25 +111,20 @@ sub process_section ($) {

    if ( $sectionname eq 'INPUT' ) {
 	$defaultchain = 'accountin';
-	$ipsecdir     = 'in';
 	$defaultrestriction = INPUT_RESTRICT;
    } elsif ( $sectionname eq 'OUTPUT' ) {
 	$defaultchain = 'accountout';
-	$ipsecdir     = 'out';
 	$defaultrestriction = OUTPUT_RESTRICT;
    } elsif ( $sectionname eq 'FORWARD' ) {
 	$defaultchain = 'accountfwd';
-	$ipsecdir     = '';
 	$defaultrestriction = NO_RESTRICT;
     } else {
 	 fatal_error "The $sectionname SECTION is not allowed when ACCOUNTING_TABLE=filter" unless $acctable eq 'mangle';
 	 if ( $sectionname eq 'PREROUTING' ) {
 	     $defaultchain = 'accountpre';
-	     $ipsecdir     = 'in';
 	     $defaultrestriction = PREROUTE_RESTRICT;
 	 } else {
 	     $defaultchain = 'accountpost';
-	     $ipsecdir     = 'out';
 	     $defaultrestriction = POSTROUTE_RESTRICT;
 	 }
     }
@@ -141,14 +135,27 @@ sub process_section ($) {
 #
 # Accounting
 #
-sub process_accounting_rule1( $$$$$$$$$$$ ) {
-
-    my ($action, $chain, $source, $dest, $proto, $ports, $sports, $user, $mark, $ipsec, $headers ) = @_;
+sub process_accounting_rule( ) {

    $acctable = $config{ACCOUNTING_TABLE};

    $jumpchainref = 0;

+    my ($action, $chain, $source, $dest, $proto, $ports, $sports, $user, $mark, $ipsec, $headers ) =
+	split_line1 'Accounting File', { action => 0, chain => 1, source => 2, dest => 3, proto => 4, dport => 5, sport => 6, user => 7, mark => 8, ipsec => 9, headers => 10 }, $accounting_commands;
+
+    fatal_error 'ACTION must be specified' if $action eq '-';
+
+    if ( $action eq 'COMMENT' ) {
+	process_comment;
+	return 0;
+    }
+
+    if ( $action eq 'SECTION' ) {
+	process_section( $chain );
+	return 0;
+    }
+
    $asection = LEGACY if $asection < 0;

    our $disposition = '';
@@ -222,11 +229,6 @@ sub process_accounting_rule1( $$$$$$$$$$$ ) {
 	    }
 	} elsif ( $action =~ /^NFLOG/ ) {
 	    $target = validate_level $action;
-	} elsif ( $action =~ /^NFACCT\((\w+)\)$/ ) {
-	    require_capability 'NFACCT_MATCH', 'The NFACCT action', 's';
-	    $nfobjects{$1} = 1;
-	    $target = '';
-	    $rule .= "-m nfacct --nfacct-name $1 ";
 	} else {
 	    ( $action, my $cmd ) = split /:/, $action;

@@ -283,21 +285,7 @@ sub process_accounting_rule1( $$$$$$$$$$$ ) {
    }

    my $chainref = $chain_table{$config{ACCOUNTING_TABLE}}{$chain};
-    my $dir = $ipsecdir;
-
-    if ( $asection && $ipsec ne '-' ) {
-	if ( $ipsecdir ) {
-	    fatal_error "Invalid IPSEC ($ipsec)" if $ipsec =~ /^(?:in|out)\b/;
-	} else {
-	    if ( $ipsec =~ s/^(?:(in|out)\b)// ) {
-		$dir = $1;
-	    } else {
-		fatal_error q(IPSEC rules in the $asection section require that the value begin with 'in' or 'out');
-	    }
-	}
-
-	$rule .= do_ipsec( $dir, $ipsec );
-    }
+    my $dir;

    if ( ! $chainref ) {
 	if ( reserved_chain_name( $chain ) ) {
@@ -309,36 +297,32 @@ sub process_accounting_rule1( $$$$$$$$$$$ ) {
 	    $chainref = ensure_accounting_chain $chain, 0 , $restriction;
 	}

-	unless ( $asection ) {
-	    $dir = ipsec_chain_name( $chain );
+	$dir      = ipsec_chain_name( $chain );

-	    if ( $ipsec ne '-' ) {
-		if ( $dir ) {
-		    $rule .= do_ipsec( $dir, $ipsec );
-		    $chainref->{ipsec} = $dir;
-		} else {
-		    fatal_error "Adding an IPSEC rule to an unreferenced accounting chain is not allowed";
-		}
-	    } else {
-		warning_message "Adding rule to unreferenced accounting chain $chain" unless reserved_chain_name( $chain );
+	if ( $ipsec ne '-' ) {
+	    if ( $dir ) {
+		$rule .= do_ipsec( $dir, $ipsec );
 		$chainref->{ipsec} = $dir;
+	    } else {
+		fatal_error "Adding an IPSEC rule to an unreferenced accounting chain is not allowed";
 	    }
+	} else {
+	    warning_message "Adding rule to unreferenced accounting chain $chain" unless reserved_chain_name( $chain );
+	    $chainref->{ipsec} = $dir;
 	}
    } else {
 	fatal_error "$chain is not an accounting chain" unless $chainref->{accounting};
    
-	unless ( $asection ) {
-	    if ( $ipsec ne '-' ) {
-		$dir = $chainref->{ipsec};
-		fatal_error "Adding an IPSEC rule into a non-IPSEC chain is not allowed" unless $dir;
-		$rule .= do_ipsec( $dir , $ipsec );
-	    } elsif ( $asection ) {
-		$restriction |= $chainref->{restriction};
-	    }
+	if ( $ipsec ne '-' ) {
+	    $dir = $chainref->{ipsec};
+	    fatal_error "Adding an IPSEC rule into a non-IPSEC chain is not allowed" unless $dir;
+	    $rule .= do_ipsec( $dir , $ipsec );
+	} elsif ( $asection ) {
+	    $restriction |= $chainref->{restriction};
 	}
    }

-    set_optflags( $chainref, DONT_OPTIMIZE ) if $target eq 'RETURN';
+    dont_optimize( $chainref ) if $target eq 'RETURN';

    if ( $jumpchainref ) {
 	if ( $asection ) {
@@ -382,6 +366,7 @@ sub process_accounting_rule1( $$$$$$$$$$$ ) {
 	} else {
 	    $jumpchainref->{ipsec} = $chainref->{ipsec};
 	}
+
    }

    if ( $rule2 ) {
@@ -401,37 +386,17 @@ sub process_accounting_rule1( $$$$$$$$$$$ ) {
    return 1;
 }

-sub process_accounting_rule( ) {
-
-    my ($action, $chain, $source, $dest, $protos, $ports, $sports, $user, $mark, $ipsec, $headers ) =
-	split_line1 'Accounting File', { action => 0, chain => 1, source => 2, dest => 3, proto => 4, dport => 5, sport => 6, user => 7, mark => 8, ipsec => 9, headers => 10 };
-
-    my $nonempty = 0;
-
-    for my $proto ( split_list $protos, 'Protocol' ) {
-	fatal_error 'ACTION must be specified' if $action eq '-';
-
-	if ( $action eq 'SECTION' ) {
-	    process_section( $chain );
-	} else {
-	    for my $proto ( split_list $protos, 'Protocol' ) {
-		$nonempty |= process_accounting_rule1( $action, $chain, $source, $dest, $proto, $ports, $sports, $user, $mark, $ipsec, $headers );
-	    }
-	}
-    }
-
-    $nonempty;
-}
-
 sub setup_accounting() {

-    if ( my $fn = open_file 'accounting', 1, 1 ) {
+    if ( my $fn = open_file 'accounting' ) {

 	first_entry "$doing $fn...";

 	my $nonEmpty = 0;

-	$nonEmpty |= process_accounting_rule while read_a_line( NORMAL_READ );
+	$nonEmpty |= process_accounting_rule while read_a_line;
+
+	clear_comment;

 	if ( $nonEmpty ) {
 	    my $tableref = $chain_table{$acctable};
@@ -442,7 +407,7 @@ sub setup_accounting() {
 		}

 		if ( $tableref->{accounting} ) {
-		    set_optflags( 'accounting' , DONT_OPTIMIZE );
+		    dont_optimize( 'accounting' );
 		    for my $chain ( qw/INPUT FORWARD/ ) {
 			insert_ijump( $tableref->{$chain}, j => 'accounting', 0 );
 		    }
@@ -464,7 +429,7 @@ sub setup_accounting() {
 		    insert_ijump( $tableref->{POSTROUTING}, j => 'accountpost', 0 );
 		}
 	    } elsif ( $tableref->{accounting} ) {
-		set_optflags( 'accounting' , DONT_OPTIMIZE );
+		dont_optimize( 'accounting' );
 		for my $chain ( qw/INPUT FORWARD OUTPUT/ ) {
 		    insert_ijump( $tableref->{$chain}, j => 'accounting', 0 );
 		}
--- a/Shorewall/Perl/Shorewall/Chains.pm
+++ b/Shorewall/Perl/Shorewall/Chains.pm
--- a/Shorewall/Perl/Shorewall/Compiler.pm
+++ b/Shorewall/Perl/Shorewall/Compiler.pm
@@ -4,7 +4,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007,2008,2009,2010,2011,2012,2013 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007,2008,2009,2010,2011,2012 - Tom Eastep (teastep@shorewall.net)
 #
 #	Complete documentation is available at http://shorewall.net
 #
@@ -34,9 +34,9 @@ use Shorewall::Accounting;
 use Shorewall::Rules;
 use Shorewall::Proc;
 use Shorewall::Proxyarp;
+use Shorewall::IPAddrs;
 use Shorewall::Raw;
 use Shorewall::Misc;
-use Shorewall::ARP;

 use strict;

@@ -45,22 +45,20 @@ our @EXPORT = qw( compiler );
 our @EXPORT_OK = qw( $export );
 our $VERSION = 'MODULEVERSION';

-our $export;
+my $export;

-our $test;
+my $test;

-our $family;
-
-our $have_arptables;
+my $family;

 #
 # Initilize the package-globals in the other modules
 #
-sub initialize_package_globals( $$$ ) {
-    Shorewall::Config::initialize($family, $_[1], $_[2]);
+sub initialize_package_globals( $ ) {
+    Shorewall::Config::initialize($family);
    Shorewall::Chains::initialize ($family, 1, $export );
-    Shorewall::Zones::initialize ($family, $_[0]);
-    Shorewall::Nat::initialize($family);
+    Shorewall::Zones::initialize ($family, shift);
+    Shorewall::Nat::initialize;
    Shorewall::Providers::initialize($family);
    Shorewall::Tc::initialize($family);
    Shorewall::Accounting::initialize;
@@ -73,7 +71,7 @@ sub initialize_package_globals( $$$ ) {
 #
 # First stage of script generation.
 #
-#    Copy lib.core and lib.common to the generated script.
+#    Copy prog.header, lib.core and lib.common to the generated script.
 #    Generate the various user-exit jacket functions.
 #
 #    Note: This function is not called when $command eq 'check'. So it must have no side effects other
@@ -91,7 +89,13 @@ sub generate_script_1( $ ) {

 	    emit "#!$config{SHOREWALL_SHELL}\n#\n# Compiled firewall script generated by Shorewall $globals{VERSION} - $date\n#";

-	    copy  $globals{SHAREDIRPL} . '/lib.core', 0;
+	    if ( $family == F_IPV4 ) {
+		copy $globals{SHAREDIRPL} . 'prog.header';
+	    } else {
+		copy $globals{SHAREDIRPL} . 'prog.header6';
+	    }
+
+	    copy2 $globals{SHAREDIRPL} . '/lib.core', 0;
 	    copy2 $globals{SHAREDIRPL} . '/lib.common', 0;
 	}

@@ -150,9 +154,7 @@ sub generate_script_2() {
 	   '    #',
 	   '    # Be sure that umask is sane',
 	   '    #',
-	   '    umask 077' );
-
-    emit ( '',
+	   '    umask 077',
 	   '    #',
 	   '    # These variables are required by the library functions called in this script',
 	   '    #'
@@ -160,53 +162,63 @@ sub generate_script_2() {

    push_indent;

-    if ( $shorewallrc1{TEMPDIR} ) {
-	emit( '',
-	      qq(TMPDIR="$shorewallrc{TEMPDIR}") ,
-	      q(export TMPDIR) );
-    }
-
    if ( $family == F_IPV4 ) {
 	emit( 'g_family=4' );

 	if ( $export ) {
-	    emit ( qq(g_confdir=$shorewallrc1{CONFDIR}/shorewall-lite),
+	    emit ( 'SHAREDIR=/usr/share/shorewall-lite',
+		   'CONFDIR=/etc/shorewall-lite',
 		   'g_product="Shorewall Lite"',
 		   'g_program=shorewall-lite',
 		   'g_basedir=/usr/share/shorewall-lite',
-		   qq(CONFIG_PATH="$shorewallrc1{CONFDIR}/shorewall-lite:$shorewallrc1{SHAREDIR}/shorewall-lite") ,
 		 );
 	} else {
-	    emit ( qq(g_confdir=$shorewallrc1{CONFDIR}/shorewall),
+	    emit ( 'SHAREDIR=/usr/share/shorewall',
+		   'CONFDIR=/etc/shorewall',
 		   'g_product=Shorewall',
 		   'g_program=shorewall',
 		   'g_basedir=/usr/share/shorewall',
-		   qq(CONFIG_PATH="$config{CONFIG_PATH}") ,
 		 );
 	}
    } else {
 	emit( 'g_family=6' );

 	if ( $export ) {
-	    emit ( qq(g_confdir=$shorewallrc1{CONFDIR}/shorewall6-lite),
+	    emit ( 'SHAREDIR=/usr/share/shorewall6-lite',
+		   'CONFDIR=/etc/shorewall6-lite',
 		   'g_product="Shorewall6 Lite"',
 		   'g_program=shorewall6-lite',
 		   'g_basedir=/usr/share/shorewall6',
-		   qq(CONFIG_PATH="$shorewallrc1{CONFDIR}/shorewall6-lite:$shorewallrc{SHAREDIR}/shorewall6-lite") ,
 		 );
 	} else {
-	    emit ( qq(g_confdir=$shorewallrc1{CONFDIR}/shorewall6),
+	    emit ( 'SHAREDIR=/usr/share/shorewall6',
+		   'CONFDIR=/etc/shorewall6',
 		   'g_product=Shorewall6',
 		   'g_program=shorewall6',
-		   'g_basedir=/usr/share/shorewall',
-		   qq(CONFIG_PATH="$config{CONFIG_PATH}") ,
+		   'g_basedir=/usr/share/shorewall'
 		 );
 	}
    }

-    emit (   '[ -f ${g_confdir}/vardir ] && . ${g_confdir}/vardir' );
-    emit ( qq([ -n "\${VARDIR:=$shorewallrc1{VARDIR}}" ]) );
-    emit ( qq([ -n "\${VARLIB:=$shorewallrc1{VARLIB}}" ]) );
+    emit( '[ -f ${CONFDIR}/vardir ] && . ${CONFDIR}/vardir' );
+
+    if ( $family == F_IPV4 ) {
+	if ( $export ) {
+	    emit ( 'CONFIG_PATH="/etc/shorewall-lite:/usr/share/shorewall-lite"' ,
+		   '[ -n "${VARDIR:=/var/lib/shorewall-lite}" ]' );
+	} else {
+	    emit ( qq(CONFIG_PATH="$config{CONFIG_PATH}") ,
+		   '[ -n "${VARDIR:=/var/lib/shorewall}" ]' );
+	}
+    } else {
+	if ( $export ) {
+	    emit ( 'CONFIG_PATH="/etc/shorewall6-lite:/usr/share/shorewall6-lite"' ,
+		   '[ -n "${VARDIR:=/var/lib/shorewall6-lite}" ]' );
+	} else {
+	    emit ( qq(CONFIG_PATH="$config{CONFIG_PATH}") ,
+		   '[ -n "${VARDIR:=/var/lib/shorewall6}" ]' );
+	}
+    }

    emit 'TEMPFILE=';

@@ -229,22 +241,6 @@ sub generate_script_2() {

    set_chain_variables;

-    my $need_arptables = $have_arptables || $config{SAVE_ARPTABLES};
-
-    if ( my $arptables = $config{ARPTABLES} ) {
-	emit( qq(ARPTABLES="$arptables"),
-	      '[ -x "$ARPTABLES" ] || startup_error "ARPTABLES=$ARPTABLES does not exist or is not executable"',
-	    );
-    } elsif ( $need_arptables ) {
-	emit( '[ -z "$ARPTABLES" ] && ARPTABLES=$(mywhich arptables)',
-	      '[ -n "$ARPTABLES" -a -x "$ARPTABLES" ] || startup_error "Can\'t find arptables executable"' );
-    }
-
-    if ( $need_arptables ) {
-	emit( 'ARPTABLES_RESTORE=${ARPTABLES}-restore',
-	      '[ -x "$ARPTABLES_RESTORE" ] || startup_error "$ARPTABLES_RESTORE does not exist or is not executable"' );
-    }
-
    if ( $config{EXPORTPARAMS} ) {
 	append_file 'params';
    } else {
@@ -342,7 +338,6 @@ sub generate_script_3($) {
    }

    create_netfilter_load( $test );
-    create_arptables_load( $test ) if $have_arptables;
    create_chainlist_reload( $_[0] );

    emit "#\n# Start/Restart the Firewall\n#";
@@ -361,7 +356,7 @@ sub generate_script_3($) {
 	    emit 'cat > ${VARDIR}/.modules << EOF';
 	    open_file $fn;

