Correct configure and configure.pl to output SPARSE

Signed-off-by: Tom Eastep <teastep@shorewall.net>
Fix interface_is_usable()
2012-05-15 11:32:35 -07:00 · 2012-05-15 06:50:49 -07:00 · 2012-05-13 13:56:48 -07:00 · 2012-05-13 12:29:01 -07:00 · 2012-05-12 07:45:55 -07:00 · 2012-05-12 07:45:32 -07:00
122 changed files with 1543 additions and 992 deletions
--- a/Shorewall-core/configure
+++ b/Shorewall-core/configure
@@ -56,7 +56,7 @@ getfileparams() {
 	esac

    done
-    
+
    return 0
 }

@@ -70,7 +70,7 @@ for p in $@; do
 	pv=${p#*=}

 	if [ -n "${pn}" ]; then
-	    
+
 	    case ${pn} in
 		VENDOR)
 		    pn=HOST
@@ -85,7 +85,7 @@ for p in $@; do
 		    pn=CONFDIR
 		    ;;
 	    esac
-    
+
 	    params[${pn}]="${pv}"
 	else
 	    echo "ERROR: Invalid option ($p)" >&2
@@ -102,7 +102,7 @@ if [ -z "$vendor" ]; then
 	    $params[HOST]=apple
 	    rcfile=shorewallrc.apple
 	    ;;
-	
+
 	cygwin*)
 	    $params[HOST]=cygwin
 	    rcfile=shorewallrc.cygwin
@@ -159,7 +159,7 @@ echo '#'                                                                 > shore
 echo "# Created by Shorewall Core version $VERSION configure - " `date` >> shorewallrc
 echo '#'                                                                >> shorewallrc

-if [ -n "$@" ]; then
+if [ $# -gt 0 ]; then
    echo "# Input: $@" >> shorewallrc
    echo '#'           >> shorewallrc
 fi
@@ -181,6 +181,7 @@ for on in \
    SYSTEMD \
    SYSCONFFILE \
    SYSCONFDIR \
+    SPARSE \
    ANNOTATED \
    VARDIR
 do
--- a/Shorewall-core/configure.pl
+++ b/Shorewall-core/configure.pl
@@ -30,7 +30,7 @@ use strict;
 #
 # Build updates this
 #
-use constant { 
+use constant {
    VERSION => '4.5.2.1'
 };

@@ -131,7 +131,7 @@ for ( qw/ HOST
 	  PERLLIBDIR
 	  CONFDIR
 	  SBINDIR
-	  MANDIR 
+	  MANDIR
 	  INITDIR
 	  INITSOURCE
 	  INITFILE
@@ -140,6 +140,7 @@ for ( qw/ HOST
 	  SYSTEMD
 	  SYSCONFFILE
 	  SYSCONFDIR
+	  SPARSE
 	  ANNOTATED
 	  VARDIR / ) {

--- a/Shorewall-core/init.slackware.firewall.sh
+++ b/Shorewall-core/init.slackware.firewall.sh
--- a/Shorewall-core/install.sh
+++ b/Shorewall-core/install.sh
@@ -33,7 +33,7 @@ usage() # $1 = exit status
    exit $1
 }

-fatal_error() 
+fatal_error()
 {
    echo "   ERROR: $@" >&2
    exit 1
@@ -91,7 +91,7 @@ install_file() # $1 = source $2 = target $3 = mode
    run_install $T $OWNERSHIP -m $3 $1 ${2}
 }

-require() 
+require()
 {
    eval [ -n "\$$1" ] || fatal_error "Required option $1 not set"
 }
@@ -307,6 +307,16 @@ chmod 755 ${DESTDIR}${SBINDIR}
 mkdir -p ${DESTDIR}${MANDIR}
 chmod 755 ${DESTDIR}${MANDIR}

+if [ -n "${INITFILE}" ]; then
+    mkdir -p ${DESTDIR}${INITDIR}
+    chmod 755 ${DESTDIR}${INITDIR}
+
+    if [ -n "$AUXINITSOURCE" -a -f "$AUXINITSOURCE" ]; then
+	install_file $AUXINITSOURCE ${DESTDIR}${INITDIR}/$AUXINITFILE 0544
+	[ "${SHAREDIR}" = /usr/share ] || eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${INITDIR}/$AUXINITFILE
+	echo  "$Product script installed in ${DESTDIR}${INITDIR}/$AUXINITFILE"
+    fi
+fi
 #
 # Note: ${VARDIR} is created at run-time since it has always been
 #       a relocatable directory on a per-product basis
--- a/Shorewall-core/lib.base
+++ b/Shorewall-core/lib.base
@@ -41,6 +41,7 @@ if [ -z "$g_readrc" ]; then
    g_libexec="$LIBEXECDIR"
    g_sharedir="$SHAREDIR"/$g_program
    g_sbindir="$SBINDIR"
+    g_perllib="$PERLLIBDIR"
    g_vardir="$VARDIR"
    g_confdir="$CONFDIR"/$g_program
    g_readrc=1
--- a/Shorewall-core/lib.cli
+++ b/Shorewall-core/lib.cli
@@ -31,9 +31,11 @@ if [ -z "$g_readrc" ]; then
    . /usr/share/shorewall/shorewallrc

    g_libexec="$LIBEXECDIR"
-    g_sbindir="$SBINDIR"
-    g_confdir="$CONFDIR"/$g_program
    g_sharedir="$SHAREDIR"/$g_program
+    g_sbindir="$SBINDIR"
+    g_perllib="$PERLLIBDIR"
+    g_vardir="$VARDIR"
+    g_confdir="$CONFDIR"/$g_program
    g_readrc=1
 fi

@@ -432,7 +434,7 @@ save_config() {
 # order we all know and love
 #
 sort_routes() {
-    local dest 
+    local dest
    local rest
    local crvsn

@@ -454,16 +456,28 @@ sort_routes() {
    done | sort -r | while read dest rest; do echo $rest; done
 }

+#
+# Isolate the table in the routing rules being read from stdin.
+# Piping through sed to remove trailing whitespace works around
+# recent 'features' in dash and ip.
+#
+find_tables() {
+    sed -r 's/[[:space:]]+$//' | while read rule; do
+	echo ${rule##* }
+    done
+}
+
 #
 # Show routing configuration
 #
 show_routing() {
+    local rule
+    local table
+
    if [ -n "$(ip -$g_family rule list)" ]; then
 	heading "Routing Rules"
 	ip -$g_family rule list
-	ip -$g_family rule list | while read rule; do
-	    echo ${rule##* }
-	done | sort -u | while read table; do
+	ip -$g_family rule list | find_tables | sort -u | while read table; do
 	    heading "Table $table:"
 	    if [ $g_family -eq 6 ]; then
 		ip -$g_family -o route list table $table | fgrep -v cache
@@ -1015,12 +1029,12 @@ perip_accounting() {

 	if [ -n "$hnames" ]; then
 	    for hname in $hnames; do
-		iptaccount -l $hname | egrep '^IP:|^Show' 
+		iptaccount -l $hname | egrep '^IP:|^Show'
 		echo
 	    done
 	else
 	    echo "   No IP Accounting Tables Defined"
-	    echo 
+	    echo
 	fi
    else
 	echo "   iptaccount is not installed"
@@ -1245,7 +1259,7 @@ do_dump_command() {
 	netstat -${g_family}tunap
    else
 	netstat -tunap
-    fi	
+    fi

    if [ -n "$TC_ENABLED" ]; then
 	heading "Traffic Control"
@@ -2022,11 +2036,11 @@ determine_capabilities() {
 	qt $g_tool -A $chain -m conntrack --ctorigdst 192.168.1.1 -j ACCEPT && CONNTRACK_MATCH=Yes
    else
 	qt $g_tool -A $chain -m conntrack --ctorigdst ::1 -j ACCEPT && CONNTRACK_MATCH=Yes
-    fi	
+    fi

    if [ -n "$CONNTRACK_MATCH" ]; then
 	qt $g_tool -A $chain -m conntrack -p tcp --ctorigdstport 22 -j ACCEPT && NEW_CONNTRACK_MATCH=Yes
-	
+
 	if [ $g_family -eq 4 ]; then
 	    qt $g_tool -A $chain -m conntrack ! --ctorigdst 1.2.3.4 || OLD_CONNTRACK_MATCH=Yes
 	else
@@ -2115,7 +2129,7 @@ determine_capabilities() {

 	qt $g_tool -t mangle -F $chain
 	qt $g_tool -t mangle -X $chain
-	
+
 	qt $g_tool -t mangle -L FORWARD -n && MANGLE_FORWARD=Yes
    fi

@@ -2209,10 +2223,10 @@ determine_capabilities() {
    [ -n "$IP" ] && $IP rule add help 2>&1 | grep -q /MASK && FWMARK_RT_MASK=Yes

    CAPVERSION=$SHOREWALL_CAPVERSION
-   
+
    KERNELVERSION=$(uname -r 2> /dev/null | sed -e 's/-.*//')

-    case "$KERNELVERSION" in 
+    case "$KERNELVERSION" in
 	*.*.*)
 	    KERNELVERSION=$(printf "%d%02d%02d" $(echo $KERNELVERSION | sed -e 's/^\([0-9][0-9]*\)\.\([0-9][0-9]*\)\.\([0-9][0-9]*\).*$/\1 \2 \3/g'))
 	    ;;
@@ -2302,7 +2316,7 @@ report_capabilities() {
 	report_capability "IMQ Target (IMQ_TARGET)" $IMQ_TARGET
 	report_capability "DSCP Match (DSCP_MATCH)" $DSCP_MATCH
 	report_capability "DSCP Target (DSCP_TARGET)" $DSCP_TARGET
-	
+
 	if [ $g_family -eq 4 ]; then
 	    report_capability "iptables -S (IPTABLES_S)" $IPTABLES_S
 	else
@@ -2522,7 +2536,7 @@ forget_command() {
 ipcalc_command() {
    local address
    local vlsm
-    
+
    [ $g_family -eq 6 ] && usage 1

    if [ $# -eq 2 ]; then
@@ -2553,7 +2567,7 @@ iprange_command() {

    [ $g_family -eq 6 ] && usage 1

-    range=''	
+    range=''

    while [ $# -gt 0 ]; do
 	shift
@@ -2615,7 +2629,7 @@ get_config() {
    ensure_config_path

    config=$(find_file ${g_program}.conf)
-    
+
    if [ -f $config ]; then
 	if [ -r $config ]; then
 	    . $config
@@ -2662,7 +2676,7 @@ get_config() {
 		echo "   ERROR: The program specified in IPTABLES does not exist or is not executable" >&2
 		exit 2
 	    fi
-	else	 
+	else
 	    IPTABLES=$(mywhich iptables 2> /dev/null)
 	    if [ -z "$IPTABLES" ] ; then
 		echo "   ERROR: Can't find iptables executable" >&2
@@ -2677,7 +2691,7 @@ get_config() {
 		echo "   ERROR: The program specified in IP6TABLES does not exist or is not executable" >&2
 		exit 2
 	    fi
-	else	 
+	else
 	    IP6TABLES=$(mywhich ip6tables 2> /dev/null)
 	    if [ -z "$IP6TABLES" ] ; then
 		echo "   ERROR: Can't find ip6tables executable" >&2
@@ -2734,7 +2748,7 @@ verify_firewall_script() {
 	else
 	    echo "          The file $g_firewall does not exist" >&2
 	fi
-	
+
 	exit 2
    fi
 }
@@ -3175,7 +3189,7 @@ shorewall_cli() {
 	    [ $# -eq 1 ] || usage 1
 	    [ "$(id -u)" != 0 ] && fatal_error "The status command may only be run by root"
 	    get_config
-	    status_command 
+	    status_command
 	    ;;
 	dump)
 	    get_config Yes No Yes
@@ -3285,6 +3299,6 @@ shorewall_cli() {
 	    else
 		usage 1
 	    fi
-	    ;; 
+	    ;;
    esac
 }
--- a/Shorewall-core/lib.common
+++ b/Shorewall-core/lib.common
@@ -593,7 +593,7 @@ find_first_interface_address() # $1 = interface
 	#
 	[ -n "$addr" ] || startup_error "Can't determine the IP address of $1"
 	#
-	# Strip off the trailing VLSM mask (or the peer IP in case of a P-t-P link)	
+	# Strip off the trailing VLSM mask (or the peer IP in case of a P-t-P link)
 	# along with everything else on the line
 	#
 	echo $addr | sed 's/\s*inet //;s/\/.*//;s/ peer.*//'
--- a/Shorewall-core/shorewallrc.cygwin
+++ b/Shorewall-core/shorewallrc.cygwin
@@ -16,5 +16,5 @@ INITSOURCE=                           #Unused on Cygwin
 ANNOTATED=                            #Unused on Cygwin
 SYSTEMD=                              #Unused on Cygwin
 SYSCONFDIR=                           #Unused on Cygwin
-SPARSE=Yes                            #Only install $PRODUCT/$PRODUCT.conf in $CONFDIR.                     
+SPARSE=Yes                            #Only install $PRODUCT/$PRODUCT.conf in $CONFDIR.
 VARDIR=/var/lib                       #Unused on Cygwin
--- a/Shorewall-core/shorewallrc.debian
+++ b/Shorewall-core/shorewallrc.debian
@@ -9,7 +9,7 @@ LIBEXECDIR=${PREFIX}/share              #Directory for executable scripts.
 PERLLIBDIR=${PREFIX}/share/shorewall    #Directory to install Shorewall Perl module directory
 CONFDIR=/etc                            #Directory where subsystem configurations are installed
 SBINDIR=/sbin                           #Directory where system administration programs are installed
-MANDIR=${PREFIX}/man                    #Directory where manpages are installed.
+MANDIR=${PREFIX}/share/man              #Directory where manpages are installed.
 INITDIR=/etc/init.d                     #Directory where SysV init scripts are installed.
 INITFILE=$PRODUCT                       #Name of the product's installed SysV init script
 INITSOURCE=init.debian.sh               #Name of the distributed file to be installed as the SysV init script
--- a/Shorewall-core/shorewallrc.redhat
+++ b/Shorewall-core/shorewallrc.redhat
@@ -6,7 +6,7 @@ HOST=redhat
 PREFIX=/usr                             #Top-level directory for shared files, libraries, etc.
 SHAREDIR=${PREFIX}/share                #Directory for arch-neutral files.
 LIBEXECDIR=${PREFIX}/libexec            #Directory for executable scripts.
-PERLLIBDIR=/usr/share/perl5             #Directory to install Shorewall Perl module directory
+PERLLIBDIR=/usr/share/perl5/vendor_perl #Directory to install Shorewall Perl module directory
 CONFDIR=/etc                            #Directory where subsystem configurations are installed
 SBINDIR=/sbin                           #Directory where system administration programs are installed
 MANDIR=${SHAREDIR}/man                  #Directory where manpages are installed.
--- a/Shorewall-core/shorewallrc.slackware
+++ b/Shorewall-core/shorewallrc.slackware
@@ -11,10 +11,10 @@ CONFDIR=/etc                               #Directory where subsystem configurat
 SBINDIR=/sbin                              #Directory where system administration programs are installed
 MANDIR=${PREFIX}/man                       #Directory where manpages are installed.
 INITDIR=/etc/rc.d                          #Directory where SysV init scripts are installed.
-INITSOURCE=init.slackware.firewall         #Name of the distributed file to be installed as the SysV init script
-INITFILE=rc.firewall                       #Name of the product's installed SysV init script
-AUXINITSOURCE=init.slackware.$PRODUCT      #Name of the distributed file to be installed as a second SysV init script
-AUXINITFILE=rc.$PRODUCT                    #Name of the product's installed second init script
+AUXINITSOURCE=init.slackware.firewall.sh   #Name of the distributed file to be installed as the SysV init script
+AUXINITFILE=rc.firewall                    #Name of the product's installed SysV init script
+INITSOURCE=init.slackware.$PRODUCT.sh      #Name of the distributed file to be installed as a second SysV init script
+INITFILE=rc.$PRODUCT                       #Name of the product's installed second init script
 SYSTEMD=                                   #Name of the directory where .service files are installed (systems running systemd only)
 SYSCONFFILE=                               #Name of the distributed file to be installed in $SYSCONFDIR
 SYSCONFDIR=                                #Name of the directory where SysV init parameter files are installed.
--- a/Shorewall-lite/Makefile
+++ b/Shorewall-lite/Makefile
@@ -3,9 +3,9 @@ VARDIR=$(shell /sbin/shorewall-lite show vardir)
 SHAREDIR=/usr/share/shorewall-lite
 RESTOREFILE?=.restore

-all: $(VARDIR)/${RESTOREFILE}
+all: $(VARDIR)/$(RESTOREFILE)

-$(VARDIR)/${RESTOREFILE}: $(VARDIR)/firewall
+$(VARDIR)/$(RESTOREFILE): $(VARDIR)/firewall
 	@/sbin/shorewall-lite -q save >/dev/null; \
 	if \
 	    /sbin/shorewall-lite -q restart >/dev/null 2>&1; \
--- a/Shorewall-lite/init.debian.sh
+++ b/Shorewall-lite/init.debian.sh
@@ -23,7 +23,7 @@ export SHOREWALL_INIT_SCRIPT
 test -x $SRWL || exit 0
 test -x $WAIT_FOR_IFUP || exit 0
 test -n "$INITLOG" || {
-	echo "INITLOG cannot be empty, please configure $0" ; 
+	echo "INITLOG cannot be empty, please configure $0" ;
 	exit 1;
 }

@@ -35,9 +35,9 @@ fi

 echo_notdone () {

-  if [ "$INITLOG" = "/dev/null" ] ; then 
+  if [ "$INITLOG" = "/dev/null" ] ; then
 	  echo "not done."
-  else 
+  else
 	  echo "not done (check $INITLOG)."
  fi

--- a/Shorewall-lite/init.fedora.sh
+++ b/Shorewall-lite/init.fedora.sh
@@ -41,10 +41,10 @@ start() {
    echo -n $"Starting Shorewall: "
    $shorewall $OPTIONS start 2>&1 | $logger
    retval=${PIPESTATUS[0]}
-    if [[ $retval == 0 ]]; then 
+    if [[ $retval == 0 ]]; then
 	touch $lockfile
 	success
-    else 
+    else
 	failure
    fi
    echo
@@ -55,10 +55,10 @@ stop() {
    echo -n $"Stopping Shorewall: "
    $shorewall $OPTIONS stop 2>&1 | $logger
    retval=${PIPESTATUS[0]}
-    if [[ $retval == 0 ]]; then 
+    if [[ $retval == 0 ]]; then
 	rm -f $lockfile
 	success
-    else 
+    else
 	failure
    fi
    echo
@@ -71,7 +71,7 @@ restart() {
    echo -n $"Restarting Shorewall: "
    $shorewall $OPTIONS restart 2>&1 | $logger
    retval=${PIPESTATUS[0]}
-    if [[ $retval == 0 ]]; then 
+    if [[ $retval == 0 ]]; then
 	touch $lockfile
 	success
    else # Failed to start, clean up lock file if present
--- a/Shorewall-lite/install.sh
+++ b/Shorewall-lite/install.sh
@@ -33,7 +33,7 @@ usage() # $1 = exit status
    exit $1
 }

-fatal_error() 
+fatal_error()
 {
    echo "   ERROR: $@" >&2
    exit 1
@@ -91,7 +91,7 @@ install_file() # $1 = source $2 = target $3 = mode
    run_install $T $OWNERSHIP -m $3 $1 ${2}
 }

-require() 
+require()
 {
    eval [ -n "\$$1" ] || fatal_error "Required option $1 not set"
 }
@@ -118,7 +118,7 @@ while [ $finished -eq 0 ] ; do
    case "$1" in
 	-*)
 	    option=${option#-}
-	    
+
 	    while [ -n "$option" ]; do
 		case $option in
 		    h)
@@ -268,7 +268,7 @@ if [ -n "$DESTDIR" ]; then
 	echo "Not setting file owner/group permissions, not running as root."
 	OWNERSHIP=""
    fi
-    
+
    install -d $OWNERSHIP -m 755 ${DESTDIR}/${SBINDIR}
    install -d $OWNERSHIP -m 755 ${DESTDIR}${INITDIR}

@@ -496,6 +496,7 @@ if [ -z "$DESTDIR" -a -n "$first_install" -a -z "${cygwin}${mac}" ]; then
 	echo "Set startup=1 in ${SYSCONFDIR}/$PRODUCT to enable"
 	touch /var/log/$PRODUCT-init.log
 	perl -p -w -i -e 's/^STARTUP_ENABLED=No/STARTUP_ENABLED=Yes/;s/^IP_FORWARDING=On/IP_FORWARDING=Keep/;s/^SUBSYSLOCK=.*/SUBSYSLOCK=/;' ${CONFDIR}/${PRODUCT}/${PRODUCT}.conf
+	update-rc.d $PRODUCT enable defaults
    elif [ -n "$SYSTEMD" ]; then
 	if systemctl enable $PRODUCT; then
 	    echo "$Product will start automatically at boot"
--- a/Shorewall-lite/shorewall-lite
+++ b/Shorewall-lite/shorewall-lite
@@ -4,7 +4,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010,2011 - 
+#     (c) 1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010,2011 -
 #         Tom Eastep (teastep@shorewall.net)
 #
 #	Shorewall documentation is available at http://www.shorewall.net
@@ -35,6 +35,7 @@ g_program=shorewall-lite
 g_libexec="$LIBEXECDIR"
 g_sharedir="$SHAREDIR"/shorewall-lite
 g_sbindir="$SBINDIR"
+g_vardir="$VARDIR"
 g_confdir="$CONFDIR"/shorewall-lite
 g_readrc=1

--- a/Shorewall-lite/shorewall-lite.conf
+++ b/Shorewall-lite/shorewall-lite.conf
@@ -1,5 +1,5 @@
 ###############################################################################
-#  /etc/shorewall-lite/shorewall-lite.conf Version 4 - Change the following 
+#  /etc/shorewall-lite/shorewall-lite.conf Version 4 - Change the following
 #  variables to override the values in the shorewall.conf file used to
 #  compile /var/lib/shorewall-lite/firewall. Those values may be found in
 #  /var/lib/shorewall-lite/firewall.conf.
--- a/Shorewall/Macros/macro.Amanda
+++ b/Shorewall/Macros/macro.Amanda
@@ -11,6 +11,7 @@
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
 #				PORT(S)	PORT(S)	LIMIT	GROUP
 PARAM	-	-	udp	10080
+PARAM	-	-	tcp	10080
 #
 # You may also need this rule.  With AMANDA 2.4.4 on Linux kernel 2.6,
 # it should not be necessary to use this.  The ip_conntrack_amanda
--- a/Shorewall/Macros/macro.BLACKLIST
+++ b/Shorewall/Macros/macro.BLACKLIST
@@ -8,4 +8,8 @@
 ###############################################################################
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
 #				PORT(S)	PORT(S)	LIMIT	GROUP
-$BLACKLIST_DISPOSITION:$BLACKLIST_LOGLEVEL
+?IF $BLACKLIST_LOGLEVEL
+blacklog
+?ELSE
+$BLACKLIST_DISPOSITION
+?ENDIF
--- a/Shorewall/Makefile
+++ b/Shorewall/Makefile
@@ -3,9 +3,9 @@ VARDIR=$(shell /sbin/shorewall show vardir)
 CONFDIR=/etc/shorewall
 RESTOREFILE?=firewall

-all: $(VARDIR)/${RESTOREFILE}
+all: $(VARDIR)/$(RESTOREFILE)

-$(VARDIR)/${RESTOREFILE}: $(CONFDIR)/*
+$(VARDIR)/$(RESTOREFILE): $(CONFDIR)/*
 	@/sbin/shorewall -q save >/dev/null; \
 	if \
 	    /sbin/shorewall -q restart >/dev/null 2>&1; \
--- a/Shorewall/Perl/.includepath
+++ b/Shorewall/Perl/.includepath
@@ -1,3 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<includepath />
-
--- a/Shorewall/Perl/Shorewall/Accounting.pm
+++ b/Shorewall/Perl/Shorewall/Accounting.pm
@@ -85,7 +85,7 @@ sub initialize() {
    # The section number is initialized to a value less thatn LEGACY. It will be set to LEGACY if a
    # the first non-commentary line in the accounting file isn't a section header
    #
-    # This allows the section header processor to quickly check for correct order 
+    # This allows the section header processor to quickly check for correct order
    #
    $asection           = -1;
    #
@@ -194,7 +194,7 @@ sub process_accounting_rule( ) {
    $ports  = ''    if $ports  eq 'any' || $ports  eq 'all';
    $sports = ''    if $sports eq 'any' || $sports eq 'all';

-    fatal_error "USER/GROUP may only be specified in the OUTPUT section" unless $user eq '-' || $asection == OUTPUT; 
+    fatal_error "USER/GROUP may only be specified in the OUTPUT section" unless $user eq '-' || $asection == OUTPUT;

    my $rule = do_proto( $proto, $ports, $sports ) . do_user ( $user ) . do_test ( $mark, $globals{TC_MASK} ) . do_headers( $headers );
    my $rule2 = 0;
@@ -250,7 +250,7 @@ sub process_accounting_rule( ) {

    if ( $source eq 'any' || $source eq 'all' ) {
        $source = ALLIP;
-    } else { 
+    } else {
 	fatal_error "MAC addresses only allowed in the INPUT and FORWARD sections" if $source =~ /~/ && ( $asection == OUTPUT || ! $asection );
    }

@@ -289,7 +289,7 @@ sub process_accounting_rule( ) {

    if ( ! $chainref ) {
 	if ( reserved_chain_name( $chain ) ) {
-	    fatal_error "May not use chain $chain in the $sectionname section" if $asection && $chain ne $defaultchain; 
+	    fatal_error "May not use chain $chain in the $sectionname section" if $asection && $chain ne $defaultchain;
 	    $chainref = ensure_accounting_chain $chain, 0 , $restriction;
 	} elsif ( $asection ) {
 	    fatal_error "Unknown accounting chain ($chain)";
@@ -312,7 +312,7 @@ sub process_accounting_rule( ) {
 	}
    } else {
 	fatal_error "$chain is not an accounting chain" unless $chainref->{accounting};
-    
+
 	if ( $ipsec ne '-' ) {
 	    $dir = $chainref->{ipsec};
 	    fatal_error "Adding an IPSEC rule into a non-IPSEC chain is not allowed" unless $dir;
@@ -338,7 +338,7 @@ sub process_accounting_rule( ) {
    }

    fatal_error "$chain is not an accounting chain" unless $chainref->{accounting};
-    
+
    $restriction = $dir eq 'in' ? INPUT_RESTRICT : OUTPUT_RESTRICT if $dir;

    expand_rule
@@ -394,7 +394,7 @@ sub setup_accounting() {

 	my $nonEmpty = 0;

-	$nonEmpty |= process_accounting_rule while read_a_line;
+	$nonEmpty |= process_accounting_rule while read_a_line( NORMAL_READ );

 	clear_comment;

--- a/Shorewall/Perl/Shorewall/Chains.pm
+++ b/Shorewall/Perl/Shorewall/Chains.pm
@@ -219,6 +219,7 @@ our %EXPORT_TAGS = (
 				       do_ipsec_options
 				       do_ipsec
 				       log_rule
+				       handle_network_list
 				       expand_rule
 				       addnatjump
 				       set_chain_variables
@@ -363,7 +364,7 @@ use constant { ALL_COMMANDS => 1, NOT_RESTORE => 2 };
 #
 # Optimization masks
 #
-use constant { 
+use constant {
 	       OPTIMIZE_POLICY_MASK  => 0x02 , # Call optimize_policy_chains()
 	       OPTIMIZE_RULESET_MASK => 0x1C , # Call optimize_ruleset()
 	     };
@@ -499,7 +500,7 @@ my %ipset_exists;
 #                                shell command, the text of the command is in
 #                                the cmd
 #         cmd        => Shell command, if mode == CMD_MODE and cmdlevel == 0
-#         cmdlevel   => nesting level within loops and conditional blocks. 
+#         cmdlevel   => nesting level within loops and conditional blocks.
 #                       determines indentation
 #         simple     => true|false. If true, there are no matches or options
 #         jump       => 'j' or 'g' (determines whether '-j' or '-g' is included)
@@ -509,7 +510,7 @@ my %ipset_exists;
 #         <option>   => iptables/ip6tables -A options (e.g., i => eth0)
 #         <match>    => iptables match. Value may be a scalar or array.
 #                       if an array, multiple "-m <match>"s will be generated
-#    } 
+#    }
 #
 # The following constants and hash are used to classify keys in a rule hash
 #
@@ -523,7 +524,7 @@ my %opttype = ( rule          => CONTROL,
 		cmd           => CONTROL,

 		dhcp          => UNIQUE,
-		
+
 	        mode          => CONTROL,
 		cmdlevel      => CONTROL,
 		simple        => CONTROL,
@@ -537,12 +538,12 @@ my %opttype = ( rule          => CONTROL,
 		sport         => UNIQUE,
 		'icmp-type'   => UNIQUE,
 		'icmpv6-type' => UNIQUE,
-		
+
 		comment       => CONTROL,

 		policy        => MATCH,
 		state         => EXCLUSIVE,
-		
+
 		jump          => TARGET,
 		target        => TARGET,
 		targetopts    => TARGET,
@@ -562,7 +563,7 @@ my %aliases = ( protocol        => 'p',
 	      );

 my @unique_options = ( qw/p dport sport icmp-type icmpv6-type s d i o/ );
-	     
+
 #
 # Rather than initializing globals in an INIT block or during declaration,
 # we initialize them in a function. This is done for two reasons:
@@ -619,7 +620,7 @@ sub initialize( $$$ ) {
    $hashlimitset       = 0;
    $ipset_rules        = 0 if $hard;

-    %ipset_exists       = ();   
+    %ipset_exists       = ();

    %helpers = ( amanda          => TCP,
 		 ftp             => TCP,
@@ -699,13 +700,13 @@ sub incr_cmd_level( $ ) {
 }

 sub decr_cmd_level( $ ) {
-    assert( --$_[0]->{cmdlevel} >= 0);
+    assert( --$_[0]->{cmdlevel} >= 0, $_[0] );
 }

 #
-# Transform the passed iptables rule into an internal-form hash reference. 
-# Most of the compiler has been converted to use the new form natively. 
-# A few parts, mostly those dealing with expand_rule(), still generate 
+# Transform the passed iptables rule into an internal-form hash reference.
+# Most of the compiler has been converted to use the new form natively.
+# A few parts, mostly those dealing with expand_rule(), still generate
 # iptables command strings which are converted into the new form by
 # transform_rule()
 #
@@ -714,14 +715,14 @@ sub decr_cmd_level( $ ) {
 sub set_rule_option( $$$ ) {
    my ( $ruleref, $option, $value ) = @_;

-    assert( defined $value && reftype $ruleref );
+    assert( defined $value && reftype $ruleref , $value, $ruleref );

    $ruleref->{simple} = 0;
-    
+
    my $opttype = $opttype{$option} || MATCH;

    if ( exists $ruleref->{$option} ) {
-	assert( defined( my $value1 = $ruleref->{$option} ) );
+	assert( defined( my $value1 = $ruleref->{$option} ) , $ruleref );

 	if ( $opttype == MATCH ) {
 	    if ( $globals{KLUDGEFREE} ) {
@@ -735,14 +736,14 @@ sub set_rule_option( $$$ ) {

 		push @{$ruleref->{$option}}, ( reftype $value ? @$value : $value );
 	    } else {
-		$ruleref->{$option} = join(' ', $value1, $value );
+		$ruleref->{$option} = join(' ', $value1, $value ) unless $value1 eq $value;
 	    }
 	} elsif ( $opttype == EXCLUSIVE ) {
 	    $ruleref->{$option} .= ",$value";
 	} elsif ( $opttype == UNIQUE ) {
 	    fatal_error "Multiple $option settings in one rule is prohibited";
 	} else {
-	    assert(0);
+	    assert(0, $opttype );
 	}
    } else {
 	$ruleref->{$option} = $value;
@@ -759,7 +760,7 @@ sub transform_rule( $ ) {
    while ( $input ) {
 	my $option;
 	my $invert = '';
-	
+
 	if ( $input =~ s/^(!\s+)?-([psdjgiom])\s+// ) {
 	    #
 	    # Normal case of single-character
@@ -768,7 +769,7 @@ sub transform_rule( $ ) {
 	} elsif ( $input =~ s/^(!\s+)?--([^\s]+)\s*// ) {
 	    $invert = '!' if $1;
 	    my $opt = $option = $2;
-	    fatal_error "Unrecognized iptables option ($opt}" unless $option = $aliases{$option};	    
+	    fatal_error "Unrecognized iptables option ($opt}" unless $option = $aliases{$option};
 	} else {
 	    fatal_error "Unrecognized iptables option string ($input)";
 	}
@@ -794,7 +795,7 @@ sub transform_rule( $ ) {
 		last PARAM if $input =~ /^--([^\s]+)/ && $aliases{$1 || '' };
 		$input =~ s/^([^\s]+)\s*//;
 		my $token = $1;
-		$params = $params eq '' ? $token : join( ' ' , $params, $token);	
+		$params = $params eq '' ? $token : join( ' ' , $params, $token);
 	    }

 	    if ( $input =~ /^(?:!\s+--([^\s]+)|!\s+[^-])/ ) {
@@ -823,7 +824,7 @@ sub rule_target( $ ) {
 sub clear_rule_target( $ ) {
    my $ruleref = shift;

-    assert( reftype $ruleref );
+    assert( reftype $ruleref , $ruleref );

    delete $ruleref->{jump};
    delete $ruleref->{targetopts};
@@ -835,7 +836,7 @@ sub clear_rule_target( $ ) {
 sub set_rule_target( $$$ ) {
    my ( $ruleref, $target, $opts) = @_;

-    assert( reftype $ruleref );
+    assert( reftype $ruleref , $ruleref );

    $ruleref->{jump}     = 'j';
    $ruleref->{target}   = $target;
@@ -860,20 +861,20 @@ sub format_option( $$ ) {

