Apply Thomas D's patch for SAVE_IPSET in the debian shorewall-init script

Signed-off-by: Tom Eastep <teastep@shorewall.net>
Update the Build document
2014-08-14 09:49:18 -07:00 · 2014-08-14 08:03:31 -07:00 · 2014-08-11 08:30:44 -07:00 · 2014-08-10 12:15:08 -07:00 · 2014-08-10 09:50:21 -07:00 · 2014-08-10 08:09:31 -07:00
401 changed files with 11303 additions and 4405 deletions
--- a/Shorewall-core/configure
+++ b/Shorewall-core/configure
@@ -1,16 +1,17 @@
 #!/bin/bash
 #
-#     Shorewall Packet Filtering Firewall RPM configuration program - V4.5
+#     Shorewall Packet Filtering Firewall RPM configuration program - V4.6
 #
-#     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
+#     (c) 2012,2014 - Tom Eastep (teastep@shorewall.net)
 #
 #     (c) 2012 - Tom Eastep (teastep@shorewall.net)
 #
 #	Shorewall documentation is available at http://www.shorewall.net
 #
 #       This program is part of Shorewall.
 #
 #	This program is free software; you can redistribute it and/or modify
-#	it under the terms of Version 2 of the GNU General Public License
+#	it under the terms of the GNU General Public License as published by the
-#	as published by the Free Software Foundation.
+#       Free Software Foundation, either version 2 of the license or, at your
 #       option, any later version.
 #
 #	This program is distributed in the hope that it will be useful,
 #	but WITHOUT ANY WARRANTY; without even the implied warranty of
@@ -18,8 +19,7 @@
 #	GNU General Public License for more details.
 #
 #	You should have received a copy of the GNU General Public License
-#	along with this program; if not, write to the Free Software
+#	along with this program; if not, see <http://www.gnu.org/licenses/>.
 #	Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 #       Usage: ./configure [ <option>=<setting> ] ...
 #
@@ -95,13 +95,13 @@ vendor=${params[HOST]}
 if [ -z "$vendor" ]; then
    if [ -f /etc/os-release ]; then
-	eval $(cat /etc/os-release | grep ^ID)
+	eval $(cat /etc/os-release | grep ^ID=)
 	case $ID in
-	    fedora)
+	    fedora|rhel)
 		vendor=redhat
 		;;
-	    debian)
+	    debian|ubuntu)
 		vendor=debian
 		;;
 	    opensuse)
--- a/Shorewall-core/configure.pl
+++ b/Shorewall-core/configure.pl
@@ -2,15 +2,16 @@
 #
 #     Shorewall Packet Filtering Firewall RPM configuration program - V4.5
 #
-#     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
+#     (c) 2012, 2014 - Tom Eastep (teastep@shorewall.net)
 #
 #     (c) 2012 - Tom Eastep (teastep@shorewall.net)
 #
 #	Shorewall documentation is available at http://www.shorewall.net
 #
 #       This program is part of Shorewall.
 #
 #	This program is free software; you can redistribute it and/or modify
-#	it under the terms of Version 2 of the GNU General Public License
+#	it under the terms of the GNU General Public License as published by the
-#	as published by the Free Software Foundation.
+#       Free Software Foundation, either version 2 of the license or, at your
 #       option, any later version.
 #
 #	This program is distributed in the hope that it will be useful,
 #	but WITHOUT ANY WARRANTY; without even the implied warranty of
@@ -18,8 +19,7 @@
 #	GNU General Public License for more details.
 #
 #	You should have received a copy of the GNU General Public License
-#	along with this program; if not, write to the Free Software
+#	along with this program; if not, see <http://www.gnu.org/licenses/>.
 #	Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 #       Usage: ./configure.pl <option>=<setting> ...
 #
@@ -58,16 +58,18 @@ my $rcfilename;
 unless ( defined $vendor ) {
    if ( -f '/etc/os-release' ) {
-	my $id = `cat /etc/os-release | grep ^ID`;
+	my $id = `cat /etc/os-release | grep ^ID=`;
 	chomp $id;
 	$id =~ s/ID=//;
-	if ( $id eq 'fedora' ) {
+	if ( $id eq 'fedora' || $id eq 'rhel' ) {
 	    $vendor = 'redhat';
 	} elsif ( $id eq 'opensuse' ) {
 	    $vendor = 'suse';
 	} elsif ( $id eq 'ubuntu' ) {
 	    $vendor = 'debian';
 	} else {
 	    $vendor = $id;
 	}
@@ -98,7 +100,7 @@ if ( defined $vendor ) {
    } elsif ( `uname` =~ '^Darwin' ) {
 	$vendor = 'apple';
 	$rcfilename = 'shorewallrc.apple';
-    } elsif ( `uname` =~ '^Cygwin' ) {
+    } elsif ( `uname` =~ /^Cygwin/i ) {
 	$vendor = 'cygwin';
 	$rcfilename = 'shorewallrc.cygwin';
    } else {
--- a/Shorewall-core/install.sh
+++ b/Shorewall-core/install.sh
@@ -2,24 +2,24 @@
 #
 # Script to install Shoreline Firewall Core Modules
 #
-#     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
+#     (c) 2000-2011,2014 - Tom Eastep (teastep@shorewall.net)
 #
 #     (c) 2000-2011 - Tom Eastep (teastep@shorewall.net)
 #
 #       Shorewall documentation is available at http://shorewall.net
 #
-#       This program is free software; you can redistribute it and/or modify
+#       This program is part of Shorewall.
 #       it under the terms of Version 2 of the GNU General Public License
 #       as published by the Free Software Foundation.
 #
-#       This program is distributed in the hope that it will be useful,
+#	This program is free software; you can redistribute it and/or modify
-#       but WITHOUT ANY WARRANTY; without even the implied warranty of
+#	it under the terms of the GNU General Public License as published by the
-#       MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+#       Free Software Foundation, either version 2 of the license or, at your
-#       GNU General Public License for more details.
+#       option, any later version.
 #
-#       You should have received a copy of the GNU General Public License
+#	This program is distributed in the hope that it will be useful,
-#       along with this program; if not, write to the Free Software
+#	but WITHOUT ANY WARRANTY; without even the implied warranty of
-#       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 #	GNU General Public License for more details.
 #
 #	You should have received a copy of the GNU General Public License
 #	along with this program; if not, see <http://www.gnu.org/licenses/>.
 #
 VERSION=xxx #The Build script inserts the actual version
@@ -187,7 +187,7 @@ INSTALLD='-D'
 if [ -z "$BUILD" ]; then
    case $(uname) in
-	cygwin*)
+	cygwin*|CYGWIN*)
 	    BUILD=cygwin
 	    ;;
 	Darwin)
@@ -198,7 +198,7 @@ if [ -z "$BUILD" ]; then
 		eval $(cat /etc/os-release | grep ^ID)
 		case $ID in
-		    fedora)
+		    fedora|rhel)
 			BUILD=redhat
 			;;
 		    debian)
@@ -393,12 +393,13 @@ if [ -z "${DESTDIR}" ]; then
 	echo 'VARDIR=${VARLIB}/${PRODUCT}' >> $file
    fi
    [ ! -f ~/.shorewallrc ] && cp ${SHAREDIR}/shorewall/shorewallrc ~/.shorewallrc
 fi
 [ $file != "${DESTDIR}${SHAREDIR}/shorewall/shorewallrc" ] && cp $file ${DESTDIR}${SHAREDIR}/shorewall/shorewallrc
 [ -z "${DESTDIR}" ] && [ ! -f ~/.shorewallrc ] && cp ${SHAREDIR}/shorewall/shorewallrc ~/.shorewallrc
 if [ ${SHAREDIR} != /usr/share ]; then
    for f in lib.*; do
 	if [ $BUILD != apple ]; then
--- a/Shorewall-core/lib.base
+++ b/Shorewall-core/lib.base
@@ -1,15 +1,16 @@
 #
 # Shorewall 4.5 -- /usr/share/shorewall/lib.base
 #
-#     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
+#     (c) 1999-2014 - Tom Eastep (teastep@shorewall.net)
 #
 #     (c) 1999-2012 - Tom Eastep (teastep@shorewall.net)
 #
 #	Complete documentation is available at http://shorewall.net
 #
 #       This program is part of Shorewall.
 #
 #	This program is free software; you can redistribute it and/or modify
-#	it under the terms of Version 2 of the GNU General Public License
+#	it under the terms of the GNU General Public License as published by the
-#	as published by the Free Software Foundation.
