Revert 83a8c7eda3

Signed-off-by: Tom Eastep <teastep@shorewall.net>
Additional simplification of evaluate_expression()
2012-07-09 10:58:15 -07:00 · 2012-07-08 07:48:27 -07:00 · 2012-07-08 07:36:15 -07:00 · 2012-07-07 09:47:10 -07:00 · 2012-07-07 08:02:57 -07:00 · 2012-07-07 07:55:17 -07:00
167 changed files with 6733 additions and 3037 deletions
--- a/Shorewall-core/configure
+++ b/Shorewall-core/configure
@@ -81,9 +81,6 @@ for p in $@; do
 		DATADIR)
 		    pn=SHAREDIR
 		    ;;
 		SYSCONFDIR)
 		    pn=CONFDIR
 		    ;;
 	    esac
 	    params[${pn}]="${pv}"
@@ -132,7 +129,7 @@ if [ -z "$vendor" ]; then
    vendor=${params[HOST]}
 elif [ $vendor = linux ]; then
-    rcfile=$shorewallrc.default;
+    rcfile=shorewallrc.default;
 else
    rcfile=shorewallrc.$vendor
    if [ ! -f $rcfile ]; then
@@ -159,7 +156,7 @@ echo '#'                                                                 > shore
 echo "# Created by Shorewall Core version $VERSION configure - " `date` >> shorewallrc
 echo '#'                                                                >> shorewallrc
-if [ -n "$@" ]; then
+if [ $# -gt 0 ]; then
    echo "# Input: $@" >> shorewallrc
    echo '#'           >> shorewallrc
 fi
@@ -181,6 +178,7 @@ for on in \
    SYSTEMD \
    SYSCONFFILE \
    SYSCONFDIR \
    SPARSE \
    ANNOTATED \
    VARDIR
 do
--- a/Shorewall-core/configure.pl
+++ b/Shorewall-core/configure.pl
@@ -39,8 +39,7 @@ my %options;
 my %aliases = ( VENDOR         => 'HOST',
 		SHAREDSTATEDIR => 'VARDIR',
-		DATADIR        => 'SHAREDIR',
+		DATADIR        => 'SHAREDIR' );
 		SYSCONFDIR     => 'CONFDIR' );
 for ( @ARGV ) {
    die "ERROR: Invalid option specification ( $_ )" unless /^(?:--)?(\w+)=(.*)$/;
@@ -140,6 +139,7 @@ for ( qw/ HOST
 	  SYSTEMD
 	  SYSCONFFILE
 	  SYSCONFDIR
 	  SPARSE
 	  ANNOTATED
 	  VARDIR / ) {
--- a/Shorewall-core/init.slackware.firewall.sh
+++ b/Shorewall-core/init.slackware.firewall.sh
--- a/Shorewall-core/install.sh
+++ b/Shorewall-core/install.sh
@@ -307,6 +307,16 @@ chmod 755 ${DESTDIR}${SBINDIR}
 mkdir -p ${DESTDIR}${MANDIR}
 chmod 755 ${DESTDIR}${MANDIR}
 if [ -n "${INITFILE}" ]; then
    mkdir -p ${DESTDIR}${INITDIR}
    chmod 755 ${DESTDIR}${INITDIR}
    if [ -n "$AUXINITSOURCE" -a -f "$AUXINITSOURCE" ]; then
 	install_file $AUXINITSOURCE ${DESTDIR}${INITDIR}/$AUXINITFILE 0544
 	[ "${SHAREDIR}" = /usr/share ] || eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${INITDIR}/$AUXINITFILE
 	echo  "$Product script installed in ${DESTDIR}${INITDIR}/$AUXINITFILE"
    fi
 fi
 #
 # Note: ${VARDIR} is created at run-time since it has always been
 #       a relocatable directory on a per-product basis
--- a/Shorewall-core/lib.base
+++ b/Shorewall-core/lib.base
@@ -28,7 +28,7 @@
 #
 SHOREWALL_LIBVERSION=40502
-SHOREWALL_CAPVERSION=40502
+SHOREWALL_CAPVERSION=40504
 [ -n "${g_program:=shorewall}" ]
@@ -41,6 +41,7 @@ if [ -z "$g_readrc" ]; then
    g_libexec="$LIBEXECDIR"
    g_sharedir="$SHAREDIR"/$g_program
    g_sbindir="$SBINDIR"
    g_perllib="$PERLLIBDIR"
    g_vardir="$VARDIR"
    g_confdir="$CONFDIR"/$g_program
    g_readrc=1
@@ -129,71 +130,6 @@ combine_list()
    echo $o
 }
 #
 # Call this function to assert mutual exclusion with Shorewall. If you invoke the
 # /sbin/shorewall program while holding mutual exclusion, you should pass "nolock" as
 # the first argument. Example "shorewall nolock refresh"
 #
 # This function uses the lockfile utility from procmail if it exists.
 # Otherwise, it uses a somewhat race-prone algorithm to attempt to simulate the
 # behavior of lockfile.
 #
 mutex_on()
 {
    local try
    try=0
    local lockf
    lockf=${LOCKFILE:=${VARDIR}/lock}
    local lockpid
    MUTEX_TIMEOUT=${MUTEX_TIMEOUT:-60}
    if [ $MUTEX_TIMEOUT -gt 0 ]; then
 	[ -d ${VARDIR} ] || mkdir -p ${VARDIR}
 	if [ -f $lockf ]; then
 	    lockpid=`cat ${lockf} 2> /dev/null`
 	    if [ -z "$lockpid" -o $lockpid = 0 ]; then
 		rm -f ${lockf}
 		error_message "WARNING: Stale lockfile ${lockf} removed"
 	    elif ! qt ps p ${lockpid}; then
 		rm -f ${lockf}
 		error_message "WARNING: Stale lockfile ${lockf} from pid ${lockpid} removed"
 	    fi
 	fi
 	if qt mywhich lockfile; then
 	    lockfile -${MUTEX_TIMEOUT} -r1 ${lockf}
 	    chmod u+w ${lockf}
 	    echo $$ > ${lockf}
 	    chmod u-w ${lockf}
 	else
 	    while [ -f ${lockf} -a ${try} -lt ${MUTEX_TIMEOUT} ] ; do
 		sleep 1
 		try=$((${try} + 1))
 	    done
 	    if  [ ${try} -lt ${MUTEX_TIMEOUT} ] ; then
 	        # Create the lockfile
 		echo $$ > ${lockf}
 	    else
 		echo "Giving up on lock file ${lockf}" >&2
 	    fi
 	fi
    fi
 }
 #
 # Call this function to release mutual exclusion
 #
 mutex_off()
 {
    rm -f ${LOCKFILE:=${VARDIR}/lock}
 }
 [ -z "$LEFTSHIFT" ] && . ${g_basedir}/lib.common
 #
 # Validate an IP address
 #
@@ -322,6 +258,8 @@ ip_range_explicit() {
    done
 }
 [ -z "$LEFTSHIFT" ] && . ${g_basedir}/lib.common
 #
 # Netmask to VLSM
 #
--- a/Shorewall-core/lib.cli
+++ b/Shorewall-core/lib.cli
@@ -31,9 +31,11 @@ if [ -z "$g_readrc" ]; then
    . /usr/share/shorewall/shorewallrc
    g_libexec="$LIBEXECDIR"
    g_sbindir="$SBINDIR"
    g_confdir="$CONFDIR"/$g_program
    g_sharedir="$SHAREDIR"/$g_program
    g_sbindir="$SBINDIR"
    g_perllib="$PERLLIBDIR"
    g_vardir="$VARDIR"
    g_confdir="$CONFDIR"/$g_program
    g_readrc=1
 fi
@@ -454,16 +456,28 @@ sort_routes() {
    done | sort -r | while read dest rest; do echo $rest; done
 }
 #
 # Isolate the table in the routing rules being read from stdin.
 # Piping through sed to remove trailing whitespace works around
 # recent 'features' in dash and ip.
 #
 find_tables() {
    sed -r 's/[[:space:]]+$//' | while read rule; do
 	echo ${rule##* }
    done
 }
 #
 # Show routing configuration
 #
 show_routing() {
    local rule
    local table
    if [ -n "$(ip -$g_family rule list)" ]; then
 	heading "Routing Rules"
 	ip -$g_family rule list
-	ip -$g_family rule list | while read rule; do
+	ip -$g_family rule list | find_tables | sort -u | while read table; do
 	    echo ${rule##* }
 	done | sort -u | while read table; do
 	    heading "Table $table:"
 	    if [ $g_family -eq 6 ]; then
 		ip -$g_family -o route list table $table | fgrep -v cache
@@ -1980,6 +1994,7 @@ determine_capabilities() {
    IMQ_TARGET=
    DSCP_MATCH=
    DSCP_TARGET=
    GEOIP_MATCH=
    chain=fooX$$
@@ -2188,6 +2203,7 @@ determine_capabilities() {
    qt $g_tool -A $chain -j NFLOG && NFLOG_TARGET=Yes
    qt $g_tool -A $chain -j MARK --set-mark 5 && MARK_ANYWHERE=Yes
    qt $g_tool -A $chain -m statistic --mode nth --every 2 --packet 1 && STATISTIC_MATCH=Yes
    qt $g_tool -A $chain -m geoip --src-cc US && GEOIP_MATCH=Yes
    if [ $g_family -eq 4 ]; then
 	qt $g_tool -A $chain -j ACCOUNT --addr 192.168.1.0/29 --tname $chain && ACCOUNT_TARGET=Yes
@@ -2302,6 +2318,7 @@ report_capabilities() {
 	report_capability "IMQ Target (IMQ_TARGET)" $IMQ_TARGET
 	report_capability "DSCP Match (DSCP_MATCH)" $DSCP_MATCH
 	report_capability "DSCP Target (DSCP_TARGET)" $DSCP_TARGET
 	report_capability "Geo IP match" $GEOIP_MATCH
 	if [ $g_family -eq 4 ]; then
 	    report_capability "iptables -S (IPTABLES_S)" $IPTABLES_S
@@ -2392,6 +2409,7 @@ report_capabilities1() {
    report_capability1 IMQ_TARGET
    report_capability1 DSCP_MATCH
    report_capability1 DSCP_TARGET
    report_capability1 GEOIP_MATCH
    echo CAPVERSION=$SHOREWALL_CAPVERSION
    echo KERNELVERSION=$KERNELVERSION
--- a/Shorewall-core/lib.common
+++ b/Shorewall-core/lib.common
@@ -717,3 +717,69 @@ truncate() # $1 = length
 {
    cut -b -${1}
 }
 #
 # Call this function to assert mutual exclusion with Shorewall. If you invoke the
 # /sbin/shorewall program while holding mutual exclusion, you should pass "nolock" as
 # the first argument. Example "shorewall nolock refresh"
 #
 # This function uses the lockfile utility from procmail if it exists.
 # Otherwise, it uses a somewhat race-prone algorithm to attempt to simulate the
 # behavior of lockfile.
 #
 mutex_on()
 {
    local try
    try=0
    local lockf
    lockf=${LOCKFILE:=${VARDIR}/lock}
    local lockpid
    MUTEX_TIMEOUT=${MUTEX_TIMEOUT:-60}
    if [ $MUTEX_TIMEOUT -gt 0 ]; then
 	[ -d ${VARDIR} ] || mkdir -p ${VARDIR}
 	if [ -f $lockf ]; then
 	    lockpid=`cat ${lockf} 2> /dev/null`
 	    if [ -z "$lockpid" -o $lockpid = 0 ]; then
 		rm -f ${lockf}
 		error_message "WARNING: Stale lockfile ${lockf} removed"
 	    elif [ $lockpid -eq $$ ]; then
                return 0
 	    elif ! qt ps p ${lockpid}; then
 		rm -f ${lockf}
 		error_message "WARNING: Stale lockfile ${lockf} from pid ${lockpid} removed"
 	    fi
 	fi
 	if qt mywhich lockfile; then
 	    lockfile -${MUTEX_TIMEOUT} -r1 ${lockf}
 	    chmod u+w ${lockf}
 	    echo $$ > ${lockf}
 	    chmod u-w ${lockf}
 	else
 	    while [ -f ${lockf} -a ${try} -lt ${MUTEX_TIMEOUT} ] ; do
 		sleep 1
 		try=$((${try} + 1))
 	    done
 	    if  [ ${try} -lt ${MUTEX_TIMEOUT} ] ; then
 	        # Create the lockfile
 		echo $$ > ${lockf}
 	    else
 		echo "Giving up on lock file ${lockf}" >&2
 	    fi
 	fi
    fi
 }
 #
 # Call this function to release mutual exclusion
 #
 mutex_off()
 {
    rm -f ${LOCKFILE:=${VARDIR}/lock}
 }
--- a/Shorewall-core/shorewallrc.debian
+++ b/Shorewall-core/shorewallrc.debian
@@ -9,7 +9,7 @@ LIBEXECDIR=${PREFIX}/share              #Directory for executable scripts.
 PERLLIBDIR=${PREFIX}/share/shorewall    #Directory to install Shorewall Perl module directory
 CONFDIR=/etc                            #Directory where subsystem configurations are installed
 SBINDIR=/sbin                           #Directory where system administration programs are installed
-MANDIR=${PREFIX}/man                    #Directory where manpages are installed.
+MANDIR=${PREFIX}/share/man              #Directory where manpages are installed.
 INITDIR=/etc/init.d                     #Directory where SysV init scripts are installed.
 INITFILE=$PRODUCT                       #Name of the product's installed SysV init script
 INITSOURCE=init.debian.sh               #Name of the distributed file to be installed as the SysV init script
--- a/Shorewall-core/shorewallrc.redhat
+++ b/Shorewall-core/shorewallrc.redhat
@@ -6,7 +6,7 @@ HOST=redhat
 PREFIX=/usr                             #Top-level directory for shared files, libraries, etc.
 SHAREDIR=${PREFIX}/share                #Directory for arch-neutral files.
 LIBEXECDIR=${PREFIX}/libexec            #Directory for executable scripts.
-PERLLIBDIR=/usr/share/perl5             #Directory to install Shorewall Perl module directory
+PERLLIBDIR=/usr/share/perl5/vendor_perl #Directory to install Shorewall Perl module directory
 CONFDIR=/etc                            #Directory where subsystem configurations are installed
 SBINDIR=/sbin                           #Directory where system administration programs are installed
 MANDIR=${SHAREDIR}/man                  #Directory where manpages are installed.
--- a/Shorewall-core/shorewallrc.slackware
+++ b/Shorewall-core/shorewallrc.slackware
@@ -11,10 +11,10 @@ CONFDIR=/etc                               #Directory where subsystem configurat
 SBINDIR=/sbin                              #Directory where system administration programs are installed
 MANDIR=${PREFIX}/man                       #Directory where manpages are installed.
 INITDIR=/etc/rc.d                          #Directory where SysV init scripts are installed.
-INITSOURCE=init.slackware.firewall         #Name of the distributed file to be installed as the SysV init script
+AUXINITSOURCE=init.slackware.firewall.sh   #Name of the distributed file to be installed as the SysV init script
-INITFILE=rc.firewall                       #Name of the product's installed SysV init script
+AUXINITFILE=rc.firewall                    #Name of the product's installed SysV init script
-AUXINITSOURCE=init.slackware.$PRODUCT      #Name of the distributed file to be installed as a second SysV init script
+INITSOURCE=init.slackware.$PRODUCT.sh      #Name of the distributed file to be installed as a second SysV init script
-AUXINITFILE=rc.$PRODUCT                    #Name of the product's installed second init script
+INITFILE=rc.$PRODUCT                       #Name of the product's installed second init script
 SYSTEMD=                                   #Name of the directory where .service files are installed (systems running systemd only)
 SYSCONFFILE=                               #Name of the distributed file to be installed in $SYSCONFDIR
 SYSCONFDIR=                                #Name of the directory where SysV init parameter files are installed.
--- a/Shorewall-init/ifupdown.sh
+++ b/Shorewall-init/ifupdown.sh
@@ -106,15 +106,11 @@ if [ -f /etc/debian_version ]; then
 	    else
 		exit 0
 	    fi
 	    case "$PHASE" in
 		pre-*)
 		    exit 0
 		    ;;
 	    esac
 	    ;;
    esac
 elif [ -f /etc/SuSE-release ]; then
    PHASE=''
    case $0 in
 	/etc/ppp*)
 	    #
@@ -146,6 +142,8 @@ else
    #
    # Assume RedHat/Fedora/CentOS/Foobar/...
    #
    PHASE=''
    case $0 in
 	/etc/ppp*)
 	    INTERFACE="$1"
@@ -186,20 +184,12 @@ else
    esac
 fi
 [ -n "$LOGFILE" ] || LOGFILE=/dev/null
 for PRODUCT in $PRODUCTS; do
    #
    # For backward compatibility, lib.base appends the product name to VARDIR
    # Save it here and restore it below
    #
    save_vardir=${VARDIR}
    if [ -x $VARDIR/$PRODUCT/firewall ]; then
-	  ( . ${SHAREDIR}/shorewall/lib.base
+	  ( ${VARDIR}/$PRODUCT/firewall -V0 $COMMAND $INTERFACE >> $LOGFILE 2>&1 ) || true
 	    mutex_on
 	    ${VARDIR}/firewall -V0 $COMMAND $INTERFACE || echo_notdone
 	    mutex_off
 	  )
    fi
    VARDIR=${save_vardir}
 done
 exit 0
--- a/Shorewall-init/install.sh
+++ b/Shorewall-init/install.sh
@@ -260,6 +260,11 @@ else
    first_install="Yes"
 fi
 if [ -n "$DESTDIR" ]; then
    mkdir -p ${DESTDIR}${CONFDIR}/logrotate.d
    chmod 755 ${DESTDIR}${CONFDIR}/logrotate.d
 fi
 #
 # Install the Firewall Script
 #
@@ -295,6 +300,14 @@ fi
 mkdir -p ${DESTDIR}/usr/share/shorewall-init
 chmod 755 ${DESTDIR}/usr/share/shorewall-init
 #
 # Install logrotate file
 #
 if [ -d ${DESTDIR}${CONFDIR}/logrotate.d ]; then
    run_install $OWNERSHIP -m 0644 logrotate ${DESTDIR}${CONFDIR}/logrotate.d/$PRODUCT
    echo "Logrotate file installed as ${DESTDIR}${CONFDIR}/logrotate.d/$PRODUCT"
 fi
 #
 # Create the version file
 #
@@ -312,7 +325,7 @@ fi
 if [ $HOST = debian ]; then
    if [ -n "${DESTDIR}" ]; then
 	mkdir -p ${DESTDIR}/etc/network/if-up.d/
-	mkdir -p ${DESTDIR}/etc/network/if-post-down.d/
+	mkdir -p ${DESTDIR}/etc/network/if-down.d/
    fi
    if [ ! -f ${DESTDIR}/etc/default/shorewall-init ]; then
@@ -347,7 +360,7 @@ fi
 cp ifupdown.sh ifupdown
-d[ "${SHAREDIR}" = /usr/share ] || eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ifupdown
+[ "${SHAREDIR}" = /usr/share ] || eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ifupdown
 mkdir -p ${DESTDIR}${LIBEXECDIR}/shorewall-init
@@ -360,6 +373,7 @@ fi
 case $HOST in
    debian)
 	install_file ifupdown ${DESTDIR}/etc/network/if-up.d/shorewall 0544
 	install_file ifupdown ${DESTDIR}/etc/network/if-down.d/shorewall 0544
 	install_file ifupdown ${DESTDIR}/etc/network/if-post-down.d/shorewall 0544
 	;;
    suse)
@@ -382,7 +396,7 @@ if [ -z "$DESTDIR" ]; then
    if [ -n "$first_install" ]; then
 	if [ $HOST = debian ]; then
-	    update-rc.d shorewall-init defaults
+	    update-rc.d shorewall-init enable
 	    echo "Shorewall Init will start automatically at boot"
 	else
--- a/Shorewall-init/logrotate
+++ b/Shorewall-init/logrotate
@@ -0,0 +1,5 @@
 /var/log/shorewall-ifupdown.log {
  missingok
  notifempty
  create 0600 root root
 }
--- a/Shorewall-init/sysconfig
+++ b/Shorewall-init/sysconfig
@@ -16,3 +16,8 @@ IFUPDOWN=0
 # during 'start' and will save them there during 'stop'.
 #
 SAVE_IPSETS=""
 #
 # Where Up/Down events get logged
 #
 LOGFILE=/var/log/shorewall-ifupdown.log
--- a/Shorewall-lite/Makefile
+++ b/Shorewall-lite/Makefile
@@ -3,9 +3,9 @@ VARDIR=$(shell /sbin/shorewall-lite show vardir)
 SHAREDIR=/usr/share/shorewall-lite
 RESTOREFILE?=.restore
-all: $(VARDIR)/${RESTOREFILE}
+all: $(VARDIR)/$(RESTOREFILE)
-$(VARDIR)/${RESTOREFILE}: $(VARDIR)/firewall
+$(VARDIR)/$(RESTOREFILE): $(VARDIR)/firewall
 	@/sbin/shorewall-lite -q save >/dev/null; \
 	if \
 	    /sbin/shorewall-lite -q restart >/dev/null 2>&1; \
--- a/Shorewall-lite/install.sh
+++ b/Shorewall-lite/install.sh
@@ -403,6 +403,7 @@ echo "Common functions linked through ${DESTDIR}${SHAREDIR}/$PRODUCT/functions"
 #
 install_file shorecap ${DESTDIR}${LIBEXECDIR}/$PRODUCT/shorecap 0755
 [ $SHAREDIR = /usr/share ] || eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}/${LIBEXECDIR}/$PRODUCT/shorecap
 echo
 echo "Capability file builder installed in ${DESTDIR}${LIBEXECDIR}/$PRODUCT/shorecap"
@@ -496,6 +497,7 @@ if [ -z "$DESTDIR" -a -n "$first_install" -a -z "${cygwin}${mac}" ]; then
 	echo "Set startup=1 in ${SYSCONFDIR}/$PRODUCT to enable"
 	touch /var/log/$PRODUCT-init.log
 	perl -p -w -i -e 's/^STARTUP_ENABLED=No/STARTUP_ENABLED=Yes/;s/^IP_FORWARDING=On/IP_FORWARDING=Keep/;s/^SUBSYSLOCK=.*/SUBSYSLOCK=/;' ${CONFDIR}/${PRODUCT}/${PRODUCT}.conf
 	update-rc.d $PRODUCT enable defaults
    elif [ -n "$SYSTEMD" ]; then
 	if systemctl enable $PRODUCT; then
 	    echo "$Product will start automatically at boot"
--- a/Shorewall-lite/shorecap
+++ b/Shorewall-lite/shorecap
@@ -45,17 +45,22 @@
 #    used during firewall compilation, then the generated firewall program will likewise not
 #    require Shorewall to be installed.
 SHAREDIR=/usr/share/shorewall-lite
 VARDIR=/var/lib/shorewall-lite
 CONFDIR=/etc/shorewall-lite
 g_program=shorewall-lite
 g_product="Shorewall Lite"
 g_family=4
 g_base=shorewall
 g_basedir=/usr/share/shorewall-lite
-. /usr/share/shorewall-lite/lib.base
+g_program=shorewall-lite
-. /usr/share/shorewall/lib.cli
+
 #
 # This is modified by the installer when ${SHAREDIR} != /usr/share
 #
 . /usr/share/shorewall/shorewallrc
 g_libexec="$LIBEXECDIR"
 g_sharedir="$SHAREDIR"/shorewall-lite
 g_sbindir="$SBINDIR"
 g_vardir="$VARDIR"
 g_confdir="$CONFDIR"/shorewall-lite
 g_readrc=1
 . ${SHAREDIR}/shorewall/lib.cli
 . /usr/share/shorewall-lite/configpath
 [ -n "$PATH" ] || PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
--- a/Shorewall-lite/shorewall-lite
+++ b/Shorewall-lite/shorewall-lite
@@ -35,6 +35,7 @@ g_program=shorewall-lite
 g_libexec="$LIBEXECDIR"
 g_sharedir="$SHAREDIR"/shorewall-lite
 g_sbindir="$SBINDIR"
 g_vardir="$VARDIR"
 g_confdir="$CONFDIR"/shorewall-lite
 g_readrc=1
--- a/Shorewall/Macros/macro.Amanda
+++ b/Shorewall/Macros/macro.Amanda
@@ -11,6 +11,7 @@
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
 #				PORT(S)	PORT(S)	LIMIT	GROUP
 PARAM	-	-	udp	10080
 PARAM	-	-	tcp	10080
 #
 # You may also need this rule.  With AMANDA 2.4.4 on Linux kernel 2.6,
 # it should not be necessary to use this.  The ip_conntrack_amanda
--- a/Shorewall/Macros/macro.BLACKLIST
+++ b/Shorewall/Macros/macro.BLACKLIST
@@ -8,4 +8,8 @@
 ###############################################################################
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
 #				PORT(S)	PORT(S)	LIMIT	GROUP
-$BLACKLIST_DISPOSITION:$BLACKLIST_LOGLEVEL
+?IF $BLACKLIST_LOGLEVEL
 blacklog
 ?ELSE
 $BLACKLIST_DISPOSITION
 ?ENDIF
--- a/Shorewall/Macros/macro.MSSQL
+++ b/Shorewall/Macros/macro.MSSQL
@@ -0,0 +1,11 @@
 #
 # Shorewall version 4 - MSSQL Macro
 #
 # /usr/share/shorewall/macro.MSSQL
 #
 #	This macro handles MSSQL (Microsoft SQL Server)
 #
 ###############################################################################
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
 #				PORT(S)	PORT(S)	LIMIT	GROUP
 PARAM	-	-	tcp	1433
--- a/Shorewall/Macros/macro.mDNS
+++ b/Shorewall/Macros/macro.mDNS
@@ -1,9 +1,11 @@
 #
-# Shorewall version 4 - Multicast DNS Macro
+# Shorewall version 4 - Multicast DNS Macro -- this macro assumes that only
 #                       the DEST zone sends mDNS queries. If both zones send
 #                       queries, use the mDNSbi macro.
 #
 # /usr/share/shorewall/macro.mDNS
 #
-#	This macro handles multicast DNS traffic.
+#	This macro handles multicast DNS traffic
 #
 ###############################################################################
 #ACTION	SOURCE	DEST			PROTO	DEST	SOURCE	RATE	USER/
--- a/Shorewall/Macros/macro.mDNSbi
+++ b/Shorewall/Macros/macro.mDNSbi
@@ -0,0 +1,16 @@
 #
 # Shorewall version 4 - Bi-directional Multicast DNS Macro.
 #
 # /usr/share/shorewall/macro.mDNSbi
 #
 #	This macro handles multicast DNS traffic
 #
 ###############################################################################
 #ACTION	SOURCE	DEST			PROTO	DEST	SOURCE	RATE	USER/
 #						PORT(S)	PORT(S)	LIMIT	GROUP
 PARAM	-	224.0.0.251		udp	5353
 PARAM	-	-			udp	32768:	5353
 PARAM	-	224.0.0.251		2
 PARAM	DEST	SOURCE:224.0.0.251	udp	5353
 PARAM	DEST	SOURCE			udp	32768:	5353
 PARAM	DEST	SOURCE:224.0.0.251	2
--- a/Shorewall/Makefile
+++ b/Shorewall/Makefile
@@ -3,9 +3,9 @@ VARDIR=$(shell /sbin/shorewall show vardir)
 CONFDIR=/etc/shorewall
 RESTOREFILE?=firewall
-all: $(VARDIR)/${RESTOREFILE}
+all: $(VARDIR)/$(RESTOREFILE)
-$(VARDIR)/${RESTOREFILE}: $(CONFDIR)/*
+$(VARDIR)/$(RESTOREFILE): $(CONFDIR)/*
 	@/sbin/shorewall -q save >/dev/null; \
 	if \
 	    /sbin/shorewall -q restart >/dev/null 2>&1; \
--- a/Shorewall/Perl/.includepath
+++ b/Shorewall/Perl/.includepath
@@ -1,3 +0,0 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <includepath />
--- a/Shorewall/Perl/Shorewall/Accounting.pm
+++ b/Shorewall/Perl/Shorewall/Accounting.pm
@@ -46,6 +46,7 @@ my $jumpchainref;
 my %accountingjumps;
 my $asection;
 my $defaultchain;
 my $ipsecdir;
 my $defaultrestriction;
 my $restriction;
 my $accounting_commands = { COMMENT => 0, SECTION => 2 };
@@ -92,6 +93,7 @@ sub initialize() {
    # These are the legacy values
    #
    $defaultchain       = 'accounting';
    $ipsecdir           = '';
    $defaultrestriction = NO_RESTRICT;
    $sectionname        = '';
 }
@@ -111,20 +113,25 @@ sub process_section ($) {
    if ( $sectionname eq 'INPUT' ) {
 	$defaultchain = 'accountin';
 	$ipsecdir     = 'in';
 	$defaultrestriction = INPUT_RESTRICT;
    } elsif ( $sectionname eq 'OUTPUT' ) {
 	$defaultchain = 'accountout';
 	$ipsecdir     = 'out';
 	$defaultrestriction = OUTPUT_RESTRICT;
    } elsif ( $sectionname eq 'FORWARD' ) {
 	$defaultchain = 'accountfwd';
 	$ipsecdir     = '';
 	$defaultrestriction = NO_RESTRICT;
     } else {
 	 fatal_error "The $sectionname SECTION is not allowed when ACCOUNTING_TABLE=filter" unless $acctable eq 'mangle';
 	 if ( $sectionname eq 'PREROUTING' ) {
 	     $defaultchain = 'accountpre';
 	     $ipsecdir     = 'in';
 	     $defaultrestriction = PREROUTE_RESTRICT;
 	 } else {
 	     $defaultchain = 'accountpost';
 	     $ipsecdir     = 'out';
 	     $defaultrestriction = POSTROUTE_RESTRICT;
 	 }
     }
@@ -285,7 +292,21 @@ sub process_accounting_rule( ) {
    }
    my $chainref = $chain_table{$config{ACCOUNTING_TABLE}}{$chain};
-    my $dir;
+    my $dir = $ipsecdir;
    if ( $asection && $ipsec ne '-' ) {
 	if ( $ipsecdir ) {
 	    fatal_error "Invalid IPSEC ($ipsec)" if $ipsec =~ /^(?:in|out)\b/;
 	} else {
 	    if ( $ipsec =~ s/^(?:(in|out)\b)// ) {
 		$dir = $1;
 	    } else {
 		fatal_error q(IPSEC rules in the $asection section require that the value begin with 'in' or 'out');
 	    }
 	}
 	$rule .= do_ipsec( $dir, $ipsec );
    }
    if ( ! $chainref ) {
 	if ( reserved_chain_name( $chain ) ) {
@@ -297,6 +318,7 @@ sub process_accounting_rule( ) {
 	    $chainref = ensure_accounting_chain $chain, 0 , $restriction;
 	}
 	unless ( $asection ) {
 	    $dir = ipsec_chain_name( $chain );
 	    if ( $ipsec ne '-' ) {
@@ -310,9 +332,11 @@ sub process_accounting_rule( ) {
 		warning_message "Adding rule to unreferenced accounting chain $chain" unless reserved_chain_name( $chain );
 		$chainref->{ipsec} = $dir;
 	    }
 	}
    } else {
 	fatal_error "$chain is not an accounting chain" unless $chainref->{accounting};
 	unless ( $asection ) {
 	    if ( $ipsec ne '-' ) {
 		$dir = $chainref->{ipsec};
 		fatal_error "Adding an IPSEC rule into a non-IPSEC chain is not allowed" unless $dir;
@@ -321,6 +345,7 @@ sub process_accounting_rule( ) {
 		$restriction |= $chainref->{restriction};
 	    }
 	}
    }
    set_optflags( $chainref, DONT_OPTIMIZE ) if $target eq 'RETURN';
@@ -366,7 +391,6 @@ sub process_accounting_rule( ) {
 	} else {
 	    $jumpchainref->{ipsec} = $chainref->{ipsec};
 	}
    }
    if ( $rule2 ) {
@@ -394,7 +418,7 @@ sub setup_accounting() {
 	my $nonEmpty = 0;
-	$nonEmpty |= process_accounting_rule while read_a_line;
+	$nonEmpty |= process_accounting_rule while read_a_line( NORMAL_READ );
 	clear_comment;
--- a/Shorewall/Perl/Shorewall/Chains.pm
+++ b/Shorewall/Perl/Shorewall/Chains.pm
--- a/Shorewall/Perl/Shorewall/Compiler.pm
+++ b/Shorewall/Perl/Shorewall/Compiler.pm
@@ -354,7 +354,7 @@ sub generate_script_3($) {
 	    emit 'cat > ${VARDIR}/.modules << EOF';
 	    open_file $fn;
-	    emit_unindented $currentline while read_a_line;
+	    emit_unindented $currentline while read_a_line( NORMAL_READ );
 	    emit_unindented 'EOF';
 	    emit '', 'reload_kernel_modules < ${VARDIR}/.modules';
@@ -812,16 +812,16 @@ sub compiler {
 	optimize_level0;
-	if ( $config{OPTIMIZE} & 0x1E ) {
+	if ( ( my $optimize = $config{OPTIMIZE} ) & 0x1E ) {
 	    progress_message2 'Optimizing Ruleset...';
 	    #
 	    # Optimize Policy Chains
 	    #
-	    optimize_policy_chains if $config{OPTIMIZE} & 2;
+	    optimize_policy_chains if ( $optimize & OPTIMIZE_POLICY_MASK2n4 ) == OPTIMIZE_POLICY_MASK; # Level 2 but not 4
 	    #
 	    # More Optimization
 	    #
-	    optimize_ruleset if $config{OPTIMIZE} & 0x1C;
+	    optimize_ruleset if $config{OPTIMIZE} & OPTIMIZE_RULESET_MASK;
 	}
 	enable_script;
@@ -877,16 +877,16 @@ sub compiler {
 	    optimize_level0;
-	    if ( $config{OPTIMIZE} & OPTIMIZE_MASK ) {
+	    if ( ( my $optimize = $config{OPTIMIZE} & OPTIMIZE_MASK ) ) {
 		progress_message2 'Optimizing Ruleset...';
 		#
 		# Optimize Policy Chains
 		#
-		optimize_policy_chains if $config{OPTIMIZE} & OPTIMIZE_POLICY_MASK;
+		optimize_policy_chains if ( $optimize & OPTIMIZE_POLICY_MASK2n4 ) == OPTIMIZE_POLICY_MASK; # Level 2 but not 4
 		#
 		# Ruleset Optimization
 		#
-		optimize_ruleset if $config{OPTIMIZE} & OPTIMIZE_RULESET_MASK;
+		optimize_ruleset if $optimize & OPTIMIZE_RULESET_MASK;
 	    }
 	    enable_script if $debug;
--- a/Shorewall/Perl/Shorewall/Config.pm
+++ b/Shorewall/Perl/Shorewall/Config.pm
@@ -54,6 +54,7 @@ our @EXPORT = qw(
 		 progress_message3
 		 supplied
 		 split_list
 		 get_action_params
 		 get_action_chain
@@ -150,6 +151,15 @@ our %EXPORT_TAGS = ( internal => [ qw( create_temp_script
 				       MIN_VERBOSITY
 				       MAX_VERBOSITY
 				       PLAIN_READ
 				       EMBEDDED_ENABLED
 				       EXPAND_VARIABLES
 				       STRIP_COMMENTS
 				       SUPPRESS_WHITESPACE
 				       CONFIG_CONTINUATION
 				       DO_INCLUDE
 				       NORMAL_READ
 				     ) ] );
 Exporter::export_ok_tags('internal');
@@ -297,6 +307,11 @@ my  %capdesc = ( NAT_ENABLED     => 'NAT',
 		 IMQ_TARGET      => 'IMQ Target',
 		 DSCP_MATCH      => 'DSCP Match',
 		 DSCP_TARGET     => 'DSCP Target',
 		 GEOIP_MATCH     => 'GeoIP Match' ,
 		 #
 		 # Constants
 		 #
 		 LOG_OPTIONS     => 'Log Options',
 		 CAPVERSION      => 'Capability Version',
 		 KERNELVERSION   => 'Kernel Version',
 	       );
@@ -380,6 +395,7 @@ our $currentfilename;        # File NAME
 my  $currentlinenumber;      # Line number
 my  $perlscript;             # File Handle Reference to current temporary file being written by an in-line Perl script
 my  $perlscriptname;         # Name of that file.
 my  $embedded;               # True if we're in an embedded perl script
 my  @tempfiles;              # Files that need unlinking at END
 my  $first_entry;            # Message to output or function to call on first non-blank line of a file
@@ -435,9 +451,29 @@ my $omitting;
 my @ifstack;
 my $ifstack;
 #
 # Entries on the ifstack are a 4-tuple:
 #
 #    [0] - Keyword (IF, ELSEIF, ELSE or ENDIF)
 #    [1] - True if the outermost IF evaluated to false
 #    [2] - True if the the last unterminated IF evaluated to false
 #
 # From .shorewallrc
 #
 our %shorewallrc;
 #
 # read_a_line options
 #
 use constant { PLAIN_READ          => 0,     # No read_a_line options
               EMBEDDED_ENABLED    => 1,     # Look for embedded Shell and Perl
 	       EXPAND_VARIABLES    => 2,     # Expand Shell variables
 	       STRIP_COMMENTS      => 4,     # Remove comments
 	       SUPPRESS_WHITESPACE => 8,     # Ignore blank lines
 	       CHECK_GUNK          => 16,    # Look for unprintable characters
 	       CONFIG_CONTINUATION => 32,    # Suppress leading whitespace if
                                             # continued line ends in ',' or ':'
 	       DO_INCLUDE          => 64,    # Look for INCLUDE <filename>
               NORMAL_READ         => -1     # All options
 	   };
 sub process_shorewallrc($);
 #
@@ -476,7 +512,7 @@ sub initialize( $;$ ) {
    $omitting       = 0;
    $ifstack        = 0;
    @ifstack        = ();
-
+    $embedded       = 0;
    #
    # Misc Globals
    #
@@ -489,8 +525,8 @@ sub initialize( $;$ ) {
 		    KLUDGEFREE => '',
 		    STATEMATCH => '-m state --state',
 		    UNTRACKED  => 0,
-		    VERSION    => "4.4.22.1",
+		    VERSION    => "4.5.6",
-		    CAPVERSION => 40502 ,
+		    CAPVERSION => 40504 ,
 		  );
    #
    # From shorewall.conf file
@@ -533,6 +569,7 @@ sub initialize( $;$ ) {
 	  RESTOREFILE => undef,
 	  IPSECFILE => undef,
 	  LOCKFILE => undef,
 	  GEOIPDIR => undef,
 	  #
 	  # Default Actions/Macros
 	  #
@@ -721,7 +758,9 @@ sub initialize( $;$ ) {
 	       IMQ_TARGET => undef,
 	       DSCP_MATCH => undef,
 	       DSCP_TARGET => undef,
 	       GEOIP_MATCH => undef,
 	       CAPVERSION => undef,
 	       LOG_OPTIONS => 1,
 	       KERNELVERSION => undef,
 	       );
    #
@@ -759,8 +798,7 @@ sub initialize( $;$ ) {
 		    CONFDIR  => '/etc/',
 		    );
-    if ( $shorewallrc ) {
+    process_shorewallrc( $shorewallrc ) if $shorewallrc;
 	process_shorewallrc( $shorewallrc );
    $globals{SHAREDIRPL} = "$shorewallrc{SHAREDIR}/shorewall/";
@@ -776,18 +814,57 @@ sub initialize( $;$ ) {
 	$globals{PRODUCT}       = 'shorewall6';
 	$config{IP6TABLES}      = undef;
    }
    }
 }
 my @abbr = qw( Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec );
 #
 # Create 'currentlineinfo'
 #
 sub currentlineinfo() {
    my $linenumber = $currentlinenumber || 1;
    if ( $currentfile ) {
 	my $lineinfo = " $currentfilename ";
 	if ( $linenumber eq 'EOF' ) {
 	    $lineinfo .= '(EOF)'
 	} else {
 	    $lineinfo .= "(line $linenumber)";
 	}
 	#
 	# Unwind the current include stack
 	#
 	for ( my $i = @includestack - 1; $i >= 0; $i-- ) {
 	    my $info = $includestack[$i];
 	    $linenumber = $info->[2] || 1;
 	    $lineinfo .= "\n      from $info->[1] (line $linenumber)";
 	}
 	#
 	# Now unwind the open stack; each element is an include stack
 	#
 	for ( my $i = @openstack - 1; $i >= 0; $i-- ) {
 	    my $istack = $openstack[$i];
 	    for ( my $j = ( @$istack - 1 ); $j >= 0; $j-- ) {
 		my $info = $istack->[$j];
 		$linenumber = $info->[2] || 1;
 		$lineinfo .= "\n      from $info->[1] (line $linenumber)";
 	    }
 	}
 	$lineinfo;
    } else {
 	'';
    }
 }
 #
 # Issue a Warning Message
 #
 sub warning_message
 {
-    my $linenumber = $currentlinenumber || 1;
+    my $currentlineinfo = currentlineinfo;
    my $currentlineinfo = $currentfile ?  " : $currentfilename " . ( $linenumber eq 'EOF' ? '(EOF)' : "(line $linenumber)" ) : '';
    our @localtime;
    $| = 1; #Reset output buffering (flush any partially filled buffers).