    $rule;
 }
-	
+
 sub format_rule( $$;$ ) {
    my ( $chainref, $ruleref, $suppresshdr ) = @_;

    return $ruleref->{cmd} if exists $ruleref->{cmd};

    my $rule = $suppresshdr ? '' : "-A $chainref->{name}";
-    
+
    for ( @unique_options ) {
 	if ( exists $ruleref->{$_} ) {
 	    my $value = $ruleref->{$_};

 	    $rule .= ' !' if $value =~ s/^! //;
-	    
+
 	    if ( length == 1 ) {
 		$rule .= join( '' , ' -', $_, ' ', $value );
 	    } else {
@@ -882,8 +883,8 @@ sub format_rule( $$;$ ) {
 	}
    }

-    $rule .= format_option( 'state',   $ruleref->{state} )   if defined $ruleref->{state};  
-    $rule .= format_option( 'policy',  $ruleref->{policy} )  if defined $ruleref->{policy};  
+    $rule .= format_option( 'state',   $ruleref->{state} )   if defined $ruleref->{state};
+    $rule .= format_option( 'policy',  $ruleref->{policy} )  if defined $ruleref->{policy};

    $rule .= format_option( $_, $ruleref->{$_} ) for sort ( grep ! $opttype{$_}, keys %{$ruleref} );

@@ -912,7 +913,7 @@ sub compatible( $$ ) {
 		#
 		my @val1 = split ' ', $val1;
 		my @val2 = split ' ', $val2;
-		
+
 		return 0 if @val1 > @val2; # $val1 is more specific than $val2

 		for ( my $i = 0; $i < @val1; $i++ ) {
@@ -937,11 +938,11 @@ sub merge_rules( $$$ ) {
    my ( $tableref, $toref, $fromref ) = @_;

    my $target = $fromref->{target};
-    
+
    for my $option ( @unique_options ) {
 	$toref->{$option} = $fromref->{$option} if exists $fromref->{$option};
    }
-		    
+
    for my $option ( grep ! $opttype{$_}, keys %$fromref ) {
 	set_rule_option( $toref, $option, $fromref->{$option} );
    }
@@ -969,12 +970,12 @@ sub merge_rules( $$$ ) {

 #
 # Trace a change to the chain table
-# 
+#
 sub trace( $$$$ ) {
    my ($chainref, $action, $rulenum, $message) = @_;

-    my $heading = $rulenum ? 
-	sprintf "                NF-(%s)-> %s:%s:%d", $action, $chainref->{table}, $chainref->{name}, $rulenum : 
+    my $heading = $rulenum ?
+	sprintf "                NF-(%s)-> %s:%s:%d", $action, $chainref->{table}, $chainref->{name}, $rulenum :
 	sprintf "                NF-(%s)-> %s:%s", $action, $chainref->{table}, $chainref->{name};

    my $length = length $heading;
@@ -1033,7 +1034,7 @@ sub push_rule( $$ ) {
 sub add_trule( $$ ) {
    my ( $chainref, $ruleref ) = @_;

-    assert( reftype $ruleref );
+    assert( reftype $ruleref , $ruleref );
    push @{$chainref->{rules}}, $ruleref;
    $chainref->{referenced} = 1;

@@ -1129,7 +1130,7 @@ sub add_rule($$;$) {

    our $splitcount;

-    assert( ! reftype $rule );
+    assert( ! reftype $rule , $rule );

    $iprangematch = 0;
    #
@@ -1175,12 +1176,12 @@ sub add_rule($$;$) {
 # New add_rule implementation
 #
 sub push_matches {
-    
+
    my $ruleref = shift;
    my $dont_optimize = 0;

    while ( @_ ) {
-	my ( $option, $value ) = ( shift , shift );
+	my ( $option, $value ) = ( shift, shift );

 	assert( defined $value );

@@ -1203,9 +1204,9 @@ sub push_irule( $$$;@ ) {
    ( $target, my $targetopts ) = split ' ', $target, 2;

    my $ruleref       = {};
-    
+
    $ruleref->{mode} = ( $ruleref->{cmdlevel} = $chainref->{cmdlevel} ) ? CMD_MODE : CAT_MODE;
- 
+
    if ( $jump ) {
 	$ruleref->{jump}       = $jump;
 	$ruleref->{target}     = $target;
@@ -1301,7 +1302,7 @@ sub insert_rule1($$$)
    my $ruleref = transform_rule( $rule );

    $ruleref->{comment}  = "$comment" if $comment;
-    assert( ! ( $ruleref->{cmdlevel} = $chainref->{cmdlevel}) );
+    assert( ! ( $ruleref->{cmdlevel} = $chainref->{cmdlevel}) , $chainref->{name} );
    $ruleref->{mode} = CAT_MODE;

    splice( @{$chainref->{rules}}, $number, 0, $ruleref );
@@ -1325,9 +1326,9 @@ sub insert_irule( $$$$;@ ) {
    my ( $chainref, $jump, $target, $number, @matches ) = @_;

    my $ruleref = {};
-   
+
    $ruleref->{mode} = ( $ruleref->{cmdlevel} = $chainref->{cmdlevel} ) ? CMD_MODE : CAT_MODE;
- 
+
    if ( $jump ) {
 	$jump = 'j' if $jump eq 'g' && ! have_capability 'GOTO_TARGET';
 	( $target, my $targetopts ) = split ' ', $target, 2;
@@ -1392,7 +1393,7 @@ sub delete_chain_and_references( $ ) {
    #  We're going to delete this chain but first, we must delete all references to it.
    #
    my $tableref = $chain_table{$chainref->{table}};
-    my $name1    = $chainref->{name}; 
+    my $name1    = $chainref->{name};
    for ( @{$chainref->{rules}} ) {
 	decrement_reference_count( $tableref->{$_->{target}}, $name1 ) if $_->{target};
    }
@@ -1435,11 +1436,11 @@ sub decrement_reference_count( $$ ) {
    my ($toref, $chain) = @_;

    if ( $toref && $toref->{referenced} ) {
-	assert($toref->{references}{$chain} > 0 );
+	assert($toref->{references}{$chain} > 0 , $toref, $chain );
 	delete $toref->{references}{$chain} unless --$toref->{references}{$chain};
 	delete_chain( $toref )              unless ( keys %{$toref->{references}} );
    }
-}	
+}

 #
 # Move the rules from one chain to another
@@ -1473,11 +1474,11 @@ sub move_rules( $$ ) {
 	# We set aside the filtered rules for the time being
 	#
 	$filtered = $filtered1;
-	
+
 	push @filtered1 , shift @{$chain1->{rules}} while $filtered--;

 	$chain1->{filtered} = 0;
-	
+
 	$filtered = $filtered2;
 	push @filtered2 , shift @{$chain2->{rules}} while $filtered--;

@@ -1506,25 +1507,25 @@ sub move_rules( $$ ) {
 		trace( $chain2, 'I', ++$rule, $filtered1[$filtered++] ) while $filtered < $filtered1;
 	    }

-	    splice @{$rules}, 0, 0, @filtered1;   
+	    splice @{$rules}, 0, 0, @filtered1;
 	}
-    
+
 	#
 	# Restore the filters originally in chain2 but drop duplicates of those from $chain1
 	#
      FILTER:
 	while ( @filtered2 ) {
 	    $filtered = pop @filtered2;
-	    
+
 	    for ( $rule = 0; $rule < $filtered1; $rule++ ) {
 		$filtered2--, next FILTER if ${$rules}[$rule] eq $filtered;
 	    }
-	    
+
 	    unshift @{$rules}, $filtered;
 	}
-	   
+
 	$chain2->{filtered} = $filtered1 + $filtered2;
-	
+
 	delete_chain $chain1;

 	$count;
@@ -1735,21 +1736,21 @@ sub output_chain($)
 #
 # Prerouting Chain for an interface
 #
-sub prerouting_chain($) 
+sub prerouting_chain($)
 {
    my $interface = shift;
    ( $config{USE_PHYSICAL_NAMES} ? chain_base( get_physical( $interface ) ) : $interface ) . '_pre';
 }
-	    
+
 #
 # Postouting Chain for an interface
 #
-sub postrouting_chain($) 
+sub postrouting_chain($)
 {
    my $interface = shift;
    ( $config{USE_PHYSICAL_NAMES} ? chain_base( get_physical( $interface ) ) : $interface ) . '_post';
 }
-	    
+
 #
 # Output Chain for a zone
 #
@@ -2085,7 +2086,7 @@ sub delete_jumps ( $$ ) {
 	    }
 	}

-	assert( ! $refs );
+	assert( ! $refs , $from, $to );
    }

    delete $toref->{references}{$from};
@@ -2361,7 +2362,7 @@ sub ensure_audit_chain( $;$$ ) {
 	$tgt ||= $action;

 	add_ijump $ref, j => 'AUDIT', targetopts => '--type ' . lc $action;
-	
+
 	if ( $tgt eq 'REJECT' ) {
 	    add_ijump $ref , g => 'reject';
 	} else {
@@ -2390,8 +2391,8 @@ sub require_audit($$;$) {
    require_capability 'AUDIT_TARGET', 'audit', 's';

    return ensure_audit_chain $target, $action, $tgt;
-}   
-  
+}
+
 #
 # Returns the Level and Tag for the current action chain
 #
@@ -2399,7 +2400,7 @@ sub get_action_logging() {
    my $chainref = get_action_chain;
    my $wholeaction = $chainref->{action};
    my ( undef, $level, $tag, undef ) = split ':', $wholeaction;
-    
+
    $level = '' if $level =~ /^none/;

    ( $level, $tag );
@@ -2588,7 +2589,7 @@ sub delete_references( $ ) {
    #
    # Make sure the above loop found all references
    #
-    assert ( ! $toref->{referenced} );
+    assert ( ! $toref->{referenced}, $toref->{name} );

    $count;
 }
@@ -2659,7 +2660,7 @@ sub replace_references1( $$ ) {
 	if ( $fromref->{referenced} ) {
 	    for ( @{$fromref->{rules}} ) {
 		$rule++;
-		if ( $_->{target} eq $name ) { 
+		if ( $_->{target} eq $name ) {
 		    if ( compatible( $_ , $ruleref ) ) {
 			#
 			# The target is the passed chain -- merge the two rules into one
@@ -2737,8 +2738,8 @@ sub optimize_level0() {
 	next if $family == F_IPV6 && $table eq 'nat';
 	my $tableref = $chain_table{$table};
 	my @chains  = grep $_->{referenced}, values %$tableref;
-	my $chains  = @chains; 
-	
+	my $chains  = @chains;
+
 	for my $chainref ( @chains ) {
 	    #
 	    # If the chain isn't branched to, then delete it
@@ -2768,8 +2769,8 @@ sub optimize_level4( $$ ) {
 	$passes++;

 	my @chains  = grep $_->{referenced}, values %$tableref;
-	my $chains  = @chains; 
-	
+	my $chains  = @chains;
+
 	progress_message "\n Table $table pass $passes, $chains referenced chains, level 4a...";

 	for my $chainref ( @chains ) {
@@ -2867,8 +2868,8 @@ sub optimize_level4( $$ ) {
 	$passes++;

 	my @chains  = grep $_->{referenced}, values %$tableref;
-	my $chains  = @chains; 
-	
+	my $chains  = @chains;
+
 	progress_message "\n Table $table pass $passes, $chains referenced chains, level 4b...";

 	for my $chainref ( @chains ) {
@@ -2879,8 +2880,8 @@ sub optimize_level4( $$ ) {
 		# Last rule is a simple branch
 		my $targetref = $tableref->{$lastrule->{target}};

-		if ( $targetref && 
-		     ($targetref->{optflags} & DONT_MOVE) == 0 && 
+		if ( $targetref &&
+		     ($targetref->{optflags} & DONT_MOVE) == 0 &&
 		     ( keys %{$targetref->{references}} < 2 || @{$targetref->{rules}} < 4 ) ) {
 		    copy_rules( $targetref, $chainref );
 		    $progress = 1;
@@ -2941,7 +2942,7 @@ sub optimize_level8( $$$ ) {

 		unless ( $chainref->{name} =~ /^~/ ) {
 		    #
-		    # For simple use of the BLACKLIST section, we can end up with many identical 
+		    # For simple use of the BLACKLIST section, we can end up with many identical
 		    # chains. To distinguish them from other renamed chains, we keep track of
 		    # these chains via the 'blacklistsection' member.
 		    #
@@ -2961,14 +2962,14 @@ sub optimize_level8( $$$ ) {
 	#
 	for my $oldname ( @rename ) {
 	    my $newname = $renamed{ $oldname } = $rename{ $oldname } . $chainseq++;
-	    
+
 	    trace( $tableref->{$oldname}, 'RN', 0, " Renamed $newname" ) if $debug;
 	    $tableref->{$newname} = $tableref->{$oldname};
 	    $tableref->{$oldname}{name} = $newname;
 	    progress_message "  Chain $oldname renamed to $newname";
 	}
 	#
-	# Next, map the combined names 
+	# Next, map the combined names
 	#
 	while ( my ( $oldname, $combinedname ) = each %combined ) {
 	    $renamed{$oldname} = $renamed{$combinedname} || $combinedname;
@@ -3081,7 +3082,7 @@ sub get_keys( $ ) {
 # Adjacent rules are compatible if:
 #
 #   - They all specify destination ports
-#   - All of the rest of their members are identical with the possible exception of 'comment'. 
+#   - All of the rest of their members are identical with the possible exception of 'comment'.
 #
 #  Adjacent distinct comments are combined, separated by ', '. Redundant adjacent comments are dropped.
 #
@@ -3096,7 +3097,7 @@ sub combine_dports {
 	    my $ruleref;
 	    my $ports1;
 	    my $basenum = $rulenum;
-	    
+
 	    if ( $ports1 = get_dports( $baseref ) ) {
 		my $proto        = $baseref->{p};
 		my @keys1        = get_keys( $baseref );
@@ -3135,7 +3136,7 @@ sub combine_dports {
 			}

 			next RULE if $ports1 eq $ports2;
-   
+
 			last if ( $ports += port_count( $ports2 ) ) > 15;

 			if ( $comment2 ) {
@@ -3162,7 +3163,7 @@ sub combine_dports {
 			push @ports, split ',', $ports2;

 			trace( $chainref, 'D', $rulenum, $ruleref ) if $debug;
-			
+
 		    } else {
 			last;
 		    }
@@ -3181,7 +3182,7 @@ sub combine_dports {

 		    trace ( $chainref, 'R', $basenum, $baseref ) if $debug;
 		}
-	    } 
+	    }

 	    push @rules, $baseref;

@@ -3191,7 +3192,7 @@ sub combine_dports {

    \@rules;
 }
-	
+
 sub optimize_level16( $$$ ) {
    my ( $table, $tableref , $passes ) = @_;
    my @chains   = ( grep $_->{referenced}, values %{$tableref} );
@@ -3295,7 +3296,7 @@ sub setup_zone_mss() {

 	    for my $zone1 ( all_zones ) {
 		add_ijump ensure_chain( 'filter', rules_chain( $zone, $zone1 ) ),  j => $target , @sourcedev, @source, p => 'tcp --tcp-flags SYN,RST SYN', @mssmatch, @ipsecin ;
-		add_ijump ensure_chain( 'filter', rules_chain( $zone1, $zone ) ),  j => $target , @destdev,   @dest,   p => 'tcp --tcp-flags SYN,RST SYN', @mssmatch, @ipsecout ;	    
+		add_ijump ensure_chain( 'filter', rules_chain( $zone1, $zone ) ),  j => $target , @destdev,   @dest,   p => 'tcp --tcp-flags SYN,RST SYN', @mssmatch, @ipsecout ;
 	    }
 	}
    }
@@ -3401,9 +3402,9 @@ sub source_iexclusion( $$$$$;@ ) {
 	@exclusion = mysplit( $2 );

 	my $chainref1 = new_chain( $table , newexclusionchain( $table ) );
-	
+
 	add_ijump( $chainref1 , j => 'RETURN', imatch_source_net( $_ ) ) for @exclusion;
-	
+
 	if ( $targetopts ) {
 	    add_ijump( $chainref1, $jump => $target, targetopts => $targetopts );
 	} else {
@@ -3415,7 +3416,7 @@ sub source_iexclusion( $$$$$;@ ) {
 	add_ijump( $chainref,
 		   $jump      => $target,
 		   targetopts => $targetopts,
-		   imatch_source_net( $source ), 
+		   imatch_source_net( $source ),
 		   @_ );
    } else {
 	add_ijump( $chainref, $jump => $target, imatch_source_net( $source ), @_ );
@@ -3452,9 +3453,9 @@ sub dest_iexclusion( $$$$$;@ ) {
 	@exclusion = mysplit( $2 );

 	my $chainref1 = new_chain( $table , newexclusionchain( $table ) );
-	
+
 	add_ijump( $chainref1 , j => 'RETURN', imatch_dest_net( $_ ) ) for @exclusion;
-	
+
 	if ( $targetopts ) {
 	    add_ijump( $chainref1, $jump => $target, targetopts => $targetopts, @_ );
 	} else {
@@ -3969,7 +3970,7 @@ sub do_ratelimit( $$ ) {
 	if ( $rate =~ /^[sd]:((\w*):)?((\d+)(\/(sec|min|hour|day))?):(\d+)$/ ) {
 	    fatal_error "Invalid Rate ($3)" unless $4;
 	    fatal_error "Invalid Burst ($7)" unless $7;
-	    $limit .= "--hashlimit $3 --hashlimit-burst $7 --hashlimit-name ";
+	    $limit .= "--$match $3 --hashlimit-burst $7 --hashlimit-name ";
 	    $limit .= $2 ? $2 : 'shorewall' . $hashlimitset++;
 	    $limit .= ' --hashlimit-mode ';
 	    $units = $6;
@@ -4081,7 +4082,7 @@ sub resolve_id( $$ ) {

    $id;
 }
-    
+

 #
 # Create a "-m owner" match for the passed USER/GROUP
@@ -4223,14 +4224,14 @@ sub validate_helper( $;$ ) {

    my $helper_proto = $helpers{$helper_base};

-    if ( $helper_proto) {	    
+    if ( $helper_proto) {
 	#
 	#  Recognized helper
 	#
 	if ( supplied $proto ) {
 	    my $protonum = -1;

-	    fatal_error "Unknown PROTO ($protonum)" unless defined ( $protonum = resolve_proto( $proto ) );	
+	    fatal_error "Unknown PROTO ($protonum)" unless defined ( $protonum = resolve_proto( $proto ) );

 	    unless ( $protonum == $helper_proto ) {
 		fatal_error "The $helper_base helper requires PROTO=" . (proto_name $helper_proto );
@@ -4298,7 +4299,7 @@ my %headers = ( hop          => 1,
 		route        => 1,
 		frag         => 1,
 		auth         => 1,
-		esp          => 1,  
+		esp          => 1,
 		none         => 1,
 		'hop-by-hop' => 1,
 		'ipv6-opts'  => 1,
@@ -4352,7 +4353,7 @@ sub do_probability( $ ) {
    require_capability 'STATISTIC_MATCH', 'A non-empty PROBABILITY column', 's';

    my $invert = $probability =~ s/^!// ? '! ' : "";
-    
+
    fatal_error "Invalid PROBABILITY ($probability)" unless $probability =~ /^0?\.\d{1,8}$/;

    "-m statistic --mode random --probability $probability ";
@@ -4448,7 +4449,7 @@ sub match_dest_dev( $;$ ) {
 	    }
 	} else {
 	    my $bridgeref = find_interface $interfaceref->{bridge};
-	    
+
 	    if ( have_capability( 'PHYSDEV_BRIDGE' ) ) {
 		"-o $bridgeref->{physical} -m physdev --physdev-is-bridged --physdev-out $interface ";
 	    } else {
@@ -4474,7 +4475,7 @@ sub imatch_dest_dev( $;$ ) {
 	    }
 	} else {
 	    my $bridgeref = find_interface $interfaceref->{bridge};
-	    
+
 	    if ( have_capability( 'PHYSDEV_BRIDGE' ) ) {
 		( o => $bridgeref->{physical}, physdev => "--physdev-is-bridged --physdev-out $interface" );
 	    } else {
@@ -4570,13 +4571,13 @@ sub record_runtime_address( $$;$ ) {
    }

    $addr . ' ';
-   
+
 }

 #
 # If the passed address is a run-time address variable for an optional interface, then
 # begin a conditional rule block that tests the address for nil. Returns 1 if a conditional
-# block was opened. The caller stores the result, and if the result is true the caller 
+# block was opened. The caller stores the result, and if the result is true the caller
 # invokes conditional_rule_end() when the conditional block is complete.
 #
 sub conditional_rule( $$ ) {
@@ -4613,7 +4614,7 @@ sub conditional_rule_end( $ ) {
    my $chainref = shift;
    decr_cmd_level $chainref;
    add_commands( $chainref , "fi\n" );
-}	
+}

 sub mysplit( $;$ );

@@ -4764,7 +4765,7 @@ sub match_dest_net( $ ) {
 	if ( $net =~ /^([&%])(.+)/ ) {
 	    return '! -d ' . record_runtime_address $1, $2;
 	}
-	
+
 	validate_net $net, 1;
 	return "! -d $net ";
    }
@@ -4811,7 +4812,7 @@ sub imatch_dest_net( $ ) {
 	if ( $net =~ /^([&%])(.+)/ ) {
 	    return ( d => '! ' . record_runtime_address( $1, $2, 1 ) );
 	}
-	
+
 	validate_net $net, 1;
 	return ( d => "! $net " );
    }
@@ -5474,7 +5475,7 @@ sub split_network( $$$ ) {
    }

    invalid_network_list( $srcdst, $list ) if @result > 2;
-	
+
    @result;
 }

@@ -5486,7 +5487,7 @@ sub handle_network_list( $$ ) {

    my $nets = '';
    my $excl = '';
-	
+
    my @nets = mysplit $list;

    for ( @nets ) {
@@ -5506,7 +5507,7 @@ sub handle_network_list( $$ ) {
 	    $excl .= ",$_";
 	} else {
 	    $nets = $nets ? join(',', $nets, $_ ) : $_;
-	}	    
+	}
    }

    ( $nets, $excl );
@@ -5550,7 +5551,7 @@ sub expand_rule( $$$$$$$$$$;$ )
    } else {
 	$jump = $basictarget = '';
    }
-    
+
    our @ends = ();
    #
    # In the generated rules, we sometimes need run-time loops or conditional blocks. This function is used
@@ -5658,7 +5659,7 @@ sub expand_rule( $$$$$$$$$$;$ )
 		    fatal_error "Source Interface ($iiface) not allowed when the SOURCE is the firewall";
 		}
 	    }
- 
+
 	    $chainref->{restricted} |= $restriction;
 	    $rule .= match_source_dev( $iiface );
 	}
@@ -5752,12 +5753,12 @@ sub expand_rule( $$$$$$$$$$;$ )
 		    fatal_error "Destination Interface ($diface) not allowed in the mangle OUTPUT chain";
 		}
 	    }
-	    
+
 	    if ( $iiface ) {
 		my $bridge = port_to_bridge( $diface );
 		fatal_error "Source interface ($iiface) is not a port on the same bridge as the destination interface ( $diface )" if $bridge && $bridge ne source_port_to_bridge( $iiface );
 	    }
-	    
+
 	    $chainref->{restricted} |= $restriction;
 	    $rule .= match_dest_dev( $diface );
 	}
@@ -5922,7 +5923,7 @@ sub expand_rule( $$$$$$$$$$;$ )
 	    # Use the current rule and send all possible matches to the exclusion chain
 	    #
 	    for my $onet ( mysplit $onets ) {
-		
+
 		my $cond = conditional_rule( $chainref, $onet );

 		$onet = match_orig_dest $onet;
@@ -5943,7 +5944,7 @@ sub expand_rule( $$$$$$$$$$;$ )

 		conditional_rule_end( $chainref ) if $cond;
 	    }
-		
+
 	    #
 	    # Generate RETURNs for each exclusion
 	    #
@@ -5997,12 +5998,12 @@ sub expand_rule( $$$$$$$$$$;$ )
 	    my $cond = conditional_rule( $chainref, $onet );

 	    $onet = match_orig_dest $onet;
-	    
+
 	    for my $inet ( mysplit $inets ) {
 		my $source_match;

 		my $cond = conditional_rule( $chainref, $inet );
-		
+
 		$source_match = match_source_net( $inet, $restriction, $mac ) if $globals{KLUDGEFREE};

 		for my $dnet ( mysplit $dnets ) {
@@ -6090,7 +6091,7 @@ sub copy_options( $ ) {
 }

 #
-# This function is called after the blacklist rules have been added to the canonical chains. It 
+# This function is called after the blacklist rules have been added to the canonical chains. It
 # either copies the relevant interface option rules into each canonocal chain, or it inserts one
 # or more jumps to the relevant option chains. The argument indicates whether blacklist rules are
 # present.
@@ -6122,7 +6123,7 @@ sub add_interface_options( $ ) {
 		    $digest = format_rule( $chainref, $_, 1 );
 		}
 	    }
-	    
+
 	    $chainref->{digest} = sha1 $digest;
 	}
 	#
@@ -6131,10 +6132,10 @@ sub add_interface_options( $ ) {
 	for my $zone1 ( off_firewall_zones ) {
 	    my @input_interfaces   = keys %{zone_interfaces( $zone1 )};
 	    my @forward_interfaces = @input_interfaces;
-	    
+
 	    if ( @input_interfaces > 1 ) {
 		#
-		# This zone has multiple interfaces - discover if all of the interfaces have the same 
+		# This zone has multiple interfaces - discover if all of the interfaces have the same
 		# input and/or forward options
 		#
 		my $digest;
@@ -6165,14 +6166,14 @@ sub add_interface_options( $ ) {

 		    @forward_interfaces = ( $forward_interfaces[0] );
 		}
-	    }  
+	    }
 	    #
 	    # Now insert the jumps
 	    #
 	    for my $zone2 ( all_zones ) {
 		my $chainref = $filter_table->{rules_chain( $zone1, $zone2 )};
 		my $chain1ref;
-	    
+
 		if ( zone_type( $zone2 ) & (FIREWALL | VSERVER ) ) {
 		    if ( @input_interfaces == 1 && copy_options( $input_interfaces[0] ) ) {
 			$chain1ref = $input_chains{$input_interfaces[0]};
@@ -6231,7 +6232,7 @@ sub add_interface_options( $ ) {
 	    my $chain1ref;

 	    $chainref = $filter_table->{input_option_chain $interface};
-	   
+
 	    if( @{$chainref->{rules}} ) {
 		move_rules $chainref, $chain1ref = $filter_table->{input_chain $interface};
 		set_interface_option( $interface, 'use_input_chain', 1 );
@@ -6264,7 +6265,7 @@ sub add_interface_options( $ ) {
 #
 # We may have to generate part of the input at run-time. The rules array in each chain
 # table entry may contain both rules or shell source, determined by the contents of the 'mode'
-# member. We alternate between writing the rules into the temporary file to be passed to 
+# member. We alternate between writing the rules into the temporary file to be passed to
 # iptables-restore (CAT_MODE) and and writing shell source into the generated script (CMD_MODE).
 #
 # The following two functions are responsible for the mode transitions.
@@ -6300,7 +6301,7 @@ sub emitr( $$ ) {
 	    # A command
 	    #
 	    enter_cmd_mode unless $mode == CMD_MODE;
-	    
+
 	    if ( exists $ruleref->{cmd} ) {
 		emit join( '', '    ' x $ruleref->{cmdlevel}, $ruleref->{cmd} );
 	    } else {
@@ -6308,7 +6309,7 @@ sub emitr( $$ ) {
 		# Must preserve quotes in the rule
 		#
 		( my $rule = format_rule( $chainref, $ruleref ) ) =~ s/"/\\"/g;
-		
+
 		emit join( '', '    ' x $ruleref->{cmdlevel} , 'echo "' , $rule, '" >&3' );
 	    }
 	}
@@ -6350,7 +6351,7 @@ sub emitr1( $$ ) {
 		emitstd $ruleref->{cmd};
 	    } else {
 		( my $rule = format_rule( $chainref, $ruleref ) ) =~ s/"/\\"/g;
-		
+
 		emitstd join( '', '    ' x $ruleref->{cmdlevel} , 'echo "' , $rule, '" >&3' );
 	    }
 	}
@@ -6486,7 +6487,7 @@ sub load_ipsets() {
 	       'esac' ,
 	       '' ,
 	       'if [ "$COMMAND" = start ]; then' );
-	
+
 	if ( $config{SAVE_IPSETS} ) {
 	    emit ( '    if [ -f ${VARDIR}/ipsets.save ]; then' ,
 		   '        $IPSET -F' ,
@@ -6556,7 +6557,7 @@ sub load_ipsets() {
 		   '        grep -qE -- "^(-N|create )" ${VARDIR}/ipsets.tmp && mv -f ${VARDIR}/ipsets.tmp ${VARDIR}/ipsets.save' ,
 		   '    fi' );
 	}
-	    
+
 	if ( @ipsets ) {
 	    emit( 'elif [ "$COMMAND" = refresh ]; then' );
 	    ensure_ipset( $_ ) for @ipsets;
@@ -6622,7 +6623,7 @@ sub create_netfilter_load( $ ) {
 	for my $chain ( @builtins ) {
 	    my $chainref = $chain_table{$table}{$chain};
 	    if ( $chainref ) {
-		assert( $chainref->{cmdlevel} == 0 );
+		assert( $chainref->{cmdlevel} == 0, $chainref->{name} );
 		emit_unindented ":$chain $chainref->{policy} [0:0]";
 		push @chains, $chainref;
 	    }
@@ -6633,7 +6634,7 @@ sub create_netfilter_load( $ ) {
 	for my $chain ( grep $chain_table{$table}{$_}->{referenced} , ( sort keys %{$chain_table{$table}} ) ) {
 	    my $chainref =  $chain_table{$table}{$chain};
 	    unless ( $chainref->{builtin} ) {
-		assert( $chainref->{cmdlevel} == 0 );
+		assert( $chainref->{cmdlevel} == 0 , $chainref->{name} );
 		emit_unindented ":$chainref->{name} - [0:0]";
 		push @chains, $chainref;
 	    }
@@ -6705,7 +6706,7 @@ sub preview_netfilter_load() {
 	for my $chain ( @builtins ) {
 	    my $chainref = $chain_table{$table}{$chain};
 	    if ( $chainref ) {
-		assert( $chainref->{cmdlevel} == 0 );
+		assert( $chainref->{cmdlevel} == 0 , $chainref->{name} );
 		print ":$chain $chainref->{policy} [0:0]\n";
 		push @chains, $chainref;
 	    }
@@ -6716,7 +6717,7 @@ sub preview_netfilter_load() {
 	for my $chain ( grep $chain_table{$table}{$_}->{referenced} , ( sort keys %{$chain_table{$table}} ) ) {
 	    my $chainref =  $chain_table{$table}{$chain};
 	    unless ( $chainref->{builtin} ) {
-		assert( $chainref->{cmdlevel} == 0 );
+		assert( $chainref->{cmdlevel} == 0, $chainref->{name} );
 		print ":$chainref->{name} - [0:0]\n";
 		push @chains, $chainref;
 	    }
@@ -6760,7 +6761,7 @@ sub create_chainlist_reload($) {
 	unless ( @chains ) {
 	    @chains = qw( blacklst ) if $filter_table->{blacklst};
 	    push @chains, 'blackout' if $filter_table->{blackout};
-	    
+
 	    for ( grep $_->{blacklistsection} && $_->{referenced}, values %{$filter_table} ) {
 		push @chains, $_->{name} if $_->{blacklistsection};
 	    }
@@ -6803,7 +6804,7 @@ sub create_chainlist_reload($) {
 		my $chainref;
 		fatal_error "No $table chain found with name $chain" unless $chainref = $chain_table{$table}{$chain};
 		fatal_error "Built-in chains may not be refreshed" if $chainref->{builtin};
-		
+
 		if ( $chainseq{$table} && @{$chainref->{rules}} ) {
 		    $tables{$table} = 1;
 		} else {
@@ -6935,7 +6936,7 @@ sub create_stop_load( $ ) {
 	for my $chain ( @builtins ) {
 	    my $chainref = $chain_table{$table}{$chain};
 	    if ( $chainref ) {
-		assert( $chainref->{cmdlevel} == 0 );
+		assert( $chainref->{cmdlevel} == 0 , $chainref->{name} );
 		emit_unindented ":$chain $chainref->{policy} [0:0]";
 		push @chains, $chainref;
 	    }
@@ -6946,7 +6947,7 @@ sub create_stop_load( $ ) {
 	for my $chain ( grep $chain_table{$table}{$_}->{referenced} , ( sort keys %{$chain_table{$table}} ) ) {
 	    my $chainref =  $chain_table{$table}{$chain};
 	    unless ( $chainref->{builtin} ) {
-		assert( $chainref->{cmdlevel} == 0 );
+		assert( $chainref->{cmdlevel} == 0 , $chainref->{name} );
 		emit_unindented ":$chainref->{name} - [0:0]";
 		push @chains, $chainref;
 	    }
--- a/Shorewall/Perl/Shorewall/Compiler.pm
+++ b/Shorewall/Perl/Shorewall/Compiler.pm
@@ -354,7 +354,7 @@ sub generate_script_3($) {
 	    emit 'cat > ${VARDIR}/.modules << EOF';
 	    open_file $fn;