+#       Free Software Foundation, either version 2 of the license or, at your
 #       option, any later version.
 #
 #	This program is distributed in the hope that it will be useful,
 #	but WITHOUT ANY WARRANTY; without even the implied warranty of
@@ -17,8 +18,7 @@
 #	GNU General Public License for more details.
 #
 #	You should have received a copy of the GNU General Public License
-#	along with this program; if not, write to the Free Software
+#	along with this program; if not, see <http://www.gnu.org/licenses/>.
 #	Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 # This library contains the code common to all Shorewall components except the
 # generated scripts.
--- a/Shorewall-core/lib.cli
+++ b/Shorewall-core/lib.cli
@@ -1,15 +1,16 @@
 #
 # Shorewall 4.5 -- /usr/share/shorewall/lib.cli.
 #
-#     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
+#     (c) 1999-2014 - Tom Eastep (teastep@shorewall.net)
 #
 #     (c) 1999-2013 - Tom Eastep (teastep@shorewall.net)
 #
 #	Complete documentation is available at http://shorewall.net
 #
 #       This program is part of Shorewall.
 #
 #	This program is free software; you can redistribute it and/or modify
-#	it under the terms of Version 2 of the GNU General Public License
+#	it under the terms of the GNU General Public License as published by the
-#	as published by the Free Software Foundation.
+#       Free Software Foundation, either version 2 of the license or, at your
 #       option, any later version.
 #
 #	This program is distributed in the hope that it will be useful,
 #	but WITHOUT ANY WARRANTY; without even the implied warranty of
@@ -17,15 +18,14 @@
 #	GNU General Public License for more details.
 #
 #	You should have received a copy of the GNU General Public License
-#	along with this program; if not, write to the Free Software
+#	along with this program; if not, see <http://www.gnu.org/licenses/>.
 #	Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 # This library contains the command processing code common to /sbin/shorewall[6] and
 # /sbin/shorewall[6]-lite. In Shorewall and Shorewall6, the lib.cli-std library is 
 # loaded after this one and replaces some of the functions declared here.
 #
-SHOREWALL_CAPVERSION=40515
+SHOREWALL_CAPVERSION=40600
 [ -n "${g_program:=shorewall}" ]
@@ -252,7 +252,15 @@ show_classifiers() {
 	if [ -n "$qdisc" ]; then
 	    echo Device $device:
-	    tc -s filter ls dev $device
+	    qt tc -s filter ls root dev $device && tc -s filter ls root dev $device | grep -v '^$'
 	    tc filter show dev $device
 	    tc class show dev $device | fgrep 'leaf ' | fgrep -v ' hfsc' | sed 's/^.*leaf //;s/ .*//' | while read class; do
 		if [ -n "$class" ]; then
 		    echo
 		    echo Node $class
 		    tc filter show dev $device parent $class
 		fi
 	    done
 	    echo
 	fi
    }
@@ -263,6 +271,19 @@ show_classifiers() {
 }
 #
 # Display blacklist chains
 #
 show_bl() {
    $g_tool -L $g_ipt_options | \
 	awk 'BEGIN           {prnt=0; };
            /^$/             {if (prnt == 1) print ""; prnt=0; };
            /Chain .*~ /     {prnt=1; };
            /Chain dynamic / {prnt=1; };
            {if (prnt == 1)  print; };
            END {if (prnt == 1 ) print "" };'
 }
 #
 # Watch the Firewall Log
 #
@@ -559,7 +580,7 @@ show_routing() {
 	ip -$g_family rule list | find_tables | sort -u | while read table; do
 	    heading "Table $table:"
 	    if [ $g_family -eq 6 ]; then
-		ip -$g_family -o route list table $table | fgrep -v cache | sort_routes
+		ip -$g_family -o route list table $table | grep -vF cache | sort_routes
 	    else
 		ip -4 -o route list table $table | sort_routes
 	    fi
@@ -572,7 +593,7 @@ show_routing() {
    else
 	heading "Routing Table"
 	if [ $g_family -eq 6 ]; then
-	    ip -$g_family -o route list | fgrep -v cache | sort_routes
+	    ip -$g_family -o route list | grep -vF cache | sort_routes
 	else
 	    ip -4 -o route list table $table | sort_routes
 	fi
@@ -582,7 +603,7 @@ show_routing() {
 determine_ipset_version() {
    local setname
-    if [ -z "$IPSET" -o $IPSET = ipset ]; then
+    if [ -z "$IPSET" -o "$IPSET" = "ipset" ]; then
 	IPSET=$(mywhich ipset)
 	[ -n "$IPSET" ] || fatal_error "The ipset utility cannot be located"
    fi
@@ -680,7 +701,7 @@ version_command() {
 	    fi
 	done
-	if [ -f $g_firewall ]; then
+	if [ "$(id -u)" -eq 0 -a -f $g_firewall ]; then
 	    echo $g_echo_n "$g_firewall was compiled by Shorewall version "
 	    $g_firewall version
 	fi
@@ -1182,6 +1203,12 @@ show_command() {
 	    echo
 	    show_events
 	    ;;
 	bl|blacklists)
 	    [ $# -gt 1 ] && usage 1
 	    echo "$g_product $SHOREWALL_VERSION blacklist chains at $g_hostname - $(date)"
 	    echo
 	    show_bl;
 	    ;;
 	*)
 	    case "$g_program" in
 		*-lite)
@@ -1546,7 +1573,7 @@ do_dump_command() {
 }
 dump_command() {
-    do_dump_command | dump_filter
+    do_dump_command $@ | dump_filter
 }
 #
@@ -1896,6 +1923,8 @@ add_command() {
 		ipset=6_${zone}_${interface};
 	    fi
 	    ipset=$(echo $ipset | sed 's/./_/g');
 	    if ! qt $IPSET -L $ipset; then
 		fatal_error "Zone $zone, interface $interface does not have a dynamic host list"
 	    fi
@@ -1984,6 +2013,8 @@ delete_command() {
 		ipset=6_${zone}_${interface};
 	    fi
 	    ipset=$(echo $ipset | sed 's/./_/g');
 	    if ! qt $IPSET -L $ipset -n; then
 		fatal_error "Zone $zone, interface $interface does not have a dynamic host list"
 	    fi
@@ -2260,10 +2291,13 @@ determine_capabilities() {
    PHYSDEV_BRIDGE=
    IPRANGE_MATCH=
    RECENT_MATCH=
    REAP_OPTION=
    OWNER_MATCH=
    OWNER_NAME_MATCH=
    IPSET_MATCH=
    OLD_IPSET_MATCH=
    IPSET_MATCH_NOMATCH=
    IPSET_MATCH_COUNTERS=
    IPSET_V5=
    CONNMARK=
    XCONNMARK=
@@ -2308,6 +2342,7 @@ determine_capabilities() {
    CONDITION_MATCH=
    IPTABLES_S=
    BASIC_FILTER=
    BASIC_EMATCH=
    CT_TARGET=
    STATISTIC_MATCH=
    IMQ_TARGET=