@@ -815,6 +892,30 @@ sub cleanup() {
    close  $script, $script = undef         if $script;
    close  $perlscript, $perlscript = undef if $perlscript;
    close  $log, $log = undef               if $log;
    if ( $currentfile ) {
 	#
 	# We have a current input file; close it
 	#
 	close $currentfile;
 	#
 	# Unwind the current include stack
 	#
 	for ( my $i = @includestack - 1; $i >= 0; $i-- ) {
 	    my $info = $includestack[$i];
 	    close $info->[0];
 	}
 	#
 	# Now unwind the open stack; each element is an include stack
 	#
 	for ( my $i = @openstack - 1; $i >= 0; $i-- ) {
 	    my $istack = $openstack[$i];
 	    for ( my $j = ( @$istack - 1 ); $j >= 0; $j-- ) {
 		my $info = $istack->[$j];
 		close $info->[0];
 	    }
 	}
    }
    #
    # Unlink temporary files
    #
@@ -842,8 +943,7 @@ sub cleanup() {
 # Issue fatal error message and die
 #
 sub fatal_error	{
-    my $linenumber = $currentlinenumber || 1;
+    my $currentlineinfo = currentlineinfo;
    my $currentlineinfo = $currentfile ?  " : $currentfilename " . ( $linenumber eq 'EOF' ? '(EOF)' : "(line $linenumber)" ) : '';
    $| = 1; #Reset output buffering (flush any partially filled buffers).
@@ -862,8 +962,14 @@ sub fatal_error	{
    }
    cleanup;
    if ( $embedded ) {
 	confess "@_$currentlineinfo" if $confess;
 	die "@_$currentlineinfo\n";
    }  else {
 	confess "   ERROR: @_$currentlineinfo" if $confess;
 	die "   ERROR: @_$currentlineinfo\n";
    }
 }
 sub fatal_error1 {
@@ -889,13 +995,16 @@ sub fatal_error1 {
 }
 #
-# C/C++-like assertion checker
+# C/C++-like assertion checker -- the optional arguments are not used but will
 #                                 appear in the stack trace
 #
-sub assert( $;$ ) {
+sub assert( $;@ ) {
    unless ( $_[0] ) {
 	my @caller0 = caller 0; # Where assert() was called
 	my @caller1 = caller 1; # Who called assert()
 	$confess = 1;
 	fatal_error "Internal error in $caller1[3] at $caller0[1] line $caller0[2]";
    }
 }
@@ -943,7 +1052,9 @@ sub normalize_hex( $ ) {
 # Return the argument expressed in Hex
 #
 sub in_hex( $ ) {
-    sprintf '0x%x', $_[0];
+    my $value = $_[0];
    $value =~ /^0x/ ? $value : sprintf '0x%x', $_[0];
 }
 sub in_hex2( $ ) {
@@ -1334,9 +1445,7 @@ sub find_file($)
    return $filename if $filename =~ '/';
-    my $directory;
+    for my $directory ( @config_path ) {
    for $directory ( @config_path ) {
 	my $file = "$directory$filename";
 	return $file if -f $file;
    }
@@ -1344,10 +1453,10 @@ sub find_file($)
    "$config_path[0]$filename";
 }
-sub split_list( $$ ) {
+sub split_list( $$;$ ) {
-    my ($list, $type ) = @_;
+    my ($list, $type, $origlist ) = @_;
-    fatal_error "Invalid $type list ($list)" if $list =~ /^,|,$|,,|!,|,!$/;
+    fatal_error( "Invalid $type list (" . ( $origlist ? $origlist : $list ) . ')' ) if $list =~ /^,|,$|,,|!,|,!$/;
    split /,/, $list;
 }
@@ -1405,11 +1514,13 @@ sub supplied( $ ) {
 #    supply '-' in omitted trailing columns.
 #    Handles all of the supported forms of column/pair specification
 #
-sub split_line1( $$;$ ) {
+sub split_line1( $$;$$ ) {
-    my ( $description, $columnsref, $nopad) = @_;
+    my ( $description, $columnsref, $nopad, $maxcolumns ) = @_;
    unless ( defined $maxcolumns ) {
 	my @maxcolumns = ( keys %$columnsref );
-    my $maxcolumns = @maxcolumns;
+	$maxcolumns = @maxcolumns;
    }
    #
    # First see if there is a semicolon on the line; what follows will be column/value paris
    #
@@ -1546,62 +1657,128 @@ sub close_file() {
 }
 #
-# Process an ?IF, ?ELSE or ?END directive
+# Process an ?IF, ?ELSIF, ?ELSE or ?END directive
 #
 sub have_capability( $ );
-sub process_conditional( $$$ ) {
+#
-    my ( $omitting, $line, $linenumber ) = @_;
+# Report an error from process_conditional()
 #
 sub cond_error( $$$ ) {
    $currentfilename   = $_[1];
    $currentlinenumber = $_[2];
    fatal_error $_[0];
 }
-    print "CD===> $currentline\n" if $debug;
+#
 # Evaluate an expression in an ?IF or ?ELSIF directive
 #
 sub evaluate_expression( $$$ ) {
    my ( $expression , $filename , $linenumber ) = @_;
    my $val;
    my $count = 0;
-    fatal_error "Invalid compiler directive ($line)" unless $line =~ /^\s*\?(IF\s+|ELSE|ENDIF)(.*)$/;
+    #                         $1      $2   $3      -     $4
    while ( $expression =~ m( ^(.*?) \$({)? (\w+) (?(2)}) (.*)$ )x ) {
 	my ( $first, $var, $rest ) = ( $1, $3, $4);
-    my ($keyword, $rest) = ( $1, $2 );
+	$val = ( exists $ENV{$var}     ? $ENV{$var}    :
-
+		 exists $params{$var}  ? $params{$var} :
-    if ( supplied $rest ) {
+		 exists $config{$var}  ? $config{$var} :
-	$rest =~ s/#.*//;
+		 exists $capdesc{$var} ? have_capability( $var ) : 0 );
-	$rest =~ s/\s*$//;
+	$val = 0 unless defined $val;
-    } else {
+	$val = "'$val'" unless $val =~ /^-?\d+$/;
-	$rest = '';
+	$expression = join( '', $first, $val || 0, $rest );
 	cond_error( "Variable Expansion Loop" , $filename, $linenumber ) if ++$count > 100;
    }
-    my ( $lastkeyword, $prioromit, $lastomit, $lastlinenumber ) = @ifstack ? @{$ifstack[-1]} : ('', 0, 0, 0 );
+    #                         $1      $2   $3      -     $4
    while ( $expression =~ m( ^(.*?) __({)? (\w+) (?(2)}) (.*)$ )x ) {
 	my ( $first, $cap, $rest ) = ( $1, $3, $4);
 	if ( exists $capdesc{$cap} ) {
 	    $val = have_capability( $cap )
 	} elsif ( $cap =~ /^IPV([46])$/ ) {
 	    $val = ( $family == $1 );
 	} else {
 	    cond_error "Unknown capability ($cap)", $filename, $linenumber;
 	}
 	$expression = join( '', $first, $val || 0, $rest );
    }
    $expression =~ s/^\s*(.+)\s*$/$1/;
    unless ( $expression =~ /^\d+$/ ) {
 	#
 	# Not a simple one-term expression -- compile it
 	#
 	$val = eval qq(package Shorewall::User;\nuse strict;\n# line $linenumber "$filename"\n$expression);
 	unless ( $val ) {
 	    cond_error( "Couldn't parse expression: $@" , $filename, $linenumber ) if $@;
 	    cond_error( "Undefined expression" , $filename, $linenumber ) unless defined $val;
 	}
    }
    $val;
 }
 #
 # Each entry in @ifstack consists of a 4-tupple
 #
 # [0] = The keyword (IF,ELSIF or ELSE)
 # [1] = True if we were already omitting at the last IF directive
 # [2] = True if we have included any block of the current IF...ELSEIF....ELSEIF... sequence.
 # [3] = The line number of the directive
 #
 sub process_conditional( $$$$ ) {
    my ( $omitting, $line, $filename, $linenumber ) = @_;
    print "CD===> $line\n" if $debug;
    cond_error( "Invalid compiler directive ($line)" , $filename, $linenumber ) unless $line =~ /^\s*\?(IF\s+|ELSE|ELSIF\s+|ENDIF)(.*)$/;
    my ($keyword, $expression) = ( $1, $2 );
    if ( supplied $expression ) {
 	$expression =~ s/#.*//;
 	$expression =~ s/\s*$//;
    } else {
 	$expression = '';
    }
    my ( $lastkeyword, $prioromit, $included, $lastlinenumber ) = @ifstack ? @{$ifstack[-1]} : ('', 0, 0, 0 );
    if ( $keyword =~ /^IF/ ) {
-	fatal_error "Missing IF variable" unless $rest;
+	cond_error( "Missing IF expression" , $filename, $linenumber ) unless $expression;
-	my $invert = $rest =~ s/^!\s*//;
+	my $nextomitting = $omitting || ! evaluate_expression( $expression , $filename, $linenumber );
-
+	push @ifstack, [ 'IF', $omitting, ! $nextomitting, $linenumber ];
-	fatal_error "Invalid IF variable ($rest)" unless ($rest =~ s/^\$// || $rest =~ /^__/ ) && $rest =~ /^\w+$/;
+	$omitting = $nextomitting;
-
+    } elsif ( $keyword =~ /^ELSIF/ ) {
-	push @ifstack, [ 'IF', $lastomit, $omitting, $linenumber ];
+	cond_error( "?ELSIF has no matching ?IF" , $filename, $linenumber ) unless @ifstack > $ifstack && $lastkeyword =~ /IF/;
-
+	cond_error( "Missing IF expression" , $filename, $linenumber ) unless $expression;
-	if ( $rest eq '__IPV6' ) {
+	if ( $omitting && ! $included ) {
-	    $omitting = $family == F_IPV4;
+	    #
-	} elsif ( $rest eq '__IPV4' ) {
+	    # We can only change to including if we were previously omitting
-	    $omitting = $family == F_IPV6;
+	    #
 	    $omitting = $prioromit || ! evaluate_expression( $expression , $filename, $linenumber );
 	    $included = ! $omitting;
 	} else {
-	    my $cap = $rest;
+	    #
-
+	    # We have already included -- so we don't want to include this part
-	    $cap =~ s/^__//;
+	    #
-
+	    $omitting = 1;
 	    $omitting = ! ( exists $ENV{$rest}    ? $ENV{$rest}    : 
 			    exists $params{$rest} ? $params{$rest} : 
 			    exists $config{$rest} ? $config{$rest} :
 			    exists $capdesc{$cap} ? have_capability( $cap ) : 0 );
 	}
-
+	$ifstack[-1] = [ 'ELSIF', $prioromit, $included, $lastlinenumber ];
 	$omitting = ! $omitting if $invert;
 	$omitting ||= $lastomit; #?IF cannot transition from omitting -> not omitting
    } elsif ( $keyword eq 'ELSE' ) {
-	fatal_error "Invalid ?ELSE" unless $rest eq '';
+	cond_error( "Invalid ?ELSE" , $filename, $linenumber ) unless $expression eq '';
-	fatal_error "?ELSE has no matching ?IF" unless @ifstack > $ifstack && $lastkeyword eq 'IF';
+	cond_error( "?ELSE has no matching ?IF" , $filename, $linenumber ) unless @ifstack > $ifstack && $lastkeyword =~ /IF/;
-	$omitting = ! $omitting unless $lastomit;
+	$omitting = $included || ! $omitting unless $prioromit;
-	$ifstack[-1] = [ 'ELSE', $prioromit, $omitting, $lastlinenumber ];
+	$ifstack[-1] = [ 'ELSE', $prioromit, 1, $lastlinenumber ];
    } else {
-	fatal_error "Invalid ?ENDIF" unless $rest eq '';
+	cond_error( "Invalid ?ENDIF" , $filename, $linenumber ) unless $expression eq '';
-	fatal_error q(Unexpected "?ENDIF" without matching ?IF or ?ELSE) if @ifstack <= $ifstack;
+	cond_error( q(Unexpected "?ENDIF" without matching ?IF or ?ELSE) , $filename, $linenumber ) if @ifstack <= $ifstack;
 	$omitting = $prioromit;
 	pop @ifstack;
    }
@@ -1631,7 +1808,7 @@ sub copy( $ ) {
 	    $lineno++;
 	    if ( /^\s*\?/ ) {
-		$omitting = process_conditional( $omitting, $_, $lineno );
+		$omitting = process_conditional( $omitting, $_, $file, $lineno );
 		next;
 	    }
@@ -1684,7 +1861,7 @@ sub copy1( $ ) {
 		chomp;
 		if ( /^\s*\?/ ) {
-		    $omitting = process_conditional( $omitting, $_, $currentlinenumber );
+		    $omitting = process_conditional( $omitting, $_, $currentfilename, $currentlinenumber );
 		    next;
 		}
@@ -1815,7 +1992,7 @@ EOF
 		chomp;
 		if ( /^\s*\?/ ) {
-		    $omitting = process_conditional( $omitting, $_, $lineno );
+		    $omitting = process_conditional( $omitting, $_, $file, $lineno );
 		    next;
 		}
@@ -1877,7 +2054,7 @@ EOF
 #
 sub push_open( $ ) {
-    push @includestack, [ $currentfile, $currentfilename, $currentlinenumber, $ifstack ];
+    push @includestack, [ $currentfile, $currentfilename, $currentlinenumber, $ifstack ] if $currentfile;
    my @a = @includestack;
    push @openstack, \@a;
    @includestack = ();
@@ -1930,12 +2107,10 @@ sub shorewall {
 sub first_entry( $ ) {
    $first_entry = $_[0];
    my $reftype = reftype $first_entry;
-    if ( $reftype ) {
+    assert( $reftype eq 'CODE' ) if $reftype;
 	fatal_error "Invalid argument to first_entry()" unless $reftype eq 'CODE';
    }
 }
-sub read_a_line(;$$$$);
+sub read_a_line($);
 sub embedded_shell( $ ) {
    my $multiline = shift;
@@ -1952,8 +2127,8 @@ sub embedded_shell( $ ) {
 	my $last = 0;
-	while ( read_a_line( 0, 0, 0, 0 ) ) {
+	while ( read_a_line( PLAIN_READ ) ) {
-	    last if $last = $currentline =~ s/^\s*END(\s+SHELL)?\s*;?//;
+	    last if $last = $currentline =~ s/^\s*\??END(\s+SHELL)?\s*(?:;\s*)?$//;
 	    $command .= "$currentline\n";
 	}
@@ -1986,15 +2161,19 @@ sub embedded_perl( $ ) {
 	my $last = 0;
-	while ( read_a_line( 0, 0, 0, 0 ) ) {
+	while ( read_a_line( PLAIN_READ ) ) {
-	    last if $last = $currentline =~ s/^\s*END(\s+PERL)?\s*;?//;
+	    last if $last = $currentline =~ s/^\s*\??END(\s+PERL)?\s*(?:;\s*)?//;
 	    $command .= "$currentline\n";
 	}
 	fatal_error ( "Missing END PERL" ) unless $last;
 	fatal_error ( "Invalid END PERL directive" ) unless $currentline =~ /^\s*$/;
    } else {
 	$currentline = '';
    }
    $embedded++;
    unless (my $return = eval $command ) {
 	#
 	# Perl found the script offensive or the script itself died
@@ -2012,6 +2191,8 @@ sub embedded_perl( $ ) {
 	fatal_error "Perl Script Returned False";
    }
    $embedded--;
    if ( $perlscript ) {
 	fatal_error "INCLUDEs nested too deeply" if @includestack >= 4;
@@ -2100,7 +2281,7 @@ sub set_action_param( $$ ) {
 }
 #
-# Expand Shell Variables in the passed buffer using %params and @actparms
+# Expand Shell Variables in the passed buffer using @actparms, %params, %shorewallrc and %config, 
 #
 sub expand_variables( \$ ) {
    my ( $lineref, $count ) = ( $_[0], 0 );
@@ -2142,7 +2323,7 @@ sub handle_first_entry() {
 }
 #
-# Read a line from the current include stack.
+# Read a line from the current include stack. Based on the passed options, it will conditionally:
 #
 #   - Ignore blank or comment-only lines.
 #   - Remove trailing comments.
@@ -2153,11 +2334,8 @@ sub handle_first_entry() {
 #   - Handle ?IF, ?ELSE, ?ENDIF
 #
-sub read_a_line(;$$$$) {
+sub read_a_line($) {
-    my $embedded_enabled    = defined $_[0] ? shift : 1;
+    my $options = $_[0];
    my $expand_variables    = defined $_[0] ? shift : 1;
    my $strip_comments      = defined $_[0] ? shift : 1;
    my $suppress_whitespace = defined $_[0] ? shift : 1;
    while ( $currentfile ) {
@@ -2165,62 +2343,65 @@ sub read_a_line(;$$$$) {
 	$currentlinenumber = 0;
 	while ( <$currentfile> ) {
 	    chomp;
 	    #
 	    # Handle conditionals
 	    #
 	    if ( /^\s*\?(?:IF|ELSE|ELSIF|ENDIF)/ ) {
 		$omitting = process_conditional( $omitting, $_, $currentfilename, $. );
 		next;
 	    }
 	    if ( $omitting ) {
 		print "OMIT=> $_\n" if $debug;
 		next;
 	    }
 	    $currentlinenumber = $. unless $currentlinenumber;
 	    chomp;
 	    #
 	    # Suppress leading whitespace in certain continuation lines
 	    #
-	    s/^\s*// if $currentline =~ /[,:]$/ && $suppress_whitespace;
+	    s/^\s*// if $currentline =~ /[,:]$/ && $options & CONFIG_CONTINUATION;
 	    #
 	    # If this is a continued line with a trailing comment, remove comment. Note that
 	    # the result will now end in '\'.
 	    #
-	    s/\s*#.*$// if $strip_comments && /[\\]\s*#.*$/;
+	    s/\s*#.*$// if ($options & STRIP_COMMENTS) && /[\\]\s*#.*$/;
 	    #
 	    # Continuation
 	    #
 	    chop $currentline, next if ($currentline .= $_) =~ /\\$/;
 	    #
 	    # Handle conditionals
 	    #
 	    if ( $currentline =~ /^\s*\?(?:IF|ELSE|ENDIF)/ ) {
 		$omitting = process_conditional( $omitting, $currentline, $currentlinenumber );
 		$currentline='';
 		next;
 	    }		
 	    if ( $omitting ) {
 		print "OMIT=> $currentline\n" if $debug;
 		$currentline='';
 		$currentlinenumber = 0;
 		next;
 	    }
 	    #
 	    # Must check for shell/perl before doing variable expansion
 	    #
-	    if ( $embedded_enabled ) {
+	    if ( $options & EMBEDDED_ENABLED ) {
-		if ( $currentline =~ s/^\s*(BEGIN\s+)?SHELL\s*;?// ) {
+		if ( $currentline =~ s/^\s*\??(BEGIN\s+)SHELL\s*;?// || $currentline =~ s/^\s*\??SHELL\s*// ) {
 		    handle_first_entry if $first_entry;
 		    embedded_shell( $1 );
 		    next;
 		}
-		if ( $currentline =~ s/^\s*(BEGIN\s+)?PERL\s*\;?// ) {
+		if ( $currentline =~ s/^\s*\??(BEGIN\s+)PERL\s*;?// || $currentline =~ s/^\s*\??PERL\s*// ) {
 		    handle_first_entry if $first_entry;
 		    embedded_perl( $1 );
 		    next;
 		}
 	    }
 	    #
-	    # Now remove concatinated comments
+	    # Now remove concatinated comments if asked
 	    #
-	    $currentline =~ s/\s*#.*$// if $strip_comments;
+	    $currentline =~ s/\s*#.*$// if $options & STRIP_COMMENTS;
 	    if ( $options & SUPPRESS_WHITESPACE ) {
 		#
-	    # Ignore ( concatenated ) Blank Lines after comments are removed.
+		# Ignore (concatinated) blank lines
 		#
-	    $currentline = '', $currentlinenumber = 0, next if $currentline =~ /^\s*$/ && $suppress_whitespace;
+		$currentline = '', $currentlinenumber = 0, next if $currentline =~ /^\s*$/;
 		#
 		# Eliminate trailing whitespace
 		#
 		$currentline =~ s/\s*$//;
 	    }
 	    #
 	    # Line not blank -- Handle any first-entry message/capabilities check
 	    #
@@ -2228,9 +2409,9 @@ sub read_a_line(;$$$$) {
 	    #
 	    # Expand Shell Variables using %params and @actparms
 	    #
-	    expand_variables( $currentline ) if $expand_variables;
+	    expand_variables( $currentline ) if $options & EXPAND_VARIABLES;
-	    if ( $currentline =~ /^\s*\??INCLUDE\s/ ) {
+	    if ( ( $options & DO_INCLUDE ) && $currentline =~ /^\s*\??INCLUDE\s/ ) {
 		my @line = split ' ', $currentline;
@@ -2252,6 +2433,7 @@ sub read_a_line(;$$$$) {
 		$currentline = '';
 	    } else {
 		fatal_error "Non-ASCII gunk in file" if ( $options && CHECK_GUNK ) && $currentline =~ /[^\s[:print:]]/;
 		print "IN===> $currentline\n" if $debug;
 		return 1;
 	    }
@@ -2261,33 +2443,13 @@ sub read_a_line(;$$$$) {
    }
 }
 #
 # Simple version of the above. Doesn't do line concatenation, shell variable expansion or INCLUDE processing
 #
 sub read_a_line1() {
    while ( $currentfile ) {
 	while ( $currentline = <$currentfile> ) {
 	    next if $currentline =~ /^\s*#/;
 	    chomp $currentline;
 	    next if $currentline =~ /^\s*$/;
 	    $currentline =~ s/#.*$//;       # Remove Trailing Comments
 	    fatal_error "Non-ASCII gunk in file" if $currentline =~ /[^\s[:print:]]/;
 	    $currentlinenumber = $.;
 	    print "IN===> $currentline\n" if $debug;
 	    return 1;
 	}
 	close_file;
    }
 }
 sub process_shorewallrc( $ ) {
    my $shorewallrc = shift;
    $shorewallrc{PRODUCT} = $family == F_IPV4 ? 'shorewall' : 'shorewall6';
    if ( open_file $shorewallrc ) {
-	while ( read_a_line1 ) {
+	while ( read_a_line( STRIP_COMMENTS | SUPPRESS_WHITESPACE | CHECK_GUNK ) ) {
 	    if ( $currentline =~ /^([a-zA-Z]\w*)=(.*)$/ ) {
 		my ($var, $val) = ($1, $2);
 		$val = $1 if $val =~ /^\"([^\"]*)\"$/;
@@ -2368,6 +2530,22 @@ sub level_error( $ ) {
    fatal_error "Invalid log level ($_[0])";
 }
 my %logoptions = ( tcp_sequence         => '--log-tcp-sequence',
 		   ip_options           => '--log-ip-options',
 		   tcp_options          => '--log-tcp-options',
 		   uid                  => '--log-uid',
 		   macdecode            => '--log-macdecode',
 		   #
 		   # Because a level can pass through validate_level() more than once,
 		   # the full option names are also included here.
 		   #
 		   '--log-tcp-sequence' => '--log-tcp-sequence',
 		   '--log-ip-options'   => '--log-ip-options',
 		   '--log-tcp-options'  => '--log-tcp-options',
 		   '--log-uid'          => '--log-uid',
 		   '--log-macdecode'    => '--log-macdecode',
 		 );
 sub validate_level( $ ) {
    my $rawlevel = $_[0];
    my $level    = uc $rawlevel;
@@ -2378,7 +2556,11 @@ sub validate_level( $ ) {
 	my $qualifier;
 	unless ( $value =~ /^[0-7]$/ ) {
-	    level_error( $level ) unless $level =~ /^([A-Za-z0-7]+)(.*)$/ && defined( $value = $validlevels{$1} );
+	    } if ( $value =~ /^([0-7])(.*)$/ ) {
 		$value = $1;
 		$qualifier = $2;
 	    } elsif ( $value =~ /^([A-Za-z0-7]+)(.*)$/ ) {
 	        level_error( $level) unless defined( $value = $validlevels{$1} );
 		$qualifier = $2;
 	}
@@ -2386,9 +2568,32 @@ sub validate_level( $ ) {
 	    #
 	    # Syslog Level
 	    #
-	    level_error( $rawlevel ) if supplied $qualifier;
+	    if ( supplied $qualifier ) {
 		my $options = '';
 		my %options;
 		level_error ( $rawlevel ) unless $qualifier =~ /^\((.*)\)$/;
 		for ( split_list lc $1, "log options" ) {
 		    my $option = $logoptions{$_};
 		    fatal_error "Unknown LOG option ($_)" unless $option;
 		    unless ( $options{$option} ) {
 			if ( $options ) {
 			    $options = join( ',', $options, $option );
 			} else {
 			    $options = $option;
 			}
 			$options{$option} = 1;
 		    }
 		}
 		$value .= "($options)" if $options;
 	    }
 	    require_capability ( 'LOG_TARGET' , "Log level $level", 's' );
 	    return $value;
 	}
@@ -2568,7 +2773,7 @@ sub load_kernel_modules( ) {
 	my @suffixes = split /\s+/ , $config{MODULE_SUFFIX};
-	while ( read_a_line ) {
+	while ( read_a_line( NORMAL_READ ) ) {
 	    fatal_error "Invalid modules file entry" unless ( $currentline =~ /^loadmodule\s+([a-zA-Z]\w*)\s*(.*)$/ );
 	    my ( $module, $arguments ) = ( $1, $2 );
 	    unless ( $loadedmodules{ $module } ) {
@@ -3003,6 +3208,10 @@ sub Dscp_Target() {
    have_capability 'MANGLE_ENABLED' && qt1( "$iptables -t mangle -A $sillyname -j DSCP --set-dscp 0" );
 }
 sub GeoIP_Match() {
    qt1( "$iptables -A $sillyname -m geoip --src-cc US" );
 }
 our %detect_capability =
    ( ACCOUNT_TARGET =>\&Account_Target,
      AUDIT_TARGET => \&Audit_Target,
@@ -3022,6 +3231,7 @@ our %detect_capability =
      EXMARK => \&Exmark,
      FLOW_FILTER => \&Flow_Filter,
      FWMARK_RT_MASK => \&Fwmark_Rt_Mask,
      GEOIP_MATCH => \&GeoIP_Match,
      GOTO_TARGET => \&Goto_Target,
      HASHLIMIT_MATCH => \&Hashlimit_Match,
      HEADER_MATCH => \&Header_Match,
@@ -3199,7 +3409,7 @@ sub determine_capabilities() {
 	$capabilities{IMQ_TARGET}      = detect_capability( 'IMQ_TARGET' );
 	$capabilities{DSCP_MATCH}      = detect_capability( 'DSCP_MATCH' );
 	$capabilities{DSCP_TARGET}     = detect_capability( 'DSCP_TARGET' );
-
+	$capabilities{GEOIP_MATCH}     = detect_capability( 'GEOIP_MATCH' );
 	qt1( "$iptables -F $sillyname" );
 	qt1( "$iptables -X $sillyname" );
@@ -3245,7 +3455,7 @@ sub ensure_config_path() {
 	add_param( CONFDIR => $globals{CONFDIR} );
-	while ( read_a_line ) {
+	while ( read_a_line( NORMAL_READ ) ) {
 	    if ( $currentline =~ /^\s*([a-zA-Z]\w*)=(.*?)\s*$/ ) {
 		my ($var, $val) = ($1, $2);
 		$config{$var} = ( $val =~ /\"([^\"]*)\"$/ ? $1 : $val ) if exists $config{$var};
@@ -3313,10 +3523,10 @@ sub update_config_file( $ ) {
    #
    # Establish default values for the mark layout items
    #
-    $config{TC_BITS}         = ( $wide ? 14 : 8 )             unless supplied $config{TC_BITS};
+    $config{TC_BITS}         = ( $wide ? 14 : 8 )             unless defined $config{TC_BITS};
-    $config{MASK_BITS}       = ( $wide ? 16 : 8 )             unless supplied $config{MASK_BITS};
+    $config{MASK_BITS}       = ( $wide ? 16 : 8 )             unless defined $config{MASK_BITS};
-    $config{PROVIDER_OFFSET} = ( $high ? $wide ? 16 : 8 : 0 ) unless supplied $config{PROVIDER_OFFSET};
+    $config{PROVIDER_OFFSET} = ( $high ? $wide ? 16 : 8 : 0 ) unless defined $config{PROVIDER_OFFSET};
-    $config{PROVIDER_BITS}   = 8                              unless supplied $config{PROVIDER_BITS};
+    $config{PROVIDER_BITS}   = 8                              unless defined $config{PROVIDER_BITS};
    my $fn;
@@ -3324,7 +3534,7 @@ sub update_config_file( $ ) {
 	#
 	# Debian or derivative
 	#
-	$fn = $annotate ? "/usr/share/doc/${product}/default-config/${product}.conf.annotated" : "/usr/share/doc/${product}/default-config/${product}.conf";
+	$fn = $annotate ? "$shorewallrc{SHAREDIR}/doc/${product}/default-config/${product}.conf.annotated" : "$shorewallrc{SHAREDIR}/doc/${product}/default-config/${product}.conf";
    } else {
 	#
 	# The rest of the World
@@ -3443,7 +3653,7 @@ sub process_shorewall_conf( $$ ) {
 	    #
 	    # Don't expand shell variables or allow embedded scripting
 	    #
-	    while ( read_a_line1 ) {
+	    while ( read_a_line( STRIP_COMMENTS | SUPPRESS_WHITESPACE  | CHECK_GUNK ) ) {
 		if ( $currentline =~ /^\s*([a-zA-Z]\w*)=(.*?)\s*$/ ) {
 		    my ($var, $val) = ($1, $2);
@@ -3483,7 +3693,7 @@ sub process_shorewall_conf( $$ ) {
 # Process the records in the capabilities file
 #
 sub read_capabilities() {
-    while ( read_a_line1 ) {
+    while ( read_a_line( STRIP_COMMENTS | SUPPRESS_WHITESPACE  | CHECK_GUNK ) ) {
 	if ( $currentline =~ /^([a-zA-Z]\w*)=(.*)$/ ) {
 	    my ($var, $val) = ($1, $2);
 	    unless ( exists $capabilities{$var} ) {
@@ -3804,6 +4014,13 @@ sub get_configuration( $$$ ) {
    $globals{STATEMATCH} = '-m conntrack --ctstate' if have_capability 'CONNTRACK_MATCH';
    #
    # The following is not documented as it is not likely useful to the user base in general 
    # Going forward, it allows me to create a configuration that will work on multiple
    # Shorewall versions.        TME
    #
    $config{VERSION} = sprintf "%d%02d%02d", $1, $2, $3 if $globals{VERSION} =~ /^(\d+)\.(\d+)\.(\d+)/;
    if ( my $rate = $config{LOGLIMIT} ) {
 	my $limit;
@@ -4022,9 +4239,10 @@ sub get_configuration( $$$ ) {
 	$globals{ZONE_OFFSET}     = $config{PROVIDER_BITS};
    }
-    fatal_error 'Invalid Packet Mark layout' if $config{ZONE_BITS} + $globals{ZONE_OFFSET} > 31;
+    fatal_error 'Invalid Packet Mark layout' if $config{ZONE_BITS} + $globals{ZONE_OFFSET} > 30;
    $globals{EXCLUSION_MASK} = 1 << ( $globals{ZONE_OFFSET} + $config{ZONE_BITS} );
    $globals{TPROXY_MARK}    = $globals{EXCLUSION_MASK} << 1;
    $globals{PROVIDER_MIN}   = 1 << $config{PROVIDER_OFFSET};
    $globals{TC_MAX}         = make_mask( $config{TC_BITS} );
@@ -4038,10 +4256,10 @@ sub get_configuration( $$$ ) {
    }
    if ( ( my $userbits = $config{PROVIDER_OFFSET} - $config{TC_BITS} ) > 0 ) {
 	$globals{USER_MASK} = make_mask( $userbits ) << $config{TC_BITS};
 	$globals{USER_BITS} = $userbits;
    } else {
-	$globals{USER_MASK} = 0;
+	$globals{USER_MASK} = $globals{USER_BITS} = 0;
    }
    if ( supplied ( $val = $config{ZONE2ZONE} ) ) {
@@ -4268,7 +4486,7 @@ sub append_file( $;$$ ) {
    $indent = '' if $unindented;
-    unless ( $user_exit =~ m(^/usr/share/shorewall6?/) ) {
+    unless ( $user_exit =~ m(^$shorewallrc{SHAREDIR}/shorewall6?/) ) {
 	if ( -f $user_exit ) {
 	    if ( $nomsg ) {
 		#
@@ -4327,8 +4545,9 @@ sub run_user_exit1( $ ) {
 	#
 	push_open $file;
-	if ( read_a_line1 ) {
+	if ( read_a_line( STRIP_COMMENTS | SUPPRESS_WHITESPACE  | CHECK_GUNK ) ) {
 	    close_file;
 	    pop_open;
 	    my $command = qq(package Shorewall::User;\n# line 1 "$file"\n) . `cat $file`;
@@ -4358,8 +4577,9 @@ sub run_user_exit2( $$ ) {
 	#
 	push_open $file;
-	if ( read_a_line1 ) {
+	if ( read_a_line( STRIP_COMMENTS | SUPPRESS_WHITESPACE  | CHECK_GUNK ) ) {
 	    close_file;
 	    pop_open;
 	    unless (my $return = eval `cat $file` ) {
 		fatal_error "Couldn't parse $file: $@" if $@;
@@ -4457,7 +4677,7 @@ sub dump_mark_layout() {
 	     $globals{TC_MASK} );
    dumpout( "User",
-	     $globals{USER_MASK},
+	     $globals{USER_BITS},
 	     $globals{TC_MAX} + 1,
 	     $globals{USER_MASK},
 	     $globals{USER_MASK} );
@@ -4479,6 +4699,12 @@ sub dump_mark_layout() {
 	     $globals{EXCLUSION_MASK},
 	     $globals{EXCLUSION_MASK},
 	     $globals{EXCLUSION_MASK} );
    dumpout( "TProxy",
 	     1,
 	     $globals{TPROXY_MARK},
 	     $globals{TPROXY_MARK},
 	     $globals{TPROXY_MARK} );
 }
 END {
--- a/Shorewall/Perl/Shorewall/Misc.pm
+++ b/Shorewall/Perl/Shorewall/Misc.pm
@@ -79,7 +79,7 @@ sub process_tos() {
 		       }
 		   );
-	while ( read_a_line ) {
+	while ( read_a_line( NORMAL_READ ) ) {
 	    my ($src, $dst, $proto, $ports, $sports , $tos, $mark ) = split_line 'tos file entry', { source => 0, dest => 1, proto => 2, dport => 3, sport => 4, tos => 5, mark => 6 } ;
@@ -149,9 +149,9 @@ sub setup_ecn()
 			   warning_message 'ECN will not be applied to forwarded packets' unless have_capability 'MANGLE_FORWARD';
 		       } );
-	while ( read_a_line ) {
+	while ( read_a_line( NORMAL_READ ) ) {
-	    my ($interface, $hosts ) = split_line 'ecn file entry', { interface => 0, hosts => 1 };
+	    my ($interface, $hosts ) = split_line1 'ecn file entry', { interface => 0, host => 1, hosts => 1 }, {}, 2;
 	    fatal_error 'INTERFACE must be specified' if $interface eq '-';
 	    fatal_error "Unknown interface ($interface)" unless known_interface $interface;
@@ -227,7 +227,7 @@ sub setup_blacklist() {
 	    first_entry "$doing $fn...";
-	    while ( read_a_line ) {
+	    while ( read_a_line ( NORMAL_READ ) ) {
 		if ( $first_entry ) {
 		    unless  ( @$zones || @$zones1 ) {
@@ -346,7 +346,7 @@ sub remove_blacklist( $ ) {
    open $newfile, '>', "$fn.new" or fatal_error "Unable to open $fn.new for output: $!";
-    while ( read_a_line(1,1,0) ) {
+    while ( read_a_line( EMBEDDED_ENABLED | EXPAND_VARIABLES ) ) {
 	my ( $rule, $comment ) = split '#', $currentline, 2;
 	if ( $rule =~ /blacklist/ ) {
@@ -396,7 +396,7 @@ sub convert_blacklist() {
 	first_entry "Converting $fn...";
-	while ( read_a_line ) {
+	while ( read_a_line( NORMAL_READ ) ) {
 	    my ( $networks, $protocol, $ports, $options ) = split_line 'blacklist file', { networks => 0, proto => 1, port => 2, options => 3 };
 	    if ( $options eq '-' ) {
@@ -468,7 +468,7 @@ sub convert_blacklist() {
 		open $blrules, '>',  $fn1 or fatal_error "Unable to open $fn1: $!";
 		print $blrules <<'EOF';
 #
-# Shorewall version 5 - Blacklist Rules File
+# Shorewall version 4.5 - Blacklist Rules File
 #
 # For information about entries in this file, type "man shorewall-blrules"
 #
@@ -554,7 +554,7 @@ sub process_routestopped() {
 	first_entry "$doing $fn...";
-	while ( read_a_line ) {
+	while ( read_a_line ( NORMAL_READ ) ) {
 	    my ($interface, $hosts, $options , $proto, $ports, $sports ) =
 		split_line 'routestopped file', { interface => 0, hosts => 1, options => 2, proto => 3, dport => 4, sport => 5 };
@@ -749,7 +749,7 @@ sub add_common_rules ( $ ) {
 	my $interfaceref = find_interface $interface;
-	unless ( $interfaceref->{options}{ignore} ) {
+	unless ( $interfaceref->{options}{ignore} & NO_SFILTER ) {
 	    my @filters = @{$interfaceref->{filter}};
@@ -1097,7 +1097,7 @@ sub setup_mac_lists( $ ) {
 	    first_entry "$doing $fn...";
-	    while ( read_a_line ) {
+	    while ( read_a_line( NORMAL_READ ) ) {
 		my ( $original_disposition, $interface, $mac, $addresses  ) = split_line1 'maclist file', { disposition => 0, interface => 1, mac => 2, addresses => 3 };
@@ -1316,9 +1316,15 @@ sub handle_loopback_traffic() {
    my @rule;
    if ( @zones > 1 ) {
 	#
 	# We have a vserver zone -- route output through a separate chain
 	#
 	$outchainref = new_standard_chain 'loopback';
 	add_ijump $filter_table->{OUTPUT}, j => $outchainref, o => 'lo';
    } else {
 	#
 	# Only the firewall -- just use the OUTPUT chain
 	#
 	$outchainref = $filter_table->{OUTPUT};
 	@rule = ( o => 'lo');
    }
@@ -1327,7 +1333,9 @@ sub handle_loopback_traffic() {
 	my $z1ref            = find_zone( $z1 );
 	my $type1            = $z1ref->{type};
 	my $natref           = $nat_table->{dnat_chain $z1};
-
+	#
 	# Add jumps in the 'output' chain to the rules chains
 	#
 	if ( $type1 == FIREWALL ) {
 	    for my $z2 ( @zones ) {
 		my $chain = rules_target( $z1, $z2 );
@@ -1341,6 +1349,9 @@ sub handle_loopback_traffic() {
 	}
 	if ( $natref && $natref->{referenced} ) {
 	    #
 	    # There are DNAT rules with this zone as the source --  add jumps from the nat OUTPUT chain
 	    #
 	    my $source_hosts_ref = defined_zone( $z1 )->{hosts};
 	    for my $typeref ( values %{$source_hosts_ref} ) {
@@ -1403,11 +1414,12 @@ sub add_interface_jumps {
 	if ( $interfaceref->{options}{port} ) {
 	    my $bridge = $interfaceref->{bridge};
 	    add_ijump ( $filter_table->{forward_chain $bridge},
 			j => 'ACCEPT',
 			imatch_source_dev( $interface, 1),
 			imatch_dest_dev( $interface, 1)
-		     ) unless $interfaceref->{nets} || ! $interfaceref->{options}{bridge};
+		     ) unless $interfaceref->{nets};
 	    add_ijump( $filter_table->{forward_chain $bridge} ,
 		       j => $forwardref ,
@@ -1442,56 +1454,30 @@ sub add_interface_jumps {
    handle_loopback_traffic;