-	    emit_unindented $currentline while read_a_line( NORMAL_READ );
+	    emit_unindented $currentline while read_a_line;

 	    emit_unindented 'EOF';
 	    emit '', 'reload_kernel_modules < ${VARDIR}/.modules';
@@ -375,7 +370,6 @@ sub generate_script_3($) {
    emit '';

    load_ipsets;
-    create_nfobjects;

    if ( $family == F_IPV4 ) {
 	emit ( 'if [ "$COMMAND" = refresh ]; then' ,
@@ -385,8 +379,8 @@ sub generate_script_3($) {
 	       'fi',
 	       '' );

-	verify_address_variables;
 	save_dynamic_chains;
+
 	mark_firewall_not_started;

 	emit ( '',
@@ -414,7 +408,6 @@ sub generate_script_3($) {
 	       'fi',
 	       '' );

-	verify_address_variables;
 	save_dynamic_chains;
 	mark_firewall_not_started;

@@ -470,76 +463,59 @@ sub generate_script_3($) {
 	  '    if [ -f $iptables_save_file ]; then' );

    if ( $family == F_IPV4 ) {
-	emit( '        cat $iptables_save_file | $IPTABLES_RESTORE # Use this nonsensical form to appease SELinux' );
-
-	emit( '',
-	      '        arptables_save_file=${VARDIR}/$(basename $0)-arptables',
-	      '        if [ -f $arptables_save_file ]; then',
-	      '            cat $arptables_save_file | $ARPTABLES_RESTORE',
-	      '        fi')
-	    if $config{SAVE_ARPTABLES};
-
+	emit '        cat $iptables_save_file | $IPTABLES_RESTORE # Use this nonsensical form to appease SELinux'
    } else {
 	emit '        cat $iptables_save_file | $IP6TABLES_RESTORE # Use this nonsensical form to appease SELinux'
    }

-    emit( '    else',
-	  '       fatal_error "$iptables_save_file does not exist"',
-	  '    fi',
-	  ''
-	);
-
-    push_indent;
+    emit<<'EOF';
+    else
+        fatal_error "$iptables_save_file does not exist"
+    fi
+EOF
+    pop_indent;
    setup_load_distribution;
    setup_forwarding( $family , 1 );
-    pop_indent;
+    push_indent;

    my $config_dir = $globals{CONFIGDIR};

    emit<<"EOF";
    set_state Started $config_dir
    run_restored_exit
-elif [ \$COMMAND = refresh ]; then
-    chainlist_reload
+else
+    if [ \$COMMAND = refresh ]; then
+        chainlist_reload
 EOF
-    push_indent;
    setup_load_distribution;
    setup_forwarding( $family , 0 );
-    pop_indent;
-    #
-    # Use a parameter list rather than 'here documents' to avoid an extra blank line
-    #
-    emit(
-'    run_refreshed_exit',
-'    do_iptables -N shorewall',
-"    set_state Started $config_dir",
-'    [ $0 = ${VARDIR}/firewall ] || cp -f $(my_pathname) ${VARDIR}/firewall',
-'else',
-'    setup_netfilter'
-	);
-    push_indent;
-    emit 'setup_arptables' if $have_arptables;
-    setup_load_distribution;
-    pop_indent;

-    emit<<'EOF';
-    conditionally_flush_conntrack
-EOF
-    push_indent;
-    initialize_switches;
-    setup_forwarding( $family , 0 );
-    pop_indent;
+    emit( '        run_refreshed_exit' ,
+	  '        do_iptables -N shorewall' ,
+	  "        set_state Started $config_dir" ,
+	  '    else' ,
+	  '        setup_netfilter' );
+    
+    setup_load_distribution;

    emit<<"EOF";
-    run_start_exit
-    do_iptables -N shorewall
-    set_state Started $config_dir
-    [ \$0 = \${VARDIR}/firewall ] || cp -f \$(my_pathname) \${VARDIR}/firewall
-    run_started_exit
-fi
+        conditionally_flush_conntrack
+EOF
+    setup_forwarding( $family , 0 );
+
+    emit<<"EOF";
+        run_start_exit
+        do_iptables -N shorewall
+        set_state Started $config_dir
+        run_started_exit
+    fi
+
 EOF

    emit<<'EOF';
+    [ $0 = ${VARDIR}/firewall ] || cp -f $(my_pathname) ${VARDIR}/firewall
+fi
+
 date > ${VARDIR}/restarted

 case $COMMAND in
@@ -571,12 +547,11 @@ EOF
 #
 sub compiler {

-    my ( $scriptfilename, $directory, $verbosity, $timestamp , $debug, $chains , $log , $log_verbosity, $preview, $confess , $update , $annotate , $convert, $config_path, $shorewallrc                      , $shorewallrc1 , $directives ) =
-       ( '',              '',         -1,          '',          0,      '',       '',   -1,             0,        0,         0,        0,        , 0       , ''          , '/usr/share/shorewall/shorewallrc', ''            , 0 );
+    my ( $scriptfilename, $directory, $verbosity, $timestamp , $debug, $chains , $log , $log_verbosity, $preview, $confess , $update , $annotate , $convert, $config_path ) =
+       ( '',              '',         -1,          '',          0,      '',       '',   -1,             0,        0,         0,        0,        , 0       , '');

-    $export         = 0;
-    $test           = 0;
-    $have_arptables = 0;
+    $export = 0;
+    $test   = 0;

    sub validate_boolean( $ ) {
 	 my $val = numeric_value( shift );
@@ -610,10 +585,7 @@ sub compiler {
 		  update        => { store => \$update,        validate=> \&validate_boolean    } ,
 		  convert       => { store => \$convert,       validate=> \&validate_boolean    } ,
 		  annotate      => { store => \$annotate,      validate=> \&validate_boolean    } ,
-		  directives    => { store => \$directives,    validate=> \&validate_boolean    } ,
 		  config_path   => { store => \$config_path } ,
-		  shorewallrc   => { store => \$shorewallrc } ,
-		  shorewallrc1  => { store => \$shorewallrc1 } ,
 		);
    #
    #                               P A R A M E T E R    P R O C E S S I N G
@@ -631,7 +603,7 @@ sub compiler {
    #
    # Now that we know the address family (IPv4/IPv6), we can initialize the other modules' globals
    #
-    initialize_package_globals( $update, $shorewallrc, $shorewallrc1 );
+    initialize_package_globals( $update );

    set_config_path( $config_path ) if $config_path;

@@ -649,7 +621,7 @@ sub compiler {
    #
    #                      S H O R E W A L L . C O N F  A N D  C A P A B I L I T I E S
    #
-    get_configuration( $export , $update , $annotate , $directives );
+    get_configuration( $export , $update , $annotate );
    #
    # Create a temp file to hold the script
    #
@@ -694,6 +666,11 @@ sub compiler {
    #                           (Produces no output to the compiled script)
    #
    process_policies;
+    #
+    #                                       N O T R A C K
+    #                           (Produces no output to the compiled script)
+    #
+    setup_notrack;

    enable_script;

@@ -732,14 +709,10 @@ sub compiler {
    # Proxy Arp/Ndp
    #
    setup_proxy_arp;
-
-    emit( "#\n# Disable automatic helper association on kernel 3.5.0 and later\n#" ,
-	  'if [ -f /proc/sys/net/netfilter/nf_conntrack_helper ]; then' ,
-	  '    progress_message "Disabling Kernel Automatic Helper Association"',
-	  "    echo 0 > /proc/sys/net/netfilter/nf_conntrack_helper",
-	  'fi',
-	  ''
-	);
+    #
+    # Handle MSS settings in the zones file
+    #
+    setup_zone_mss;

    if ( $scriptfilename || $debug ) {
 	emit 'return 0';
@@ -785,26 +758,28 @@ sub compiler {
 	emit "}\n"; # End of setup_routing_and_traffic_shaping()
    }

-    $have_arptables = process_arprules if $family == F_IPV4;
-
    disable_script;
    #
    #                                       N E T F I L T E R
    #       (Produces no output to the compiled script -- rules are stored in the chain table)
    #
    process_tos;
-    #
-    # ECN
-    #
-    setup_ecn if $family == F_IPV4 && have_capability( 'MANGLE_ENABLED' ) && $config{MANGLE_ENABLED};
-    #
-    # Setup Masquerading/SNAT
-    #
-    setup_masq;
-    #
-    # Setup Nat
-    #
-    setup_nat if $family == F_IPV4;
+
+    if ( $family == F_IPV4 ) {
+	#
+	# ECN
+	#
+	setup_ecn if have_capability( 'MANGLE_ENABLED' ) && $config{MANGLE_ENABLED};
+	#
+	# Setup Masquerading/SNAT
+	#
+	setup_masq;
+	#
+	# Setup Nat
+	#
+	setup_nat;
+    }
+
    #
    # Setup NETMAP
    #
@@ -818,10 +793,6 @@ sub compiler {
    #
    process_rules( $convert );
    #
-    # Process the conntrack file
-    #
-    setup_conntrack;
-    #
    # Add Tunnel rules.
    #
    setup_tunnels;
@@ -846,16 +817,16 @@ sub compiler {

 	optimize_level0;

-	if ( ( my $optimize = $config{OPTIMIZE} ) & 0x1E ) {
+	if ( $config{OPTIMIZE} & 0x1E ) {
 	    progress_message2 'Optimizing Ruleset...';
 	    #
 	    # Optimize Policy Chains
 	    #
-	    optimize_policy_chains if ( $optimize & OPTIMIZE_POLICY_MASK2n4 ) == OPTIMIZE_POLICY_MASK; # Level 2 but not 4
+	    optimize_policy_chains if $config{OPTIMIZE} & 2;
 	    #
 	    # More Optimization
 	    #
-	    optimize_ruleset if $config{OPTIMIZE} & OPTIMIZE_RULESET_MASK;
+	    optimize_ruleset if $config{OPTIMIZE} & 0x1C;
 	}

 	enable_script;
@@ -866,7 +837,7 @@ sub compiler {
 	generate_script_2;
 	#
 	#                          N E T F I L T E R   L O A D
-	#    (Produces setup_netfilter(), setup_arptables(), chainlist_reload() and define_firewall() )
+	#    (Produces setup_netfilter(), chainlist_reload() and define_firewall() )
 	#
 	generate_script_3( $chains );
 	#
@@ -879,7 +850,7 @@ sub compiler {
 	#                           S T O P _ F I R E W A L L
 	#         (Writes the stop_firewall() function to the compiled script)
 	#
-	compile_stop_firewall( $test, $export , $have_arptables );
+	compile_stop_firewall( $test, $export );
 	#
 	#                               U P D O W N
 	#               (Writes the updown() function to the compiled script)
@@ -899,10 +870,6 @@ sub compiler {
 	# And generate the auxilary config file
 	#
 	enable_script, generate_aux_config if $export;
-	#
-	# Report used/required capabilities
-	#
-	report_used_capabilities;
    } else {
 	#
 	# Just checking the configuration
@@ -915,26 +882,23 @@ sub compiler {

 	    optimize_level0;

-	    if ( ( my $optimize = $config{OPTIMIZE} ) & 0x1e ) {
+	    if ( $config{OPTIMIZE} & OPTIMIZE_MASK ) {
 		progress_message2 'Optimizing Ruleset...';
 		#
 		# Optimize Policy Chains
 		#
-		optimize_policy_chains if ( $optimize & OPTIMIZE_POLICY_MASK2n4 ) == OPTIMIZE_POLICY_MASK; # Level 2 but not 4
+		optimize_policy_chains if $config{OPTIMIZE} & OPTIMIZE_POLICY_MASK;
 		#
 		# Ruleset Optimization
 		#
-		optimize_ruleset if $optimize & OPTIMIZE_RULESET_MASK;
+		optimize_ruleset if $config{OPTIMIZE} & OPTIMIZE_RULESET_MASK;
 	    }

 	    enable_script if $debug;

 	    generate_script_2 if $debug;

-	    if ( $preview ) {
-		preview_netfilter_load;
-		preview_arptables_load if $have_arptables;
-	    }
+	    preview_netfilter_load if $preview;
 	}
 	#
 	# Re-initialize the chain table so that process_routestopped() has the same
@@ -944,7 +908,7 @@ sub compiler {
 	initialize_chain_table(0);

 	if ( $debug ) {
-	    compile_stop_firewall( $test, $export, $have_arptables );
+	    compile_stop_firewall( $test, $export );
 	    disable_script;
 	} else {
 	    #
@@ -952,12 +916,7 @@ sub compiler {
 	    # call that function during normal 'check', we must validate routestopped here.
 	    #
 	    process_routestopped;
-	    process_stoppedrules;
 	}
-	#
-	# Report used/required capabilities
-	#
-	report_used_capabilities;

 	if ( $family == F_IPV4 ) {
 	    progress_message3 "Shorewall configuration verified";
--- a/Shorewall/Perl/Shorewall/Config.pm
+++ b/Shorewall/Perl/Shorewall/Config.pm
--- a/Shorewall/Perl/Shorewall/IPAddrs.pm
+++ b/Shorewall/Perl/Shorewall/IPAddrs.pm
@@ -26,13 +26,13 @@
 #
 package Shorewall::IPAddrs;
 require Exporter;
-use Shorewall::Config qw( :DEFAULT split_list require_capability in_hex8 numeric_value F_IPV4 F_IPV6 :protocols %config );
+use Shorewall::Config qw( :DEFAULT split_list require_capability in_hex8 numeric_value F_IPV4 F_IPV6 );
 use Socket;

 use strict;

 our @ISA = qw(Exporter);
-our @EXPORT = ( qw( ALLIPv4
+our @EXPORT = qw( ALLIPv4
                  ALLIPv6
 		  NILIPv4
 		  NILIPv6
@@ -48,8 +48,15 @@ our @EXPORT = ( qw( ALLIPv4
 		  ALLIP
 		  NILIP
 		  ALL
+		  TCP
+		  UDP
+		  UDPLITE
+		  ICMP
+		  DCCP
+		  IPv6_ICMP
+		  SCTP
+		  GRE

-		  valid_address
 		  validate_address
 		  validate_net
 		  decompose_net
@@ -66,36 +73,33 @@ our @EXPORT = ( qw( ALLIPv4
 		  nilip
 		  rfc1918_networks
 		  resolve_proto
-		  resolve_dnsname
 		  proto_name
 		  validate_port
 		  validate_portpair
-		  validate_portpair1
 		  validate_port_list
 		  validate_icmp
 		  validate_icmp6
-		 ) );
+		 );
 our @EXPORT_OK = qw( );
 our $VERSION = 'MODULEVERSION';

 #
 # Some IPv4/6 useful stuff
 #
-our @allipv4 = ( '0.0.0.0/0' );
-our @allipv6 = ( '::/0' );
-our $allip;
-our @allip;
-our @nilipv4 = ( '0.0.0.0' );
-our @nilipv6 = ( '::' );
-our $nilip;
-our @nilip;
-our $valid_address;
-our $validate_address;
-our $validate_net;
-our $resolve_dnsname;
-our $validate_range;
-our $validate_host;
-our $family;
+my @allipv4 = ( '0.0.0.0/0' );
+my @allipv6 = ( '::/0' );
+my $allip;
+my @allip;
+my @nilipv4 = ( '0.0.0.0' );
+my @nilipv6 = ( '::' );
+my $nilip;
+my @nilip;
+my $valid_address;
+my $validate_address;
+my $validate_net;
+my $validate_range;
+my $validate_host;
+my $family;

 use constant { ALLIPv4             => '0.0.0.0/0' ,
 	       ALLIPv6             => '::/0' ,
@@ -110,9 +114,16 @@ use constant { ALLIPv4             => '0.0.0.0/0' ,
 	       IPv6_LINK_ALLRTRS   => 'ff01::2' ,
 	       IPv6_SITE_ALLNODES  => 'ff02::1' ,
 	       IPv6_SITE_ALLRTRS   => 'ff02::2' ,
-	   };
+	       ICMP                => 1,
+	       TCP                 => 6,
+	       UDP                 => 17,
+	       DCCP                => 33,
+	       GRE                 => 47,
+	       IPv6_ICMP           => 58,
+	       SCTP                => 132,
+	       UDPLITE             => 136 };

-our @rfc1918_networks = ( "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16" );
+my @rfc1918_networks = ( "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16" );

 #
 # Note: initialize() is declared at the bottom of the file
@@ -155,21 +166,6 @@ sub validate_4address( $$ ) {
    defined wantarray ? wantarray ? @addrs : $addrs[0] : undef;
 }

-sub resolve_4dnsname( $ ) {
-    my $net = $_[0];
-    my @addrs;
-
-    fatal_error "Unknown Host ($net)" unless  @addrs = gethostbyname( $net );
-
-    shift @addrs for (1..4);
-    for ( @addrs ) {
-	$_ = ( inet_ntoa( $_ ) );
-    }
-
-    @addrs;
-} 
-    
-
 sub decodeaddr( $ ) {
    my $address = $_[0];