-	    emit_unindented $currentline while read_a_line;
+	    emit_unindented $currentline while read_a_line( NORMAL_READ );

 	    emit_unindented 'EOF';
 	    emit '', 'reload_kernel_modules < ${VARDIR}/.modules';
@@ -425,7 +425,7 @@ sub generate_script_3($) {
 	emit 'cat > ${VARDIR}/proxyarp << __EOF__';
    } else {
 	emit 'cat > ${VARDIR}/proxyndp << __EOF__';
-    } 
+    }

    dump_proxy_arp;
    emit_unindented '__EOF__';
@@ -493,7 +493,7 @@ EOF
 	  "        set_state Started $config_dir" ,
 	  '    else' ,
 	  '        setup_netfilter' );
-    
+
    setup_load_distribution;

    emit<<"EOF";
@@ -578,7 +578,7 @@ sub compiler {
 		  log           => { store => \$log },
 		  log_verbosity => { store => \$log_verbosity, validate => \&validate_verbosity } ,
 		  test          => { store => \$test },
-		  preview       => { store => \$preview,       validate=> \&validate_boolean    } ,    
+		  preview       => { store => \$preview,       validate=> \&validate_boolean    } ,
 		  confess       => { store => \$confess,       validate=> \&validate_boolean    } ,
 		  update        => { store => \$update,        validate=> \&validate_boolean    } ,
 		  convert       => { store => \$convert,       validate=> \&validate_boolean    } ,
--- a/Shorewall/Perl/Shorewall/Config.pm
+++ b/Shorewall/Perl/Shorewall/Config.pm
@@ -47,18 +47,18 @@ our @EXPORT = qw(
 		 warning_message
 		 fatal_error
 		 assert
-		 
+
 		 progress_message
 		 progress_message_nocompress
 		 progress_message2
 		 progress_message3
-		 
+
 		 supplied
-		 
+
 		 get_action_params
 		 get_action_chain
 		 set_action_param
-		 
+
 		 have_capability
 		 require_capability
                );
@@ -150,6 +150,15 @@ our %EXPORT_TAGS = ( internal => [ qw( create_temp_script

 				       MIN_VERBOSITY
 				       MAX_VERBOSITY
+
+				       PLAIN_READ
+				       EMBEDDED_ENABLED
+				       EXPAND_VARIABLES
+				       STRIP_COMMENTS
+				       SUPPRESS_WHITESPACE
+				       CONFIG_CONTINUATION
+				       DO_INCLUDE
+				       NORMAL_READ
 				     ) ] );

 Exporter::export_ok_tags('internal');
@@ -292,7 +301,7 @@ my  %capdesc = ( NAT_ENABLED     => 'NAT',
 		 IPTABLES_S      => 'iptables -S',
 		 BASIC_FILTER    => 'Basic Filter',
 		 CT_TARGET       => 'CT Target',
-		 STATISTIC_MATCH => 
+		 STATISTIC_MATCH =>
 		                    'Statistics Match',
 		 IMQ_TARGET      => 'IMQ Target',
 		 DSCP_MATCH      => 'DSCP Match',
@@ -386,7 +395,7 @@ my  $first_entry;            # Message to output or function to call on first no
 my $shorewall_dir;           # Shorewall Directory; if non-empty, search here first for files.

 our $debug;                  # Global debugging flag
-my  $confess;                # If true, use Carp to report errors with stack trace.   
+my  $confess;                # If true, use Carp to report errors with stack trace.

 our $family;                 # Protocol family (4 or 6)
 our $toolname;               # Name of the tool to use (iptables or iptables6)
@@ -438,6 +447,20 @@ my $ifstack;
 # From .shorewallrc
 #
 our %shorewallrc;
+#
+# read_a_line options
+#
+use constant { PLAIN_READ          => 0,     # No read_a_line options
+               EMBEDDED_ENABLED    => 1,     # Look for embedded Shell and Perl
+	       EXPAND_VARIABLES    => 2,     # Expand Shell variables
+	       STRIP_COMMENTS      => 4,     # Remove comments
+	       SUPPRESS_WHITESPACE => 8,     # Ignore blank lines
+	       CHECK_GUNK          => 16,    # Look for unprintable characters
+	       CONFIG_CONTINUATION => 32,    # Suppress leading whitespace if
+                                             # continued line ends in ',' or ':'
+	       DO_INCLUDE          => 64,    # Look for INCLUDE <filename>
+               NORMAL_READ         => -1     # All options
+	   };

 sub process_shorewallrc($);
 #
@@ -471,7 +494,7 @@ sub initialize( $;$ ) {
    $indent         = '';      # Current total indentation
    ( $dir, $file ) = ('',''); # Script's Directory and Filename
    $tempfile       = '';      # Temporary File Name
-    $sillyname      = 
+    $sillyname      =
    $sillyname1     = '';      # Temporary ipchains
    $omitting       = 0;
    $ifstack        = 0;
@@ -747,7 +770,7 @@ sub initialize( $;$ ) {

    $debug = 0;
    $confess = 0;
-    
+
    %params = ();

    %compiler_params = ();
@@ -759,35 +782,73 @@ sub initialize( $;$ ) {
 		    CONFDIR  => '/etc/',
 		    );

-    if ( $shorewallrc ) {
-	process_shorewallrc( $shorewallrc );
+    process_shorewallrc( $shorewallrc ) if $shorewallrc;

-	$globals{SHAREDIRPL} = "$shorewallrc{SHAREDIR}/shorewall/";
+    $globals{SHAREDIRPL} = "$shorewallrc{SHAREDIR}/shorewall/";

-	if ( $family == F_IPV4 ) {
-	    $globals{SHAREDIR}      = "$shorewallrc{SHAREDIR}/shorewall";
-	    $globals{CONFDIR}       = "$shorewallrc{CONFDIR}/shorewall";
-	    $globals{PRODUCT}       = 'shorewall';
-	    $config{IPTABLES}       = undef;
-	    $validlevels{ULOG}      = 'ULOG';
-	} else {
-	    $globals{SHAREDIR}      = "$shorewallrc{SHAREDIR}/shorewall6";
-	    $globals{CONFDIR}       = "$shorewallrc{CONFDIR}/shorewall6";
-	    $globals{PRODUCT}       = 'shorewall6';
-	    $config{IP6TABLES}      = undef;
-	}
+    if ( $family == F_IPV4 ) {
+	$globals{SHAREDIR}      = "$shorewallrc{SHAREDIR}/shorewall";
+	$globals{CONFDIR}       = "$shorewallrc{CONFDIR}/shorewall";
+	$globals{PRODUCT}       = 'shorewall';
+	$config{IPTABLES}       = undef;
+	$validlevels{ULOG}      = 'ULOG';
+    } else {
+	$globals{SHAREDIR}      = "$shorewallrc{SHAREDIR}/shorewall6";
+	$globals{CONFDIR}       = "$shorewallrc{CONFDIR}/shorewall6";
+	$globals{PRODUCT}       = 'shorewall6';
+	$config{IP6TABLES}      = undef;
    }
 }

 my @abbr = qw( Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec );

+#
+# Create 'currentlineinfo'
+#
+sub currentlineinfo() {
+    my $linenumber = $currentlinenumber || 1;
+
+    if ( $currentfile ) {
+	my $lineinfo = " $currentfilename ";
+	
+	if ( $linenumber eq 'EOF' ) {
+	    $lineinfo .= '(EOF)'
+	} else {
+	    $lineinfo .= "(line $linenumber)";
+	}
+	#
+	# Unwind the current include stack
+	#
+	for ( my $i = @includestack - 1; $i >= 0; $i-- ) {
+	    my $info = $includestack[$i];
+	    $linenumber = $info->[2] || 1;
+	    $lineinfo .= "\n      from $info->[1] (line $linenumber)";
+	}
+	#
+	# Now unwind the open stack; each element is an include stack
+	#
+	for ( my $i = @openstack - 1; $i >= 0; $i-- ) {
+	    my $istack = $openstack[$i];
+	    for ( my $j = ( @$istack - 1 ); $j >= 0; $j-- ) {
+		my $info = $istack->[$j];
+		$linenumber = $info->[2] || 1;
+		$lineinfo .= "\n      from $info->[1] (line $linenumber)";
+	    }
+	}
+
+	$lineinfo;
+
+    } else {
+	'';
+    }
+}
+
 #
 # Issue a Warning Message
 #
 sub warning_message
 {
-    my $linenumber = $currentlinenumber || 1;
-    my $currentlineinfo = $currentfile ?  " : $currentfilename " . ( $linenumber eq 'EOF' ? '(EOF)' : "(line $linenumber)" ) : '';
+    my $currentlineinfo = currentlineinfo;
    our @localtime;

    $| = 1; #Reset output buffering (flush any partially filled buffers).
@@ -815,6 +876,30 @@ sub cleanup() {
    close  $script, $script = undef         if $script;
    close  $perlscript, $perlscript = undef if $perlscript;
    close  $log, $log = undef               if $log;
+
+    if ( $currentfile ) {
+	#
+	# We have a current input file; close it
+	#
+	close $currentfile;
+	#
+	# Unwind the current include stack
+	#
+	for ( my $i = @includestack - 1; $i >= 0; $i-- ) {
+	    my $info = $includestack[$i];
+	    close $info->[0];
+	}
+	#
+	# Now unwind the open stack; each element is an include stack
+	#
+	for ( my $i = @openstack - 1; $i >= 0; $i-- ) {
+	    my $istack = $openstack[$i];
+	    for ( my $j = ( @$istack - 1 ); $j >= 0; $j-- ) {
+		my $info = $istack->[$j];
+		close $info->[0];
+	    }
+	}
+    }
    #
    # Unlink temporary files
    #
@@ -842,8 +927,7 @@ sub cleanup() {
 # Issue fatal error message and die
 #
 sub fatal_error	{
-    my $linenumber = $currentlinenumber || 1;
-    my $currentlineinfo = $currentfile ?  " : $currentfilename " . ( $linenumber eq 'EOF' ? '(EOF)' : "(line $linenumber)" ) : '';
+    my $currentlineinfo = currentlineinfo;

    $| = 1; #Reset output buffering (flush any partially filled buffers).

@@ -889,13 +973,16 @@ sub fatal_error1 {
 }

 #
-# C/C++-like assertion checker
+# C/C++-like assertion checker -- the optional arguments are not used but will
+#                                 appear in the stack trace
 #
-sub assert( $;$ ) {
+sub assert( $;@ ) {
    unless ( $_[0] ) {
 	my @caller0 = caller 0; # Where assert() was called
 	my @caller1 = caller 1; # Who called assert()

+	$confess = 1;
+
 	fatal_error "Internal error in $caller1[3] at $caller0[1] line $caller0[2]";
    }
 }
@@ -943,7 +1030,9 @@ sub normalize_hex( $ ) {
 # Return the argument expressed in Hex
 #
 sub in_hex( $ ) {
-    sprintf '0x%x', $_[0];
+    my $value = $_[0];
+
+    $value =~ /^0x/ ? $value : sprintf '0x%x', $_[0];
 }

 sub in_hex2( $ ) {
@@ -1334,9 +1423,7 @@ sub find_file($)

    return $filename if $filename =~ '/';

-    my $directory;
-
-    for $directory ( @config_path ) {
+    for my $directory ( @config_path ) {
 	my $file = "$directory$filename";
 	return $file if -f $file;
    }
@@ -1405,11 +1492,13 @@ sub supplied( $ ) {
 #    supply '-' in omitted trailing columns.
 #    Handles all of the supported forms of column/pair specification
 #
-sub split_line1( $$;$ ) {
-    my ( $description, $columnsref, $nopad) = @_;
+sub split_line1( $$;$$ ) {
+    my ( $description, $columnsref, $nopad, $maxcolumns ) = @_;

-    my @maxcolumns = ( keys %$columnsref );
-    my $maxcolumns = @maxcolumns;
+    unless ( defined $maxcolumns ) {
+	my @maxcolumns = ( keys %$columnsref );
+	$maxcolumns = @maxcolumns;
+    }
    #
    # First see if there is a semicolon on the line; what follows will be column/value paris
    #
@@ -1472,7 +1561,7 @@ sub split_line1( $$;$ ) {
 	    fatal_error "Non-ASCII gunk in the value of the $column column" if $columns =~ /[^\s[:print:]]/;
 	    $line[$column] = $value;
 	}
-    }   
+    }

    @line;
 }
@@ -1574,7 +1663,7 @@ sub process_conditional( $$$ ) {

 	fatal_error "Invalid IF variable ($rest)" unless ($rest =~ s/^\$// || $rest =~ /^__/ ) && $rest =~ /^\w+$/;

-	push @ifstack, [ 'IF', $lastomit, $omitting, $linenumber ];
+	push @ifstack, [ 'IF', $omitting, $omitting, $linenumber ];

 	if ( $rest eq '__IPV6' ) {
 	    $omitting = $family == F_IPV4;
@@ -1585,8 +1674,8 @@ sub process_conditional( $$$ ) {

 	    $cap =~ s/^__//;

-	    $omitting = ! ( exists $ENV{$rest}    ? $ENV{$rest}    : 
-			    exists $params{$rest} ? $params{$rest} : 
+	    $omitting = ! ( exists $ENV{$rest}    ? $ENV{$rest}    :
+			    exists $params{$rest} ? $params{$rest} :
 			    exists $config{$rest} ? $config{$rest} :
 			    exists $capdesc{$cap} ? have_capability( $cap ) : 0 );
 	}
@@ -1607,7 +1696,7 @@ sub process_conditional( $$$ ) {
    }

    $omitting;
-}   
+}

 #
 # Functions for copying a file into the script
@@ -1676,7 +1765,7 @@ sub copy1( $ ) {
 	my ( $do_indent, $here_documents ) = ( 1, '');

 	open_file( $_[0] );
-	
+
 	while ( $currentfile ) {
 	    while ( <$currentfile> ) {
 		$currentlinenumber++;
@@ -1748,7 +1837,7 @@ sub copy1( $ ) {

 			next;
 		    }
-			
+
 		    if ( $indent ) {
 			s/^(\s*)/$indent1$1$indent2/;
 			s/        /\t/ if $indent2;
@@ -1877,7 +1966,7 @@ EOF
 #
 sub push_open( $ ) {

-    push @includestack, [ $currentfile, $currentfilename, $currentlinenumber, $ifstack ];
+    push @includestack, [ $currentfile, $currentfilename, $currentlinenumber, $ifstack ] if $currentfile;
    my @a = @includestack;
    push @openstack, \@a;
    @includestack = ();
@@ -1930,12 +2019,10 @@ sub shorewall {
 sub first_entry( $ ) {
    $first_entry = $_[0];
    my $reftype = reftype $first_entry;
-    if ( $reftype ) {
-	fatal_error "Invalid argument to first_entry()" unless $reftype eq 'CODE';
-    }
+    assert( $reftype eq 'CODE' ) if $reftype;
 }

-sub read_a_line(;$$$$);
+sub read_a_line($);

 sub embedded_shell( $ ) {
    my $multiline = shift;
@@ -1952,7 +2039,7 @@ sub embedded_shell( $ ) {

 	my $last = 0;

-	while ( read_a_line( 0, 0, 0, 0 ) ) {
+	while ( read_a_line( PLAIN_READ ) ) {
 	    last if $last = $currentline =~ s/^\s*END(\s+SHELL)?\s*;?//;
 	    $command .= "$currentline\n";
 	}
@@ -1986,7 +2073,7 @@ sub embedded_perl( $ ) {

 	my $last = 0;

-	while ( read_a_line( 0, 0, 0, 0 ) ) {
+	while ( read_a_line( PLAIN_READ ) ) {
 	    last if $last = $currentline =~ s/^\s*END(\s+PERL)?\s*;?//;
 	    $command .= "$currentline\n";
 	}
@@ -2100,11 +2187,11 @@ sub set_action_param( $$ ) {
 }

 #
-# Expand Shell Variables in the passed buffer using %params and @actparms
+# Expand Shell Variables in the passed buffer using @actparms, %params, %shorewallrc and %config, 
 #
 sub expand_variables( \$ ) {
    my ( $lineref, $count ) = ( $_[0], 0 );
-    #                    $1      $2   $3      -     $4
+    #                         $1      $2   $3      -     $4
    while ( $$lineref =~ m( ^(.*?) \$({)? (\w+) (?(2)}) (.*)$ )x ) {

 	my ( $first, $var, $rest ) = ( $1, $3, $4);
@@ -2142,7 +2229,7 @@ sub handle_first_entry() {
 }

 #
-# Read a line from the current include stack.
+# Read a line from the current include stack. Based on the passed options, it will conditionally:
 #
 #   - Ignore blank or comment-only lines.
 #   - Remove trailing comments.
@@ -2153,11 +2240,8 @@ sub handle_first_entry() {
 #   - Handle ?IF, ?ELSE, ?ENDIF
 #

-sub read_a_line(;$$$$) {
-    my $embedded_enabled    = defined $_[0] ? shift : 1;
-    my $expand_variables    = defined $_[0] ? shift : 1;
-    my $strip_comments      = defined $_[0] ? shift : 1;
-    my $suppress_whitespace = defined $_[0] ? shift : 1;
+sub read_a_line($) {
+    my $options = $_[0];

    while ( $currentfile ) {

@@ -2172,12 +2256,12 @@ sub read_a_line(;$$$$) {
 	    #
 	    # Suppress leading whitespace in certain continuation lines
 	    #
-	    s/^\s*// if $currentline =~ /[,:]$/ && $suppress_whitespace;
+	    s/^\s*// if $currentline =~ /[,:]$/ && $options & CONFIG_CONTINUATION;
 	    #
 	    # If this is a continued line with a trailing comment, remove comment. Note that
 	    # the result will now end in '\'.
 	    #
-	    s/\s*#.*$// if $strip_comments && /[\\]\s*#.*$/;
+	    s/\s*#.*$// if ($options & STRIP_COMMENTS) && /[\\]\s*#.*$/;
 	    #
 	    # Continuation
 	    #
@@ -2189,8 +2273,8 @@ sub read_a_line(;$$$$) {
 		$omitting = process_conditional( $omitting, $currentline, $currentlinenumber );
 		$currentline='';
 		next;
-	    }		
-		    
+	    }
+
 	    if ( $omitting ) {
 		print "OMIT=> $currentline\n" if $debug;
 		$currentline='';
@@ -2200,7 +2284,7 @@ sub read_a_line(;$$$$) {
 	    #
 	    # Must check for shell/perl before doing variable expansion
 	    #
-	    if ( $embedded_enabled ) {
+	    if ( $options & EMBEDDED_ENABLED ) {
 		if ( $currentline =~ s/^\s*(BEGIN\s+)?SHELL\s*;?// ) {
 		    handle_first_entry if $first_entry;
 		    embedded_shell( $1 );
@@ -2214,13 +2298,20 @@ sub read_a_line(;$$$$) {
 		}
 	    }
 	    #
-	    # Now remove concatinated comments
+	    # Now remove concatinated comments if asked
 	    #
-	    $currentline =~ s/\s*#.*$// if $strip_comments;
-	    #
-	    # Ignore ( concatenated ) Blank Lines after comments are removed.
-	    #
-	    $currentline = '', $currentlinenumber = 0, next if $currentline =~ /^\s*$/ && $suppress_whitespace;
+	    $currentline =~ s/\s*#.*$// if $options & STRIP_COMMENTS;
+
+	    if ( $options & SUPPRESS_WHITESPACE ) {
+		#
+		# Ignore (concatinated) blank lines
+		#
+		$currentline = '', $currentlinenumber = 0, next if $currentline =~ /^\s*$/;
+		#
+		# Eliminate trailing whitespace
+		#
+		$currentline =~ s/\s*$//;
+	    }
 	    #
 	    # Line not blank -- Handle any first-entry message/capabilities check
 	    #
@@ -2228,9 +2319,9 @@ sub read_a_line(;$$$$) {
 	    #
 	    # Expand Shell Variables using %params and @actparms
 	    #
-	    expand_variables( $currentline ) if $expand_variables;
+	    expand_variables( $currentline ) if $options & EXPAND_VARIABLES;

-	    if ( $currentline =~ /^\s*\??INCLUDE\s/ ) {
+	    if ( ( $options & DO_INCLUDE ) && $currentline =~ /^\s*\??INCLUDE\s/ ) {

 		my @line = split ' ', $currentline;

@@ -2252,6 +2343,7 @@ sub read_a_line(;$$$$) {

 		$currentline = '';
 	    } else {
+		fatal_error "Non-ASCII gunk in file" if ( $options && CHECK_GUNK ) && $currentline =~ /[^\s[:print:]]/;
 		print "IN===> $currentline\n" if $debug;
 		return 1;
 	    }
@@ -2261,33 +2353,13 @@ sub read_a_line(;$$$$) {
    }
 }

-#
-# Simple version of the above. Doesn't do line concatenation, shell variable expansion or INCLUDE processing
-#
-sub read_a_line1() {
-    while ( $currentfile ) {
-	while ( $currentline = <$currentfile> ) {
-	    next if $currentline =~ /^\s*#/;
-	    chomp $currentline;
-	    next if $currentline =~ /^\s*$/;
-	    $currentline =~ s/#.*$//;       # Remove Trailing Comments
-	    fatal_error "Non-ASCII gunk in file" if $currentline =~ /[^\s[:print:]]/;
-	    $currentlinenumber = $.;
-	    print "IN===> $currentline\n" if $debug;
-	    return 1;
-	}
-
-	close_file;
-    }
-}
-
 sub process_shorewallrc( $ ) {
    my $shorewallrc = shift;

    $shorewallrc{PRODUCT} = $family == F_IPV4 ? 'shorewall' : 'shorewall6';

    if ( open_file $shorewallrc ) {
-	while ( read_a_line1 ) {
+	while ( read_a_line( STRIP_COMMENTS | SUPPRESS_WHITESPACE | CHECK_GUNK ) ) {
 	    if ( $currentline =~ /^([a-zA-Z]\w*)=(.*)$/ ) {
 		my ($var, $val) = ($1, $2);
 		$val = $1 if $val =~ /^\"([^\"]*)\"$/;
@@ -2542,7 +2614,7 @@ sub load_kernel_modules( ) {
 	$modulesdir = "/lib/modules/$uname/kernel/net/ipv4/netfilter:/lib/modules/$uname/kernel/net/ipv6/netfilter:/lib/modules/$uname/kernel/net/netfilter:/lib/modules/$uname/extra:/lib/modules/$uname/extra/ipset";
    }

-    my @moduledirectories; 
+    my @moduledirectories;

    for ( split /:/, $modulesdir ) {
 	push @moduledirectories, $_ if -d $_;
@@ -2568,7 +2640,7 @@ sub load_kernel_modules( ) {

 	my @suffixes = split /\s+/ , $config{MODULE_SUFFIX};

-	while ( read_a_line ) {
+	while ( read_a_line( NORMAL_READ ) ) {
 	    fatal_error "Invalid modules file entry" unless ( $currentline =~ /^loadmodule\s+([a-zA-Z]\w*)\s*(.*)$/ );
 	    my ( $module, $arguments ) = ( $1, $2 );
 	    unless ( $loadedmodules{ $module } ) {
@@ -2581,7 +2653,7 @@ sub load_kernel_modules( ) {
 			    } else {
 				system( "modprobe $module $arguments" );
 			    }
-				    
+
 			    $loadedmodules{ $module } = 1;
 			}
 		    }
@@ -3245,7 +3317,7 @@ sub ensure_config_path() {

 	add_param( CONFDIR => $globals{CONFDIR} );

-	while ( read_a_line ) {
+	while ( read_a_line( NORMAL_READ ) ) {
 	    if ( $currentline =~ /^\s*([a-zA-Z]\w*)=(.*?)\s*$/ ) {
 		my ($var, $val) = ($1, $2);
 		$config{$var} = ( $val =~ /\"([^\"]*)\"$/ ? $1 : $val ) if exists $config{$var};
@@ -3324,7 +3396,7 @@ sub update_config_file( $ ) {
 	#
 	# Debian or derivative
 	#
-	$fn = $annotate ? "/usr/share/doc/${product}/default-config/${product}.conf.annotated" : "/usr/share/doc/${product}/default-config/${product}.conf";
+	$fn = $annotate ? "$shorewallrc{SHAREDIR}/doc/${product}/default-config/${product}.conf.annotated" : "$shorewallrc{SHAREDIR}/doc/${product}/default-config/${product}.conf";
    } else {
 	#
 	# The rest of the World
@@ -3336,7 +3408,7 @@ sub update_config_file( $ ) {

 	open $template, '<' , $fn or fatal_error "Unable to open $fn: $!";

-	unless ( open $output, '>', "$configfile.updated" ) { 
+	unless ( open $output, '>', "$configfile.updated" ) {
 	    close $template;
 	    fatal_error "Unable to open $configfile.updated for output: $!";
 	}
@@ -3407,7 +3479,7 @@ EOF

 	fatal_error "Can't rename $configfile to $configfile.bak: $!"     unless rename $configfile, "$configfile.bak";
 	fatal_error "Can't rename $configfile.updated to $configfile: $!" unless rename "$configfile.updated", $configfile;
-	
+
 	if ( system( "diff -q $configfile $configfile.bak > /dev/null" ) ) {
 	    progress_message3 "Configuration file $configfile updated - old file renamed $configfile.bak";
 	} else {
@@ -3443,14 +3515,14 @@ sub process_shorewall_conf( $$ ) {
 	    #
 	    # Don't expand shell variables or allow embedded scripting
 	    #
-	    while ( read_a_line1 ) {
+	    while ( read_a_line( STRIP_COMMENTS | SUPPRESS_WHITESPACE  | CHECK_GUNK ) ) {
 		if ( $currentline =~ /^\s*([a-zA-Z]\w*)=(.*?)\s*$/ ) {
 		    my ($var, $val) = ($1, $2);

 		    warning_message "Unknown configuration option ($var) ignored", next unless exists $config{$var};

 		    $config{$var} = ( $val =~ /\"([^\"]*)\"$/ ? $1 : $val );
-		    
+
 		    warning_message "Option $var=$val is deprecated"
 			if $deprecated{$var} && supplied $val && lc $config{$var} ne $deprecated{$var};
 		} else {
@@ -3483,7 +3555,7 @@ sub process_shorewall_conf( $$ ) {
 # Process the records in the capabilities file
 #
 sub read_capabilities() {
-    while ( read_a_line1 ) {
+    while ( read_a_line( STRIP_COMMENTS | SUPPRESS_WHITESPACE  | CHECK_GUNK ) ) {
 	if ( $currentline =~ /^([a-zA-Z]\w*)=(.*)$/ ) {
 	    my ($var, $val) = ($1, $2);
 	    unless ( exists $capabilities{$var} ) {
@@ -3606,7 +3678,7 @@ sub get_params() {
 	    print "Params:\n";
 	    print $_ for @params;
 	}
-	
+
 	my ( $variable , $bug );

 	if ( $params[0] =~ /^declare/ ) {
@@ -3635,7 +3707,7 @@ sub get_params() {
 		    } else {
 			warning_message "Param line ($_) ignored" unless $bug++;
 		    }
-		}	
+		}
 	    }
 	} elsif ( $params[0] =~ /^export .*?="/ || $params[0] =~ /^export [^\s=]+\s*$/ ) {
 	    #
@@ -3663,7 +3735,7 @@ sub get_params() {
 		    } else {
 			warning_message "Param line ($_) ignored" unless $bug++;
 		    }
-		}	
+		}
 	    }
 	} else {
 	    #
@@ -3677,7 +3749,7 @@ sub get_params() {

 	    for ( @params ) {
 		if ( /^export (.*?)='(.*'"'"')$/ ) {
-		    $params{$variable=$1}="${2}\n";		    
+		    $params{$variable=$1}="${2}\n";
 		} elsif ( /^export (.*?)='(.*)'$/ ) {
 		    $params{$1} = $2 unless $1 eq '_';
 		} elsif ( /^export (.*?)='(.*)$/ ) {
@@ -3689,7 +3761,7 @@ sub get_params() {
 			$params{$variable} .= $_;
 		    } else {
 			warning_message "Param line ($_) ignored" unless $bug++;
-		    }				
+		    }
 		}
 	    }
 	}
@@ -3986,7 +4058,7 @@ sub get_configuration( $$$ ) {

    default_yes_no 'ACCOUNTING'                 , 'Yes';
    default_yes_no 'OPTIMIZE_ACCOUNTING'        , '';
-    
+
    if ( supplied $config{ACCOUNTING_TABLE} ) {
 	my $value = $config{ACCOUNTING_TABLE};
 	fatal_error "Invalid ACCOUNTING_TABLE setting ($value)" unless $value eq 'filter' || $value eq 'mangle';
@@ -4023,7 +4095,7 @@ sub get_configuration( $$$ ) {
    }

    fatal_error 'Invalid Packet Mark layout' if $config{ZONE_BITS} + $globals{ZONE_OFFSET} > 31;
-    
+
    $globals{EXCLUSION_MASK} = 1 << ( $globals{ZONE_OFFSET} + $config{ZONE_BITS} );
    $globals{PROVIDER_MIN}   = 1 << $config{PROVIDER_OFFSET};

@@ -4038,7 +4110,7 @@ sub get_configuration( $$$ ) {
    }

    if ( ( my $userbits = $config{PROVIDER_OFFSET} - $config{TC_BITS} ) > 0 ) {
-	
+
 	$globals{USER_MASK} = make_mask( $userbits ) << $config{TC_BITS};
    } else {
 	$globals{USER_MASK} = 0;
@@ -4078,7 +4150,7 @@ sub get_configuration( $$$ ) {
    default_log_level 'LOGALLNEW',           '';

    default_log_level 'SFILTER_LOG_LEVEL', 'info';
-    
+
    if ( $val = $config{SFILTER_DISPOSITION} ) {
 	fatal_error "Invalid SFILTER_DISPOSITION setting ($val)" unless $val =~ /^(A_)?(DROP|REJECT)$/;
 	require_capability 'AUDIT_TARGET' , "SFILTER_DISPOSITION=$val", 's' if $1;
@@ -4265,10 +4337,10 @@ sub append_file( $;$$ ) {
    my $user_exit = find_file $file;
    my $result = 0;
    my $save_indent = $indent;
-    
+
    $indent = '' if $unindented;

-    unless ( $user_exit =~ m(^/usr/share/shorewall6?/) ) {
+    unless ( $user_exit =~ m(^$shorewallrc{SHAREDIR}/shorewall6?/) ) {
 	if ( -f $user_exit ) {
 	    if ( $nomsg ) {
 		#
@@ -4327,8 +4399,9 @@ sub run_user_exit1( $ ) {
 	#
 	push_open $file;

-	if ( read_a_line1 ) {
+	if ( read_a_line( STRIP_COMMENTS | SUPPRESS_WHITESPACE  | CHECK_GUNK ) ) {
 	    close_file;
+	    pop_open;

 	    my $command = qq(package Shorewall::User;\n# line 1 "$file"\n) . `cat $file`;

@@ -4358,8 +4431,9 @@ sub run_user_exit2( $$ ) {
 	#
 	push_open $file;

-	if ( read_a_line1 ) {
+	if ( read_a_line( STRIP_COMMENTS | SUPPRESS_WHITESPACE  | CHECK_GUNK ) ) {
 	    close_file;
+	    pop_open;

 	    unless (my $return = eval `cat $file` ) {
 		fatal_error "Couldn't parse $file: $@" if $@;
@@ -4461,7 +4535,7 @@ sub dump_mark_layout() {
 	     $globals{TC_MAX} + 1,
 	     $globals{USER_MASK},
 	     $globals{USER_MASK} );
-    
+
    dumpout( "Provider",
 	     $config{PROVIDER_BITS},
 	     $globals{PROVIDER_MIN},
@@ -4479,7 +4553,7 @@ sub dump_mark_layout() {
 	     $globals{EXCLUSION_MASK},
 	     $globals{EXCLUSION_MASK},
 	     $globals{EXCLUSION_MASK} );
-}	
+}

 END {
    cleanup;
--- a/Shorewall/Perl/Shorewall/IPAddrs.pm
+++ b/Shorewall/Perl/Shorewall/IPAddrs.pm
@@ -293,9 +293,9 @@ sub compare_nets( $$ ) {

    @net1 = decompose_net( $_[0] );
    @net2 = decompose_net( $_[1] );
-    
+
    $net1[0] eq $net2[0] && $net1[1] == $net2[1];
-}			    
+}

 sub allipv4() {
    @allipv4;
@@ -392,7 +392,7 @@ sub validate_portpair( $$ ) {
 	$what = 'port';
    }

-    fatal_error "Using a $what ( $portpair ) requires PROTO TCP, UDP, SCTP or DCCP" unless 
+    fatal_error "Using a $what ( $portpair ) requires PROTO TCP, UDP, SCTP or DCCP" unless
 	defined $protonum && ( $protonum == TCP  ||
 			       $protonum == UDP  ||
 			       $protonum == SCTP ||
@@ -423,7 +423,7 @@ sub validate_portpair1( $$ ) {
 	$what = 'port';
    }

-    fatal_error "Using a $what ( $portpair ) requires PROTO TCP, UDP, SCTP or DCCP" unless 
+    fatal_error "Using a $what ( $portpair ) requires PROTO TCP, UDP, SCTP or DCCP" unless
 	defined $protonum && ( $protonum == TCP  ||
 			       $protonum == UDP  ||
 			       $protonum == SCTP ||
--- a/Shorewall/Perl/Shorewall/Misc.pm
+++ b/Shorewall/Perl/Shorewall/Misc.pm
@@ -72,14 +72,14 @@ sub process_tos() {

 	my ( $pretosref, $outtosref );

-	first_entry( sub { progress_message2 "$doing $fn..."; 
+	first_entry( sub { progress_message2 "$doing $fn...";
 			   warning_message "Use of the tos file is deprecated in favor of the TOS target in tcrules";
-			   $pretosref = ensure_chain 'mangle' , $chain; 
+			   $pretosref = ensure_chain 'mangle' , $chain;
 			   $outtosref = ensure_chain 'mangle' , 'outtos';
 		       }
 		   );

-	while ( read_a_line ) {
+	while ( read_a_line( NORMAL_READ ) ) {

 	    my ($src, $dst, $proto, $ports, $sports , $tos, $mark ) = split_line 'tos file entry', { source => 0, dest => 1, proto => 2, dport => 3, sport => 4, tos => 5, mark => 6 } ;

@@ -149,7 +149,7 @@ sub setup_ecn()
 			   warning_message 'ECN will not be applied to forwarded packets' unless have_capability 'MANGLE_FORWARD';
 		       } );

-	while ( read_a_line ) {
+	while ( read_a_line( NORMAL_READ ) ) {

 	    my ($interface, $hosts ) = split_line 'ecn file entry', { interface => 0, hosts => 1 };

@@ -202,7 +202,7 @@ sub setup_blacklist() {
    my $audit       = $disposition =~ /^A_/;
    my $target      = $disposition eq 'REJECT' ? 'reject' : $disposition;
    my $orig_target = $target;
-    
+
    #
    # We go ahead and generate the blacklist chains and jump to them, even if they turn out to be empty. That is necessary
    # for 'refresh' to work properly.
@@ -216,7 +216,7 @@ sub setup_blacklist() {
 	} elsif ( $audit ) {
 	    require_capability 'AUDIT_TARGET', "BLACKLIST_DISPOSITION=$disposition", 's';
 	    $target = verify_audit( $disposition );
-	}	    
+	}
    }