 }
 # Generate the rules matrix.
 #
-# Stealing a comment from the Burroughs B6700 MCP Operating System source, "generate_matrix makes a sow's ear out of a silk purse".
+# Do the initial matrix processing for a complex zone
 #
-# The biggest disadvantage of the zone-policy-rule model used by Shorewall is that it doesn't scale well as the number of zones increases (Order N**2 where N = number of zones).
+sub handle_complex_zone( $$ ) {
-# A major goal of the rewrite of the compiler in Perl was to restrict those scaling effects to this function and the rules that it generates.
+    my ( $zone, $zoneref ) = @_;
-#
+
-# The function traverses the full "source-zone by destination-zone" matrix and generates the rules necessary to direct traffic through the right set of filter-table and 
+    our %input_jump_added;
-# nat-table rules.
+    our %output_jump_added;
-#
+    our %forward_jump_added;
-sub generate_matrix() {
+    our %ipsec_jump_added;
    my @interfaces = ( all_interfaces );
    #
-    # Should this be the real PREROUTING chain?
+    # Complex zone or we have more than two off-firewall zones -- Shorewall::Rules::classic_blacklist created a zone forwarding chain
    #
    my $preroutingref = ensure_chain 'nat', 'dnat';
    my $fw       = firewall_zone;
    my @zones    = off_firewall_zones;
    my @vservers = vserver_zones;
    my $notrackref = $raw_table->{notrack_chain $fw};
    my @state = $config{BLACKLISTNEWONLY} ? $globals{UNTRACKED} ? state_imatch 'NEW,INVALID,UNTRACKED' : state_imatch 'NEW,INVALID' : ();
    my $interface_jumps_added = 0;
    our %input_jump_added   = ();
    our %output_jump_added  = ();
    our %forward_jump_added = ();
    my  %ipsec_jump_added   = ();
    progress_message2 'Generating Rule Matrix...';
    progress_message  '  Handling complex zones...';
    #
    # Special processing for complex configurations
    #
    for my $zone ( @zones ) {
 	my $zoneref = find_zone( $zone );
 	next if  @zones <= 2 && ! $zoneref->{complex};
 	#
 	# Complex zone or we have more than one non-firewall zone -- process_rules created a zone forwarding chain
    #
    my $frwd_ref = $filter_table->{zone_forward_chain( $zone )};
    assert( $frwd_ref, $zone );
    #
    # Add Zone mark if any
    #
    add_ijump( $frwd_ref , j => 'MARK --set-mark ' . in_hex( $zoneref->{mark} ) . '/' . in_hex( $globals{ZONE_MASK} ) ) if $zoneref->{mark};
    if ( have_ipsec ) {
 	#
-	    # Because policy match only matches an 'in' or an 'out' policy (but not both), we have to place the
+	# Prior to KLUDGEFREE, policy match could only match an 'in' or an 'out' policy (but not both), so we place the
 	# '--pol ipsec --dir in' rules at the front of the (interface) forwarding chains. Otherwise, decrypted packets
 	# can match '--pol none --dir out' rules and send the packets down the wrong rules chain.
 	#
@@ -1504,32 +1490,57 @@ sub generate_matrix() {
 	    my $interfaceref = find_interface $interface;
 	    if ( use_forward_chain( $interface, $sourcechainref ) ) {
 		#
 		# Use the interface forward chain
 		#
 		if ( $interfaceref->{ports} && $interfaceref->{options}{bridge} ) {
 		    #
 		    # This is a bridge with ports
 		    #
 		    @interfacematch = imatch_source_dev $interface;
 		    #
 		    # Copy the rules from the interface forward chain to the zone forward chain unless they have already been copied
 		    #
 		    copy_rules( $sourcechainref, $frwd_ref, 1 ) unless $ipsec_jump_added{$zone}++;
 		    #
 		    # Jump directly from FORWARD to the zone forward chain
 		    #
 		    $sourcechainref = $filter_table->{FORWARD};
 		} elsif ( $interfaceref->{options}{port} ) {
 		    #
 		    # The forwarding chain for a bridge with ports is always used -- use physdev match for this interface
 		    #
 		    add_ijump( $filter_table->{ forward_chain $interfaceref->{bridge} } ,
 			       j => $sourcechainref ,
 			       imatch_source_dev( $interface , 1 ) )
 			unless $forward_jump_added{$interface}++;
 		} else {
 		    #
 		    # Add jump from FORWARD to the intrface forward chain
 		    #
 		    add_ijump $filter_table->{FORWARD} , j => $sourcechainref, imatch_source_dev( $interface ) unless $forward_jump_added{$interface}++;
 		}
 	    } else {
 		if ( $interfaceref->{options}{port} ) {
 		    #
 		    # The forwarding chain for a bridge with ports is always used -- use physdev match
 		    #
 		    $sourcechainref = $filter_table->{ forward_chain $interfaceref->{bridge} };
 		    @interfacematch = imatch_source_dev $interface, 1;
 		} else {
 		    $sourcechainref = $filter_table->{FORWARD};
 		    @interfacematch = imatch_source_dev $interface;
 		}
-
+		#
 		# copy any rules from the interface forward chain to the zone forward chain
 		#
 		move_rules( $filter_table->{forward_chain $interface} , $frwd_ref );
 	    }
 	    my $arrayref = $source_ref->{$interface};
-
+	    #
 	    # Now add the jumps from the source chain (interface forward or FORWARD) to the zone forward chain
 	    #
 	    for my $hostref ( @{$arrayref} ) {
 		my @ipsec_match = match_ipsec_in $zone , $hostref;
 		for my $net ( @{$hostref->{hosts}} ) {
@@ -1544,41 +1555,24 @@ sub generate_matrix() {
 	    }
 	}
    }
-    }
+}
 #
 # The passed zone is a sub-zone. We need to determine if
 #
 #   a) A parent zone defines DNAT/REDIRECT or notrack rules; and
 #   b) The current zone has a CONTINUE policy to some other zone.
 #
 # If a) but not b), then we must avoid sending packets from this
 # zone through the DNAT/REDIRECT or notrack chain for the parent.
 # 
 sub handle_nested_zone( $$ ) {
    my ( $zone, $zoneref ) = @_;
    #
-    # NOTRACK from firewall
+    # Function returns this 3-tuple
    #
-    add_ijump $raw_table->{OUTPUT}, j => $notrackref if $notrackref->{referenced};
+    my ( $nested, $parenthasnat, $parenthasnotrack ) = ( 1, 0, 0 );
    #
    # Main source-zone matrix-generation loop
    #
    progress_message '  Entering main matrix-generation loop...';
    for my $zone ( @zones ) {
 	my $zoneref          = find_zone( $zone );
 	my $source_hosts_ref = $zoneref->{hosts};
 	my $chain1           = rules_target firewall_zone , $zone;
 	my $chain2           = rules_target $zone, firewall_zone;
 	my $type             = $zoneref->{type};
 	my $frwd_ref         = $filter_table->{zone_forward_chain $zone};
 	my $chain            = 0;
 	my $dnatref          = ensure_chain 'nat' , dnat_chain( $zone );
 	my $notrackref       = ensure_chain 'raw' , notrack_chain( $zone );
 	my $nested           = @{$zoneref->{parents}};
 	my $parenthasnat     = 0;
 	my $parenthasnotrack = 0;
 	if ( $nested ) {
 	    #
 	    # This is a sub-zone. We need to determine if
 	    #
 	    #   a) A parent zone defines DNAT/REDIRECT or notrack rules; and
 	    #   b) The current zone has a CONTINUE policy to some other zone.
 	    #
 	    # If a) but not b), then we must avoid sending packets from this
 	    # zone through the DNAT/REDIRECT or notrack chain for the parent.
 	    #
    for my $parent ( @{$zoneref->{parents}} ) {
 	my $ref1 = $nat_table->{dnat_chain $parent} || {};
 	my $ref2 = $raw_table->{notrack_chain $parent} || {};
@@ -1604,78 +1598,102 @@ sub generate_matrix() {
 	#
 	$nested = 0;
    }
 	}
 	#
 	# Take care of PREROUTING, INPUT and OUTPUT jumps
 	#
 	for my $typeref ( values %$source_hosts_ref ) {
 	    for my $interface ( sort { interface_number( $a ) <=> interface_number( $b ) } keys %$typeref ) {
 		my $arrayref = $typeref->{$interface};
 		my $interfaceref = find_interface $interface;
 		my $isport = $interfaceref->{options}{port};
 		my $bridge = $interfaceref->{bridge};
-		if ( get_physical( $interface ) eq '+' ) {
+    ( $nested, $parenthasnat, $parenthasnotrack );
-		    #
+}
 		    # Insert the interface-specific jumps before this one which is not interface-specific
 		    #
 		    add_interface_jumps(@interfaces) unless $interface_jumps_added++;
 		}
-		for my $hostref ( @$arrayref ) {
+#
-		    my @ipsec_in_match  = match_ipsec_in  $zone , $hostref;
+# Add output jump to the passed zone:interface:hostref:net
-		    my @ipsec_out_match = match_ipsec_out $zone , $hostref;
+#
-		    my $exclusions = $hostref->{exclusions};
+sub add_output_jumps( $$$$$$$ ) {
    my ( $zone, $interface, $hostref, $net, $exclusions, $isport, $bridge, ) = @_;
-		    for my $net ( @{$hostref->{hosts}} ) {
+    our @vservers;
-			my @dest   = imatch_dest_net $net;
+    our %output_jump_added;
-			if ( $chain1 && ! ( zone_type( $zone) & BPORT ) ) {
+    my $chain1            = rules_target firewall_zone , $zone;
    my $chain1ref         = $filter_table->{$chain1};
    my $nextchain         = dest_exclusion( $exclusions, $chain1 );
    my $outputref;
    my $interfacechainref = $filter_table->{output_chain $interface};
    my @interfacematch;
    my $use_output        = 0;
    my @dest              = imatch_dest_net $net;
    my @ipsec_out_match   = match_ipsec_out $zone , $hostref;
    if ( @vservers || use_output_chain( $interface, $interfacechainref ) || ( @{$interfacechainref->{rules}} && ! $chain1ref ) ) {
 	#
 	# - There are vserver zones (so OUTPUT will have multiple source; or
 	# - We must use the interface output chain; or
 	# - There are rules in the interface chain and none in the rules chain
 	#
 	#   In any of these cases use the inteface output chain
 	#
 	$outputref = $interfacechainref;
 	if ( $isport ) {
 	    #
 	    # It is a bridge port zone -- use the bridges output chain and match the physdev
 	    #
 	    add_ijump( $filter_table->{ output_chain $bridge },
 		       j => $outputref ,
 		       imatch_dest_dev( $interface, 1 ) )
 		unless $output_jump_added{$interface}++;
 	} else {
 	    #
 	    # Not a bridge -- match the input interface
 	    #
 	    add_ijump $filter_table->{OUTPUT}, j => $outputref, imatch_dest_dev( $interface ) unless $output_jump_added{$interface}++;
 	}
 	$use_output = 1;
 	unless ( lc $net eq IPv6_LINKLOCAL ) {
-				    for my $vzone ( vserver_zones ) {
+	    #
 	    # Generate output rules for the vservers
 	    #
 	    for my $vzone ( @vservers ) {
 		generate_source_rules ( $outputref, $vzone, $zone, @dest );
 	    }
 	}
    } elsif ( $isport ) {
 	#
 	# It is a bridge port zone -- use the bridges output chain and match the physdev
 	#
 	$outputref = $filter_table->{ output_chain $bridge };
 	@interfacematch = imatch_dest_dev $interface, 1;
    } else {
 	#
 	# Just put the jump in the OUTPUT chain
 	#
 	$outputref = $filter_table->{OUTPUT};
 	@interfacematch = imatch_dest_dev $interface;
    }
-
+    #
    #  Add the jump
    # 
    add_ijump $outputref , j => $nextchain, @interfacematch, @dest, @ipsec_out_match;
-
+    #
    #  Add jump for broadcast
    #
    add_ijump( $outputref , j => $nextchain, @interfacematch, d => '255.255.255.255' , @ipsec_out_match )
 	if $family == F_IPV4 && $hostref->{options}{broadcast};
-
+    #
    # Move the rules from the interface output chain if we didn't use it
    #
    move_rules( $interfacechainref , $chain1ref ) unless $use_output;
-			}
+}
-			clearrule;
+#
 # Add prerouting jumps from the passed zone:interface:hostref:net
 #
 sub add_prerouting_jumps( $$$$$$$$ ) {
    my ( $zone, $interface, $hostref, $net, $exclusions, $nested, $parenthasnat, $parenthasnotrack ) = @_;
-			next if $hostref->{options}{destonly};
+    my $dnatref         = $nat_table->{dnat_chain( $zone )};
    my $preroutingref   = $nat_table->{PREROUTING};
    my $notrackref      = ensure_chain 'raw' , notrack_chain( $zone );
    my @ipsec_in_match  = match_ipsec_in  $zone , $hostref;
    my @source = imatch_source_net $net;
@@ -1690,13 +1708,6 @@ sub generate_matrix() {
 		   @source,
 		   @ipsec_in_match );
 			    if ( get_physical( $interface ) eq '+' ) {
 				#
 				# The jump from the PREROUTING chain to dnat may not have been added above
 				# 
 				addnatjump 'PREROUTING', 'dnat' unless $preroutingref->{references}{PREROUTING};
 			    }
 	check_optimization( $dnatref ) if @source;
    }
@@ -1707,7 +1718,6 @@ sub generate_matrix() {
 	#
 	add_ijump $raw_table->{PREROUTING}, j => source_exclusion( $exclusions, $notrackref), imatch_source_dev( $interface), @source, @ipsec_in_match;
    }
    #
    # If this zone has parents with DNAT/REDIRECT or notrack rules and there are no CONTINUE polcies with this zone as the source
    # then add a RETURN jump for this source network.
@@ -1716,90 +1726,157 @@ sub generate_matrix() {
 	add_ijump $preroutingref,           j => 'RETURN', imatch_source_dev( $interface), @source, @ipsec_in_match if $parenthasnat;
 	add_ijump $raw_table->{PREROUTING}, j => 'RETURN', imatch_source_dev( $interface), @source, @ipsec_in_match if $parenthasnotrack;
    }
 }
 #
 # Add input jump from the passed zone:interface:hostref:net
 #
 sub add_input_jumps( $$$$$$$$ ) {
    my ( $zone, $interface, $hostref, $net, $exclusions, $frwd_ref, $isport, $bridge ) = @_;
    our @vservers;
    our %input_jump_added;
    my $chain2            = rules_target $zone, firewall_zone;
    my $chain2ref         = $filter_table->{$chain2};
    my $inputchainref;
    my $interfacechainref = $filter_table->{input_chain $interface};
    my @interfacematch;
    my $use_input;
    my @source            = imatch_source_net $net;
    my @ipsec_in_match    = match_ipsec_in  $zone , $hostref;
    if ( @vservers || use_input_chain( $interface, $interfacechainref ) || ! $chain2 || ( @{$interfacechainref->{rules}} && ! $chain2ref ) ) {
 	#
 	# - There are vserver zones (so INPUT will have multiple destinations; or
 	# - We must use the interface input chain; or
 	# - The zone->firewall policy is CONTINUE; or
 	# - There are rules in the interface chain and none in the rules chain
 	#
 	#   In any of these cases use the inteface input chain
 	#
 	$inputchainref = $interfacechainref;
 	if ( $isport ) {
 	    #
 	    # It is a bridge port zone -- use the bridges input chain and match the physdev
 	    #
 	    add_ijump( $filter_table->{ input_chain $bridge },
 		       j => $inputchainref ,
 		       imatch_source_dev($interface, 1) )
 		unless $input_jump_added{$interface}++;
 	} else {
 	    #
 	    # Not a bridge -- match the input interface
 	    #
 	    add_ijump $filter_table->{INPUT}, j => $inputchainref, imatch_source_dev($interface) unless $input_jump_added{$interface}++;
 	}
 	$use_input = 1;
 	unless ( lc $net eq IPv6_LINKLOCAL ) {
 	    #
 	    # Generate input rules for the vservers
 	    #
 	    for my $vzone ( @vservers ) {
 		my $target = rules_target( $zone, $vzone );
 		generate_dest_rules( $inputchainref, $target, $vzone, @source, @ipsec_in_match ) if $target;
 	    }
 	}
    } elsif ( $isport ) {
 	#
 	# It is a bridge port zone -- use the bridges input chain and match the physdev
 	#
 	$inputchainref = $filter_table->{ input_chain $bridge };
 	@interfacematch = imatch_source_dev $interface, 1;
    } else {
 	#
 	# Just put the jump in the INPUT chain
 	#
 	$inputchainref = $filter_table->{INPUT};
 	@interfacematch = imatch_source_dev $interface;
    }
    if ( $chain2 ) {
 	#
 	# Add the jump from the input chain to the rules chain
 	#
 	add_ijump $inputchainref, j => source_exclusion( $exclusions, $chain2 ), @interfacematch, @source, @ipsec_in_match;
 	move_rules( $interfacechainref , $chain2ref ) unless $use_input;
    }
 }
 #
 # This function is called when there is forwarding and this net isn't IPSEC protected. It adds the jump for this net to the zone forwarding chain.
 #
 sub add_forward_jump( $$$$$$$$ ) {
    my ( $zone, $interface, $hostref, $net, $exclusions, $frwd_ref, $isport, $bridge ) = @_;
    our %forward_jump_added;
    my @source            = imatch_source_net $net;
    my @ipsec_in_match    = match_ipsec_in  $zone , $hostref;
 			if ( $frwd_ref && $hostref->{ipsec} ne 'ipsec' ) {
    my $ref = source_exclusion( $exclusions, $frwd_ref );
    my $forwardref = $filter_table->{forward_chain $interface};
    if ( use_forward_chain $interface, $forwardref ) {
 	#
 	# We must use the interface forwarding chain -- add the jump from the interface forward chain to the zone forward chain.
 	#
 	add_ijump $forwardref , j => $ref, @source, @ipsec_in_match;
 	if ( $isport ) {
 	    #
 	    # It is a bridge port zone -- use the bridges input chain and match the physdev
 	    #
 	    add_ijump( $filter_table->{ forward_chain $bridge } ,
 		       j => $forwardref ,
 		       imatch_source_dev( $interface , 1 ) )
 		unless $forward_jump_added{$interface}++;
 	} else {
 	    #
 	    # Not a bridge -- match the input interface
 	    #
 	    add_ijump $filter_table->{FORWARD} , j => $forwardref, imatch_source_dev( $interface ) unless $forward_jump_added{$interface}++;
 	}
    } else {
 	if ( $isport ) {
 	    #
 	    # It is a bridge port zone -- use the bridges input chain and match the physdev
 	    #
 	    add_ijump( $filter_table->{ forward_chain $bridge } ,
 		       j => $ref ,
 		       imatch_source_dev( $interface, 1 ) ,
 		       @source,
 		       @ipsec_in_match );
 	} else {
 	    #
 	    # Not a bridge -- match the input interface
 	    #
 	    add_ijump $filter_table->{FORWARD} , j => $ref, imatch_source_dev( $interface ) , @source, @ipsec_in_match;
 	}
 	move_rules ( $forwardref , $frwd_ref );
    }
-			}
+}
 		    }
 		}
 	    }
 	}
-	#
+#
-	#                           F O R W A R D I N G
+# Generate the list of destination zones from the passed source zone when optimization level 1 is selected
-	#
+#
-	my @dest_zones;
+# - Drop zones where the policy to that zone is 'NONE'
 # - Drop this zone if it has only one interface without 'routeback'
 # - Drop BPORT zones that are not on the same bridge
 # - Eliminate duplicate zones that have the same '2all' (-all) rules chain.
 #
 sub optimize1_zones( $$@ ) {
    my $zone    = shift;
    my $zoneref = shift;
    my $last_chain = '';
-
+    my @dest_zones;
 	if ( $config{OPTIMIZE} & 1 ) {
    my @temp_zones;
-	    for my $zone1 ( @zones )  {
+    for my $zone1 ( @_ )  {
 	my $zone1ref = find_zone( $zone1 );
 	my $policy = $filter_table->{rules_chain( ${zone}, ${zone1} )}->{policy};
@@ -1839,12 +1916,137 @@ sub generate_matrix() {
 	push @dest_zones, @temp_zones;
 	$last_chain = '';
    }
    ( $last_chain, @dest_zones );
 }
 # Generate the rules matrix.
 #
 # Stealing a comment from the Burroughs B6700 MCP Operating System source, "generate_matrix makes a sow's ear out of a silk purse".
 #
 # The biggest disadvantage of the zone-policy-rule model used by Shorewall is that it doesn't scale well as the number of zones increases (Order N**2 where N = number of zones).
 # A major goal of the rewrite of the compiler in Perl was to restrict those scaling effects to this function and the rules that it generates.
 #
 # The function traverses the full "source-zone by destination-zone" matrix and generates the rules necessary to direct traffic through the right set of filter-table and
 # nat-table rules.
 #
 sub generate_matrix() {
    my @interfaces = ( all_interfaces );
    #
    # Should this be the real PREROUTING chain?
    #
    my @zones     = off_firewall_zones;
    our @vservers = vserver_zones;
    my $interface_jumps_added = 0;
    our %input_jump_added   = ();
    our %output_jump_added  = ();
    our %forward_jump_added = ();
    our %ipsec_jump_added   = ();
    progress_message2 'Generating Rule Matrix...';
    progress_message  '  Handling complex zones...';
    #
    # Special processing for configurations with more than 2 off-firewall zones or with other special considerations like IPSEC.
    # Don't be tempted to move this logic into the zone loop below -- it won't work.
    #
    for my $zone ( @zones ) {
 	my $zoneref = find_zone( $zone );
 	if ( @zones > 2 || $zoneref->{complex} ) {
 	    handle_complex_zone( $zone, $zoneref );
 	} else {
 	    new_standard_chain zone_forward_chain( $zone ) if @zones > 1;
 	}
    }
    #
    # NOTRACK from firewall
    #
    if ( ( my $notrackref = $raw_table->{notrack_chain(firewall_zone)}) ) {
 	add_ijump $raw_table->{OUTPUT}, j => $notrackref if $notrackref->{referenced};
    }
    #
    # Main source-zone matrix-generation loop
    #
    progress_message '  Entering main matrix-generation loop...';
    for my $zone ( @zones ) {
 	my $zoneref          = find_zone( $zone );
 	my $source_hosts_ref = $zoneref->{hosts};
 	my $frwd_ref         = $filter_table->{zone_forward_chain $zone};
 	my $nested           = @{$zoneref->{parents}};
 	my $parenthasnat     = 0;
 	my $parenthasnotrack = 0;
 	#
 	# Create the zone's dnat chain
 	#
 	ensure_chain 'nat', dnat_chain( $zone );
 	( $nested, $parenthasnat, $parenthasnotrack) = handle_nested_zone( $zone, $zoneref ) if $nested;
 	#
 	# Take care of PREROUTING, INPUT and OUTPUT jumps
 	#
 	for my $typeref ( values %$source_hosts_ref ) {
 	    for my $interface ( sort { interface_number( $a ) <=> interface_number( $b ) } keys %$typeref ) {
 		if ( get_physical( $interface ) eq '+' ) {
 		    #
 		    # Insert the interface-specific jumps before this one which is not interface-specific
 		    #
 		    add_interface_jumps(@interfaces) unless $interface_jumps_added++;
 		}
 		my $interfaceref  = find_interface $interface;
 		my $isport        = $interfaceref->{options}{port};
 		my $bridge        = $interfaceref->{bridge};
 		for my $hostref ( @{$typeref->{$interface}} ) {
 		    my $exclusions = $hostref->{exclusions};
 		    for my $net ( @{$hostref->{hosts}} ) {
 			#
 			# OUTPUT
 			#
 			if ( rules_target( firewall_zone, $zone ) && ! ( zone_type( $zone) & BPORT ) ) {
 			    #
 			    # Policy from the firewall to this zone is not 'CONTINUE' and this isn't a bport zone
 			    #
 			    add_output_jumps( $zone, $interface, $hostref, $net, $exclusions, $isport, $bridge );
 			}
 			clearrule;
 			unless( $hostref->{options}{destonly} ) {
 			    #
 			    # PREROUTING
 			    #
 			    add_prerouting_jumps( $zone, $interface, $hostref, $net, $exclusions, $nested, $parenthasnat, $parenthasnotrack );
 			    #
 			    # INPUT
 			    #
 			    add_input_jumps( $zone, $interface, $hostref, $net, $exclusions, $frwd_ref, $isport, $bridge );
 			    #
 			    # FORWARDING Jump for non-IPSEC host group
 			    #
 			    add_forward_jump( $zone, $interface, $hostref, $net, $exclusions, $frwd_ref, $isport, $bridge ) if $frwd_ref && $hostref->{ipsec} ne 'ipsec';
 			}
 		    } # Subnet Loop
 		} # Hostref Loop
 	    } # Interface Loop
 	} #Type Loop
 	if ( $frwd_ref ) {
 	    #
 	    #                                            F O R W A R D I N G
 	    #
 	    my @dest_zones;
 	    my $last_chain = '';
 	    if ( $config{OPTIMIZE} & 1 ) {
 		( $last_chain , @dest_zones ) = optimize1_zones($zone, $zoneref, @zones );
 	    } else {
 		@dest_zones =  @zones ;
 	    }
 	    #
 	# Here it is -- THE BIG UGLY!!!!!!!!!!!!
 	#
 	    # We now loop through the destination zones creating jumps to the rules chain for each source/dest combination.
 	    # @dest_zones is the list of destination zones that we need to handle from this source zone
 	    #
@@ -1869,10 +2071,6 @@ sub generate_matrix() {
 		my $chainref = $filter_table->{$chain}; #Will be null if $chain is a Netfilter Built-in target like ACCEPT
 	    if ( $frwd_ref ) {
 		#
 		# Simple case -- the source zone has it's own forwarding chain
 		#
 		for my $typeref ( values %{$zone1ref->{hosts}} ) {
 		    for my $interface ( sort { interface_number( $a ) <=> interface_number( $b ) } keys %$typeref ) {
 			for my $hostref ( @{$typeref->{$interface}} ) {
@@ -1887,81 +2085,6 @@ sub generate_matrix() {
 			}
 		    }
 		}
 	    } else {
 		#
 		# More compilcated case. If the interface is associated with a single simple zone, we try to combine the interface's forwarding chain with the rules chain
 		#
 		for my $typeref ( values %$source_hosts_ref ) {
 		    for my $interface ( keys %$typeref ) {
 			my $interfaceref = find_interface $interface;
 			my $chain3ref;
 			my @match_source_dev;
 			my $forwardchainref = $filter_table->{forward_chain $interface};
 			if ( use_forward_chain( $interface , $forwardchainref ) || ( @{$forwardchainref->{rules} } && ! $chainref ) ) {
 			    #
 			    # Either we must use the interface's forwarding chain or that chain has rules and we have nowhere to move them
 			    #
 			    $chain3ref = $forwardchainref;
 			    if ( $interfaceref->{options}{port} ) {
 				add_ijump( $filter_table->{ forward_chain $interfaceref->{bridge} } ,
 					   j => $chain3ref,
 					   imatch_source_dev( $interface , 1 ) )
 				    unless $forward_jump_added{$interface}++;
 			    } else {
 				add_ijump $filter_table->{FORWARD} , j => $chain3ref, imatch_source_dev( $interface ) unless $forward_jump_added{$interface}++;
 			    }
 			} else {
 			    #
 			    # Don't use the interface's forward chain -- move any rules in that chain to this rules chain
 			    #
 			    if ( $interfaceref->{options}{port} ) {
 				$chain3ref  = $filter_table->{ forward_chain $interfaceref->{bridge} };
 				@match_source_dev = imatch_source_dev $interface, 1;
 			    } else {
 				$chain3ref  = $filter_table->{FORWARD};
 				@match_source_dev = imatch_source_dev $interface;
 			    }
 			    move_rules $forwardchainref, $chainref;
 			}
 			for my $hostref ( @{$typeref->{$interface}} ) {
 			    next if $hostref->{options}{destonly};
 			    my $excl3ref = source_exclusion( $hostref->{exclusions}, $chain3ref );
 			    for my $net ( @{$hostref->{hosts}} ) {
 				for my $type1ref ( values %{$zone1ref->{hosts}} ) {
 				    for my $interface1 ( keys %$type1ref ) {
 					my $array1ref = $type1ref->{$interface1};
 					for my $host1ref ( @$array1ref ) {
 					    next if $host1ref->{options}{sourceonly};
 					    my @ipsec_out_match = match_ipsec_out $zone1 , $host1ref;
 					    my $dest_exclusion  = dest_exclusion( $host1ref->{exclusions}, $chain );
 					    for my $net1 ( @{$host1ref->{hosts}} ) {
 						unless ( $interface eq $interface1 && $net eq $net1 && ! $host1ref->{options}{routeback} ) {
 						    #
 						    # We defer evaluation of the source net match to accomodate systems without $capabilities{KLUDEFREE};
 						    #
 						    add_ijump(
 							      $excl3ref ,
 							      j => $dest_exclusion,
 							      @match_source_dev,
 							      imatch_dest_dev($interface1),
 							      imatch_source_net($net),
 							      imatch_dest_net($net1),
 							      @ipsec_out_match
 							     );
 						}
 					    }
 					}
 				    }
 				}
 			    }
 			}
 		    }
 		}
 	    }
 	    }
 	    #
 	    #                                      E N D   F O R W A R D I N G
@@ -1969,7 +2092,8 @@ sub generate_matrix() {
 	    # Now add an unconditional jump to the last unique policy-only chain determined above, if any
 	    #
 	    add_ijump $frwd_ref , g => $last_chain if $frwd_ref && $last_chain;
-    }
+	} # Forwarding required
    } # Source Zone Loop
    progress_message '  Finishing matrix...';
--- a/Shorewall/Perl/Shorewall/Nat.pm
+++ b/Shorewall/Perl/Shorewall/Nat.pm
@@ -35,7 +35,11 @@ use strict;
 our @ISA = qw(Exporter);
 our @EXPORT = qw( setup_masq setup_nat setup_netmap add_addresses );
 our %EXPORT_TAGS = ( rules => [ qw ( handle_nat_rule handle_nonat_rule ) ] );
 our @EXPORT_OK = ();
 Exporter::export_ok_tags('rules');
 our $VERSION = 'MODULEVERSION';
 my @addresses_to_add;
@@ -54,8 +58,8 @@ sub initialize() {
 #
 sub process_one_masq( )
 {
-    my ($interfacelist, $networks, $addresses, $proto, $ports, $ipsec, $mark, $user, $condition ) = 
+    my ($interfacelist, $networks, $addresses, $proto, $ports, $ipsec, $mark, $user, $condition, $origdest ) =
-	split_line1 'masq file', { interface => 0, source => 1, address => 2, proto => 3, port => 4, ipsec => 5, mark => 6, user => 7, switch => 8 };
+	split_line1 'masq file', { interface => 0, source => 1, address => 2, proto => 3, port => 4, ipsec => 5, mark => 6, user => 7, switch => 8, origdest => 9 };
    if ( $interfacelist eq 'COMMENT' ) {
 	process_comment;
@@ -233,7 +237,7 @@ sub process_one_masq( )
 		     $baserule . $rule ,
 		     $networks ,
 		     $destnets ,
-		     '' ,
+		     $origdest ,
 		     $target ,
 		     '' ,
 		     '' ,
@@ -276,7 +280,7 @@ sub setup_masq()
 	first_entry( sub { progress_message2 "$doing $fn..."; require_capability 'NAT_ENABLED' , 'a non-empty masq file' , 's'; } );
-	process_one_masq while read_a_line;
+	process_one_masq while read_a_line( NORMAL_READ );
 	clear_comment;
    }
@@ -373,7 +377,7 @@ sub setup_nat() {
 	first_entry( sub { progress_message2 "$doing $fn..."; require_capability 'NAT_ENABLED' , 'a non-empty nat file' , 's'; } );
-	while ( read_a_line ) {
+	while ( read_a_line( NORMAL_READ ) ) {
 	    my ( $external, $interfacelist, $internal, $allints, $localnat ) = split_line1 'nat file', { external => 0, interface => 1, internal => 2, allints => 3, local => 4 };
@@ -409,7 +413,7 @@ sub setup_netmap() {
 	first_entry "$doing $fn...";
-	while ( read_a_line ) {
+	while ( read_a_line( NORMAL_READ ) ) {
 	    my ( $type, $net1, $interfacelist, $net2, $net3, $proto, $dport, $sport ) = split_line 'netmap file', { type => 0, net1 => 1, interface => 2, net2 => 3, net3 => 4, proto => 5, dport => 6, sport => 7 };
@@ -514,6 +518,226 @@ sub setup_netmap() {
 }
 #
 # Called from process_rule1 to add a rule to the NAT table
 #
 sub handle_nat_rule( $$$$$$$$$$$$ ) {
    my ( $dest,           # <server>[:port]
 	 $proto,          # Protocol
 	 $ports,          # Destination port list
 	 $origdest,       # Original Destination
 	 $action_target,  # If the target is an action, the name of the log action chain to jump to
 	 $action,         # The Action
 	 $sourceref,      # Reference to the Source Zone's table entry in the Zones module
 	 $action_chain,   # Name of the action chain if the rule is in an action
 	 $rule,           # Matches 
 	 $source,         # Source Address
 	 $loglevel,       # [<level>[:<tag>]]
 	 $log_action,     # Action name to include in the log message
       ) = @_;
    my ( $server, $serverport , $origdstports ) = ( '', '', '' );
    my $randomize = $dest =~ s/:random$// ? ' --random' : '';
    #
    # Isolate server port
    #
    if ( $dest =~ /^(.*)(?::(.+))$/ ) {
 	#
 	# Server IP and Port
 	#
 	$server = $1;      # May be empty
 	$serverport = $2;  # Not Empty due to RE
 	$origdstports = validate_port( $proto, $ports )	if $ports && $ports ne '-' && port_count( $ports ) == 1;
 	if ( $serverport =~ /^(\d+)-(\d+)$/ ) {
 	    #
 	    # Server Port Range
 	    #
 	    fatal_error "Invalid port range ($serverport)" unless $1 < $2;
 	    my @ports = ( $1, $2 );
 	    $_ = validate_port( proto_name( $proto ), $_) for ( @ports );
 	    ( $ports = $serverport ) =~ tr/-/:/;
 	} else {
 	    $serverport = $ports = validate_port( proto_name( $proto ), $serverport );
 	}
    } elsif ( $dest ne ':' ) {
 	#
 	# Simple server IP address (may be empty or "-")
 	#
 	$server = $dest;
    }
    #
    # Generate the target
    #
    my $target = '';
    if ( $action eq 'REDIRECT' ) {
 	fatal_error "A server IP address ($server) may not be specified in a REDIRECT rule" if $server;
 	$target  = 'REDIRECT';
 	$target .= " --to-port $serverport" if $serverport;
 	if ( $origdest eq '' || $origdest eq '-' ) {
 	    $origdest = ALLIP;
 	} elsif ( $origdest eq 'detect' ) {
 	    fatal_error 'ORIGINAL DEST "detect" is invalid in an action' if $action_chain;
 	    if ( $config{DETECT_DNAT_IPADDRS} ) {
 		my $interfacesref = $sourceref->{interfaces};
 		my @interfaces = keys %$interfacesref;
 		$origdest = @interfaces ? "detect:@interfaces" : ALLIP;
 	    } else {
 		$origdest = ALLIP;
 	    }
 	}
    } elsif ( $action_target ) {
 	fatal_error "A server port ($serverport) is not allowed in $action rule" if $serverport;
 	$target = $action_target;
    } else {
 	if ( $server eq '' ) {
 	    fatal_error "A server and/or port must be specified in the DEST column in $action rules" unless $serverport;
 	} elsif ( $server =~ /^(.+)-(.+)$/ ) {
 	    validate_range( $1, $2 );
 	} else {
 	    unless ( $server eq ALLIP ) {
 		my @servers = validate_address $server, 1;
 		$server = join ',', @servers;
 	    }
 	}
 	if ( $action eq 'DNAT' ) {
 	    $target = $action;
 	    if ( $server ) {
 		$serverport = ":$serverport" if $serverport;
 		for my $serv ( split /,/, $server ) {
 		    $target .= " --to-destination ${serv}${serverport}";
 		}
 	    } else {
 		$target .= " --to-destination :$serverport";
 	    }
 	}
 	unless ( $origdest && $origdest ne '-' && $origdest ne 'detect' ) {
 	    if ( ! $action_chain && $config{DETECT_DNAT_IPADDRS} ) {
 		my $interfacesref = $sourceref->{interfaces};
 		my @interfaces = keys %$interfacesref;
 		$origdest = @interfaces ? "detect:@interfaces" : ALLIP;
 	    } else {
 		$origdest = ALLIP;
 	    }
 	}
    }
    $target .= $randomize;
    #
    # And generate the nat table rule(s)
    #
    expand_rule ( ensure_chain ('nat' ,
 				( $action_chain ?