@@ -220,19 +216,16 @@ sub validate_4net( $$ ) {
 	fatal_error "Invalid IP address ($net)"       unless valid_4address $net;
    } else {
 	fatal_error "Invalid Network address ($_[0])" if $_[0] =~ '/' || ! defined $net;
-	my $net1 = validate_4address $net, $allow_name;
-	$net  = $net1 unless $config{DEFER_DNS_RESOLUTION};
+	validate_4address $net, $_[1];
 	$vlsm = 32;
    }

    if ( defined wantarray ) {
+	assert ( ! $allow_name );
 	if ( wantarray ) {
-	    assert( ! $allow_name );
 	    ( decodeaddr( $net ) , $vlsm );
-	} elsif ( valid_4address $net ) {
-	    $vlsm == 32 ? $net : "$net/$vlsm";
 	} else {
-	    $net;
+	    "$net/$vlsm";
 	}
    }
 }
@@ -247,8 +240,6 @@ sub validate_4range( $$ ) {
    my $last  = decodeaddr $high;

    fatal_error "Invalid IP Range ($low-$high)" unless $first <= $last;
-
-    "$low-$high";
 }

 sub validate_4host( $$ ) {
@@ -343,7 +334,6 @@ sub resolve_proto( $ ) {
 	$number = numeric_value ( $proto );
 	defined $number && $number <= 255 ? $number : undef;
    } else {
-	fatal_error "A protocol list  ($proto) is not allowed in this context" if $proto =~ /,/; 
 	#
 	# Allow 'icmp' as a synonym for 'ipv6-icmp' in IPv6 compilations
 	#
@@ -381,7 +371,6 @@ sub validate_port( $$ ) {

 sub validate_portpair( $$ ) {
    my ($proto, $portpair) = @_;
-    my $what;

    fatal_error "Invalid port range ($portpair)" if $portpair =~ tr/:/:/ > 1;

@@ -390,58 +379,16 @@ sub validate_portpair( $$ ) {

    my @ports = split /:/, $portpair, 2;

-    my $protonum = resolve_proto( $proto ) || 0;
-
-    $_ = validate_port( $protonum, $_) for grep $_, @ports;
+    $_ = validate_port( $proto, $_) for ( grep $_, @ports );

    if ( @ports == 2 ) {
-	$what = 'port range';
 	fatal_error "Invalid port range ($portpair)" unless $ports[0] < $ports[1];
-    } else {
-	$what = 'port';
    }

-    fatal_error "Using a $what ( $portpair ) requires PROTO TCP, UDP, UDPLITE, SCTP or DCCP" unless
-	defined $protonum && ( $protonum == TCP     ||
-			       $protonum == UDP     ||
-			       $protonum == UDPLITE ||
-			       $protonum == SCTP    ||
-			       $protonum == DCCP );
    join ':', @ports;

 }

-sub validate_portpair1( $$ ) {
-    my ($proto, $portpair) = @_;
-    my $what;
-
-    fatal_error "Invalid port range ($portpair)" if $portpair =~ tr/-/-/ > 1;
-
-    $portpair = "0$portpair"       if substr( $portpair,  0, 1 ) eq ':';
-    $portpair = "${portpair}65535" if substr( $portpair, -1, 1 ) eq ':';
-
-    my @ports = split /-/, $portpair, 2;
-
-    my $protonum = resolve_proto( $proto ) || 0;
-
-    $_ = validate_port( $protonum, $_) for grep $_, @ports;
-
-    if ( @ports == 2 ) {
-	$what = 'port range';
-	fatal_error "Invalid port range ($portpair)" unless $ports[0] < $ports[1];
-    } else {
-	$what = 'port';
-    }
-
-    fatal_error "Using a $what ( $portpair ) requires PROTO TCP, UDP, SCTP or DCCP" unless
-	defined $protonum && ( $protonum == TCP  ||
-			       $protonum == UDP  ||
-			       $protonum == SCTP ||
-			       $protonum == DCCP );
-    join '-', @ports;
-
-}
-
 sub validate_port_list( $$ ) {
    my $result = '';
    my ( $proto, $list ) = @_;
@@ -631,35 +578,9 @@ sub validate_6address( $$ ) {
    defined wantarray ? wantarray ? @addrs : $addrs[0] : undef;
 }

-sub resolve_6dnsname( $ ) {
-    my $net = $_[0];
-    my @addrs;
-    
-    require Socket6;
-    fatal_error "Unknown Host ($net)" unless (@addrs = Socket6::gethostbyname2( $net, Socket6::AF_INET6()));
-
-    shift @addrs for (1..4);
-    for ( @addrs ) {
-	$_ = Socket6::inet_ntop( Socket6::AF_INET6(), $_ );
-    }
-
-    @addrs;
-} 
-
 sub validate_6net( $$ ) {
-    my ( $net, $allow_name ) = @_;
-
-    if ( $net =~ /^\[(.+)]$/ ) {
-	$net = $1;
-    } elsif ( $net =~ /^\[(.+)\]\/(\d+)$/ ) {
-	$net = join( '/', $1, $2 );
-    }
-
-    fatal_error "Invalid Network Address($net)" if $net =~ /\[/;
-
-    ($net, my $vlsm, my $rest) = split( '/', $net, 3 );
-
-    fatal_error 'Invalid Network Address(' . join( '/', $net, $vlsm, $rest ) if defined $rest;
+    my ($net, $vlsm, $rest) = split( '/', $_[0], 3 );
+    my $allow_name = $_[1];

    if ( $net =~ /\+(\[?)/ ) {
 	if ( $1 ) {
@@ -671,28 +592,22 @@ sub validate_6net( $$ ) {
 	}
    }

-    fatal_error "Invalid Network address ($_[0])" unless supplied $net;
-
-
    if ( defined $vlsm ) {
        fatal_error "Invalid VLSM ($vlsm)"              unless $vlsm =~ /^\d+$/ && $vlsm <= 128;
 	fatal_error "Invalid Network address ($_[0])"   if defined $rest;
 	fatal_error "Invalid IPv6 address ($net)"       unless valid_6address $net;
    } else {
-	fatal_error "Invalid Network address ($_[0])" if $_[0] =~ '/';
-	my $net1 = validate_6address $net, $allow_name;
-	$net  = $net1 unless $config{DEFER_DNS_RESOLUTION};
+	fatal_error "Invalid Network address ($_[0])" if $_[0] =~ '/' || ! defined $net;
+	validate_6address $net, $allow_name;
 	$vlsm = 128;
    }

    if ( defined wantarray ) {
+	assert ( ! $allow_name );
 	if ( wantarray ) {
-	    assert( ! $allow_name );
 	    ( $net , $vlsm );
-	} elsif ( valid_6address ( $net ) ) {
-	    $vlsm == 32 ? $net : "$net/$vlsm";
 	} else {
-	    $net;
+	    "$net/$vlsm";
 	}
    }
 }
@@ -739,13 +654,11 @@ sub validate_6range( $$ ) {
    while ( @low ) {
 	my ( $l, $h) = ( shift @low, shift @high );
 	next     if hex "0x$l" == hex "0x$h";
-	return "$low-$high" if hex "0x$l"  < hex "0x$h";
+	return 1 if hex "0x$l"  < hex "0x$h";
 	last;
    }

    fatal_error "Invalid IPv6 Range ($low-$high)";
-
-    
 }

 sub validate_6host( $$ ) {
@@ -824,10 +737,6 @@ sub validate_net ( $$ ) {
    $validate_net->(@_);
 }

-sub resolve_dnsname( $ ) {
-    $resolve_dnsname->(@_);
-}
-
 sub validate_range ($$ ) {
    $validate_range->(@_);
 }
@@ -859,7 +768,6 @@ sub initialize( $ ) {
 	$validate_net     = \&validate_4net;
 	$validate_range   = \&validate_4range;
 	$validate_host    = \&validate_4host;
-	$resolve_dnsname  = \&resolve_4dnsname;
    } else {
 	$allip            = ALLIPv6;
 	@allip            = @allipv6;
@@ -870,7 +778,6 @@ sub initialize( $ ) {
 	$validate_net     = \&validate_6net;
 	$validate_range   = \&validate_6range;
 	$validate_host    = \&validate_6host;
-	$resolve_dnsname  = \&resolve_6dnsname;
    }
 }

--- a/Shorewall/Perl/Shorewall/Misc.pm
+++ b/Shorewall/Perl/Shorewall/Misc.pm
--- a/Shorewall/Perl/Shorewall/Nat.pm
+++ b/Shorewall/Perl/Shorewall/Nat.pm
@@ -3,7 +3,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2007,2008,2009,2010,2011,2012,2013 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2007,2008,2009,2010,2011 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
@@ -35,22 +35,16 @@ use strict;

 our @ISA = qw(Exporter);
 our @EXPORT = qw( setup_masq setup_nat setup_netmap add_addresses );
-our %EXPORT_TAGS = ( rules => [ qw ( handle_nat_rule handle_nonat_rule ) ] );
 our @EXPORT_OK = ();
-
-Exporter::export_ok_tags('rules');
-
 our $VERSION = 'MODULEVERSION';

-our @addresses_to_add;
-our %addresses_to_add;
-our $family;
+my @addresses_to_add;
+my %addresses_to_add;

 #
 # Called by the compiler
 #
-sub initialize($) {
-    $family = shift;
+sub initialize() {
    @addresses_to_add = ();
    %addresses_to_add = ();
 }
@@ -58,12 +52,20 @@ sub initialize($) {
 #
 # Process a single rule from the the masq file
 #
-sub process_one_masq1( $$$$$$$$$$ )
+sub process_one_masq( )
 {
-    my ($interfacelist, $networks, $addresses, $proto, $ports, $ipsec, $mark, $user, $condition, $origdest ) = @_;
+    my ($interfacelist, $networks, $addresses, $proto, $ports, $ipsec, $mark, $user ) = 
+	split_line1 'masq file', { interface => 0, source => 1, address => 2, proto => 3, port => 4, ipsec => 5, mark => 6, user => 7 };
+
+    if ( $interfacelist eq 'COMMENT' ) {
+	process_comment;
+	return 1;
+    }
+
+    fatal_error 'INTERFACE must be specified' if $interfacelist eq '-';

    my $pre_nat;
-    my $add_snat_aliases = $family == F_IPV4 && $config{ADD_SNAT_ALIASES};
+    my $add_snat_aliases = $config{ADD_SNAT_ALIASES};
    my $destnets = '';
    my $baserule = '';

@@ -74,33 +76,28 @@ sub process_one_masq1( $$$$$$$$$$ )
    #
    # Parse the remaining part of the INTERFACE column
    #
-    if ( $family == F_IPV4 ) {
-	if ( $interfacelist =~ /^([^:]+)::([^:]*)$/ ) {
-	    $add_snat_aliases = 0;
-	    $destnets = $2;
-	    $interfacelist = $1;
-	} elsif ( $interfacelist =~ /^([^:]+:[^:]+):([^:]+)$/ ) {
-	    $destnets = $2;
-	    $interfacelist = $1;
-	} elsif ( $interfacelist =~ /^([^:]+):$/ ) {
-	    $add_snat_aliases = 0;
-	    $interfacelist = $1;
-	} elsif ( $interfacelist =~ /^([^:]+):([^:]*)$/ ) {
-	    my ( $one, $two ) = ( $1, $2 );
-	    if ( $2 =~ /\./ || $2 =~ /^%/ ) {
-		$interfacelist = $one;
-		$destnets = $two;
-	    }
-	}
-    } elsif ( $interfacelist =~ /^(.+?):(.+)$/ ) {
+    if ( $interfacelist =~ /^([^:]+)::([^:]*)$/ ) {
+	$add_snat_aliases = 0;
+	$destnets = $2;
 	$interfacelist = $1;
-	$destnets      = $2;
+    } elsif ( $interfacelist =~ /^([^:]+:[^:]+):([^:]+)$/ ) {
+	$destnets = $2;
+	$interfacelist = $1;
+    } elsif ( $interfacelist =~ /^([^:]+):$/ ) {
+	$add_snat_aliases = 0;
+	$interfacelist = $1;
+    } elsif ( $interfacelist =~ /^([^:]+):([^:]*)$/ ) {
+	my ( $one, $two ) = ( $1, $2 );
+	if ( $2 =~ /\./ ) {
+	    $interfacelist = $one;
+	    $destnets = $two;
+	}
    }
    #
    # If there is no source or destination then allow all addresses
    #
-    $networks = ALLIP if $networks eq '-';
-    $destnets = ALLIP if $destnets eq '-';
+    $networks = ALLIPv4 if $networks eq '-';
+    $destnets = ALLIPv4 if $destnets eq '-';

    #
    # Handle IPSEC options, if any
@@ -120,9 +117,9 @@ sub process_one_masq1( $$$$$$$$$$ )
    }

    #
-    # Handle Protocol, Ports and Condition
+    # Handle Protocol and Ports
    #
-    $baserule .= do_proto( $proto, $ports, '' );
+    $baserule .= do_proto $proto, $ports, '';
    #
    # Handle Mark
    #
@@ -140,9 +137,6 @@ sub process_one_masq1( $$$$$$$$$$ )
 	if ( $interface =~ /(.*)[(](\w*)[)]$/ ) {
 	    $interface = $1;
 	    my $provider  = $2;
-
-	    fatal_error "Missing Provider ($fullinterface)" unless supplied $provider;
-
 	    $fullinterface =~ s/[(]\w*[)]//;
 	    my $realm = lookup_provider( $provider );

@@ -160,8 +154,6 @@ sub process_one_masq1( $$$$$$$$$$ )

 	my $chainref = ensure_chain('nat', $pre_nat ? snat_chain $interface : masq_chain $interface);

-	$baserule .= do_condition( $condition , $chainref->{name} );
-
 	my $detectaddress = 0;
 	my $exceptionrule = '';
 	my $randomize     = '';
@@ -172,7 +164,6 @@ sub process_one_masq1( $$$$$$$$$$ )
 	#
 	if ( $addresses ne '-' ) {
 	    if ( $addresses eq 'random' ) {
-		require_capability( 'MASQUERADE_TGT', 'Masquerade rules', '') if $family == F_IPV6;
 		$randomize = '--random ';
 	    } else {
 		$addresses =~ s/:persistent$// and $persistent = ' --persistent ';
@@ -194,129 +185,46 @@ sub process_one_masq1( $$$$$$$$$$ )
 			$detectaddress = 1;
 		    }
 		} elsif ( $addresses eq 'NONAT' ) {
-		    fatal_error "'persistent' may not be specified with 'NONAT'" if $persistent;
-		    fatal_error "'random' may not be specified with 'NONAT'"     if $randomize;
 		    $target = 'RETURN';
 		    $add_snat_aliases = 0;
-		} elsif ( $addresses ) {
+		} else {
 		    my $addrlist = '';
-		    my @addrs = split_list $addresses, 'address';
-
-		    fatal_error "Only one IPv6 ADDRESS may be specified" if $family == F_IPV6 && @addrs > 1;
-
-		    for my $addr ( @addrs ) {
-			if ( $addr =~ /^([&%])(.+)$/ ) {
-			    my ( $type, $interface ) = ( $1, $2 );
-
-			    my $ports = '';
-
-			    if ( $interface =~ s/:(.+)$// ) {
-				validate_portpair1( $proto, $1 );
-				$ports = ":$1";
-			    }
-			    #
-			    # Address Variable
-			    #
+		    for my $addr ( split_list $addresses , 'address' ) {
+			if ( $addr =~ /^&(.+)$/ ) {
 			    $target = 'SNAT ';
-			    if ( $interface =~ /^{([a-zA-Z_]\w*)}$/ ) {
-				#
-				# User-defined address variable
-				#
-				$conditional = conditional_rule( $chainref, $addr );
-				$addrlist .= '--to-source ' . "\$${1}${ports} ";
+			    if ( $conditional = conditional_rule( $chainref, $addr ) ) {
+				$addrlist .= '--to-source ' . get_interface_address $1;
 			    } else {
-				if ( $conditional = conditional_rule( $chainref, $addr ) ) {
-				    #
-				    # Optional Interface -- rule is conditional
-				    #
-				    $addr = get_interface_address $interface;
-				} else {
-				    #
-				    # Interface is not optional
-				    #
-				    $addr = record_runtime_address( $type, $interface );
-				}
-
-				if ( $ports ) {
-				    $addr =~ s/ $//;
-				    $addr = $family == F_IPV4 ? "${addr}${ports} " : "[$addr]$ports ";
-				}
-
-				$addrlist .= '--to-source ' . $addr;
+				$addrlist .= '--to-source ' . record_runtime_address $1;
 			    }
-			} elsif ( $family == F_IPV4 ) {
-			    if ( $addr =~ /^.*\..*\..*\./ ) {
-				$target = 'SNAT ';
-				my ($ipaddr, $rest) = split ':', $addr;
-				if ( $ipaddr =~ /^(.+)-(.+)$/ ) {
-				    validate_range( $1, $2 );
-				} else {
-				    validate_address $ipaddr, 0;
-				}
-				validate_portpair1( $proto, $rest ) if supplied $rest;
-				$addrlist .= "--to-source $addr ";
-				$exceptionrule = do_proto( $proto, '', '' ) if $addr =~ /:/;
+			} elsif ( $addr =~ /^.*\..*\..*\./ ) {
+			    $target = 'SNAT ';
+			    my ($ipaddr, $rest) = split ':', $addr;
+			    if ( $ipaddr =~ /^(.+)-(.+)$/ ) {
+				validate_range( $1, $2 );
 			    } else {
-				my $ports = $addr;
-				$ports =~ s/^://;
-				validate_portpair1( $proto, $ports );
-				$addrlist .= "--to-ports $ports ";
-				$exceptionrule = do_proto( $proto, '', '' );
+				validate_address $ipaddr, 0;
 			    }
+			    $addrlist .= "--to-source $addr ";
+			    $exceptionrule = do_proto( $proto, '', '' ) if $addr =~ /:/;
 			} else {
-			    $target = 'SNAT ';
-
-			    if ( $addr =~ /^\[/ ) {
-				#
-				# Can have ports specified
-				#
-				my $ports;
-
-				if ( $addr =~ s/:([^]:]+)$// ) {
-				    $ports = $1;
-				}
-
-				fatal_error "Invalid IPv6 Address ($addr)" unless $addr =~ /^\[(.+)\]$/;
-
-				$addr = $1;
-
-				if ( $addr =~ /^(.+)-(.+)$/ ) {
-				    fatal_error "Correct address range syntax is '[<addr1>-<addr2>]'" if $addr =~ /]-\[/;
-				    validate_range( $1, $2 );
-				} else {
-				    validate_address $addr, 0;
-				}
-
-				if ( supplied $ports ) {
-				    validate_portpair1( $proto, $ports );
-				    $exceptionrule = do_proto( $proto, '', '' );
-				    $addr = "[$addr]:$ports";
-				}
-
-				$addrlist .= "--to-source $addr ";
-			    } else {
-				if ( $addr =~ /^(.+)-(.+)$/ ) {
-				    validate_range( $1, $2 );
-				} else {
-				    validate_address $addr, 0;
-				}
-
-				$addrlist .= "--to-source $addr ";
-			    }
+			    my $ports = $addr; 
+			    $ports =~ s/^://;
+			    my $portrange = $ports;
+			    $portrange =~ s/-/:/;
+			    validate_portpair( $proto, $portrange );
+			    $addrlist .= "--to-ports $ports ";
+			    $exceptionrule = do_proto( $proto, '', '' );
 			}
 		    }