  BLACKLIST:
@@ -227,7 +227,7 @@ sub setup_blacklist() {

 	    first_entry "$doing $fn...";

-	    while ( read_a_line ) {
+	    while ( read_a_line ( NORMAL_READ ) ) {

 		if ( $first_entry ) {
 		    unless  ( @$zones || @$zones1 ) {
@@ -253,7 +253,7 @@ sub setup_blacklist() {

 		for ( @options ) {
 		    $whitelist++ if $_ eq 'whitelist';
-		    $auditone++  if $_ eq 'audit'; 
+		    $auditone++  if $_ eq 'audit';
 		}

 		warning_message "Duplicate 'whitelist' option ignored" if $whitelist > 1;
@@ -268,7 +268,7 @@ sub setup_blacklist() {
 		    } else {
 			warning_message "Duplicate 'audit' option ignored" if $auditone > 1;

-			
+

 			$tgt = verify_audit( 'A_' . $target, $orig_target, $target );
 		    }
@@ -331,7 +331,7 @@ sub setup_blacklist() {
 }

 #
-# Remove instances of 'blacklist' from the passed file. 
+# Remove instances of 'blacklist' from the passed file.
 #
 sub remove_blacklist( $ ) {
    my $file = shift;
@@ -343,10 +343,10 @@ sub remove_blacklist( $ ) {
    my $oldfile = open_file $fn;
    my $newfile;
    my $changed;
-	
+
    open $newfile, '>', "$fn.new" or fatal_error "Unable to open $fn.new for output: $!";

-    while ( read_a_line(1,1,0) ) {
+    while ( read_a_line( EMBEDDED_ENABLED | EXPAND_VARIABLES ) ) {
 	my ( $rule, $comment ) = split '#', $currentline, 2;

 	if ( $rule =~ /blacklist/ ) {
@@ -358,12 +358,12 @@ sub remove_blacklist( $ ) {
 		$currentline = join( '#', $rule, $comment );
 	    } else {
 		$currentline =~ s/blacklist/         /g;
-	    }	    
+	    }
 	}
-   
+
 	print $newfile "$currentline\n";
    }
-	
+
    close $newfile;

    if ( $changed ) {
@@ -384,7 +384,7 @@ sub convert_blacklist() {
    my $target      = $disposition eq 'REJECT' ? 'reject' : $disposition;
    my $orig_target = $target;
    my @rules;
-    
+
    if ( @$zones || @$zones1 ) {
 	if ( supplied $level ) {
 	    $target = 'blacklog';
@@ -396,7 +396,7 @@ sub convert_blacklist() {

 	first_entry "Converting $fn...";

-	while ( read_a_line ) {
+	while ( read_a_line( NORMAL_READ ) ) {
 	    my ( $networks, $protocol, $ports, $options ) = split_line 'blacklist file', { networks => 0, proto => 1, port => 2, options => 3 };

 	    if ( $options eq '-' ) {
@@ -411,7 +411,7 @@ sub convert_blacklist() {

 	    for ( @options ) {
 		$whitelist++ if $_ eq 'whitelist';
-		$auditone++  if $_ eq 'audit'; 
+		$auditone++  if $_ eq 'audit';
 	    }

 	    warning_message "Duplicate 'whitelist' option ignored" if $whitelist > 1;
@@ -468,7 +468,7 @@ sub convert_blacklist() {
 		open $blrules, '>',  $fn1 or fatal_error "Unable to open $fn1: $!";
 		print $blrules <<'EOF';
 #
-# Shorewall version 5 - Blacklist Rules File
+# Shorewall version 4.5 - Blacklist Rules File
 #
 # For information about entries in this file, type "man shorewall-blrules"
 #
@@ -481,7 +481,7 @@ sub convert_blacklist() {
 EOF
 	    }

-	    print( $blrules 
+	    print( $blrules
 		   "#\n" ,
 		   "# Rules generated from blacklist file $fn by Shorewall $globals{VERSION} - $date\n" ,
 		   "#\n" );
@@ -509,10 +509,10 @@ EOF
 			    $rule .= "all\t\t\t$zone\t\t\t";
 			}
 		    }
-		
+
 		    $rule .= "\t$protocols" if $protocols ne '-';
 		    $rule .= "\t$ports"     if $ports     ne '-';
-		
+
 		    print $blrules "$rule\n";
 		}
 	    }
@@ -521,19 +521,19 @@ EOF
 	} else {
 	    warning_message q(There are interfaces or zones with the 'blacklist' option but the 'blacklist' file is empty or does not exist) unless @rules;
 	}
-	
+
 	if ( -f $fn ) {
 	    rename $fn, "$fn.bak";
 	    progress_message2 "Blacklist file $fn saved in $fn.bak";
 	}
-	
+
 	for my $file ( qw(zones interfaces hosts) ) {
 	    remove_blacklist $file;
 	}

 	progress_message2 "Blacklist successfully converted";

-	return 1;	    
+	return 1;
    } else {
 	my $fn = find_file 'blacklist';
 	if ( -f $fn ) {
@@ -554,7 +554,7 @@ sub process_routestopped() {

 	first_entry "$doing $fn...";

-	while ( read_a_line ) {
+	while ( read_a_line ( NORMAL_READ ) ) {

 	    my ($interface, $hosts, $options , $proto, $ports, $sports ) =
 		split_line 'routestopped file', { interface => 0, hosts => 1, options => 2, proto => 3, dport => 4, sport => 5 };
@@ -697,7 +697,7 @@ sub add_common_rules ( $ ) {

    if ( $config{FASTACCEPT} ) {
 	add_ijump( $filter_table->{OUTPUT} , j => 'ACCEPT', state_imatch $faststate )
-    } 
+    }

    my $policy   = $config{SFILTER_DISPOSITION};
    $level       = $config{SFILTER_LOG_LEVEL};
@@ -711,11 +711,11 @@ sub add_common_rules ( $ ) {
 	$chainref = new_standard_chain 'sfilter';

 	log_rule $level , $chainref , $policy , '' if $level ne '';
-	
+
 	add_ijump( $chainref, j => 'AUDIT', targetopts => '--type ' . lc $policy ) if $audit;
-	
+
 	add_ijump $chainref, g => $policy eq 'REJECT' ? 'reject' : $policy;
-	
+
 	$target = 'sfilter';
    } else {
 	$target = $policy eq 'REJECT' ? 'reject' : $policy;
@@ -731,11 +731,11 @@ sub add_common_rules ( $ ) {

 	add_ijump ( $chainref, j => 'RETURN', policy => '--pol ipsec --dir out' );
 	log_rule $level , $chainref , $policy , '' if $level ne '';
-	
+
 	add_ijump( $chainref, j => 'AUDIT', targetopts => '--type ' . lc $policy ) if $audit;
-	
+
 	add_ijump $chainref, g => $policy eq 'REJECT' ? 'reject' : $policy;
-	
+
 	$target1 = 'sfilter1';
    } else {
 	#
@@ -752,9 +752,9 @@ sub add_common_rules ( $ ) {
 	unless ( $interfaceref->{options}{ignore} ) {

 	    my @filters = @{$interfaceref->{filter}};
-	
+
 	    $chainref = $filter_table->{forward_option_chain $interface};
-	
+
 	    if ( @filters ) {
 		add_ijump( $chainref , @ipsec ? 'j' : 'g' => $target1, imatch_source_net( $_ ), @ipsec ), $chainref->{filtered}++ for @filters;
 	    } elsif ( $interfaceref->{bridge} eq $interface ) {
@@ -765,12 +765,12 @@ sub add_common_rules ( $ ) {
 			    $interfaceref->{physical} eq '+' );
 	    }

-	
+
 	    if ( @filters ) {
 		$chainref = $filter_table->{input_option_chain $interface};
 		add_ijump( $chainref , g => $target, imatch_source_net( $_ ), @ipsec ), $chainref->{filtered}++ for @filters;
 	    }
-	
+
 	    for ( option_chains( $interface ) ) {
 		add_ijump( $filter_table->{$_}, j => $dynamicref, @state ) if $dynamicref;
 		add_ijump( $filter_table->{$_}, j => 'ACCEPT', state_imatch $faststate ) if $config{FASTACCEPT};
@@ -915,13 +915,13 @@ sub add_common_rules ( $ ) {
 			     1 ) for input_option_chain( $interface ), output_option_chain( $interface );

 	    add_ijump( $filter_table->{forward_option_chain $interface} ,
-		       j => 'ACCEPT', 
+		       j => 'ACCEPT',
 		       p =>  "udp --dport $ports" ,
 		       imatch_dest_dev( $interface ) )
 		if get_interface_option( $interface, 'bridge' );

 	    unless ( $family == F_IPV6 || get_interface_option( $interface, 'allip' ) ) {
-		add_ijump( $filter_table->{input_chain( $interface ) } , 
+		add_ijump( $filter_table->{input_chain( $interface ) } ,
 			   j => 'ACCEPT' ,
 			   p => "udp --dport $ports" ,
 			   s => NILIPv4 . '/32' );
@@ -948,7 +948,7 @@ sub add_common_rules ( $ ) {
 	    $globals{LOGPARMS} = "$globals{LOGPARMS}--log-ip-options ";

 	    log_rule $level , $logflagsref , $config{TCP_FLAGS_DISPOSITION}, '';
-	    
+
 	    $globals{LOGPARMS} = $savelogparms;

 	    if ( $audit ) {
@@ -1097,7 +1097,7 @@ sub setup_mac_lists( $ ) {

 	    first_entry "$doing $fn...";

-	    while ( read_a_line ) {
+	    while ( read_a_line( NORMAL_READ ) ) {

 		my ( $original_disposition, $interface, $mac, $addresses  ) = split_line1 'maclist file', { disposition => 0, interface => 1, mac => 2, addresses => 3 };

@@ -1128,7 +1128,7 @@ sub setup_mac_lists( $ ) {
 			    my $source = match_source_net $address;
 			    log_rule_limit $level, $chainref , mac_chain( $interface) , $disposition, '', '', 'add' , "${mac}${source}"
 				if supplied $level;
-			    
+
 			    add_ijump( $chainref , j => 'AUDIT', targetopts => '--type ' . lc $disposition ) if $audit && $disposition ne 'ACCEPT';
 			    add_jump( $chainref , $targetref->{target}, 0, "${mac}${source}" );
 			}
@@ -1348,7 +1348,7 @@ sub handle_loopback_traffic() {
 		    my $exclusion   = source_exclusion( $hostref->{exclusions}, $natref);

 		    for my $net ( @{$hostref->{hosts}} ) {
-			insert_ijump( $natout, 
+			insert_ijump( $natout,
 				      j => $exclusion,
 				      $rulenum++,
 				      imatch_source_net( $net , 0, ) );
@@ -1383,7 +1383,7 @@ sub add_interface_jumps {
 	addnatjump 'PREROUTING'  , input_chain( $interface )  , imatch_source_dev( $interface );
 	addnatjump 'POSTROUTING' , output_chain( $interface ) , imatch_dest_dev( $interface );
 	addnatjump 'POSTROUTING' , masq_chain( $interface ) , imatch_dest_dev( $interface );
-	
+
 	if ( have_capability 'RAWPOST_TABLE' ) {
 	    insert_ijump ( $rawpost_table->{POSTROUTING}, j => postrouting_chain( $interface ), 0, imatch_dest_dev( $interface) )   if $rawpost_table->{postrouting_chain $interface};
 	    insert_ijump ( $raw_table->{PREROUTING},      j => prerouting_chain( $interface ),  0, imatch_source_dev( $interface) ) if $raw_table->{prerouting_chain $interface};
@@ -1403,14 +1403,15 @@ sub add_interface_jumps {

 	if ( $interfaceref->{options}{port} ) {
 	    my $bridge = $interfaceref->{bridge};
+
 	    add_ijump ( $filter_table->{forward_chain $bridge},
 			j => 'ACCEPT',
 			imatch_source_dev( $interface, 1),
 			imatch_dest_dev( $interface, 1)
-		     ) unless $interfaceref->{nets} || ! $interfaceref->{options}{bridge};
+		     ) unless $interfaceref->{nets};

 	    add_ijump( $filter_table->{forward_chain $bridge} ,
-		       j => $forwardref , 
+		       j => $forwardref ,
 		       imatch_source_dev( $interface, 1 )
 		     ) unless $forward_jump_added{$interface} || ! use_forward_chain $interface, $forwardref;

@@ -1449,7 +1450,7 @@ sub add_interface_jumps {
 # The biggest disadvantage of the zone-policy-rule model used by Shorewall is that it doesn't scale well as the number of zones increases (Order N**2 where N = number of zones).
 # A major goal of the rewrite of the compiler in Perl was to restrict those scaling effects to this function and the rules that it generates.
 #
-# The function traverses the full "source-zone by destination-zone" matrix and generates the rules necessary to direct traffic through the right set of filter-table and 
+# The function traverses the full "source-zone by destination-zone" matrix and generates the rules necessary to direct traffic through the right set of filter-table and
 # nat-table rules.
 #
 sub generate_matrix() {
@@ -1462,7 +1463,7 @@ sub generate_matrix() {
    my $fw       = firewall_zone;
    my @zones    = off_firewall_zones;
    my @vservers = vserver_zones;
-    
+
    my $notrackref = $raw_table->{notrack_chain $fw};
    my @state = $config{BLACKLISTNEWONLY} ? $globals{UNTRACKED} ? state_imatch 'NEW,INVALID,UNTRACKED' : state_imatch 'NEW,INVALID' : ();
    my $interface_jumps_added = 0;
@@ -1476,22 +1477,26 @@ sub generate_matrix() {
    progress_message  '  Handling complex zones...';

    #
-    # Special processing for complex configurations
+    # Special processing for configurations with more than 2 off-firewall zones or with other special considerations like IPSEC.
    #
    for my $zone ( @zones ) {
 	my $zoneref = find_zone( $zone );
-	
+
 	next if  @zones <= 2 && ! $zoneref->{complex};
 	#
-	# Complex zone or we have more than one non-firewall zone -- process_rules created a zone forwarding chain
+	# Complex zone or we have more than two off-firewall zones -- Shorewall::Rules::classic_blacklist created a zone forwarding chain
 	#
 	my $frwd_ref = $filter_table->{zone_forward_chain( $zone )};

+	assert( $frwd_ref, $zone );
+	#
+	# Add Zone mark if any
+	#
 	add_ijump( $frwd_ref , j => 'MARK --set-mark ' . in_hex( $zoneref->{mark} ) . '/' . in_hex( $globals{ZONE_MASK} ) ) if $zoneref->{mark};

 	if ( have_ipsec ) {
 	    #
-	    # Because policy match only matches an 'in' or an 'out' policy (but not both), we have to place the
+	    # Prior to KLUDGEFREE, policy match could only match an 'in' or an 'out' policy (but not both), so we place the
 	    # '--pol ipsec --dir in' rules at the front of the (interface) forwarding chains. Otherwise, decrypted packets
 	    # can match '--pol none --dir out' rules and send the packets down the wrong rules chain.
 	    #
@@ -1509,6 +1514,9 @@ sub generate_matrix() {
 			copy_rules( $sourcechainref, $frwd_ref, 1 ) unless $ipsec_jump_added{$zone}++;
 			$sourcechainref = $filter_table->{FORWARD};
 		    } elsif ( $interfaceref->{options}{port} ) {
+			#
+			# The forwarding chain for a bridge with ports is always used
+			#
 			add_ijump( $filter_table->{ forward_chain $interfaceref->{bridge} } ,
 				   j => $sourcechainref ,
 				   imatch_source_dev( $interface , 1 ) )
@@ -1518,6 +1526,9 @@ sub generate_matrix() {
 		    }
 		} else {
 		    if ( $interfaceref->{options}{port} ) {
+			#
+			# The forwarding chain for a bridge with ports is always used
+			#
 			$sourcechainref = $filter_table->{ forward_chain $interfaceref->{bridge} };
 			@interfacematch = imatch_source_dev $interface, 1;
 		    } else {
@@ -1689,14 +1700,14 @@ sub generate_matrix() {
 				       imatch_source_dev( $interface),
 				       @source,
 				       @ipsec_in_match );
-				      
+
 			    if ( get_physical( $interface ) eq '+' ) {
 				#
 				# The jump from the PREROUTING chain to dnat may not have been added above
-				# 
+				#
 				addnatjump 'PREROUTING', 'dnat' unless $preroutingref->{references}{PREROUTING};
 			    }
-				
+
 			    check_optimization( $dnatref ) if @source;
 			}

@@ -1725,7 +1736,7 @@ sub generate_matrix() {

 			if ( @vservers || use_input_chain( $interface, $interfacechainref ) || ! $chain2 || ( @{$interfacechainref->{rules}} && ! $chain2ref ) ) {
 			    $inputchainref = $interfacechainref;
-			    
+
 			    if ( $isport ) {
 				add_ijump( $filter_table->{ input_chain $bridge },
 					   j => $inputchainref ,
@@ -1762,7 +1773,7 @@ sub generate_matrix() {

 			    if ( use_forward_chain $interface, $forwardref ) {
 				add_ijump $forwardref , j => $ref, @source, @ipsec_in_match;
-				
+
 				if ( $isport ) {
 				    add_ijump( $filter_table->{ forward_chain $bridge } ,
 					       j => $forwardref ,
@@ -1903,7 +1914,7 @@ sub generate_matrix() {
 			    # Either we must use the interface's forwarding chain or that chain has rules and we have nowhere to move them
 			    #
 			    $chain3ref = $forwardchainref;
-			    
+
 			    if ( $interfaceref->{options}{port} ) {
 				add_ijump( $filter_table->{ forward_chain $interfaceref->{bridge} } ,
 					   j => $chain3ref,
--- a/Shorewall/Perl/Shorewall/Nat.pm
+++ b/Shorewall/Perl/Shorewall/Nat.pm
@@ -54,7 +54,7 @@ sub initialize() {
 #
 sub process_one_masq( )
 {
-    my ($interfacelist, $networks, $addresses, $proto, $ports, $ipsec, $mark, $user, $condition ) = 
+    my ($interfacelist, $networks, $addresses, $proto, $ports, $ipsec, $mark, $user, $condition ) =
 	split_line1 'masq file', { interface => 0, source => 1, address => 2, proto => 3, port => 4, ipsec => 5, mark => 6, user => 7, switch => 8 };

    if ( $interfacelist eq 'COMMENT' ) {
@@ -208,7 +208,7 @@ sub process_one_masq( )
 			    $addrlist .= "--to-source $addr ";
 			    $exceptionrule = do_proto( $proto, '', '' ) if $addr =~ /:/;
 			} else {
-			    my $ports = $addr; 
+			    my $ports = $addr;
 			    $ports =~ s/^://;
 			    validate_portpair1( $proto, $ports );
 			    $addrlist .= "--to-ports $ports ";
@@ -276,7 +276,7 @@ sub setup_masq()

 	first_entry( sub { progress_message2 "$doing $fn..."; require_capability 'NAT_ENABLED' , 'a non-empty masq file' , 's'; } );

-	process_one_masq while read_a_line;
+	process_one_masq while read_a_line( NORMAL_READ );

 	clear_comment;
    }
@@ -373,7 +373,7 @@ sub setup_nat() {

 	first_entry( sub { progress_message2 "$doing $fn..."; require_capability 'NAT_ENABLED' , 'a non-empty nat file' , 's'; } );

-	while ( read_a_line ) {
+	while ( read_a_line( NORMAL_READ ) ) {

 	    my ( $external, $interfacelist, $internal, $allints, $localnat ) = split_line1 'nat file', { external => 0, interface => 1, internal => 2, allints => 3, local => 4 };

@@ -409,7 +409,7 @@ sub setup_netmap() {

 	first_entry "$doing $fn...";

-	while ( read_a_line ) {
+	while ( read_a_line( NORMAL_READ ) ) {

 	    my ( $type, $net1, $interfacelist, $net2, $net3, $proto, $dport, $sport ) = split_line 'netmap file', { type => 0, net1 => 1, interface => 2, net2 => 3, net3 => 4, proto => 5, dport => 6, sport => 7 };

@@ -426,7 +426,7 @@ sub setup_netmap() {
 		unless ( $type =~ /:/ ) {
 		    my @rulein;
 		    my @ruleout;
-		    
+
 		    validate_net $net1, 0;
 		    validate_net $net2, 0;

@@ -439,7 +439,7 @@ sub setup_netmap() {
 		    require_capability 'NAT_ENABLED', 'Stateful NAT Entries', '';

 		    if ( $type eq 'DNAT' ) {
-			dest_iexclusion(  ensure_chain( 'nat' , input_chain $interface ) , 
+			dest_iexclusion(  ensure_chain( 'nat' , input_chain $interface ) ,
 					  j => 'NETMAP' ,
 					  "--to $net2",
 					  $net1 ,
@@ -465,10 +465,10 @@ sub setup_netmap() {
 		    validate_net $net2, 0;

 		    unless ( $interfaceref->{root} ) {
-			@match = imatch_dest_dev(  $interface ); 
+			@match = imatch_dest_dev(  $interface );
 			$interface = $interfaceref->{name};
 		    }
-			
+
 		    if ( $chain eq 'P' ) {
 			$chain = prerouting_chain $interface;
 			@match = imatch_source_dev( $iface ) unless $iface eq $interface;
@@ -481,7 +481,7 @@ sub setup_netmap() {

 		    my $chainref = ensure_chain( $table, $chain );

-		    
+
 		    if ( $target eq 'DNAT' ) {
 			dest_iexclusion( $chainref ,
 					 j => 'RAWDNAT' ,
@@ -504,7 +504,7 @@ sub setup_netmap() {
 		    fatal_error 'TYPE must be specified' if $type eq '-';
 		    fatal_error "Invalid TYPE ($type)";
 		}
-		
+
 		progress_message "   Network $net1 on $iface mapped to $net2 ($type)";
 	    }
 	}
--- a/Shorewall/Perl/Shorewall/Proc.pm
+++ b/Shorewall/Perl/Shorewall/Proc.pm
@@ -286,7 +286,7 @@ sub setup_interface_proc( $ ) {
    if ( interface_has_option( $interface, 'arp_filter' , $value ) ) {
 	push @emitted, "echo $value > /proc/sys/net/ipv4/conf/$physical/arp_filter";
    }
-	 
+
    if ( interface_has_option( $interface, 'arp_ignore' , $value ) ) {
 	push @emitted, "echo $value > /proc/sys/net/ipv4/conf/$physical/arp_ignore";
    }
@@ -315,6 +315,6 @@ sub setup_interface_proc( $ ) {
 	emit "fi\n";
    }
 }
-	 
+

 1;
--- a/Shorewall/Perl/Shorewall/Providers.pm
+++ b/Shorewall/Perl/Shorewall/Providers.pm
@@ -161,7 +161,7 @@ sub setup_route_marking() {
 	    my $chainref2 = new_chain( 'mangle', load_chain( $physical ) );

 	    set_optflags( $chainref2, DONT_OPTIMIZE | DONT_MOVE | DONT_DELETE );
-	
+
  	    add_ijump ( $chainref1,
 			j => $chainref2 ,
 		        mark => "--mark 0/$mask" );
@@ -171,7 +171,7 @@ sub setup_route_marking() {

 sub copy_table( $$$ ) {
    my ( $duplicate, $number, $realm ) = @_;
-    
+
    my $filter = $family == F_IPV6 ? q(fgrep -v ' cache ' | sed 's/ via :: / /' | ) : '';

    emit '';
@@ -186,7 +186,7 @@ sub copy_table( $$$ ) {
 	   '        default)',
 	   '            ;;',
 	   '        *)' );
-	   
+
    if ( $family == F_IPV4 ) {
 	emit ( '            case $net in',
 	       '                255.255.255.255*)',
@@ -218,7 +218,7 @@ sub copy_and_edit_table( $$$$ ) {
    # Shell and iptables use a different wildcard character
    #
    $copy =~ s/\+/*/g;
-    
+
    emit '';

    if ( $realm ) {
@@ -244,7 +244,7 @@ sub copy_and_edit_table( $$$$ ) {
 	     );
    } else {
 	emit (  "                    run_ip route add table $number \$net \$route $realm" );
-    } 
+    }

    emit (  '                    ;;',
 	    '            esac',
@@ -557,9 +557,9 @@ sub process_a_provider() {
 # Generate the start_provider_...() function for the passed provider
 #
 sub add_a_provider( $$ ) {
-  
+
    my ( $providerref, $tcdevices ) = @_;
-    
+
    my $table       = $providerref->{provider};
    my $number      = $providerref->{number};
    my $mark        = $providerref->{rawmark};
@@ -608,16 +608,18 @@ sub add_a_provider( $$ ) {
 	}
    }

-    emit( qq(echo $load > \${VARDIR}/${physical}_load) ) if $load;
+    emit( "echo $load > \${VARDIR}/${physical}_load",
+	  'echo ' . in_hex( $mark ) . '/' . in_hex( $globals{PROVIDER_MASK} ) . " > \${VARDIR}/${physical}_mark" ) if $load;

-    emit( '', 
+    emit( '',
 	  "cat <<EOF >> \${VARDIR}/undo_${table}_routing" );
-    
+
    emit_unindented 'case \$COMMAND in';
    emit_unindented '    enable|disable)';
    emit_unindented '        ;;';
    emit_unindented '    *)';
    emit_unindented "        rm -f \${VARDIR}/${physical}_load" if $load;
+    emit_unindented "        rm -f \${VARDIR}/${physical}_mark" if $load;
    emit_unindented <<"CEOF", 1;
        rm -f \${VARDIR}/${physical}.status
        ;;
@@ -630,12 +632,13 @@ CEOF
    setup_interface_proc( $interface );

    if ( $mark ne '-' ) {
+	my $hexmark = in_hex( $mark );
 	my $mask = have_capability 'FWMARK_RT_MASK' ? '/' . in_hex $globals{PROVIDER_MASK} : '';

-	emit ( "qt \$IP -$family rule del fwmark ${mark}${mask}" ) if $config{DELETE_THEN_ADD};
+	emit ( "qt \$IP -$family rule del fwmark ${hexmark}${mask}" ) if $config{DELETE_THEN_ADD};

-	emit ( "run_ip rule add fwmark ${mark}${mask} pref $pref table $number",
-	       "echo \"qt \$IP -$family rule del fwmark ${mark}${mask}\" >> \${VARDIR}/undo_${table}_routing"
+	emit ( "run_ip rule add fwmark ${hexmark}${mask} pref $pref table $number",
+	       "echo \"qt \$IP -$family rule del fwmark ${hexmark}${mask}\" >> \${VARDIR}/undo_${table}_routing"
 	     );
    }

@@ -686,7 +689,7 @@ CEOF
 	    emit qq(run_ip route add default table ) . DEFAULT_TABLE . qq( dev $physical metric $number);
 	    emit qq(echo "qt \$IP -$family route del default dev $physical table ) . DEFAULT_TABLE . qq(" >> \${VARDIR}/undo_${table}_routing);
 	}
-	
+
 	$fallback = 1;
    }

@@ -724,19 +727,19 @@ CEOF
 	emit '';
 	emit $_ for @{$providers{$table}->{rules}};
    }
-    
+
    if ( @{$providerref->{routes}} ) {
 	emit '';
 	emit $_ for @{$providers{$table}->{routes}};
    }

    emit( '' );
-    
+
    my ( $tbl, $weight );

    emit( qq(echo 0 > \${VARDIR}/${physical}.status) );

-    if ( $optional ) {	
+    if ( $optional ) {
 	emit( '',
 	      'if [ $COMMAND = enable ]; then' );

@@ -759,7 +762,7 @@ CEOF
 		if ( $gateway ) {
 		    emit qq(add_gateway "via $gateway dev $physical $realm" ) . $tbl;
 		} else {
-		    emit qq(add_gateway "nexthop dev $physical $realm" ) . $tbl;
+		    emit qq(add_gateway "dev $physical $realm" ) . $tbl;
 		}
 	    }
 	    	} else {
@@ -775,7 +778,7 @@ CEOF
 	emit ( qq(progress_message2 "   Provider $table ($number) Started") );

 	pop_indent;
- 
+
 	emit( 'else' );
 	emit( qq(    echo $weight > \${VARDIR}/${physical}_weight) ,
 	      qq(    progress_message "   Provider $table ($number) Started"),
@@ -785,18 +788,18 @@ CEOF
 	emit( qq(echo 0 > \${VARDIR}/${physical}.status) );
 	emit( qq(progress_message "Provider $table ($number) Started") );
    }
-    
+
    pop_indent;

    emit 'else';

    push_indent;
-    
+
    emit( qq(echo 1 > \${VARDIR}/${physical}.status) );

    if ( $optional ) {
 	if ( $shared ) {
-	    emit ( "error_message \"WARNING: Gateway $gateway is not reachable -- Provider $table ($number) not Started\"" );	    
+	    emit ( "error_message \"WARNING: Gateway $gateway is not reachable -- Provider $table ($number) not Started\"" );
 	} else {
 	    emit ( "error_message \"WARNING: Interface $physical is not usable -- Provider $table ($number) not Started\"" );
 	}
@@ -839,7 +842,7 @@ CEOF

 	    if ( $gateway ) {
 		$via = "via $gateway dev $physical";
-	    } else {    
+	    } else {
 		$via = "dev $physical";
 	    }

@@ -856,12 +859,13 @@ CEOF
 	       "distribute_load $maxload @load_interfaces" ) if $load;

 	unless ( $shared ) {
-	    emit( '', 
+	    emit( '',
 		  "qt \$TC qdisc del dev $physical root",
 		  "qt \$TC qdisc del dev $physical ingress\n" ) if $tcdevices->{$interface};
 	}

-	emit( "progress_message2 \"   Provider $table ($number) stopped\"" );
+	emit( "echo 1 > \${VARDIR}/${physical}.status",
+	      "progress_message2 \"   Provider $table ($number) stopped\"" );

 	pop_indent;

@@ -928,7 +932,7 @@ sub add_an_rtrule( ) {
 	    validate_net ( $source, 0 );
 	    $source = "from $source";
 	} else {
-	    $source = "iif $source";
+	    $source = 'iif ' . physical_name $source;
 	}
    } elsif ( $source =~  /^(.+?):<(.+)>\s*$/ ||  $source =~  /^(.+?):\[(.+)\]\s*$/ ) {
 	my ($interface, $source ) = ($1, $2);
@@ -939,7 +943,7 @@ sub add_an_rtrule( ) {
 	validate_net ( $source, 0 );
 	$source = "from $source";
    } else {
-	$source = "iif $source";
+	$source = 'iif ' . physical_name $source;
    }

    my $mark = '';
@@ -1001,14 +1005,14 @@ sub add_a_route( ) {
    my $routes = $providerref->{routes};

    fatal_error "You may not add routes to the $provider table" if $number == LOCAL_TABLE || $number == UNSPEC_TABLE;
-    
+
    if ( $gateway ne '-' ) {
 	if ( $device ne '-' ) {
 	    push @$routes, qq(run_ip route add $dest via $gateway dev $physical table $number);
 	    emit qq(echo "qt \$IP -$family route del $dest via $gateway dev $physical table $number" >> \${VARDIR}/undo_${provider}_routing) if $number >= DEFAULT_TABLE;
 	} else {
 	    push @$routes, qq(run_ip route add $dest via $gateway table $number);
-	    emit qq(echo "\$IP -$family route del $dest via $gateway table $number" >> \${VARDIR}/undo_${provider}_routing) if $number >= DEFAULT_TABLE; 
+	    emit qq(echo "\$IP -$family route del $dest via $gateway table $number" >> \${VARDIR}/undo_${provider}_routing) if $number >= DEFAULT_TABLE;
 	}
    } else {
 	fatal_error "You must specify a device for this route" unless $physical;
@@ -1055,7 +1059,7 @@ sub start_providers() {
    emit 'DEFAULT_ROUTE=';
    emit 'FALLBACK_ROUTE=';
    emit '';
-    
+
    for my $provider ( qw/main default/ ) {
 	emit '';
 	emit qq(> \${VARDIR}/undo_${provider}_routing );
@@ -1068,7 +1072,7 @@ sub start_providers() {

 sub finish_providers() {
    my $table = MAIN_TABLE;
-    
+
    if ( $config{USE_DEFAULT_RT} ) {
 	emit ( 'run_ip rule add from ' . ALLIP . ' table ' . MAIN_TABLE .    ' pref 999',
 	       'run_ip rule add from ' . ALLIP . ' table ' . BALANCE_TABLE . ' pref 32765',
@@ -1096,7 +1100,7 @@ sub finish_providers() {
 		    ''
 		  );
 	}
- 
+
 	emit  ( "    progress_message \"Default route '\$(echo \$DEFAULT_ROUTE | sed 's/\$\\s*//')' Added\"",
 		'else',
 		'    error_message "WARNING: No Default route added (all \'balance\' providers are down)"' );
@@ -1114,6 +1118,10 @@ sub finish_providers() {
 	       '# We don\'t have any \'balance\' providers so we restore any default route that we\'ve saved',
 	       '#',
 	       "restore_default_route $config{USE_DEFAULT_RT}" ,
+	       '#',
+	       '# And delete any routes in the \'balance\' table',
+	       '#',
+	       "qt \$IP -$family route del default table " . BALANCE_TABLE,
 	       '' );
    }

@@ -1163,8 +1171,8 @@ sub process_providers( $ ) {
    $lastmark = 0;

    if ( my $fn = open_file 'providers' ) {
-	first_entry "$doing $fn..."; 
-	process_a_provider, $providers++ while read_a_line;
+	first_entry "$doing $fn...";
+	process_a_provider, $providers++ while read_a_line( NORMAL_READ );
    }

    if ( $providers ) {
@@ -1180,10 +1188,10 @@ sub process_providers( $ ) {

 	if ( $fn ) {
 	    first_entry "$doing $fn...";
-	    
+
 	    emit '';

-	    add_an_rtrule while read_a_line;
+	    add_an_rtrule while read_a_line( NORMAL_READ );
 	}