 				  $action_chain :
 				  ( $sourceref->{type} == FIREWALL ? 'OUTPUT' : 
 				    dnat_chain $sourceref->{name} ) ) ),
 		  PREROUTE_RESTRICT ,
 		  $rule ,
 		  $source ,
 		  $origdest ,
 		  '' ,
 		  $target ,
 		  $loglevel ,
 		  $log_action ,
 		  $serverport ? do_proto( $proto, '', '' ) : '',
 		);
    ( $ports, $origdstports, $server );
 }
 #
 # Called from process_rule1() to handle the nat table part of the NONAT and ACCEPT+ actions
 #
 sub handle_nonat_rule( $$$$$$$$$$ ) {
    my ( $action, $source, $dest, $origdest, $sourceref, $inaction, $chain, $loglevel, $log_action, $rule ) = @_;
    my $sourcezone = $sourceref->{name};
    #
    # NONAT or ACCEPT+ may not specify a destination interface
    #
    fatal_error "Invalid DEST ($dest) in $action rule" if $dest =~ /:/;
    $origdest = '' unless $origdest and $origdest ne '-';
    if ( $origdest eq 'detect' ) {
 	my $interfacesref = $sourceref->{interfaces};
 	my $interfaces = [ ( keys %$interfacesref ) ];
 	$origdest = $interfaces ? "detect:@$interfaces" : ALLIP;
    }
    my $tgt = 'RETURN';
    my $nonat_chain;
    my $chn;
    if ( $inaction ) {
 	$nonat_chain = ensure_chain( 'nat', $chain );
    } elsif ( $sourceref->{type} == FIREWALL ) {
 	$nonat_chain = $nat_table->{OUTPUT};
    } else {
 	$nonat_chain = ensure_chain( 'nat', dnat_chain( $sourcezone ) );
 	my @interfaces = keys %{zone_interfaces $sourcezone};
 	for ( @interfaces ) {
 	    my $ichain = input_chain $_;
 	    if ( $nat_table->{$ichain} ) {
 		#
 		# Static NAT is defined on this interface
 		#
 		$chn = new_chain( 'nat', newnonatchain ) unless $chn;
 		add_ijump $chn, j => $nat_table->{$ichain}, @interfaces > 1 ? imatch_source_dev( $_ )  : ();
 	    }
 	}
 	if ( $chn ) {
 	    #
 	    # Call expand_rule() to correctly handle logging. Because
 	    # the 'logname' argument is passed, expand_rule() will
 	    # not create a separate logging chain but will rather emit
 	    # any logging rule in-line.
 	    #
 	    expand_rule( $chn,
 			 PREROUTE_RESTRICT,
 			 '', # Rule
 			 '', # Source
 			 '', # Dest
 			 '', # Original dest
 			 'ACCEPT',
 			 $loglevel,
 			 $log_action,
 			 '',
 			 dnat_chain( $sourcezone  ) );
 	    $loglevel = '';
 	    $tgt = $chn->{name};
 	} else {
 	    $tgt = 'ACCEPT';
 	}
    }
    set_optflags( $nonat_chain, DONT_MOVE | DONT_OPTIMIZE ) if $tgt eq 'RETURN';
    expand_rule( $nonat_chain ,
 		 PREROUTE_RESTRICT ,
 		 $rule ,
 		 $source ,
 		 $dest ,
 		 $origdest ,
 		 $tgt,
 		 $loglevel ,
 		 $log_action ,
 		 '',
 	       );
 }
 sub add_addresses () {
    if ( @addresses_to_add ) {
 	my @addrs = @addresses_to_add;
--- a/Shorewall/Perl/Shorewall/Providers.pm
+++ b/Shorewall/Perl/Shorewall/Providers.pm
@@ -39,7 +39,9 @@ our @EXPORT = qw( process_providers
 		  @routemarked_interfaces
 		  handle_stickiness
 		  handle_optional_interfaces
 		  compile_updown
 		  setup_load_distribution
 		  have_providers
 	       );
 our @EXPORT_OK = qw( initialize lookup_provider );
 our $VERSION = '4.4_24';
@@ -60,9 +62,11 @@ my  @load_interfaces;
 my $balancing;
 my $fallback;
 my $metrics;
 my $first_default_route;
 my $first_fallback_route;
 my $maxload;
 my $tproxies;
 my %providers;
@@ -95,9 +99,11 @@ sub initialize( $ ) {
    @load_interfaces        = ();
    $balancing              = 0;
    $fallback               = 0;
    $metrics                = 0;
    $first_default_route    = 1;
    $first_fallback_route   = 1;
    $maxload                = 0;
    $tproxies               = 0;
    %providers  = ( local   => { number => LOCAL_TABLE   , mark => 0 , optional => 0 ,routes => [], rules => [] } ,
 		    main    => { number => MAIN_TABLE    , mark => 0 , optional => 0 ,routes => [], rules => [] } ,
@@ -396,8 +402,8 @@ sub process_a_provider() {
 	$gateway = '';
    }
-    my ( $loose, $track,                   $balance , $default, $default_balance,                $optional,                           $mtu, $local , $load ) =
+    my ( $loose, $track,                   $balance , $default, $default_balance,                $optional,                           $mtu, $tproxy , $local, $load ) =
-	(0,      $config{TRACK_PROVIDERS}, 0 ,        0,        $config{USE_DEFAULT_RT} ? 1 : 0, interface_is_optional( $interface ), ''  , 0      , 0 );
+	(0,      $config{TRACK_PROVIDERS}, 0 ,        0,        $config{USE_DEFAULT_RT} ? 1 : 0, interface_is_optional( $interface ), ''  , 0       , 0,      0 );
    unless ( $options eq '-' ) {
 	for my $option ( split_list $options, 'option' ) {
@@ -435,7 +441,12 @@ sub process_a_provider() {
 		$default = -1;
 		$default_balance = 0;
 	    } elsif ( $option eq 'local' ) {
-		$local = 1;
+		warning_message q(The 'local' provider option is deprecated in favor of 'tproxy');
 		$local = $tproxy = 1;
 		$track  = 0           if $config{TRACK_PROVIDERS};
 		$default_balance = 0  if $config{USE_DEFAULT_RT};
 	    } elsif ( $option eq 'tproxy' ) {
 		$tproxy = 1;
 		$track  = 0           if $config{TRACK_PROVIDERS};
 		$default_balance = 0  if $config{USE_DEFAULT_RT};
 	    } elsif ( $option =~ /^load=(0?\.\d{1,8})/ ) {
@@ -459,7 +470,13 @@ sub process_a_provider() {
 	fatal_error "GATEWAY not valid with 'local' provider"  unless $gatewaycase eq 'none';
 	fatal_error "'track' not valid with 'local'"           if $track;
 	fatal_error "DUPLICATE not valid with 'local'"         if $duplicate ne '-';
-	fatal_error "MARK required with 'local'"              unless $mark;
+    } elsif ( $tproxy ) {
 	fatal_error "Only one 'tproxy' provider is allowed"    if $tproxies++;
 	fatal_error "GATEWAY not valid with 'tproxy' provider" unless $gatewaycase eq 'none';
 	fatal_error "'track' not valid with 'tproxy'"          if $track;
 	fatal_error "DUPLICATE not valid with 'tproxy'"        if $duplicate ne '-';
 	fatal_error "MARK not allowed with 'tproxy'"           if $mark ne '-';
 	$mark = $globals{TPROXY_MARK};
    }
    my $val = 0;
@@ -471,6 +488,10 @@ sub process_a_provider() {
 	require_capability( 'MANGLE_ENABLED' , 'Provider marks' , '' );
 	if ( $tproxy && ! $local ) {
 	    $val = $globals{TPROXY_MARK};
 	    $pref = 1;
 	} else {
 	    $val = numeric_value $mark;
 	    fatal_error "Invalid Mark Value ($mark)" unless defined $val && $val;
@@ -485,10 +506,11 @@ sub process_a_provider() {
 		fatal_error "Duplicate mark value ($mark)" if numeric_value( $providerref->{mark} ) == $val;
 	    }
 	$pref = 10000 + $number - 1;
 	    $lastmark = $val;
 	    $pref = 10000 + $number - 1;
 	}
    }
    unless ( $loose ) {
@@ -527,6 +549,7 @@ sub process_a_provider() {
 			   duplicate   => $duplicate ,
 			   address     => $address ,
 			   local       => $local ,
 			   tproxy      => $tproxy ,
 			   load        => $load ,
 			   rules       => [] ,
 			   routes      => [] ,
@@ -579,6 +602,7 @@ sub add_a_provider( $$ ) {
    my $duplicate   = $providerref->{duplicate};
    my $address     = $providerref->{address};
    my $local       = $providerref->{local};
    my $tproxy      = $providerref->{tproxy};
    my $load        = $providerref->{load};
    my $dev         = chain_base $physical;
@@ -600,7 +624,7 @@ sub add_a_provider( $$ ) {
 	$provider_interfaces{$interface} = $table;
 	if ( $gatewaycase eq 'none' ) {
-	    if ( $local ) {
+	    if ( $tproxy ) {
 		emit 'run_ip route add local ' . ALLIP . " dev $physical table $number";
 	    } else {
 		emit "run_ip route add default dev $physical table $number";
@@ -608,7 +632,8 @@ sub add_a_provider( $$ ) {
 	}
    }
-    emit( qq(echo $load > \${VARDIR}/${physical}_load) ) if $load;
+    emit( "echo $load > \${VARDIR}/${physical}_load",
 	  'echo ' . in_hex( $mark ) . '/' . in_hex( $globals{PROVIDER_MASK} ) . " > \${VARDIR}/${physical}_mark" ) if $load;
    emit( '',
 	  "cat <<EOF >> \${VARDIR}/undo_${table}_routing" );
@@ -618,6 +643,7 @@ sub add_a_provider( $$ ) {
    emit_unindented '        ;;';
    emit_unindented '    *)';
    emit_unindented "        rm -f \${VARDIR}/${physical}_load" if $load;
    emit_unindented "        rm -f \${VARDIR}/${physical}_mark" if $load;
    emit_unindented <<"CEOF", 1;
        rm -f \${VARDIR}/${physical}.status
        ;;
@@ -630,12 +656,13 @@ CEOF
    setup_interface_proc( $interface );
    if ( $mark ne '-' ) {
-	my $mask = have_capability 'FWMARK_RT_MASK' ? '/' . in_hex $globals{PROVIDER_MASK} : '';
+	my $hexmark = in_hex( $mark );
 	my $mask = have_capability 'FWMARK_RT_MASK' ? '/' . in_hex( $globals{ $tproxy && ! $local ? 'TPROXY_MARK' : 'PROVIDER_MASK' } ) : '';
-	emit ( "qt \$IP -$family rule del fwmark ${mark}${mask}" ) if $config{DELETE_THEN_ADD};
+	emit ( "qt \$IP -$family rule del fwmark ${hexmark}${mask}" ) if $config{DELETE_THEN_ADD};
-	emit ( "run_ip rule add fwmark ${mark}${mask} pref $pref table $number",
+	emit ( "run_ip rule add fwmark ${hexmark}${mask} pref $pref table $number",
-	       "echo \"qt \$IP -$family rule del fwmark ${mark}${mask}\" >> \${VARDIR}/undo_${table}_routing"
+	       "echo \"qt \$IP -$family rule del fwmark ${hexmark}${mask}\" >> \${VARDIR}/undo_${table}_routing"
 	     );
    }
@@ -675,19 +702,20 @@ CEOF
 	emit '';
 	if ( $gateway ) {
 	    if ( $family == F_IPV4 ) {
-		emit qq(run_ip route replace $gateway dev $physical table ) . DEFAULT_TABLE;
+		emit qq(run_ip route replace $gateway/32 dev $physical table ) . DEFAULT_TABLE;
 		emit qq(run_ip route replace default via $gateway src $address dev $physical table ) . DEFAULT_TABLE . qq( metric $number);
 	    } else {
 		emit qq(qt \$IP -6 route del default via $gateway src $address dev $physical table ) . DEFAULT_TABLE . qq( metric $number);
 		emit qq(run_ip route add default via $gateway src $address dev $physical table ) . DEFAULT_TABLE . qq( metric $number);
 	    }
 	    emit qq(echo "qt \$IP -$family route del default via $gateway table ) . DEFAULT_TABLE . qq(" >> \${VARDIR}/undo_${table}_routing);
 	    emit qq(echo "qt \$IP -4  route del $gateway/32 dev $physical table ) . DEFAULT_TABLE . qq(" >> \${VARDIR}/undo_${table}_routing) if $family == F_IPV4;
 	} else {
 	    emit qq(run_ip route add default table ) . DEFAULT_TABLE . qq( dev $physical metric $number);
 	    emit qq(echo "qt \$IP -$family route del default dev $physical table ) . DEFAULT_TABLE . qq(" >> \${VARDIR}/undo_${table}_routing);
 	}
-	$fallback = 1;
+	$metrics = 1;
    }
    emit( qq(\n) ,
@@ -695,7 +723,7 @@ CEOF
 	  qq(    qt \$IP -6 rule add from all table ) . DEFAULT_TABLE . qq( prio 32767\n) ,
 	  qq(fi) ) if $family == F_IPV6;
-    unless ( $local ) {
+    unless ( $tproxy ) {
 	emit '';
 	if ( $loose ) {
@@ -759,7 +787,7 @@ CEOF
 		if ( $gateway ) {
 		    emit qq(add_gateway "via $gateway dev $physical $realm" ) . $tbl;
 		} else {
-		    emit qq(add_gateway "nexthop dev $physical $realm" ) . $tbl;
+		    emit qq(add_gateway "dev $physical $realm" ) . $tbl;
 		}
 	    }
 	    	} else {
@@ -861,7 +889,8 @@ CEOF
 		  "qt \$TC qdisc del dev $physical ingress\n" ) if $tcdevices->{$interface};
 	}
-	emit( "progress_message2 \"   Provider $table ($number) stopped\"" );
+	emit( "echo 1 > \${VARDIR}/${physical}.status",
 	      "progress_message2 \"   Provider $table ($number) stopped\"" );
 	pop_indent;
@@ -928,7 +957,7 @@ sub add_an_rtrule( ) {
 	    validate_net ( $source, 0 );
 	    $source = "from $source";
 	} else {
-	    $source = "iif $source";
+	    $source = 'iif ' . physical_name $source;
 	}
    } elsif ( $source =~  /^(.+?):<(.+)>\s*$/ ||  $source =~  /^(.+?):\[(.+)\]\s*$/ ) {
 	my ($interface, $source ) = ($1, $2);
@@ -939,7 +968,7 @@ sub add_an_rtrule( ) {
 	validate_net ( $source, 0 );
 	$source = "from $source";
    } else {
-	$source = "iif $source";
+	$source = 'iif ' . physical_name $source;
    }
    my $mark = '';
@@ -1024,8 +1053,8 @@ sub setup_null_routing() {
    emit "> \${VARDIR}/undo_rfc1918_routing\n";
    for ( rfc1918_networks ) {
 	emit( qq(if ! \$IP -4 route ls | grep -q '^$_.* dev '; then),
-	      qq(    run_ip route replace unreachable $_),
+	      qq(    run_ip route replace blackhole $_),
-	      qq(    echo "qt \$IP -4 route del unreachable $_" >> \${VARDIR}/undo_rfc1918_routing),
+	      qq(    echo "qt \$IP -4 route del blackhole $_" >> \${VARDIR}/undo_rfc1918_routing),
 	      qq(fi\n) );
    }
 }
@@ -1114,6 +1143,10 @@ sub finish_providers() {
 	       '# We don\'t have any \'balance\' providers so we restore any default route that we\'ve saved',
 	       '#',
 	       "restore_default_route $config{USE_DEFAULT_RT}" ,
 	       '#',
 	       '# And delete any routes in the \'balance\' table',
 	       '#',
 	       "qt \$IP -$family route del default table " . BALANCE_TABLE,
 	       '' );
    }
@@ -1127,10 +1160,17 @@ sub finish_providers() {
 	}
 	emit( "    progress_message \"Fallback route '\$(echo \$FALLBACK_ROUTE | sed 's/\$\\s*//')' Added\"",
 	      'else',
 	      '    #',
 	      '    # We don\'t have any \'fallback\' providers so we delete any default routes in the default table',
 	      '    #',
 	      '    delete_default_routes ' . DEFAULT_TABLE,
 	      'fi',
 	      '' );
    } elsif ( $config{USE_DEFAULT_RT} ) {
-	emit "qt \$IP -$family route del default table " . DEFAULT_TABLE;
+	emit( 'delete_default_routes ' . DEFAULT_TABLE,
 	      ''
 	    );
    }
    unless ( $config{KEEP_RT_TABLES} ) {
@@ -1164,10 +1204,12 @@ sub process_providers( $ ) {
    if ( my $fn = open_file 'providers' ) {
 	first_entry "$doing $fn...";
-	process_a_provider, $providers++ while read_a_line;
+	process_a_provider, $providers++ while read_a_line( NORMAL_READ );
    }
    if ( $providers ) {
 	fatal_error q(Either all 'fallback' providers must specify a weight or non of them can specify a weight) if $fallback && $metrics;
 	my $fn = open_file( 'route_rules' );
 	if ( $fn ){
@@ -1183,7 +1225,7 @@ sub process_providers( $ ) {
 	    emit '';
-	    add_an_rtrule while read_a_line;
+	    add_an_rtrule while read_a_line( NORMAL_READ );
 	}
 	$fn = open_file 'routes';
@@ -1191,7 +1233,7 @@ sub process_providers( $ ) {
 	if ( $fn ) {
 	    first_entry "$doing $fn...";
 	    emit '';
-	    add_a_route while read_a_line;
+	    add_a_route while read_a_line( NORMAL_READ );
 	}
    }
@@ -1239,6 +1281,7 @@ EOF
            startup_error "$g_interface is not an optional provider or provider interface"
            ;;
    esac
 }
 #
@@ -1279,6 +1322,10 @@ EOF
 }
 sub have_providers() {
    return our $providers;
 }
 sub setup_providers() {
    our $providers;
@@ -1324,6 +1371,228 @@ sub setup_providers() {
 }
 #
 # Emit the updown() function
 #
 sub compile_updown() {
    emit( '',
 	  '#',
 	  '# Handle the "up" and "down" commands',
 	  '#',
 	  'updown() # $1 = interface',
 	  '{',
 	);
    push_indent;
    emit( 'local state',
 	  'state=cleared',
 	  ''
 	);
    emit 'progress_message3 "$g_product $COMMAND triggered by $1"';
    emit '';
    if ( $family == F_IPV4 ) {
 	emit 'if shorewall_is_started; then';
    } else {
 	emit 'if shorewall6_is_started; then';
    }
    emit( '    state=started',
 	  'elif [ -f ${VARDIR}/state ]; then',
 	  '    case "$(cat ${VARDIR}/state)" in',
 	  '        Stopped*)',
 	  '            state=stopped',
 	  '            ;;',
 	  '        Cleared*)',
 	  '            ;;',
 	  '        *)',
 	  '            state=unknown',
 	  '            ;;',
 	  '    esac',
 	  'else',
 	  '    state=unknown',
 	  'fi',
 	  ''
 	);
    emit( 'case $1 in' );
    push_indent;
    my $ignore   = find_interfaces_by_option 'ignore', 1;
    my $required = find_interfaces_by_option 'required';
    my $optional = find_interfaces_by_option 'optional';
    if ( @$ignore ) {
 	my $interfaces = join '|', map get_physical( $_ ), @$ignore;
 	$interfaces =~ s/\+/*/g;
 	emit( "$interfaces)",
 	      '    progress_message3 "$COMMAND on interface $1 ignored"',
 	      '    exit 0',
 	      '    ;;'
 	    );
    }
    my @nonshared = ( grep $providers{$_}->{optional},
 		      sort( { $providers{$a}->{number} <=> $providers{$b}->{number} } values %provider_interfaces ) );
    if ( @nonshared ) {
 	my $interfaces = join( '|', map $providers{$_}->{physical}, @nonshared );
 	emit "$interfaces)";
 	push_indent;
 	emit( q(if [ "$state" = started ]; then) ,
 	      q(    if [ "$COMMAND" = up ]; then) , 
 	      q(        progress_message3 "Attempting enable on interface $1") ,
 	      q(        COMMAND=enable) ,
 	      q(        detect_configuration),        
 	      q(        enable_provider $1),
 	      q(    elif [ "$PHASE" != post-down ]; then # pre-down or not Debian) ,
 	      q(        progress_message3 "Attempting disable on interface $1") ,
 	      q(        COMMAND=disable) ,
 	      q(        detect_configuration),        
 	      q(        disable_provider $1) ,
 	      q(    fi) ,
 	      q(elif [ "$COMMAND" = up ]; then) ,
 	      q(    echo 0 > ${VARDIR}/${1}.status) ,
 	      q(    COMMAND=start),
 	      q(    progress_message3 "$g_product attempting start") ,
 	      q(    detect_configuration),
 	      q(    define_firewall),
 	      q(else),
 	      q(    progress_message3 "$COMMAND on interface $1 ignored") ,
 	      q(fi) ,
 	      q(;;) );
 	pop_indent;
    }
    if ( @$required ) {
 	my $interfaces = join '|', map get_physical( $_ ), @$required;
 	my $wildcard = ( $interfaces =~ s/\+/*/g );
 	emit( "$interfaces)",
 	      '    if [ "$COMMAND" = up ]; then' );
 	if ( $wildcard ) {
 	    emit( '        if [ "$state" = started ]; then',
 		  '            COMMAND=restart',
 		  '        else',
 		  '            COMMAND=start',
 		  '        fi' );
 	} else {
 	    emit( '        COMMAND=start' );
 	}
 	emit( '        progress_message3 "$g_product attempting $COMMAND"',
 	      '        detect_configuration',
 	      '        define_firewall',
 	      '    elif [ "$PHASE" != pre-down ]; then # Not Debian pre-down phase'
 	    );
 	push_indent;
 	if ( $wildcard ) {
 	    emit( '    if [ "$state" = started ]; then',
 		  '        progress_message3 "$g_product attempting restart"',
 		  '        COMMAND=restart',
 		  '        detect_configuration',
 		  '        define_firewall',
 		  '    fi' );
 	} else {
 	    emit( '    COMMAND=stop',
 		  '    progress_message3 "$g_product attempting stop"',
 		  '    detect_configuration',
 		  '    stop_firewall' );
 	}
 	pop_indent;
 	emit( '    fi',
 	      '    ;;'
 	    );
    }
    if ( @$optional ) {
 	my @interfaces = map( get_physical( $_ ), grep( ! $provider_interfaces{$_} , @$optional ) );
 	my $interfaces = join '|', @interfaces;
 	if ( $interfaces ) {
 	    if ( $interfaces =~ s/\+/*/g || @interfaces > 1 ) {
 		emit( "$interfaces)",
 		      '    if [ "$COMMAND" = up ]; then',
 		      '        echo 0 > ${VARDIR}/${1}.state',
 		      '    else',
 		      '        echo 1 > ${VARDIR}/${1}.state',
 		      '    fi' );
 	    } else {
 		emit( "$interfaces)",
 		      '    if [ "$COMMAND" = up ]; then',
 		      "        echo 0 > \${VARDIR}/$interfaces.state",
 		      '    else',
 		      "        echo 1 > \${VARDIR}/$interfaces.state",
 		      '    fi' );
 	    }
 	    emit( '',
 		  '    if [ "$state" = started ]; then',
 		  '        COMMAND=restart',
 		  '        progress_message3 "$g_product attempting restart"',
 		  '        detect_configuration',
 		  '        define_firewall',
 		  '    elif [ "$state" = stopped ]; then',
 		  '        COMMAND=start',
 		  '        progress_message3 "$g_product attempting start"',
 		  '        detect_configuration',
 		  '        define_firewall',
 		  '    else',
 		  '        progress_message3 "$COMMAND on interface $1 ignored"',
 		  '    fi',
 		  '    ;;',
 		);
 	}
    }
    if ( my @plain_interfaces = all_plain_interfaces ) {			
 	my $interfaces = join ( '|', @plain_interfaces );
 	$interfaces =~ s/\+/*/g;
 	emit( "$interfaces)",
 	      '    case $state in',
 	      '        started)',
 	      '            COMMAND=restart',
 	      '            progress_message3 "$g_product attempting restart"',
 	      '            detect_configuration',
 	      '            define_firewall',
 	      '            ;;',
 	      '        *)',
 	      '            progress_message3 "$COMMAND on interface $1 ignored"',
 	      '            ;;',
 	      '    esac',
 	    );
    }
    pop_indent;
    emit( 'esac' );
    pop_indent;
    emit( '}',
 	  '',
 	);
 }
 sub lookup_provider( $ ) {
    my $provider    = $_[0];
    my $providerref = $providers{ $provider };
--- a/Shorewall/Perl/Shorewall/Proxyarp.pm
+++ b/Shorewall/Perl/Shorewall/Proxyarp.pm
@@ -120,7 +120,7 @@ sub setup_proxy_arp() {
 	my ( %set, %reset );
-	while ( read_a_line ) {
+	while ( read_a_line( NORMAL_READ ) ) {
 	    my ( $address, $interface, $external, $haveroute, $persistent ) =
 		split_line $file_opt . 'file ', { address => 0, interface => 1, external => 2, haveroute => 3, persistent => 4 };
--- a/Shorewall/Perl/Shorewall/Raw.pm
+++ b/Shorewall/Perl/Shorewall/Raw.pm
@@ -130,7 +130,7 @@ sub setup_notrack() {
 	my $nonEmpty = 0;
-	while ( read_a_line ) {	    
+	while ( read_a_line( NORMAL_READ ) ) {
 	    my ( $source, $dest, $proto, $ports, $sports, $user );
 	    if ( $format == 1 ) {
--- a/Shorewall/Perl/Shorewall/Rules.pm
+++ b/Shorewall/Perl/Shorewall/Rules.pm
@@ -33,6 +33,7 @@ use Shorewall::Config qw(:DEFAULT :internal);
 use Shorewall::Zones;
 use Shorewall::Chains qw(:DEFAULT :internal);
 use Shorewall::IPAddrs;
 use Shorewall::Nat qw(:rules);
 use Scalar::Util 'reftype';
 use strict;
@@ -529,7 +530,7 @@ sub process_policies()
    if ( my $fn = open_file 'policy' ) {
 	first_entry "$doing $fn...";
-	process_a_policy while read_a_line;
+	process_a_policy while read_a_line( NORMAL_READ );
    } else {
 	fatal_error q(The 'policy' file does not exist or has zero size);
    }
@@ -1394,7 +1395,7 @@ sub process_actions() {
    for my $file ( qw/actions.std actions/ ) {
 	open_file $file;
-	while ( read_a_line ) {
+	while ( read_a_line( NORMAL_READ ) ) {
 	    my ( $action ) = split_line 'action file' , { action => 0 };
 	    if ( $action =~ /:/ ) {
@@ -1454,7 +1455,7 @@ sub process_action( $) {
 	push_comment( '' );
-	while ( read_a_line ) {
+	while ( read_a_line( NORMAL_READ ) ) {
 	    my ($target, $source, $dest, $proto, $ports, $sports, $origdest, $rate, $user, $mark, $connlimit, $time, $headers, $condition );
@@ -1547,7 +1548,7 @@ sub process_macro ( $$$$$$$$$$$$$$$$$$ ) {
    push_open $macrofile;
-    while ( read_a_line ) {
+    while ( read_a_line( NORMAL_READ ) ) {
 	my ( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $morigdest, $mrate, $muser, $mmark, $mconnlimit, $mtime, $mheaders, $mcondition );
@@ -1589,7 +1590,7 @@ sub process_macro ( $$$$$$$$$$$$$$$$$$ ) {
 	my $actiontype = $targets{$action} || find_macro( $action );
-	fatal_error "Invalid Action ($mtarget) in macro" unless $actiontype & ( ACTION +  STANDARD + NATRULE +  MACRO );
+	fatal_error "Invalid Action ($mtarget) in macro" unless $actiontype & ( ACTION +  STANDARD + NATRULE + MACRO + CHAIN );
 	if ( $msource ) {
 	    if ( $msource eq '-' ) {
@@ -1666,7 +1667,7 @@ sub verify_audit($;$$) {
 # Similarly, if a new action tuple is encountered, this function is called recursively for each rule in the action
 # body. In this latter case, a reference to the tuple's chain is passed in the first ($chainref) argument.
 #
-sub process_rule1 ( $$$$$$$$$$$$$$$$ $) {
+sub process_rule1 ( $$$$$$$$$$$$$$$$$ ) {
    my ( $chainref,   #reference to Action Chain if we are being called from process_action(); undef otherwise
 	 $target,
 	 $current_param,
@@ -1688,7 +1689,7 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$ $) {
    my ( $action, $loglevel)    = split_action $target;
    my ( $basictarget, $param ) = get_target_param $action;
    my $rule = '';
-    my $optimize = $wildcard ? ( $basictarget =~ /!$/ ? 0 : $config{OPTIMIZE} & 1 ) : 0;
+    my $optimize = $wildcard ? ( $basictarget =~ /!$/ ? 0 : $config{OPTIMIZE} & 5 ) : 0;
    my $inaction = '';
    my $normalized_target;
    my $normalized_action;
@@ -1757,7 +1758,7 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$ $) {
    #
    # We can now dispense with the postfix character
    #
-    fatal_error "The +, - and ! modifiers are not allowed in the blrules file" if $action =~ s/[\+\-!]$// && $blacklist;
+    fatal_error "The +, - and ! modifiers are not allowed in the blrules file" if $action =~ s/[-+!]$// && $blacklist;
    #
    # Handle actions
    #
@@ -1805,7 +1806,8 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$ $) {
 	$bt =~ s/[-+!]$//;
-	my %functions = ( ACCEPT => sub() { $action = 'RETURN' if $blacklist; } ,
+	my %functions =
 	    ( ACCEPT => sub() { $action = 'RETURN' if $blacklist; } ,
 	      REDIRECT => sub () {
 		  my $z = $actiontype & NATONLY ? '' : firewall_zone;
@@ -1920,7 +1922,7 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$ $) {
    #
    # Take care of chain
    #
-    my ( $chain, $policy );
+    my $chain;
    if ( $inaction ) {
        #
@@ -1944,7 +1946,7 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$ $) {
 	    # Ensure that the chain exists but don't mark it as referenced until after optimization is checked
 	    #
 	    $chainref  = ensure_chain 'filter', $chain;
-	    $policy   = $chainref->{policy};
+	    my $policy = $chainref->{policy};
 	    if ( $policy eq 'NONE' ) {
 		return 0 if $wildcard;
@@ -1953,10 +1955,10 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$ $) {
 	    #
 	    # Handle Optimization
 	    #
-	    if ( $optimize > 0 && $section eq 'NEW' ) {
+	    if ( $optimize == 1 && $section eq 'NEW' ) {
 		my $loglevel = $filter_table->{$chainref->{policychain}}{loglevel};
 		if ( $loglevel ne '' ) {
-		    return 0 if $target eq "${policy}:$loglevel}";
+		    return 0 if $target eq "${policy}:${loglevel}";
 		} else {
 		    return 0 if $basictarget eq $policy;
 		}
@@ -2030,132 +2032,29 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$ $) {
    # Generate NAT rule(s), if any
    #
    if ( $actiontype & NATRULE ) {
 	my ( $server, $serverport );
 	my $randomize = $dest =~ s/:random$// ? ' --random' : '';
 	require_capability( 'NAT_ENABLED' , "$basictarget rules", '' );
 	#
-	# Isolate server port
+	# Add the appropriate rule to the nat table
 	#
-	if ( $dest =~ /^(.*)(:(.+))$/ ) {
+	( $ports,
-	    #
+	  $origdstports,
-	    # Server IP and Port
+	  $dest ) = handle_nat_rule( $dest,
-	    #
+				     $proto,
-	    $server = $1;      # May be empty
+				     $ports,
-	    $serverport = $3;  # Not Empty due to RE
+				     $origdest,
-	    $origdstports = $ports;
+				     ( $actiontype & ACTION ) ? $usedactions{$normalized_target}->{name} : '',
-
+				     $action,
-	    if ( $origdstports && $origdstports ne '-' && port_count( $origdstports ) == 1 ) {
+				     $sourceref,
-		$origdstports = validate_port( $proto, $origdstports );
+				     $inaction ? $chain : '',
-	    } else {
+				     $rule,
-		$origdstports = '';
+				     $source,
-	    }
+				     ( $actiontype & ACTION ) ? '' : $loglevel,
-
+				     $log_action
 	    if ( $serverport =~ /^(\d+)-(\d+)$/ ) {
 		#
 		# Server Port Range
 		#
 		fatal_error "Invalid port range ($serverport)" unless $1 < $2;
 		my @ports = ( $1, $2 );
 		$_ = validate_port( proto_name( $proto ), $_) for ( @ports );
 		( $ports = $serverport ) =~ tr/-/:/;
 	    } else {
 		$serverport = $ports = validate_port( proto_name( $proto ), $serverport );
 	    }
 	} elsif ( $dest eq ':' ) {
 	    #
 	    # Rule with no server IP or port ( zone:: )
 	    #
 	    $server = $serverport = '';
 	} else {
 	    #
 	    # Simple server IP address (may be empty or "-")
 	    #
 	    $server = $dest;
 	    $serverport = '';
 	}
 	#
 	# Generate the target
 	#
 	my $target = '';
 	if ( $actiontype  & REDIRECT ) {
 	    fatal_error "A server IP address ($server) may not be specified in a REDIRECT rule" if $server;
 	    $target  = 'REDIRECT';
 	    $target .= " --to-port $serverport" if $serverport;
 	    if ( $origdest eq '' || $origdest eq '-' ) {
 		$origdest = ALLIP;
 	    } elsif ( $origdest eq 'detect' ) {
 		fatal_error 'ORIGINAL DEST "detect" is invalid in an action' if $inaction;
 		if ( $config{DETECT_DNAT_IPADDRS} && $sourcezone ne firewall_zone ) {
 		    my $interfacesref = $sourceref->{interfaces};
 		    my @interfaces = keys %$interfacesref;
 		    $origdest = @interfaces ? "detect:@interfaces" : ALLIP;
 		} else {
 		    $origdest = ALLIP;
 		}
 	    }
 	} elsif ( $actiontype & ACTION ) {
 	    fatal_error "A server port ($serverport) is not allowed in $action rule" if $serverport;
 	    $target = $usedactions{$normalized_target}->{name};
 	    $loglevel = '';
 	} else {
 	    if ( $server eq '' ) {
 		fatal_error "A server and/or port must be specified in the DEST column in $action rules" unless $serverport;
 	    } elsif ( $server =~ /^(.+)-(.+)$/ ) {
 		validate_range( $1, $2 );
 	    } else {
 		unless ( ( $actiontype & ACTION ) && $server eq ALLIP ) {
 		    my @servers = validate_address $server, 1;
 		    $server = join ',', @servers;
 		}
 	    }
 	    if ( $action eq 'DNAT' ) {
 		$target = 'DNAT';
 		if ( $server ) {
 		    $serverport = ":$serverport" if $serverport;
 		    for my $serv ( split /,/, $server ) {
 			$target .= " --to-destination ${serv}${serverport}";
 		    }
 		} else {
 		    $target .= " --to-destination :$serverport";
 		}
 	    }
 	    unless ( $origdest && $origdest ne '-' && $origdest ne 'detect' ) {
 		if ( ! $inaction && $config{DETECT_DNAT_IPADDRS} && $sourcezone ne firewall_zone ) {
 		    my $interfacesref = $sourceref->{interfaces};
 		    my @interfaces = keys %$interfacesref;
 		    $origdest = @interfaces ? "detect:@interfaces" : ALLIP;
 		} else {
 		    $origdest = ALLIP;
 		}
 	    }
 	}
 	$target .= $randomize;
 	#
 	# And generate the nat table rule(s)
 	#
 	expand_rule ( ensure_chain ('nat' , $inaction ? $chain : $sourceref->{type} == FIREWALL ? 'OUTPUT' : dnat_chain $sourcezone ),
 		      PREROUTE_RESTRICT ,
 		      $rule ,
 		      $source ,
 		      $origdest ,
 		      '' ,
 		      $target ,
 		      $loglevel ,
 		      $log_action ,
 		      $serverport ? do_proto( $proto, '', '' ) : '',
 				   );		 
 	#
 	# After NAT:
 	#   - the destination port will be the server port ($ports) -- we did that above
-	#   - the destination IP   will be the server IP   ($dest)