 		    $target .= $addrlist;
-		} else {
-		    fatal_error( "':persistent' is not allowed in a MASQUERADE rule" ) if $persistent;
-		    require_capability( 'MASQUERADE_TGT', 'Masquerade rules', '' )     if $family == F_IPV6;
 		}
 	    }

 	    $target .= $randomize;
 	    $target .= $persistent;
 	} else {
-	    require_capability( 'MASQUERADE_TGT', 'Masquerade rules', '' )  if $family == F_IPV6;
 	    $add_snat_aliases = 0;
 	}
 	#
@@ -327,7 +235,7 @@ sub process_one_masq1( $$$$$$$$$$ )
 		     $baserule . $rule ,
 		     $networks ,
 		     $destnets ,
-		     $origdest ,
+		     '' ,
 		     $target ,
 		     '' ,
 		     '' ,
@@ -361,28 +269,18 @@ sub process_one_masq1( $$$$$$$$$$ )

 }

-sub process_one_masq( )
-{
-    my ($interfacelist, $networks, $addresses, $protos, $ports, $ipsec, $mark, $user, $condition, $origdest ) =
-	split_line1 'masq file', { interface => 0, source => 1, address => 2, proto => 3, port => 4, ipsec => 5, mark => 6, user => 7, switch => 8, origdest => 9 };
-
-    fatal_error 'INTERFACE must be specified' if $interfacelist eq '-';
-
-    for my $proto ( split_list $protos, 'Protocol' ) {
-	process_one_masq1( $interfacelist, $networks, $addresses, $proto, $ports, $ipsec, $mark, $user, $condition, $origdest );
-    }
-}
-
 #
 # Process the masq file
 #
 sub setup_masq()
 {
-    if ( my $fn = open_file( 'masq', 1, 1 ) ) {
+    if ( my $fn = open_file 'masq' ) {

-	first_entry( sub { progress_message2 "$doing $fn..."; require_capability 'NAT_ENABLED' , "a non-empty masq file" , 's'; } );
+	first_entry( sub { progress_message2 "$doing $fn..."; require_capability 'NAT_ENABLED' , 'a non-empty masq file' , 's'; } );

-	process_one_masq while read_a_line( NORMAL_READ );
+	process_one_masq while read_a_line;
+
+	clear_comment;
    }
 }

@@ -473,28 +371,34 @@ sub do_one_nat( $$$$$ )
 #
 sub setup_nat() {

-    if ( my $fn = open_file( 'nat', 1, 1 ) ) {
+    if ( my $fn = open_file 'nat' ) {

 	first_entry( sub { progress_message2 "$doing $fn..."; require_capability 'NAT_ENABLED' , 'a non-empty nat file' , 's'; } );

-	while ( read_a_line( NORMAL_READ ) ) {
+	while ( read_a_line ) {

 	    my ( $external, $interfacelist, $internal, $allints, $localnat ) = split_line1 'nat file', { external => 0, interface => 1, internal => 2, allints => 3, local => 4 };

-	    ( $interfacelist, my $digit ) = split /:/, $interfacelist;
+	    if ( $external eq 'COMMENT' ) {
+		process_comment;
+	    } else {
+		( $interfacelist, my $digit ) = split /:/, $interfacelist;

-	    $digit = defined $digit ? ":$digit" : '';
+		$digit = defined $digit ? ":$digit" : '';

-	    fatal_error 'EXTERNAL must be specified' if $external eq '-';
-	    fatal_error 'INTERNAL must be specified' if $interfacelist eq '-';
+		fatal_error 'EXTERNAL must be specified' if $external eq '-';
+		fatal_error 'INTERNAL must be specified' if $interfacelist eq '-';

-	    for my $interface ( split_list $interfacelist , 'interface' ) {
-		fatal_error "Invalid Interface List ($interfacelist)" unless supplied $interface;
-		do_one_nat $external, "${interface}${digit}", $internal, $allints, $localnat;
+		for my $interface ( split_list $interfacelist , 'interface' ) {
+		    fatal_error "Invalid Interface List ($interfacelist)" unless supplied $interface;
+		    do_one_nat $external, "${interface}${digit}", $internal, $allints, $localnat;
+		}
+
+		progress_message "   NAT entry \"$currentline\" $done";
 	    }
-
-	    progress_message "   NAT entry \"$currentline\" $done";
 	}
+
+	clear_comment;
    }
 }

@@ -503,11 +407,11 @@ sub setup_nat() {
 #
 sub setup_netmap() {

-    if ( my $fn = open_file 'netmap', 1, 1 ) {
+    if ( my $fn = open_file 'netmap' ) {

 	first_entry "$doing $fn...";

-	while ( read_a_line( NORMAL_READ ) ) {
+	while ( read_a_line ) {

 	    my ( $type, $net1, $interfacelist, $net2, $net3, $proto, $dport, $sport ) = split_line 'netmap file', { type => 0, net1 => 1, interface => 2, net2 => 3, net3 => 4, proto => 5, dport => 6, sport => 7 };

@@ -525,8 +429,8 @@ sub setup_netmap() {
 		    my @rulein;
 		    my @ruleout;
 		    
-		    $net1 = validate_net $net1, 0;
-		    $net2 = validate_net $net2, 0;
+		    validate_net $net1, 0;
+		    validate_net $net2, 0;

 		    unless ( $interfaceref->{root} ) {
 			@rulein  = imatch_source_dev( $interface );
@@ -560,7 +464,7 @@ sub setup_netmap() {

 		    require_capability 'RAWPOST_TABLE', 'Stateless NAT Entries', '';

-		    $net2 = validate_net $net2, 0;
+		    validate_net $net2, 0;

 		    unless ( $interfaceref->{root} ) {
 			@match = imatch_dest_dev(  $interface ); 
@@ -606,251 +510,12 @@ sub setup_netmap() {
 		progress_message "   Network $net1 on $iface mapped to $net2 ($type)";
 	    }
 	}
+
+	clear_comment;
    }

 }

-#
-# Called from process_rule1 to add a rule to the NAT table
-#
-sub handle_nat_rule( $$$$$$$$$$$$ ) {
-    my ( $dest,           # <server>[:port]
-	 $proto,          # Protocol
-	 $ports,          # Destination port list
-	 $origdest,       # Original Destination
-	 $action_target,  # If the target is an action, the name of the log action chain to jump to
-	 $action,         # The Action
-	 $sourceref,      # Reference to the Source Zone's table entry in the Zones module
-	 $action_chain,   # Name of the action chain if the rule is in an action
-	 $rule,           # Matches 
-	 $source,         # Source Address
-	 $loglevel,       # [<level>[:<tag>]]
-	 $log_action,     # Action name to include in the log message
-       ) = @_;
-
-    my ( $server, $serverport , $origdstports ) = ( '', '', '' );
-    my $randomize = $dest =~ s/:random$// ? ' --random' : '';
-
-    #
-    # Isolate server port
-    #
-    if ( ( $family == F_IPV4 && $dest =~ /^(.*)(?::(.+))$/ ) || ( $family == F_IPV6 && $dest =~ /^\[(.*)]:(.+)$/ ) ) {
-	#
-	# Server IP and Port
-	#
-	$server = $1;      # May be empty
-	$serverport = $2;  # Not Empty due to RE
-
-	$origdstports = validate_port( $proto, $ports )	if $ports && $ports ne '-' && port_count( $ports ) == 1;
-
-	if ( $serverport =~ /^(\d+)-(\d+)$/ ) {
-	    #
-	    # Server Port Range
-	    #
-	    fatal_error "Invalid port range ($serverport)" unless $1 < $2;
-	    my @ports = ( $1, $2 );
-	    $_ = validate_port( proto_name( $proto ), $_) for ( @ports );
-	    ( $ports = $serverport ) =~ tr/-/:/;
-	} else {
-	    $serverport = $ports = validate_port( proto_name( $proto ), $serverport );
-	}
-    } elsif ( $dest ne ':' ) {
-	#
-	# Simple server IP address (may be empty or "-")
-	#
-	$server = $dest;
-    }
-    #
-    # Generate the target
-    #
-    my $target = '';
-
-    if ( $action eq 'REDIRECT' ) {
-	fatal_error "A server IP address ($server) may not be specified in a REDIRECT rule" if $server;
-	$target  = 'REDIRECT';
-	$target .= " --to-port $serverport" if $serverport;
-	if ( $origdest eq '' || $origdest eq '-' ) {
-	    $origdest = ALLIP;
-	} elsif ( $origdest eq 'detect' ) {
-	    fatal_error 'ORIGINAL DEST "detect" is invalid in an action' if $action_chain;
-
-	    if ( $config{DETECT_DNAT_IPADDRS} ) {
-		my $interfacesref = $sourceref->{interfaces};
-		my @interfaces = keys %$interfacesref;
-		$origdest = @interfaces ? "detect:@interfaces" : ALLIP;
-	    } else {
-		$origdest = ALLIP;
-	    }
-	}
-    } elsif ( $action_target ) {
-	fatal_error "A server port ($serverport) is not allowed in $action rule" if $serverport;
-	$target = $action_target;
-    } else {
-	if ( $server eq '' ) {
-	    fatal_error "A server and/or port must be specified in the DEST column in $action rules" unless $serverport;
-	} elsif ( $server =~ /^(.+)-(.+)$/ ) {
-	    if ( $family == F_IPV4 ) {
-		validate_range( $1, $2 );
-	    } else {
-		my ( $addr1, $addr2 ) = ( $1, $2 );
-
-		if ( $server =~ /^\[(.+)\]$/ ) {
-		    $server = $1;
-		    fatal_error "Correct address range syntax is '[<addr1>-<addr2>]'" if $server =~ /]-\[/;
-		    assert( $server =~ /^(.+)-(.+)$/ );
-		    ( $addr1, $addr2 ) = ( $1, $2 );
-		}
-
-		validate_range( $addr1, $addr2 );
-		$server = join( '-', $addr1, $addr2 );
-	    }
-	} elsif ( $server eq ALLIP || $server eq NILIP ) {
-	    fatal_error "Invalid or missing server IP address";
-	} else {
-	    $server = $1 if $family == F_IPV6 && $server =~ /^\[(.+)\]$/;
-	    fatal_error "Invalid server IP address ($server)" if $server eq ALLIP || $server eq NILIP;
-	    my @servers = validate_address $server, 1;
-	    $server = join ',', @servers;
-	}
-
-	if ( $action eq 'DNAT' ) {
-	    $target = $action;
-	    if ( $server ) {
-		$serverport = ":$serverport" if $serverport;
-		if ( $family == F_IPV4 ) {
-		    for my $serv ( split /,/, $server ) {
-			$target .= " --to-destination ${serv}${serverport}";
-		    }
-		} else {
-		    for my $serv ( split /,/, $server ) {
-			$target .= " --to-destination [${serv}]${serverport}";
-		    }
-		}
-	    } else {
-		$target .= " --to-destination :$serverport";
-	    }
-	}
-
-	unless ( $origdest && $origdest ne '-' && $origdest ne 'detect' ) {
-	    if ( ! $action_chain && $config{DETECT_DNAT_IPADDRS} ) {
-		my $interfacesref = $sourceref->{interfaces};
-		my @interfaces = keys %$interfacesref;
-		$origdest = @interfaces ? "detect:@interfaces" : ALLIP;
-	    } else {
-		$origdest = ALLIP;
-	    }
-	}
-    }
-
-    $target .= $randomize;
-    #
-    # And generate the nat table rule(s)
-    #
-    my $firewallsource = $sourceref && ( $sourceref->{type} & ( FIREWALL | VSERVER ) );
-
-    expand_rule ( ensure_chain ('nat' ,
-				( $action_chain   ? $action_chain :
-				  $firewallsource ? 'OUTPUT' :
-				  dnat_chain $sourceref->{name} ) ) ,
-		  $firewallsource ? OUTPUT_RESTRICT : PREROUTE_RESTRICT ,
-		  $rule ,
-		  $source ,
-		  $origdest ,
-		  '' ,
-		  $target ,
-		  $loglevel ,
-		  $log_action ,
-		  $serverport ? do_proto( $proto, '', '' ) : '',
-		);
-
-    ( $ports, $origdstports, $server );
-}
-
-#
-# Called from process_rule1() to handle the nat table part of the NONAT and ACCEPT+ actions
-#
-sub handle_nonat_rule( $$$$$$$$$$ ) {
-    my ( $action, $source, $dest, $origdest, $sourceref, $inaction, $chain, $loglevel, $log_action, $rule ) = @_;
-
-    my $sourcezone = $sourceref->{name};
-    #
-    # NONAT or ACCEPT+ may not specify a destination interface
-    #
-    fatal_error "Invalid DEST ($dest) in $action rule" if $dest =~ /:/;
-
-    $origdest = '' unless $origdest and $origdest ne '-';
-
-    if ( $origdest eq 'detect' ) {
-	my $interfacesref = $sourceref->{interfaces};
-	my $interfaces = [ ( keys %$interfacesref ) ];
-	$origdest = $interfaces ? "detect:@$interfaces" : ALLIP;
-    }
-
-    my $tgt = 'RETURN';
-
-    my $nonat_chain;
-
-    my $chn;
-
-    if ( $inaction ) {
-	$nonat_chain = ensure_chain( 'nat', $chain );
-    } elsif ( $sourceref->{type} == FIREWALL ) {
-	$nonat_chain = $nat_table->{OUTPUT};
-    } else {
-	$nonat_chain = ensure_chain( 'nat', dnat_chain( $sourcezone ) );
-
-	my @interfaces = keys %{zone_interfaces $sourcezone};
-
-	for ( @interfaces ) {
-	    my $ichain = input_chain $_;
-
-	    if ( $nat_table->{$ichain} ) {
-		#
-		# Static NAT is defined on this interface
-		#
-		$chn = new_chain( 'nat', newnonatchain ) unless $chn;
-		add_ijump $chn, j => $nat_table->{$ichain}, @interfaces > 1 ? imatch_source_dev( $_ )  : ();
-	    }
-	}
-
-	if ( $chn ) {
-	    #
-	    # Call expand_rule() to correctly handle logging. Because
-	    # the 'logname' argument is passed, expand_rule() will
-	    # not create a separate logging chain but will rather emit
-	    # any logging rule in-line.
-	    #
-	    expand_rule( $chn,
-			 PREROUTE_RESTRICT,
-			 '', # Rule
-			 '', # Source
-			 '', # Dest
-			 '', # Original dest
-			 'ACCEPT',
-			 $loglevel,
-			 $log_action,
-			 '',
-			 dnat_chain( $sourcezone  ) );
-	    $loglevel = '';
-	    $tgt = $chn->{name};
-	} else {
-	    $tgt = 'ACCEPT';
-	}
-    }
-
-    expand_rule( $nonat_chain ,
-		 PREROUTE_RESTRICT ,
-		 $rule ,
-		 $source ,
-		 $dest ,
-		 $origdest ,
-		 $tgt,
-		 $loglevel ,
-		 $log_action ,
-		 '',
-	       );
-}
-
 sub add_addresses () {
    if ( @addresses_to_add ) {
 	my @addrs = @addresses_to_add;
--- a/Shorewall/Perl/Shorewall/Proc.pm
+++ b/Shorewall/Perl/Shorewall/Proc.pm
@@ -219,30 +219,30 @@ sub setup_forwarding( $$ ) {

    if ( $family == F_IPV4 ) {
 	if ( $config{IP_FORWARDING} eq 'on' ) {
-	    emit 'echo 1 > /proc/sys/net/ipv4/ip_forward';
-	    emit 'progress_message2 IPv4 Forwarding Enabled';
+	    emit '        echo 1 > /proc/sys/net/ipv4/ip_forward';
+	    emit '        progress_message2 IPv4 Forwarding Enabled';
 	} elsif ( $config{IP_FORWARDING} eq 'off' ) {
-	    emit 'echo 0 > /proc/sys/net/ipv4/ip_forward';
-	    emit 'progress_message2 IPv4 Forwarding Disabled!';
+	    emit '        echo 0 > /proc/sys/net/ipv4/ip_forward';
+	    emit '        progress_message2 IPv4 Forwarding Disabled!';
 	}

 	emit '';