@@ -2429,7 +2464,11 @@ determine_capabilities() {
 	fi
    fi
-    qt $g_tool -A $chain -m recent --update -j ACCEPT     && RECENT_MATCH=Yes
+    if qt $g_tool -A $chain -m recent --update -j ACCEPT; then
 	RECENT_MATCH=Yes
 	qt $g_tool -A $chain -m recent --rcheck --seconds 10 --reap && REAP_OPTION=Yes
    fi
    qt $g_tool -A $chain -m owner --uid-owner 0 -j ACCEPT && OWNER_MATCH=Yes
    local name
@@ -2547,6 +2586,8 @@ determine_capabilities() {
 	    if [ -n "$have_ipset" ]; then
 		if qt $g_tool -A $chain -m set --match-set $chain src -j ACCEPT; then
 		    qt $g_tool -A $chain -m set --match-set $chain src --return-nomatch  -j ACCEPT && IPSET_MATCH_NOMATCH=Yes
 		    qt $g_tool -A $chain -m set --match-set $chain src --packets-lt 100  -j ACCEPT && IPSET_MATCH_COUNTERS=Yes
 		    qt $g_tool -F $chain
 		    IPSET_MATCH=Yes
 		elif qt $g_tool -A $chain -m set --set $chain src -j ACCEPT; then
@@ -2630,8 +2671,15 @@ determine_capabilities() {
    qt $g_tool -F $chain1
    qt $g_tool -X $chain1
-    [ -n "$TC" ] && $TC filter add flow help 2>&1 | grep -q ^Usage && FLOW_FILTER=Yes
+    if [ -n "$TC" ]; then
-    [ -n "$TC" ] && $TC filter add basic help 2>&1 | grep -q ^Usage && BASIC_FILTER=Yes
+	$TC filter add flow help 2>&1 | grep -q ^Usage && FLOW_FILTER=Yes
 	if $TC filter add basic help 2>&1 | grep -q ^Usage; then
 	    BASIC_FILTER=Yes
 	    $TC filter add basic help 2>&1 | egrep -q match && BASIC_EMATCH=Yes
 	fi
    fi
    [ -n "$IP" ] && $IP rule add help 2>&1 | grep -q /MASK && FWMARK_RT_MASK=Yes
    CAPVERSION=$SHOREWALL_CAPVERSION
@@ -2676,11 +2724,14 @@ report_capabilities_unsorted() {
    report_capability "Packet length Match (LENGTH_MATCH)" $LENGTH_MATCH
    report_capability "IP range Match(IPRANGE_MATCH)" $IPRANGE_MATCH
    report_capability "Recent Match (RECENT_MATCH)" $RECENT_MATCH
    [ -n "$RECENT_MATCH" ] && report_capability 'Recent Match "--reap" option (REAP_OPTION)' $REAP_OPTION
    report_capability "Owner Match (OWNER_MATCH)" $OWNER_MATCH
    report_capability "Owner Name Match (OWNER_NAME_MATCH)" $OWNER_NAME_MATCH
    if [ -n "$IPSET_MATCH" ]; then
 	report_capability "Ipset Match (IPSET_MATCH)" $IPSET_MATCH
-	[ -n "$OLD_IPSET_MATCH" ] && report_capability "OLD_Ipset Match (OLD_IPSET_MATCH)" $OLD_IPSET_MATCH
+	[ -n "$OLD_IPSET_MATCH" ]     && report_capability "OLD_Ipset Match (OLD_IPSET_MATCH)"           $OLD_IPSET_MATCH
 	[ -n "$IPSET_MATCH_NOMATCH" ] && report_capability "Ipset Match Nomatch (IPSET_MATCH_NOMATCH)"   $IPSET_MATCH_NOMATCH
 	[ -n "$IPSET_MATCH_NOMATCH" ] && report_capability "Ipset Match Counters (IPSET_MATCH_COUNTERS)" $IPSET_MATCH_COUNTERS
    fi
    report_capability "CONNMARK Target (CONNMARK)" $CONNMARK
    [ -n "$CONNMARK" ] && report_capability "Extended CONNMARK Target (XCONNMARK)" $XCONNMARK
@@ -2759,6 +2810,7 @@ report_capabilities_unsorted() {
    fi
    report_capability "Basic Filter (BASIC_FILTER)" $BASIC_FILTER
    report_capability "Basic Ematch (BASIC_EMATCH)" $BASIC_EMATCH
    report_capability "CT Target (CT_TARGET)" $CT_TARGET
    echo "   Kernel Version (KERNELVERSION): $KERNELVERSION"
@@ -2797,10 +2849,13 @@ report_capabilities_unsorted1() {
    report_capability1 LENGTH_MATCH
    report_capability1 IPRANGE_MATCH
    report_capability1 RECENT_MATCH
    report_capability1 REAP_OPTION
    report_capability1 OWNER_MATCH
    report_capability1 OWNER_NAME_MATCH
    report_capability1 IPSET_MATCH
    report_capability1 OLD_IPSET_MATCH
    report_capability1 IPSET_MATCH_NOMATCH
    report_capability1 IPSET_MATCH_COUNTERS
    report_capability1 CONNMARK
    report_capability1 XCONNMARK
    report_capability1 CONNMARK_MATCH
@@ -2844,6 +2899,7 @@ report_capabilities_unsorted1() {
    report_capability1 CONDITION_MATCH
    report_capability1 IPTABLES_S
    report_capability1 BASIC_FILTER
    report_capability1 BASIC_EMATCH
    report_capability1 CT_TARGET
    report_capability1 STATISTIC_MATCH
    report_capability1 IMQ_TARGET
@@ -2906,19 +2962,83 @@ show_status() {
    fi
    if [ $VERBOSITY -ge 1 ]; then 
 	echo "State:$state"
 	if [ -f $g_firewall ]; then
-	    echo $g_echo_n "$g_firewall was compiled by Shorewall version "
+	    state="$state ($g_firewall compiled by Shorewall version $($g_firewall version))"
 	    $g_firewall version
 	fi
 	echo "State:$state"
 	echo
    fi
 }
 interface_status() {
    case $(cat $1) in
 	0)
 	    echo Enabled
 	    ;;
 	1)
 	    echo Disabled
 	    ;;
 	*)
 	    echo Unknown
 	    ;;
    esac
 }
 show_interfaces() {
    local f
    local interface
    local printed
    for f in ${VARDIR}/*.status; do
 	interface=$(basename $f)
 	echo "   Interface ${interface%.status} is $(interface_status $f)"
 	printed=Yes
    done
    [ -n "$printed" ] && echo
 }
 status_command() {
     local finished
    finished=0
    local option
    local interfaces
    while [ $finished -eq 0 -a $# -gt 0 ]; do
 	option=$1
 	case $option in
 	    -*)
 		option=${option#-}
 		while [ -n "$option" ]; do
 		    case $option in
 			-)
 			    finished=1
 			    option=
 			    ;;
 			i*)
 			    interfaces=Yes
 			    option=${option#i}
 			    ;;
 			*)
 			    usage 1
 			    ;;
 		    esac
 		done
 		shift
 		;;
 	    *)
 		finished=1
 		;;
 	esac
    done
    [ $# -eq 0 ] || usage 1
    [ $VERBOSITY -ge 1 ] && echo "${g_product}-$SHOREWALL_VERSION Status at $g_hostname - $(date)" && echo
    show_status
-    [ $VERBOSITY -ge 1 ] && echo
+    [ -n "$interfaces" ] && show_interfaces
    exit $status
 }
@@ -3395,6 +3515,14 @@ restart_command() {
    return $rc
 }
 run_command() {
    if [ -x ${VARDIR}/firewall ] ; then
 	run_it ${VARDIR}/firewall $g_debugging $@
    else
 	fatal_error "${VARDIR}/firewall does not exist or is not executable"
    fi
 }
 #
 # Give Usage Information
 #
@@ -3408,7 +3536,7 @@ usage() # $1 = exit status
    echo "   delete <interface>[:<host-list>] ... <zone>"
    echo "   disable <interface>"
    echo "   drop <address> ..."