+	#   - the destination IP will be the server IP   ($dest)  -- also done above
 	#   - there will be no log level (we log NAT rules in the nat table rather than in the filter table).
 	#   - the target will be ACCEPT.
 	#
@@ -2168,88 +2067,23 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$ $) {
 			  do_condition( $condition )
 			);
 	    $loglevel = '';
 	    $dest     = $server;
 	    $action   = 'ACCEPT';
 	    $origdest = ALLIP if  $origdest =~ /[+]/;
 	}
    } elsif ( $actiontype & NONAT ) {
 	#
-	# NONAT or ACCEPT+ -- May not specify a destination interface
+	# NONAT or ACCEPT+
 	#
-	fatal_error "Invalid DEST ($dest) in $action rule" if $dest =~ /:/;
+	handle_nonat_rule( $action,
-
+			   $source,
-	$origdest = '' unless $origdest and $origdest ne '-';
+			   $dest,
-
+			   $origdest,
-	if ( $origdest eq 'detect' ) {
+			   $sourceref,
-	    my $interfacesref = $sourceref->{interfaces};
+			   $inaction,
-	    my $interfaces = [ ( keys %$interfacesref ) ];
+			   $chain,
 	    $origdest = $interfaces ? "detect:@$interfaces" : ALLIP;
 	}
 	my $tgt = 'RETURN';
 	my $nonat_chain;
 	my $chn;
 	if ( $inaction ) {
 	    $nonat_chain = ensure_chain( 'nat', $chain );
 	} elsif ( $sourceref->{type} == FIREWALL ) {
 	    $nonat_chain = $nat_table->{OUTPUT};
 	} else {
 	    $nonat_chain = ensure_chain( 'nat', dnat_chain( $sourcezone ) );
 	    my @interfaces = keys %{zone_interfaces $sourcezone};
 	    for ( @interfaces ) {
 		my $ichain = input_chain $_;
 		if ( $nat_table->{$ichain} ) {
 		    #
 		    # Static NAT is defined on this interface
 		    #
 		    $chn = new_chain( 'nat', newnonatchain ) unless $chn;
 		    add_ijump $chn, j => $nat_table->{$ichain}, @interfaces > 1 ? imatch_source_dev( $_ )  : ();
 		}
 	    }
 	    if ( $chn ) {
 		#
 		# Call expand_rule() to correctly handle logging. Because
 		# the 'logname' argument is passed, expand_rule() will
 		# not create a separate logging chain but will rather emit
 		# any logging rule in-line.
 		#
 		expand_rule( $chn,
 			     PREROUTE_RESTRICT,
 			     '', # Rule
 			     '', # Source
 			     '', # Dest
 			     '', # Original dest
 			     'ACCEPT',
 			   $loglevel,
 			   $log_action,
-			     '',
+			   $rule
 			     dnat_chain( $sourcezone  ) );
 		$loglevel = '';
 		$tgt = $chn->{name};
 	    } else {
 		$tgt = 'ACCEPT';
 	    }
 	}
 	set_optflags( $nonat_chain, DONT_MOVE | DONT_OPTIMIZE ) if $tgt eq 'RETURN';
 	expand_rule( $nonat_chain ,
 		     PREROUTE_RESTRICT ,
 		     $rule ,
 		     $source ,
 		     $dest ,
 		     $origdest ,
 		     $tgt,
 		     $loglevel ,
 		     $log_action ,
 		     '',
 			 );
    }
@@ -2567,7 +2401,7 @@ sub process_rules( $ ) {
 		     }
 		   );
-	process_rule while read_a_line;
+	process_rule while read_a_line( NORMAL_READ );
    }
    $section = '';
@@ -2585,7 +2419,7 @@ sub process_rules( $ ) {
 	first_entry "$doing $fn...";
-	process_rule while read_a_line;
+	process_rule while read_a_line( NORMAL_READ );
 	clear_comment;
    }
--- a/Shorewall/Perl/Shorewall/Tc.pm
+++ b/Shorewall/Perl/Shorewall/Tc.pm
@@ -163,13 +163,17 @@ my  @tcclasses;
 my  %tcclasses;
 my  %restrictions = ( tcpre      => PREROUTE_RESTRICT ,
 		      PREROUTING => PREROUTE_RESTRICT ,
 		      tcpost     => POSTROUTE_RESTRICT ,
 		      tcfor      => NO_RESTRICT ,
 		      tcin       => INPUT_RESTRICT ,
-		      tcout      => OUTPUT_RESTRICT );
+		      tcout      => OUTPUT_RESTRICT ,
 		    );
 my $family;
 my $divertref; # DIVERT chain
 #
 # Rather than initializing globals in an INIT block or during declaration,
 # we initialize them in a function. This is done for two reasons:
@@ -191,21 +195,24 @@ sub initialize( $ ) {
    $devnum    = 0;
    $sticky    = 0;
    $ipp2p     = 0;
    $divertref = 0;
 }
 sub process_tc_rule( ) {
    my ( $originalmark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability , $dscp );
    if ( $family == F_IPV4 ) {
 	( $originalmark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $probability, $dscp ) =
-	    split_line1 'tcrules file', { mark => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5, user => 6, test => 7, length => 8, tos => 9, connbytes => 10, helper => 11, probability => 12 , dscp => 13 };
+	    split_line1 'tcrules file', { mark => 0, action => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5, user => 6, test => 7, length => 8, tos => 9, connbytes => 10, helper => 11, probability => 12 , dscp => 13 }, { COMMENT => 0, FORMAT => 2 } , 14;
 	$headers = '-';
    } else {
 	( $originalmark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability, $dscp ) =
-	    split_line1 'tcrules file', { mark => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5, user => 6, test => 7, length => 8, tos => 9, connbytes => 10, helper => 11, headers => 12, probability => 13 , dscp => 14 };
+	    split_line1 'tcrules file', { mark => 0, action => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5, user => 6, test => 7, length => 8, tos => 9, connbytes => 10, helper => 11, headers => 12, probability => 13 , dscp => 14 },  { COMMENT => 0, FORMAT => 2 }, 15;
    }
    our @tccmd;
    our $format;
    fatal_error 'MARK must be specified' if $originalmark eq '-';
    if ( $originalmark eq 'COMMENT' ) {
@@ -213,6 +220,15 @@ sub process_tc_rule( ) {
 	return;
    }
    if ( $originalmark eq 'FORMAT' ) {
 	if ( $source =~ /^([12])$/ ) {
 	    $format = $1;
 	    return;
 	}
 	fatal_error "Invalid FORMAT ($source)";
    }
    my ( $mark, $designator, $remainder ) = split( /:/, $originalmark, 3 );
    fatal_error "Invalid MARK ($originalmark)" unless supplied $mark;
@@ -242,6 +258,7 @@ sub process_tc_rule( ) {
    my $restriction = 0;
    my $cmd;
    my $rest;
    my $matches = '';
    my %processtcc = ( sticky => sub() {
 			                  if ( $chain eq 'tcout' ) {
@@ -294,23 +311,57 @@ sub process_tc_rule( ) {
 					  $target = "IPMARK --addr $srcdst --and-mask $mask1 --or-mask $mask2 --shift $shift";
 				      },
 		       DIVERT => sub() {
 			                  fatal_error "Invalid MARK ($originalmark)"               unless $format == 2;
 			                  fatal_error "Invalid DIVERT specification( $cmd/$rest )" if $rest;
 					  $chain = 'PREROUTING';
 					  $mark = in_hex( $globals{TPROXY_MARK} ) . '/' . in_hex( $globals{TPROXY_MARK} );
 					  unless ( $divertref ) {
 					      $divertref = new_chain( 'mangle', 'divert' );
 					      add_ijump( $divertref , j => 'MARK', targetopts => "--set-mark $mark"  );
 					      add_ijump( $divertref , j => 'ACCEPT' );
 					  }
 					  $target = 'divert';
 					  $matches = '! --tcp-flags FIN,SYN,RST,ACK SYN  -m socket --transparent ';
 				      },					      
 		       TPROXY => sub() {
 			                  require_capability( 'TPROXY_TARGET', 'Use of TPROXY', 's');
 			                  fatal_error "Invalid TPROXY specification( $cmd/$rest )" if $rest;
-					  $chain = 'tcpre';
+					  $chain = 'PREROUTING';
 					  $cmd =~ /TPROXY\((.+?)\)$/;
 					  my $params = $1;
 					  my ( $port, $ip, $bad );
 					  if ( $format == 1 ) {
 					      fatal_error "Invalid TPROXY specification( $cmd )" unless defined $params;
-					  ( $mark, my $port, my $ip, my $bad ) = split ',', $params;
+					      ( $mark, $port, $ip, $bad ) = split_list $params, 'Parameter';
 					      fatal_error "Invalid TPROXY specification( $cmd )" if defined $bad;
 					      warning_message "TPROXY is deprecated in a format-1 tcrules file";
 					  } else {
 					      if ( $params ) {
 						  ( $port, $ip, $bad ) = split_list $params, 'Parameter';
 						  fatal_error "Invalid TPROXY specification( $cmd )" if defined $bad;
 					      } else {
 						  fatal_error "Invalid TPROXY specification ($cmd)" unless $cmd eq 'TPROXY' || $cmd eq 'TPROXY()';
 					      }
 					      $mark = in_hex( $globals{TPROXY_MARK} ) . '/' . in_hex( $globals{TPROXY_MARK} );
 					  }
 					  if ( $port ) {
 					      $port = validate_port( 'tcp', $port );
 					  } else {
@@ -530,7 +581,7 @@ sub process_tc_rule( ) {
    if ( ( my $result = expand_rule( ensure_chain( 'mangle' , $chain ) ,
 				     $restrictions{$chain} | $restriction,
-				     do_proto( $proto, $ports, $sports) .
+				     do_proto( $proto, $ports, $sports) . $matches .
 				     do_user( $user ) .
 				     do_test( $testval, $globals{TC_MASK} ) .
 				     do_length( $length ) .
@@ -539,7 +590,7 @@ sub process_tc_rule( ) {
 				     do_helper( $helper ) .
 				     do_headers( $headers ) .
 				     do_probability( $probability ) .
-				     do_dscp( $dscp ),
+				     do_dscp( $dscp ) ,
 				     $source ,
 				     $dest ,
 				     '' ,
@@ -802,6 +853,8 @@ sub process_simple_device() {
    progress_message "  Simple tcdevice \"$currentline\" $done.";
 }
 my %validlinklayer = ( ethernet => 1, atm => 1, adsl => 1 );
 sub validate_tc_device( ) {
    my ( $device, $inband, $outband , $options , $redirected ) = split_line 'tcdevices', { interface => 0, in_bandwidth => 1, out_bandwidth => 2, options => 3, redirect => 4 };
@@ -836,7 +889,8 @@ sub validate_tc_device( ) {
    fatal_error "Duplicate INTERFACE ($device)"    if $tcdevices{$device};
    fatal_error "Invalid INTERFACE name ($device)" if $device =~ /[:+]/;
-    my ( $classify, $pfifo, $flow, $qdisc )  = (0, 0, '', 'htb' );
+    my ( $classify, $pfifo, $flow, $qdisc, $linklayer, $overhead, $mtu, $mpu, $tsize ) = 
 	(0,         0,      '',    'htb',  '',         0,         0,    0,    0);
    if ( $options ne '-' ) {
 	for my $option ( split_list1 $options, 'option' ) {
@@ -852,6 +906,25 @@ sub validate_tc_device( ) {
 		$qdisc = 'hfsc';
 	    } elsif ( $option eq 'htb' ) {
 		$qdisc = 'htb';
 	    } elsif ( $option =~ /^linklayer=([a-z]+)$/ ) {
 		$linklayer = $1;
 		fatal_error "Invalid linklayer ($linklayer)" unless $validlinklayer{ $linklayer };
 	    } elsif ( $option =~ /^overhead=(.+)$/ ) {
 		$overhead = numeric_value( $1 );
 		fatal_error "Invalid overhead ($1)" unless defined $overhead;
 		fatal_error q('overhead' requires 'linklayer') unless $linklayer; 
 	    } elsif ( $option =~ /^mtu=(.+)$/ ) {
 		$mtu = numeric_value( $1 );
 		fatal_error "Invalid mtu ($1)" unless defined $mtu;
 		fatal_error q('mtu' requires 'linklayer') unless $linklayer; 
 	    } elsif ( $option =~ /^mpu=(.+)$/ ) {
 		$mpu = numeric_value( $1 );
 		fatal_error "Invalid mpu ($1)" unless defined $mpu;
 		fatal_error q('mpu' requires 'linklayer') unless $linklayer;
 	    } elsif ( $option =~ /^tsize=(.+)$/ ) {
 		$tsize = numeric_value( $1 );
 		fatal_error "Invalid tsize ($1)" unless defined $tsize;
 		fatal_error q('tsize' requires 'linklayer') unless $linklayer; 
 	    } else {
 		fatal_error "Unknown device option ($option)";
 	    }
@@ -890,7 +963,12 @@ sub validate_tc_device( ) {
 			    guarantee     => 0,
 			    name          => $device,
 			    physical      => physical_name $device,
-			    filters       => []
+			    filters       => [],
 			    linklayer     => $linklayer,
 			    overhead      => $overhead,
 			    mtu           => $mtu,
 			    mpu           => $mpu,
 			    tsize         => $tsize,
 			  } ,
    push @tcdevices, $device;
@@ -924,7 +1002,7 @@ sub convert_delay( $ ) {
    my $delay = shift;
    return 0 unless $delay;
-    return $1 if $delay =~ /^(\d+)(ms)?$/;
+    return $1 if $delay =~ /^(\d+(\.\d+)?)(ms)?$/;
    fatal_error "Invalid Delay ($delay)";
 }
@@ -953,6 +1031,18 @@ sub dev_by_number( $ ) {
    ( $dev , $devref );
 }
 use constant { RED_INTEGER => 1, RED_FLOAT => 2, RED_NONE => 3 };
 my %validredoptions = ( min         => RED_INTEGER,
 			max         => RED_INTEGER,
 			limit       => RED_INTEGER,
 			burst       => RED_INTEGER,
 			avpkt       => RED_INTEGER,
 			bandwidth   => RED_INTEGER,
 			probability => RED_FLOAT,
 			ecn         => RED_NONE,
 		      );
 sub validate_tc_class( ) {
    my ( $devclass, $mark, $rate, $ceil, $prio, $options ) =
 	split_line 'tcclasses file', { interface => 0, mark => 1, rate => 2, ceil => 3, prio => 4, options => 5 };
@@ -962,6 +1052,7 @@ sub validate_tc_class( ) {
    my $occurs = 1;
    my $parentclass = 1;
    my $parentref;
    my $lsceil = 0;
    fatal_error 'INTERFACE must be specified' if $devclass eq '-';
    fatal_error 'CEIL must be specified'      if $ceil eq '-';
@@ -1008,9 +1099,6 @@ sub validate_tc_class( ) {
    my $markval = 0;
    if ( $mark ne '-' ) {
 	if ( $devref->{classify} ) {
 	    warning_message "INTERFACE $device has the 'classify' option - MARK value ($mark) ignored";
 	} else {
 	fatal_error "MARK may not be specified when TC_BITS=0" unless $config{TC_BITS};
 	$markval = numeric_value( $mark );
@@ -1024,7 +1112,6 @@ sub validate_tc_class( ) {
 	    $classnumber = $config{TC_BITS} >= 14 ? $devref->{nextclass}++ : hex_value( $devnum . $markval );
 	    fatal_error "Duplicate MARK ($mark)" if $tcref->{$classnumber};
 	}
 	}
    } else {
 	fatal_error "Duplicate Class NUMBER ($classnumber)" if $tcref->{$classnumber};
 	$markval = '-';
@@ -1038,7 +1125,9 @@ sub validate_tc_class( ) {
 	my $parentnum = in_hexp $parentclass;
 	fatal_error "Unknown Parent class ($parentnum)" unless $parentref && $parentref->{occurs} == 1;
 	fatal_error "The class ($parentnum) specifies UMAX and/or DMAX; it cannot serve as a parent" if $parentref->{dmax};
-	fatal_error "The class ($parentnum) specifies flow; it cannot serve as a parent"             if $parentref->{flow};
+	fatal_error "The class ($parentnum) specifies 'flow'; it cannot serve as a parent"           if $parentref->{flow};
 	fatal_error "The class ($parentnum) specifies 'red'; it cannot serve as a parent "           if $parentref->{red};
 	fatal_error "The class ($parentnum) has an 'ls' curve; it cannot serve as a parent "         if $parentref->{lsceil};
 	fatal_error "The default class ($parentnum) may not have sub-classes"                        if ( $devref->{default} || 0 ) == $parentclass;
 	$parentref->{leaf} = 0;
 	$ratemax  = $parentref->{rate};
@@ -1049,7 +1138,17 @@ sub validate_tc_class( ) {
    my ( $umax, $dmax ) = ( '', '' );
    if ( $ceil =~ /^(.+):(.+)/ ) {
 	fatal_error "An LS rate may only be specified for HFSC classes" unless $devref->{qdisc} eq 'hfsc';
 	$lsceil = $1;
 	$ceil   = $2;
    }
    if ( $devref->{qdisc} eq 'hfsc' ) {
 	if ( $rate eq '-' ) {
 	    fatal_error 'A RATE must be supplied' unless $lsceil;
 	    $rate = 0;
 	} else {
 	    ( my $trate , $dmax, $umax , my $rest ) = split ':', $rate , 4;
 	    fatal_error "Invalid RATE ($rate)" if defined $rest;
@@ -1059,6 +1158,7 @@ sub validate_tc_class( ) {
 	    $umax = convert_size( $umax );
 	    fatal_error "DMAX must be specified when UMAX is specified" if $umax && ! $dmax;
 	    $parentclass ||= 1;
 	}
    } else {
 	$rate = convert_rate ( $ratemax, $rate, 'RATE' , $ratename );
    }
@@ -1075,7 +1175,8 @@ sub validate_tc_class( ) {
 			       rate      => $rate ,
 			       umax      => $umax ,
 			       dmax      => $dmax ,
-			       ceiling   => convert_rate( $ceilmax, $ceil, 'CEIL' , $ceilname ) ,
+			       ceiling   => $ceil   = ( supplied $ceil   ? convert_rate( $ceilmax, $ceil,   'CEIL'  , $ceilname ) : 0 ),
 			       lsceil    => $lsceil = ( $lsceil          ? convert_rate( $ceilmax, $lsceil, 'LSCEIL', $ceilname ) : 0 ),
 			       priority  => $prio eq '-' ? 1 : $prio ,
 			       mark      => $markval ,
 			       flow      => '' ,
@@ -1089,7 +1190,9 @@ sub validate_tc_class( ) {
    $tcref = $tcref->{$classnumber};
-    fatal_error "RATE ($tcref->{rate}) exceeds CEIL ($tcref->{ceiling})" if $tcref->{rate} > $tcref->{ceiling};
+    fatal_error "RATE ($rate) exceeds CEIL ($ceil)" if $rate && $ceil && $rate > $ceil;
    my ( $red, %redopts ) = ( 0, ( avpkt => 1000 ) );
    unless ( $options eq '-' ) {
 	for my $option ( split_list1 "\L$options", 'option' ) {
@@ -1114,9 +1217,11 @@ sub validate_tc_class( ) {
 		push @{$tcref->{tos}}, $option;
 	    } elsif ( $option =~ /^flow=(.*)$/ ) {
 		fatal_error "The 'flow' option is not allowed with 'pfifo'" if $tcref->{pfifo};
 		fatal_error "The 'flow' option is not allowed with 'red'"   if $tcref->{red};
 		$tcref->{flow} = process_flow $1;
 	    } elsif ( $option eq 'pfifo' ) {
-		fatal_error "The 'pfifo'' option is not allowed with 'flow='" if $tcref->{flow};
+		fatal_error "The 'pfifo' option is not allowed with 'flow='" if $tcref->{flow};
 		fatal_error "The 'pfifo' option is not allowed with 'red='"  if $tcref->{red};
 		$tcref->{pfifo} = 1;
 	    } elsif ( $option =~ /^occurs=(\d+)$/ ) {
 		my $val = $1;
@@ -1137,6 +1242,57 @@ sub validate_tc_class( ) {
 		warning_message "limit ignored with pfifo queuing" if $tcref->{pfifo};
 		fatal_error "Invalid limit ($1)" if $1 < 3 || $1 > 128;
 		$tcref->{limit} = $1;
 	    } elsif ( $option =~ s/^red=// ) {
 		fatal_error "The 'red=' option is not allowed with 'flow='" if $tcref->{flow};
 		fatal_error "The 'red=' option is not allowed with 'pfifo'" if $tcref->{pfifo};
 		$tcref->{red} = 1;
 		my $opttype;
 		for my $redopt ( split_list( $option , q('red' option list) ) ) {
 		    #
 		    #                            $2  ----------------------
 		    #              $1  ------       | $3 -------           |
 		    #                 |      |      |   |       |          |
 		    if ( $redopt =~ /^([a-z]+) (?:= (   ([01]?\.)?(\d{1,8})) )?$/x ) {
 			fatal_error "Invalid RED option ($1)" unless $opttype = $validredoptions{$1};
 			if ( $2 ) {
 			    #
 			    # '=<value>' supplied
 			    #
 			    fatal_error "The $1 option does not take a value" if $opttype == RED_NONE;
 			    if ( $3 ) {
 				#
 				# fractional value
 				#
 				fatal_error "The $1 option requires an integer value"  if $opttype == RED_INTEGER;
 				fatal_error "The value of $1 must be <= 1" if $2 > 1;
 			    } else {
 				#
 				# Integer value
 				#
 				fatal_error "The $1 option requires a value 0 <= value <= 1" if $opttype == RED_FLOAT;
 			    }
 			} else {
 			    #
 			    # No value supplied
 			    #
 			    fatal_error "The $1 option requires a value" unless $opttype == RED_NONE;
 			}
 			$redopts{$1} = $2;
 		    } else {
 			fatal_error "Invalid RED option specification ($redopt)";
 		    }
 		}
 		for ( qw/ limit min max avpkt burst probability / ) {
 		    fatal_error "The $_ 'red' option is required" unless $redopts{$_};
 		}
 		fatal_error "The 'max' red option must be at least 2 * 'min'"   unless $redopts{max}   >= 2 * $redopts{min};
 		fatal_error "The 'limit' red option must be at least 2 * 'max'" unless $redopts{limit} >= 2 * $redopts{min};
 		$redopts{ecn} = 1 if exists $redopts{ecn};
 		$tcref->{redopts} = \%redopts;
 	    } else {
 		fatal_error "Unknown option ($option)";
 	    }
@@ -1168,6 +1324,8 @@ sub validate_tc_class( ) {
 					       occurs   => 0,
 					       parent   => $parentclass,
 					       limit    => $tcref->{limit},
 					       red      => $tcref->{red},
 					       redopts  => $tcref->{redopts},
 					     };
 	push @tcclasses, "$device:$classnumber";
    };
@@ -1455,7 +1613,7 @@ sub process_tcfilters() {
 	first_entry( "$doing $fn..." );
-	while ( read_a_line ) {
+	while ( read_a_line( NORMAL_READ ) ) {
 	    if ( $currentline =~ /^\s*IPV4\s*$/ ) {
 		Shorewall::IPAddrs::initialize( $family = F_IPV4 ) unless $family == F_IPV4;
 	    } elsif ( $currentline =~ /^\s*IPV6\s*$/ ) {
@@ -1499,7 +1657,6 @@ sub process_tc_priority() {
 					   $interface eq '-' &&
 					   $helper    eq '-' );
    my $val = numeric_value $band;
    fatal_error "Invalid PRIORITY ($band)" unless $val && $val <= 3;
@@ -1555,7 +1712,7 @@ sub process_tcinterfaces() {
    if ( $fn ) {
 	first_entry "$doing $fn...";
-	process_simple_device while read_a_line;
+	process_simple_device while read_a_line( NORMAL_READ );
    }
 }
@@ -1573,7 +1730,7 @@ sub process_tcpri() {
 		warning_message "There are entries in $fn1 but $fn was empty" unless @tcdevices || $family == F_IPV6;
 	    };
-	process_tc_priority while read_a_line;
+	process_tc_priority while read_a_line( NORMAL_READ );
 	clear_comment;
@@ -1584,8 +1741,14 @@ sub process_tcpri() {
 			  mark => '--mark 0/'   . in_hex( $globals{TC_MASK} )
 			);
 	    insert_irule( $mangle_table->{tcpost} ,
 			  j => 'RETURN', 
 			  1 ,
 			  mark => '! --mark 0/' . in_hex( $globals{TC_MASK} ) ,
 			);
 	    add_ijump( $mangle_table->{tcpost} ,
-		       j    => 'CONNMARK --save-mark --ctmask '    . in_hex( $globals{TC_MASK} ),
+		       j    => 'CONNMARK --save-mark --mask '    . in_hex( $globals{TC_MASK} ),
 		       mark => '! --mark 0/' . in_hex( $globals{TC_MASK} )
 		     );
 	}
@@ -1604,7 +1767,7 @@ sub process_traffic_shaping() {
    if ( $fn ) {
 	first_entry "$doing $fn...";
-	validate_tc_device while read_a_line;
+	validate_tc_device while read_a_line( NORMAL_READ );
    }
    $devnum = $devnum > 10 ? 10 : 1;
@@ -1614,7 +1777,7 @@ sub process_traffic_shaping() {
    if ( $fn ) {
 	first_entry "$doing $fn...";
-	validate_tc_class while read_a_line;
+	validate_tc_class while read_a_line( NORMAL_READ );
    }
    process_tcfilters;
@@ -1654,11 +1817,22 @@ sub process_traffic_shaping() {
 		   "${dev}_mtu1=\$(get_device_mtu1 $device)"
 		 );
 	    my $stab;
 	    if ( $devref->{linklayer} ) {
 		$stab =  "stab linklayer $devref->{linklayer} overhead $devref->{overhead} ";
 		$stab .= "mtu $devref->{mtu} "     if $devref->{mtu};
 		$stab .= "mpu $devref->{mpu} "     if $devref->{mpu};
 		$stab .= "tsize $devref->{tsize} " if $devref->{tsize};
 	    } else {
 		$stab = '';
 	    }
 	    if ( $devref->{qdisc} eq 'htb' ) {
-		emit ( "run_tc qdisc add dev $device root handle $devnum: htb default $defmark r2q $r2q" ,
+		emit ( "run_tc qdisc add dev $device ${stab}root handle $devnum: htb default $defmark r2q $r2q" ,
 		       "run_tc class add dev $device parent $devnum: classid $devnum:1 htb rate $devref->{out_bandwidth} \$${dev}_mtu1" );
 	    } else {
-		emit ( "run_tc qdisc add dev $device root handle $devnum: hfsc default $defmark" ,
+		emit ( "run_tc qdisc add dev $device ${stab}root handle $devnum: hfsc default $defmark" ,
 		       "run_tc class add dev $device parent $devnum: classid $devnum:1 hfsc sc rate $devref->{out_bandwidth} ul rate $devref->{out_bandwidth}" );
 	    }
@@ -1682,8 +1856,9 @@ sub process_traffic_shaping() {
 	    handle_in_bandwidth( $device, $devref->{in_bandwidth} );
 	    for my $rdev ( @{$devref->{redirected}} ) {
-		emit ( "run_tc qdisc add dev $rdev handle ffff: ingress" );
+		my $phyrdev = get_physical( $rdev );
-		emit( "run_tc filter add dev $rdev parent ffff: protocol all u32 match u32 0 0 action mirred egress redirect dev $device > /dev/null" );
+		emit ( "run_tc qdisc add dev $phyrdev handle ffff: ingress" );
 		emit( "run_tc filter add dev $phyrdev parent ffff: protocol all u32 match u32 0 0 action mirred egress redirect dev $device > /dev/null" );
 	    }
 	    for my $class ( @tcclasses ) {
@@ -1704,10 +1879,12 @@ sub process_traffic_shaping() {
 		my $mark     = $tcref->{mark};
 		my $devicenumber  = in_hexp $devref->{number};
 		my $classid  = join( ':', $devicenumber, $classnum);
-		my $rate     = "$tcref->{rate}kbit";
+		my $rawrate  = $tcref->{rate};
 		my $rate     = "${rawrate}kbit";
 		my $lsceil   = $tcref->{lsceil};
 		my $quantum  = calculate_quantum $rate, calculate_r2q( $devref->{out_bandwidth} );
-		$classids{$classid}=$device;
+		$classids{$classid}=$devname;
 		my $priority = $tcref->{priority} << 8;
 		my $parent   = in_hexp $tcref->{parent};
@@ -1718,16 +1895,42 @@ sub process_traffic_shaping() {
 		    emit ( "run_tc class add dev $device parent $devicenumber:$parent classid $classid htb rate $rate ceil $tcref->{ceiling}kbit prio $tcref->{priority} \$${dev}_mtu1 quantum \$quantum" );
 		} else {
 		    my $dmax = $tcref->{dmax};
 		    my $rule = "run_tc class add dev $device parent $devicenumber:$parent classid $classid hfsc";
 		    if ( $dmax ) {
 			my $umax = $tcref->{umax} ? "$tcref->{umax}b" : "\${${dev}_mtu}b";
-			emit ( "run_tc class add dev $device parent $devicenumber:$parent classid $classid hfsc sc umax $umax dmax ${dmax}ms rate $rate ul rate $tcref->{ceiling}kbit" );
+			$rule .= " sc umax $umax dmax ${dmax}ms";
 			$rule .= " rate $rate" if $rawrate;
 		    } else {
-			emit ( "run_tc class add dev $device parent $devicenumber:$parent classid $classid hfsc sc rate $rate ul rate $tcref->{ceiling}kbit" );
+			$rule .= " sc rate $rate" if $rawrate;
 		    }
 		    $rule .= " ls rate ${lsceil}kbit" if $lsceil;
 		    $rule .= " ul rate $tcref->{ceiling}kbit" if $tcref->{ceiling};
 		    emit $rule;
 		}
 		if ( $tcref->{leaf} ) {
 		    if ( $tcref->{red} ) {
 			1 while $devnums[++$sfq];
 			$sfqinhex = in_hexp( $sfq);
 			my ( $options, $redopts ) = ( '', $tcref->{redopts} );
 			while ( my ( $option, $type ) = each %validredoptions ) {
 			    if ( my $value = $redopts->{$option} ) {
 				if ( $type == RED_NONE ) {
 				    $options = join( ' ', $options, $option ) if $value;
 				} else {
 				    $options = join( ' ', $options, $option, $value );
 				}
 			    }
 			}
-		if ( $tcref->{leaf} && ! $tcref->{pfifo} ) {
+			emit( "run_tc qdisc add dev $device parent $classid handle $sfqinhex: red${options}" );
 		    } elsif ( $tcref->{leaf} && ! $tcref->{pfifo} ) {
 			1 while $devnums[++$sfq];
 			$sfqinhex = in_hexp( $sfq);
@@ -1737,6 +1940,7 @@ sub process_traffic_shaping() {
 			    emit( "run_tc qdisc add dev $device parent $classid handle $sfqinhex: sfq limit $tcref->{limit} perturb 10" );
 			}
 		    }
 		}
 		#
 		# add filters
 		#
@@ -1798,14 +2002,14 @@ sub process_traffic_shaping() {
 		my $devicenumber  = in_hexp $devref->{number};
 		my $classid  = join( ':', $devicenumber, $classnum);
-		$classids{$classid}=$device;
+		$classids{$classid}=$devname;
 	    }
 	}
    }
 }
 #
-# Validate the TC configuration storing basic information in %tcdevices and %tcdevices
+# Validate the TC configuration storing basic information in %tcdevices and %tcclasses (complex TC only)
 #
 sub process_tc() {
    if ( $config{TC_ENABLED} eq 'Internal' || $config{TC_ENABLED} eq 'Shared' ) {
@@ -1953,19 +2157,19 @@ sub setup_tc() {
 	append_file $globals{TC_SCRIPT};
    } else {
 	process_tcpri if $config{TC_ENABLED} eq 'Simple';
-	setup_traffic_shaping unless $config{TC_ENABLED} eq 'Shared';
+	setup_traffic_shaping if @tcdevices && $config{TC_ENABLED} ne 'Shared';
    }
-    if ( $config{TC_ENABLED} ) {
+    if ( $config{MANGLE_ENABLED} ) {
 	our  @tccmd = ( { match     => sub ( $ ) { $_[0] eq 'SAVE' } ,
 			  target    => 'CONNMARK --save-mark --mask' ,
-			  mark      => SMALLMARK ,
+			  mark      => $config{TC_EXPERT} ? HIGHMARK : SMALLMARK,
 			  mask      => in_hex( $globals{TC_MASK} ) ,
 			  connmark  => 1
 			} ,
 			{ match     => sub ( $ ) { $_[0] eq 'RESTORE' },
 			  target    => 'CONNMARK --restore-mark --mask' ,
-			  mark      => SMALLMARK ,
+			  mark      => $config{TC_EXPERT} ? HIGHMARK : SMALLMARK ,
 			  mask      => in_hex( $globals{TC_MASK} ) ,
 			  connmark  => 1
 			} ,
@@ -2002,6 +2206,11 @@ sub setup_tc() {
 			  mark      => HIGHMARK,
 			  mask      => '',
 			  connmark  => '' },
 			{ match     => sub( $ ) { $_[0] =~ /^DIVERT/ },
 			  target    => 'DIVERT',
 			  mark      => HIGHMARK,
 			  mask      => '',
 			  connmark  => '' },
 			{ match     => sub( $ ) { $_[0] =~ /^TTL/ },
 			  target    => 'TTL',
 			  mark      => NOMARK,
@@ -2036,20 +2245,21 @@ sub setup_tc() {
 	if ( my $fn = open_file 'tcrules' ) {
 	    our $format = 1;
 	    first_entry "$doing $fn...";
-	    process_tc_rule while read_a_line;
+	    process_tc_rule while read_a_line( NORMAL_READ );
 	    clear_comment;
-	}
+
 	}
    if ( $config{MANGLE_ENABLED} ) {
 	if ( my $fn = open_file 'secmarks' ) {
 	    first_entry "$doing $fn...";
-	    process_secmark_rule while read_a_line;
+	    process_secmark_rule while read_a_line( NORMAL_READ );
 	    clear_comment;
 	}
--- a/Shorewall/Perl/Shorewall/Tunnels.pm
+++ b/Shorewall/Perl/Shorewall/Tunnels.pm
@@ -2,7 +2,6 @@
 # Shorewall 4.4 -- /usr/share/shorewall/Shorewall/Tunnels.pm
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
 #     (c) 2007,2008,2009,2010,2011 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
@@ -126,9 +125,9 @@ sub setup_tunnels() {
    sub setup_pptp_server {
 	my ($inchainref, $outchainref, $kind, $source, $dest ) = @_;
-	add_tunnel_rule $inchainref,  p => 47, @$dest;
+	add_tunnel_rule $inchainref,  p => 47, @$source;
-	add_tunnel_rule $outchainref, p => 47, @$source;
+	add_tunnel_rule $outchainref, p => 47, @$dest;
-	add_tunnel_rule $inchainref,  p => 'tcp --dport 1723', @$dest
+	add_tunnel_rule $inchainref,  p => 'tcp --dport 1723', @$source
 	}
    sub setup_one_openvpn {
@@ -234,7 +233,7 @@ sub setup_tunnels() {
    }
    sub setup_one_tunnel($$$$) {
-	my ( $kind , $zone, $gateway, $gatewayzones ) = @_;
+	my ( $kind , $zone, $gateways, $gatewayzones ) = @_;
 	my $zonetype = zone_type( $zone );
@@ -243,8 +242,14 @@ sub setup_tunnels() {
 	my $inchainref  = ensure_rules_chain( rules_chain( ${zone}, ${fw} ) );
 	my $outchainref = ensure_rules_chain( rules_chain( ${fw}, ${zone} ) );
-	$gateway = ALLIP if $gateway eq '-';
+	$gateways = ALLIP if $gateways eq '-';
 	my ( $net, $excl ) = handle_network_list( $gateways , 'src' );
 	( $net, $excl )    = handle_network_list( $gateways , 'dst' );
 	fatal_error "Exclusion is not allowed in the GATEWAYS column" if $excl;
 	for my $gateway ( split_list $gateways, 'GATEWAYS' ) {
 	    my @source = imatch_source_net $gateway;
 	    my @dest   = imatch_dest_net   $gateway;
@@ -272,6 +277,7 @@ sub setup_tunnels() {
 	    fatal_error "Tunnels of type $type are not supported" unless $tunnelref;
 	    $tunnelref->{function}->( $inchainref, $outchainref, @{$tunnelref->{params}} );
 	}
 	progress_message "   Tunnel \"$currentline\" $done";
    }
@@ -283,16 +289,16 @@ sub setup_tunnels() {
 	first_entry "$doing $fn...";
-	while ( read_a_line ) {
+	while ( read_a_line( NORMAL_READ ) ) {
-	    my ( $kind, $zone, $gateway, $gatewayzones ) = split_line1 'tunnels file', { type => 0, zone => 1, gateway => 2, gateway_zone => 3 };
+	    my ( $kind, $zone, $gateway, $gatewayzones ) = split_line1 'tunnels file', { type => 0, zone => 1, gateway => 2, gateways => 2, gateway_zone => 3 , gateway_zones => 3 }, undef, 4;
 	    fatal_error 'TYPE must be specified' if $kind eq '-';
 	    fatal_error 'ZONE must be specified' if $zone eq '-';
 	    if ( $kind eq 'COMMENT' ) {
 		process_comment;
 	    } else {
 		fatal_error 'ZONE must be specified' if $zone eq '-';
 		setup_one_tunnel $kind, $zone, $gateway, $gatewayzones;
 	    }
 	}
--- a/Shorewall/Perl/Shorewall/Zones.pm
+++ b/Shorewall/Perl/Shorewall/Zones.pm
@@ -41,6 +41,8 @@ our @EXPORT = qw( NOTHING
 		  IP
 		  BPORT
 		  IPSEC
 		  NO_UPDOWN
 		  NO_SFILTER
 		  determine_zones
 		  zone_report
@@ -62,6 +64,7 @@ our @EXPORT = qw( NOTHING
 		  validate_interfaces_file
 		  all_interfaces
 		  all_real_interfaces
 		  all_plain_interfaces
 		  all_bridges
 		  interface_number
 		  find_interface
@@ -72,6 +75,7 @@ our @EXPORT = qw( NOTHING
 		  port_to_bridge
 		  source_port_to_bridge
 		  interface_is_optional
 		  interface_is_required
 		  find_interfaces_by_option
 		  find_interfaces_by_option1
 		  get_interface_option
@@ -80,7 +84,6 @@ our @EXPORT = qw( NOTHING
 		  set_interface_provider
 		  interface_zones
 		  verify_required_interfaces
 		  compile_updown
 		  validate_hosts_file
 		  find_hosts_by_option
 		  find_zone_hosts_by_option
@@ -173,6 +176,7 @@ my  %reservedName = ( all => 1,
 #                                     number      => <ordinal position in the interfaces file>
 #                                     physical    => <physical interface name>
 #                                     base        => <shell variable base representing this interface>
 #                                     provider    => <Provider Name, if interface is associated with a provider>
 #                                     zones       => { zone1 => 1, ... }
 #                                   }
 #                 }
@@ -219,11 +223,14 @@ use constant { SIMPLE_IF_OPTION   => 1,
 	       IF_OPTION_WILDOK   => 64
 	   };
 use constant { NO_UPDOWN   => 1, 
 	       NO_SFILTER  => 2 };
 my %validinterfaceoptions;
 my %defaultinterfaceoptions = ( routefilter => 1 , wait => 60 );
-my %maxoptionvalue = ( routefilter => 2, mss => 100000 , wait => 120 );
+my %maxoptionvalue = ( routefilter => 2, mss => 100000 , wait => 120 , ignore => NO_UPDOWN );
 my %validhostoptions;
@@ -281,6 +288,7 @@ sub initialize( $$ ) {
 				  bridge      => SIMPLE_IF_OPTION,
 				  detectnets  => OBSOLETE_IF_OPTION,
 				  dhcp        => SIMPLE_IF_OPTION,
 				  ignore      => NUMERIC_IF_OPTION + IF_OPTION_WILDOK,
 				  maclist     => SIMPLE_IF_OPTION + IF_OPTION_HOST,
 				  logmartians => BINARY_IF_OPTION,
 				  nets        => IPLIST_IF_OPTION + IF_OPTION_ZONEONLY + IF_OPTION_VSERVER,
@@ -316,6 +324,7 @@ sub initialize( $$ ) {
 	%validinterfaceoptions = (  blacklist   => SIMPLE_IF_OPTION + IF_OPTION_HOST,
 				    bridge      => SIMPLE_IF_OPTION,
 				    dhcp        => SIMPLE_IF_OPTION,
 				    ignore      => NUMERIC_IF_OPTION + IF_OPTION_WILDOK,
 				    maclist     => SIMPLE_IF_OPTION + IF_OPTION_HOST,
 				    nets        => IPLIST_IF_OPTION + IF_OPTION_ZONEONLY + IF_OPTION_VSERVER,
 				    nosmurfs    => SIMPLE_IF_OPTION + IF_OPTION_HOST,
@@ -483,7 +492,8 @@ sub process_zone( \$ ) {
    my $complex = 0;
-    my $zoneref = $zones{$zone} = { type       => $type,
+    my $zoneref = $zones{$zone} = { name       => $zone,
 				    type       => $type,
 				    parents    => \@parents,
 				    bridge     => '',
 				    options    => { in_out  => parse_zone_option_list( $options , $type, $complex , IN_OUT ) ,
@@ -545,7 +555,7 @@ sub determine_zones()
    if ( my $fn = open_file 'zones' ) {
 	first_entry "$doing $fn...";
-	push @z, process_zone( $ip ) while read_a_line;
+	push @z, process_zone( $ip ) while read_a_line( NORMAL_READ );
    } else {
 	fatal_error q(The 'zones' file does not exist or has zero size);
    }
@@ -565,6 +575,7 @@ sub determine_zones()
 		for ( @{$zones{$zone}{children}} ) {
 		    next ZONE unless $ordered{$_};
 		}
 		$ordered{$zone} = 1;
 		push @zones, $zone;
 		redo PUSHED;
@@ -572,7 +583,7 @@ sub determine_zones()
 	}
    }
-    assert( scalar @zones == scalar @z );
+    assert( @zones == @z );
 }
@@ -934,7 +945,7 @@ sub process_interface( $$ ) {
 	    return;
 	}
-	fatal_error "Invalid FORMAT ($1)";
+	fatal_error "Invalid FORMAT ($originalinterface)";
    }
    if ( $zone eq '-' ) {
@@ -1029,7 +1040,7 @@ sub process_interface( $$ ) {
    if ( $options eq 'ignore' ) {
 	fatal_error "Ignored interfaces may not be associated with a zone" if $zone;
-	$options{ignore} = 1;
+	$options{ignore} = NO_UPDOWN | NO_SFILTER;
 	$options = '-';
    }
@@ -1149,7 +1160,16 @@ sub process_interface( $$ ) {
 	    }
 	}
-	fatal_error "Invalid combination of interface options" if $options{required} && $options{optional};
+	fatal_error "Invalid combination of interface options"
 	    if ( ( $options{required} && $options{optional} ) ||
 		 ( $options{required} && $options{ignore}   ) ||
 		 ( $options{optional} && $options{ignore}   ) );
 	if ( supplied( my $ignore = $options{ignore} ) ) {
 	    fatal_error "Invalid value ignore=0" if ! $ignore;
 	} else {
 	    $options{ignore} = 0;
 	}
 	if ( $netsref eq 'dynamic' ) {
 	    my $ipset = $family == F_IPV4 ? "${zone}_" . chain_base $physical : "6_${zone}_" . chain_base $physical;
@@ -1171,6 +1191,10 @@ sub process_interface( $$ ) {
 	# No options specified -- auto-detect bridge
 	#
 	$hostoptionsref->{routeback} = $options{routeback} = is_a_bridge( $physical ) unless $export;
 	#
 	# And give the 'ignore' option a defined value
 	#
 	$options{ignore} ||= 0;
    }
    $physical{$physical} = $interfaces{$interface} = { name       => $interface ,
@@ -1214,7 +1238,7 @@ sub validate_interfaces_file( $ ) {
    if ( my $fn = open_file 'interfaces' ) {
 	first_entry "$doing $fn...";
-	push @ifaces, process_interface( $nextinum++, $export ) while read_a_line;
+	push @ifaces, process_interface( $nextinum++, $export ) while read_a_line( NORMAL_READ );
    } else {
 	fatal_error q(The 'interfaces' file does not exist or has zero size);
    }
@@ -1416,11 +1440,65 @@ sub interface_is_optional($) {
    $optionsref && $optionsref->{optional};
 }
 #
 # Return the 'required' setting of the passed interface
 #
 sub interface_is_required($) {
    my $optionsref = $interfaces{$_[0]}{options};
    $optionsref && $optionsref->{required};
 }
 #
 # Return true if the interface is 'plain'
 #
 sub interface_is_plain($) {
    my $interfaceref = $interfaces{$_[0]};
    my $optionsref   = $interfaceref->{options};
    $interfaceref->{bridge} eq $interfaceref->{name} && ! ( $optionsref && ( $optionsref->{required} || $optionsref->{optional} || $optionsref->{ignore} ) )