 	$fn = open_file 'routes';
@@ -1191,12 +1199,12 @@ sub process_providers( $ ) {
 	if ( $fn ) {
 	    first_entry "$doing $fn...";
 	    emit '';
-	    add_a_route while read_a_line;
+	    add_a_route while read_a_line( NORMAL_READ );
 	}
    }

    add_a_provider( $providers{$_}, $tcdevices ) for @providers;
-    
+
    emit << 'EOF';;

 #
@@ -1221,7 +1229,7 @@ EOF
 		emit( "$providerref->{physical}|$provider)" );
 	    }

-	    emit ( "    if [ -z \"`\$IP -$family route ls table $providerref->{number}`\" ]; then", 
+	    emit ( "    if [ -z \"`\$IP -$family route ls table $providerref->{number}`\" ]; then",
 		   "        start_provider_$provider",
 		   '    else',
 		   "        startup_error \"Interface $providerref->{physical} is already enabled\"",
@@ -1257,7 +1265,7 @@ EOF
 	my $providerref = $providers{$provider};

 	emit( "$providerref->{physical}|$provider)",
-	      "    if [ -n \"`\$IP -$family route ls table $providerref->{number}`\" ]; then", 
+	      "    if [ -n \"`\$IP -$family route ls table $providerref->{number}`\" ]; then",
 	      "        stop_provider_$provider",
 	      '    else',
 	      "        startup_error \"Interface $providerref->{physical} is already disabled\"",
@@ -1284,11 +1292,11 @@ sub setup_providers() {

    if ( $providers ) {
 	emit "\nif [ -z \"\$g_noroutes\" ]; then";
-	
+
 	push_indent;

 	start_providers;
-	
+
 	emit '';

 	emit "start_provider_$_" for @providers;
@@ -1515,7 +1523,7 @@ sub handle_stickiness( $ ) {
 			$rule1 = clone_rule( $_ );

 			clear_rule_target( $rule1 );
-			set_rule_option( $rule1, 'mark', "--mark $mark\/$mask -m recent --name $list --set" ); 
+			set_rule_option( $rule1, 'mark', "--mark $mark\/$mask -m recent --name $list --set" );

 			$rule2 = '';
 		    }
@@ -1549,7 +1557,7 @@ sub handle_stickiness( $ ) {
 			while ( my ( $key, $value ) = each %$_ ) {
 			    $rule2->{$key} = $value;
 			}
-			
+
 			clear_rule_target( $rule2 );
 			set_rule_option  ( $rule2, 'mark', "--mark 0\/$mask -m recent --name $list --rdest --remove" );
 		    } else {
@@ -1584,7 +1592,7 @@ sub handle_stickiness( $ ) {
 sub setup_load_distribution() {
    emit ( '',
 	   "        distribute_load $maxload @load_interfaces" ,
-	   '' 
+	   ''
 	 ) if @load_interfaces;
 }

--- a/Shorewall/Perl/Shorewall/Proxyarp.pm
+++ b/Shorewall/Perl/Shorewall/Proxyarp.pm
@@ -120,7 +120,7 @@ sub setup_proxy_arp() {

 	my ( %set, %reset );

-	while ( read_a_line ) {
+	while ( read_a_line( NORMAL_READ ) ) {

 	    my ( $address, $interface, $external, $haveroute, $persistent ) =
 		split_line $file_opt . 'file ', { address => 0, interface => 1, external => 2, haveroute => 3, persistent => 4 };
--- a/Shorewall/Perl/Shorewall/Raw.pm
+++ b/Shorewall/Perl/Shorewall/Raw.pm
@@ -105,7 +105,7 @@ sub process_notrack_rule( $$$$$$$ ) {
 		 '' ,
 		 $target ,
 		 $exception_rule );
-    
+
    progress_message "  Notrack rule \"$currentline\" $done";

    $globals{UNTRACKED} = 1;
@@ -130,36 +130,36 @@ sub setup_notrack() {

 	my $nonEmpty = 0;

-	while ( read_a_line ) {	    
+	while ( read_a_line( NORMAL_READ ) ) {
 	    my ( $source, $dest, $proto, $ports, $sports, $user );

 	    if ( $format == 1 ) {
 		( $source, $dest, $proto, $ports, $sports, $user ) = split_line1 'Notrack File', { source => 0, dest => 1, proto => 2, dport => 3, sport => 4, user => 5 };
-		
+
 		if ( $source eq 'FORMAT' ) {
 		    $format = process_format( $dest );
 		    next;
 		}
-		
+
 		if ( $source eq 'COMMENT' ) {
 		    process_comment;
 		    next;
-		}	    
+		}
 	    } else {
 		( $action, $source, $dest, $proto, $ports, $sports, $user ) = split_line1 'Notrack File', { action => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5, user => 6 }, { COMMENT => 0, FORMAT => 2 };
-		
+
 		if ( $action eq 'FORMAT' ) {
 		    $format = process_format( $source );
 		    $action = 'NOTRACK';
 		    next;
 		}
-		
+
 		if ( $action eq 'COMMENT' ) {
 		    process_comment;
 		    next;
-		}	    
+		}
 	    }
-	    
+
 	    process_notrack_rule $action, $source, $dest, $proto, $ports, $sports, $user;
 	}

--- a/Shorewall/Perl/Shorewall/Rules.pm
+++ b/Shorewall/Perl/Shorewall/Rules.pm
@@ -341,7 +341,7 @@ sub process_a_policy() {
    fatal_error "Invalid default action ($default:$remainder)" if defined $remainder;

    ( $policy , my $queue ) = get_target_param $policy;
-    
+
    fatal_error "Invalid policy ($policy)" unless exists $validpolicies{$policy};

    if ( $audit ) {
@@ -492,7 +492,7 @@ sub process_policies()

    for my $option ( qw( DROP_DEFAULT REJECT_DEFAULT ACCEPT_DEFAULT QUEUE_DEFAULT NFQUEUE_DEFAULT) ) {
 	my $action = $config{$option};
-	
+
 	unless ( $action eq 'none' ) {
 	    my ( $act, $param ) = get_target_param( $action );

@@ -529,7 +529,7 @@ sub process_policies()

    if ( my $fn = open_file 'policy' ) {
 	first_entry "$doing $fn...";
-	process_a_policy while read_a_line;
+	process_a_policy while read_a_line( NORMAL_READ );
    } else {
 	fatal_error q(The 'policy' file does not exist or has zero size);
    }
@@ -552,7 +552,7 @@ sub policy_rules( $$$$$ ) {
 	add_ijump $chainref, j => $default if $default && $default ne 'none';
 	log_rule $loglevel , $chainref , $target , '' if $loglevel ne '';
 	fatal_error "Null target in policy_rules()" unless $target;
-	
+
 	add_ijump( $chainref , j => 'AUDIT', targetopts => '--type ' . lc $target ) if $chainref->{audit};
 	add_ijump( $chainref , g => $target eq 'REJECT' ? 'reject' : $target ) unless $target eq 'CONTINUE';
    }
@@ -685,7 +685,7 @@ sub setup_syn_flood_chains() {
 	my $limit = $chainref->{synparams};
 	if ( $limit && ! $filter_table->{syn_flood_chain $chainref} ) {
 	    my $level = $chainref->{loglevel};
-	    my $synchainref = @zones > 1 ? 
+	    my $synchainref = @zones > 1 ?
 		    new_chain 'filter' , syn_flood_chain $chainref :
 		    new_chain( 'filter' , '@' . $chainref->{name} );
 	    add_rule $synchainref , "${limit}-j RETURN";
@@ -763,7 +763,7 @@ sub finish_chain_section ($$) {
    my $chain               = $chainref->{name};
    my $related_level       = $config{RELATED_LOG_LEVEL};
    my $related_target      = $globals{RELATED_TARGET};
-    
+
    push_comment(''); #These rules should not have comments

    if ( $state =~ /RELATED/ && ( $related_level || $related_target ne 'ACCEPT' ) ) {
@@ -775,7 +775,7 @@ sub finish_chain_section ($$) {
 		      $config{RELATED_DISPOSITION},
 		      '' );
 	    add_ijump( $relatedref, g => $related_target );
-		    
+
 	    $related_target = $relatedref->{name};
 	}

@@ -863,9 +863,9 @@ sub split_action ( $ ) {
 #
 # Create a normalized action name from the passed pieces.
 #
-# Internally, action invocations are uniquely identified by a 4-tuple that 
+# Internally, action invocations are uniquely identified by a 4-tuple that
 # includes the action name, log level, log tag and params. The pieces of the tuple
-# are separated by ":". 
+# are separated by ":".
 #
 sub normalize_action( $$$ ) {
    my $action = shift;
@@ -904,7 +904,7 @@ sub externalize( $ ) {
    $target .= ":$tag"   if $tag;
    $target;
 }
-    
+
 #
 # Define an Action
 #
@@ -988,7 +988,7 @@ sub createsimpleactionchain( $ ) {
    my $normalized = normalize_action_name( $action );

    return createlogactionchain( $normalized, $action, 'none', '', '' ) if $filter_table->{$action} || $nat_table->{$action};
-	
+
    my $chainref = new_standard_chain $action;

    $usedactions{$normalized} = $chainref;
@@ -1205,7 +1205,7 @@ sub dropBcast( $$$$ ) {
 		log_rule_limit $level, $chainref, 'dropBcast' , 'DROP', '', $tag, 'add', join( ' ', ' -d' , IPv6_MULTICAST , '-j DROP ' );
 	    }
 	}
-	
+
 	add_ijump $chainref, j => $target, addrtype => '--dst-type BROADCAST';
    } else {
 	if ( $family == F_IPV4 ) {
@@ -1394,7 +1394,7 @@ sub process_actions() {
    for my $file ( qw/actions.std actions/ ) {
 	open_file $file;

-	while ( read_a_line ) {
+	while ( read_a_line( NORMAL_READ ) ) {
 	    my ( $action ) = split_line 'action file' , { action => 0 };

 	    if ( $action =~ /:/ ) {
@@ -1454,7 +1454,7 @@ sub process_action( $) {

 	push_comment( '' );

-	while ( read_a_line ) {
+	while ( read_a_line( NORMAL_READ ) ) {

 	    my ($target, $source, $dest, $proto, $ports, $sports, $origdest, $rate, $user, $mark, $connlimit, $time, $headers, $condition );

@@ -1482,8 +1482,8 @@ sub process_action( $) {

 	    if ( $target eq 'DEFAULTS' ) {
 		default_action_params( $action, split_list $source, 'defaults' ), next if $format == 2;
-		fatal_error 'DEFAULTS only allowed in FORMAT-2 actions'; 
-	    }	      
+		fatal_error 'DEFAULTS only allowed in FORMAT-2 actions';
+	    }

 	    process_rule1( $chainref,
 			   merge_levels( "$action:$level:$tag", $target ),
@@ -1520,7 +1520,7 @@ sub process_action( $) {
 #
 sub use_policy_action( $ ) {
    my $ref = use_action( $_[0] );
-    
+
    process_action( $ref ) if $ref;
 }

@@ -1547,7 +1547,7 @@ sub process_macro ( $$$$$$$$$$$$$$$$$$ ) {

    push_open $macrofile;

-    while ( read_a_line ) {
+    while ( read_a_line( NORMAL_READ ) ) {

 	my ( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $morigdest, $mrate, $muser, $mmark, $mconnlimit, $mtime, $mheaders, $mcondition );

@@ -1559,7 +1559,7 @@ sub process_macro ( $$$$$$$$$$$$$$$$$$ ) {
 	}

 	fatal_error 'TARGET must be specified' if $mtarget eq '-';
-	
+
 	if ( $mtarget eq 'COMMENT' ) {
 	    process_comment unless $nocomment;
 	    next;
@@ -1589,7 +1589,7 @@ sub process_macro ( $$$$$$$$$$$$$$$$$$ ) {

 	my $actiontype = $targets{$action} || find_macro( $action );

-	fatal_error "Invalid Action ($mtarget) in macro" unless $actiontype & ( ACTION +  STANDARD + NATRULE +  MACRO );
+	fatal_error "Invalid Action ($mtarget) in macro" unless $actiontype & ( ACTION +  STANDARD + NATRULE + MACRO + CHAIN );

 	if ( $msource ) {
 	    if ( $msource eq '-' ) {
@@ -1663,12 +1663,12 @@ sub verify_audit($;$$) {
 #
 # Once a rule has been expanded via wildcards (source and/or dest zone eq 'all'), it is processed by this function. If
 # the target is a macro, the macro is expanded and this function is called recursively for each rule in the expansion.
-# Similarly, if a new action tuple is encountered, this function is called recursively for each rule in the action 
+# Similarly, if a new action tuple is encountered, this function is called recursively for each rule in the action
 # body. In this latter case, a reference to the tuple's chain is passed in the first ($chainref) argument.
 #
 sub process_rule1 ( $$$$$$$$$$$$$$$$ $) {
    my ( $chainref,   #reference to Action Chain if we are being called from process_action(); undef otherwise
-	 $target, 
+	 $target,
 	 $current_param,
 	 $source,
 	 $dest,
@@ -1693,7 +1693,7 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$ $) {
    my $normalized_target;
    my $normalized_action;
    my $blacklist = ( $section eq 'BLACKLIST' );
- 
+
    ( $inaction, undef, undef, undef ) = split /:/, $normalized_action = $chainref->{action}, 4 if defined $chainref;

    $param = '' unless defined $param;
@@ -1822,8 +1822,8 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$ $) {

 			  CONTINUE => sub { $action = 'RETURN'; } ,

-			  WHITELIST => sub { 
-			      fatal_error "'WHITELIST' may only be used in the blrules file" unless $blacklist; 
+			  WHITELIST => sub {
+			      fatal_error "'WHITELIST' may only be used in the blrules file" unless $blacklist;
 			      $action = 'RETURN';
 			  } ,

@@ -1838,7 +1838,7 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$ $) {
 	    $function->();
 	} elsif ( $actiontype & SET ) {
 	    my %xlate = ( ADD => 'add-set' , DEL => 'del-set' );
-	    
+
 	    my ( $setname, $flags, $rest ) = split ':', $param, 3;
 	    fatal_error "Invalid ADD/DEL parameter ($param)" if $rest;
 	    fatal_error "Expected ipset name ($setname)" unless $setname =~ s/^\+// && $setname =~ /^[a-zA-Z]\w*$/;
@@ -1864,7 +1864,7 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$ $) {
 	    $sourcezone = $source;
 	    $source = ALLIP;
 	}
-   
+
 	if ( $dest =~ /^(.*?):(.*)/ ) {
 	    fatal_error "Missing DEST Qualifier ($dest)" if $2 eq '';
 	    $destzone = $1;
@@ -1927,7 +1927,7 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$ $) {
        # We are generating rules in an action chain -- the chain name is the name of that action chain
        #
 	$chain = $chainref->{name};
-    } else { 
+    } else {
 	unless ( $actiontype & NATONLY ) {
 	    #
 	    # Check for illegal bridge port rule
@@ -1971,7 +1971,7 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$ $) {
 	    if ( $blacklist ) {
 		my $blacklistchain = blacklist_chain( ${sourcezone}, ${destzone} );
 		my $blacklistref = $filter_table->{$blacklistchain};
-		
+
 		unless ( $blacklistref  ) {
 		    my @state;
 		    $blacklistref = new_chain 'filter', $blacklistchain;
@@ -1979,7 +1979,7 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$ $) {
 		    @state = state_imatch( 'NEW,INVALID' ) if $config{BLACKLISTNEWONLY};
 		    add_ijump( $chainref, j => $blacklistref, @state );
 		}
-		    
+
 		$chain = $blacklistchain;
 		$chainref = $blacklistref;
 	    }
@@ -2017,7 +2017,7 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$ $) {

    unless ( $section eq 'NEW' || $inaction ) {
 	if ( $config{FASTACCEPT} ) {
-	    fatal_error "Entries in the $section SECTION of the rules file not permitted with FASTACCEPT=Yes" unless 
+	    fatal_error "Entries in the $section SECTION of the rules file not permitted with FASTACCEPT=Yes" unless
 		$section eq 'BLACKLIST' ||
 		( $section eq 'RELATED' && ( $config{RELATED_DISPOSITION} ne 'ACCEPT' || $config{RELATED_LOG_LEVEL} ) )
 	}
@@ -2407,7 +2407,7 @@ sub process_rule ( ) {
 	progress_message "Rule \"$currentline\" ignored.";
 	return 1;
    }
-    
+
    my $intrazone = 0;
    my $wild      = 0;
    my $thisline  = $currentline; #We must save $currentline because it is overwritten by macro expansion
@@ -2473,11 +2473,11 @@ sub classic_blacklist() {
    my @vservers = vserver_zones;
    my @state = $config{BLACKLISTNEWONLY} ? $globals{UNTRACKED} ? state_imatch 'NEW,INVALID,UNTRACKED' : state_imatch 'NEW,INVALID' : ();
    my $result;
-    
+
    for my $zone ( @zones ) {
 	my $zoneref = find_zone( $zone );
 	my $simple  =  @zones <= 2 && ! $zoneref->{complex};
-	
+
 	if ( $zoneref->{options}{in}{blacklist} ) {
 	    my $blackref = $filter_table->{blacklst};
 	    add_ijump ensure_rules_chain( rules_chain( $zone, $_ ) ) , j => $blackref , @state for firewall_zone, @vservers;
@@ -2567,7 +2567,7 @@ sub process_rules( $ ) {
 		     }
 		   );

-	process_rule while read_a_line;
+	process_rule while read_a_line( NORMAL_READ );
    }

    $section = '';
@@ -2585,7 +2585,7 @@ sub process_rules( $ ) {

 	first_entry "$doing $fn...";

-	process_rule while read_a_line;
+	process_rule while read_a_line( NORMAL_READ );

 	clear_comment;
    }
--- a/Shorewall/Perl/Shorewall/Tc.pm
+++ b/Shorewall/Perl/Shorewall/Tc.pm
@@ -197,11 +197,11 @@ sub process_tc_rule( ) {
    my ( $originalmark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability , $dscp );
    if ( $family == F_IPV4 ) {
 	( $originalmark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $probability, $dscp ) =
-	    split_line1 'tcrules file', { mark => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5, user => 6, test => 7, length => 8, tos => 9, connbytes => 10, helper => 11, probability => 12 , dscp => 13 };
+	    split_line1 'tcrules file', { mark => 0, action => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5, user => 6, test => 7, length => 8, tos => 9, connbytes => 10, helper => 11, probability => 12 , dscp => 13 }, undef , 14;
 	$headers = '-';
    } else {
-	( $originalmark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability, $dscp ) = 
-	    split_line1 'tcrules file', { mark => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5, user => 6, test => 7, length => 8, tos => 9, connbytes => 10, helper => 11, headers => 12, probability => 13 , dscp => 14 };
+	( $originalmark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability, $dscp ) =
+	    split_line1 'tcrules file', { mark => 0, action => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5, user => 6, test => 7, length => 8, tos => 9, connbytes => 10, helper => 11, headers => 12, probability => 13 , dscp => 14 }, undef, 15;
    }

    our @tccmd;
@@ -220,13 +220,13 @@ sub process_tc_rule( ) {
    my $chain    = $globals{MARKING_CHAIN};
    my $classid  = 0;

-    if ( $remainder ) { 
+    if ( $remainder ) {
 	if ( $originalmark =~ /^\w+\(?.*\)$/ ) {
 	    $mark = $originalmark; # Most likely, an IPv6 address is included in the parameter list
 	} else {
-	    fatal_error "Invalid MARK ($originalmark)" 
+	    fatal_error "Invalid MARK ($originalmark)"
 		unless ( $mark =~ /^([0-9a-fA-F]+)$/ &&
-			 $designator =~ /^([0-9a-fA-F]+)$/ && 
+			 $designator =~ /^([0-9a-fA-F]+)$/ &&
 			 ( $chain = $designator{$remainder} ) );
 	    $mark    = join( ':', $mark, $designator );
 	    $classid = 1;
@@ -287,7 +287,7 @@ sub process_tc_rule( ) {
 						  $val = numeric_value ($s);
 						  fatal_error "Invalid Shift Bits ($s)" unless defined $val && $val >= 0 && $val < 128;
 						  $shift = $s;
-					      }			    
+					      }
 					  } else {
 					      fatal_error "Invalid MARK/CLASSIFY ($cmd)" unless $cmd eq 'IPMARK';
 					  }
@@ -379,7 +379,7 @@ sub process_tc_rule( ) {
 				      },
 		       DSCP => sub() {
 			                  assert( $cmd =~ /^DSCP\((\w+)\)$/ );
-					  require_capability 'DSCP_TARGET', 'The DSCP action', 's'; 
+					  require_capability 'DSCP_TARGET', 'The DSCP action', 's';
 					  my $dscp = numeric_value( $1 );
 					  $dscp = $dscpmap{$1} unless defined $dscp;
 					  fatal_error( "Invalid DSCP ($1)" ) unless defined $dscp && $dscp <= 0x38 && ! ( $dscp & 1 );
@@ -526,7 +526,7 @@ sub process_tc_rule( ) {
 	}
    }

-    fatal_error "USER/GROUP only allowed in the OUTPUT chain" unless ( $user eq '-' || ( $chain eq 'tcout' || $chain eq 'tcpost' ) ); 
+    fatal_error "USER/GROUP only allowed in the OUTPUT chain" unless ( $user eq '-' || ( $chain eq 'tcout' || $chain eq 'tcpost' ) );

    if ( ( my $result = expand_rule( ensure_chain( 'mangle' , $chain ) ,
 				     $restrictions{$chain} | $restriction,
@@ -587,7 +587,7 @@ sub calculate_quantum( $$ ) {
 #
 sub process_in_bandwidth( $ ) {
    my $in_rate     = shift;
-    
+
    return 0 if $in_rate eq '-' or $in_rate eq '0';

    my $in_burst    = '10kb';
@@ -605,7 +605,7 @@ sub process_in_bandwidth( $ ) {
 	    fatal_error "Invalid IN-BANDWIDTH ($in_band)" unless supplied( $in_interval ) && supplied( $in_decay );
 	    fatal_error "Invalid Interval ($in_interval)" unless $in_interval =~ /^(?:(?:250|500)ms|(?:1|2|4|8)sec)$/;
 	    fatal_error "Invalid Decay ($in_decay)"       unless $in_decay    =~ /^(?:500ms|(?:1|2|4|8|16|32|64)sec)$/;
-	    
+
 	    if ( $in_decay =~ /ms/ ) {
 		fatal_error "Decay must be at least twice the interval" unless $in_interval eq '250ms';
 	    } else {
@@ -615,12 +615,12 @@ sub process_in_bandwidth( $ ) {
 		    $decay    =~ s/sec//;

 		    fatal_error "Decay must be at least twice the interval" unless $decay > $interval;
-		} 
+		}
 	    }
 	}
-	    
+
 	$in_avrate = rate_to_kbit( $in_rate );
-	$in_rate = 0; 
+	$in_rate = 0;
    } else {
 	if ( $in_band =~ /:/ ) {
 	    ( $in_band, $burst ) = split /:/, $in_rate, 2;
@@ -629,7 +629,7 @@ sub process_in_bandwidth( $ ) {
 	}

 	$in_rate = rate_to_kbit( $in_band );
-	
+
    }

    [ $in_rate, $in_burst, $in_avrate, $in_interval, $in_decay ];
@@ -643,7 +643,7 @@ sub handle_in_bandwidth( $$ ) {
    my ($in_rate, $in_burst, $in_avrate, $in_interval, $in_decay ) = @$arrayref;

    emit ( "run_tc qdisc add dev $physical handle ffff: ingress" );
-    
+
    if ( have_capability 'BASIC_FILTER' ) {
 	if ( $in_rate ) {
 	    emit( "run_tc filter add dev $physical parent ffff: protocol all prio 10 basic \\",
@@ -663,7 +663,7 @@ sub handle_in_bandwidth( $$ ) {
 	      "    police rate ${in_rate}kbit burst $in_burst drop flowid :1\n" );
    }
 }
-	
+
 sub process_flow($) {
    my $flow = shift;

@@ -774,7 +774,7 @@ sub process_simple_device() {
 	emit "run_tc filter add dev $physical protocol all prio 1 parent ${number}$i: handle ${number}${i} flow hash keys $type divisor 1024" if $type ne '-' && have_capability 'FLOW_FILTER';
 	emit '';
    }
-    
+
    emit( "run_tc filter add dev $physical parent $number:0 protocol all prio 1 u32" .
 	  "\\\n    match ip protocol 6 0xff" .
 	  "\\\n    match u8 0x05 0x0f at 0" .
@@ -1319,7 +1319,7 @@ sub process_tc_filter() {
 	} else {
 	    push @$filtersref, ( "\nrun_tc $rule\\" ,
 				 "   link $tnum:0 offset plus 40 eat" );
-	}    
+	}
 	#
 	# The rule to match the port(s) will be inserted into the new table
 	#
@@ -1452,10 +1452,10 @@ sub process_tcfilters() {

    if ( $fn ) {
 	my @family = ( $family );
-	
+
 	first_entry( "$doing $fn..." );
-	
-	while ( read_a_line ) {
+
+	while ( read_a_line( NORMAL_READ ) ) {
 	    if ( $currentline =~ /^\s*IPV4\s*$/ ) {
 		Shorewall::IPAddrs::initialize( $family = F_IPV4 ) unless $family == F_IPV4;
 	    } elsif ( $currentline =~ /^\s*IPV6\s*$/ ) {
@@ -1555,7 +1555,7 @@ sub process_tcinterfaces() {

    if ( $fn ) {
 	first_entry "$doing $fn...";
-	process_simple_device while read_a_line;
+	process_simple_device while read_a_line( NORMAL_READ );
    }
 }

@@ -1573,7 +1573,7 @@ sub process_tcpri() {
 		warning_message "There are entries in $fn1 but $fn was empty" unless @tcdevices || $family == F_IPV6;
 	    };

-	process_tc_priority while read_a_line;
+	process_tc_priority while read_a_line( NORMAL_READ );

 	clear_comment;

@@ -1586,7 +1586,7 @@ sub process_tcpri() {

 	    add_ijump( $mangle_table->{tcpost} ,
 		       j    => 'CONNMARK --save-mark --ctmask '    . in_hex( $globals{TC_MASK} ),
-		       mark => '! --mark 0/' . in_hex( $globals{TC_MASK} ) 
+		       mark => '! --mark 0/' . in_hex( $globals{TC_MASK} )
 		     );
 	}
    }
@@ -1604,7 +1604,7 @@ sub process_traffic_shaping() {
    if ( $fn ) {
 	first_entry "$doing $fn...";

-	validate_tc_device while read_a_line;
+	validate_tc_device while read_a_line( NORMAL_READ );
    }

    $devnum = $devnum > 10 ? 10 : 1;
@@ -1614,7 +1614,7 @@ sub process_traffic_shaping() {
    if ( $fn ) {
 	first_entry "$doing $fn...";

-	validate_tc_class while read_a_line;
+	validate_tc_class while read_a_line( NORMAL_READ );
    }

    process_tcfilters;
@@ -1711,7 +1711,7 @@ sub process_traffic_shaping() {

 		my $priority = $tcref->{priority} << 8;
 		my $parent   = in_hexp $tcref->{parent};
-		
+
 		emit ( "[ \$${dev}_mtu -gt $quantum ] && quantum=\$${dev}_mtu || quantum=$quantum" );

 		if ( $devref->{qdisc} eq 'htb' ) {
@@ -1758,7 +1758,7 @@ sub process_traffic_shaping() {
 		    my ( $tos, $mask ) = split q(/), $tospair;
 		    emit "run_tc filter add dev $device parent $devicenumber:0 protocol ip prio " . ( $priority | 10 ) . " u32 match ip tos $tos $mask flowid $classid";
 		}
-		
+
 		save_progress_message_short qq("   TC Class $classid defined.");
 		emit '';

@@ -1767,7 +1767,7 @@ sub process_traffic_shaping() {
 	    emit '';

 	    emit "$_" for @{$devref->{filters}};
-	
+
 	    save_progress_message_short qq("   TC Device $device defined.");

 	    pop_indent;
@@ -1819,7 +1819,7 @@ sub process_tc() {
    # enabled.

    my %empty;
-    
+
    $config{TC_ENABLED} eq 'Shared' ? \%empty : \%tcdevices;
 }

@@ -1959,13 +1959,13 @@ sub setup_tc() {
    if ( $config{TC_ENABLED} ) {
 	our  @tccmd = ( { match     => sub ( $ ) { $_[0] eq 'SAVE' } ,
 			  target    => 'CONNMARK --save-mark --mask' ,
-			  mark      => SMALLMARK ,
+			  mark      => $config{TC_EXPERT} ? HIGHMARK : SMALLMARK,
 			  mask      => in_hex( $globals{TC_MASK} ) ,
 			  connmark  => 1
 			} ,
 			{ match     => sub ( $ ) { $_[0] eq 'RESTORE' },
 			  target    => 'CONNMARK --restore-mark --mask' ,
-			  mark      => SMALLMARK ,
+			  mark      => $config{TC_EXPERT} ? HIGHMARK : SMALLMARK ,
 			  mask      => in_hex( $globals{TC_MASK} ) ,
 			  connmark  => 1
 			} ,
@@ -2038,7 +2038,7 @@ sub setup_tc() {

 	    first_entry "$doing $fn...";

-	    process_tc_rule while read_a_line;
+	    process_tc_rule while read_a_line( NORMAL_READ );

 	    clear_comment;
 	}
@@ -2049,7 +2049,7 @@ sub setup_tc() {

 	    first_entry "$doing $fn...";

-	    process_secmark_rule while read_a_line;
+	    process_secmark_rule while read_a_line( NORMAL_READ );

 	    clear_comment;
 	}
--- a/Shorewall/Perl/Shorewall/Tunnels.pm
+++ b/Shorewall/Perl/Shorewall/Tunnels.pm
@@ -234,7 +234,7 @@ sub setup_tunnels() {
    }

    sub setup_one_tunnel($$$$) {
-	my ( $kind , $zone, $gateway, $gatewayzones ) = @_;
+	my ( $kind , $zone, $gateways, $gatewayzones ) = @_;

 	my $zonetype = zone_type( $zone );

@@ -243,35 +243,42 @@ sub setup_tunnels() {
 	my $inchainref  = ensure_rules_chain( rules_chain( ${zone}, ${fw} ) );
 	my $outchainref = ensure_rules_chain( rules_chain( ${fw}, ${zone} ) );

-	$gateway = ALLIP if $gateway eq '-';
+	$gateways = ALLIP if $gateways eq '-';

-	my @source = imatch_source_net $gateway;
-	my @dest   = imatch_dest_net   $gateway;
+	my ( $net, $excl ) = handle_network_list( $gateways , 'src' );
+	( $net, $excl )    = handle_network_list( $gateways , 'dst' );

-	my %tunneltypes = ( 'ipsec'         => { function => \&setup_one_ipsec ,         params   => [ $kind, \@source, \@dest , $gatewayzones ] } ,
-			    'ipsecnat'      => { function => \&setup_one_ipsec ,         params   => [ $kind, \@source, \@dest , $gatewayzones ] } ,
-			    'ipip'          => { function => \&setup_one_other,          params   => [ \@source, \@dest , 4 ] } ,
-			    'gre'           => { function => \&setup_one_other,          params   => [ \@source, \@dest , 47 ] } ,
-			    '6to4'          => { function => \&setup_one_other,          params   => [ \@source, \@dest , 41 ] } ,
-			    '6in4'          => { function => \&setup_one_other,          params   => [ \@source, \@dest , 41 ] } ,
-			    'pptpclient'    => { function => \&setup_pptp_client,        params   => [ $kind, \@source, \@dest ] } ,
-			    'pptpserver'    => { function => \&setup_pptp_server,        params   => [ $kind, \@source, \@dest ] } ,
-			    'openvpn'       => { function => \&setup_one_openvpn,        params   => [ $kind, \@source, \@dest ] } ,
-			    'openvpnclient' => { function => \&setup_one_openvpn_client, params   => [ $kind, \@source, \@dest ] } ,
-			    'openvpnserver' => { function => \&setup_one_openvpn_server, params   => [ $kind, \@source, \@dest ] } ,
-			    'l2tp'          => { function => \&setup_one_l2tp ,          params   => [ $kind, \@source, \@dest ] } ,
-			    'generic'       => { function => \&setup_one_generic ,       params   => [ $kind, \@source, \@dest ] } ,
-			  );
+	fatal_error "Exclusion is not allowed in the GATEWAYS column" if $excl;

-	$kind = "\L$kind";
+	for my $gateway ( split_list $gateways, 'GATEWAYS' ) {
+	    my @source = imatch_source_net $gateway;
+	    my @dest   = imatch_dest_net   $gateway;

-	(my $type) = split /:/, $kind;
+	    my %tunneltypes = ( 'ipsec'         => { function => \&setup_one_ipsec ,         params   => [ $kind, \@source, \@dest , $gatewayzones ] } ,
+				'ipsecnat'      => { function => \&setup_one_ipsec ,         params   => [ $kind, \@source, \@dest , $gatewayzones ] } ,
+				'ipip'          => { function => \&setup_one_other,          params   => [ \@source, \@dest , 4 ] } ,
+				'gre'           => { function => \&setup_one_other,          params   => [ \@source, \@dest , 47 ] } ,
+				'6to4'          => { function => \&setup_one_other,          params   => [ \@source, \@dest , 41 ] } ,
+				'6in4'          => { function => \&setup_one_other,          params   => [ \@source, \@dest , 41 ] } ,
+				'pptpclient'    => { function => \&setup_pptp_client,        params   => [ $kind, \@source, \@dest ] } ,
+				'pptpserver'    => { function => \&setup_pptp_server,        params   => [ $kind, \@source, \@dest ] } ,
+				'openvpn'       => { function => \&setup_one_openvpn,        params   => [ $kind, \@source, \@dest ] } ,
+				'openvpnclient' => { function => \&setup_one_openvpn_client, params   => [ $kind, \@source, \@dest ] } ,
+				'openvpnserver' => { function => \&setup_one_openvpn_server, params   => [ $kind, \@source, \@dest ] } ,
+				'l2tp'          => { function => \&setup_one_l2tp ,          params   => [ $kind, \@source, \@dest ] } ,
+				'generic'       => { function => \&setup_one_generic ,       params   => [ $kind, \@source, \@dest ] } ,
+			      );