-    echo "   dump [ -x ]"
+    echo "   dump [ -x ] [ -l ] [ -m ]"
    echo "   enable <interface>"
    echo "   forget [ <file name> ]"
    echo "   help"
@@ -3426,10 +3554,12 @@ usage() # $1 = exit status
    echo "   reset [ <chain> ... ]"
    echo "   restart [ -n ] [ -p ] [ -f ] [ <directory> ]"
    echo "   restore [ -n ] [ <file name> ]"
    echo "   run <command> [ <parameter> ... ]"
    echo "   save [ <file name> ]"
    echo "   [ show | list | ls ] [ -b ] [ -x ] [ -t {filter|mangle|nat} ] [ {chain [<chain> [ <chain> ... ]"
    echo "   [ show | list | ls ] [ -f ] capabilities"
    echo "   [ show | list | ls ] arptables"
    echo "   [ show | list | ls ] [ -x ] {bl|blacklists}"
    echo "   [ show | list | ls ] classifiers"
    echo "   [ show | list | ls ] config"
    echo "   [ show | list | ls ] connections"
@@ -3452,7 +3582,8 @@ usage() # $1 = exit status
    echo "   [ show | list | ls ] zones"
    echo "   start [ -f ] [ -p ] [ <directory> ]"
    echo "   stop"
-    echo "   status"
+    echo "   status [ -i ]"
    echo "   run <function> [ function ... ]"
    echo "   version [ -a ]"
    echo
    exit $1
@@ -3499,6 +3630,9 @@ shorewall_cli() {
    g_conditional=
    g_file=
    g_doing="Compiling"
    g_directives=
    g_inline=
    g_tcrules=
    VERBOSE=
    VERBOSITY=1
@@ -3694,16 +3828,21 @@ shorewall_cli() {
 		fatal_error "$g_product is not running"
 	    fi
 	    ;;
 	run)
 	    [ $# -gt 1 ] || fatal_error "Missing function name"
 	    get_config Yes
 	    run_command $@
 	    ;;
 	show|list|ls)
 	    get_config Yes No Yes
    	    shift
    	    show_command $@
 	    ;;
 	status)
 	    [ $# -eq 1 ] || usage 1
 	    [ "$(id -u)" != 0 ] && fatal_error "The status command may only be run by root"
 	    get_config
-	    status_command
+	    shift
 	    status_command $@
 	    ;;
 	dump)
 	    get_config Yes No Yes
--- a/Shorewall-core/lib.common
+++ b/Shorewall-core/lib.common
@@ -1,15 +1,16 @@
 #
 # Shorewall 4.5 -- /usr/share/shorewall/lib.common.
 #
-#     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
+#     (c) 2010-2014 - Tom Eastep (teastep@shorewall.net)
 #
 #     (c) 2010-2012 - Tom Eastep (teastep@shorewall.net)
 #
 #	Complete documentation is available at http://shorewall.net
 #
 #       This program is part of Shorewall.
 #
 #	This program is free software; you can redistribute it and/or modify
-#	it under the terms of Version 2 of the GNU General Public License
+#	it under the terms of the GNU General Public License as published by the
-#	as published by the Free Software Foundation.
+#       Free Software Foundation, either version 2 of the license or, at your
 #       option, any later version.
 #
 #	This program is distributed in the hope that it will be useful,
 #	but WITHOUT ANY WARRANTY; without even the implied warranty of
@@ -17,8 +18,7 @@
 #	GNU General Public License for more details.
 #
 #	You should have received a copy of the GNU General Public License
-#	along with this program; if not, write to the Free Software
+#	along with this program; if not, see <http://www.gnu.org/licenses/>.
 #	Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 # The purpose of this library is to hold those functions used by both the CLI and by the
 # generated firewall scripts. To avoid versioning issues, it is copied into generated
@@ -172,6 +172,7 @@ run_it() {
 error_message() # $* = Error Message
 {
   echo "   $@" >&2
   return 1
 }
 #
@@ -605,7 +606,7 @@ find_first_interface_address() # $1 = interface
 	#
 	# get the line of output containing the first IP address
 	#
-	addr=$(${IP:-ip} -f inet6 addr show dev $1 2> /dev/null | fgrep 'inet6 ' | fgrep -v 'scope link' | head -n1)
+	addr=$(${IP:-ip} -f inet6 addr show dev $1 2> /dev/null | grep -F 'inet6 ' | grep -vF 'scope link' | head -n1)
 	#
 	# If there wasn't one, bail out now
 	#
@@ -634,7 +635,7 @@ find_first_interface_address_if_any() # $1 = interface
 	#
 	# get the line of output containing the first IP address
 	#
-	addr=$(${IP:-ip} -f inet6 addr show dev $1 2> /dev/null | fgrep 'inet6 ' | fgrep -v 'scope link' | head -n1)
+	addr=$(${IP:-ip} -f inet6 addr show dev $1 2> /dev/null | grep -F 'inet6 ' | grep -vF 'scope link' | head -n1)
 	#
 	# Strip off the trailing VLSM mask (or the peer IP in case of a P-t-P link)
 	# along with everything else on the line
--- a/Shorewall-core/uninstall.sh
+++ b/Shorewall-core/uninstall.sh
@@ -2,24 +2,24 @@
 #
 # Script to back uninstall Shoreline Firewall
 #
-#     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
+#     (c) 2000-2014 - Tom Eastep (teastep@shorewall.net)
 #
 #     (c) 2000-2011 - Tom Eastep (teastep@shorewall.net)
 #
 #       Shorewall documentation is available at http://www.shorewall.net
 #
-#       This program is free software; you can redistribute it and/or modify
+#       This program is part of Shorewall.
 #       it under the terms of Version 2 of the GNU General Public License
 #       as published by the Free Software Foundation.
 #
-#       This program is distributed in the hope that it will be useful,
+#	This program is free software; you can redistribute it and/or modify
-#       but WITHOUT ANY WARRANTY; without even the implied warranty of
+#	it under the terms of the GNU General Public License as published by the
-#       MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+#       Free Software Foundation, either version 2 of the license or, at your
-#       GNU General Public License for more details.
+#       option, any later version.
 #
-#       You should have received a copy of the GNU General Public License
+#	This program is distributed in the hope that it will be useful,
-#       along with this program; if not, write to the Free Software
+#	but WITHOUT ANY WARRANTY; without even the implied warranty of
-#       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 #	GNU General Public License for more details.
 #
 #	You should have received a copy of the GNU General Public License
 #	along with this program; if not, see <http://www.gnu.org/licenses/>.
 #
 #    Usage:
 #
--- a/Shorewall-core/wait4ifup
+++ b/Shorewall-core/wait4ifup
@@ -2,17 +2,18 @@
 #
 #     Shorewall interface helper utility - V4.2
 #
-#     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
+#     (c) 2007,2014 - Tom Eastep (teastep@shorewall.net)
 #
 #     (c) 2007 - Tom Eastep (teastep@shorewall.net)
 #
 #	This file is installed in /usr/share/shorewall/wait4ifup
 #
 #	Shorewall documentation is available at http://www.shorewall.net
 #
 #       This program is part of Shorewall.
 #
 #	This program is free software; you can redistribute it and/or modify
-#	it under the terms of Version 2 of the GNU General Public License
+#	it under the terms of the GNU General Public License as published by the
-#	as published by the Free Software Foundation.
+#       Free Software Foundation, either version 2 of the license or, at your
 #       option, any later version.
 #
 #	This program is distributed in the hope that it will be useful,
 #	but WITHOUT ANY WARRANTY; without even the implied warranty of
@@ -20,8 +21,7 @@
 #	GNU General Public License for more details.
 #
 #	You should have received a copy of the GNU General Public License
-#	along with this program; if not, write to the Free Software
+#	along with this program; if not, see <http://www.gnu.org/licenses/>.