 }
 #
 # Return a minimal list of physical interfaces that are neither ignored, optional, required nor a bridge port.
 #
 sub all_plain_interfaces() {
    my @plain1 = map get_physical($_), grep $_ ne '%vserver%' && interface_is_plain( $_ ), @interfaces;
    my @plain2;
    my @wild1;
    my @wild2;
    for ( @plain1 ) {
 	if ( /\+$/ ) {
 	    return ( '+' ) if $_ eq '+';
 	    push @wild1, $_;
 	    chop;
 	    push @wild2, $_;
 	} else {
 	    push @plain2, $_;
 	}
    }
    return @plain2 unless @wild1;
    @plain1 = ();
 NAME:
    for my $name ( @plain2) {
 	for ( @wild2 ) {
 	    next NAME if substr( $name, 0, length( $_ ) ) eq $_;
 	}
 	push @plain1, $name;
    }
    ( @plain1, @wild1 );
 }
 #
 # Returns reference to array of interfaces with the passed option
 #
-sub find_interfaces_by_option( $ ) {
+sub find_interfaces_by_option( $;$ ) {
-    my $option = $_[0];
+    my ( $option , $nonzero ) = @_;
    my @ints = ();
    for my $interface ( @interfaces ) {
@@ -1429,7 +1507,11 @@ sub find_interfaces_by_option( $ ) {
 	next unless $interfaceref->{root};
 	my $optionsref = $interfaceref->{options};
-	if ( $optionsref && defined $optionsref->{$option} ) {
+	if ( $nonzero ) {
 	    if ( $optionsref && $optionsref->{$option} ) {
 		push @ints , $interface
 	    }
 	} elsif ( $optionsref && defined $optionsref->{$option} ) {
 	    push @ints , $interface
 	}
    }
@@ -1540,16 +1622,16 @@ sub verify_required_interfaces( $ ) {
 		my $physical = get_physical $interface;
 		if ( $physical =~ /\+$/ ) {
 		    my $base = uc chain_base $physical;
 		    $physical =~ s/\+$/*/;
-		    emit( 'for interface in $(find_all_interfaces); do',
+		    emit( "waittime=$wait",
 			  '',
 			  'for interface in $(find_all_interfaces); do',
 			  '    case $interface in',
 			  "        $physical)",
 			  "            waittime=$wait",
 			  '            while [ $waittime -gt 0 ]; do',
 			  '                interface_is_usable $interface && break',
 			  '                sleep 1',
 			  '                waittime=$(($waittime - 1))',
 			  '            done',
 			  '            ;;',
@@ -1562,8 +1644,8 @@ sub verify_required_interfaces( $ ) {
 		    emit qq(    waittime=$wait);
 		    emit  '';
 		    emit  q(    while [ $waittime -gt 0 ]; do);
 		    emit qq(        interface_is_usable $physical && break);
 		    emit  q(        sleep 1);
 		    emit qq(        interface_is_usable $physical && break);
 		    emit   '        waittime=$(($waittime - 1))';
 		    emit  q(    done);
 		    emit  q(fi);
@@ -1634,181 +1716,12 @@ sub verify_required_interfaces( $ ) {
    $returnvalue;
 }
 #
 # Emit the updown() function
 #
 sub compile_updown() {
    emit( '',
 	  '#',
 	  '# Handle the "up" and "down" commands',
 	  '#',
 	  'updown() # $1 = interface',
 	  '{',
 	);
    push_indent;
    emit( 'local state',
 	  'state=cleared',
 	  '' );
    emit 'progress_message3 "$g_product $COMMAND triggered by $1"';
    emit '';
    if ( $family == F_IPV4 ) {
 	emit 'if shorewall_is_started; then';
    } else {
 	emit 'if shorewall6_is_started; then';
    }
    emit( '    state=started',
 	  'elif [ -f ${VARDIR}/state ]; then',
 	  '    case "$(cat ${VARDIR}/state)" in',
 	  '        Stopped*)',
 	  '            state=stopped',
 	  '            ;;',
 	  '        Cleared*)',
 	  '            ;;',
 	  '        *)',
 	  '            state=unknown',
 	  '            ;;',
 	  '    esac',
 	  'else',
 	  '    state=unknown',
 	  'fi',
 	  ''
 	);
    emit( 'case $1 in' );
    push_indent;
    my $ignore   = find_interfaces_by_option 'ignore';
    my $required = find_interfaces_by_option 'required';
    my $optional = find_interfaces_by_option 'optional';
    if ( @$ignore ) {
 	my $interfaces = join '|', map $interfaces{$_}->{physical}, @$ignore;
 	$interfaces =~ s/\+/*/g;
 	emit( "$interfaces)",
 	      '    progress_message3 "$COMMAND on interface $1 ignored"',
 	      '    exit 0',
 	      '    ;;'
 	    );
    }
    if ( @$required ) {
 	my $interfaces = join '|', map $interfaces{$_}->{physical}, @$required;
 	my $wildcard = ( $interfaces =~ s/\+/*/g );
 	emit( "$interfaces)",
 	      '    if [ "$COMMAND" = up ]; then' );
 	if ( $wildcard ) {
 	    emit( '        if [ "$state" = started ]; then',
 		  '            COMMAND=restart',
 		  '        else',
 		  '            COMMAND=start',
 		  '        fi' );
 	} else {
 	    emit( '        COMMAND=start' );
 	}
 	emit( '        progress_message3 "$g_product attempting $COMMAND"',
 	      '        detect_configuration',
 	      '        define_firewall' );
 	if ( $wildcard ) {
 	    emit( '    elif [ "$state" = started ]; then',
 		  '        progress_message3 "$g_product attempting restart"',
 		  '        COMMAND=restart',
 		  '        detect_configuration',
 		  '        define_firewall' );
 	} else {
 	    emit( '    else',
 		  '        COMMAND=stop',
 		  '        progress_message3 "$g_product attempting stop"',
 		  '        detect_configuration',
 		  '        stop_firewall' );
 	}
 	emit( '    fi',
 	      '    ;;'
 	    );
    }
    if ( @$optional ) {
 	my @interfaces = map $interfaces{$_}->{physical}, @$optional;
 	my $interfaces = join '|', @interfaces; 
 	if ( $interfaces =~ s/\+/*/g || @interfaces > 1 ) {
 	    emit( "$interfaces)",
 		  '    if [ "$COMMAND" = up ]; then',
 		  '        echo 0 > ${VARDIR}/${1}.state',
 		  '    else',
 		  '        echo 1 > ${VARDIR}/${1}.state',
 		  '    fi' );
 	} else {
 	    emit( "$interfaces)",
 		  '    if [ "$COMMAND" = up ]; then',
 		  "        echo 0 > \${VARDIR}/$interfaces.state",
 		  '    else',
 		  "        echo 1 > \${VARDIR}/$interfaces.state",
 		  '    fi' );
 	}
 	emit( '',
 	      '    if [ "$state" = started ]; then',
 	      '        COMMAND=restart',
 	      '        progress_message3 "$g_product attempting restart"',
 	      '        detect_configuration',
 	      '        define_firewall',
 	      '    elif [ "$state" = stopped ]; then',
 	      '        COMMAND=start',
 	      '        progress_message3 "$g_product attempting start"',
 	      '        detect_configuration',
 	      '        define_firewall',
 	      '    else',
 	      '        progress_message3 "$COMMAND on interface $1 ignored"',
 	      '    fi',
 	      '    ;;',
 	    );
    }
    emit( "*)",
 	  '    case $state in',
 	  '        started)',
 	  '            COMMAND=restart',
 	  '            progress_message3 "$g_product attempting restart"',
 	  '            detect_configuration',
 	  '            define_firewall',
 	  '            ;;',
 	  '        *)',
 	  '            progress_message3 "$COMMAND on interface $1 ignored"',
 	  '            ;;',
 	  '    esac',
 	);
    pop_indent;
    emit( 'esac' );
    pop_indent;
    emit( '}',
 	  '',
 	);
 }
 #
 # Process a record in the hosts file
 #
 sub process_host( ) {
    my $ipsec = 0;
-    my ($zone, $hosts, $options ) = split_line 'hosts file', { zone => 0, hosts => 1, options => 2 };
+    my ($zone, $hosts, $options ) = split_line1 'hosts file', { zone => 0, host => 1, hosts => 1, options => 2 }, {}, 3;
    fatal_error 'ZONE must be specified'  if $zone eq '-';
    fatal_error 'HOSTS must be specified' if $hosts eq '-';
@@ -1935,7 +1848,7 @@ sub validate_hosts_file()
    if ( my $fn = open_file 'hosts' ) {
 	first_entry "$doing $fn...";
-	$ipsec |= process_host while read_a_line;
+	$ipsec |= process_host while read_a_line( NORMAL_READ );
    }
    $have_ipsec = $ipsec || haveipseczones;
--- a/Shorewall/Perl/compiler.pl
+++ b/Shorewall/Perl/compiler.pl
@@ -37,6 +37,7 @@
 #         --log_verbosity=<number>    # Log Verbosity range -1 to 2
 #         --family=<number>           # IP family; 4 = IPv4 (default), 6 = IPv6
 #         --preview                   # Preview the ruleset.
 #         --shorewallrc=<path>        # Path to shorewallrc file.
 #         --config_path=<path-list>   # Search path for config files
 #
 use strict;
@@ -65,7 +66,7 @@ sub usage( $ ) {
    [ --annotate ]
    [ --update ]
    [ --convert ]
-    [ --shorewallrc ]
+    [ --shorewallrc=<pathname> ]
    [ --config_path=<path-list> ]
 ';
--- a/Shorewall/Perl/lib.core
+++ b/Shorewall/Perl/lib.core
@@ -171,28 +171,6 @@ interface_is_up() {
    [ -n "$($IP -$g_family link list dev $1 2> /dev/null | grep -e '[<,]UP[,>]')" ]
 }
 #
 # Determine if interface is usable from a Netfilter perspective
 #
 interface_is_usable() # $1 = interface
 {
    [ "$1" = lo ] && return 0
    interface_is_up $1 && [ "$(find_first_interface_address_if_any $1)" != :: ] && run_isusable_exit $1
 }
 #
 # Find interface addresses--returns the set of addresses assigned to the passed
 # device
 #
 find_interface_addresses() # $1 = interface
 {
    if [ $g_family -eq 4 ]; then
 	$IP -f inet addr show $1 2> /dev/null | grep inet\  | sed 's/\s*inet //;s/\/.*//;s/ peer.*//'
    else
 	$IP -f inet6 addr show $1 2> /dev/null | grep 'inet6 2' | sed 's/\s*inet6 //;s/\/.*//;s/ peer.*//'
    fi
 }
 #
 #  echo the list of networks routed out of a given interface
 #
@@ -204,7 +182,6 @@ get_routed_networks() # $1 = interface name, $2-n = Fatal error message
    [ $g_family -eq 4 ] && mask=32 || mask=128
    $IP -$g_family route show dev $1 2> /dev/null |
 	while read address rest; do
 	    case "$address" in
@@ -362,6 +339,16 @@ replace_default_route() # $1 = USE_DEFAULT_RT
    fi
 }
 #
 # Delete default routes with metric 0 from the passed routing table
 #
 delete_default_routes() # $1 = table number
 {
    $IP -$g_family route ls table $1 | fgrep default | fgrep -v metric | while read route; do
 	qt $IP -$g_family route del $route
    done
 } 
 restore_default_route() # $1 = USE_DEFAULT_RT
 {
    local result
@@ -594,6 +581,7 @@ distribute_load() {
    local interface
    local totalload
    local load
    local mark
    local maxload
    maxload=$1
@@ -605,6 +593,8 @@ distribute_load() {
 	if interface_up $interface; then
 	    load=$(cat ${VARDIR}/${interface}_load)
 	    eval ${interface}_load=$load
 	    mark=$(cat ${VARDIR}/${interface}_mark)
 	    eval ${interface}_mark=$mark
 	    totalload=$( bc <<EOF
 scale=8
 $totalload + $load
@@ -617,6 +607,7 @@ EOF
 	for interface in $@; do
 	    qt $g_tool -t mangle -F ~$interface
 	    eval load=\$${interface}_load
 	    eval mark=\$${interface}_mark
 	    if [ -n "$load" ]; then
 		load=$(bc <<EOF
@@ -629,7 +620,7 @@ scale=8
 $totalload - $load
 EOF
 )
-		run_iptables -t mangle -A ~$interface -m statistic --mode random --probability $load
+		run_iptables -t mangle -A ~$interface -m statistic --mode random --probability $load -j MARK --set-mark $mark
 	    fi
 	done
    fi
@@ -639,9 +630,37 @@ EOF
 #################################################################################
 #                        IPv4-specific Functions
 #################################################################################
 #
 # Determine if interface is usable from a Netfilter perspective
 #
 interface_is_usable() # $1 = interface
 {
    local status;
    status=0
    if [ "$1" != lo ]; then
 	if interface_is_up $1 && [ "$(find_first_interface_address_if_any $1)" != 0.0.0.0 ]; then
 	    [ "$COMMAND" = enable ] || run_isusable_exit $1
 	    status=$?
 	else
 	    status=1
 	fi
    fi
    return $status
 }
 #
 # Find interface addresses--returns the set of addresses assigned to the passed device
 #
 find_interface_addresses() # $1 = interface
 {
    $IP -f inet addr show $1 2> /dev/null | grep inet\  | sed 's/\s*inet //;s/\/.*//;s/ peer.*//'
 }
 #
 # Find the value 'weight' in the passed arguments then echo the next value
 #
 find_weight() {
    while [ $# -gt 1 ]; do
 	[ "x$1" = xweight ] && echo $2 && return
@@ -1012,6 +1031,34 @@ get_all_bcasts()
 #################################################################################
 #                        IPv6-specific Functions
 #################################################################################
 #
 # Determine if interface is usable from a Netfilter perspective
 #
 interface_is_usable() # $1 = interface
 {
    local status;
    status=0
    if [ "$1" != lo ]; then
 	if interface_is_up $1 && [ "$(find_first_interface_address_if_any $1)" != :: ]; then
 	    [ "$COMMAND" = enable ] || run_isusable_exit $1
 	    status=$?
 	else
 	    status=1
 	fi
    fi
    return $status
 }
 #
 # Find interface addresses--returns the set of addresses assigned to the passed device
 #
 find_interface_addresses() # $1 = interface
 {
    $IP -f inet6 addr show $1 2> /dev/null | grep 'inet6 2' | sed 's/\s*inet6 //;s/\/.*//;s/ peer.*//'
 }
 #
 # Get all interface addresses with VLSMs
 #
--- a/Shorewall/Perl/macro.BLACKLIST
+++ b/Shorewall/Perl/macro.BLACKLIST
@@ -1,11 +0,0 @@
 #
 # Shorewall version 4 - blacklist Macro
 #
 # /usr/share/shorewall/macro.blacklist
 #
 #	This macro handles blacklisting using BLACKLIST_DISPOSITION and BLACKLIST_LOGLEVEL
 #
 ###############################################################################
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
 #				PORT(S)	PORT(S)	LIMIT	GROUP
 $BLACKLIST_DISPOSITION:$BLACKLIST_LOGLEVEL
--- a/Shorewall/Perl/prog.footer
+++ b/Shorewall/Perl/prog.footer
@@ -235,8 +235,8 @@ case "$COMMAND" in
 	    status=2
 	elif checkkernelversion; then
 	    if [ $# -eq 1 ]; then
-		$IP6TABLES -Z
+		$g_tool -Z
-		$IP6TABLES -t mangle -Z
+		$g_tool -t mangle -Z
 		date > ${VARDIR}/restarted
 		status=0
 		progress_message3 "$g_product Counters Reset"
@@ -245,7 +245,7 @@ case "$COMMAND" in
 		status=0
 		for chain in $@; do
 		    if chain_exists $chain; then
-			if qt $IP6TABLES -Z $chain; then
+			if qt $g_tool-Z $chain; then
 			    progress_message3 "Filter $chain Counters Reset"
 			else
 			    error_message "ERROR: Reset of chain $chain failed"
@@ -348,7 +348,9 @@ case "$COMMAND" in
 	[ $# -eq 1 ] && exit 0
 	shift
 	[ $# -ne 1 ] && usage 2
-	updown $1
+	mutex_on
 	( updown $1 )
 	mutex_off
 	status=0
 	;;
    enable)
--- a/Shorewall/Samples/LICENSE
+++ b/Shorewall/Samples/LICENSE
@@ -55,7 +55,7 @@ modified by someone else and passed on, the recipients should know
 that what they have is not the original version, so that the original
 author's reputation will not be affected by problems that might be
 introduced by others.
-
+
  Finally, software patents pose a constant threat to the existence of
 any free program.  We wish to make sure that a company cannot
 effectively restrict the users of a free program by obtaining a
@@ -111,7 +111,7 @@ modification follow.  Pay close attention to the difference between a
 "work based on the library" and a "work that uses the library".  The
 former contains code derived from the library, whereas the latter must
 be combined with the library in order to run.
-
+
 		  GNU LESSER GENERAL PUBLIC LICENSE
   TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
@@ -158,7 +158,7 @@ Library.
  You may charge a fee for the physical act of transferring a copy,
 and you may at your option offer warranty protection in exchange for a
 fee.
-
+
  2. You may modify your copy or copies of the Library or any portion
 of it, thus forming a work based on the Library, and copy and
 distribute such modifications or work under the terms of Section 1
@@ -216,7 +216,7 @@ instead of to this License.  (If a newer version than version 2 of the
 ordinary GNU General Public License has appeared, then you can specify
 that version instead if you wish.)  Do not make any other change in
 these notices.
-
+
  Once this change is made in a given copy, it is irreversible for
 that copy, so the ordinary GNU General Public License applies to all
 subsequent copies and derivative works made from that copy.
@@ -267,7 +267,7 @@ Library will still fall under Section 6.)
 distribute the object code for the work under the terms of Section 6.
 Any executables containing that work also fall under Section 6,
 whether or not they are linked directly with the Library itself.
-
+
  6. As an exception to the Sections above, you may also combine or
 link a "work that uses the Library" with the Library to produce a
 work containing portions of the Library, and distribute that work
@@ -329,7 +329,7 @@ restrictions of other proprietary libraries that do not normally
 accompany the operating system.  Such a contradiction means you cannot
 use both them and the Library together in an executable that you
 distribute.
-
+
  7. You may place library facilities that are a work based on the
 Library side-by-side in a single library together with other library
 facilities not covered by this License, and distribute such a combined
@@ -370,7 +370,7 @@ subject to these terms and conditions.  You may not impose any further
 restrictions on the recipients' exercise of the rights granted herein.
 You are not responsible for enforcing compliance by third parties with
 this License.
-
+
  11. If, as a consequence of a court judgment or allegation of patent
 infringement or for any other reason (not limited to patent issues),
 conditions are imposed on you (whether by court order, agreement or
@@ -422,7 +422,7 @@ conditions either of that version or of any later version published by
 the Free Software Foundation.  If the Library does not specify a
 license version number, you may choose any version ever published by
 the Free Software Foundation.
-
+
  14. If you wish to incorporate parts of the Library into other free
 programs whose distribution conditions are incompatible with these,
 write to the author to ask for permission.  For software which is
@@ -456,7 +456,7 @@ SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH
 DAMAGES.
 		     END OF TERMS AND CONDITIONS
-
+
           How to Apply These Terms to Your New Libraries
  If you develop a new library, and you want it to be of the greatest
--- a/Shorewall/Samples/Universal/interfaces
+++ b/Shorewall/Samples/Universal/interfaces
@@ -7,6 +7,8 @@
 # http://www.shorewall.net/manpages/shorewall-interfaces.html
 #
 ###############################################################################
-#ZONE	INTERFACE	BROADCAST	OPTIONS
+FORMAT 2
-	lo		-		ignore
+###############################################################################
-net	all		-		dhcp,physical=+,routeback,optional
+#ZONE	INTERFACE	OPTIONS
 -	lo		ignore
 net	all		dhcp,physical=+,routeback,optional
--- a/Shorewall/Samples/Universal/rules
+++ b/Shorewall/Samples/Universal/rules
@@ -13,6 +13,6 @@
 #SECTION ESTABLISHED
 #SECTION RELATED
 SECTION NEW
-
+Invalid(DROP)	net		$FW		tcp
 SSH(ACCEPT)	net		$FW
 Ping(ACCEPT)	net		$FW
--- a/Shorewall/Samples/Universal/shorewall.conf
+++ b/Shorewall/Samples/Universal/shorewall.conf
@@ -55,12 +55,16 @@ TCP_FLAGS_LOG_LEVEL=info
 CONFIG_PATH=${CONFDIR}/shorewall:${SHAREDIR}/shorewall
 GEOIPDIR=/usr/share/xt_geoip/LE
 IPTABLES=
 IP=
 IPSET=
 LOCKFILE=
 MODULESDIR=
 PERL=/usr/bin/perl
@@ -166,7 +170,7 @@ MUTEX_TIMEOUT=60
 NULL_ROUTE_RFC1918=No
-OPTIMIZE=15
+OPTIMIZE=31
 OPTIMIZE_ACCOUNTING=No
--- a/Shorewall/Samples/one-interface/interfaces
+++ b/Shorewall/Samples/one-interface/interfaces
@@ -11,5 +11,7 @@
 #------------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall-interfaces"
 ###############################################################################
-#ZONE	INTERFACE	BROADCAST	OPTIONS
+FORMAT 2
-net     eth0            detect          dhcp,tcpflags,logmartians,nosmurfs
+###############################################################################
 #ZONE	INTERFACE	OPTIONS
 net     eth0            dhcp,tcpflags,logmartians,nosmurfs,sourceroute=0
--- a/Shorewall/Samples/one-interface/rules
+++ b/Shorewall/Samples/one-interface/rules
@@ -18,6 +18,10 @@
 #SECTION RELATED
 SECTION NEW
 # Drop packets in the INVALID state
 Invalid(DROP)  net    	        $FW		tcp
 # Drop Ping from the "bad" net zone.. and prevent your log from being flooded..
 Ping(DROP)	net		$FW
--- a/Shorewall/Samples/one-interface/shorewall.conf
+++ b/Shorewall/Samples/one-interface/shorewall.conf
@@ -66,12 +66,16 @@ TCP_FLAGS_LOG_LEVEL=info
 CONFIG_PATH=${CONFDIR}/shorewall:${SHAREDIR}/shorewall
 GEOIPDIR=/usr/share/xt_geoip/LE
 IPTABLES=
 IP=
 IPSET=
 LOCKFILE=
 MODULESDIR=
 PERL=/usr/bin/perl
@@ -177,7 +181,7 @@ MUTEX_TIMEOUT=60
 NULL_ROUTE_RFC1918=No
-OPTIMIZE=1
+OPTIMIZE=31
 OPTIMIZE_ACCOUNTING=No
--- a/Shorewall/Samples/three-interfaces/interfaces
+++ b/Shorewall/Samples/three-interfaces/interfaces
@@ -11,7 +11,9 @@
 #------------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall-interfaces"
 ###############################################################################
-#ZONE	INTERFACE	BROADCAST	OPTIONS
+FORMAT 2
-net     eth0            detect          tcpflags,dhcp,nosmurfs,routefilter,logmartians
+###############################################################################
-loc     eth1            detect          tcpflags,nosmurfs,routefilter,logmartians
+#ZONE	INTERFACE	OPTIONS
-dmz     eth2            detect		tcpflags,nosmurfs,routefilter,logmartians
+net     eth0            tcpflags,dhcp,nosmurfs,routefilter,logmartians,sourceroute=0
 loc     eth1            tcpflags,nosmurfs,routefilter,logmartians
 dmz     eth2            tcpflags,nosmurfs,routefilter,logmartians
--- a/Shorewall/Samples/three-interfaces/masq
+++ b/Shorewall/Samples/three-interfaces/masq
@@ -10,8 +10,9 @@
 # See the file README.txt for further details.
 #------------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall-masq"
-##############################################################################
+################################################################################################################
-#INTERFACE		SOURCE		ADDRESS		PROTO	PORT(S)	IPSEC	MARK
+#INTERFACE:DEST		SOURCE		ADDRESS		PROTO	PORT(S)	IPSEC	MARK	USER/	SWITCH	ORIGINAL
 #											GROUP		DEST
 eth0			10.0.0.0/8,\
 			169.254.0.0/16,\
 			172.16.0.0/12,\
--- a/Shorewall/Samples/three-interfaces/rules
+++ b/Shorewall/Samples/three-interfaces/rules
@@ -20,7 +20,7 @@ SECTION NEW
 #       Don't allow connection pickup from the net
 #
-Invalid(DROP)	net		all
+Invalid(DROP)	net		all		tcp
 #
 #	Accept DNS connections from the firewall to the Internet
 #
--- a/Shorewall/Samples/three-interfaces/shorewall.conf
+++ b/Shorewall/Samples/three-interfaces/shorewall.conf
@@ -64,12 +64,16 @@ TCP_FLAGS_LOG_LEVEL=info
 CONFIG_PATH=${CONFDIR}/shorewall:${SHAREDIR}/shorewall
 GEOIPDIR=/usr/share/xt_geoip/LE
 IPTABLES=
 IP=
 IPSET=
 LOCKFILE=
 MODULESDIR=
 PERL=/usr/bin/perl
@@ -175,7 +179,7 @@ MUTEX_TIMEOUT=60
 NULL_ROUTE_RFC1918=No
-OPTIMIZE=1
+OPTIMIZE=31
 OPTIMIZE_ACCOUNTING=No
--- a/Shorewall/Samples/two-interfaces/interfaces
+++ b/Shorewall/Samples/two-interfaces/interfaces
@@ -11,6 +11,8 @@
 #------------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall-interfaces"
 ###############################################################################
-#ZONE	INTERFACE	BROADCAST	OPTIONS
+FORMAT 2
-net     eth0            detect          dhcp,tcpflags,nosmurfs,routefilter,logmartians
+###############################################################################
-loc     eth1            detect          tcpflags,nosmurfs,routefilter,logmartians
+#ZONE	INTERFACE	OPTIONS
 net     eth0            dhcp,tcpflags,nosmurfs,routefilter,logmartians,sourceroute=0