-	my $tunnelref = $tunneltypes{ $type };
+	    $kind = "\L$kind";

-	fatal_error "Tunnels of type $type are not supported" unless $tunnelref;
+	    (my $type) = split /:/, $kind;

-	$tunnelref->{function}->( $inchainref, $outchainref, @{$tunnelref->{params}} );
+	    my $tunnelref = $tunneltypes{ $type };
+
+	    fatal_error "Tunnels of type $type are not supported" unless $tunnelref;
+
+	    $tunnelref->{function}->( $inchainref, $outchainref, @{$tunnelref->{params}} );
+	}

 	progress_message "   Tunnel \"$currentline\" $done";
    }
@@ -283,16 +290,16 @@ sub setup_tunnels() {

 	first_entry "$doing $fn...";

-	while ( read_a_line ) {
+	while ( read_a_line( NORMAL_READ ) ) {

-	    my ( $kind, $zone, $gateway, $gatewayzones ) = split_line1 'tunnels file', { type => 0, zone => 1, gateway => 2, gateway_zone => 3 };
+	    my ( $kind, $zone, $gateway, $gatewayzones ) = split_line1 'tunnels file', { type => 0, zone => 1, gateway => 2, gateways => 2, gateway_zone => 3 }, undef, 4;

 	    fatal_error 'TYPE must be specified' if $kind eq '-';
-	    fatal_error 'ZONE must be specified' if $zone eq '-';

 	    if ( $kind eq 'COMMENT' ) {
 		process_comment;
 	    } else {
+		fatal_error 'ZONE must be specified' if $zone eq '-';
 		setup_one_tunnel $kind, $zone, $gateway, $gatewayzones;
 	    }
 	}
--- a/Shorewall/Perl/Shorewall/Zones.pm
+++ b/Shorewall/Perl/Shorewall/Zones.pm
@@ -545,7 +545,7 @@ sub determine_zones()

    if ( my $fn = open_file 'zones' ) {
 	first_entry "$doing $fn...";
-	push @z, process_zone( $ip ) while read_a_line;
+	push @z, process_zone( $ip ) while read_a_line( NORMAL_READ );
    } else {
 	fatal_error q(The 'zones' file does not exist or has zero size);
    }
@@ -711,7 +711,7 @@ sub add_group_to_zone($$$$$)
    my $interfaceref;
    my $zoneref  = $zones{$zone};
    my $zonetype = $zoneref->{type};
-    
+

    $zoneref->{interfaces}{$interface} = 1;

@@ -934,9 +934,9 @@ sub process_interface( $$ ) {
 	    return;
 	}

-	fatal_error "Invalid FORMAT ($1)";
+	fatal_error "Invalid FORMAT ($originalinterface)";
    }
-	
+
    if ( $zone eq '-' ) {
 	$zone = '';
    } else {
@@ -992,7 +992,7 @@ sub process_interface( $$ ) {
 	$root = substr( $interface, 0, -1 );
 	$roots{$root} = $interface;
 	my $len = length $root;
-	
+
 	if ( $minroot ) {
 	    $minroot = $len if $minroot > $len;
 	} else {
@@ -1090,7 +1090,7 @@ sub process_interface( $$ ) {
 		    assert( 0 );
 		}
 	    } elsif ( $type == NUMERIC_IF_OPTION ) {
-		fatal_error "The '$option' option may not be specified on a wildcard interface" if $wildcard && ! $type && IF_OPTION_WILDOK; 
+		fatal_error "The '$option' option may not be specified on a wildcard interface" if $wildcard && ! $type && IF_OPTION_WILDOK;
 		$value = $defaultinterfaceoptions{$option} unless defined $value;
 		fatal_error "The '$option' option requires a value" unless defined $value;
 		my $numval = numeric_value $value;
@@ -1208,13 +1208,13 @@ sub process_interface( $$ ) {
 sub validate_interfaces_file( $ ) {
    my  $export = shift;
    our $format = 1;
-    
+
    my @ifaces;
    my $nextinum = 1;

    if ( my $fn = open_file 'interfaces' ) {
 	first_entry "$doing $fn...";
-	push @ifaces, process_interface( $nextinum++, $export ) while read_a_line;
+	push @ifaces, process_interface( $nextinum++, $export ) while read_a_line( NORMAL_READ );
    } else {
 	fatal_error q(The 'interfaces' file does not exist or has zero size);
    }
@@ -1297,7 +1297,7 @@ sub known_interface($)
    if ( $minroot ) {
 	while ( length $iface > $minroot ) {
 	    chop $iface;
-	
+
 	    if ( my $i = $roots{$iface} ) {
 		$interfaceref = $interfaces{$i};

@@ -1373,7 +1373,7 @@ sub physical_name( $ ) {

    $devref ? $devref->{physical} : $device;
 }
-    
+
 #
 # Returns true if there are bridge port zones defined in the config
 #
@@ -1479,7 +1479,7 @@ sub get_interface_option( $$ ) {
    assert( $ref = known_interface( $interface ) );

    $ref->{options}{$option};
-    
+
 }

 #
@@ -1742,7 +1742,7 @@ sub compile_updown() {

    if ( @$optional ) {
 	my @interfaces = map $interfaces{$_}->{physical}, @$optional;
-	my $interfaces = join '|', @interfaces; 
+	my $interfaces = join '|', @interfaces;

 	if ( $interfaces =~ s/\+/*/g || @interfaces > 1 ) {
 	    emit( "$interfaces)",
@@ -1838,7 +1838,7 @@ sub process_host( ) {

 	fatal_error "Unknown interface ($interface)" unless ($interfaceref = $interfaces{$interface}) && $interfaceref->{root};
    } else {
-	fatal_error "Invalid HOST(S) column contents: $hosts" 
+	fatal_error "Invalid HOST(S) column contents: $hosts"
    }

    if ( $hosts =~ /^!?\+/ ) {
@@ -1935,7 +1935,7 @@ sub validate_hosts_file()

    if ( my $fn = open_file 'hosts' ) {
 	first_entry "$doing $fn...";
-	$ipsec |= process_host while read_a_line;
+	$ipsec |= process_host while read_a_line( NORMAL_READ );
    }

    $have_ipsec = $ipsec || haveipseczones;
--- a/Shorewall/Perl/compiler.pl
+++ b/Shorewall/Perl/compiler.pl
@@ -37,6 +37,7 @@
 #         --log_verbosity=<number>    # Log Verbosity range -1 to 2
 #         --family=<number>           # IP family; 4 = IPv4 (default), 6 = IPv6
 #         --preview                   # Preview the ruleset.
+#         --shorewallrc=<path>        # Path to shorewallrc file.
 #         --config_path=<path-list>   # Search path for config files
 #
 use strict;
@@ -65,7 +66,7 @@ sub usage( $ ) {
    [ --annotate ]
    [ --update ]
    [ --convert ]
-    [ --shorewallrc ]
+    [ --shorewallrc=<pathname> ]
    [ --config_path=<path-list> ]
 ';

--- a/Shorewall/Perl/macro.BLACKLIST
+++ b/Shorewall/Perl/macro.BLACKLIST
@@ -1,11 +0,0 @@
-#
-# Shorewall version 4 - blacklist Macro
-#
-# /usr/share/shorewall/macro.blacklist
-#
-#	This macro handles blacklisting using BLACKLIST_DISPOSITION and BLACKLIST_LOGLEVEL
-#
-###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
-#				PORT(S)	PORT(S)	LIMIT	GROUP
-$BLACKLIST_DISPOSITION:$BLACKLIST_LOGLEVEL
--- a/Shorewall/Perl/prog.footer
+++ b/Shorewall/Perl/prog.footer
@@ -38,7 +38,7 @@ checkkernelversion() {
    if [ $g_family -eq 6 ]; then
 	kernel=$(uname -r 2> /dev/null | sed -e 's/-.*//')

-	case "$kernel" in 
+	case "$kernel" in
 	    *.*.*)
 		kernel=$(printf "%d%02d%02d" $(echo $kernel | sed -e 's/^\([0-9][0-9]*\)\.\([0-9][0-9]*\)\.\([0-9][0-9]*\).*$/\1 \2 \3/g'))
 		;;
@@ -235,8 +235,8 @@ case "$COMMAND" in
 	    status=2
 	elif checkkernelversion; then
 	    if [ $# -eq 1 ]; then
-		$IP6TABLES -Z
-		$IP6TABLES -t mangle -Z
+		$g_tool -Z
+		$g_tool -t mangle -Z
 		date > ${VARDIR}/restarted
 		status=0
 		progress_message3 "$g_product Counters Reset"
@@ -245,7 +245,7 @@ case "$COMMAND" in
 		status=0
 		for chain in $@; do
 		    if chain_exists $chain; then
-			if qt $IP6TABLES -Z $chain; then
+			if qt $g_tool-Z $chain; then
 			    progress_message3 "Filter $chain Counters Reset"
 			else
 			    error_message "ERROR: Reset of chain $chain failed"
--- a/Shorewall/Samples/LICENSE
+++ b/Shorewall/Samples/LICENSE
@@ -55,7 +55,7 @@ modified by someone else and passed on, the recipients should know
 that what they have is not the original version, so that the original
 author's reputation will not be affected by problems that might be
 introduced by others.
-
+
  Finally, software patents pose a constant threat to the existence of
 any free program.  We wish to make sure that a company cannot
 effectively restrict the users of a free program by obtaining a
@@ -111,7 +111,7 @@ modification follow.  Pay close attention to the difference between a
 "work based on the library" and a "work that uses the library".  The
 former contains code derived from the library, whereas the latter must
 be combined with the library in order to run.
-
+
 		  GNU LESSER GENERAL PUBLIC LICENSE
   TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION

@@ -146,7 +146,7 @@ such a program is covered only if its contents constitute a work based
 on the Library (independent of the use of the Library in a tool for
 writing it).  Whether that is true depends on what the Library does
 and what the program that uses the Library does.
-  
+
  1. You may copy and distribute verbatim copies of the Library's
 complete source code as you receive it, in any medium, provided that
 you conspicuously and appropriately publish on each copy an
@@ -158,7 +158,7 @@ Library.
  You may charge a fee for the physical act of transferring a copy,
 and you may at your option offer warranty protection in exchange for a
 fee.
-
+
  2. You may modify your copy or copies of the Library or any portion
 of it, thus forming a work based on the Library, and copy and
 distribute such modifications or work under the terms of Section 1
@@ -216,7 +216,7 @@ instead of to this License.  (If a newer version than version 2 of the
 ordinary GNU General Public License has appeared, then you can specify
 that version instead if you wish.)  Do not make any other change in
 these notices.
-
+
  Once this change is made in a given copy, it is irreversible for
 that copy, so the ordinary GNU General Public License applies to all
 subsequent copies and derivative works made from that copy.
@@ -267,7 +267,7 @@ Library will still fall under Section 6.)
 distribute the object code for the work under the terms of Section 6.
 Any executables containing that work also fall under Section 6,
 whether or not they are linked directly with the Library itself.
-
+
  6. As an exception to the Sections above, you may also combine or
 link a "work that uses the Library" with the Library to produce a
 work containing portions of the Library, and distribute that work
@@ -329,7 +329,7 @@ restrictions of other proprietary libraries that do not normally
 accompany the operating system.  Such a contradiction means you cannot
 use both them and the Library together in an executable that you
 distribute.
-
+
  7. You may place library facilities that are a work based on the
 Library side-by-side in a single library together with other library
 facilities not covered by this License, and distribute such a combined
@@ -370,7 +370,7 @@ subject to these terms and conditions.  You may not impose any further
 restrictions on the recipients' exercise of the rights granted herein.
 You are not responsible for enforcing compliance by third parties with
 this License.
-
+
  11. If, as a consequence of a court judgment or allegation of patent
 infringement or for any other reason (not limited to patent issues),
 conditions are imposed on you (whether by court order, agreement or
@@ -422,7 +422,7 @@ conditions either of that version or of any later version published by
 the Free Software Foundation.  If the Library does not specify a
 license version number, you may choose any version ever published by
 the Free Software Foundation.
-
+
  14. If you wish to incorporate parts of the Library into other free
 programs whose distribution conditions are incompatible with these,
 write to the author to ask for permission.  For software which is
@@ -456,7 +456,7 @@ SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH
 DAMAGES.

 		     END OF TERMS AND CONDITIONS
-
+
           How to Apply These Terms to Your New Libraries

  If you develop a new library, and you want it to be of the greatest
--- a/Shorewall/Samples/Universal/interfaces
+++ b/Shorewall/Samples/Universal/interfaces
@@ -7,6 +7,8 @@
 # http://www.shorewall.net/manpages/shorewall-interfaces.html
 #
 ###############################################################################
-#ZONE	INTERFACE	BROADCAST	OPTIONS
-	lo		-		ignore
-net	all		-		dhcp,physical=+,routeback,optional
+FORMAT 2
+###############################################################################
+#ZONE	INTERFACE	OPTIONS
+-	lo		ignore
+net	all		dhcp,physical=+,routeback,optional
--- a/Shorewall/Samples/Universal/shorewall.conf
+++ b/Shorewall/Samples/Universal/shorewall.conf
@@ -61,6 +61,8 @@ IP=

 IPSET=

+LOCKFILE=
+
 MODULESDIR=

 PERL=/usr/bin/perl
--- a/Shorewall/Samples/one-interface/interfaces
+++ b/Shorewall/Samples/one-interface/interfaces
@@ -11,5 +11,7 @@
 #------------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall-interfaces"
 ###############################################################################
-#ZONE	INTERFACE	BROADCAST	OPTIONS
-net     eth0            detect          dhcp,tcpflags,logmartians,nosmurfs
+FORMAT 2
+###############################################################################
+#ZONE	INTERFACE	OPTIONS
+net     eth0            dhcp,tcpflags,logmartians,nosmurfs
--- a/Shorewall/Samples/one-interface/shorewall.conf
+++ b/Shorewall/Samples/one-interface/shorewall.conf
@@ -13,7 +13,7 @@
 #
 # For information about the settings in this file, type "man shorewall.conf"
 #
-# The manpage is also online at 
+# The manpage is also online at
 # http://shorewall.net/manpages/shorewall.conf.html
 #
 ###############################################################################
@@ -72,6 +72,8 @@ IP=

 IPSET=

+LOCKFILE=
+
 MODULESDIR=

 PERL=/usr/bin/perl
--- a/Shorewall/Samples/three-interfaces/interfaces
+++ b/Shorewall/Samples/three-interfaces/interfaces
@@ -11,7 +11,9 @@
 #------------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall-interfaces"
 ###############################################################################
-#ZONE	INTERFACE	BROADCAST	OPTIONS
-net     eth0            detect          tcpflags,dhcp,nosmurfs,routefilter,logmartians
-loc     eth1            detect          tcpflags,nosmurfs,routefilter,logmartians
-dmz     eth2            detect		tcpflags,nosmurfs,routefilter,logmartians
+FORMAT 2
+###############################################################################
+#ZONE	INTERFACE	OPTIONS
+net     eth0            tcpflags,dhcp,nosmurfs,routefilter,logmartians
+loc     eth1            tcpflags,nosmurfs,routefilter,logmartians
+dmz     eth2            tcpflags,nosmurfs,routefilter,logmartians
--- a/Shorewall/Samples/three-interfaces/shorewall.conf
+++ b/Shorewall/Samples/three-interfaces/shorewall.conf
@@ -14,7 +14,7 @@
 #
 # For information about the settings in this file, type "man shorewall.conf"
 #
-# The manpage is also online at 
+# The manpage is also online at
 # http://shorewall.net/manpages/shorewall.conf.html
 #
 ###############################################################################
@@ -70,6 +70,8 @@ IP=

 IPSET=

+LOCKFILE=
+
 MODULESDIR=

 PERL=/usr/bin/perl
--- a/Shorewall/Samples/two-interfaces/interfaces
+++ b/Shorewall/Samples/two-interfaces/interfaces
@@ -11,6 +11,8 @@
 #------------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall-interfaces"
 ###############################################################################
-#ZONE	INTERFACE	BROADCAST	OPTIONS
-net     eth0            detect          dhcp,tcpflags,nosmurfs,routefilter,logmartians
-loc     eth1            detect          tcpflags,nosmurfs,routefilter,logmartians
+FORMAT 2
+###############################################################################
+#ZONE	INTERFACE	OPTIONS
+net     eth0            dhcp,tcpflags,nosmurfs,routefilter,logmartians
+loc     eth1            tcpflags,nosmurfs,routefilter,logmartians
--- a/Shorewall/Samples/two-interfaces/shorewall.conf
+++ b/Shorewall/Samples/two-interfaces/shorewall.conf
@@ -3,7 +3,7 @@
 # Shorewall version 4.0 - Sample shorewall.conf for two-interface
 #                         configuration.
 # Copyright (C) 2006,2007 by the Shorewall Team
-#               2011 by Thomas M. Eastep            
+#               2011 by Thomas M. Eastep
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public
@@ -14,7 +14,7 @@
 #
 # For information about the settings in this file, type "man shorewall.conf"
 #
-# The manpage is also online at 
+# The manpage is also online at
 # http://shorewall.net/manpages/shorewall.conf.html
 #
 ###############################################################################
@@ -73,6 +73,8 @@ IP=

 IPSET=

+LOCKFILE=
+
 MODULESDIR=

 PERL=/usr/bin/perl
--- a/Shorewall/action.Broadcast
+++ b/Shorewall/action.Broadcast
@@ -22,7 +22,7 @@
 #       along with this program; if not, write to the Free Software
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
-#   Broadcast[([<action>|-[,{audit|-}])] 
+#   Broadcast[([<action>|-[,{audit|-}])]
 #
 #       Default action is DROP
 #
@@ -51,7 +51,7 @@ if ( have_capability( 'ADDRTYPE' ) ) {
 	log_rule_limit $level, $chainref, 'dropBcast' , $action, '', $tag, 'add', ' -m addrtype --dst-type BROADCAST ';
 	log_rule_limit $level, $chainref, 'dropBcast' , $action, '', $tag, 'add', ' -m addrtype --dst-type MULTICAST ';
 	log_rule_limit $level, $chainref, 'dropBcast' , $action, '', $tag, 'add', ' -m addrtype --dst-type ANYCAST ';
-    }	
+    }

    add_jump $chainref, $target, 0, '-m addrtype --dst-type BROADCAST ';
    add_jump $chainref, $target, 0, '-m addrtype --dst-type MULTICAST ';
@@ -64,7 +64,7 @@ if ( have_capability( 'ADDRTYPE' ) ) {
    decr_cmd_level $chainref;
    add_commands $chainref, 'done';
 }
-    
+
 log_rule_limit $level, $chainref, 'Broadcast' , $action, '', $tag, 'add', ' -d 224.0.0.0/4 ' if $level ne '';
 add_jump $chainref, $target, 0, '-d 224.0.0.0/4 ';

--- a/Shorewall/action.Drop
+++ b/Shorewall/action.Drop
@@ -33,7 +33,7 @@
 ###############################################################################
 FORMAT 2
 #
-# The following magic provides different defaults for $2 thru $5, when $1 is 
+# The following magic provides different defaults for $2 thru $5, when $1 is
 # 'audit'.
 #
 BEGIN PERL;
@@ -41,7 +41,7 @@ use Shorewall::Config;

 my ( $p1, $p2, $p3 , $p4, $p5 ) = get_action_params( 5 );

-if ( defined $p1 ) { 
+if ( defined $p1 ) {
    if ( $p1 eq 'audit' ) {
 	set_action_param( 2, 'A_REJECT')   unless supplied $p2;
 	set_action_param( 3, 'A_DROP')     unless supplied $p3;
--- a/Shorewall/action.DropSmurfs
+++ b/Shorewall/action.DropSmurfs
@@ -41,15 +41,15 @@ if ( $level ne '-' || $audit ne '-' ) {
 	fatal_error "Invalid argument ($audit) to DropSmurfs" if $audit ne 'audit';
 	require_capability 'AUDIT_TARGET', q(Passing 'audit' to the DropSmurfs action), 's';
 	add_ijump( $logchainref, j => 'AUDIT --type DROP' );
-    } 
-	
+    }
+
    add_ijump( $logchainref, j => 'DROP' );

    $target = $logchainref;
 } else {
    $target = 'DROP';
 }
-		    
+
 if ( have_capability( 'ADDRTYPE' ) ) {
    if ( $family == F_IPV4 ) {
 	add_ijump $chainref , j => 'RETURN', s => '0.0.0.0';         ;
@@ -64,7 +64,7 @@ if ( have_capability( 'ADDRTYPE' ) ) {
    } else {
 	add_commands $chainref, 'for address in $ALL_ACASTS; do';
    }
-    
+
    incr_cmd_level $chainref;
    add_ijump( $chainref, g => $target, s => '$address' );
    decr_cmd_level $chainref;
@@ -80,6 +80,6 @@ if ( $family == F_IPV4 ) {
 END PERL;


-    
+


--- a/Shorewall/action.Invalid
+++ b/Shorewall/action.Invalid
@@ -22,7 +22,7 @@
 #       along with this program; if not, write to the Free Software
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
-#   Invalid[([<action>|-[,{audit|-}])] 
+#   Invalid[([<action>|-[,{audit|-}])]
 #
 #       Default action is DROP
 #
--- a/Shorewall/action.NotSyn
+++ b/Shorewall/action.NotSyn
@@ -22,7 +22,7 @@
 #       along with this program; if not, write to the Free Software
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
-#   NotSyn[([<action>|-[,{audit|-}])] 
+#   NotSyn[([<action>|-[,{audit|-}])]
 #
 #       Default action is DROP
 #
--- a/Shorewall/action.RST
+++ b/Shorewall/action.RST
@@ -0,0 +1,56 @@
+#
+# Shorewall 4 - RST Action
+#
+#    /usr/share/shorewall/action.RST
+#
+#     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
+#
+#     (c) 2011 - Tom Eastep (teastep@shorewall.net)
+#
+#       Complete documentation is available at http://shorewall.net
+#
+#       This program is free software; you can redistribute it and/or modify
+#       it under the terms of Version 2 of the GNU General Public License
+#       as published by the Free Software Foundation.
+#
+#       This program is distributed in the hope that it will be useful,
+#       but WITHOUT ANY WARRANTY; without even the implied warranty of
+#       MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+#       GNU General Public License for more details.
+#
+#       You should have received a copy of the GNU General Public License
+#       along with this program; if not, write to the Free Software
+#       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+#   RST[([<action>|-[,{audit|-}])]
+#
+#       Default action is DROP
+#
+##########################################################################################
+FORMAT 2
+
+DEFAULTS DROP,-
+
+BEGIN PERL;
+
+use Shorewall::IPAddrs;
+use Shorewall::Config;
+use Shorewall::Chains;
+
+my ( $action, $audit ) = get_action_params( 2 );
+
+fatal_error "Invalid parameter ($audit) to action NotSyn"   if supplied $audit && $audit ne 'audit';
+fatal_error "Invalid parameter ($action) to action NotSyn"  unless $action =~ /^(?:ACCEPT|DROP|REJECT)$/;
+
+my $chainref         = get_action_chain;
+my ( $level, $tag )  = get_action_logging;
+my $target           = require_audit ( $action , $audit );
+
+log_rule_limit $level, $chainref, 'RST' , $action, '', $tag, 'add', '-p 6 --tcp-flags RST RST ' if $level ne '';
+add_jump $chainref , $target, 0, '-p 6 --tcp-flags RST RST, ';
+
+allow_optimize( $chainref );
+
+1;
+
+END PERL;
--- a/Shorewall/action.Reject
+++ b/Shorewall/action.Reject
@@ -29,7 +29,7 @@
 ###############################################################################
 FORMAT 2
 #
-# The following magic provides different defaults for $2 thru $5, when $1 is 
+# The following magic provides different defaults for $2 thru $5, when $1 is
 # 'audit'.
 #
 BEGIN PERL;
@@ -37,7 +37,7 @@ use Shorewall::Config;

 my ( $p1, $p2, $p3 , $p4, $p5 ) = get_action_params( 5 );

-if ( defined $p1 ) { 
+if ( defined $p1 ) {
    if ( $p1 eq 'audit' ) {
 	set_action_param( 2, 'A_REJECT')  unless supplied $p2;
 	set_action_param( 3, 'A_REJECT')  unless supplied $p3;
--- a/Shorewall/action.TCPFlags
+++ b/Shorewall/action.TCPFlags
@@ -24,7 +24,7 @@ my ( $disposition, $audit ) = get_action_params( 2 );
 my $chainref        = get_action_chain;
 my ( $level, $tag ) = get_action_logging;

-fatal_error q(The first argument to 'TCPFlags' must be ACCEPT, REJECT, or DROP) unless $disposition =~ /^(ACCEPT|REJECT|DROP)$/; 
+fatal_error q(The first argument to 'TCPFlags' must be ACCEPT, REJECT, or DROP) unless $disposition =~ /^(ACCEPT|REJECT|DROP)$/;

 if ( $level ne '-' || $audit ne '-' ) {
    my $logchainref = ensure_filter_chain newlogchain( $chainref->{table} ), 0;
@@ -42,13 +42,13 @@ if ( $level ne '-' || $audit ne '-' ) {
 	fatal_error "Invalid argument ($audit) to TCPFlags" if $audit ne 'audit';
 	require_capability 'AUDIT_TARGET', q(Passing 'audit' to the TCPFlags action), 's';
 	add_ijump( $logchainref, j => 'AUDIT --type ' . lc $disposition );
-    } 
+    }

    add_ijump( $logchainref, g => $disposition );

    $disposition = $logchainref;
 }
-		    
+
 add_ijump $chainref , g => $disposition, p => 'tcp --tcp-flags ALL FIN,URG,PSH';
 add_ijump $chainref , g => $disposition, p => 'tcp --tcp-flags ALL NONE';
 add_ijump $chainref , g => $disposition, p => 'tcp --tcp-flags SYN,RST SYN,RST';
@@ -58,6 +58,6 @@ add_ijump $chainref , g => $disposition, p => 'tcp --syn --sport 0';
 END PERL;


-    
+


--- a/Shorewall/actions.std
+++ b/Shorewall/actions.std
@@ -41,4 +41,5 @@ DropSmurfs          # Drop smurf packets
 Invalid             # Handles packets in the INVALID conntrack state
 NotSyn              # Handles TCP packets which do not have SYN=1 and ACK=0
 Reject		    # Default Action for REJECT policy
+RST		    # Handle packets with RST set
 TCPFlags            # Handle bad flag combinations.
--- a/Shorewall/configfiles/interfaces
+++ b/Shorewall/configfiles/interfaces
@@ -7,8 +7,6 @@
 # http://www.shorewall.net/manpages/shorewall-interfaces.html
 #
 ###############################################################################
-FORMAT 1
-#ZONE	INTERFACE	BROADCAST	OPTIONS
-
 FORMAT 2
+###############################################################################
 #ZONE		INTERFACE		OPTIONS
--- a/Shorewall/configfiles/shorewall.conf
+++ b/Shorewall/configfiles/shorewall.conf
@@ -61,6 +61,8 @@ IP=

 IPSET=

+LOCKFILE=
+
 MODULESDIR=

 PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin"
--- a/Shorewall/configfiles/tunnels
+++ b/Shorewall/configfiles/tunnels
@@ -7,5 +7,5 @@
 # http://www.shorewall.net/manpages/shorewall-tunnels.html
 #
 ###############################################################################
-#TYPE			ZONE	GATEWAY		GATEWAY
-#						ZONE
+#TYPE			ZONE	GATEWAYS			GATEWAY
+#								ZONES
--- a/Shorewall/init.fedora.sh
+++ b/Shorewall/init.fedora.sh
@@ -41,10 +41,10 @@ start() {
    echo -n $"Starting Shorewall: "
    $shorewall $OPTIONS start 2>&1 | $logger
    retval=${PIPESTATUS[0]}
-    if [[ $retval == 0 ]]; then 
+    if [[ $retval == 0 ]]; then
 	touch $lockfile
 	success
-    else 
+    else
 	failure
    fi
    echo
@@ -55,10 +55,10 @@ stop() {
    echo -n $"Stopping Shorewall: "
    $shorewall $OPTIONS stop 2>&1 | $logger
    retval=${PIPESTATUS[0]}
-    if [[ $retval == 0 ]]; then 
+    if [[ $retval == 0 ]]; then
 	rm -f $lockfile
 	success
-    else 
+    else
 	failure
    fi
    echo
@@ -71,7 +71,7 @@ restart() {
    echo -n $"Restarting Shorewall: "
    $shorewall $OPTIONS restart 2>&1 | $logger
    retval=${PIPESTATUS[0]}
-    if [[ $retval == 0 ]]; then 
+    if [[ $retval == 0 ]]; then
 	touch $lockfile
 	success
    else # Failed to start, clean up lock file if present
--- a/Shorewall/install.sh
+++ b/Shorewall/install.sh
@@ -38,7 +38,7 @@ usage() # $1 = exit status
    exit $1
 }

-fatal_error() 
+fatal_error()
 {
    echo "   ERROR: $@" >&2
    exit 1
@@ -95,7 +95,7 @@ install_file() # $1 = source $2 = target $3 = mode
    run_install $T $OWNERSHIP -m $3 $1 ${2}
 }

-require() 
+require()
 {
    eval [ -n "\$$1" ] || fatal_error "Required option $1 not set"
 }
@@ -248,12 +248,18 @@ OWNERSHIP="-o $OWNER -g $GROUP"
 # Determine where to install the firewall script
 #

-if [ $PRODUCT = shorewall -a -z "${DESTDIR}" ]; then
+if [ $PRODUCT = shorewall -a "$BUILD" = "$HOST" ]; then
+    #
+    # Fix up 'use Digest::' if SHA is installed
+    #
+    if perl -e 'use Digest::SHA;' 2> /dev/null ; then
+	sed -i 's/Digest::SHA1/Digest::SHA/' Perl/Shorewall/Chains.pm
+    fi
    #
    # Verify that Perl is installed
    #
    if ! perl -c Perl/compiler.pl; then
-	echo "ERROR: $Product $VERSION requires Perl which either is not installed or is not able to compile the $Product Perl code" >&2
+	echo "ERROR: $Product $VERSION requires Perl which either is not installed or is not able to compile the Shorewall Perl code" >&2
 	echo "       Try perl -c $PWD/Perl/compiler.pl" >&2
 	exit 1
    fi
@@ -327,14 +333,11 @@ echo "$PRODUCT control program installed in ${DESTDIR}${SBINDIR}/$PRODUCT"
 # Install the Firewall Script
 #
 if [ -n "$INITFILE" ]; then
-    install_file $INITSOURCE ${DESTDIR}${INITDIR}/$INITFILE 0544
-    [ "${SHAREDIR}" = /usr/share ] || eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${INITDIR}/$INITFILE
-  
-    if [ -n "${AUXINITSOURCE}" ]; then
+    if [ -f "${INITSOURCE}" ]; then
 	install_file $INITSOURCE ${DESTDIR}${INITDIR}/$INITFILE 0544
+	[ "${SHAREDIR}" = /usr/share ] || eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${INITDIR}/$INITFILE
+	echo  "$Product script installed in ${DESTDIR}${INITDIR}/$INITFILE"
    fi
-
-    echo  "$Product script installed in ${DESTDIR}${INITDIR}/$INITFILE"
 fi