 #	Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 #	If an error occurs while starting or restarting the firewall, the
 #	firewall is automatically stopped.
--- a/Shorewall-init/init.debian.sh
+++ b/Shorewall-init/init.debian.sh
@@ -36,6 +36,8 @@
 #                    bringing up the network
 ### END INIT INFO
 . /lib/lsb/init-functions
 export VERBOSITY=0
 if [ "$(id -u)" != "0" ]
@@ -103,24 +105,35 @@ shorewall_start () {
  for PRODUCT in $PRODUCTS; do
      setstatedir
-      if [ -x ${STATEDIR}/$PRODUCT/firewall ]; then
+      if [ -x ${STATEDIR}/firewall ]; then
          #
 	  # Run in a sub-shell to avoid name collisions
 	  #
 	  ( 
-	      if ! ${STATEDIR}/$PRODUCT/firewall status > /dev/null 2>&1; then
+	      if ! ${STATEDIR}/firewall status > /dev/null 2>&1; then
-		  ${STATEDIR}/$PRODUCT/firewall ${OPTIONS} stop || echo_notdone
+		  ${STATEDIR}/firewall ${OPTIONS} stop || echo_notdone
 	      else
 		  echo_notdone
 	      fi
 	  )
      else
-	  echo echo_notdone
+	  echo_notdone
      fi
  done
  echo "done."
  if [ -n "$SAVE_IPSETS" -a -f "$SAVE_IPSETS" ]; then
      echo -n "Restoring ipsets: "
      if ! ipset -R < "$SAVE_IPSETS"; then
 	  echo_notdone
      fi
      echo "done."
  fi
  return 0
 }
@@ -133,13 +146,27 @@ shorewall_stop () {
  for PRODUCT in $PRODUCTS; do
      setstatedir
-      if [ -x ${STATEDIR}/$PRODUCT/firewall ]; then
+      if [ -x ${STATEDIR}/firewall ]; then
-	  ${STATEDIR}/$PRODUCT/firewall ${OPTIONS} clear || echo_notdone
+	  ${STATEDIR}/firewall ${OPTIONS} clear || echo_notdone
      fi
  done
  echo "done."
  if [ -n "$SAVE_IPSETS" ]; then
      echo "Saving ipsets: "
      mkdir -p $(dirname "$SAVE_IPSETS")
      if ipset -S > "${SAVE_IPSETS}.tmp"; then
 	  grep -qE -- '^(-N|create )' "${SAVE_IPSETS}.tmp" && mv -f "${SAVE_IPSETS}.tmp" "$SAVE_IPSETS"
      else
 	  echo_notdone
      fi
      echo "done."
  fi
  return 0
 }
--- a/Shorewall-init/init.sh
+++ b/Shorewall-init/init.sh
@@ -1,22 +1,24 @@
 #! /bin/bash
 #     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V4.5
 #
-#     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
+#     (c) 2010,2012-2014 - Tom Eastep (teastep@shorewall.net)
 #
 #     (c) 2010,2012 - Tom Eastep (teastep@shorewall.net)
 #
 #       On most distributions, this file should be called /etc/init.d/shorewall.
 #
-#       Complete documentation is available at http://shorewall.net
+#       This program is part of Shorewall.
 #
-#       This program is free software; you can redistribute it and/or modify
+#	This program is free software; you can redistribute it and/or modify
-#       it under the terms of Version 2 of the GNU General Public License
+#	it under the terms of the GNU General Public License as published by the
-#       as published by the Free Software Foundation.
+#       Free Software Foundation, either version 2 of the license or, at your
 #       option, any later version.
 #
-#       This program is distributed in the hope that it will be useful,
+#	This program is distributed in the hope that it will be useful,
-#       but WITHOUT ANY WARRANTY; without even the implied warranty of
+#	but WITHOUT ANY WARRANTY; without even the implied warranty of
-#       MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+#	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-#       GNU General Public License for more details.
+#	GNU General Public License for more details.
 #
 #	You should have received a copy of the GNU General Public License
 #	along with this program; if not, see <http://www.gnu.org/licenses/>.
 #
 #       You should have received a copy of the GNU General Public License
 #       along with this program; if not, write to the Free Software
--- a/Shorewall-init/install.sh
+++ b/Shorewall-init/install.sh
@@ -2,21 +2,25 @@
 #
 # Script to install Shoreline Firewall Init
 #
-#     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
+#     (c) 2000-20114 - Tom Eastep (teastep@shorewall.net)
 #
 #     (c) 2000-2011 - Tom Eastep (teastep@shorewall.net)
 #     (c) 2010 - Roberto C. Sanchez (roberto@connexer.com)
 #
 #       Shorewall documentation is available at http://shorewall.net
 #
-#       This program is free software; you can redistribute it and/or modify
+#       This program is part of Shorewall.
 #       it under the terms of Version 2 of the GNU General Public License
 #       as published by the Free Software Foundation.
 #
-#       This program is distributed in the hope that it will be useful,
+#	This program is free software; you can redistribute it and/or modify
-#       but WITHOUT ANY WARRANTY; without even the implied warranty of
+#	it under the terms of the GNU General Public License as published by the
-#       MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+#       Free Software Foundation, either version 2 of the license or, at your
-#       GNU General Public License for more details.
+#       option, any later version.
 #
 #	This program is distributed in the hope that it will be useful,
 #	but WITHOUT ANY WARRANTY; without even the implied warranty of
 #	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 #	GNU General Public License for more details.
 #
 #	You should have received a copy of the GNU General Public License
 #	along with this program; if not, see <http://www.gnu.org/licenses/>.
 #
 #       You should have received a copy of the GNU General Public License
 #       along with this program; if not, write to the Free Software
@@ -59,7 +63,6 @@ mywhich() {
    for dir in $(split $PATH); do
 	if [ -x $dir/$1 ]; then
 	    echo $dir/$1
 	    return 0
 	fi
    done
@@ -185,18 +188,15 @@ if [ -z "$BUILD" ]; then
 	    ;;
 	*)
 	    if [ -f /etc/os-release ]; then
-		eval $(cat /etc/os-release | grep ^ID)
+		eval $(cat /etc/os-release | grep ^ID=)
 		case $ID in
-		    fedora)
+		    fedora|rhel)
 			BUILD=redhat
 			;;
-		    debian)
+		    debian|ubuntu)
 			BUILD=debian
 			;;
 		    gentoo)
 			BUILD=gentoo
 			;;
 		    opensuse)
 			BUILD=suse
 			;;
@@ -206,6 +206,8 @@ if [ -z "$BUILD" ]; then
 		esac
 	    elif [ -f /etc/debian_version ]; then
 		BUILD=debian
 	    elif [ -f /etc/ubuntu_version ]; then
 		BUILD=debian
 	    elif [ -f /etc/gentoo-release ]; then
 		BUILD=gentoo
 	    elif [ -f /etc/redhat-release ]; then
@@ -320,7 +322,7 @@ fi
 if [ -n "$SYSTEMD" ]; then
    mkdir -p ${DESTDIR}${SYSTEMD}
    [ -z "$SERVICEFILE" ] && SERVICEFILE=$PRODUCT.service
-    run_install $OWNERSHIP -m 600 $SERVICEFILE ${DESTDIR}${SYSTEMD}/$PRODUCT.service
+    run_install $OWNERSHIP -m 644 $SERVICEFILE ${DESTDIR}${SYSTEMD}/$PRODUCT.service
    [ ${SBINDIR} != /sbin ] && eval sed -i \'s\|/sbin/\|${SBINDIR}/\|\' ${DESTDIR}${SYSTEMD}/$PRODUCT.service
    echo "Service file $SERVICEFILE installed as ${DESTDIR}${SYSTEMD}/$PRODUCT.service"
    if [ -n "$DESTDIR" ]; then
@@ -433,7 +435,7 @@ case $HOST in
 	    install_local=
 	    if [ -f ${SBINDIR}/ifup-local -o -f ${SBINDIR}/ifdown-local ]; then
-		if ! fgrep -q Shorewall-based ${SBINDIR}/ifup-local || ! fgrep -q Shorewall-based ${SBINDIR}/ifdown-local; then
+		if ! grep -qF Shorewall-based ${SBINDIR}/ifup-local || ! grep -qF Shorewall-based ${SBINDIR}/ifdown-local; then
 		    echo "WARNING: ${SBINDIR}/ifup-local and/or ${SBINDIR}/ifdown-local already exist; up/down events will not be handled"
 		else
 		    install_local=Yes
@@ -459,8 +461,13 @@ if [ -z "$DESTDIR" ]; then
 		else
 		    cant_autostart
 		fi
-	    elif rc-update add $PRODUCT default; then
+	    elif mywhich update-rc.d ; then
-		echo "Shorewall Init will start automatically at boot"
+		if update-rc.d $PRODUCT enable; then
 		    echo "$PRODUCT will start automatically at boot"
 		    echo "Set startup=1 in ${CONFDIR}/default/$PRODUCT to enable"
 		else
 		    cant_autostart
 		fi
 	    else
 		cant_autostart
 	    fi
@@ -527,7 +534,7 @@ if [ -f ${DESTDIR}/etc/ppp ]; then
 	    for file in ip-up.local ip-down.local; do
 		FILE=${DESTDIR}/etc/ppp/$file
 		if [ -f $FILE ]; then
-		    if fgrep -q Shorewall-based $FILE ; then
+		    if grep -qF Shorewall-based $FILE ; then
 			cp -fp ${DESTDIR}${LIBEXECDIR}/shorewall-init/ifupdown $FILE
 		    else
 			echo "$FILE already exists -- ppp devices will not be handled"
--- a/Shorewall-init/shorewall-init
+++ b/Shorewall-init/shorewall-init
@@ -1,26 +1,26 @@
 #! /bin/bash
 #     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V4.5
 #
-#     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
+#     (c) 2012-2014 - Tom Eastep (teastep@shorewall.net)