 loc     eth1            tcpflags,nosmurfs,routefilter,logmartians
--- a/Shorewall/Samples/two-interfaces/masq
+++ b/Shorewall/Samples/two-interfaces/masq
@@ -10,8 +10,9 @@
 # See the file README.txt for further details.
 #------------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall-masq"
-###############################################################################
+################################################################################################################
-#INTERFACE		SOURCE		ADDRESS		PROTO	PORT(S)	IPSEC	MARK
+#INTERFACE:DEST		SOURCE		ADDRESS		PROTO	PORT(S)	IPSEC	MARK	USER/	SWITCH	ORIGINAL
 #											GROUP		DEST
 eth0			10.0.0.0/8,\
 			169.254.0.0/16,\
 			172.16.0.0/12,\
--- a/Shorewall/Samples/two-interfaces/rules
+++ b/Shorewall/Samples/two-interfaces/rules
@@ -20,7 +20,7 @@ SECTION NEW
 #       Don't allow connection pickup from the net
 #
-Invalid(DROP)	net		all
+Invalid(DROP)	net		all		tcp
 #
 #	Accept DNS connections from the firewall to the network
 #
--- a/Shorewall/Samples/two-interfaces/shorewall.conf
+++ b/Shorewall/Samples/two-interfaces/shorewall.conf
@@ -67,12 +67,16 @@ TCP_FLAGS_LOG_LEVEL=info
 CONFIG_PATH=${CONFDIR}/shorewall:${SHAREDIR}/shorewall
 GEOIPDIR=/usr/share/xt_geoip/LE
 IPTABLES=
 IP=
 IPSET=
 LOCKFILE=
 MODULESDIR=
 PERL=/usr/bin/perl
@@ -178,7 +182,7 @@ MUTEX_TIMEOUT=60
 NULL_ROUTE_RFC1918=No
-OPTIMIZE=1
+OPTIMIZE=31
 OPTIMIZE_ACCOUNTING=No
--- a/Shorewall/action.Broadcast
+++ b/Shorewall/action.Broadcast
@@ -31,7 +31,7 @@ FORMAT 2
 DEFAULTS DROP,-
-BEGIN PERL;
+?BEGIN PERL;
 use Shorewall::IPAddrs;
 use Shorewall::Config;
@@ -70,4 +70,4 @@ add_jump $chainref, $target, 0, '-d 224.0.0.0/4 ';
 1;
-END PERL;
+?END PERL;
--- a/Shorewall/action.Drop
+++ b/Shorewall/action.Drop
@@ -36,7 +36,7 @@ FORMAT 2
 # The following magic provides different defaults for $2 thru $5, when $1 is
 # 'audit'.
 #
-BEGIN PERL;
+?BEGIN PERL;
 use Shorewall::Config;
 my ( $p1, $p2, $p3 , $p4, $p5 ) = get_action_params( 5 );
@@ -54,7 +54,7 @@ if ( defined $p1 ) {
 1;
-END PERL;
+?END PERL;
 DEFAULTS -,REJECT,DROP,ACCEPT,DROP
--- a/Shorewall/action.DropSmurfs
+++ b/Shorewall/action.DropSmurfs
@@ -13,7 +13,7 @@ FORMAT 2
 DEFAULTS -
-BEGIN PERL;
+?BEGIN PERL;
 use strict;
 use Shorewall::Config qw(:DEFAULT F_IPV4 F_IPV6);
 use Shorewall::Chains;
@@ -77,7 +77,7 @@ if ( $family == F_IPV4 ) {
    add_ijump( $chainref, g => $target, s => IPv6_MULTICAST );
 }
-END PERL;
+?END PERL;
--- a/Shorewall/action.Invalid
+++ b/Shorewall/action.Invalid
@@ -31,7 +31,7 @@ FORMAT 2
 DEFAULTS DROP,-
-BEGIN PERL;
+?BEGIN PERL;
 use Shorewall::IPAddrs;
 use Shorewall::Config;
@@ -53,4 +53,4 @@ allow_optimize( $chainref );
 1;
-END PERL;
+?END PERL;
--- a/Shorewall/action.NotSyn
+++ b/Shorewall/action.NotSyn
@@ -31,7 +31,7 @@ FORMAT 2
 DEFAULTS DROP,-
-BEGIN PERL;
+?BEGIN PERL;
 use Shorewall::IPAddrs;
 use Shorewall::Config;
@@ -53,4 +53,4 @@ allow_optimize( $chainref );
 1;
-END PERL;
+?END PERL;
--- a/Shorewall/action.RST
+++ b/Shorewall/action.RST
@@ -0,0 +1,55 @@
 #
 # Shorewall 4 - RST Action
 #
 #    /usr/share/shorewall/action.RST
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
 #     (c) 2012 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
 #       This program is free software; you can redistribute it and/or modify
 #       it under the terms of Version 2 of the GNU General Public License
 #       as published by the Free Software Foundation.
 #
 #       This program is distributed in the hope that it will be useful,
 #       but WITHOUT ANY WARRANTY; without even the implied warranty of
 #       MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 #       GNU General Public License for more details.
 #
 #       You should have received a copy of the GNU General Public License
 #       along with this program; if not, write to the Free Software
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 #   RST[([<action>|-[,{audit|-}])]
 #
 #       Default action is DROP
 #
 ##########################################################################################
 FORMAT 2
 DEFAULTS DROP,-
 ?BEGIN PERL;
 use Shorewall::Config;
 use Shorewall::Chains;
 my ( $action, $audit ) = get_action_params( 2 );
 fatal_error "Invalid parameter ($audit) to action NotSyn"   if supplied $audit && $audit ne 'audit';
 fatal_error "Invalid parameter ($action) to action NotSyn"  unless $action =~ /^(?:ACCEPT|DROP)$/;
 my $chainref         = get_action_chain;
 my ( $level, $tag )  = get_action_logging;
 my $target           = require_audit ( $action , $audit );
 log_rule_limit $level, $chainref, 'RST' , $action, '', $tag, 'add', '-p 6 --tcp-flags RST RST ' if $level ne '';
 add_jump $chainref , $target, 0, '-p 6 --tcp-flags RST RST, ';
 allow_optimize( $chainref );
 1;
 ?END PERL;
--- a/Shorewall/action.Reject
+++ b/Shorewall/action.Reject
@@ -32,7 +32,7 @@ FORMAT 2
 # The following magic provides different defaults for $2 thru $5, when $1 is
 # 'audit'.
 #
-BEGIN PERL;
+?BEGIN PERL;
 use Shorewall::Config;
 my ( $p1, $p2, $p3 , $p4, $p5 ) = get_action_params( 5 );
@@ -50,7 +50,7 @@ if ( defined $p1 ) {
 1;
-END PERL;
+?END PERL;
 DEFAULTS -,REJECT,REJECT,ACCEPT,DROP
--- a/Shorewall/action.TCPFlags
+++ b/Shorewall/action.TCPFlags
@@ -13,12 +13,11 @@ FORMAT 2
 DEFAULTS DROP,-
-BEGIN PERL;
+?BEGIN PERL;
 use strict;
 use Shorewall::Config qw(:DEFAULT F_IPV4 F_IPV6);
 use Shorewall::Chains;
 my ( $disposition, $audit ) = get_action_params( 2 );
 my $chainref        = get_action_chain;
@@ -55,7 +54,7 @@ add_ijump $chainref , g => $disposition, p => 'tcp --tcp-flags SYN,RST SYN,RST';
 add_ijump $chainref , g => $disposition, p => 'tcp --tcp-flags SYN,FIN SYN,FIN';
 add_ijump $chainref , g => $disposition, p => 'tcp --syn --sport 0';
-END PERL;
+?END PERL;
--- a/Shorewall/actions.std
+++ b/Shorewall/actions.std
@@ -41,4 +41,5 @@ DropSmurfs          # Drop smurf packets
 Invalid             # Handles packets in the INVALID conntrack state
 NotSyn              # Handles TCP packets which do not have SYN=1 and ACK=0
 Reject		    # Default Action for REJECT policy
 RST		    # Handle packets with RST set
 TCPFlags            # Handle bad flag combinations.
--- a/Shorewall/configfiles/interfaces
+++ b/Shorewall/configfiles/interfaces
@@ -7,8 +7,6 @@
 # http://www.shorewall.net/manpages/shorewall-interfaces.html
 #
 ###############################################################################
 FORMAT 1
 #ZONE	INTERFACE	BROADCAST	OPTIONS
 FORMAT 2
 ###############################################################################
 #ZONE		INTERFACE		OPTIONS
--- a/Shorewall/configfiles/masq
+++ b/Shorewall/configfiles/masq
@@ -6,6 +6,6 @@
 # The manpage is also online at
 # http://www.shorewall.net/manpages/shorewall-masq.html
 #
-######################################################################################################
+################################################################################################################
-#INTERFACE:DEST		SOURCE		ADDRESS		PROTO	PORT(S)	IPSEC	MARK	USER/	SWITCH
+#INTERFACE:DEST		SOURCE		ADDRESS		PROTO	PORT(S)	IPSEC	MARK	USER/	SWITCH	ORIGINAL
-#											GROUP
+#											GROUP		DEST
--- a/Shorewall/configfiles/shorewall.conf
+++ b/Shorewall/configfiles/shorewall.conf
@@ -55,12 +55,16 @@ TCP_FLAGS_LOG_LEVEL=info
 CONFIG_PATH="${CONFDIR}/shorewall:${SHAREDIR}/shorewall"
 GEOIPDIR=/usr/share/xt_geoip/LE
 IPTABLES=
 IP=
 IPSET=
 LOCKFILE=
 MODULESDIR=
 PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin"
--- a/Shorewall/configfiles/tcrules
+++ b/Shorewall/configfiles/tcrules
@@ -10,6 +10,8 @@
 # See http://shorewall.net/PacketMarking.html for a detailed description of
 # the Netfilter/Shorewall packet marking mechanism.
 ##########################################################################################################################################
 FORMAT 2
 ##########################################################################################################################################
 #ACTION	SOURCE		DEST		PROTO	DEST	SOURCE	USER	TEST	LENGTH	TOS   CONNBYTES		HELPER    PROBABILITY DSCP
 #						PORT(S)	PORT(S)
--- a/Shorewall/configfiles/tunnels
+++ b/Shorewall/configfiles/tunnels
@@ -7,5 +7,5 @@
 # http://www.shorewall.net/manpages/shorewall-tunnels.html
 #
 ###############################################################################
-#TYPE			ZONE	GATEWAY		GATEWAY
+#TYPE			ZONE	GATEWAY(S)			GATEWAY
-#						ZONE
+#								ZONE(S)
--- a/Shorewall/install.sh
+++ b/Shorewall/install.sh
@@ -22,7 +22,7 @@
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
-VERSION=xxx       #The Build script inserts the actual version
+VERSION=4.5.5       #The Build script inserts the actual version
 #
 # Change to the directory containing this script
@@ -244,21 +244,6 @@ esac
 OWNERSHIP="-o $OWNER -g $GROUP"
 #
 # Determine where to install the firewall script
 #
 if [ $PRODUCT = shorewall -a -z "${DESTDIR}" ]; then
    #
    # Verify that Perl is installed
    #
    if ! perl -c Perl/compiler.pl; then
 	echo "ERROR: $Product $VERSION requires Perl which either is not installed or is not able to compile the $Product Perl code" >&2
 	echo "       Try perl -c $PWD/Perl/compiler.pl" >&2
 	exit 1
    fi
 fi
 case "$HOST" in
    cygwin)
 	echo "Installing Cygwin-specific configuration..."
@@ -289,6 +274,51 @@ case "$HOST" in
 	;;
 esac
 if [ $PRODUCT = shorewall ]; then
    if [ -n "$DIGEST" ]; then
 	#
 	# The user specified which digest to use
 	#
 	if [ "$DIGEST" != SHA ]; then
 	    if [ "$BUILD" = "$HOST" ] && ! eval perl -e \'use Digest::$DIGEST\;\' 2> /dev/null ; then
 		echo "ERROR: Perl compilation with Digest::$DIGEST failed" >&2
 		exit 1;
 	    fi
 	    eval sed -i \'s/Digest::SHA/Digest::$DIGEST/\' Perl/Shorewall/Chains.pm
 	fi
    elif [ "$BUILD" = "$HOST" ]; then
        #
        # Fix up 'use Digest::' if SHA1 is installed
        #
 	DIGEST=SHA
 	if ! perl -e 'use Digest::SHA;' 2> /dev/null ; then
 	    if perl -e 'use Digest::SHA1;' 2> /dev/null ; then
 		sed -i 's/Digest::SHA/Digest::SHA1/' Perl/Shorewall/Chains.pm
 		DIGEST=SHA1
 	    else
 		echo "ERROR: Shorewall $VERSION requires either Digest::SHA or Digest::SHA1" >&2
 		exit 1
 	    fi
 	fi
    fi
    if [ "$BUILD" = "$HOST" ]; then
        #
        # Verify that Perl and all required modules are installed
        #
 	echo "Compiling the Shorewall Perl Modules with Digest::$DIGEST"
 	if ! perl -c Perl/compiler.pl; then
 	    echo "ERROR: $Product $VERSION requires Perl which either is not installed or is not able to compile the Shorewall Perl code" >&2
 	    echo "       Try perl -c $PWD/Perl/compiler.pl" >&2
 	    exit 1
 	fi
    else
 	echo "Using Digest::$DIGEST"
    fi
 fi
 if [ $BUILD != cygwin ]; then
    if [ `id -u` != 0 ] ; then
 	echo "Not setting file owner/group permissions, not running as root."
@@ -327,14 +357,11 @@ echo "$PRODUCT control program installed in ${DESTDIR}${SBINDIR}/$PRODUCT"
 # Install the Firewall Script
 #
 if [ -n "$INITFILE" ]; then
    if [ -f "${INITSOURCE}" ]; then
 	install_file $INITSOURCE ${DESTDIR}${INITDIR}/$INITFILE 0544
 	[ "${SHAREDIR}" = /usr/share ] || eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${INITDIR}/$INITFILE
    if [ -n "${AUXINITSOURCE}" ]; then
 	install_file $INITSOURCE ${DESTDIR}${INITDIR}/$INITFILE 0544
    fi
 	echo  "$Product script installed in ${DESTDIR}${INITDIR}/$INITFILE"
    fi
 fi
 #
@@ -957,11 +984,9 @@ echo "Standard actions file installed as ${DESTDIR}${SHAREDIR}d/$PRODUCT/actions
 # Install the  Makefiles
 #
 run_install $OWNERSHIP -m 0644 Makefile-lite ${DESTDIR}${SHAREDIR}/$PRODUCT/configfiles/Makefile
 [ $SHAREDIR = /usr/share ] || eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}/${SHAREDIR}/$PRODUCT/configfiles/Makefile
 [ $SBINDIR = /sbin ]       || eval sed -i \'s\|/sbin/\|${SBINDIR}/\|\'       ${DESTDIR}/${SHAREDIR}/$PRODUCT/configfiles/Makefile
 if [ -z "$SPARSE" ]; then
-    run_install $OWNERSHIP -m 0600 ${DESTDIR}/${SHAREDIR}/$PRODUCT/configfiles/Makefile ${DESTDIR}${CONFDIR}/$PRODUCT
+    run_install $OWNERSHIP -m 0600 Makefile ${DESTDIR}${CONFDIR}/$PRODUCT
    echo "Makefile installed as ${DESTDIR}${CONFDIR}/$PRODUCT/Makefile"
 fi
 #
@@ -984,9 +1009,9 @@ cd ..
 #
 # Install the libraries
 #
-for f in lib.* ; do
+for f in lib.* Perl/lib.*; do
    if [ -f $f ]; then
-	install_file $f ${DESTDIR}${SHAREDIR}/$PRODUCT/$f 0644
+	install_file $f ${DESTDIR}${SHAREDIR}/$PRODUCT/$(basename $f) 0644
 	echo "Library ${f#*.} file installed as ${DESTDIR}${SHAREDIR}/$PRODUCT/$f"
    fi
 done
@@ -1068,13 +1093,13 @@ cd manpages
 [ -n "$INSTALLD" ] || mkdir -p ${DESTDIR}${MANDIR}/man5/ ${DESTDIR}${MANDIR}/man8/
 for f in *.5; do
-    gzip -c $f > $f.gz
+    gzip -9c $f > $f.gz
    run_install $INSTALLD  -m 0644 $f.gz ${DESTDIR}${MANDIR}/man5/$f.gz
    echo "Man page $f.gz installed to ${DESTDIR}${MANDIR}/man5/$f.gz"
 done
 for f in *.8; do
-    gzip -c $f > $f.gz
+    gzip -9c $f > $f.gz
    run_install $INSTALLD  -m 0644 $f.gz ${DESTDIR}${MANDIR}/man8/$f.gz
    echo "Man page $f.gz installed to ${DESTDIR}${MANDIR}/man8/$f.gz"
 done
@@ -1104,6 +1129,7 @@ if [ -z "$DESTDIR" -a -n "$first_install" -a -z "${cygwin}${mac}" ]; then
 	echo "Set startup=1 in ${CONFDIR}/default/$PRODUCT to enable"
 	touch /var/log/$PRODUCT-init.log
 	perl -p -w -i -e 's/^STARTUP_ENABLED=No/STARTUP_ENABLED=Yes/;s/^IP_FORWARDING=On/IP_FORWARDING=Keep/;s/^SUBSYSLOCK=.*/SUBSYSLOCK=/;' ${CONFDIR}/$PRODUCT/$PRODUCT.conf
 	update-rc.d $PRODUCT enable
    elif [ -n "$SYSTEMD" ]; then
 	if systemctl enable $PRODUCT; then
 	    echo "$Product will start automatically at boot"
--- a/Shorewall/lib.cli-std
+++ b/Shorewall/lib.cli-std
@@ -181,7 +181,7 @@ get_config() {
 	if [ "$2" = Yes ]; then
 	    case $STARTUP_ENABLED in
 		No|no|NO)
-		    echo "   ERROR: $g_product startup is disabled. To enable startup, set STARTUP_ENABLED=Yes in ${CONFDIR}/${g_program}.conf" >&2
+		    echo "   ERROR: $g_product startup is disabled. To enable startup, set STARTUP_ENABLED=Yes in ${g_confdir}/${g_program}.conf" >&2
 		    exit 2
 		    ;;
 		Yes|yes|YES)
@@ -508,6 +508,10 @@ start_command() {
 			    AUTOMAKE=
 			    option=${option#c}
 			    ;;
 			T*)
 			    g_confess=Yes
 			    option=${option#T}
 			    ;;
 			*)
 			    usage 1
 			    ;;
@@ -880,6 +884,10 @@ restart_command() {
 			    g_purge=Yes
 			    option=${option%p}
 			    ;;
 			T*)
 			    g_confess=Yes
 			    option=${option#T}
 			    ;;
 			*)
 			    usage 1
 			    ;;
@@ -964,6 +972,27 @@ refresh_command() {
 			    finished=1
 			    option=
 			    ;;
 			d*)
 			    g_debug=Yes
 			    option=${option#d}
 			    ;;
 			n*)
 			    g_noroutes=Yes
 			    option=${option#n}
 			    ;;
 			T*)
 			    g_confess=Yes
 			    option=${option#T}
 			    ;;
 			D)
 			    if [ $# -gt 1 ]; then
 				g_shorewalldir="$2"
 				option=
 				shift
 			    else
 				fatal_error "ERROR: the -D option requires a directory name"
 			    fi
 			    ;;
 			*)
 			    usage 1
 			    ;;
@@ -1341,6 +1370,10 @@ reload_command() # $* = original arguments less the command.
 			    option=
 			    shift
 			    ;;
 			T*)
 			    g_confess=Yes
 			    option=${option#T}
 			    ;;
 			*)
 			    usage 1
 			    ;;
@@ -1538,7 +1571,7 @@ usage() # $1 = exit status
    echo "   allow <address> ..."
    echo "   check [ -e ] [ -r ] [ -p ] [ -r ] [ -T ] [ <directory> ]"
    echo "   clear"
-    echo "   compile [ -e ] [ -d ] [ <directory name> ] [ <path name> ]"
+    echo "   compile [ -e ] [ -p ] [ -t ] [ -d ] [ -T ] [ <directory name> ] [ <path name> ]"
    echo "   delete <interface>[:<host-list>] ... <zone>"
    echo "   disable <interface>"
    echo "   drop <address> ..."
@@ -1556,7 +1589,7 @@ usage() # $1 = exit status
    fi
    echo "   iptrace <iptables match expression>"
-    echo "   load [ -s ] [ -c ] [ -r <root user> ] [ <directory> ] <system>"
+    echo "   load [ -s ] [ -c ] [ -r <root user> ] [ -T ] [ <directory> ] <system>"
    echo "   logdrop <address> ..."
    echo "   logreject <address> ..."
    echo "   logwatch [<refresh interval>]"
@@ -1567,11 +1600,11 @@ usage() # $1 = exit status
 	echo "   noiptrace <ip6tables match expression>"
    fi
-    echo "   refresh [ <chain>... ]"
+    echo "   refresh [ -d ] [ -n ] [ -T ] [ -D <directory> ] [ <chain>... ]"
    echo "   reject <address> ..."
-    echo "   reload [ -s ] [ -c ] [ -r <root user> ] [ <directory> ] <system>"
+    echo "   reload [ -s ] [ -c ] [ -r <root user> ] [ -T ] [ <directory> ] <system>"
    echo "   reset [ <chain> ... ]"
-    echo "   restart [ -n ] [ -p ] [-d] [ -f ] [ -c ][ <directory> ]"
+    echo "   restart [ -n ] [ -p ] [-d] [ -f ] [ -c ] [ -T ] [ <directory> ]"
    echo "   restore [ -n ] [ <file name> ]"
    echo "   safe-restart [ -t <timeout> ] [ <directory> ]"
    echo "   safe-start [ -t <timeout> ] [ <directory> ]"
@@ -1599,7 +1632,7 @@ usage() # $1 = exit status
    echo "   show tc [ device ]"
    echo "   show vardir"
    echo "   show zones"
-    echo "   start [ -f ] [ -n ] [ -p ] [ -c ] [ <directory> ]"
+    echo "   start [ -f ] [ -n ] [ -p ] [ -c ] [ -T ] [ <directory> ]"
    echo "   status"
    echo "   stop"
    echo "   try <directory> [ <timeout> ]"
--- a/Shorewall/manpages/shorewall-accounting.xml
+++ b/Shorewall/manpages/shorewall-accounting.xml
@@ -539,7 +539,8 @@
      <varlistentry>
        <term><emphasis role="bold">IPSEC - <emphasis>option-list</emphasis>
-        (Optional - Added in Shorewall 4.4.13 )</emphasis></term>
+        (Optional - Added in Shorewall 4.4.13 but broken until 4.5.4.1
        )</emphasis></term>
        <listitem>
          <para>The option-list consists of a comma-separated list of options
@@ -653,29 +654,52 @@
                match the rule.</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><emphasis role="bold">in</emphasis></term>
              <listitem>
                <para>May only be used in the FORWARD section and must be the
                first or the only item the list. Indicates that matching
                packets have been decrypted in input.</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><emphasis role="bold">out</emphasis></term>
              <listitem>
                <para>May only be used in the FORWARD section and must be the
                first or the only item in the list. Indicates that matching
                packets will be encrypted on output.</para>
              </listitem>
            </varlistentry>
          </variablelist>
-          <para>If this column is non-empty, then:</para>
+          <para>If this column is non-empty and sections are not used,
          then:</para>
          <itemizedlist>
            <listitem>
-              <para>A chain NAME may appearing in the ACTION column must be a
+              <para>A chain NAME appearing in the ACTION column must be a
              chain branched either directly or indirectly from the <emphasis
-              role="bold">accountin</emphasis> or <emphasis
+              role="bold">accipsecin</emphasis> or <emphasis
-              role="bold">accountout</emphasis> chain.</para>
+              role="bold">accipsecout</emphasis> chain.</para>
            </listitem>
            <listitem>
              <para>The CHAIN column must contain either <emphasis
-              role="bold">accountin</emphasis> or <emphasis
+              role="bold">accipsecin</emphasis> or <emphasis
-              role="bold">accountout</emphasis> or a chain branched either
+              role="bold">accipsecout</emphasis> or a chain branched either
              directly or indirectly from those chains.</para>
            </listitem>
          </itemizedlist>
            <listitem>
              <para>These rules will NOT appear in the <emphasis
              role="bold">accounting</emphasis> chain.</para>
            </listitem>
          </itemizedlist>
        </listitem>
      </varlistentry>
    </variablelist>
--- a/Shorewall/manpages/shorewall-blrules.xml
+++ b/Shorewall/manpages/shorewall-blrules.xml
@@ -60,7 +60,31 @@
          <variablelist>
            <varlistentry>
-              <term>blacklog</term>
+              <term><emphasis role="bold">BLACKLIST</emphasis></term>
              <listitem>
                <para>Added in Shorewall 4.5.3. This is actually a macro that
                expands as follows:</para>
                <itemizedlist>
                  <listitem>
                    <para>If BLACKLIST_LOGLEVEL is specified in <ulink
                    url="shorewall.conf.html">shorewall.conf</ulink>(5), then
                    the macro expands to <emphasis
                    role="bold">blacklog</emphasis>.</para>
                  </listitem>
                  <listitem>
                    <para>Otherwise it expands to the action specified for
                    BLACKLIST_DISPOSITION in <ulink
                    url="shorewall.conf.html">shorewall.conf</ulink>(5).</para>
                  </listitem>
                </itemizedlist>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><emphasis role="bold">blacklog</emphasis></term>
              <listitem>
                <para>May only be used if BLACKLIST_LOGLEVEL is specified in
--- a/Shorewall/manpages/shorewall-interfaces.xml
+++ b/Shorewall/manpages/shorewall-interfaces.xml
@@ -27,6 +27,34 @@
    interfaces to Shorewall. The order of entries in this file is not
    significant in determining zone composition.</para>
    <para>Beginning with Shorewall 4.5.3, the interfaces file supports two
    different formats:</para>
    <variablelist>
      <varlistentry>
        <term>FORMAT 1 (default - deprecated)</term>
        <listitem>
          <para>There is a BROADCAST column which can be used to specify the
          broadcast address associated with the interface.</para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term>FORMAT 2</term>
        <listitem>
          <para>The BROADCAST column is omitted.</para>
        </listitem>
      </varlistentry>
    </variablelist>
    <para>The format is specified by a line as follows:</para>
    <blockquote>
      <para><emphasis role="bold">FORMAT {1|2}</emphasis></para>
    </blockquote>
    <para>The columns in the file are as follows.</para>
    <variablelist>
@@ -128,6 +156,8 @@ loc     eth2            -</programlisting>
        role="bold">detect</emphasis>|<emphasis>address</emphasis>[,<emphasis>address</emphasis>]...}</term>
        <listitem>
          <para>Only available if FORMAT 1.</para>
          <para>If you use the special value <emphasis
          role="bold">detect</emphasis>, Shorewall will detect the broadcast
          address(es) for you if your iptables and kernel include Address Type
@@ -172,7 +202,7 @@ loc     eth2            -</programlisting>
                changed; the value assigned to the setting will be the value
                specified (if any) or 1 if no value is given.</para>
-                <para></para>
+                <para/>
                <note>
                  <para>This option does not work with a wild-card
@@ -206,7 +236,7 @@ loc     eth2            -</programlisting>
                <para>8 - do not reply for all local addresses</para>
-                <para></para>
+                <para/>
                <note>
                  <para>This option does not work with a wild-card
@@ -214,7 +244,7 @@ loc     eth2            -</programlisting>
                  the INTERFACE column.</para>
                </note>
-                <para></para>
+                <para/>
                <warning>
                  <para>Do not specify <emphasis
@@ -313,13 +343,22 @@ loc     eth2            -</programlisting>
            </varlistentry>
            <varlistentry>
-              <term><emphasis role="bold">ignore</emphasis></term>
+              <term><emphasis role="bold">ignore[=1]</emphasis></term>
              <listitem>
                <para>When specified, causes the generated script to ignore
                up/down events from Shorewall-init for this device.
                Additionally, the option exempts the interface from hairpin
-                filtering.</para>
+                filtering. When '=1' is omitted, the ZONE column must contain
                '-' and <option>ignore</option> must be the only
                OPTION.</para>
                <para>Beginning with Shorewall 4.5.5, may be specified as
                '<option>ignore=1</option>' which only causes the generated
                script to ignore up/down events from Shorewall-init; hairpin
                filtering is still applied. In this case, the above
                restrictions on the ZONE and OPTIONS columns are
                lifted.</para>
              </listitem>
            </varlistentry>
@@ -355,7 +394,7 @@ loc     eth2            -</programlisting>
        1
        teastep@lists:~$ </programlisting>
-                <para></para>
+                <para/>
                <note>
                  <para>This option does not work with a wild-card
@@ -629,7 +668,7 @@ loc     eth2            -</programlisting>
                changed; the value assigned to the setting will be the value
                specified (if any) or 1 if no value is given.</para>
-                <para></para>
+                <para/>
                <note>
                  <para>This option does not work with a wild-card
@@ -705,11 +744,14 @@ loc     eth2            -</programlisting>
          connected to your local network and that your local subnet is
          192.168.1.0/24. The interface gets its IP address via DHCP from
          subnet 206.191.149.192/27. You have a DMZ with subnet 192.168.2.0/24
-          using eth2.</para>
+          using eth2. Your iptables and/or kernel do not support "Address Type
          Match" and you prefer to specify broadcast addresses explicitly
          rather than having Shorewall detect them.</para>
          <para>Your entries for this setup would look like:</para>
-          <programlisting>#ZONE   INTERFACE BROADCAST        OPTIONS
+          <programlisting>FORMAT 1
 #ZONE   INTERFACE BROADCAST        OPTIONS
 net     eth0      206.191.149.223  dhcp
 loc     eth1      192.168.1.255
 dmz     eth2      192.168.2.255</programlisting>
@@ -723,10 +765,11 @@ dmz     eth2      192.168.2.255</programlisting>
          <para>The same configuration without specifying broadcast addresses
          is:</para>
-          <programlisting>#ZONE   INTERFACE BROADCAST        OPTIONS
+          <programlisting>FORMAT 2
-net     eth0      detect           dhcp
+#ZONE   INTERFACE OPTIONS
-loc     eth1      detect
+net     eth0      dhcp
-dmz     eth2      detect</programlisting>
+loc     eth1      
 dmz     eth2</programlisting>
        </listitem>
      </varlistentry>
@@ -737,7 +780,8 @@ dmz     eth2      detect</programlisting>
          <para>You have a simple dial-in system with no ethernet
          connections.</para>
-          <programlisting>#ZONE   INTERFACE BROADCAST        OPTIONS
+          <programlisting>FORMAT 2
 #ZONE   INTERFACE OPTIONS
 net     ppp0      -</programlisting>
        </listitem>
      </varlistentry>
@@ -749,8 +793,9 @@ net     ppp0      -</programlisting>
          <para>You have a bridge with no IP address and you want to allow
          traffic through the bridge.</para>
-          <programlisting>#ZONE   INTERFACE BROADCAST        OPTIONS
+          <programlisting>FORMAT 2
-       br0       -                routeback</programlisting>
+#ZONE   INTERFACE OPTIONS
 -       br0       routeback</programlisting>
        </listitem>
      </varlistentry>
    </variablelist>
@@ -772,10 +817,9 @@ net     ppp0      -</programlisting>
    shorewall-blacklist(5), shorewall-hosts(5), shorewall-maclist(5),
    shorewall-masq(5), shorewall-nat(5), shorewall-netmap(5),
    shorewall-params(5), shorewall-policy(5), shorewall-providers(5),
-    shorewall-proxyarp(5), shorewall-rtrules(5),
+    shorewall-proxyarp(5), shorewall-rtrules(5), shorewall-routestopped(5),
-    shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5),
+    shorewall-rules(5), shorewall.conf(5), shorewall-secmarks(5),
-    shorewall-secmarks(5), shorewall-tcclasses(5), shorewall-tcdevices(5),
+    shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall-tcrules(5),
-    shorewall-tcrules(5), shorewall-tos(5), shorewall-tunnels(5),
+    shorewall-tos(5), shorewall-tunnels(5), shorewall-zones(5)</para>
    shorewall-zones(5)</para>
  </refsect1>
 </refentry>
--- a/Shorewall/manpages/shorewall-masq.xml
+++ b/Shorewall/manpages/shorewall-masq.xml
@@ -509,6 +509,22 @@
          restart</command>.</para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><emphasis role="bold">ORIGINAL DEST</emphasis> (origdest) -
        [<emphasis
        role="bold">-</emphasis>|<emphasis>address</emphasis>[,<emphasis>address</emphasis>]...[<emphasis>exclusion</emphasis>]|<emphasis>exclusion</emphasis>]</term>
        <listitem>
          <para>(Optional) Added in Shorewall 4.5.6. This column may be
          included and may contain one or more addresses (host or network)
          separated by commas. Address ranges are not allowed. When this
          column is supplied, rules are generated that require that the
          original destination address matches one of the listed addresses. It
          is useful for specifying that SNAT should occur only for connections
          that were acted on by a DNAT when they entered the firewall.</para>
        </listitem>
      </varlistentry>
    </variablelist>
  </refsect1>
--- a/Shorewall/manpages/shorewall-providers.xml
+++ b/Shorewall/manpages/shorewall-providers.xml
@@ -87,8 +87,7 @@
          being zero). Otherwise, the value must be between 1 and 255. Each
          provider must be assigned a unique mark value. This column may be
          omitted if you don't use packet marking to direct connections to a
-          particular provider and you don't specify <option>track</option> in
+          particular provider.</para>
          the OPTIONS column.</para>
        </listitem>
      </varlistentry>
@@ -271,6 +270,20 @@
                <filename>shorewall.conf</filename>.</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><emphasis role="bold">tproxy</emphasis></term>
              <listitem>
                <para>Added in Shorewall 4.5.4. Used for supporting the TPROXY
                action in shorewall-tcrules(5). See <ulink
                url="http://www.shorewall.net/Shorewall_Squid_Usage.html">http://www.shorewall.net/Shorewall_Squid_Usage.html</ulink>.
                When specified, the MARK, DUPLICATE and GATEWAY columns should
                be empty, INTERFACE should be set to 'lo' and
                <option>tproxy</option> should be the only OPTION. Only one
                <option>tproxy</option> provider is allowed.</para>
              </listitem>
            </varlistentry>
          </variablelist>
        </listitem>
      </varlistentry>
--- a/Shorewall/manpages/shorewall-rules.xml
+++ b/Shorewall/manpages/shorewall-rules.xml
@@ -563,7 +563,7 @@
        role="bold">-</emphasis>]}<emphasis
        role="bold">[:</emphasis><emphasis>interface</emphasis>][<emphasis
        role="bold">:</emphasis>{<emphasis>address-or-range</emphasis>[,<emphasis>address-or-range</emphasis>]...[<emphasis>exclusion</emphasis>]|<emphasis>exclusion</emphasis>|<emphasis
-        role="bold">+</emphasis><emphasis>ipset</emphasis>}</term>
+        role="bold">+</emphasis><emphasis>ipset</emphasis>|<replaceable>^countrycode-list</replaceable>}</term>
        <listitem>
          <para>Source hosts to which the rule applies. May be a
@@ -639,6 +639,18 @@
          url="shorewall-interfaces.html">shorewall-interfaces</ulink>
          (5).</para>
          <para>Beginning with Shorewall 4.5.4, A
          <replaceable>countrycode-list</replaceable> may be specified. A
          countrycode-list is a comma-separated list of up to 15 two-character
          ISO-3661 country codes enclosed in square brackets ('[...]') and
          preceded by a caret ('^'). When a single country code is given, the
          square brackets may be omitted. A list of country codes supported by
          Shorewall may be found at <ulink
          url="http://www.shorewall.net/ISO-3661.html">http://www.shorewall.net/ISO-3661.html</ulink>.
          Specifying a <replaceable>countrycode-list</replaceable> requires
          <firstterm>GeoIP Match</firstterm> support in your iptables and
          Kernel.</para>
          <para>You may exclude certain hosts from the set already defined
          through use of an <emphasis>exclusion</emphasis> (see <ulink
          url="shorewall-exclusion.html">shorewall-exclusion</ulink>(5)).</para>
@@ -726,7 +738,7 @@
        role="bold">+</emphasis>][<emphasis
        role="bold">-</emphasis>]}<emphasis
        role="bold">[:{</emphasis><emphasis>interface</emphasis>|<emphasis>address-or-range</emphasis>[,<emphasis>address-or-range</emphasis>]...[<emphasis>exclusion</emphasis>]|<emphasis>exclusion</emphasis>|<emphasis
-        role="bold">+</emphasis><emphasis>ipset</emphasis>}][<option>:</option><replaceable>port</replaceable>[:<emphasis
+        role="bold">+</emphasis><emphasis>ipset</emphasis>|<emphasis>^countrycode-list</emphasis>}][<option>:</option><replaceable>port</replaceable>[:<emphasis
        role="bold">random</emphasis>]]</term>
        <listitem>
@@ -744,6 +756,18 @@
          "+" to indicate that the rule is to apply to intra-zone traffic as
          well as inter-zone traffic.</para>
          <para>Beginning with Shorewall 4.5.4, A
          <replaceable>countrycode-list</replaceable> may be specified. A
          countrycode-list is a comma-separated list of up to 15 two-character
          ISO-3661 country codes enclosed in square brackets ('[...]') and
          preceded by a caret ('^'). When a single country code is given, the
          square brackets may be omitted. A list of country codes supported by
          Shorewall may be found at <ulink
          url="http://www.shorewall.net/ISO-3661.html">http://www.shorewall.net/ISO-3661.html</ulink>.