 #
@@ -433,7 +436,7 @@ run_install $OWNERSHIP -m 0644 $PRODUCT.conf.annotated ${DESTDIR}${SHAREDIR}/$PR

 if [ ! -f ${DESTDIR}${CONFDIR}/$PRODUCT/$PRODUCT.conf ]; then
    run_install $OWNERSHIP -m 0644 ${PRODUCT}.conf${suffix} ${DESTDIR}${CONFDIR}/$PRODUCT/$PRODUCT.conf
-    
+
    if [ "$SHAREDIR" != /usr/share -o "$CONFDIR" != /etc ]; then
 	if [ $PRODUCT = shorewall ]; then
 	    perl -p -w -i -e "s|^CONFIG_PATH=.*|CONFIG_PATH=${CONFDIR}/shorewall:${SHAREDIR}/shorewall|;" ${DESTDIR}${CONFDIR}/$PRODUCT/$PRODUCT.conf
@@ -957,11 +960,9 @@ echo "Standard actions file installed as ${DESTDIR}${SHAREDIR}d/$PRODUCT/actions
 # Install the  Makefiles
 #
 run_install $OWNERSHIP -m 0644 Makefile-lite ${DESTDIR}${SHAREDIR}/$PRODUCT/configfiles/Makefile
-[ $SHAREDIR = /usr/share ] || eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}/${SHAREDIR}/$PRODUCT/configfiles/Makefile
-[ $SBINDIR = /sbin ]       || eval sed -i \'s\|/sbin/\|${SBINDIR}/\|\'       ${DESTDIR}/${SHAREDIR}/$PRODUCT/configfiles/Makefile

 if [ -z "$SPARSE" ]; then
-    run_install $OWNERSHIP -m 0600 ${DESTDIR}/${SHAREDIR}/$PRODUCT/configfiles/Makefile ${DESTDIR}${CONFDIR}/$PRODUCT
+    run_install $OWNERSHIP -m 0600 Makefile ${DESTDIR}${CONFDIR}/$PRODUCT
    echo "Makefile installed as ${DESTDIR}${CONFDIR}/$PRODUCT/Makefile"
 fi
 #
@@ -1068,13 +1069,13 @@ cd manpages
 [ -n "$INSTALLD" ] || mkdir -p ${DESTDIR}${MANDIR}/man5/ ${DESTDIR}${MANDIR}/man8/

 for f in *.5; do
-    gzip -c $f > $f.gz
+    gzip -9c $f > $f.gz
    run_install $INSTALLD  -m 0644 $f.gz ${DESTDIR}${MANDIR}/man5/$f.gz
    echo "Man page $f.gz installed to ${DESTDIR}${MANDIR}/man5/$f.gz"
 done

 for f in *.8; do
-    gzip -c $f > $f.gz
+    gzip -9c $f > $f.gz
    run_install $INSTALLD  -m 0644 $f.gz ${DESTDIR}${MANDIR}/man8/$f.gz
    echo "Man page $f.gz installed to ${DESTDIR}${MANDIR}/man8/$f.gz"
 done
@@ -1104,6 +1105,7 @@ if [ -z "$DESTDIR" -a -n "$first_install" -a -z "${cygwin}${mac}" ]; then
 	echo "Set startup=1 in ${CONFDIR}/default/$PRODUCT to enable"
 	touch /var/log/$PRODUCT-init.log
 	perl -p -w -i -e 's/^STARTUP_ENABLED=No/STARTUP_ENABLED=Yes/;s/^IP_FORWARDING=On/IP_FORWARDING=Keep/;s/^SUBSYSLOCK=.*/SUBSYSLOCK=/;' ${CONFDIR}/$PRODUCT/$PRODUCT.conf
+	update-rc.d $PRODUCT enable
    elif [ -n "$SYSTEMD" ]; then
 	if systemctl enable $PRODUCT; then
 	    echo "$Product will start automatically at boot"
--- a/Shorewall/lib.cli-std
+++ b/Shorewall/lib.cli-std
@@ -34,7 +34,7 @@ get_config() {

    ensure_config_path

-    
+

    if [ "$1" = Yes ]; then
 	params=$(find_file params)
@@ -90,7 +90,7 @@ get_config() {
 		    exit 2
 		fi
 	    fi
-	    
+
 	    g_tool=$IPTABLES
 	else
 	    if [ -n "$IP6TABLES" ]; then
@@ -507,7 +507,11 @@ start_command() {
 			c*)
 			    AUTOMAKE=
 			    option=${option#c}
-			    ;;			    
+			    ;;
+			T*)
+			    g_confess=Yes
+			    option=${option#T}
+			    ;;
 			*)
 			    usage 1
 			    ;;
@@ -870,7 +874,7 @@ restart_command() {
 			c*)
 			    AUTOMAKE=
 			    option=${option#c}
-			    ;;			    
+			    ;;
 			n*)
 			    g_noroutes=Yes
 			    option=${option#n}
@@ -880,6 +884,10 @@ restart_command() {
 			    g_purge=Yes
 			    option=${option%p}
 			    ;;
+			T*)
+			    g_confess=Yes
+			    option=${option#T}
+			    ;;
 			*)
 			    usage 1
 			    ;;
@@ -964,6 +972,27 @@ refresh_command() {
 			    finished=1
 			    option=
 			    ;;
+			d*)
+			    g_debug=Yes
+			    option=${option#d}
+			    ;;
+			n*)
+			    g_noroutes=Yes
+			    option=${option#n}
+			    ;;
+			T*)
+			    g_confess=Yes
+			    option=${option#T}
+			    ;;
+			D)
+			    if [ $# -gt 1 ]; then
+				g_shorewalldir="$2"
+				option=
+				shift
+			    else
+				fatal_error "ERROR: the -D option requires a directory name"
+			    fi
+			    ;;
 			*)
 			    usage 1
 			    ;;
@@ -1341,6 +1370,10 @@ reload_command() # $* = original arguments less the command.
 			    option=
 			    shift
 			    ;;
+			T*)
+			    g_confess=Yes
+			    option=${option#T}
+			    ;;
 			*)
 			    usage 1
 			    ;;
@@ -1406,7 +1439,7 @@ reload_command() # $* = original arguments less the command.
 	fi

 	. $directory/$g_program.conf
-	
+
 	ensure_config_path
    fi

@@ -1556,7 +1589,7 @@ usage() # $1 = exit status
    fi

    echo "   iptrace <iptables match expression>"
-    echo "   load [ -s ] [ -c ] [ -r <root user> ] [ <directory> ] <system>"
+    echo "   load [ -s ] [ -c ] [ -r <root user> ] [ -T ] [ <directory> ] <system>"
    echo "   logdrop <address> ..."
    echo "   logreject <address> ..."
    echo "   logwatch [<refresh interval>]"
@@ -1567,11 +1600,11 @@ usage() # $1 = exit status
 	echo "   noiptrace <ip6tables match expression>"
    fi

-    echo "   refresh [ <chain>... ]"
+    echo "   refresh [ -d ] [ -n ] [ -T ] [ -D <directory> ] [ <chain>... ]"
    echo "   reject <address> ..."
-    echo "   reload [ -s ] [ -c ] [ -r <root user> ] [ <directory> ] <system>"
+    echo "   reload [ -s ] [ -c ] [ -r <root user> ] [ -T ] [ <directory> ] <system>"
    echo "   reset [ <chain> ... ]"
-    echo "   restart [ -n ] [ -p ] [-d] [ -f ] [ -c ][ <directory> ]"
+    echo "   restart [ -n ] [ -p ] [-d] [ -f ] [ -c ] [ -T ] [ <directory> ]"
    echo "   restore [ -n ] [ <file name> ]"
    echo "   safe-restart [ -t <timeout> ] [ <directory> ]"
    echo "   safe-start [ -t <timeout> ] [ <directory> ]"
@@ -1585,7 +1618,7 @@ usage() # $1 = exit status
    echo "   show dynamic <zone>"
    echo "   show filters"
    echo "   show ip"
-    
+
    if [ $g_family -eq 4 ]; then
 	echo "   show ipa"
    fi
@@ -1599,7 +1632,7 @@ usage() # $1 = exit status
    echo "   show tc [ device ]"
    echo "   show vardir"
    echo "   show zones"
-    echo "   start [ -f ] [ -n ] [ -p ] [ -c ] [ <directory> ]"
+    echo "   start [ -f ] [ -n ] [ -p ] [ -c ] [ -T ] [ <directory> ]"
    echo "   status"
    echo "   stop"
    echo "   try <directory> [ <timeout> ]"
--- a/Shorewall/lib.core
+++ b/Shorewall/lib.core
@@ -176,8 +176,28 @@ interface_is_up() {
 #
 interface_is_usable() # $1 = interface
 {
-    [ "$1" = lo ] && return 0
-    interface_is_up $1 && [ "$(find_first_interface_address_if_any $1)" != :: ] && run_isusable_exit $1
+    local status;
+    status=0
+
+    if [ "$1" != lo ]; then
+	if [ $g_family -eq 4 ]; then
+	    if interface_is_up $1 && [ "$(find_first_interface_address_if_any $1)" != 0.0.0.0 ]; then
+		[ "$COMMAND" = enable ] || run_isusable_exit $1
+		status=$?
+	    else
+		status=1
+	    fi
+	else
+	    if interface_is_up $1 && [ "$(find_first_interface_address_if_any $1)" ]; then
+		[ "$COMMAND" = enable ] || run_isusable_exit $1
+		status=$?
+	    else
+		status=1
+	    fi
+	fi
+    fi
+
+    return $status
 }

 #
@@ -203,7 +223,7 @@ get_routed_networks() # $1 = interface name, $2-n = Fatal error message
    local mask

    [ $g_family -eq 4 ] && mask=32 || mask=128
-    
+

    $IP -$g_family route show dev $1 2> /dev/null |
 	while read address rest; do
@@ -385,7 +405,7 @@ restore_default_route() # $1 = USE_DEFAULT_RT
 	done < ${VARDIR}/default_route

 	replace_default_route $1
-	
+
 	if [ $result = 1 ]; then
 	    #
 	    # We didn't restore a default route with metric 0
@@ -594,6 +614,7 @@ distribute_load() {
    local interface
    local totalload
    local load
+    local mark
    local maxload

    maxload=$1
@@ -605,6 +626,8 @@ distribute_load() {
 	if interface_up $interface; then
 	    load=$(cat ${VARDIR}/${interface}_load)
 	    eval ${interface}_load=$load
+	    mark=$(cat ${VARDIR}/${interface}_mark)
+	    eval ${interface}_mark=$mark
 	    totalload=$( bc <<EOF
 scale=8
 $totalload + $load
@@ -617,7 +640,8 @@ EOF
 	for interface in $@; do
 	    qt $g_tool -t mangle -F ~$interface
 	    eval load=\$${interface}_load
-	
+	    eval mark=\$${interface}_mark
+
 	    if [ -n "$load" ]; then
 		load=$(bc <<EOF
 scale=8
@@ -629,7 +653,7 @@ scale=8
 $totalload - $load
 EOF
 )
-		run_iptables -t mangle -A ~$interface -m statistic --mode random --probability $load
+		run_iptables -t mangle -A ~$interface -m statistic --mode random --probability $load -j MARK --set-mark $mark
 	    fi
 	done
    fi
@@ -888,7 +912,7 @@ add_gateway() # $1 = Delta $2 = Table Number
    local weight
    local delta
    local dev
-    
+
    route=`$IP -4 -o route ls table $2 | grep ^default | sed 's/default //; s/[\]//g'`

    if [ -z "$route" ]; then
@@ -920,7 +944,7 @@ delete_gateway() # $! = Description of the Gateway $2 = table number $3 = device

    route=`$IP -4 -o route ls table $2 | grep ^default | sed 's/[\]//g'`
    gateway=$1
-  
+
    if [ -n "$route" ]; then
 	if echo $route | fgrep -q ' nexthop '; then
 	    gateway="nexthop $gateway"
@@ -1214,7 +1238,7 @@ add_gateway() # $1 = Delta $2 = Table Number
    local weight
    local delta
    local dev
-    
+
    run_ip route add default scope global table $2 $1
 }

@@ -1229,7 +1253,7 @@ delete_gateway() # $! = Description of the Gateway $2 = table number $3 = device

    route=`$IP -6 -o route ls table $2 | grep ^default | sed 's/[\]//g'`
    gateway=$1
-  
+
    dev=$(find_device $route)
    [ "$dev" = "$3" ] && run_ip route delete default table $2
 }
--- a/Shorewall/manpages/shorewall-blrules.xml
+++ b/Shorewall/manpages/shorewall-blrules.xml
@@ -60,7 +60,31 @@

          <variablelist>
            <varlistentry>
-              <term>blacklog</term>
+              <term><emphasis role="bold">BLACKLIST</emphasis></term>
+
+              <listitem>
+                <para>Added in Shorewall 4.5.3. This is actually a macro that
+                expands as follows:</para>
+
+                <itemizedlist>
+                  <listitem>
+                    <para>If BLACKLIST_LOGLEVEL is specified in <ulink
+                    url="shorewall.conf.html">shorewall.conf</ulink>(5), then
+                    the macro expands to <emphasis
+                    role="bold">blacklog</emphasis>.</para>
+                  </listitem>
+
+                  <listitem>
+                    <para>Otherwise it expands to the action specified for
+                    BLACKLIST_DISPOSITION in <ulink
+                    url="shorewall.conf.html">shorewall.conf</ulink>(5).</para>
+                  </listitem>
+                </itemizedlist>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis role="bold">blacklog</emphasis></term>

              <listitem>
                <para>May only be used if BLACKLIST_LOGLEVEL is specified in
--- a/Shorewall/manpages/shorewall-interfaces.xml
+++ b/Shorewall/manpages/shorewall-interfaces.xml
@@ -27,6 +27,34 @@
    interfaces to Shorewall. The order of entries in this file is not
    significant in determining zone composition.</para>

+    <para>Beginning with Shorewall 4.5.3, the interfaces file supports two
+    different formats:</para>
+
+    <variablelist>
+      <varlistentry>
+        <term>FORMAT 1 (default - deprecated)</term>
+
+        <listitem>
+          <para>There is a BROADCAST column which can be used to specify the
+          broadcast address associated with the interface.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>FORMAT 2</term>
+
+        <listitem>
+          <para>The BROADCAST column is omitted.</para>
+        </listitem>
+      </varlistentry>
+    </variablelist>
+
+    <para>The format is specified by a line as follows:</para>
+
+    <blockquote>
+      <para><emphasis role="bold">FORMAT {1|2}</emphasis></para>
+    </blockquote>
+
    <para>The columns in the file are as follows.</para>

    <variablelist>
@@ -128,6 +156,8 @@ loc     eth2            -</programlisting>
        role="bold">detect</emphasis>|<emphasis>address</emphasis>[,<emphasis>address</emphasis>]...}</term>

        <listitem>
+          <para>Only available if FORMAT 1.</para>
+
          <para>If you use the special value <emphasis
          role="bold">detect</emphasis>, Shorewall will detect the broadcast
          address(es) for you if your iptables and kernel include Address Type
@@ -172,7 +202,7 @@ loc     eth2            -</programlisting>
                changed; the value assigned to the setting will be the value
                specified (if any) or 1 if no value is given.</para>

-                <para></para>
+                <para/>

                <note>
                  <para>This option does not work with a wild-card
@@ -206,7 +236,7 @@ loc     eth2            -</programlisting>

                <para>8 - do not reply for all local addresses</para>

-                <para></para>
+                <para/>

                <note>
                  <para>This option does not work with a wild-card
@@ -214,7 +244,7 @@ loc     eth2            -</programlisting>
                  the INTERFACE column.</para>
                </note>

-                <para></para>
+                <para/>

                <warning>
                  <para>Do not specify <emphasis
@@ -355,7 +385,7 @@ loc     eth2            -</programlisting>
        1
        teastep@lists:~$ </programlisting>

-                <para></para>
+                <para/>

                <note>
                  <para>This option does not work with a wild-card
@@ -629,7 +659,7 @@ loc     eth2            -</programlisting>
                changed; the value assigned to the setting will be the value
                specified (if any) or 1 if no value is given.</para>

-                <para></para>
+                <para/>

                <note>
                  <para>This option does not work with a wild-card
@@ -705,11 +735,14 @@ loc     eth2            -</programlisting>
          connected to your local network and that your local subnet is
          192.168.1.0/24. The interface gets its IP address via DHCP from
          subnet 206.191.149.192/27. You have a DMZ with subnet 192.168.2.0/24
-          using eth2.</para>
+          using eth2. Your iptables and/or kernel do not support "Address Type
+          Match" and you prefer to specify broadcast addresses explicitly
+          rather than having Shorewall detect them.</para>

          <para>Your entries for this setup would look like:</para>

-          <programlisting>#ZONE   INTERFACE BROADCAST        OPTIONS
+          <programlisting>FORMAT 1
+#ZONE   INTERFACE BROADCAST        OPTIONS
 net     eth0      206.191.149.223  dhcp
 loc     eth1      192.168.1.255
 dmz     eth2      192.168.2.255</programlisting>
@@ -723,10 +756,11 @@ dmz     eth2      192.168.2.255</programlisting>
          <para>The same configuration without specifying broadcast addresses
          is:</para>

-          <programlisting>#ZONE   INTERFACE BROADCAST        OPTIONS
-net     eth0      detect           dhcp
-loc     eth1      detect
-dmz     eth2      detect</programlisting>
+          <programlisting>FORMAT 2
+#ZONE   INTERFACE OPTIONS
+net     eth0      dhcp
+loc     eth1      
+dmz     eth2</programlisting>
        </listitem>
      </varlistentry>

@@ -737,7 +771,8 @@ dmz     eth2      detect</programlisting>
          <para>You have a simple dial-in system with no ethernet
          connections.</para>

-          <programlisting>#ZONE   INTERFACE BROADCAST        OPTIONS
+          <programlisting>FORMAT 2
+#ZONE   INTERFACE OPTIONS
 net     ppp0      -</programlisting>
        </listitem>
      </varlistentry>
@@ -749,8 +784,9 @@ net     ppp0      -</programlisting>
          <para>You have a bridge with no IP address and you want to allow
          traffic through the bridge.</para>

-          <programlisting>#ZONE   INTERFACE BROADCAST        OPTIONS
-       br0       -                routeback</programlisting>
+          <programlisting>FORMAT 2
+#ZONE   INTERFACE OPTIONS
+-       br0       routeback</programlisting>
        </listitem>
      </varlistentry>
    </variablelist>
@@ -772,10 +808,9 @@ net     ppp0      -</programlisting>
    shorewall-blacklist(5), shorewall-hosts(5), shorewall-maclist(5),
    shorewall-masq(5), shorewall-nat(5), shorewall-netmap(5),
    shorewall-params(5), shorewall-policy(5), shorewall-providers(5),
-    shorewall-proxyarp(5), shorewall-rtrules(5),
-    shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5),
-    shorewall-secmarks(5), shorewall-tcclasses(5), shorewall-tcdevices(5),
-    shorewall-tcrules(5), shorewall-tos(5), shorewall-tunnels(5),
-    shorewall-zones(5)</para>
+    shorewall-proxyarp(5), shorewall-rtrules(5), shorewall-routestopped(5),
+    shorewall-rules(5), shorewall.conf(5), shorewall-secmarks(5),
+    shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall-tcrules(5),
+    shorewall-tos(5), shorewall-tunnels(5), shorewall-zones(5)</para>
  </refsect1>
 </refentry>
--- a/Shorewall/manpages/shorewall-providers.xml
+++ b/Shorewall/manpages/shorewall-providers.xml
@@ -87,8 +87,7 @@
          being zero). Otherwise, the value must be between 1 and 255. Each
          provider must be assigned a unique mark value. This column may be
          omitted if you don't use packet marking to direct connections to a
-          particular provider and you don't specify <option>track</option> in
-          the OPTIONS column.</para>
+          particular provider.</para>
        </listitem>
      </varlistentry>

--- a/Shorewall/manpages/shorewall-rules.xml
+++ b/Shorewall/manpages/shorewall-rules.xml
@@ -1505,7 +1505,7 @@
          SSH connection to the ipset S:</para>

          <programlisting>        #ACTION                       SOURCE           DEST           PROTO       DEST
-        #                                                             PORT(S)        
+        #                                                             PORT(S)
        ADD(+S:dst,src,dst)           net              fw             tcp         22</programlisting>
        </listitem>
      </varlistentry>
--- a/Shorewall/manpages/shorewall-tcfilters.xml
+++ b/Shorewall/manpages/shorewall-tcfilters.xml
@@ -204,7 +204,7 @@
          ALL cannot be used because IPv4 ICMP and IPv6 ICMP are two different
          protocols.</para>

-          <programlisting>       #CLASS    SOURCE    DEST         PROTO   DEST 
+          <programlisting>       #CLASS    SOURCE    DEST         PROTO   DEST
       #                                        PORT

       IPV4
@@ -213,7 +213,7 @@
       1:10      0.0.0.0/0 0.0.0.0/0    icmp    echo-reply

       IPV6
- 
+
       1:10      ::/0      ::/0         icmp6   echo-request
       1:10      ::/0      ::/0         icmp6   echo-reply</programlisting>
        </listitem>
--- a/Shorewall/manpages/shorewall-tcrules.xml
+++ b/Shorewall/manpages/shorewall-tcrules.xml
@@ -407,39 +407,6 @@ SAME              $FW            0.0.0.0/0    tcp        80,443</programlisting>
              classes will have a value &gt; 256.</para>
            </listitem>

-            <listitem>
-              <para><emphasis
-              role="bold">TPROXY</emphasis>(<replaceable>mark</replaceable>[/<replaceable>mask</replaceable>][,[<replaceable>port</replaceable>][,[<replaceable>address</replaceable>]]])</para>
-
-              <para>Transparently redirects a packet without altering the IP
-              header. Requires a local provider to be defined in <ulink
-              url="shorewall-providers.html">shorewall-providers</ulink>(5).</para>
-
-              <para>There are three parameters to TPROXY - only the first
-              (mark) is required:</para>
-
-              <itemizedlist>
-                <listitem>
-                  <para><replaceable>mark</replaceable> - the MARK value
-                  corresponding to the local provider in <ulink
-                  url="shorewall-providers.html">shorewall-providers</ulink>(5).</para>
-                </listitem>
-
-                <listitem>
-                  <para><replaceable>port</replaceable> - the port on which
-                  the proxy server is listening. If omitted, the original
-                  destination port.</para>
-                </listitem>
-
-                <listitem>
-                  <para><replaceable>address</replaceable> - a local (to the
-                  firewall) IP address on which the proxy server is listening.
-                  If omitted, the IP address of the interface on which the
-                  request arrives.</para>
-                </listitem>
-              </itemizedlist>
-            </listitem>
-
            <listitem>
              <para><emphasis role="bold">TTL</emphasis>([<emphasis
              role="bold">-</emphasis>|<emphasis
@@ -569,7 +536,7 @@ Normal-Service       =&gt; 0x00</programlisting>
                  <term>T</term>

                  <listitem>
-                    <para>POSTROUTING chain (default).</para>
+                    <para>POSTROUTING chain.</para>
                  </listitem>
                </varlistentry>
              </variablelist>
--- a/Shorewall/manpages/shorewall-tunnels.xml
+++ b/Shorewall/manpages/shorewall-tunnels.xml
@@ -57,7 +57,7 @@

          <programlisting>        <emphasis role="bold">6to4</emphasis> or <emphasis
              role="bold">6in4</emphasis>  - 6to4 or 6in4 tunnel. The <emphasis
-              role="bold">6in4</emphasis> synonym was added in 4.4.24.        
+              role="bold">6in4</emphasis> synonym was added in 4.4.24.
        <emphasis role="bold">ipsec</emphasis>         - IPv4 IPSEC
        <emphasis role="bold">ipsecnat</emphasis>      - IPv4 IPSEC with NAT Traversal (UDP port 4500 encapsulation)
        <emphasis role="bold">ipip</emphasis>          - IPv4 encapsulated in IPv4 (Protocol 4)
@@ -125,8 +125,9 @@
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">GATEWAY</emphasis> -
-        <emphasis>address-or-range</emphasis></term>
+        <term><emphasis role="bold">GATEWAY</emphasis>S -
+        <emphasis>address-or-range</emphasis> <emphasis role="bold">[ , ...
+        ]</emphasis></term>

        <listitem>
          <para>The IP address of the remote tunnel gateway. If the remote
@@ -134,6 +135,11 @@
          as <emphasis role="bold">0.0.0.0/0</emphasis>. May be specified as a
          network address and if your kernel and iptables include iprange
          match support then IP address ranges are also allowed.</para>
+
+          <para>Beginning with Shorewall 4.5.3, a list of addresses or ranges
+          may be given. Exclusion (<ulink
+          url="shorewall-exclusion.html">shorewall-exclusion</ulink> (5) ) is
+          not supported.</para>
        </listitem>
      </varlistentry>

@@ -148,7 +154,7 @@
          comma-separated list of the names of the zones that the host might
          be in. This column only applies to IPSEC tunnels where it enables
          ISAKMP traffic to flow through the tunnel to the remote
-          gateway.</para>
+          gateway(s).</para>
        </listitem>
      </varlistentry>
    </variablelist>
--- a/Shorewall/manpages/shorewall.conf.xml
+++ b/Shorewall/manpages/shorewall.conf.xml
@@ -96,7 +96,7 @@
        role="bold">none</emphasis>}</term>

        <listitem>
-          <para></para>
+          <para/>
        </listitem>
      </varlistentry>

@@ -106,7 +106,7 @@
        role="bold">none</emphasis>}</term>

        <listitem>
-          <para></para>
+          <para/>
        </listitem>
      </varlistentry>

@@ -116,7 +116,7 @@
        role="bold">none</emphasis>}</term>

        <listitem>
-          <para></para>
+          <para/>
        </listitem>
      </varlistentry>

@@ -126,7 +126,7 @@
        role="bold">none</emphasis>}</term>

        <listitem>
-          <para></para>
+          <para/>
        </listitem>
      </varlistentry>

@@ -482,7 +482,7 @@
          </itemizedlist>

          <blockquote>
-            <para></para>
+            <para/>

            <para>If CONFIG_PATH is not given or if it is set to the empty
            value then the contents of /usr/share/shorewall/configpath are
@@ -814,7 +814,7 @@ net     all  DROP   info</programlisting>then the chain name is 'net2all'
            </varlistentry>
          </variablelist>

-          <para></para>
+          <para/>

          <blockquote>
            <para>If this variable is not set or is given an empty value
@@ -938,6 +938,19 @@ net     all  DROP   info</programlisting>then the chain name is 'net2all'
        </listitem>
      </varlistentry>

+      <varlistentry>
+        <term><emphasis
+        role="bold">LOCKFILE</emphasis>=[<emphasis>pathname</emphasis>]</term>
+
+        <listitem>
+          <para>Specifies the name of the Shorewall lock file, used to prevent
+          simultaneous state-changing commands. If not specified,
+          ${VARDIR}/shorewall/lock is assumed (${VARDIR} is normally /var/lib
+          but can be changed when Shorewall-core is installed -- see the
+          output of <command>shorewall show vardir</command>).</para>
+        </listitem>
+      </varlistentry>
+
      <varlistentry>
        <term><emphasis role="bold">LOG_MARTIANS=</emphasis>[<emphasis
        role="bold">Yes</emphasis>|<emphasis
@@ -1011,7 +1024,7 @@ net     all  DROP   info</programlisting>then the chain name is 'net2all'
            </listitem>
          </itemizedlist>

-          <para></para>
+          <para/>

          <blockquote>
            <para>For example, using the default LOGFORMAT, the log prefix for
@@ -1028,7 +1041,7 @@ net     all  DROP   info</programlisting>then the chain name is 'net2all'
              control your firewall after you enable this option.</para>
            </important>

-            <para></para>
+            <para/>

            <caution>
              <para>Do not use this option if the resulting log messages will
@@ -1664,7 +1677,7 @@ net     all  DROP   info</programlisting>then the chain name is 'net2all'
        role="bold">"</emphasis></term>

        <listitem>
-          <para></para>
+          <para/>
        </listitem>
      </varlistentry>

--- a/Shorewall/manpages/shorewall.xml
+++ b/Shorewall/manpages/shorewall.xml
@@ -283,6 +283,8 @@

      <arg><option>-r</option> <replaceable>root-user-name</replaceable></arg>

+      <arg><option>-T</option></arg>
+
      <arg><replaceable>directory</replaceable></arg>

      <arg choice="plain"><replaceable>system</replaceable></arg>
@@ -349,7 +351,9 @@

      <arg>-<replaceable>options</replaceable></arg>

-      <arg choice="plain"><option>refresh</option><arg
+      <arg
+      choice="plain"><option>refresh</option><arg><option>-n</option></arg><arg><option>-d</option></arg><arg><option>-T</option></arg><arg>-<option>D</option>
+      <replaceable>directory</replaceable> </arg><arg
      rep="repeat"><replaceable>chain</replaceable></arg></arg>
    </cmdsynopsis>

@@ -381,6 +385,8 @@

      <arg><option>-r</option> <replaceable>root-user-name</replaceable></arg>

+      <arg><option>-T</option></arg>
+
      <arg><replaceable>directory</replaceable></arg>

      <arg choice="plain"><replaceable>system</replaceable></arg>
@@ -415,6 +421,8 @@

      <arg><option>-c</option></arg>

+      <arg><option>-T</option></arg>
+
      <arg><replaceable>directory</replaceable></arg>
    </cmdsynopsis>

@@ -599,6 +607,8 @@

      <arg><option>-c</option></arg>

+      <arg><option>-T</option></arg>
+
      <arg><replaceable>directory</replaceable></arg>
    </cmdsynopsis>

@@ -1038,6 +1048,10 @@
          <para>If <option>-r</option> is included, it specifies that the root
          user on <replaceable>system</replaceable> is named
          <replaceable>root-user-name</replaceable> rather than "root".</para>
+
+          <para>The <option>-T</option> option was added in Shorewall 4.5.3
+          and causes a Perl stack trace to be included with each
+          compiler-generated error and warning message.</para>
        </listitem>
      </varlistentry>

@@ -1113,6 +1127,20 @@
          list or until an entry in the list names another table. Built-in
          chains such as FORWARD may not be refreshed.</para>

+          <para>The <option>-n</option> option was added in Shorewall 4.5.3
+          causes Shorewall to avoid updating the routing table(s).</para>
+
+          <para>The <option>-d </option>option was added in Shorewall 4.5.3
+          causes the compiler to run under the Perl debugger.</para>
+
+          <para>The <option>-T</option> option was added in Shorewall 4.5.3
+          and causes a Perl stack trace to be included with each
+          compiler-generated error and warning message.</para>
+
+          <para>The -<option>D</option> option was added in Shorewall 4.5.3
+          and causes Shorewall to look in the given
+          <emphasis>directory</emphasis> first for configuration files.</para>
+
          <para>Example:<programlisting><command>shorewall refresh net2fw nat:net_dnat</command> #Refresh the 'net2loc' chain in the filter table and the 'net_dnat' chain in the nat table</programlisting></para>

          <para>The <emphasis role="bold">refresh</emphasis> command has
@@ -1166,6 +1194,10 @@
          <para>If <option>-r</option> is included, it specifies that the root
          user on <replaceable>system</replaceable> is named
          <replaceable>root-user-name</replaceable> rather than "root".</para>
+
+          <para>The <option>-T</option> option was added in Shorewall 4.5.3
+          and causes a Perl stack trace to be included with each
+          compiler-generated error and warning message.</para>
        </listitem>
      </varlistentry>

@@ -1210,6 +1242,10 @@
          url="shorewall.conf.html">shorewall.conf</ulink>(5). When both
          <option>-f</option> and <option>-c</option>are present, the result
          is determined by the option that appears last.</para>
+
+          <para>The <option>-T</option> option was added in Shorewall 4.5.3
+          and causes a Perl stack trace to be included with each
+          compiler-generated error and warning message.</para>
        </listitem>
      </varlistentry>

@@ -1541,6 +1577,10 @@
          url="shorewall.conf.html">shorewall.conf</ulink>(5). When both
          <option>-f</option> and <option>-c</option>are present, the result
          is determined by the option that appears last.</para>
+
+          <para>The <option>-T</option> option was added in Shorewall 4.5.3
+          and causes a Perl stack trace to be included with each
+          compiler-generated error and warning message.</para>
        </listitem>
      </varlistentry>

--- a/Shorewall/modules
+++ b/Shorewall/modules
@@ -16,24 +16,24 @@
 #
 # Essential Modules
 #
-INCLUDE modules.essential
+?INCLUDE modules.essential
 #
 # Other xtables modules
 #
-INCLUDE modules.xtables
+?INCLUDE modules.xtables
 #
 # Helpers
 #
-INCLUDE helpers
+?INCLUDE helpers
 #
 # Ipset
 #
-INCLUDE modules.ipset
+?INCLUDE modules.ipset
 #
 # Traffic Shaping
 #
-INCLUDE modules.tc
+?INCLUDE modules.tc
 #
 # Extensions
 #
-INCLUDE modules.extensions
+?INCLUDE modules.extensions
--- a/Shorewall/shorewall
+++ b/Shorewall/shorewall
@@ -4,7 +4,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010,2011 - 
+#     (c) 1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010,2011 -
 #         Tom Eastep (teastep@shorewall.net)
 #
 #	Shorewall documentation is available at http://www.shorewall.net
@@ -36,6 +36,7 @@ g_libexec="$LIBEXECDIR"
 g_sharedir="$SHAREDIR"/shorewall
 g_sbindir="$SBINDIR"
 g_perllib="$PERLLIBDIR"
+g_vardir="$VARDIR"
 g_confdir="$CONFDIR"/shorewall
 g_readrc=1

--- a/Shorewall6-lite/Makefile
+++ b/Shorewall6-lite/Makefile
@@ -3,9 +3,9 @@ VARDIR=$(shell /sbin/shorewall6-lite show vardir)
 SHAREDIR=/usr/share/shorewall6-lite
 RESTOREFILE?=.restore

-all: $(VARDIR)/${RESTOREFILE}
+all: $(VARDIR)/$(RESTOREFILE)

-$(VARDIR)/${RESTOREFILE}: $(VARDIR)/firewall
+$(VARDIR)/$(RESTOREFILE): $(VARDIR)/firewall
 	@/sbin/shorewall6-lite -q save >/dev/null; \
 	if \
 	    /sbin/shorewall6-lite -q restart >/dev/null 2>&1; \
--- a/Shorewall6-lite/init.debian.sh
+++ b/Shorewall6-lite/init.debian.sh
@@ -24,7 +24,7 @@ export SHOREWALL_INIT_SCRIPT
 test -x $SRWL || exit 0
 test -x $WAIT_FOR_IFUP || exit 0
 test -n "$INITLOG" || {
-	echo "INITLOG cannot be empty, please configure $0" ; 
+	echo "INITLOG cannot be empty, please configure $0" ;
 	exit 1;
 }

@@ -36,9 +36,9 @@ fi

 echo_notdone () {

-  if [ "$INITLOG" = "/dev/null" ] ; then 
+  if [ "$INITLOG" = "/dev/null" ] ; then
 	  echo "not done."
-  else 
+  else
 	  echo "not done (check $INITLOG)."
  fi

--- a/Shorewall6-lite/init.fedora.sh
+++ b/Shorewall6-lite/init.fedora.sh
@@ -41,10 +41,10 @@ start() {
    echo -n $"Starting Shorewall: "
    $shorewall $OPTIONS start 2>&1 | $logger
    retval=${PIPESTATUS[0]}
-    if [[ $retval == 0 ]]; then 
+    if [[ $retval == 0 ]]; then
 	touch $lockfile
 	success
-    else 
+    else
 	failure
    fi
    echo
@@ -55,10 +55,10 @@ stop() {
    echo -n $"Stopping Shorewall: "
    $shorewall $OPTIONS stop 2>&1 | $logger
    retval=${PIPESTATUS[0]}
-    if [[ $retval == 0 ]]; then 
+    if [[ $retval == 0 ]]; then
 	rm -f $lockfile
 	success
-    else 
+    else
 	failure
    fi
    echo
@@ -71,7 +71,7 @@ restart() {
    echo -n $"Restarting Shorewall: "
    $shorewall $OPTIONS restart 2>&1 | $logger
    retval=${PIPESTATUS[0]}
-    if [[ $retval == 0 ]]; then 
+    if [[ $retval == 0 ]]; then
 	touch $lockfile
 	success
    else # Failed to start, clean up lock file if present
--- a/Shorewall6-lite/shorewall6-lite
+++ b/Shorewall6-lite/shorewall6-lite
@@ -4,7 +4,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010,2011, 2012 - 
+#     (c) 1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010,2011, 2012 -
 #         Tom Eastep (teastep@shorewall.net)
 #
 #	Shorewall documentation is available at http://www.shorewall.net
@@ -35,7 +35,7 @@ g_program=shorewall6-lite
 g_libexec="$LIBEXECDIR"
 g_sharedir="$SHAREDIR"/shorewall6-lite
 g_sbindir="$SBINDIR"
-g_perllib="$PERLLIBDIR"
+g_vardir="$VARDIR"
 g_confdir="$CONFDIR"/shorewall6-lite
 g_readrc=1