 #
 #     (c) 2012 - Tom Eastep (teastep@shorewall.net)
 #
 #       On most distributions, this file should be called /etc/init.d/shorewall.
 #
 #       Complete documentation is available at http://shorewall.net
 #
-#       This program is free software; you can redistribute it and/or modify
+#       This program is part of Shorewall.
 #       it under the terms of Version 2 of the GNU General Public License
 #       as published by the Free Software Foundation.
 #
-#       This program is distributed in the hope that it will be useful,
+#	This program is free software; you can redistribute it and/or modify
-#       but WITHOUT ANY WARRANTY; without even the implied warranty of
+#	it under the terms of the GNU General Public License as published by the
-#       MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+#       Free Software Foundation, either version 2 of the license or, at your
-#       GNU General Public License for more details.
+#       option, any later version.
 #
-#       You should have received a copy of the GNU General Public License
+#	This program is distributed in the hope that it will be useful,
-#       along with this program; if not, write to the Free Software
+#	but WITHOUT ANY WARRANTY; without even the implied warranty of
-#       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 #	GNU General Public License for more details.
 #
 #	You should have received a copy of the GNU General Public License
 #	along with this program; if not, see <http://www.gnu.org/licenses/>.
 #
 #########################################################################################
 # set the STATEDIR variable
--- a/Shorewall-init/uninstall.sh
+++ b/Shorewall-init/uninstall.sh
@@ -2,24 +2,24 @@
 #
 # Script to back uninstall Shoreline Firewall
 #
-#     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
+#     (c) 2000-2014 - Tom Eastep (teastep@shorewall.net)
 #
 #     (c) 2000-2011 - Tom Eastep (teastep@shorewall.net)
 #
 #       Shorewall documentation is available at http://shorewall.sourceforge.net
 #
-#       This program is free software; you can redistribute it and/or modify
+#       This program is part of Shorewall.
 #       it under the terms of Version 2 of the GNU General Public License
 #       as published by the Free Software Foundation.
 #
-#       This program is distributed in the hope that it will be useful,
+#	This program is free software; you can redistribute it and/or modify
-#       but WITHOUT ANY WARRANTY; without even the implied warranty of
+#	it under the terms of the GNU General Public License as published by the
-#       MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+#       Free Software Foundation, either version 2 of the license or, at your
-#       GNU General Public License for more details.
+#       option, any later version.
 #
-#       You should have received a copy of the GNU General Public License
+#	This program is distributed in the hope that it will be useful,
-#       along with this program; if not, write to the Free Software
+#	but WITHOUT ANY WARRANTY; without even the implied warranty of
-#       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 #	GNU General Public License for more details.
 #
 #	You should have received a copy of the GNU General Public License
 #	along with this program; if not, see <http://www.gnu.org/licenses/>.
 #
 #    Usage:
 #
@@ -153,7 +153,7 @@ if [ -d ${CONFDIR}/ppp ]; then
    done
    for file in if-up.local if-down.local; do
-	if fgrep -q Shorewall-based ${CONFDIR}/ppp/$FILE; then
+	if grep -qF Shorewall-based ${CONFDIR}/ppp/$FILE; then
 	    remove_file ${CONFDIR}/ppp/$FILE
 	fi
    done
--- a/Shorewall-lite/init.debian.sh
+++ b/Shorewall-lite/init.debian.sh
@@ -11,7 +11,7 @@
 #                    /etc/shorewall-lite
 ### END INIT INFO
-
+. /lib/lsb/init-functions
 SRWL=/sbin/shorewall-lite
 SRWL_OPTS="-tvv"
--- a/Shorewall-lite/init.sh
+++ b/Shorewall-lite/init.sh
@@ -3,17 +3,18 @@ RCDLINKS="2,S41 3,S41 6,K41"
 #
 #     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V4.5
 #
-#     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
+#     (c) 1999,2000,2001,2002,2003,2004,2005,2006,2007,2012,2014 - Tom Eastep (teastep@shorewall.net)
 #
 #     (c) 1999,2000,2001,2002,2003,2004,2005,2006,2007,2012 - Tom Eastep (teastep@shorewall.net)
 #
 #	On most distributions, this file should be called /etc/init.d/shorewall.
 #
 #	Complete documentation is available at http://shorewall.net
 #
 #       This program is part of Shorewall.
 #
 #	This program is free software; you can redistribute it and/or modify
-#	it under the terms of Version 2 of the GNU General Public License
+#	it under the terms of the GNU General Public License as published by the
-#	as published by the Free Software Foundation.
+#       Free Software Foundation, either version 2 of the license or, at your
 #       option, any later version.
 #
 #	This program is distributed in the hope that it will be useful,
 #	but WITHOUT ANY WARRANTY; without even the implied warranty of
@@ -21,8 +22,7 @@ RCDLINKS="2,S41 3,S41 6,K41"
 #	GNU General Public License for more details.
 #
 #	You should have received a copy of the GNU General Public License
-#	along with this program; if not, write to the Free Software
+#	along with this program; if not, see <http://www.gnu.org/licenses/>.
 #	Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 #	If an error occurs while starting or restarting the firewall, the
 #	firewall is automatically stopped.
--- a/Shorewall-lite/install.sh
+++ b/Shorewall-lite/install.sh
@@ -2,24 +2,24 @@
 #
 # Script to install Shoreline Firewall Lite
 #
-#     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
+#     (c) 2000-2011,2014 - Tom Eastep (teastep@shorewall.net)
 #
 #     (c) 2000-2011 - Tom Eastep (teastep@shorewall.net)
 #
 #       Shorewall documentation is available at http://shorewall.net
 #
-#       This program is free software; you can redistribute it and/or modify
+#       This program is part of Shorewall.
 #       it under the terms of Version 2 of the GNU General Public License
 #       as published by the Free Software Foundation.
 #
-#       This program is distributed in the hope that it will be useful,
+#	This program is free software; you can redistribute it and/or modify
-#       but WITHOUT ANY WARRANTY; without even the implied warranty of
+#	it under the terms of the GNU General Public License as published by the
-#       MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+#       Free Software Foundation, either version 2 of the license or, at your
-#       GNU General Public License for more details.
+#       option, any later version.
 #
-#       You should have received a copy of the GNU General Public License
+#	This program is distributed in the hope that it will be useful,
-#       along with this program; if not, write to the Free Software
+#	but WITHOUT ANY WARRANTY; without even the implied warranty of
-#       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 #	GNU General Public License for more details.