-	emit ( 'echo 1 > /proc/sys/net/bridge/bridge-nf-call-iptables' ,
+	emit ( '        echo 1 > /proc/sys/net/bridge/bridge-nf-call-iptables' ,
 	       ''
 	     ) if have_bridges;
    } else {
 	if ( $config{IP_FORWARDING} eq 'on' ) {
-	    emit 'echo 1 > /proc/sys/net/ipv6/conf/all/forwarding';
-	    emit 'progress_message2 IPv6 Forwarding Enabled';
+	    emit '        echo 1 > /proc/sys/net/ipv6/conf/all/forwarding';
+	    emit '        progress_message2 IPv6 Forwarding Enabled';
 	} elsif ( $config{IP_FORWARDING} eq 'off' ) {
-	    emit 'echo 0 > /proc/sys/net/ipv6/conf/all/forwarding';
-	    emit 'progress_message2 IPv6 Forwarding Disabled!';
+	    emit '        echo 0 > /proc/sys/net/ipv6/conf/all/forwarding';
+	    emit '        progress_message2 IPv6 Forwarding Disabled!';
 	}

 	emit '';

-	emit ( 'echo 1 > /proc/sys/net/bridge/bridge-nf-call-ip6tables' ,
+	emit ( '        echo 1 > /proc/sys/net/bridge/bridge-nf-call-ip6tables' ,
 	       ''
 	     ) if have_bridges;

@@ -251,6 +251,9 @@ sub setup_forwarding( $$ ) {
 	if ( @$interfaces ) {
 	    progress_message2 "$doing Interface forwarding..." if $first;

+	    push_indent;
+	    push_indent;
+
 	    save_progress_message 'Setting up IPv6 Interface Forwarding...';

 	    for my $interface ( @$interfaces ) {
@@ -267,6 +270,9 @@ sub setup_forwarding( $$ ) {
 		       "    error_message \"WARNING: Cannot set IPv6 forwarding on $interface\"" ) unless $optional;
 		emit   "fi\n";
 	    }
+
+	    pop_indent;
+	    pop_indent;
 	}
    }
 }
--- a/Shorewall/Perl/Shorewall/Providers.pm
+++ b/Shorewall/Perl/Shorewall/Providers.pm
--- a/Shorewall/Perl/Shorewall/Proxyarp.pm
+++ b/Shorewall/Perl/Shorewall/Proxyarp.pm
@@ -120,7 +120,7 @@ sub setup_proxy_arp() {

 	my ( %set, %reset );

-	while ( read_a_line( NORMAL_READ ) ) {
+	while ( read_a_line ) {

 	    my ( $address, $interface, $external, $haveroute, $persistent ) =
 		split_line $file_opt . 'file ', { address => 0, interface => 1, external => 2, haveroute => 3, persistent => 4 };
--- a/Shorewall/Perl/Shorewall/Raw.pm
+++ b/Shorewall/Perl/Shorewall/Raw.pm
@@ -3,7 +3,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2009,2010,2011,2012,2013 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2009,2010,2011 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
@@ -20,7 +20,7 @@
 #       along with this program; if not, write to the Free Software
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
-#   This module contains the code that handles the /etc/shorewall/conntrack file.
+#   This module contains the code that handles the /etc/shorewall/notrack file.
 #
 package Shorewall::Raw;
 require Exporter;
@@ -32,109 +32,63 @@ use Shorewall::Chains qw(:DEFAULT :internal);
 use strict;

 our @ISA = qw(Exporter);
-our @EXPORT = qw( setup_conntrack );
-our @EXPORT_OK = qw( handle_helper_rule );
+our @EXPORT = qw( setup_notrack );
+our @EXPORT_OK = qw( );
 our $VERSION = 'MODULEVERSION';

-our %valid_ctevent = ( new        => 1,
-		       related    => 1,
-		       destroy    => 1,
-		       reply      => 1,
-		       assured    => 1,
-		       protoinfo  => 1,
-		       helper     => 1,
-		       mark       => 1,
-		       natseqinfo => 1,
-		       secmark    => 1 );
+my %valid_ctevent = ( new => 1, related => 1, destroy => 1, reply => 1, assured => 1, protoinfo => 1, helper => 1, mark => 1, natseqinfo => 1, secmark => 1 );

 #
 # Notrack
 #
-sub process_conntrack_rule( $$$$$$$$$$ ) {
+sub process_notrack_rule( $$$$$$$ ) {

-    my ($chainref, $zoneref, $action, $source, $dest, $proto, $ports, $sports, $user, $switch ) = @_;
-
-    require_capability 'RAW_TABLE', 'conntrack rules', '';
+    my ($action, $source, $dest, $proto, $ports, $sports, $user ) = @_;

    $proto  = ''    if $proto  eq 'any';
    $ports  = ''    if $ports  eq 'any' || $ports  eq 'all';
    $sports = ''    if $sports eq 'any' || $sports eq 'all';

-    my $zone;
-    my $restriction = PREROUTE_RESTRICT;
+    ( my $zone, $source) = split /:/, $source, 2;
+    my $zoneref  = find_zone $zone;
+    my $chainref = ensure_raw_chain( notrack_chain $zone );
+    my $restriction = $zoneref->{type} == FIREWALL || $zoneref->{type} == VSERVER ? OUTPUT_RESTRICT : PREROUTE_RESTRICT;

-    if ( $chainref ) {
-	$restriction = OUTPUT_RESTRICT if $chainref->{name} eq 'OUTPUT';
-    } else {
-	#
-	# Entry in the conntrack file
-	#
-	if ( $zoneref ) {
-	    $zone = $zoneref->{name};
-	} else {
-	    ($zone, $source) = split /:/, $source, 2;
-	    $zoneref = find_zone ( $zone );
-	}
-
-	$chainref = ensure_raw_chain( notrack_chain $zone );
-	$restriction = OUTPUT_RESTRICT if $zoneref->{type}  & (FIREWALL | VSERVER );
-	fatal_error 'USER/GROUP is not allowed unless the SOURCE zone is $FW or a Vserver zone' if $user ne '-' && $restriction != OUTPUT_RESTRICT;
-    }
+    fatal_error 'USER/GROUP is not allowed unless the SOURCE zone is $FW or a Vserver zone' if $user ne '-' && $restriction != OUTPUT_RESTRICT;
+    require_capability 'RAW_TABLE', 'Notrack rules', '';

    my $target = $action;
    my $exception_rule = '';
-    my $rule = do_proto( $proto, $ports, $sports ) . do_user ( $user ) . do_condition( $switch , $chainref->{name} );
+    my $rule = do_proto( $proto, $ports, $sports ) . do_user ( $user );

-    if ( $action eq 'NOTRACK' ) {
-	#
-	# A patch that deimplements the NOTRACK target has been posted on the
-	# Netfilter development list
-	#
-	$action = 'CT --notrack' if have_capability 'CT_TARGET';
-    } elsif ( $action ne 'DROP' ) {
+    unless ( $action eq 'NOTRACK' ) {
 	(  $target, my ( $option, $args, $junk ) ) = split ':', $action, 4;

 	fatal_error "Invalid notrack ACTION ( $action )" if $junk || $target ne 'CT';

-	require_capability 'CT_TARGET', 'CT entries in the conntrack file', '';
+	require_capability 'CT_TARGET', 'CT entries in the notrack file', '';

 	if ( $option eq 'notrack' ) {
-	    fatal_error "Invalid conntrack ACTION ( $action )" if supplied $args;
+	    fatal_error "Invalid notrack ACTION ( $action )" if supplied $args;
 	    $action = 'CT --notrack';
 	} else {
 	    fatal_error "Invalid or missing CT option and arguments" unless supplied $option && supplied $args;

 	    if ( $option eq 'helper' ) {
-		my $modifiers = '';
-
-		if ( $args =~ /^([-\w.]+)\((.+)\)$/ ) {
-		    $args      = $1;
-		    $modifiers = $2;
-		}
-
 		fatal_error "Invalid helper' ($args)" if $args =~ /,/;
 		validate_helper( $args, $proto );
-		$action = "CT --helper $helpers_aliases{$args}";
+		$action = "CT --helper $args";
 		$exception_rule = do_proto( $proto, '-', '-' );
-
-		for my $mod ( split_list1( $modifiers, 'ctevents' ) ) {
-		    fatal_error "Invalid helper option ($mod)" unless $mod =~ /^(\w+)=(.+)$/;
-		    $mod    = $1;
-		    my $val = $2;
-		    
-		    if ( $mod eq 'ctevents' ) {
-			for ( split_list( $val, 'ctevents' ) ) {
-			    fatal_error "Invalid 'ctevents' event ($_)" unless $valid_ctevent{$_};
-			}
-
-			$action .= " --ctevents $val";
-		    } elsif ( $mod eq 'expevents' ) {
-			fatal_error "Invalid expevent argument ($val)" unless $val eq 'new';
-			$action .= ' --expevents new';
-		    } else {
-			fatal_error "Invalid helper option ($mod)";
-		    }
+	    } elsif ( $option eq 'ctevents' ) {
+		for ( split ',', $args ) {
+		    fatal_error "Invalid 'ctevents' event ($_)" unless $valid_ctevent{$_};
 		}
+
+		$action = "CT --ctevents $args";
+	    } elsif ( $option eq 'expevent' ) {
+		fatal_error "Invalid expevent argument ($args)" unless $args eq 'new';
+	    } elsif ( $option eq 'zone' ) {
+		fatal_error "Invalid zone id ($args)" unless $args =~ /^\d+$/;
 	    } else {
 		fatal_error "Invalid CT option ($option)";
 	    }
@@ -152,142 +106,64 @@ sub process_conntrack_rule( $$$$$$$$$$ ) {
 		 $target ,
 		 $exception_rule );
    
-    progress_message "  Conntrack rule \"$currentline\" $done";
-}
+    progress_message "  Notrack rule \"$currentline\" $done";

-sub handle_helper_rule( $$$$$$$$$$$ ) {
-    my ( $helper, $source, $dest, $proto, $ports, $sports, $sourceref, $action_target, $actionchain, $user, $rule ) = @_;
-
-    if ( $helper ne '-' ) {
-	fatal_error "A HELPER is not allowed with this ACTION" if $action_target;
-	#
-	# This means that an ACCEPT or NAT rule with a helper is being processed
-	#
-	process_conntrack_rule( $actionchain ? ensure_raw_chain( $actionchain ) : undef ,
-				$sourceref ,
-				"CT:helper:$helper",
-				$source ,
-				$dest ,
-				$proto ,
-				$ports ,
-				$sports ,
-				$user,
-				'-',
-			      );
-    } else {
-	assert( $action_target );
-	#
-	# The target is an action
-	#
-	if ( $actionchain ) {
-	    #
-	    # And the source is another action chain
-	    #
-	    expand_rule( ensure_raw_chain( $actionchain ) ,
-			 PREROUTE_RESTRICT ,
-			 $rule ,
-			 $source ,
-			 $dest ,
-			 '' ,
-			 $action_target ,
-			 '',
-			 'CT' ,
-			 '' );
-	} else {
-	    expand_rule( ensure_raw_chain( notrack_chain( $sourceref->{name} ) ) ,
-			 ( $sourceref->{type} == FIREWALL || $sourceref->{type} == VSERVER ?
-			   OUTPUT_RESTRICT :
-			   PREROUTE_RESTRICT ) ,
-			 $rule ,
-			 $source ,
-			 $dest ,
-			 '' ,
-			 $action_target ,
-			 '' ,
-			 'CT' ,
-			 '' );
-	}
-    }
+    $globals{UNTRACKED} = 1;
 }

 sub process_format( $ ) {
    my $format = shift;

-    fatal_error q(FORMAT must be '1', '2' or '3') unless $format =~ /^[123]$/;
-    format_warning;
+    fatal_error q(FORMAT must be '1' or '2') unless $format =~ /^[12]$/;

-    $file_format = $format;
+    $format;
 }

-sub setup_conntrack() {
+sub setup_notrack() {

-    for my $name ( qw/notrack conntrack/ ) {
+    my $format = 1;
+    my $action = 'NOTRACK';

-	my $fn = open_file( $name, 3 , 1 );
+    if ( my $fn = open_file 'notrack' ) {

-	if ( $fn ) {
+	first_entry "$doing $fn...";

-	    my $action;
+	my $nonEmpty = 0;

-	    my $empty = 1;
+	while ( read_a_line ) {	    
+	    my ( $source, $dest, $proto, $ports, $sports, $user );

-	    first_entry( "$doing $fn..." );
+	    if ( $format == 1 ) {
+		( $source, $dest, $proto, $ports, $sports, $user ) = split_line1 'Notrack File', { source => 0, dest => 1, proto => 2, dport => 3, sport => 4, user => 5 };
 		
-	    while ( read_a_line( NORMAL_READ ) ) {
-		my ( $source, $dest, $protos, $ports, $sports, $user, $switch );
+		if ( $source eq 'FORMAT' ) {
+		    $format = process_format( $dest );
+		    next;
+		}
 		
-		if ( $file_format == 1 ) {
-		    ( $source, $dest, $protos, $ports, $sports, $user, $switch ) = split_line1 'Conntrack File', { source => 0, dest => 1, proto => 2, dport => 3, sport => 4, user => 5, switch => 6 };
+		if ( $source eq 'COMMENT' ) {
+		    process_comment;
+		    next;
+		}	    
+	    } else {
+		( $action, $source, $dest, $proto, $ports, $sports, $user ) = split_line1 'Notrack File', { action => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5, user => 6 }, { COMMENT => 0, FORMAT => 2 };
+		
+		if ( $action eq 'FORMAT' ) {
+		    $format = process_format( $source );
 		    $action = 'NOTRACK';
-		} else {
-		    ( $action, $source, $dest, $protos, $ports, $sports, $user, $switch ) = split_line1 'Conntrack File', { action => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5, user => 6, switch => 7 };
+		    next;
 		}
 		
-		$empty = 0;
-
-		for my $proto ( split_list $protos, 'Protocol' ) {
-		    if ( $file_format < 3 ) {
-			if ( $source =~ /^all(-)?(:(.+))?$/ ) {
-			    fatal_error 'USER/GROUP is not allowed unless the SOURCE zone is $FW or a Vserver zone' if $user ne '-';
-			    for my $zone ( $1 ? off_firewall_zones : all_zones ) {
-				process_conntrack_rule( undef ,
-							undef,
-							$action,
-							$zone . ( $2 || ''),
-							$dest,
-							$proto,
-							$ports,
-							$sports,
-							$user ,
-							$switch );
-			    }
-			} else {
-			    process_conntrack_rule( undef, undef, $action, $source, $dest, $proto, $ports, $sports, $user, $switch );
-			}
-		    } elsif ( $action =~ s/:O$// ) {
-			process_conntrack_rule( $raw_table->{OUTPUT}, undef, $action, $source, $dest, $proto, $ports, $sports, $user, $switch );
-		    } elsif ( $action =~ s/:OP// || $action =~ s/:PO// ) {
-			process_conntrack_rule( $raw_table->{PREROUTING}, undef, $action, $source, $dest, $proto, $ports, $sports, $user, $switch );
-			process_conntrack_rule( $raw_table->{OUTPUT},     undef, $action, $source, $dest, $proto, $ports, $sports, $user, $switch );
-		    } else {
-			$action =~ s/:P//;
-			process_conntrack_rule( $raw_table->{PREROUTING}, undef, $action, $source, $dest, $proto, $ports, $sports, $user, $switch );
-		    }
+		if ( $action eq 'COMMENT' ) {
+		    process_comment;
+		    next;
 		}	    
 	    }
 	    
-	    if ( $name eq 'notrack') {
-		if ( $empty ) {
-		    if ( unlink( $fn ) ) {
-			warning_message "Empty notrack file ($fn) removed";
-		    } else {
-			warning_message "Unable to remove empty notrack file ($fn): $!";
-		    }
-		} else {
-		    warning_message "Non-empty notrack file ($fn); please move its contents to the conntrack file";
-		}
-	    }
+	    process_notrack_rule $action, $source, $dest, $proto, $ports, $sports, $user;
 	}
+
+	clear_comment;
    }
 }

--- a/Shorewall/Perl/Shorewall/Rules.pm
+++ b/Shorewall/Perl/Shorewall/Rules.pm
--- a/Shorewall/Perl/Shorewall/Tc.pm
+++ b/Shorewall/Perl/Shorewall/Tc.pm
--- a/Shorewall/Perl/Shorewall/Tunnels.pm
+++ b/Shorewall/Perl/Shorewall/Tunnels.pm
@@ -2,6 +2,7 @@
 # Shorewall 4.4 -- /usr/share/shorewall/Shorewall/Tunnels.pm
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
+#
 #     (c) 2007,2008,2009,2010,2011 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
@@ -61,7 +62,7 @@ sub setup_tunnels() {
 	    }
 	}