          Specifying a <replaceable>countrycode-list</replaceable> requires
          <firstterm>GeoIP Match</firstterm> support in your iptables and
          Kernel.</para>
          <para>When <emphasis role="bold">none</emphasis> is used either in
          the <emphasis role="bold">SOURCE</emphasis> or <emphasis
          role="bold">DEST</emphasis> column, the rule is ignored.</para>
@@ -1060,8 +1084,7 @@
      <varlistentry>
        <term><emphasis role="bold">USER/GROUP</emphasis> (user) - [<emphasis
        role="bold">!</emphasis>][<emphasis>user-name-or-number</emphasis>][<emphasis
-        role="bold">:</emphasis><emphasis>group-name-or-number</emphasis>][<emphasis
+        role="bold">:</emphasis><emphasis>group-name-or-number</emphasis>]</term>
        role="bold">+</emphasis><emphasis>program-name</emphasis>]</term>
        <listitem>
          <para>This optional column may only be non-empty if the SOURCE is
@@ -1102,15 +1125,11 @@
            </varlistentry>
            <varlistentry>
-              <term>+upnpd</term>
+              <term>2001-2099</term>
              <listitem>
-                <para>program named upnpd</para>
+                <para>UIDs 2001 through 2099 (Shorewall 4.5.6 and
-
+                later)</para>
                <important>
                  <para>The ability to specify a program name was removed from
                  Netfilter in kernel version 2.6.14.</para>
                </important>
              </listitem>
            </varlistentry>
          </variablelist>
@@ -1535,6 +1554,19 @@
        DNAT        net             dmz:$BACKUP tcp         80           -         -          -         -         -       -             -        -          primary_down</programlisting>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term>Example 13:</term>
        <listitem>
          <para>Drop all email from the <emphasis>Anonymous Proxy</emphasis>
          and <emphasis>Satellite Provider</emphasis> address ranges:</para>
          <programlisting>        #ACTION                       SOURCE           DEST           PROTO       DEST
        #                                                                         PORT(S)
        DROP                          net:^A1,A2       fw             tcp         22</programlisting>
        </listitem>
      </varlistentry>
    </variablelist>
  </refsect1>
@@ -1551,7 +1583,10 @@
    url="http://www.shorewall.net/ipsets.html">http://www.shorewall.net/ipsets.html</ulink></para>
    <para><ulink
-    url="http://shorewall.net/configuration_file_basics.htm#Pairs">http://shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
+    url="http://shorewall.net/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
    <para><ulink
    url="http://www.shorewall.net/shorewall_logging.html">http://www.shorewall.net/shorewall_logging.html</ulink></para>
    <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
    shorewall-blacklist(5), shorweall-blrules(5), shorewall-hosts(5),
--- a/Shorewall/manpages/shorewall-tcclasses.xml
+++ b/Shorewall/manpages/shorewall-tcclasses.xml
@@ -11,7 +11,7 @@
  <refnamediv>
    <refname>tcclasses</refname>
-    <refpurpose>Shorewall file to define HTB classes</refpurpose>
+    <refpurpose>Shorewall file to define HTB and HFSC classes</refpurpose>
  </refnamediv>
  <refsynopsisdiv>
@@ -166,8 +166,8 @@
          marking the traffic you want to fit in the classes defined in here.
          Must be specified as '-' if the <emphasis
          role="bold">classify</emphasis> option is given for the interface in
-          <ulink
+          <ulink url="shorewall-tcdevices.html">shorewall-tcdevices</ulink>(5)
-          url="shorewall-tcdevices.html">shorewall-tcdevices</ulink>(5)</para>
+          and you are running Shorewall 4.5.5 or earlier.</para>
          <para>You can use the same marks for different interfaces.</para>
        </listitem>
@@ -175,7 +175,7 @@
      <varlistentry>
        <term><emphasis role="bold">RATE</emphasis> -
-        <emphasis>rate</emphasis>[:<emphasis>dmax</emphasis>[:<emphasis>umax</emphasis>]]</term>
+        {-|<emphasis>rate</emphasis>[:<emphasis>dmax</emphasis>[:<emphasis>umax</emphasis>]]}</term>
        <listitem>
          <para>The minimum bandwidth this class should get, when the traffic
@@ -185,11 +185,12 @@
          class exceed the CEIL of the parent class, things don't work
          well.</para>
-          <para>When using the HFSC queuing discipline, leaf classes may
+          <para>When using the HFSC queuing discipline, this column specify
-          specify <replaceable>dmax</replaceable>, the maximum delay in
+          the real-time (RT) service curve. leaf classes may specify
-          milliseconds that the first queued packet for this class should
+          <replaceable>dmax</replaceable>, the maximum delay in milliseconds
-          experience. May be expressed as an integer, optionally followed by
+          that the first queued packet for this class should experience. May
-          'ms' with no intervening white space (e.g., 10ms).</para>
+          be expressed as an integer, optionally followed by 'ms' with no
          intervening white space (e.g., 10ms).</para>
          <para>HFSC leaf classes may also specify
          <replaceable>umax</replaceable>, the largest packet expected in this
@@ -198,12 +199,18 @@
          followed by 'b' with no intervening white space (e.g., 800b).
          <replaceable>umax</replaceable> may only be given if
          <replaceable>dmax</replaceable> is also given.</para>
          <para>Beginning with Shorewall 4.5.6, HFSC classes may omit this
          column (e.g, '-' in the column), provided that an
          <replaceable>lsrate</replaceable> is specified (see CEIL below).
          These rates are used to arbitrate between classes of the same
          priority.</para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><emphasis role="bold">CEIL</emphasis> -
-        <emphasis>rate</emphasis></term>
+        [<emphasis>lsrate</emphasis>:]<emphasis>rate</emphasis></term>
        <listitem>
          <para>The maximum bandwidth this class is allowed to use when the
@@ -214,6 +221,9 @@
          here for setting the maximum bandwidth to the RATE of the parent
          class, or the OUT-BANDWIDTH of the device if there is no parent
          class.</para>
          <para>Beginning with Shorewall 4.5.6, you can also specify an
          <replaceable>lsrate</replaceable> (link sharing rate).</para>
        </listitem>
      </varlistentry>
@@ -253,7 +263,7 @@
                <para>This is the default class for that interface where all
                traffic should go, that is not classified otherwise.</para>
-                <para></para>
+                <para/>
                <note>
                  <para>You must define <emphasis
@@ -310,7 +320,7 @@
                limited to 64 bytes because we want only packets WITHOUT
                payload to match.</para>
-                <para></para>
+                <para/>
                <note>
                  <para>This option is only valid for ONE class per
@@ -430,6 +440,121 @@
                assumed.</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term>red=(<replaceable>redoption</replaceable>=<replaceable>value</replaceable>,
              ...)</term>
              <listitem>
                <para>Added in Shorewall 4.5.6. When specified on a leaf
                class, causes the class to use the RED (Random Early
                Detection) queuing discipline rather than SFQ. See tc-red (8)
                for additional information.</para>
                <para>Allowable redoptions are:</para>
                <variablelist>
                  <varlistentry>
                    <term>min <replaceable>min</replaceable></term>
                    <listitem>
                      <para>Average queue size at which marking becomes a
                      possibility.</para>
                    </listitem>
                  </varlistentry>
                  <varlistentry>
                    <term>max <replaceable>max</replaceable></term>
                    <listitem>
                      <para>At this average queue size, the marking
                      probability is maximal. Must be at least twice
                      <replaceable>min</replaceable> to prevent synchronous
                      retransmits, higher for low
                      <replaceable>min</replaceable>.</para>
                    </listitem>
                  </varlistentry>
                  <varlistentry>
                    <term>probability
                    <replaceable>probability</replaceable></term>
                    <listitem>
                      <para>Maximum probability for marking, specified as a
                      floating point number from 0.0 to 1.0. Suggested values
                      are 0.01 or 0.02 (1 or 2%, respectively).</para>
                    </listitem>
                  </varlistentry>
                  <varlistentry>
                    <term>limit <replaceable>limit</replaceable></term>
                    <listitem>
                      <para>Hard limit on the real (not average) queue size in
                      bytes. Further packets are dropped. Should be set higher
                      than
                      <replaceable>max</replaceable>+<replaceable>burst</replaceable>.
                      It is advised to set this a few times higher than
                      <replaceable>max</replaceable>. Shorewall requires that
                      <replaceable>limit</replaceable> be at least twice
                      <replaceable>min</replaceable>.</para>
                    </listitem>
                  </varlistentry>
                  <varlistentry>
                    <term>burst <replaceable>burst</replaceable></term>
                    <listitem>
                      <para>Used for determining how fast the average queue
                      size is influenced by the real queue size. Larger values
                      make the calculation more sluggish, allowing longer
                      bursts of traffic before marking starts. Real life
                      experiments support the following guide‐line:
                      (<replaceable>min</replaceable>+<replaceable>min</replaceable>+<replaceable>max</replaceable>)/(3*<replaceable>avpkt</replaceable>).</para>
                    </listitem>
                  </varlistentry>
                  <varlistentry>
                    <term>avpkt <replaceable>avpkt</replaceable></term>
                    <listitem>
                      <para>Optional. Specified in bytes. Used with burst to
                      determine the time constant for average queue size
                      calculations. 1000 is a good value and is the Shorewall
                      default.</para>
                    </listitem>
                  </varlistentry>
                  <varlistentry>
                    <term>bandwidth
                    <replaceable>bandwidth</replaceable></term>
                    <listitem>
                      <para>Optional. This rate is used for calculating the
                      average queue size after some idle time. Should be set
                      to the bandwidth of your interface. Does not mean that
                      RED will shape for you!</para>
                    </listitem>
                  </varlistentry>
                  <varlistentry>
                    <term>ecn</term>
                    <listitem>
                      <para>RED can either 'mark' or 'drop'. Explicit
                      Congestion Notification allows RED to notify remote
                      hosts that their rate exceeds the amount of bandwidth
                      available. Non-ECN capable hosts can only be notified by
                      dropping a packet. If this parameter is specified,
                      packets which indicate that their hosts honor ECN will
                      only be marked and not dropped, unless the queue size
                      hits <replaceable>limit</replaceable> bytes. Needs a tc
                      binary with RED support compiled in. Recommended.</para>
                    </listitem>
                  </varlistentry>
                </variablelist>
              </listitem>
            </varlistentry>
          </variablelist>
        </listitem>
      </varlistentry>
@@ -503,6 +628,10 @@
    <para><ulink
    url="http://shorewall.net/configuration_file_basics.htm#Pairs">http://shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
    <para>tc-hfsc(7)</para>
    <para>tc-red(8)</para>
    <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
    shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5),
    shorewall-ipsets(5), shorewall-maclist(5), shorewall-masq(5),
--- a/Shorewall/manpages/shorewall-tcdevices.xml
+++ b/Shorewall/manpages/shorewall-tcdevices.xml
@@ -179,7 +179,17 @@
      <varlistentry>
        <term><emphasis role="bold">OPTIONS</emphasis> - {<emphasis
        role="bold">-</emphasis>|<emphasis
-        role="bold">{classify</emphasis>|hfsc} ,...}</term>
+        role="bold">{classify</emphasis>|<emphasis
        role="bold">hfsc</emphasis>|<emphasis
        role="bold">linklayer</emphasis>={<emphasis
        role="bold">ethernet</emphasis>|<emphasis
        role="bold">atm</emphasis>|<emphasis
        role="bold">adsl</emphasis>}|<emphasis
        role="bold">tsize</emphasis>=<replaceable>tsize</replaceable>|<emphasis
        role="bold">mtu</emphasis>=<replaceable>mtu</replaceable>|<emphasis
        role="bold">mpu</emphasis>=<replaceable>mpu</replaceable>|<emphasis
        role="bold">overhead</emphasis>=<replaceable>overhead</replaceable>}
        ,...}</term>
        <listitem>
          <para><option>classify</option> ― When specified, Shorewall will not
@@ -190,7 +200,34 @@
          <para><option>hfsc</option> - Shorewall normally uses the
          <firstterm>Hierarchical Token Bucket</firstterm> queuing discipline.
          When <option>hfsc</option> is specified, the <firstterm>Hierarchical
-          Fair Service Curves</firstterm> discipline is used instead.</para>
+          Fair Service Curves</firstterm> discipline is used instead (see
          tc-hfsc (7)).</para>
          <para><emphasis role="bold">linklayer</emphasis> - Added in
          Shorewall 4.5.6. Type of link (ethernet, atm, adsl). When specified,
          causes scheduler packet size manipulation as described in tc-stab
          (8). When this option is given, the following options may also be
          given after it:</para>
          <blockquote>
            <para><emphasis
            role="bold">mtu</emphasis>=<replaceable>mtu</replaceable> - The
            device MTU; default 2048 (will be rounded up to a power of
            two)</para>
            <para><emphasis
            role="bold">mpu</emphasis>=<replaceable>mpubytes</replaceable> -
            Minimum packet size used in calculations. Smaller packets will be
            rounded up to this size</para>
            <para><emphasis
            role="bold">tsize</emphasis>=<replaceable>tablesize</replaceable>
            - Size table entries; default is 512</para>
            <para><emphasis
            role="bold">overhead</emphasis>=<replaceable>overheadbytes</replaceable>
            - Number of overhead bytes per packet.</para>
          </blockquote>
        </listitem>
      </varlistentry>
@@ -240,6 +277,8 @@
  <refsect1>
    <title>See ALSO</title>
    <para>tc-hfsc (7)</para>
    <para><ulink
    url="http://shorewall.net/traffic_shaping.htm">http://shorewall.net/traffic_shaping.htm</ulink></para>
--- a/Shorewall/manpages/shorewall-tcfilters.xml
+++ b/Shorewall/manpages/shorewall-tcfilters.xml
@@ -35,7 +35,7 @@
        <term>IPV4</term>
        <listitem>
-          <para>Following entriess apply to IPv4.</para>
+          <para>Following entries apply to IPv4.</para>
        </listitem>
      </varlistentry>
--- a/Shorewall/manpages/shorewall-tcrules.xml
+++ b/Shorewall/manpages/shorewall-tcrules.xml
@@ -38,6 +38,34 @@
      url="http://shorewall.net/MultiISP.html">http://shorewall.net/MultiISP.html</ulink>.</para>
    </important>
    <para>Beginning with Shorewall 4.5.4, the tcrules file supports two
    different formats:</para>
    <variablelist>
      <varlistentry>
        <term>FORMAT 1 (default - deprecated)</term>
        <listitem>
          <para>The older limited-function version of TPROXY is
          supported.</para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term>FORMAT 2</term>
        <listitem>
          <para>The newer version of TPROXY is supported.</para>
        </listitem>
      </varlistentry>
    </variablelist>
    <para>The format is specified by a line as follows:</para>
    <blockquote>
      <para><emphasis role="bold">FORMAT {1|2}</emphasis></para>
    </blockquote>
    <para>The columns in the file are as follows (where the column name is
    followed by a different name in parentheses, the different name is used in
    the alternate specification syntax).</para>
@@ -407,9 +435,23 @@ SAME              $FW            0.0.0.0/0    tcp        80,443</programlisting>
              classes will have a value &gt; 256.</para>
            </listitem>
            <listitem>
              <para><emphasis role="bold">DIVERT</emphasis></para>
              <para>Added in Shorewall 4.5.4 and only available when FORMAT is
              2. Two DIVERT rule should preceed the TPROXY rule and should
              select DEST PORT tcp 80 and SOURCE PORT tcp 80 respectively
              (assuming that tcp port 80 is being proxied). DIVERT avoids
              sending packets to the TPROXY target once a socket connection to
              Squid3 has been established by TPROXY. DIVERT marks the packet
              with a unique mark and exempts it from any rules that
              follow.</para>
            </listitem>
            <listitem>
              <para><emphasis
-              role="bold">TPROXY</emphasis>(<replaceable>mark</replaceable>[/<replaceable>mask</replaceable>][,[<replaceable>port</replaceable>][,[<replaceable>address</replaceable>]]])</para>
+              role="bold">TPROXY</emphasis>(<replaceable>mark</replaceable>[,[<replaceable>port</replaceable>][,[<replaceable>address</replaceable>]]])
              -- FORMAT 1</para>
              <para>Transparently redirects a packet without altering the IP
              header. Requires a local provider to be defined in <ulink
@@ -440,6 +482,34 @@ SAME              $FW            0.0.0.0/0    tcp        80,443</programlisting>
              </itemizedlist>
            </listitem>
            <listitem>
              <para><emphasis
              role="bold">TPROXY</emphasis>([<replaceable>port</replaceable>][,<replaceable>address</replaceable>])
              -- FORMAT 2</para>
              <para>Transparently redirects a packet without altering the IP
              header. Requires a tproxy provider to be defined in <ulink
              url="shorewall-providers.html">shorewall-providers</ulink>(5).</para>
              <para>There are three parameters to TPROXY - neither is
              required:</para>
              <itemizedlist>
                <listitem>
                  <para><replaceable>port</replaceable> - the port on which
                  the proxy server is listening. If omitted, the original
                  destination port.</para>
                </listitem>
                <listitem>
                  <para><replaceable>address</replaceable> - a local (to the
                  firewall) IP address on which the proxy server is listening.
                  If omitted, the IP address of the interface on which the
                  request arrives.</para>
                </listitem>
              </itemizedlist>
            </listitem>
            <listitem>
              <para><emphasis role="bold">TTL</emphasis>([<emphasis
              role="bold">-</emphasis>|<emphasis
@@ -569,7 +639,7 @@ Normal-Service       =&gt; 0x00</programlisting>
                  <term>T</term>
                  <listitem>
-                    <para>POSTROUTING chain (default).</para>
+                    <para>POSTROUTING chain.</para>
                  </listitem>
                </varlistentry>
              </variablelist>
--- a/Shorewall/manpages/shorewall-tunnels.xml
+++ b/Shorewall/manpages/shorewall-tunnels.xml
@@ -125,8 +125,9 @@
      </varlistentry>
      <varlistentry>
-        <term><emphasis role="bold">GATEWAY</emphasis> -
+        <term><emphasis role="bold">GATEWAY</emphasis>(S) (gateway or
-        <emphasis>address-or-range</emphasis></term>
+        gateways) - <emphasis>address-or-range</emphasis> <emphasis
        role="bold">[ , ... ]</emphasis></term>
        <listitem>
          <para>The IP address of the remote tunnel gateway. If the remote
@@ -134,12 +135,17 @@
          as <emphasis role="bold">0.0.0.0/0</emphasis>. May be specified as a
          network address and if your kernel and iptables include iprange
          match support then IP address ranges are also allowed.</para>
          <para>Beginning with Shorewall 4.5.3, a list of addresses or ranges
          may be given. Exclusion (<ulink
          url="shorewall-exclusion.html">shorewall-exclusion</ulink> (5) ) is
          not supported.</para>
        </listitem>
      </varlistentry>
      <varlistentry>
-        <term><emphasis role="bold">GATEWAY ZONES</emphasis> (gateway_zone) -
+        <term><emphasis role="bold">GATEWAY ZONES</emphasis> (gateway_zone or
-        [<emphasis>zone</emphasis>[<emphasis
+        gateway_zones) - [<emphasis>zone</emphasis>[<emphasis
        role="bold">,</emphasis><emphasis>zone</emphasis>]...]</term>
        <listitem>
@@ -148,7 +154,7 @@
          comma-separated list of the names of the zones that the host might
          be in. This column only applies to IPSEC tunnels where it enables
          ISAKMP traffic to flow through the tunnel to the remote
-          gateway.</para>
+          gateway(s).</para>
        </listitem>
      </varlistentry>
    </variablelist>
--- a/Shorewall/manpages/shorewall.conf.xml
+++ b/Shorewall/manpages/shorewall.conf.xml
@@ -96,7 +96,7 @@
        role="bold">none</emphasis>}</term>
        <listitem>
-          <para></para>
+          <para/>
        </listitem>
      </varlistentry>
@@ -106,7 +106,7 @@
        role="bold">none</emphasis>}</term>
        <listitem>
-          <para></para>
+          <para/>
        </listitem>
      </varlistentry>
@@ -116,7 +116,7 @@
        role="bold">none</emphasis>}</term>
        <listitem>
-          <para></para>
+          <para/>
        </listitem>
      </varlistentry>
@@ -126,7 +126,7 @@
        role="bold">none</emphasis>}</term>
        <listitem>
-          <para></para>
+          <para/>
        </listitem>
      </varlistentry>
@@ -482,7 +482,7 @@
          </itemizedlist>
          <blockquote>
-            <para></para>
+            <para/>
            <para>If CONFIG_PATH is not given or if it is set to the empty
            value then the contents of /usr/share/shorewall/configpath are
@@ -669,6 +669,21 @@ net     all  DROP   info</programlisting>then the chain name is 'net2all'
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><emphasis
        role="bold">GEOIPDIR</emphasis>=[<emphasis>pathname</emphasis>]</term>
        <listitem>
          <para>Added in Shorewall 4.5.4. Specifies the pathname of the
          directory containing the <firstterm>GeoIP Match</firstterm>
          database. See <ulink
          url="http://www.shorewall.net/ISOCODES.html">http://www.shorewall.net/ISOCODES.html</ulink>.
          If not specified, the default value is
          <filename>/usr/share/xt_geoip/LE</filename> which is the default
          location of the little-endian database.</para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><emphasis role="bold">HIGH_ROUTE_MARKS=</emphasis>{<emphasis
        role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>}</term>
@@ -814,7 +829,7 @@ net     all  DROP   info</programlisting>then the chain name is 'net2all'
            </varlistentry>
          </variablelist>
-          <para></para>
+          <para/>
          <blockquote>
            <para>If this variable is not set or is given an empty value
@@ -938,6 +953,19 @@ net     all  DROP   info</programlisting>then the chain name is 'net2all'
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><emphasis
        role="bold">LOCKFILE</emphasis>=[<emphasis>pathname</emphasis>]</term>
        <listitem>
          <para>Specifies the name of the Shorewall lock file, used to prevent
          simultaneous state-changing commands. If not specified,
          ${VARDIR}/shorewall/lock is assumed (${VARDIR} is normally /var/lib
          but can be changed when Shorewall-core is installed -- see the
          output of <command>shorewall show vardir</command>).</para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><emphasis role="bold">LOG_MARTIANS=</emphasis>[<emphasis
        role="bold">Yes</emphasis>|<emphasis
@@ -1011,7 +1039,7 @@ net     all  DROP   info</programlisting>then the chain name is 'net2all'
            </listitem>
          </itemizedlist>
-          <para></para>
+          <para/>
          <blockquote>
            <para>For example, using the default LOGFORMAT, the log prefix for
@@ -1028,7 +1056,7 @@ net     all  DROP   info</programlisting>then the chain name is 'net2all'
              control your firewall after you enable this option.</para>
            </important>
-            <para></para>
+            <para/>
            <caution>
              <para>Do not use this option if the resulting log messages will
@@ -1525,6 +1553,23 @@ net     all  DROP   info</programlisting>then the chain name is 'net2all'
                  chain are appended to it.</para>
                </listitem>
              </itemizedlist>
              <para>An additional optimization was added in Shorewall 4.5.4.
              If the last rule in a chain is an unqualified jump to a simple
              target, then all immediately preceding rules with the same
              simple target are omitted.</para>
              <para>For example, consider this chain:</para>
              <programlisting>	-A fw-net -p udp --dport 67:68 -j ACCEPT
 	-A fw-net -p udp --sport 1194 -j ACCEPT
 	-A fw-net -p 41 -j ACCEPT
 	-A fw-net -j ACCEPT
 </programlisting>
              <para>Since all of the rules are jumps to the simple target
              ACCEPT, this chain is totally optimized away and jumps to the
              chain are replace with jumps to ACCEPT.</para>
            </listitem>
            <listitem>
@@ -1664,7 +1709,7 @@ net     all  DROP   info</programlisting>then the chain name is 'net2all'
        role="bold">"</emphasis></term>
        <listitem>
-          <para></para>
+          <para/>
        </listitem>
      </varlistentry>
--- a/Shorewall/manpages/shorewall.xml
+++ b/Shorewall/manpages/shorewall.xml
@@ -283,6 +283,8 @@
      <arg><option>-r</option> <replaceable>root-user-name</replaceable></arg>
      <arg><option>-T</option></arg>
      <arg><replaceable>directory</replaceable></arg>
      <arg choice="plain"><replaceable>system</replaceable></arg>
@@ -349,7 +351,9 @@
      <arg>-<replaceable>options</replaceable></arg>
-      <arg choice="plain"><option>refresh</option><arg
+      <arg
      choice="plain"><option>refresh</option><arg><option>-n</option></arg><arg><option>-d</option></arg><arg><option>-T</option></arg><arg>-<option>D</option>
      <replaceable>directory</replaceable> </arg><arg
      rep="repeat"><replaceable>chain</replaceable></arg></arg>
    </cmdsynopsis>
@@ -381,6 +385,8 @@
      <arg><option>-r</option> <replaceable>root-user-name</replaceable></arg>
      <arg><option>-T</option></arg>
      <arg><replaceable>directory</replaceable></arg>
      <arg choice="plain"><replaceable>system</replaceable></arg>
@@ -415,6 +421,8 @@
      <arg><option>-c</option></arg>
      <arg><option>-T</option></arg>
      <arg><replaceable>directory</replaceable></arg>
    </cmdsynopsis>
@@ -599,6 +607,8 @@
      <arg><option>-c</option></arg>
      <arg><option>-T</option></arg>
      <arg><replaceable>directory</replaceable></arg>
    </cmdsynopsis>
@@ -1038,6 +1048,10 @@
          <para>If <option>-r</option> is included, it specifies that the root
          user on <replaceable>system</replaceable> is named
          <replaceable>root-user-name</replaceable> rather than "root".</para>
          <para>The <option>-T</option> option was added in Shorewall 4.5.3
          and causes a Perl stack trace to be included with each
          compiler-generated error and warning message.</para>
        </listitem>
      </varlistentry>
@@ -1113,6 +1127,20 @@
          list or until an entry in the list names another table. Built-in
          chains such as FORWARD may not be refreshed.</para>
          <para>The <option>-n</option> option was added in Shorewall 4.5.3
          causes Shorewall to avoid updating the routing table(s).</para>
          <para>The <option>-d </option>option was added in Shorewall 4.5.3
          causes the compiler to run under the Perl debugger.</para>
          <para>The <option>-T</option> option was added in Shorewall 4.5.3
          and causes a Perl stack trace to be included with each
          compiler-generated error and warning message.</para>
          <para>The -<option>D</option> option was added in Shorewall 4.5.3
          and causes Shorewall to look in the given
          <emphasis>directory</emphasis> first for configuration files.</para>
          <para>Example:<programlisting><command>shorewall refresh net2fw nat:net_dnat</command> #Refresh the 'net2loc' chain in the filter table and the 'net_dnat' chain in the nat table</programlisting></para>
          <para>The <emphasis role="bold">refresh</emphasis> command has
@@ -1166,6 +1194,10 @@
          <para>If <option>-r</option> is included, it specifies that the root
          user on <replaceable>system</replaceable> is named
          <replaceable>root-user-name</replaceable> rather than "root".</para>
          <para>The <option>-T</option> option was added in Shorewall 4.5.3
          and causes a Perl stack trace to be included with each
          compiler-generated error and warning message.</para>
        </listitem>
      </varlistentry>
@@ -1210,6 +1242,10 @@
          url="shorewall.conf.html">shorewall.conf</ulink>(5). When both
          <option>-f</option> and <option>-c</option>are present, the result
          is determined by the option that appears last.</para>
          <para>The <option>-T</option> option was added in Shorewall 4.5.3
          and causes a Perl stack trace to be included with each
          compiler-generated error and warning message.</para>
        </listitem>
      </varlistentry>
@@ -1541,6 +1577,10 @@
          url="shorewall.conf.html">shorewall.conf</ulink>(5). When both
          <option>-f</option> and <option>-c</option>are present, the result
          is determined by the option that appears last.</para>
          <para>The <option>-T</option> option was added in Shorewall 4.5.3
          and causes a Perl stack trace to be included with each
          compiler-generated error and warning message.</para>
        </listitem>
      </varlistentry>
--- a/Shorewall/shorewall
+++ b/Shorewall/shorewall
@@ -36,6 +36,7 @@ g_libexec="$LIBEXECDIR"
 g_sharedir="$SHAREDIR"/shorewall
 g_sbindir="$SBINDIR"
 g_perllib="$PERLLIBDIR"
 g_vardir="$VARDIR"
 g_confdir="$CONFDIR"/shorewall
 g_readrc=1
--- a/Shorewall6-lite/Makefile
+++ b/Shorewall6-lite/Makefile
@@ -3,9 +3,9 @@ VARDIR=$(shell /sbin/shorewall6-lite show vardir)
 SHAREDIR=/usr/share/shorewall6-lite
 RESTOREFILE?=.restore
-all: $(VARDIR)/${RESTOREFILE}
+all: $(VARDIR)/$(RESTOREFILE)
-$(VARDIR)/${RESTOREFILE}: $(VARDIR)/firewall
+$(VARDIR)/$(RESTOREFILE): $(VARDIR)/firewall
 	@/sbin/shorewall6-lite -q save >/dev/null; \
 	if \
 	    /sbin/shorewall6-lite -q restart >/dev/null 2>&1; \
--- a/Shorewall6-lite/shorecap
+++ b/Shorewall6-lite/shorecap
@@ -45,17 +45,22 @@
 #    used during firewall compilation, then the generated firewall program will likewise not
 #    require Shorewall to be installed.
-SHAREDIR=/usr/share/shorewall6-lite
+g_program=shorewall6-lite
 VARDIR=/var/lib/shorewall6-lite
 CONFDIR=/etc/shorewall6-lite
 g_product="Shorewall6 Lite"
 g_family=6
 g_base=shorewall6
 g_basedir=/usr/share/shorewall6-lite
-. /usr/share/shorewall6-lite/lib.base
+#
-. /usr/share/shorewall6/lib.cli
+# This is modified by the installer when ${SHAREDIR} != /usr/share
-. /usr/share/shorewall6-lite/configpath
+#
 . /usr/share/shorewall/shorewallrc
 g_libexec="$LIBEXECDIR"
 g_sharedir="$SHAREDIR"/shorewall6-lite
 g_sbindir="$SBINDIR"
 g_vardir="$VARDIR"
 g_confdir="$CONFDIR"/shorewall6-lite
 g_readrc=1
 . ${SHAREDIR}/shorewall/lib.cli
 . ${SHAREDIR}/shorewall-lite/configpath
 [ -n "$PATH" ] || PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
--- a/Shorewall6-lite/shorewall6-lite
+++ b/Shorewall6-lite/shorewall6-lite
@@ -35,7 +35,7 @@ g_program=shorewall6-lite
 g_libexec="$LIBEXECDIR"
 g_sharedir="$SHAREDIR"/shorewall6-lite
 g_sbindir="$SBINDIR"
-g_perllib="$PERLLIBDIR"
+g_vardir="$VARDIR"
 g_confdir="$CONFDIR"/shorewall6-lite
 g_readrc=1
--- a/Shorewall6/Makefile
+++ b/Shorewall6/Makefile
@@ -3,9 +3,9 @@ VARDIR=$(shell /sbin/shorewall6 show vardir)
 CONFDIR=/etc/shorewall6
 RESTOREFILE?=firewall
-all: $(VARDIR)/${RESTOREFILE}
+all: $(VARDIR)/$(RESTOREFILE)
-$(VARDIR)/${RESTOREFILE}: $(CONFDIR)/*
+$(VARDIR)/$(RESTOREFILE): $(CONFDIR)/*
 	@/sbin/shorewall6 -q save >/dev/null; \
 	if \
 	    /sbin/shorewall6 -q restart >/dev/null 2>&1; \
--- a/Shorewall6/Samples6/LICENSE
+++ b/Shorewall6/Samples6/LICENSE
@@ -55,7 +55,7 @@ modified by someone else and passed on, the recipients should know
 that what they have is not the original version, so that the original
 author's reputation will not be affected by problems that might be
 introduced by others.
-
+
  Finally, software patents pose a constant threat to the existence of
 any free program.  We wish to make sure that a company cannot
 effectively restrict the users of a free program by obtaining a
@@ -111,7 +111,7 @@ modification follow.  Pay close attention to the difference between a
 "work based on the library" and a "work that uses the library".  The
 former contains code derived from the library, whereas the latter must
 be combined with the library in order to run.
-
+
 		  GNU LESSER GENERAL PUBLIC LICENSE
   TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
@@ -158,7 +158,7 @@ Library.
  You may charge a fee for the physical act of transferring a copy,
 and you may at your option offer warranty protection in exchange for a
 fee.
-
+
  2. You may modify your copy or copies of the Library or any portion
 of it, thus forming a work based on the Library, and copy and
 distribute such modifications or work under the terms of Section 1
@@ -216,7 +216,7 @@ instead of to this License.  (If a newer version than version 2 of the
 ordinary GNU General Public License has appeared, then you can specify
 that version instead if you wish.)  Do not make any other change in
 these notices.
-
+
  Once this change is made in a given copy, it is irreversible for
 that copy, so the ordinary GNU General Public License applies to all
 subsequent copies and derivative works made from that copy.
@@ -267,7 +267,7 @@ Library will still fall under Section 6.)
 distribute the object code for the work under the terms of Section 6.
 Any executables containing that work also fall under Section 6,
 whether or not they are linked directly with the Library itself.
-
+
  6. As an exception to the Sections above, you may also combine or
 link a "work that uses the Library" with the Library to produce a
 work containing portions of the Library, and distribute that work
@@ -329,7 +329,7 @@ restrictions of other proprietary libraries that do not normally
 accompany the operating system.  Such a contradiction means you cannot
 use both them and the Library together in an executable that you
 distribute.
-
+
  7. You may place library facilities that are a work based on the
 Library side-by-side in a single library together with other library
 facilities not covered by this License, and distribute such a combined
@@ -370,7 +370,7 @@ subject to these terms and conditions.  You may not impose any further
 restrictions on the recipients' exercise of the rights granted herein.
 You are not responsible for enforcing compliance by third parties with
 this License.
-
+
  11. If, as a consequence of a court judgment or allegation of patent
 infringement or for any other reason (not limited to patent issues),
 conditions are imposed on you (whether by court order, agreement or
@@ -422,7 +422,7 @@ conditions either of that version or of any later version published by
 the Free Software Foundation.  If the Library does not specify a
 license version number, you may choose any version ever published by
 the Free Software Foundation.
-
+
  14. If you wish to incorporate parts of the Library into other free
 programs whose distribution conditions are incompatible with these,
 write to the author to ask for permission.  For software which is
@@ -456,7 +456,7 @@ SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH
 DAMAGES.
 		     END OF TERMS AND CONDITIONS
-
+
           How to Apply These Terms to Your New Libraries
  If you develop a new library, and you want it to be of the greatest
--- a/Shorewall6/Samples6/Universal/interfaces
+++ b/Shorewall6/Samples6/Universal/interfaces
@@ -7,7 +7,9 @@
 # http://www.shorewall.net/manpages/shorewall-interfaces.html
 #
 ###############################################################################
-#ZONE	INTERFACE	BROADCAST	OPTIONS
+FORMAT 2
-	lo		-		ignore
+###############################################################################
-net	all		-		dhcp,physical=+,routeback
+#ZONE	INTERFACE	OPTIONS
 -	lo		ignore
 net	all		dhcp,physical=+,routeback,sourceroute=0
--- a/Shorewall6/Samples6/Universal/rules
+++ b/Shorewall6/Samples6/Universal/rules
@@ -14,5 +14,6 @@
 #SECTION RELATED
 SECTION NEW
 Invalid(DROP)	net		$FW		tcp
 SSH(ACCEPT)	net		$FW
 Ping(ACCEPT)	net		$FW
--- a/Shorewall6/Samples6/Universal/shorewall6.conf
+++ b/Shorewall6/Samples6/Universal/shorewall6.conf
@@ -54,12 +54,16 @@ TCP_FLAGS_LOG_LEVEL=info
 CONFIG_PATH=${CONFDIR}/shorewall6:${SHAREDIR}/shorewall6:${SHAREDIR}/shorewall
 GEOIPDIR=/usr/share/xt_geoip/LE
 IP6TABLES=
 IP=
 IPSET=
 LOCKFILE=
 MODULESDIR=
 PERL=/usr/bin/perl
@@ -151,7 +155,7 @@ MODULE_SUFFIX=ko
 MUTEX_TIMEOUT=60
-OPTIMIZE=15
+OPTIMIZE=31
 OPTIMIZE_ACCOUNTING=No
--- a/Shorewall6/Samples6/one-interface/interfaces
+++ b/Shorewall6/Samples6/one-interface/interfaces
@@ -11,5 +11,7 @@
 #------------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall6-interfaces"
 ###############################################################################
-#ZONE	INTERFACE	BROADCAST	OPTIONS
+FORMAT 2
-net     eth0            detect          tcpflags
+###############################################################################
 #ZONE	INTERFACE	OPTIONS
 net     eth0            tcpflags
--- a/Shorewall6/Samples6/one-interface/rules
+++ b/Shorewall6/Samples6/one-interface/rules
@@ -18,6 +18,10 @@
 #SECTION RELATED
 SECTION NEW
 # Drop packets in the INVALID state
 Invalid(DROP)  net    	        $FW		tcp
 # Drop Ping from the "bad" net zone.. and prevent your log from being flooded..
 Ping(DROP)	net		$FW
--- a/Shorewall6/Samples6/one-interface/shorewall6.conf
+++ b/Shorewall6/Samples6/one-interface/shorewall6.conf
@@ -54,12 +54,16 @@ TCP_FLAGS_LOG_LEVEL=info
 CONFIG_PATH=${CONFDIR}/shorewall6:${SHAREDIR}/shorewall6:${SHAREDIR}/shorewall
 GEOIPDIR=/usr/share/xt_geoip/LE
 IP6TABLES=
 IP=
 IPSET=
 LOCKFILE=
 MODULESDIR=
 PERL=/usr/bin/perl
@@ -151,7 +155,7 @@ MODULE_SUFFIX=ko
 MUTEX_TIMEOUT=60
-OPTIMIZE=1
+OPTIMIZE=31
 OPTIMIZE_ACCOUNTING=No
--- a/Shorewall6/Samples6/three-interfaces/interfaces
+++ b/Shorewall6/Samples6/three-interfaces/interfaces
@@ -11,7 +11,9 @@
 #------------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall6-interfaces"
 ###############################################################################
-#ZONE	INTERFACE	BROADCAST	OPTIONS
+FORMAT 2
-net     eth0            detect          tcpflags,forward=1
+###############################################################################
-loc     eth1            detect          tcpflags,forward=1
+#ZONE	INTERFACE	OPTIONS
-dmz     eth2            detect		tcpflags,forward=1
+net     eth0            tcpflags,forward=1,sourceroute=0
 loc     eth1            tcpflags,forward=1
 dmz     eth2            tcpflags,forward=1
--- a/Shorewall6/Samples6/three-interfaces/rules
+++ b/Shorewall6/Samples6/three-interfaces/rules
@@ -20,7 +20,7 @@ SECTION NEW
 #       Don't allow connection pickup from the net
 #
-Invalid(DROP)	net		all
+Invalid(DROP)	net		all		tcp
 #
 #	Accept DNS connections from the firewall to the Internet
 #
--- a/Show More
+++ b/Show More
		`@@ -1,3 +0,0 @@`
			`<?xml version="1.0" encoding="UTF-8"?>`
			`<includepath />`