 #
 #	You should have received a copy of the GNU General Public License
 #	along with this program; if not, see <http://www.gnu.org/licenses/>.
 #
 VERSION=xxx #The Build script inserts the actual version
@@ -195,7 +195,7 @@ T='-T'
 if [ -z "$BUILD" ]; then
    case $(uname) in
-	cygwin*)
+	cygwin*|CYGWIN*)
 	    BUILD=cygwin
 	    ;;
 	Darwin)
@@ -206,7 +206,7 @@ if [ -z "$BUILD" ]; then
 		eval $(cat /etc/os-release | grep ^ID)
 		case $ID in
-		    fedora)
+		    fedora|rhel)
 			BUILD=redhat
 			;;
 		    debian)
@@ -242,7 +242,7 @@ if [ -z "$BUILD" ]; then
 fi
 case $BUILD in
-    cygwin*)
+    cygwin*|CYGWIN*)
 	OWNER=$(id -un)
 	GROUP=$(id -gn)
 	;;
@@ -383,7 +383,7 @@ fi
 if [ -n "$SYSTEMD" ]; then
    mkdir -p ${DESTDIR}${SYSTEMD}
    [ -z "$SERVICEFILE" ] && SERVICEFILE=$PRODUCT.service
-    run_install $OWNERSHIP -m 600 $SERVICEFILE ${DESTDIR}${SYSTEMD}/$PRODUCT.service
+    run_install $OWNERSHIP -m 644 $SERVICEFILE ${DESTDIR}${SYSTEMD}/$PRODUCT.service
    [ ${SBINDIR} != /sbin ] && eval sed -i \'s\|/sbin/\|${SBINDIR}/\|\' ${DESTDIR}${SYSTEMD}/$PRODUCT.service
    echo "Service file $SERVICEFILE installed as ${DESTDIR}${SYSTEMD}/$PRODUCT.service"
 fi
@@ -552,6 +552,12 @@ if [ -z "$DESTDIR" -a -n "$first_install" -a -z "${cygwin}${mac}" ]; then
 	else
 	    cant_autostart
 	fi
    elif mywhich update-rc.d ; then
 	echo "$PRODUCT will start automatically at boot"
 	echo "Set startup=1 in ${CONFDIR}/default/$PRODUCT to enable"
 	touch /var/log/$PRODUCT-init.log
 	perl -p -w -i -e 's/^STARTUP_ENABLED=No/STARTUP_ENABLED=Yes/;s/^IP_FORWARDING=On/IP_FORWARDING=Keep/;s/^SUBSYSLOCK=.*/SUBSYSLOCK=/;' ${CONFDIR}/$PRODUCT/$PRODUCT.conf
 	update-rc.d $PRODUCT enable
    elif mywhich rc-update ; then
 	if rc-update add $PRODUCT default; then
 	    echo "$PRODUCT will start automatically at boot"
--- a/Shorewall-lite/lib.base
+++ b/Shorewall-lite/lib.base
@@ -1,15 +1,16 @@
 #
 # Shorewall 4.4 -- /usr/share/shorewall-lite/lib.base
 #
-#     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
+#     (c) 2011,2014 - Tom Eastep (teastep@shorewall.net)
 #
 #     (c) 2011 - Tom Eastep (teastep@shorewall.net)
 #
 #	Complete documentation is available at http://shorewall.net
 #
-#	This program is free software; you can redisribute it and/or modify
+#       This program is part of Shorewall.
-#	it under the terms of Version 2 of the GNU General Public License
+#
-#	as published by the Free Software Foundation.
+#	This program is free software; you can redistribute it and/or modify
 #	it under the terms of the GNU General Public License as published by the
 #       Free Software Foundation, either version 2 of the license or, at your
 #       option, any later version.
 #
 #	This program is distributed in the hope that it will be useful,
 #	but WITHOUT ANY WARRANTY; without even the implied warranty of
@@ -17,8 +18,7 @@
 #	GNU General Public License for more details.
 #
 #	You should have received a copy of the GNU General Public License
-#	along with this program; if not, write to the Free Software
+#	along with this program; if not, see <http://www.gnu.org/licenses/>.
 #	Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 # This library contains the code common to all Shorewall components.
--- a/Shorewall-lite/manpages/shorewall-lite-vardir.xml
+++ b/Shorewall-lite/manpages/shorewall-lite-vardir.xml
@@ -6,6 +6,8 @@
    <refentrytitle>shorewall-lite-vardir</refentrytitle>
    <manvolnum>5</manvolnum>
    <refmiscinfo>Configuration Files</refmiscinfo>
  </refmeta>
  <refnamediv>
@@ -54,7 +56,7 @@
        /opt/var/lib/shorewall-lite/.</para>
      </blockquote>
-      <para> When VARDIR is set in /etc/shorewall-lite/vardir, Shorewall Lite
+      <para>When VARDIR is set in /etc/shorewall-lite/vardir, Shorewall Lite
      will save its state in the <replaceable>directory</replaceable>
      specified.</para>
    </note>
--- a/Shorewall-lite/manpages/shorewall-lite.conf.xml
+++ b/Shorewall-lite/manpages/shorewall-lite.conf.xml
@@ -6,6 +6,8 @@
    <refentrytitle>shorewall-lite.conf</refentrytitle>
    <manvolnum>5</manvolnum>
    <refmiscinfo>Configuration Files</refmiscinfo>
  </refmeta>
  <refnamediv>
--- a/Shorewall-lite/manpages/shorewall-lite.xml
+++ b/Shorewall-lite/manpages/shorewall-lite.xml
@@ -6,6 +6,8 @@
    <refentrytitle>shorewall-lite</refentrytitle>
    <manvolnum>8</manvolnum>
    <refmiscinfo>Administrative Commands</refmiscinfo>
  </refmeta>
  <refnamediv>
@@ -315,6 +317,21 @@
      <arg><replaceable>filename</replaceable></arg>
    </cmdsynopsis>
    <cmdsynopsis>
      <command>shorewall-lite</command>
      <arg
      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
      <arg>-<replaceable>options</replaceable></arg>
      <arg choice="plain"><option>run</option></arg>
      <arg choice="plain">function</arg>
      <arg><replaceable>parameter ...</replaceable></arg>
    </cmdsynopsis>
    <cmdsynopsis>
      <command>shorewall-lite</command>
@@ -350,6 +367,20 @@
      rep="repeat"><replaceable>chain</replaceable></arg></arg>
    </cmdsynopsis>
    <cmdsynopsis>
      <command>shorewall-lite</command>
      <arg choice="opt"><option>trace</option>|<option>debug</option></arg>
      <arg>-<replaceable>options</replaceable></arg>
      <arg choice="opt"><option>show | list | ls </option></arg>
      <arg><option>-x</option></arg>
      <arg choice="plain"><option>{bl|blacklists}</option></arg>
    </cmdsynopsis>
    <cmdsynopsis>
      <command>shorewall-lite</command>
@@ -463,7 +494,8 @@
      <arg>-<replaceable>options</replaceable></arg>
-      <arg choice="plain"><option>status</option></arg>
+      <arg choice="plain"><arg
      choice="plain"><option>status</option><arg><option>-i</option></arg></arg></arg>
    </cmdsynopsis>
    <cmdsynopsis>
@@ -805,6 +837,23 @@
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><emphasis role="bold">run</emphasis></term>
        <listitem>
          <para>Added in Shorewall 4.6.3. Executes
          <replaceable>command</replaceable> in the context of the generated
          script passing the supplied <replaceable>parameter</replaceable>s.