--- a/Shorewall6-lite/shorewall6-lite.conf
+++ b/Shorewall6-lite/shorewall6-lite.conf
@@ -1,5 +1,5 @@
 ###############################################################################
-#  /etc/shorewall6-lite/shorewall6-lite.conf Version 4 - Change the following 
+#  /etc/shorewall6-lite/shorewall6-lite.conf Version 4 - Change the following
 #  variables to override the values in the shorewall.conf file used to
 #  compile /var/lib/shorewall-lite/firewall. Those values may be found in
 #  /var/lib/shorewall-lite/firewall.conf.
--- a/Shorewall6/Makefile
+++ b/Shorewall6/Makefile
@@ -3,9 +3,9 @@ VARDIR=$(shell /sbin/shorewall6 show vardir)
 CONFDIR=/etc/shorewall6
 RESTOREFILE?=firewall

-all: $(VARDIR)/${RESTOREFILE}
+all: $(VARDIR)/$(RESTOREFILE)

-$(VARDIR)/${RESTOREFILE}: $(CONFDIR)/*
+$(VARDIR)/$(RESTOREFILE): $(CONFDIR)/*
 	@/sbin/shorewall6 -q save >/dev/null; \
 	if \
 	    /sbin/shorewall6 -q restart >/dev/null 2>&1; \
--- a/Shorewall6/Makefile-lite
+++ b/Shorewall6/Makefile-lite
@@ -23,10 +23,10 @@
 # to the name of the remote firewall corresponding to the directory.
 #
 #	To make the 'firewall' script, type "make".
-# 
+#
 #	Once the script is compiling correctly, you can install it by
 #	typing "make install".
-#  
+#
 ################################################################################
 #                             V A R I A B L E S
 #
@@ -55,7 +55,7 @@ all: firewall
 #
 # Only generate the capabilities file if it doesn't already exist
 #
-capabilities: 
+capabilities:
 	ssh root@$(HOST) "MODULESDIR=$(MODULESDIR) /usr/share/shorewall6-lite/shorecap > $(LITEDIR)/capabilities"
 	scp root@$(HOST):$(LITEDIR)/capabilities .
 #
@@ -78,5 +78,5 @@ save:
 #
 # Remove generated files
 #
-clean: 
+clean:
 	rm -f capabilities firewall firewall.conf reload
--- a/Shorewall6/Samples6/LICENSE
+++ b/Shorewall6/Samples6/LICENSE
@@ -55,7 +55,7 @@ modified by someone else and passed on, the recipients should know
 that what they have is not the original version, so that the original
 author's reputation will not be affected by problems that might be
 introduced by others.
-
+
  Finally, software patents pose a constant threat to the existence of
 any free program.  We wish to make sure that a company cannot
 effectively restrict the users of a free program by obtaining a
@@ -111,7 +111,7 @@ modification follow.  Pay close attention to the difference between a
 "work based on the library" and a "work that uses the library".  The
 former contains code derived from the library, whereas the latter must
 be combined with the library in order to run.
-
+
 		  GNU LESSER GENERAL PUBLIC LICENSE
   TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION

@@ -146,7 +146,7 @@ such a program is covered only if its contents constitute a work based
 on the Library (independent of the use of the Library in a tool for
 writing it).  Whether that is true depends on what the Library does
 and what the program that uses the Library does.
-  
+
  1. You may copy and distribute verbatim copies of the Library's
 complete source code as you receive it, in any medium, provided that
 you conspicuously and appropriately publish on each copy an
@@ -158,7 +158,7 @@ Library.
  You may charge a fee for the physical act of transferring a copy,
 and you may at your option offer warranty protection in exchange for a
 fee.
-
+
  2. You may modify your copy or copies of the Library or any portion
 of it, thus forming a work based on the Library, and copy and
 distribute such modifications or work under the terms of Section 1
@@ -216,7 +216,7 @@ instead of to this License.  (If a newer version than version 2 of the
 ordinary GNU General Public License has appeared, then you can specify
 that version instead if you wish.)  Do not make any other change in
 these notices.
-
+
  Once this change is made in a given copy, it is irreversible for
 that copy, so the ordinary GNU General Public License applies to all
 subsequent copies and derivative works made from that copy.
@@ -267,7 +267,7 @@ Library will still fall under Section 6.)
 distribute the object code for the work under the terms of Section 6.
 Any executables containing that work also fall under Section 6,
 whether or not they are linked directly with the Library itself.
-
+
  6. As an exception to the Sections above, you may also combine or
 link a "work that uses the Library" with the Library to produce a
 work containing portions of the Library, and distribute that work
@@ -329,7 +329,7 @@ restrictions of other proprietary libraries that do not normally
 accompany the operating system.  Such a contradiction means you cannot
 use both them and the Library together in an executable that you
 distribute.
-
+
  7. You may place library facilities that are a work based on the
 Library side-by-side in a single library together with other library
 facilities not covered by this License, and distribute such a combined
@@ -370,7 +370,7 @@ subject to these terms and conditions.  You may not impose any further
 restrictions on the recipients' exercise of the rights granted herein.
 You are not responsible for enforcing compliance by third parties with
 this License.
-
+
  11. If, as a consequence of a court judgment or allegation of patent
 infringement or for any other reason (not limited to patent issues),
 conditions are imposed on you (whether by court order, agreement or
@@ -422,7 +422,7 @@ conditions either of that version or of any later version published by
 the Free Software Foundation.  If the Library does not specify a
 license version number, you may choose any version ever published by
 the Free Software Foundation.
-
+
  14. If you wish to incorporate parts of the Library into other free
 programs whose distribution conditions are incompatible with these,
 write to the author to ask for permission.  For software which is
@@ -456,7 +456,7 @@ SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH
 DAMAGES.

 		     END OF TERMS AND CONDITIONS
-
+
           How to Apply These Terms to Your New Libraries

  If you develop a new library, and you want it to be of the greatest
--- a/Shorewall6/Samples6/Universal/interfaces
+++ b/Shorewall6/Samples6/Universal/interfaces
@@ -7,7 +7,9 @@
 # http://www.shorewall.net/manpages/shorewall-interfaces.html
 #
 ###############################################################################
-#ZONE	INTERFACE	BROADCAST	OPTIONS
-	lo		-		ignore
-net	all		-		dhcp,physical=+,routeback
+FORMAT 2
+###############################################################################
+#ZONE	INTERFACE	OPTIONS
+-	lo		ignore
+net	all		dhcp,physical=+,routeback

--- a/Shorewall6/Samples6/Universal/shorewall6.conf
+++ b/Shorewall6/Samples6/Universal/shorewall6.conf
@@ -60,6 +60,8 @@ IP=

 IPSET=

+LOCKFILE=
+
 MODULESDIR=

 PERL=/usr/bin/perl
--- a/Shorewall6/Samples6/one-interface/interfaces
+++ b/Shorewall6/Samples6/one-interface/interfaces
@@ -11,5 +11,7 @@
 #------------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall6-interfaces"
 ###############################################################################
-#ZONE	INTERFACE	BROADCAST	OPTIONS
-net     eth0            detect          tcpflags
+FORMAT 2
+###############################################################################
+#ZONE	INTERFACE	OPTIONS
+net     eth0            tcpflags
--- a/Shorewall6/Samples6/one-interface/shorewall6.conf
+++ b/Shorewall6/Samples6/one-interface/shorewall6.conf
@@ -60,6 +60,8 @@ IP=

 IPSET=

+LOCKFILE=
+
 MODULESDIR=

 PERL=/usr/bin/perl
--- a/Shorewall6/Samples6/three-interfaces/interfaces
+++ b/Shorewall6/Samples6/three-interfaces/interfaces
@@ -11,7 +11,9 @@
 #------------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall6-interfaces"
 ###############################################################################
-#ZONE	INTERFACE	BROADCAST	OPTIONS
-net     eth0            detect          tcpflags,forward=1
-loc     eth1            detect          tcpflags,forward=1
-dmz     eth2            detect		tcpflags,forward=1
+FORMAT 2
+###############################################################################
+#ZONE	INTERFACE	OPTIONS
+net     eth0            tcpflags,forward=1
+loc     eth1            tcpflags,forward=1
+dmz     eth2            tcpflags,forward=1
--- a/Shorewall6/Samples6/three-interfaces/shorewall6.conf
+++ b/Shorewall6/Samples6/three-interfaces/shorewall6.conf
@@ -60,6 +60,8 @@ IP=

 IPSET=

+LOCKFILE=
+
 MODULESDIR=

 PERL=/usr/bin/perl
--- a/Shorewall6/Samples6/two-interfaces/interfaces
+++ b/Shorewall6/Samples6/two-interfaces/interfaces
@@ -11,6 +11,8 @@
 #------------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall6-interfaces"
 ###############################################################################
-#ZONE	INTERFACE	BROADCAST	OPTIONS
-net     eth0            detect          tcpflags,forward=1
-loc     eth1            detect          tcpflags,forward=1
+FORMAT 2
+###############################################################################
+#ZONE	INTERFACE	OPTIONS
+net     eth0            tcpflags,forward=1
+loc     eth1            tcpflags,forward=1
--- a/Shorewall6/Samples6/two-interfaces/shorewall6.conf
+++ b/Shorewall6/Samples6/two-interfaces/shorewall6.conf
@@ -60,6 +60,8 @@ IP=

 IPSET=

+LOCKFILE=
+
 MODULESDIR=

 PERL=/usr/bin/perl
--- a/Shorewall6/action.A_AllowICMPs
+++ b/Shorewall6/action.A_AllowICMPs
@@ -7,7 +7,7 @@
 #
 ###############################################################################
 #TARGET		SOURCE		DEST	PROTO		DEST
-#							PORT(S)	
+#							PORT(S)
 COMMENT Needed ICMP types (RFC4890)

 A_ACCEPT	-		-	ipv6-icmp	destination-unreachable
--- a/Shorewall6/action.AllowICMPs
+++ b/Shorewall6/action.AllowICMPs
@@ -7,7 +7,7 @@
 #
 ###############################################################################
 #TARGET	SOURCE		DEST	PROTO		DEST
-#						PORT(S)	
+#						PORT(S)

 FORMAT 2
 DEFAULTS ACCEPT
--- a/Shorewall6/action.Broadcast
+++ b/Shorewall6/action.Broadcast
@@ -22,7 +22,7 @@
 #       along with this program; if not, write to the Free Software
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
-#   Broadcast[([<action>|-[,{audit|-}])] 
+#   Broadcast[([<action>|-[,{audit|-}])]
 #
 #       Default action is DROP
 #
@@ -49,7 +49,7 @@ if ( have_capability( 'ADDRTYPE' ) ) {
 	log_rule_limit $level, $chainref, 'dropBcast' , $action, '', $tag, 'add', ' -m addrtype --dst-type BROADCAST ';
 	log_rule_limit $level, $chainref, 'dropBcast' , $action, '', $tag, 'add', ' -m addrtype --dst-type MULTICAST ';
 	log_rule_limit $level, $chainref, 'dropBcast' , $action, '', $tag, 'add', ' -m addrtype --dst-type ANYCAST ';
-    }	
+    }

    add_jump $chainref, $target, 0, '-m addrtype --dst-type BROADCAST ';
    add_jump $chainref, $target, 0, '-m addrtype --dst-type MULTICAST ';
@@ -62,7 +62,7 @@ if ( have_capability( 'ADDRTYPE' ) ) {
    decr_cmd_level $chainref;
    add_commands $chainref, 'done';
 }
-  
+
 log_rule_limit( $level, $chainref, 'Broadcast' , $action, '', $tag, 'add', join( ' ', '-d', IPv6_MULTICAST . ' ' ) )  if $level ne '';
 add_jump $chainref, $target, 0, join( ' ', '-d', IPv6_MULTICAST . ' ' );

--- a/Shorewall6/action.Drop
+++ b/Shorewall6/action.Drop
@@ -33,7 +33,7 @@
 ###############################################################################
 FORMAT 2
 #
-# The following magic provides different defaults for $2 thru $5, when $1 is 
+# The following magic provides different defaults for $2 thru $5, when $1 is
 # 'audit'.
 #
 BEGIN PERL;
@@ -41,7 +41,7 @@ use Shorewall::Config;

 my ( $p1, $p2, $p3 , $p4, $p5 ) = get_action_params( 5 );

-if ( defined $p1 ) { 
+if ( defined $p1 ) {
    if ( $p1 eq 'audit' ) {
 	set_action_param( 2, 'A_REJECT')   unless supplied $p2;
 	set_action_param( 3, 'A_DROP')     unless supplied $p3;
--- a/Shorewall6/action.Reject
+++ b/Shorewall6/action.Reject
@@ -29,7 +29,7 @@
 ###############################################################################
 FORMAT 2
 #
-# The following magic provides different defaults for $2 thru $5, when $1 is 
+# The following magic provides different defaults for $2 thru $5, when $1 is
 # 'audit'.
 #
 BEGIN PERL;
@@ -37,7 +37,7 @@ use Shorewall::Config;

 my ( $p1, $p2, $p3 , $p4, $p5 ) = get_action_params( 5 );

-if ( defined $p1 ) { 
+if ( defined $p1 ) {
    if ( $p1 eq 'audit' ) {
 	set_action_param( 2, 'A_REJECT')  unless supplied $p2;
 	set_action_param( 3, 'A_REJECT')  unless supplied $p3;
--- a/Shorewall6/actions.std
+++ b/Shorewall6/actions.std
@@ -8,7 +8,7 @@
 #
 # Builtin Actions are:
 #
-#    allowBcasts        # Accept multicast and anycast packets 
+#    allowBcasts        # Accept multicast and anycast packets
 #    dropBcasts         # Silently Drop multicast and anycast packets
 #    dropNotSyn		# Silently Drop Non-syn TCP packets
 #    rejNotSyn		# Silently Reject Non-syn TCP packets
--- a/Shorewall6/configfiles/interfaces
+++ b/Shorewall6/configfiles/interfaces
@@ -7,8 +7,6 @@
 # http://www.shorewall.net/manpages6/shorewall6-interfaces.html
 #
 ###############################################################################
-FORMAT 1
-#ZONE	INTERFACE	ANYCAST		OPTIONS
-
 FORMAT 2
+###############################################################################
 #ZONE		INTERFACE		OPTIONS
--- a/Shorewall6/configfiles/restored
+++ b/Shorewall6/configfiles/restored
@@ -4,7 +4,7 @@
 # /etc/shorewall6/restored
 #
 #	Add commands below that you want to be executed after shorewall6 has
-#	completed a 'restore' command. 
+#	completed a 'restore' command.
 #
 # See http://shorewall.net/shorewall_extension_scripts.htm for additional
 # information.
--- a/Shorewall6/configfiles/scfilter
+++ b/Shorewall6/configfiles/scfilter
@@ -4,7 +4,7 @@
 # /etc/shorewall/scfilter
 #
 #	Replace the 'cat' command below to filter the output of
-#       'show connections. 
+#       'show connections.
 #
 # See http://shorewall.net/shorewall_extension_scripts.htm for additional
 # information.
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
Tom Eastep	5c18c6c3d6	Correct configure and configure.pl to output SPARSE Signed-off-by: Tom Eastep <teastep@shorewall.net>	2012-05-15 11:32:35 -07:00
Tom Eastep	860f3bd440	Fix interface_is_usable() Signed-off-by: Tom Eastep <teastep@shorewall.net>	2012-05-15 06:50:49 -07:00
Tom Eastep	a88e0daef3	Improve interface_is_usable() Signed-off-by: Tom Eastep <teastep@shorewall.net>	2012-05-13 13:56:48 -07:00
Tom Eastep	10a189eb26	Don't invoke 'isusable' during 'enable'. - Separate IPv4 and IPv6 as they use different null addresses Signed-off-by: Tom Eastep <teastep@shorewall.net>	2012-05-13 12:29:01 -07:00
Tom Eastep	6639dce30d	Update .status file on disable Signed-off-by: Tom Eastep <teastep@shorewall.net>	2012-05-12 07:45:55 -07:00
Tom Eastep	509ca0698e	Correct add of default IPv6 route when no gateway specified Signed-off-by: Tom Eastep <teastep@shorewall.net>	2012-05-12 07:45:32 -07:00
Tom Eastep	b062014ce4	Clear the 'balance' table if no balanced providers. Signed-off-by: Tom Eastep <teastep@shorewall.net>	2012-05-11 11:28:30 -07:00
Tom Eastep	5b19603c8e	Fix another conditional compilation bug. ?IF $false ?IF $false ... ?ENDIF foo <------- This line is not omitted! ?ENDIF Signed-off-by: Tom Eastep <teastep@shorewall.net>	2012-05-11 07:48:38 -07:00
Tom Eastep	746a363d41	Add some decimal->hex convertions in routing rules. Signed-off-by: Tom Eastep <teastep@shorewall.net>	2012-05-10 11:11:15 -07:00
Tom Eastep	6e5b07c804	Deprecate the current TPROXY implementation. Signed-off-by: Tom Eastep <teastep@shorewall.net>	2012-05-10 11:02:08 -07:00
Tom Eastep	865078f925	Allow Shorewall::Config::in_hex() to accept an argument already expressed in hex. Signed-off-by: Tom Eastep <teastep@shorewall.net>	2012-05-10 07:29:59 -07:00
Tom Eastep	b55d8c04e4	Do logical->physical mapping in rtrules. Signed-off-by: Tom Eastep <teastep@shorewall.net>	2012-05-08 14:52:18 -07:00
Tom Eastep	3b6f5b2d8a	Finish alternative balancing Signed-off-by: Tom Eastep <teastep@shorewall.net>	2012-05-08 13:55:13 -07:00
Tom Eastep	6639b3534e	Close all input files in Shorewall::Config::cleanup() Signed-off-by: Tom Eastep <teastep@shorewall.net>	2012-05-08 08:58:14 -07:00
Tom Eastep	59bf343521	Leave first filename and linenumber on the same line as error text. Signed-off-by: Tom Eastep <teastep@shorewall.net>	2012-05-08 08:55:24 -07:00
Tom Eastep	089d980dae	Document the --shorewallrc parameter to compiler.pl Signed-off-by: Tom Eastep <teastep@shorewall.net>	2012-05-08 07:59:22 -07:00
Tom Eastep	1d6e6b65db	Finish a comment Signed-off-by: Tom Eastep <teastep@shorewall.net>	2012-05-07 17:06:35 -07:00
Tom Eastep	2224fdbc65	Correct help text in compiler.pl Signed-off-by: Tom Eastep <teastep@shorewall.net>	2012-05-07 16:55:51 -07:00
Tom Eastep	fd1d6cf935	Handle default shorewallrc location Signed-off-by: Tom Eastep <teastep@shorewall.net>	2012-05-07 16:55:17 -07:00
Tom Eastep	5d7442e9e9	Correct typo in converted blrules file. Signed-off-by: Tom Eastep <teastep@shorewall.net>	2012-05-07 12:13:26 -07:00
Tom Eastep	ef90006334	Avoid reference to unitialized variable on bogus FORMAT in interfaces Signed-off-by: Tom Eastep <teastep@shorewall.net>	2012-05-07 12:00:21 -07:00
Tom Eastep	2cbf1e86ad	Allow synonyms for column names in alternate specification formats - gateway and gateways in the tunnels file - mark and action in the tcrules file Signed-off-by: Tom Eastep <teastep@shorewall.net>	2012-05-07 11:59:47 -07:00
Tom Eastep	dd8e9ff09d	Fix 'COMMENT' along in the tunnels file. Signed-off-by: Tom Eastep <teastep@shorewall.net>	2012-05-07 11:58:37 -07:00
Tom Eastep	4320150dc4	Add alternate specification in tunnels file ('gateways') - Make similar change in tcrules file with 'action' Signed-off-by: Tom Eastep <teastep@shorewall.net>	2012-05-07 07:43:11 -07:00
Tom Eastep	7453b70666	Add emphasis to the 'required' option in the config basics doc Signed-off-by: Tom Eastep <teastep@shorewall.net>	2012-05-07 07:14:56 -07:00
Tom Eastep	003daec41c	Remove a couple of hard-coded '/usr/share' in Shorewall::Config Signed-off-by: Tom Eastep <teastep@shorewall.net>	2012-05-06 17:30:17 -07:00
Tom Eastep	cb159eba2e	Add RST action. Signed-off-by: Tom Eastep <teastep@shorewall.net>	2012-05-06 12:14:30 -07:00
Tom Eastep	aac00c3cc7	Pop open stack in run_user_exit1 and run_user_exit2 Signed-off-by: Tom Eastep <teastep@shorewall.net>	2012-05-05 10:31:55 -07:00
Tom Eastep	cd35b6a13f	Modify macro.BLACKLIST to use blacklog when appropriate Signed-off-by: Tom Eastep <teastep@shorewall.net>	2012-05-05 08:56:55 -07:00
Tom Eastep	af228806fc	Allow manual changes to be used in macros. Signed-off-by: Tom Eastep <teastep@shorewall.net>	2012-05-05 08:56:26 -07:00
Tom Eastep	69f6aae982	Delete extra copy of macro.BLACKLIST Signed-off-by: Tom Eastep <teastep@shorewall.net>	2012-05-05 08:40:25 -07:00
Tom Eastep	53d66833b2	Document how to avoid dhcp client setting default route Signed-off-by: Tom Eastep <teastep@shorewall.net>	2012-05-04 08:28:06 -07:00
Tom Eastep	1d90ee174c	Cleanup of ERROR/WARNING message enhancement. Signed-off-by: Tom Eastep <teastep@shorewall.net>	2012-05-04 07:01:08 -07:00
Tom Eastep	097ab853db	Apply Tuomo Soini's tunnels patch Signed-off-by: Tom Eastep <teastep@shorewall.net>	2012-05-04 06:18:22 -07:00
Tom Eastep	3e37f47fb5	Print out the include/open stack in WARNING and ERROR messages. Signed-off-by: Tom Eastep <teastep@shorewall.net>	2012-05-03 17:17:55 -07:00
Tom Eastep	bd30d59f3d	Fix annotated interfaces files. Signed-off-by: Tom Eastep <teastep@shorewall.net>	2012-05-03 14:09:49 -07:00
Tom Eastep	e4c4900b32	Add recent changes to a couple of config files. Signed-off-by: Tom Eastep <teastep@shorewall.net>	2012-05-03 12:32:47 -07:00
Tom Eastep	4d23ec2c48	Belatedly document FORMAT-2 interfaces Signed-off-by: Tom Eastep <teastep@shorewall.net>	2012-05-03 10:07:36 -07:00
Tom Eastep	15aa1dae62	Enhancements to the 'refresh' command. Signed-off-by: Tom Eastep <teastep@shorewall.net>	2012-05-02 13:48:18 -07:00
Tom Eastep	894931731b	Merge branch 'master' of ssh://shorewall.git.sourceforge.net/gitroot/shorewall/shorewall	2012-05-02 07:04:30 -07:00
Tom Eastep	3333486c9d	Another change to Debian startup at boot Signed-off-by: Tom Eastep <teastep@shorewall.net>	2012-05-01 10:55:29 -07:00
Tom Eastep	2dd82a9898	Update Multi-ISP documentation Signed-off-by: Tom Eastep <teastep@shorewall.net>	2012-05-01 10:28:12 -07:00
Tom Eastep	45c637ad6b	Fix Debian boot startup (again) Signed-off-by: Tom Eastep <teastep@shorewall.net>	2012-05-01 10:15:39 -07:00
Tom Eastep	731b310359	Use --hashlimit-upto when available. Signed-off-by: Tom Eastep <teastep@shorewall.net>	2012-04-30 13:45:09 -07:00
Tom Eastep	35c08c109e	Fix IPv4 'reset' Signed-off-by: Tom Eastep <teastep@shorewall.net>	2012-04-30 07:54:40 -07:00
Tom Eastep	766771d812	Remove absurd test Signed-off-by: Tom Eastep <teastep@shorewall.net>	2012-04-30 07:48:07 -07:00
Tom Eastep	b9e6349994	Add some comments Signed-off-by: Tom Eastep <teastep@shorewall.net>	2012-04-29 09:07:34 -07:00
Tom Eastep	9efb60c53a	Move init.slackware.firewall.sh to Shorewall-core Signed-off-by: Tom Eastep <teastep@shorewall.net>	2012-04-27 16:15:04 -07:00
Tom Eastep	e0570cc35e	Install fixes for Slackware Signed-off-by: Tom Eastep <teastep@shorewall.net>	2012-04-27 07:16:11 -07:00
Tom Eastep	9612044933	Make products start automatically at boot on Debian and derivatives Signed-off-by: Tom Eastep <teastep@shorewall.net>	2012-04-25 11:49:22 -07:00
Tom Eastep	3a362a7004	Update FAQ 17 Signed-off-by: Tom Eastep <teastep@shorewall.net>	2012-04-25 09:44:24 -07:00
Tom Eastep	c9b4d3d8c8	Add/improve comments. Signed-off-by: Tom Eastep <teastep@shorewall.net>	2012-04-25 09:44:08 -07:00
Tom Eastep	dc63efdbfd	Use ?INCLUDE in modules files. Signed-off-by: Tom Eastep <teastep@shorewall.net>	2012-04-25 07:33:40 -07:00
Tom Eastep	d904a2de86	Search and destroy trailing whitespace Signed-off-by: Tom Eastep <teastep@shorewall.net>	2012-04-24 14:52:57 -07:00
Tom Eastep	f860cd037d	Change a comment in generate_matrix() to acknowledge 'KLUDGEFREE' Signed-off-by: Tom Eastep <teastep@shorewall.net>	2012-04-24 13:34:56 -07:00
Tom Eastep	0f53c3cc7d	Convert all interfaces files to format-2 only Signed-off-by: Tom Eastep <teastep@shorewall.net>	2012-04-24 10:53:09 -07:00
Tom Eastep	3bdf703522	Allow TC experts to SAVE/RESTORE all parts of the packet mark Signed-off-by: Tom Eastep <teastep@shorewall.net>	2012-04-24 09:19:38 -07:00
Tom Eastep	8211c5de35	Add a comment about 'find_tables()' Signed-off-by: Tom Eastep <teastep@shorewall.net>	2012-04-24 09:15:29 -07:00
Tom Eastep	dc85d4a844	Do SHA/SHA1 test if $BUILD = $TEST, independent of $DESTDIR Signed-off-by: Tom Eastep <teastep@shorewall.net>	2012-04-24 08:52:17 -07:00
Tom Eastep	a50bb407aa	Patch from Roberto Signed-off-by: Tom Eastep <teastep@shorewall.net>	2012-04-21 17:51:54 -07:00
Tom Eastep	f40144f6af	Corret tcrules manpages Signed-off-by: Tom Eastep <teastep@shorewall.net>	2012-04-21 09:53:00 -07:00
Tom Eastep	0adbdbb101	Add TCP to macro.Amanda Signed-off-by: Tom Eastep <teastep@shorewall.net>	2012-04-20 09:46:13 -07:00
Tom Eastep	34f5838365	Allow multiple GATEWAYS to be listed in the tunnels file. Signed-off-by: Tom Eastep <teastep@shorewall.net>	2012-04-18 09:28:37 -07:00
Tom Eastep	2b7e5dd9d8	Suppress duplicate option when not KLUDGEFREE Signed-off-by: Tom Eastep <teastep@shorewall.net>	2012-04-17 07:35:37 -07:00
Tom Eastep	44c8ef2ede	Correct ill-advised change to push_matches() Signed-off-by: Tom Eastep <teastep@shorewall.net>	2012-04-17 07:30:17 -07:00
Tom Eastep	52ebca3fe1	Merge branch '4.5.2' Conflicts: Shorewall-core/lib.cli Shorewall/Perl/Shorewall/Config.pm Signed-off-by: Tom Eastep <teastep@shorewall.net>	2012-04-16 13:47:05 -07:00
Tom Eastep	3a967d66cf	Fix configure Signed-off-by: Tom Eastep <teastep@shorewall.net>	2012-04-16 12:57:34 -07:00
Tom Eastep	5a350d1899	More variable synchronization Signed-off-by: Tom Eastep <teastep@shorewall.net>	2012-04-16 11:40:49 -07:00
Tom Eastep	9d219445d9	Make 'show routing work with iproute 20111117 Signed-off-by: Tom Eastep <teastep@shorewall.net>	2012-04-16 11:40:36 -07:00
Tom Eastep	02342d5833	Make 'show routing work with iproute 20111117 Signed-off-by: Tom Eastep <teastep@shorewall.net>	2012-04-16 08:20:21 -07:00
Tom Eastep	805166a354	Ressurect LOCKFILE Signed-off-by: Tom Eastep <teastep@shorewall.net>	2012-04-16 07:21:06 -07:00
Tom Eastep	1462fcd351	Synchronize global settings Signed-off-by: Tom Eastep <teastep@shorewall.net>	2012-04-15 09:43:41 -07:00
Tom Eastep	aaab505006	Improve the debuggability of failed assertions Signed-off-by: Tom Eastep <teastep@shorewall.net>	2012-04-14 17:57:49 -07:00
Tom Eastep	c3e575baf7	Merge branch 'master' of ssh://shorewall.git.sourceforge.net/gitroot/shorewall/shorewall	2012-04-14 15:58:42 -07:00
Tom Eastep	63a2a32b4b	Suppress trailing whitespace. Signed-off-by: Tom Eastep <teastep@shorewall.net>	2012-04-14 13:50:59 -07:00
Tom Eastep	eb7a21030d	Correct Makefiles Signed-off-by: Tom Eastep <teastep@shorewall.net>	2012-04-14 12:03:51 -07:00
Tom Eastep	1bc03123b9	Delete code to modify Makefile Signed-off-by: Tom Eastep <teastep@shorewall.net>	2012-04-14 12:03:08 -07:00
Tom Eastep	e6aabec7ef	Install correct Makefile Signed-off-by: Tom Eastep <teastep@shorewall.net>	2012-04-14 12:03:00 -07:00
Tom Eastep	a32ce5c34a	Correct Makefiles Signed-off-by: Tom Eastep <teastep@shorewall.net>	2012-04-14 12:01:37 -07:00
Tom Eastep	baa1a2983b	Fix redhat PERLLIBDIR. Signed-off-by: Tom Eastep <teastep@shorewall.net>	2012-04-14 11:38:13 -07:00
Tom Eastep	fdc4a84a83	Delete code to modify Makefile Signed-off-by: Tom Eastep <teastep@shorewall.net>	2012-04-14 11:36:08 -07:00
Tom Eastep	d3943ea0fe	Install correct Makefile Signed-off-by: Tom Eastep <teastep@shorewall.net>	2012-04-14 11:17:27 -07:00
Tom Eastep	79b5c38ecb	Handle trailing whitespace in Shorewall::Config::read_a_line1() Signed-off-by: Tom Eastep <teastep@shorewall.net>	2012-04-14 10:14:25 -07:00
Tom Eastep	31752d9ee1	Move macro.BLACKLIST to where it belongs Signed-off-by: Tom Eastep <teastep@shorewall.net>	2012-04-14 08:14:45 -07:00
Tom Eastep	24e2fe4a04	Make options argument to read_a_line manditory Signed-off-by: Tom Eastep <teastep@shorewall.net>	2012-04-14 08:04:28 -07:00
Tom Eastep	2d1a12f016	Correct the output of 'version -a' Signed-off-by: Tom Eastep <teastep@shorewall.net>	2012-04-12 18:56:36 -07:00
Tom Eastep	f88584b916	Merge branch '4.5.2' Conflicts: Shorewall-core/configure.pl Signed-off-by: Tom Eastep <teastep@shorewall.net>	2012-04-12 14:48:56 -07:00
Tom Eastep	4ff93bccf0	Remove blank line in shorewallrc.suse Signed-off-by: Tom Eastep <teastep@shorewall.net>	2012-04-12 06:54:19 -07:00
Tom Eastep	355f8e195c	Fix configure.pl Signed-off-by: Tom Eastep <teastep@shorewall.net>	2012-04-12 06:53:58 -07:00
Tom Eastep	439fe77d1c	Merge branch '4.5.2' Signed-off-by: Tom Eastep <teastep@shorewall.net>	2012-04-12 06:26:56 -07:00
Tom Eastep	6b980d6e6a	Merge branch '4.5.2'	2012-04-11 15:41:48 -07:00
Tom Eastep	59d1a57f06	Add the -T option to the load, reload, restart and start commands. Signed-off-by: Tom Eastep <teastep@shorewall.net>	2012-04-11 14:28:44 -07:00
Tom Eastep	42950e53cd	Use logical add rather than arithmetic add for uniformity Signed-off-by: Tom Eastep <teastep@shorewall.net>	2012-04-11 14:28:09 -07:00
Tom Eastep	ae9f538ef8	Simplify an assertion Signed-off-by: Tom Eastep <teastep@shorewall.net>	2012-04-11 14:27:48 -07:00
Tom Eastep	e880d2fd84	Remove some whitespace Signed-off-by: Tom Eastep <teastep@shorewall.net>	2012-04-11 08:03:02 -07:00
Tom Eastep	6404c57cf8	Clean up configure.pl - Remove blank lines at the end - Simply the handling of vendor Signed-off-by: Tom Eastep <teastep@shorewall.net>	2012-04-11 08:01:49 -07:00
Tom Eastep	e791a63671	Merge branch '4.5.2' Signed-off-by: Tom Eastep <teastep@shorewall.net>	2012-04-11 07:13:40 -07:00
Tom Eastep	07ff3f294d	Fix INCLUDE inside an ?IF ... ?ENDIF Signed-off-by: Tom Eastep <teastep@shorewall.net>	2012-04-10 17:27:23 -07:00
Tom Eastep	6ba69c9540	Eliminate read_a_line1() Signed-off-by: Tom Eastep <teastep@shorewall.net>	2012-04-10 17:01:38 -07:00
Tom Eastep	5ee554708c	Control the proliferation of arguments to read_a_line() by using a bit-mapped single argument. Signed-off-by: Tom Eastep <teastep@shorewall.net>	2012-04-10 13:51:25 -07:00