-	my @options = have_capability( 'RAW_TABLE' ) ? state_imatch 'NEW,UNTRACKED' : state_imatch 'NEW';
+	my @options = $globals{UNTRACKED} ? state_imatch 'NEW,UNTRACKED' : state_imatch 'NEW';

 	add_tunnel_rule $inchainref,  p => 50, @$source;
 	add_tunnel_rule $outchainref, p => 50, @$dest;
@@ -125,9 +126,9 @@ sub setup_tunnels() {
    sub setup_pptp_server {
 	my ($inchainref, $outchainref, $kind, $source, $dest ) = @_;

-	add_tunnel_rule $inchainref,  p => 47, @$source;
-	add_tunnel_rule $outchainref, p => 47, @$dest;
-	add_tunnel_rule $inchainref,  p => 'tcp --dport 1723', @$source
+	add_tunnel_rule $inchainref,  p => 47, @$dest;
+	add_tunnel_rule $outchainref, p => 47, @$source;
+	add_tunnel_rule $inchainref,  p => 'tcp --dport 1723', @$dest
 	}

    sub setup_one_openvpn {
@@ -233,7 +234,7 @@ sub setup_tunnels() {
    }

    sub setup_one_tunnel($$$$) {
-	my ( $kind , $zone, $gateways, $gatewayzones ) = @_;
+	my ( $kind , $zone, $gateway, $gatewayzones ) = @_;

 	my $zonetype = zone_type( $zone );

@@ -242,42 +243,35 @@ sub setup_tunnels() {
 	my $inchainref  = ensure_rules_chain( rules_chain( ${zone}, ${fw} ) );
 	my $outchainref = ensure_rules_chain( rules_chain( ${fw}, ${zone} ) );

-	$gateways = ALLIP if $gateways eq '-';
+	$gateway = ALLIP if $gateway eq '-';

-	my ( $net, $excl ) = handle_network_list( $gateways , 'src' );
-	( $net, $excl )    = handle_network_list( $gateways , 'dst' );
+	my @source = imatch_source_net $gateway;
+	my @dest   = imatch_dest_net   $gateway;

-	fatal_error "Exclusion is not allowed in the GATEWAYS column" if $excl;
+	my %tunneltypes = ( 'ipsec'         => { function => \&setup_one_ipsec ,         params   => [ $kind, \@source, \@dest , $gatewayzones ] } ,
+			    'ipsecnat'      => { function => \&setup_one_ipsec ,         params   => [ $kind, \@source, \@dest , $gatewayzones ] } ,
+			    'ipip'          => { function => \&setup_one_other,          params   => [ \@source, \@dest , 4 ] } ,
+			    'gre'           => { function => \&setup_one_other,          params   => [ \@source, \@dest , 47 ] } ,
+			    '6to4'          => { function => \&setup_one_other,          params   => [ \@source, \@dest , 41 ] } ,
+			    '6in4'          => { function => \&setup_one_other,          params   => [ \@source, \@dest , 41 ] } ,
+			    'pptpclient'    => { function => \&setup_pptp_client,        params   => [ $kind, \@source, \@dest ] } ,
+			    'pptpserver'    => { function => \&setup_pptp_server,        params   => [ $kind, \@source, \@dest ] } ,
+			    'openvpn'       => { function => \&setup_one_openvpn,        params   => [ $kind, \@source, \@dest ] } ,
+			    'openvpnclient' => { function => \&setup_one_openvpn_client, params   => [ $kind, \@source, \@dest ] } ,
+			    'openvpnserver' => { function => \&setup_one_openvpn_server, params   => [ $kind, \@source, \@dest ] } ,
+			    'l2tp'          => { function => \&setup_one_l2tp ,          params   => [ $kind, \@source, \@dest ] } ,
+			    'generic'       => { function => \&setup_one_generic ,       params   => [ $kind, \@source, \@dest ] } ,
+			  );

-	for my $gateway ( split_list $gateways, 'GATEWAYS' ) {
-	    my @source = imatch_source_net $gateway;
-	    my @dest   = imatch_dest_net   $gateway;
+	$kind = "\L$kind";

-	    my %tunneltypes = ( 'ipsec'         => { function => \&setup_one_ipsec ,         params   => [ $kind, \@source, \@dest , $gatewayzones ] } ,
-				'ipsecnat'      => { function => \&setup_one_ipsec ,         params   => [ $kind, \@source, \@dest , $gatewayzones ] } ,
-				'ipip'          => { function => \&setup_one_other,          params   => [ \@source, \@dest , 4 ] } ,
-				'gre'           => { function => \&setup_one_other,          params   => [ \@source, \@dest , 47 ] } ,
-				'6to4'          => { function => \&setup_one_other,          params   => [ \@source, \@dest , 41 ] } ,
-				'6in4'          => { function => \&setup_one_other,          params   => [ \@source, \@dest , 41 ] } ,
-				'pptpclient'    => { function => \&setup_pptp_client,        params   => [ $kind, \@source, \@dest ] } ,
-				'pptpserver'    => { function => \&setup_pptp_server,        params   => [ $kind, \@source, \@dest ] } ,
-				'openvpn'       => { function => \&setup_one_openvpn,        params   => [ $kind, \@source, \@dest ] } ,
-				'openvpnclient' => { function => \&setup_one_openvpn_client, params   => [ $kind, \@source, \@dest ] } ,
-				'openvpnserver' => { function => \&setup_one_openvpn_server, params   => [ $kind, \@source, \@dest ] } ,
-				'l2tp'          => { function => \&setup_one_l2tp ,          params   => [ $kind, \@source, \@dest ] } ,
-				'generic'       => { function => \&setup_one_generic ,       params   => [ $kind, \@source, \@dest ] } ,
-			      );
+	(my $type) = split /:/, $kind;

-	    $kind = "\L$kind";
+	my $tunnelref = $tunneltypes{ $type };

-	    (my $type) = split /:/, $kind;
+	fatal_error "Tunnels of type $type are not supported" unless $tunnelref;

-	    my $tunnelref = $tunneltypes{ $type };
-
-	    fatal_error "Tunnels of type $type are not supported" unless $tunnelref;
-
-	    $tunnelref->{function}->( $inchainref, $outchainref, @{$tunnelref->{params}} );
-	}
+	$tunnelref->{function}->( $inchainref, $outchainref, @{$tunnelref->{params}} );

 	progress_message "   Tunnel \"$currentline\" $done";
    }
@@ -285,19 +279,25 @@ sub setup_tunnels() {
    #
    # Setup_Tunnels() Starts Here
    #
-    if ( my $fn = open_file( 'tunnels', 1, 1 ) ) {
+    if ( my $fn = open_file 'tunnels' ) {

 	first_entry "$doing $fn...";

-	while ( read_a_line( NORMAL_READ ) ) {
+	while ( read_a_line ) {

-	    my ( $kind, $zone, $gateway, $gatewayzones ) = split_line1 'tunnels file', { type => 0, zone => 1, gateway => 2, gateways => 2, gateway_zone => 3 , gateway_zones => 3 }, {}, 4;
+	    my ( $kind, $zone, $gateway, $gatewayzones ) = split_line1 'tunnels file', { type => 0, zone => 1, gateway => 2, gateway_zone => 3 };

 	    fatal_error 'TYPE must be specified' if $kind eq '-';
-
 	    fatal_error 'ZONE must be specified' if $zone eq '-';
-	    setup_one_tunnel $kind, $zone, $gateway, $gatewayzones;
+
+	    if ( $kind eq 'COMMENT' ) {
+		process_comment;
+	    } else {
+		setup_one_tunnel $kind, $zone, $gateway, $gatewayzones;
+	    }
 	}
+
+	clear_comment;
    }
 }

--- a/Shorewall/Perl/Shorewall/Zones.pm
+++ b/Shorewall/Perl/Shorewall/Zones.pm
--- a/Shorewall/Perl/compiler.pl
+++ b/Shorewall/Perl/compiler.pl
@@ -37,8 +37,6 @@
 #         --log_verbosity=<number>    # Log Verbosity range -1 to 2
 #         --family=<number>           # IP family; 4 = IPv4 (default), 6 = IPv6
 #         --preview                   # Preview the ruleset.
-#         --shorewallrc=<path>        # Path to global shorewallrc file.
-#         --shorewallrc1=<path>       # Path to export shorewallrc file.
 #         --config_path=<path-list>   # Search path for config files
 #
 use strict;
@@ -49,9 +47,7 @@ use Getopt::Long;

 sub usage( $ ) {

-    print STDERR << '_EOF_';
-
-usage: compiler.pl [ <option> ... ] [ <filename> ]
+    print STDERR 'usage: compiler.pl [ <option> ... ] [ <filename> ]

  options are:
    [ --export ]
@@ -69,12 +65,8 @@ usage: compiler.pl [ <option> ... ] [ <filename> ]
    [ --annotate ]
    [ --update ]
    [ --convert ]
-    [ --directives ]
-    [ --shorewallrc=<pathname> ]
-    [ --shorewallrc1=<pathname> ]
    [ --config_path=<path-list> ]
-
-_EOF_
+';

    exit shift @_;
 }
@@ -98,10 +90,7 @@ my $preview       = 0;
 my $annotate      = 0;
 my $update        = 0;
 my $convert       = 0;
-my $directives    = 0;
 my $config_path   = '';
-my $shorewallrc   = '';
-my $shorewallrc1  = '';

 Getopt::Long::Configure ('bundling');

@@ -129,14 +118,10 @@ my $result = GetOptions('h'               => \$help,
 			'confess'         => \$confess,
 			'a'               => \$annotate,
 			'annotate'        => \$annotate,
-			'directives'      => \$directives,
-			'D'               => \$directives,
 			'u'               => \$update,
 			'update'          => \$update,
 			'convert'         => \$convert,
 			'config_path=s'   => \$config_path,
-			'shorewallrc=s'   => \$shorewallrc,
-			'shorewallrc1=s'  => \$shorewallrc1,
 		       );

 usage(1) unless $result && @ARGV < 2;
@@ -158,8 +143,5 @@ compiler( script          => $ARGV[0] || '',
 	  update          => $update,
 	  convert         => $convert,
 	  annotate        => $annotate,
-	  directives      => $directives,
 	  config_path     => $config_path,
-	  shorewallrc     => $shorewallrc,
-	  shorewallrc1    => $shorewallrc1,
 	);
--- a/Shorewall/Perl/getparams
+++ b/Shorewall/Perl/getparams
@@ -25,25 +25,15 @@
 #
 #      $1 = Path name of params file
 #      $2 = $CONFIG_PATH
-#      $3 = Address family (4 or 6)
+#      $3 = Address family (4 o4 6)
 #
 if [ "$3" = 6 ]; then
-    PRODUCT=shorewall6
+    g_program=shorewall6
 else
-    PRODUCT=shorewall
+    g_program=shorewall
 fi

-#
-# This is modified by the installer when ${SHAREDIR} != /usr/share
-#
-. /usr/share/shorewall/shorewallrc
-
-g_program=$PRODUCT
-g_sharedir="$SHAREDIR/shorewall"
-g_confdir="$CONFDIR/$PRODUCT"
-g_readrc=1
-
-. $g_sharedir/lib.cli
+. /usr/share/shorewall/lib.cli

 CONFIG_PATH="$2"

--- a/Shorewall/Perl/lib.core
+++ b/Shorewall/Perl/lib.core
--- a/Shorewall/Perl/prog.footer
+++ b/Shorewall/Perl/prog.footer
@@ -33,25 +33,25 @@ usage() {
 }

 checkkernelversion() {
-?if __IPV6
    local kernel

-    kernel=$(uname -r 2> /dev/null | sed -e 's/-.*//')
+    if [ $g_family -eq 6 ]; then
+	kernel=$(uname -r 2> /dev/null | sed -e 's/-.*//')

-    case "$kernel" in
-	*.*.*)
-	    kernel=$(printf "%d%02d%02d" $(echo $kernel | sed -e 's/^\([0-9][0-9]*\)\.\([0-9][0-9]*\)\.\([0-9][0-9]*\).*$/\1 \2 \3/g'))
-	    ;;
-	*)
-	    kernel=$(printf "%d%02d00" $(echo $kernel | sed -e 's/^\([0-9][0-9]*\)\.\([0-9][0-9]*\).*$/\1 \2/g'))
-	    ;;
-    esac
+	case "$kernel" in 
+	    *.*.*)
+		kernel=$(printf "%d%02d%02d" $(echo $kernel | sed -e 's/^\([0-9][0-9]*\)\.\([0-9][0-9]*\)\.\([0-9][0-9]*\).*$/\1 \2 \3/g'))
+		;;
+	    *)
+		kernel=$(printf "%d%02d00" $(echo $kernel | sed -e 's/^\([0-9][0-9]*\)\.\([0-9][0-9]*\).*$/\1 \2/g'))
+		;;
+	esac

-    if [ $kernel -lt 20624 ]; then
-	error_message "ERROR: $g_product requires Linux kernel 2.6.24 or later"
-	return 1
+	if [ $kernel -lt 20624 ]; then
+	    error_message "ERROR: $g_product requires Linux kernel 2.6.24 or later"
+	    return 1
+	fi
    fi
-?endif

    return 0
 }
@@ -235,8 +235,8 @@ case "$COMMAND" in
 	    status=2
 	elif checkkernelversion; then
 	    if [ $# -eq 1 ]; then
-		$g_tool -Z
-		$g_tool -t mangle -Z
+		$IP6TABLES -Z
+		$IP6TABLES -t mangle -Z
 		date > ${VARDIR}/restarted
 		status=0
 		progress_message3 "$g_product Counters Reset"
@@ -245,7 +245,7 @@ case "$COMMAND" in
 		status=0
 		for chain in $@; do
 		    if chain_exists $chain; then
-			if qt $g_tool-Z $chain; then
+			if qt $IP6TABLES -Z $chain; then
 			    progress_message3 "Filter $chain Counters Reset"
 			else
 			    error_message "ERROR: Reset of chain $chain failed"
@@ -348,9 +348,7 @@ case "$COMMAND" in
 	[ $# -eq 1 ] && exit 0
 	shift
 	[ $# -ne 1 ] && usage 2
-	mutex_on
-	( updown $1 )
-	mutex_off
+	updown $1
 	status=0
 	;;
    enable)
--- a/Shorewall/Perl/prog.header
+++ b/Shorewall/Perl/prog.header
@@ -0,0 +1,402 @@
+#     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
+#
+#     (c) 1999-2011 - Tom Eastep (teastep@shorewall.net)
+#
+#	Options are:
+#
+#	    -n				  Don't alter Routing
+#	    -v and -q			  Standard Shorewall Verbosity control
+#           -t                            Timestamp progress messages
+#           -p                            Purge conntrack table
+#           -r                            Recover from failed start/restart
+#           -V <verbosity>                Set verbosity level explicitly
+#           -R <restore>                  Overrides RESTOREFILE setting
+#
+#	Commands are:
+#
+#	   start			  Starts the firewall
+#          refresh                        Refresh the firewall
+#	   restart			  Restarts the firewall
+#	   reload			  Reload the firewall
+#	   clear			  Removes all firewall rules
+#	   stop				  Stops the firewall
+#	   status			  Displays firewall status
+#	   version			  Displays the version of Shorewall that
+#	   				  generated this program
+#
+################################################################################
+# Functions imported from /usr/share/shorewall/prog.header
+################################################################################
+#
+# Find the value 'weight' in the passed arguments then echo the next value
+#
+
+find_weight() {
+    while [ $# -gt 1 ]; do
+	[ "x$1" = xweight ] && echo $2 && return
+	shift
+    done
+}
+
+#
+# Find the interfaces that have a route to the passed address - the default
+# route is not used.
+#
+
+find_rt_interface() {
+    $IP -4 route list | while read addr rest; do
+	case $addr in
+	    */*)
+		in_network ${1%/*} $addr && echo $(find_device $rest)
+		;;
+	    default)
+		;;
+	    *)
+		if [ "$addr" = "$1" -o "$addr/32" = "$1" ]; then
+		    echo $(find_device $rest)
+		fi
+		;;
+	esac
+    done
+}
+
+#
+# Echo the name of the interface(s) that will be used to send to the
+# passed address
+#
+
+find_interface_by_address() {
+    local dev
+    dev="$(find_rt_interface $1)"
+    local first
+    local rest
+
+    [ -z "$dev" ] && dev=$(find_default_interface)
+
+    [ -n "$dev" ] && echo $dev
+}
+
+#
+#  echo the list of networks routed out of a given interface
+#
+get_routed_networks() # $1 = interface name, $2-n = Fatal error message
+{
+    local address
+    local rest
+
+    $IP -4 route show dev $1 2> /dev/null |
+	while read address rest; do
+	    case "$address" in
+		default)
+		    if [ $# -gt 1 ]; then
+			shift
+			fatal_error "$@"
+		    else
+			echo "WARNING: default route ignored on interface $1" >&2
+		    fi
+		    ;;
+		multicast|broadcast|prohibit|nat|throw|nexthop)
+		    ;;
+		*)
+		    [ "$address" = "${address%/*}" ] && address="${address}/32"
+		    echo $address
+		    ;;
+	    esac
+        done
+}
+
+#
+# Get the broadcast addresses associated with an interface
+#
+get_interface_bcasts() # $1 = interface
+{
+    local addresses
+    addresses=
+
+    $IP -f inet addr show dev $1 2> /dev/null | grep 'inet.*brd' | sed 's/inet.*brd //; s/scope.*//;' | sort -u
+}
+
+#
+# Delete IP address
+#
+del_ip_addr() # $1 = address, $2 = interface
+{
+    [ $(find_first_interface_address_if_any $2) = $1 ] || qtnoin $IP addr del $1 dev $2
+}
+
+# Add IP Aliases
+#
+add_ip_aliases() # $* = List of addresses
+{
+    local local
+    local addresses
+    local external
+    local interface
+    local inet
+    local cidr
+    local rest
+    local val
+    local arping
+    arping=$(mywhich arping)
+
+    address_details()
+    {
+	#
+	# Folks feel uneasy if they don't see all of the same
+	# decoration on these IP addresses that they see when their
+	# distro's net config tool adds them. In an attempt to reduce
+	# the anxiety level, we have the following code which sets
+	# the VLSM and BRD from an existing address in the same networks
+	#
+	# Get all of the lines that contain inet addresses with broadcast
+	#
+	$IP -f inet addr show $interface 2> /dev/null | grep 'inet.*brd' | while read inet cidr rest ; do
+	    case $cidr in
+		*/*)
+		    if in_network $external $cidr; then
+			echo "/${cidr#*/} brd $(broadcastaddress $cidr)"
+			break
+		    fi
+		    ;;
+	    esac
+	done
+    }
+
+    do_one()
+    {
+	val=$(address_details)
+
+	$IP addr add ${external}${val} dev $interface $label
+	[ -n "$arping" ] && qt $arping -U -c 2 -I $interface $external
+	echo "$external $interface" >> $VARDIR/nat
+	[ -n "$label" ] && label="with $label"
+	progress_message "   IP Address $external added to interface $interface $label"
+    }
+
+    progress_message "Adding IP Addresses..."
+
+    while [ $# -gt 0 ]; do
+	external=$1
+	interface=$2
+	label=
+
+	if [ "$interface" != "${interface%:*}" ]; then
+	    label="${interface#*:}"
+	    interface="${interface%:*}"
+	    label="label $interface:$label"
+	fi
+
+	shift 2
+
+	list_search $external $(find_interface_addresses $interface) || do_one
+    done
+}
+
+#
+# Detect the gateway through a PPP or DHCP-configured interface
+#
+detect_dynamic_gateway() { # $1 = interface
+    local interface
+    interface=$1
+    local GATEWAYS
+    GATEWAYS=
+    local gateway
+
+    gateway=$(run_findgw_exit $1);
+
+    if [ -z "$gateway" ]; then
+	gateway=$( find_peer $($IP addr list $interface ) )
+    fi
+
+    if [ -z "$gateway" -a -f /var/lib/dhcpcd/dhcpcd-${1}.info ]; then
+	eval $(grep ^GATEWAYS=  /var/lib/dhcpcd/dhcpcd-${1}.info 2> /dev/null)
+	[ -n "$GATEWAYS" ] && GATEWAYS=${GATEWAYS%,*} && gateway=$GATEWAYS
+    fi
+
+    if [ -z "$gateway" -a -f /var/lib/dhcp/dhclient-${1}.lease ]; then
+	gateway=$(grep 'option routers' /var/lib/dhcp/dhclient-${1}.lease | tail -n 1 | while read j1 j2 gateway; do echo $gateway ; return 0; done)
+    fi
+
+    [ -n "$gateway" ] && echo $gateway
+}
+
+#
+# Detect the gateway through an interface
+#
+detect_gateway() # $1 = interface
+{
+    local interface
+    interface=$1
+    local gateway
+    #
+    # First assume that this is some sort of dynamic interface
+    #
+    gateway=$( detect_dynamic_gateway $interface )
+    #
+    # Maybe there's a default route through this gateway already
+    #
+    [ -n "$gateway" ] || gateway=$(find_gateway $($IP -4 route list dev $interface | grep ^default))
+    #
+    # Last hope -- is there a load-balancing route through the interface?
+    #
+    [ -n "$gateway" ] || gateway=$(find_nexthop $interface)
+    #
+    # Be sure we found one
+    #
+    [ -n "$gateway" ] && echo $gateway
+}
+
+#
+# Disable IPV6
+#
+disable_ipv6() {
+    local foo
+    foo="$($IP -f inet6 addr list 2> /dev/null)"
+
+    if [ -n "$foo" ]; then
+	if [ -x "$IP6TABLES" ]; then
+	    $IP6TABLES -P FORWARD DROP
+	    $IP6TABLES -P INPUT DROP
+	    $IP6TABLES -P OUTPUT DROP
+	    $IP6TABLES -F
+	    $IP6TABLES -X
+	    $IP6TABLES -A OUTPUT -o lo -j ACCEPT
+	    $IP6TABLES -A INPUT -i lo -j ACCEPT
+	else
+	    error_message "WARNING: DISABLE_IPV6=Yes in shorewall.conf but this system does not appear to have ip6tables"
+	fi
+    fi
+}
+
+#
+# Add an additional gateway to the default route
+#
+add_gateway() # $1 = Delta $2 = Table Number
+{
+    local route
+    local weight
+    local delta
+    local dev
+    
+    route=`$IP -4 -o route ls table $2 | grep ^default | sed 's/default //; s/[\]//g'`
+
+    if [ -z "$route" ]; then
+	run_ip route add default scope global table $2 $1
+    else
+	delta=$1
+
+	if ! echo $route | fgrep -q ' nexthop '; then
+	    route=`echo $route | sed 's/via/nexthop via/'`
+	    dev=$(find_device $route)
+	    if [ -f ${VARDIR}/${dev}_weight ]; then
+		weight=`cat ${VARDIR}/${dev}_weight`
+		route="$route weight $weight"
+	    fi
+	fi
+
+	run_ip route replace default scope global table $2 $route $delta
+    fi
+}
+
+#
+# Remove a gateway from the default route
+#
+delete_gateway() # $! = Description of the Gateway $2 = table number $3 = device
+{
+    local route
+    local gateway
+    local dev
+
+    route=`$IP -4 -o route ls table $2 | grep ^default | sed 's/[\]//g'`
+    gateway=$1
+  
+    if [ -n "$route" ]; then
+	if echo $route | fgrep -q ' nexthop '; then
+	    gateway="nexthop $gateway"
+	    eval route=\`echo $route \| sed \'s/$gateway/ /\'\`
+	    run_ip route replace table $2 $route
+	else
+	    dev=$(find_device $route)
+	    [ "$dev" = "$3" ] && run_ip route delete default table $2
+	fi
+    fi
+}
+
+#
+# Determine the MAC address of the passed IP through the passed interface
+#
+find_mac() # $1 = IP address, $2 = interface
+{
+    if interface_is_usable $2 ; then
+	qt ping -nc 1 -t 2 -I $2 $1
+
+	local result
+	result=$($IP neigh list |  awk "/^$1 / {print \$5}")
+
+	case $result in
+	    \<*\>)
+		;;
+	    *)
+		[ -n "$result" ] && echo $result
+		;;
+	esac
+    fi
+}
+
+#
+# Clear Proxy Arp
+#
+delete_proxyarp() {
+    if [ -f ${VARDIR}/proxyarp ]; then
+	while read address interface external haveroute; do
+	    qtnoin $IP -4 neigh del proxy $address dev $external
+	    [ -z "${haveroute}${g_noroutes}" ] && qtnoin $IP -4 route del $address/32 dev $interface
+	    f=/proc/sys/net/ipv4/conf/$interface/proxy_arp
+	    [ -f $f ] && echo 0 > $f
+	done < ${VARDIR}/proxyarp
+
+	rm -f ${VARDIR}/proxyarp
+    fi
+}
+
+#
+# Remove all Shorewall-added rules
+#
+clear_firewall() {
+    stop_firewall
+
+    setpolicy INPUT ACCEPT
+    setpolicy FORWARD ACCEPT
+    setpolicy OUTPUT ACCEPT
+
+    run_iptables -F
+    qt $IPTABLES -t raw -F
+
+    echo 1 > /proc/sys/net/ipv4/ip_forward
+
+    if [ -n "$DISABLE_IPV6" ]; then
+	if [ -x $IP6TABLES ]; then
+    	    $IP6TABLES -P INPUT   ACCEPT 2> /dev/null
+	    $IP6TABLES -P OUTPUT  ACCEPT 2> /dev/null
+	    $IP6TABLES -P FORWARD ACCEPT 2> /dev/null
+	fi
+    fi
+
+    run_clear_exit
+
+    set_state "Cleared"
+
+    logger -p kern.info "$g_product Cleared"
+}
+
+#
+# Get a list of all configured broadcast addresses on the system
+#
+get_all_bcasts()
+{
+    $IP -f inet addr show 2> /dev/null | grep 'inet.*brd' | grep -v '/32 ' | sed 's/inet.*brd //; s/scope.*//;' | sort -u
+}
+
+################################################################################
+# End of functions in /usr/share/shorewall/prog.header
+################################################################################
--- a/Shorewall/Perl/prog.header6
+++ b/Shorewall/Perl/prog.header6
@@ -0,0 +1,311 @@
+#     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
+#
+#     (c) 1999-2011- Tom Eastep (teastep@shorewall.net)
+#
+#	Options are:
+#
+#	    -n				  Don't alter Routing
+#	    -v and -q			  Standard Shorewall Verbosity control
+#           -t                            Timestamp progress messages
+#           -p                            Purge conntrack table
+#           -r                            Recover from failed start/restart
+#           -V <verbosity>                Set verbosity level explicitly
+#           -R <restore>                  Overrides RESTOREFILE setting
+#
+#	Commands are:
+#
+#	   start			  Starts the firewall
+#          refresh                        Refresh the firewall
+#	   restart			  Restarts the firewall
+#	   reload			  Reload the firewall
+#	   clear			  Removes all firewall rules
+#	   stop				  Stops the firewall
+#	   status			  Displays firewall status
+#	   version			  Displays the version of Shorewall that
+#	   				  generated this program
+#
+################################################################################
+# Functions imported from /usr/share/shorewall/prog.header6
+################################################################################
+#
+# Get all interface addresses with VLSMs
+#
+
+find_interface_full_addresses() # $1 = interface
+{
+    $IP -f inet6 addr show $1 2> /dev/null | grep 'inet6 ' | sed 's/\s*inet6 //;s/ scope.*//;s/ peer.*//'
+}
+
+#
+# Normalize an IPv6 Address by compressing out consecutive zero elements
+#
+normalize_address() # $1 = valid IPv6 Address
+{
+    local address
+    address=$1
+    local j
+
+    while true; do
+	case $address in
+	    ::*)
+		address=0$address
+		;;
+	    *::*)
+		list_count $(split $address)
+
+		j=$?
+
+		if [ $j -eq 7 ]; then
+		    address=${address%::*}:0:${address#*::}
+		elif [ $j -eq 8 ]; then
+		    $address=${address%::*}:${address#*::}
+		    break 2
+		else
+		    address=${address%::*}:0::${address#*::}
+		fi
+		;;
+	    *)
+		echo $address
+		break 2
+		;;
+	esac
+    done
+}
+
+#
+# Reads correctly-formed and fully-qualified host and subnet addresses from STDIN. For each
+# that defines a /120 or larger network, it sends to STDOUT:
+#
+#    The corresponding subnet-router anycast address (all host address bits are zero)
+#    The corresponding anycast addresses defined by RFC 2526 (the last 128 addresses in the subnet)
+#
+convert_to_anycast() {
+    local address
+    local badress
+    local vlsm
+    local host
+    local o
+    local m
+    m=
+    local z
+    z=65535
+    local l
+
+    while read address; do
+	case $address in
+	    2*|3*)
+		vlsm=${address#*/}
+		vlsm=${vlsm:=128}
+
+		if [ $vlsm -le 120 ]; then
+	            #
+	            # Defines a viable subnet -- first get the subnet-router anycast address
+	            #
+		    host=$((128 - $vlsm))
+
+		    address=$(normalize_address ${address%/*})
+
+		    while [ $host -ge 16 ]; do
+			address=${address%:*}
+			host=$(($host - 16))
+		    done
+
+		    if [ $host -gt 0 ]; then
+			#
+			# VLSM is not a multiple of 16
+			#
+			host=$((16 - $host))
+			o=$((0x${address##*:}))
+			m=0
+			while [ $host -gt 0 ]; do
+			    m=$((($m >> 1) | 0x8000))
+			    z=$(($z >> 1))
+			    host=$(($host - 1))
+			done
+
+			o=$(($o & $m))
+
+			badress=${address%:*}
+
+			address=$badress:$(printf %04x $o)
+
+			z=$(($o | $z))
+
+			if [ $vlsm -gt 112 ]; then
+			    z=$(($z & 0xff80))
+			fi
+
+			badress=$badress:$(printf %04x $z)
+		    else
+			badress=$address
+		    fi
+		    #
+		    # Note: at this point $address and $badress are the same except possibly for
+		    #       the contents of the last half-word
+		    #
+		    list_count $(split $address)
+
+		    l=$?
+		    #
+		    # Now generate the anycast addresses defined by RFC 2526
+		    #
+		    if [ $l -lt 8 ]; then
+			#
+			# The subnet-router address
+			#
+			echo $address::
+
+		    	while [ $l -lt 8 ]; do
+			    badress=$badress:ffff
+			    l=$(($l + 1 ))
+			done
+		    else
+			#
+			# The subnet-router address
+			#
+			echo $address
+		    fi
+		    #
+		    # And the RFC 2526 addresses
+		    #
+		    echo $badress/121
+		fi
+		;;
+	esac
+    done
+}
+
+#
+# Generate a list of anycast addresses for a given interface
+#
+
+get_interface_acasts() # $1 = interface
+{
+    local addresses
+    addresses=
+
+    find_interface_full_addresses $1 | convert_to_anycast | sort -u
+}
+
+#
+# Get a list of all configured anycast addresses on the system
+#
+get_all_acasts()
+{
+    find_interface_full_addresses | convert_to_anycast | sort -u
+}
+
+#
+# Detect the gateway through an interface
+#
+detect_gateway() # $1 = interface
+{
+    local interface
+    interface=$1
+    #
+    # First assume that this is some sort of point-to-point interface
+    #
+    gateway=$( find_peer $($IP -6 addr list $interface ) )
+    #
+    # Maybe there's a default route through this gateway already
+    #
+    [ -n "$gateway" ] || gateway=$(find_gateway $($IP -6 route list dev $interface | grep '^default'))
+    #
+    # Last hope -- is there a load-balancing route through the interface?
+    #
+    [ -n "$gateway" ] || gateway=$(find_nexthop $interface)
+    #
+    # Be sure we found one
+    #
+    [ -n "$gateway" ] && echo $gateway
+}
+
+#
+# Add an additional gateway to the default route
+#
+add_gateway() # $1 = Delta $2 = Table Number
+{
+    local route
+    local weight
+    local delta
+    local dev
+    
+    run_ip route add default scope global table $2 $1
+}
+
+#
+# Remove a gateway from the default route
+#
+delete_gateway() # $! = Description of the Gateway $2 = table number $3 = device
+{
+    local route
+    local gateway
+    local dev
+
+    route=`$IP -6 -o route ls table $2 | grep ^default | sed 's/[\]//g'`
+    gateway=$1
+  
+    dev=$(find_device $route)
+    [ "$dev" = "$3" ] && run_ip route delete default table $2
+}
+
+#
+# Determine how to do "echo -e"
+#
+
+find_echo() {
+    local result
+
+    result=$(echo "a\tb")
+    [ ${#result} -eq 3 ] && { echo echo; return; }
+
+    result=$(echo -e "a\tb")
+    [ ${#result} -eq 3 ] && { echo "echo -e"; return; }
+
+    result=$(which echo)
+    [ -n "$result" ] && { echo "$result -e"; return; }
+
+    echo echo
+}
+
+#
+# Clear Proxy NDP
+#
+delete_proxyndp() {
+    if [ -f ${VARDIR}/proxyndp ]; then
+	while read address interface external haveroute; do
+	    qt $IP -6 neigh del proxy $address dev $external
+	    [ -z "${haveroute}${g_noroutes}" ] && qt $IP -6 route del $address/128 dev $interface
+	    f=/proc/sys/net/ipv6/conf/$interface/proxy_ndp
+	    [ -f $f ] && echo 0 > $f
+	done < ${VARDIR}/proxyndp
+
+	rm -f ${VARDIR}/proxyndp
+    fi
+}
+
+#
+# Remove all Shorewall-added rules
+#
+clear_firewall() {
+    stop_firewall
+
+    setpolicy INPUT ACCEPT
+    setpolicy FORWARD ACCEPT
+    setpolicy OUTPUT ACCEPT
+
+    run_iptables -F
+    qt $IP6TABLES -t raw -F
+
+    echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
+
+    run_clear_exit
+
+    set_state "Cleared"
+
+    logger -p kern.info "$g_product Cleared"
+}
+
+################################################################################
+# End of functions imported from /usr/share/shorewall/prog.header6
+################################################################################
--- a/Shorewall/Samples/LICENSE
+++ b/Shorewall/Samples/LICENSE
@@ -55,7 +55,7 @@ modified by someone else and passed on, the recipients should know
 that what they have is not the original version, so that the original
 author's reputation will not be affected by problems that might be
 introduced by others.
-
+
  Finally, software patents pose a constant threat to the existence of
 any free program.  We wish to make sure that a company cannot
 effectively restrict the users of a free program by obtaining a
@@ -111,7 +111,7 @@ modification follow.  Pay close attention to the difference between a
 "work based on the library" and a "work that uses the library".  The
 former contains code derived from the library, whereas the latter must
 be combined with the library in order to run.
-
+
 		  GNU LESSER GENERAL PUBLIC LICENSE
   TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION

@@ -158,7 +158,7 @@ Library.
  You may charge a fee for the physical act of transferring a copy,
 and you may at your option offer warranty protection in exchange for a
 fee.
-
+
  2. You may modify your copy or copies of the Library or any portion
 of it, thus forming a work based on the Library, and copy and
 distribute such modifications or work under the terms of Section 1
@@ -216,7 +216,7 @@ instead of to this License.  (If a newer version than version 2 of the
 ordinary GNU General Public License has appeared, then you can specify
 that version instead if you wish.)  Do not make any other change in
 these notices.
-
+
  Once this change is made in a given copy, it is irreversible for
 that copy, so the ordinary GNU General Public License applies to all
 subsequent copies and derivative works made from that copy.
@@ -267,7 +267,7 @@ Library will still fall under Section 6.)
 distribute the object code for the work under the terms of Section 6.
 Any executables containing that work also fall under Section 6,
 whether or not they are linked directly with the Library itself.
-
+
  6. As an exception to the Sections above, you may also combine or
 link a "work that uses the Library" with the Library to produce a
 work containing portions of the Library, and distribute that work
@@ -329,7 +329,7 @@ restrictions of other proprietary libraries that do not normally
 accompany the operating system.  Such a contradiction means you cannot
 use both them and the Library together in an executable that you
 distribute.
-
+
  7. You may place library facilities that are a work based on the
 Library side-by-side in a single library together with other library
 facilities not covered by this License, and distribute such a combined
@@ -370,7 +370,7 @@ subject to these terms and conditions.  You may not impose any further
 restrictions on the recipients' exercise of the rights granted herein.
 You are not responsible for enforcing compliance by third parties with
 this License.
-
+
  11. If, as a consequence of a court judgment or allegation of patent
 infringement or for any other reason (not limited to patent issues),
 conditions are imposed on you (whether by court order, agreement or
@@ -422,7 +422,7 @@ conditions either of that version or of any later version published by
 the Free Software Foundation.  If the Library does not specify a
 license version number, you may choose any version ever published by
 the Free Software Foundation.
-
+
  14. If you wish to incorporate parts of the Library into other free
 programs whose distribution conditions are incompatible with these,
 write to the author to ask for permission.  For software which is
@@ -456,7 +456,7 @@ SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH
 DAMAGES.

 		     END OF TERMS AND CONDITIONS
-
+
           How to Apply These Terms to Your New Libraries

  If you develop a new library, and you want it to be of the greatest
--- a/Shorewall/Samples/Universal/interfaces
+++ b/Shorewall/Samples/Universal/interfaces
@@ -7,8 +7,6 @@
 # http://www.shorewall.net/manpages/shorewall-interfaces.html
 #
 ###############################################################################
-?FORMAT 2
-###############################################################################
-#ZONE	INTERFACE	OPTIONS
-	lo		ignore
-net	all		dhcp,physical=+,routeback,optional
+#ZONE	INTERFACE	BROADCAST	OPTIONS
+-	lo		-		ignore
+net	all		-		dhcp,physical=+,routeback,optional
--- a/Shorewall/Samples/Universal/rules
+++ b/Shorewall/Samples/Universal/rules
@@ -6,15 +6,13 @@
 # The manpage is also online at
 # http://www.shorewall.net/manpages/shorewall-rules.html
 #
-######################################################################################################################################################################################################
-#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME		HEADERS		SWITCH		HELPER
+###################################################################################################################################################################################
+#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME         HEADERS         SWITCH
 #							PORT	PORT(S)		DEST		LIMIT		GROUP
 #SECTION ALL
 #SECTION ESTABLISHED
 #SECTION RELATED
-#SECTION INVALID
-#SECTION UNTRACKED
 SECTION NEW
-Invalid(DROP)	net		$FW		tcp
+
 SSH(ACCEPT)	net		$FW
 Ping(ACCEPT)	net		$FW
--- a/Shorewall/Samples/Universal/shorewall.conf
+++ b/Shorewall/Samples/Universal/shorewall.conf
@@ -21,9 +21,7 @@ VERBOSITY=1
 #		                L O G G I N G
 ###############################################################################

-BLACKLIST_LOG_LEVEL=
-
-INVALID_LOG_LEVEL=
+BLACKLIST_LOGLEVEL=

 LOG_MARTIANS=Yes

@@ -43,8 +41,6 @@ MACLIST_LOG_LEVEL=info

 RELATED_LOG_LEVEL=

-RPFILTER_LOG_LEVEL=info
-
 SFILTER_LOG_LEVEL=info

 SMURF_LOG_LEVEL=info
@@ -53,17 +49,11 @@ STARTUP_LOG=/var/log/shorewall-init.log

 TCP_FLAGS_LOG_LEVEL=info

-UNTRACKED_LOG_LEVEL=
-
 ###############################################################################
 #	L O C A T I O N	  O F	F I L E S   A N D   D I R E C T O R I E S
 ###############################################################################

-ARPTABLES=
-
-CONFIG_PATH=${CONFDIR}/shorewall:${SHAREDIR}/shorewall
-
-GEOIPDIR=/usr/share/xt_geoip/LE
+CONFIG_PATH=/etc/shorewall:/usr/share/shorewall

 IPTABLES=

@@ -71,12 +61,8 @@ IP=

 IPSET=

-LOCKFILE=
-
 MODULESDIR=

-NFACCT=
-
 PERL=/usr/bin/perl

 PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
@@ -120,15 +106,11 @@ ADD_SNAT_ALIASES=No

 ADMINISABSENTMINDED=Yes

-IGNOREUNKNOWNVARIABLES=No
-
-AUTOCOMMENT=Yes
-
-AUTOHELPERS=Yes
+AUTO_COMMENT=Yes

 AUTOMAKE=No

-BLACKLIST="NEW,INVALID,UNTRACKED"
+BLACKLISTNEWONLY=Yes

 CLAMPMSS=No

@@ -136,8 +118,6 @@ CLEAR_TC=Yes

 COMPLETE=Yes

-DEFER_DNS_RESOLUTION=Yes
-
 DISABLE_IPV6=No

 DELETE_THEN_ADD=Yes
@@ -156,12 +136,8 @@ FASTACCEPT=Yes

 FORWARD_CLEAR_MARK=

-HELPERS=
-
 IMPLICIT_CONTINUE=No

-IPSET_WARNINGS=Yes
-
 IP_FORWARDING=On

 KEEP_RT_TABLES=No
@@ -188,7 +164,7 @@ MUTEX_TIMEOUT=60

 NULL_ROUTE_RFC1918=No

-OPTIMIZE=31
+OPTIMIZE=15

 OPTIMIZE_ACCOUNTING=No

@@ -196,14 +172,10 @@ REQUIRE_INTERFACE=Yes

 RESTORE_DEFAULT_ROUTE=Yes

-RESTORE_ROUTEMARKS=Yes
-
 RETAIN_ALIASES=No

 ROUTE_FILTER=No

-SAVE_ARPTABLES=No
-
 SAVE_IPSETS=No

 TC_ENABLED=Internal
@@ -218,8 +190,6 @@ USE_DEFAULT_RT=No

 USE_PHYSICAL_NAMES=No

-WARNOLDCAPVERSION=Yes
-
 ZONE2ZONE=2

 ###############################################################################
@@ -228,22 +198,16 @@ ZONE2ZONE=2

 BLACKLIST_DISPOSITION=DROP

-INVALID_DISPOSITION=CONTINUE
-
 MACLIST_DISPOSITION=REJECT

 RELATED_DISPOSITION=ACCEPT

-RPFILTER_DISPOSITION=DROP
-
 SMURF_DISPOSITION=DROP

 SFILTER_DISPOSITION=DROP

 TCP_FLAGS_DISPOSITION=DROP

-UNTRACKED_DISPOSITION=CONTINUE
-
 ################################################################################
 #			P A C K E T  M A R K  L A Y O U T
 ################################################################################
--- a/Shorewall/Samples/one-interface/interfaces
+++ b/Shorewall/Samples/one-interface/interfaces
@@ -11,7 +11,5 @@
 #------------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall-interfaces"
 ###############################################################################
-?FORMAT 2
-###############################################################################
-#ZONE	INTERFACE	OPTIONS
-net     eth0            dhcp,tcpflags,logmartians,nosmurfs,sourceroute=0
+#ZONE	INTERFACE	BROADCAST	OPTIONS
+net     eth0            detect          dhcp,tcpflags,logmartians,nosmurfs
--- a/Shorewall/Samples/one-interface/rules
+++ b/Shorewall/Samples/one-interface/rules
@@ -10,20 +10,14 @@
 # See the file README.txt for further details.
 #------------------------------------------------------------------------------------------------------------
 # For information on entries in this file, type "man shorewall-rules"
-######################################################################################################################################################################################################
-#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME		HEADERS		SWITCH		HELPER
+######################################################################################################################################################################################
+#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME         HEADERS         SWITCH
 #							PORT	PORT(S)		DEST		LIMIT		GROUP
 #SECTION ALL
 #SECTION ESTABLISHED
 #SECTION RELATED
-#SECTION INVALID
-#SECTION UNTRACKED
 SECTION NEW

-# Drop packets in the INVALID state
-
-Invalid(DROP)  net    	        $FW		tcp
-
 # Drop Ping from the "bad" net zone.. and prevent your log from being flooded..

 Ping(DROP)	net		$FW
--- a/Shorewall/Samples/one-interface/shorewall.conf
+++ b/Shorewall/Samples/one-interface/shorewall.conf
@@ -32,9 +32,7 @@ VERBOSITY=1
 #		                L O G G I N G
 ###############################################################################

-BLACKLIST_LOG_LEVEL=
-
-INVALID_LOG_LEVEL=
+BLACKLIST_LOGLEVEL=

 LOG_MARTIANS=Yes

@@ -54,8 +52,6 @@ MACLIST_LOG_LEVEL=info

 RELATED_LOG_LEVEL=

-RPFILTER_LOG_LEVEL=info
-
 SFILTER_LOG_LEVEL=info

 SMURF_LOG_LEVEL=info
@@ -64,17 +60,11 @@ STARTUP_LOG=/var/log/shorewall-init.log

 TCP_FLAGS_LOG_LEVEL=info

-UNTRACKED_LOG_LEVEL=
-
 ###############################################################################
 #	L O C A T I O N	  O F	F I L E S   A N D   D I R E C T O R I E S
 ###############################################################################

-ARPTABLES=
-
-CONFIG_PATH=${CONFDIR}/shorewall:${SHAREDIR}/shorewall
-
-GEOIPDIR=/usr/share/xt_geoip/LE
+CONFIG_PATH=/etc/shorewall:/usr/share/shorewall

 IPTABLES=

@@ -82,12 +72,8 @@ IP=

 IPSET=

-LOCKFILE=
-
 MODULESDIR=

-NFACCT=
-
 PERL=/usr/bin/perl

 PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
@@ -131,15 +117,11 @@ ADD_SNAT_ALIASES=No

 ADMINISABSENTMINDED=Yes

-IGNOREUNKNOWNVARIABLES=No
-
-AUTOCOMMENT=Yes
-
-AUTOHELPERS=Yes
+AUTO_COMMENT=Yes

 AUTOMAKE=No

-BLACKLIST="NEW,INVALID,UNTRACKED"
+BLACKLISTNEWONLY=Yes

 CLAMPMSS=No

@@ -147,8 +129,6 @@ CLEAR_TC=Yes

 COMPLETE=No

-DEFER_DNS_RESOLUTION=Yes
-
 DISABLE_IPV6=No

 DELETE_THEN_ADD=Yes
@@ -167,12 +147,8 @@ FASTACCEPT=No

 FORWARD_CLEAR_MARK=

-HELPERS=
-
 IMPLICIT_CONTINUE=No

-IPSET_WARNINGS=Yes
-
 IP_FORWARDING=Off

 KEEP_RT_TABLES=No
@@ -199,7 +175,7 @@ MUTEX_TIMEOUT=60

 NULL_ROUTE_RFC1918=No

-OPTIMIZE=31
+OPTIMIZE=1

 OPTIMIZE_ACCOUNTING=No

@@ -207,14 +183,10 @@ REQUIRE_INTERFACE=No

 RESTORE_DEFAULT_ROUTE=Yes

-RESTORE_ROUTEMARKS=Yes
-
 RETAIN_ALIASES=No

 ROUTE_FILTER=No

-SAVE_ARPTABLES=No
-
 SAVE_IPSETS=No

 TC_ENABLED=Internal
@@ -229,8 +201,6 @@ USE_DEFAULT_RT=No

 USE_PHYSICAL_NAMES=No

-WARNOLDCAPVERSION=Yes
-
 ZONE2ZONE=2

 ###############################################################################
@@ -239,22 +209,16 @@ ZONE2ZONE=2

 BLACKLIST_DISPOSITION=DROP

-INVALID_DISPOSITION=CONTINUE
-
 MACLIST_DISPOSITION=REJECT

 RELATED_DISPOSITION=ACCEPT

-RPFILTER_DISPOSITION=DROP
-
 SMURF_DISPOSITION=DROP

 SFILTER_DISPOSITION=DROP

 TCP_FLAGS_DISPOSITION=DROP

-UNTRACKED_DISPOSITION=CONTINUE
-
 ################################################################################
 #			P A C K E T  M A R K  L A Y O U T
 ################################################################################
--- a/Shorewall/Samples/three-interfaces/interfaces
+++ b/Shorewall/Samples/three-interfaces/interfaces
@@ -11,9 +11,7 @@
 #------------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall-interfaces"
 ###############################################################################
-?FORMAT 2
-###############################################################################
-#ZONE	INTERFACE	OPTIONS
-net     eth0            tcpflags,dhcp,nosmurfs,routefilter,logmartians,sourceroute=0
-loc     eth1            tcpflags,nosmurfs,routefilter,logmartians
-dmz     eth2            tcpflags,nosmurfs,routefilter,logmartians
+#ZONE	INTERFACE	BROADCAST	OPTIONS
+net     eth0            detect          tcpflags,dhcp,nosmurfs,routefilter,logmartians
+loc     eth1            detect          tcpflags,nosmurfs,routefilter,logmartians
+dmz     eth2            detect		tcpflags,nosmurfs,routefilter,logmartians
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
Tom Eastep	25760aa653	Fix syntax error in the generated script Signed-off-by: Tom Eastep <teastep@shorewall.net>	2012-03-06 09:14:06 -08:00
Tom Eastep	649f73a360	Correct issues with debugging the generated script a) Rename DEBUG to g_debug_iptablesb b) Clear all of the tables prior to handling iptables-restore input.	2012-03-05 15:55:25 -08:00
Tom Eastep	93df86c90a	Add /sbin/shorewall-init for use with service.d Signed-off-by: Tom Eastep <teastep@shorewall.net>	2012-02-29 15:04:17 -08:00
Tom Eastep	d4e21314d0	Update the release model web page Signed-off-by: Tom Eastep <teastep@shorewall.net>	2012-02-25 08:28:15 -08:00
Tom Eastep	428e67dc9e	Fix incorrect manpage Signed-off-by: Tom Eastep <teastep@shorewall.net>	2012-02-25 07:51:55 -08:00
Tom Eastep	d3f4f59e36	Attempt to fix incorrect manpage Signed-off-by: Tom Eastep <teastep@shorewall.net>	2012-02-25 07:40:47 -08:00
Roberto C. Sanchez	1983d314b8	FIx typos	2012-02-25 07:32:01 -08:00
Tom Eastep	4ae5ee20aa	Fix broken init scripts. Signed-off-by: Tom Eastep <teastep@shorewall.net>	2012-02-21 15:24:08 -08:00
Tom Eastep	408340ada2	Merge branch '4.5.0' of ssh://shorewall.git.sourceforge.net/gitroot/shorewall/shorewall into 4.5.0	2012-02-18 13:26:01 -08:00
Tom Eastep	12b92acef1	Fix compiler crash from unknown interface Signed-off-by: Tom Eastep <teastep@shorewall.net>	2012-02-18 11:05:47 -08:00
Tom Eastep	966597ee9d	Correct usage text for 'update'. Signed-off-by: Tom Eastep <teastep@shorewall.net>	2012-02-18 11:05:27 -08:00
Tom Eastep	98aa70bcae	Correct a typo in the blrules manpages Signed-off-by: Tom Eastep <teastep@shorewall.net>	2012-02-18 11:05:11 -08:00
Tom Eastep	71a8ffca2e	Install the correct init script on Fedora	2012-02-17 13:47:49 -08:00
Tom Eastep	eef85fbcbc	Apply Simon Mater's patch for LIBEXEC/PERLLIB Signed-off-by: Tom Eastep <teastep@shorewall.net>	2012-02-13 07:02:48 -08:00