          Normally, the <replaceable>command</replaceable> will be a function
          declared in <filename>lib.private</filename>.</para>
          <para>Before executing the <replaceable>command</replaceable>, the
          script will detect the configuration, setting all SW_* variables and
          will run your <filename>init</filename> extension script with
          $COMMAND = 'run'.</para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><emphasis role="bold">save</emphasis></term>
@@ -827,6 +876,19 @@
          arguments:</para>
          <variablelist>
            <varlistentry>
              <term><emphasis role="bold">bl|blacklists</emphasis></term>
              <listitem>
                <para>Added in Shorewall 4.6.2. Displays the dynamic chain
                along with any chains produced by entries in
                shorewall-blrules(5).The <emphasis role="bold">-x</emphasis>
                option is passed directly through to iptables and causes
                actual packet and byte counts to be displayed. Without this
                option, those counts are abbreviated.</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><emphasis role="bold">capabilities</emphasis></term>
@@ -1071,6 +1133,10 @@
        <listitem>
          <para>Produces a short report about the state of the
          Shorewall-configured firewall.</para>
          <para>The <option>-i </option>option was added in Shorewall 4.6.2
          and causes the status of each optional or provider interface to be
          displayed.</para>
        </listitem>
      </varlistentry>
--- a/Shorewall-lite/shorecap
+++ b/Shorewall-lite/shorecap
@@ -2,17 +2,18 @@
 #
 #     Shorewall Lite Packet Filtering Firewall Capabilities Detector
 #
-#     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
+#     (c) 2006,2007,2008,2009,2010,2014 - Tom Eastep (teastep@shorewall.net)
 #
 #     (c) 2006,2007,2008,2009,2010 - Tom Eastep (teastep@shorewall.net)
 #
 #	This file should be placed in /sbin/shorewall.
 #
 #	Shorewall documentation is available at http://shorewall.sourceforge.net
 #
 #       This program is part of Shorewall.
 #
 #	This program is free software; you can redistribute it and/or modify
-#	it under the terms of Version 2 of the GNU General Public License
+#	it under the terms of the GNU General Public License as published by the
-#	as published by the Free Software Foundation.
+#       Free Software Foundation, either version 2 of the license or, at your
 #       option, any later version.
 #
 #	This program is distributed in the hope that it will be useful,
 #	but WITHOUT ANY WARRANTY; without even the implied warranty of
@@ -20,9 +21,7 @@
 #	GNU General Public License for more details.
 #
 #	You should have received a copy of the GNU General Public License
-#	along with this program; if not, write to the Free Software
+#	along with this program; if not, see <http://www.gnu.org/licenses/>.
 #	Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 #
 #   This program may be used to create a /etc/shorewall/capabilities file for
 #   use in compiling Shorewall firewalls on another system.
--- a/Shorewall-lite/shorewall-lite
+++ b/Shorewall-lite/shorewall-lite
@@ -2,16 +2,17 @@
 #
 #     Shorewall Lite Packet Filtering Firewall Control Program - V4.5
 #
-#     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
+#     (c) 1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010,2011,2014 -
 #
 #     (c) 1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010,2011 -
 #         Tom Eastep (teastep@shorewall.net)
 #
 #	Shorewall documentation is available at http://www.shorewall.net
 #
 #       This program is part of Shorewall.
 #
 #	This program is free software; you can redistribute it and/or modify
-#	it under the terms of Version 2 of the GNU General Public License
+#	it under the terms of the GNU General Public License as published by the
-#	as published by the Free Software Foundation.
+#       Free Software Foundation, either version 2 of the license or, at your
 #       option, any later version.
 #
 #	This program is distributed in the hope that it will be useful,
 #	but WITHOUT ANY WARRANTY; without even the implied warranty of
@@ -19,8 +20,7 @@
 #	GNU General Public License for more details.
 #
 #	You should have received a copy of the GNU General Public License
-#	along with this program; if not, write to the Free Software
+#	along with this program; if not, see <http://www.gnu.org/licenses/>.
 #	Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 #       For a list of supported commands, type 'shorewall help' or 'shorewall6 help'
 #
--- a/Shorewall-lite/uninstall.sh
+++ b/Shorewall-lite/uninstall.sh
@@ -2,24 +2,24 @@
 #
 # Script to back uninstall Shoreline Firewall
 #
-#     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
+#     (c) 2000-2011,2014 - Tom Eastep (teastep@shorewall.net)
 #
 #     (c) 2000-2011 - Tom Eastep (teastep@shorewall.net)
 #
 #       Shorewall documentation is available at http://shorewall.sourceforge.net
 #
-#       This program is free software; you can redistribute it and/or modify
+#       This program is part of Shorewall.
 #       it under the terms of Version 2 of the GNU General Public License
 #       as published by the Free Software Foundation.
 #
-#       This program is distributed in the hope that it will be useful,
+#	This program is free software; you can redistribute it and/or modify
-#       but WITHOUT ANY WARRANTY; without even the implied warranty of
+#	it under the terms of the GNU General Public License as published by the
-#       MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+#       Free Software Foundation, either version 2 of the license or, at your
-#       GNU General Public License for more details.
+#       option, any later version.
 #
-#       You should have received a copy of the GNU General Public License
+#	This program is distributed in the hope that it will be useful,
-#       along with this program; if not, write to the Free Software
+#	but WITHOUT ANY WARRANTY; without even the implied warranty of
-#       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 #	GNU General Public License for more details.
 #
 #	You should have received a copy of the GNU General Public License
 #	along with this program; if not, see <http://www.gnu.org/licenses/>.
 #
 #    Usage:
 #
--- a/Shorewall/Macros/macro.AMQP
+++ b/Shorewall/Macros/macro.AMQP
@@ -0,0 +1,14 @@
 #
 # Shorewall version 4 - AMQP Macro
 #
 # /usr/share/shorewall/macro.AMQP
 #
 #	This macro handles AMQP traffic.
 #
 ###############################################################################
 ?FORMAT 2
 ###############################################################################
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
 #				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
 PARAM	-	-	tcp	5672
 PARAM	-	-	udp	5672
--- a/Shorewall/Macros/macro.A_AllowICMPs
+++ b/Shorewall/Macros/macro.A_AllowICMPs
@@ -1,13 +1,15 @@
 #
 # Shorewall version 4 - Audited AllowICMPs Macro
 #
-# /usr/share/shorewall/macro.AAllowICMPs
+# /usr/share/shorewall/macro.A_AllowICMPs
 #
 #	This macro A_ACCEPTs needed ICMP types
 #
 ###############################################################################
-#ACTION		SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
+?FORMAT 2
-#					PORT(S)	PORT(S)	LIMIT	GROUP
+###############################################################################
 #ACTION		SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
 #					PORT(S)	PORT(S)	DEST	LIMIT	GROUP
 ?COMMENT Needed ICMP types
--- a/Shorewall/Macros/macro.A_DropDNSrep
+++ b/Shorewall/Macros/macro.A_DropDNSrep
@@ -1,13 +1,15 @@
 #
 # Shorewall version 4 - Audited DropDNSrep Macro
 #
-# /usr/share/shorewall/macro.ADropDNSrep
+# /usr/share/shorewall/macro.A_DropDNSrep
 #
 #	This macro silently audites and drops DNS UDP replies
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
+?FORMAT 2
-#				PORT(S)	PORT(S)	LIMIT	GROUP
+###############################################################################
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
 #				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
 ?COMMENT Late DNS Replies
--- a/Shorewall/Macros/macro.A_DropUPnP
+++ b/Shorewall/Macros/macro.A_DropUPnP
@@ -1,13 +1,15 @@
 #
 # Shorewall version 4 - ADropUPnP Macro
 #
-# /usr/share/shorewall/macro.ADropUPnP
+# /usr/share/shorewall/macro.A_DropUPnP
 #
 #	This macro silently drops UPnP probes on UDP port 1900
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
+?FORMAT 2
-#				PORT(S)	PORT(S)	LIMIT	GROUP
+###############################################################################
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
 #				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
 ?COMMENT UPnP
--- a/Shorewall/Macros/macro.AllowICMPs
+++ b/Shorewall/Macros/macro.AllowICMPs
@@ -6,8 +6,10 @@
 #	This macro ACCEPTs needed ICMP types
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
+?FORMAT 2
-#				PORT(S)	PORT(S)	LIMIT	GROUP
+###############################################################################
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
 #				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
 ?COMMENT Needed ICMP types
--- a/Shorewall/Macros/macro.Amanda
+++ b/Shorewall/Macros/macro.Amanda
@@ -9,11 +9,12 @@
 #
 ###############################################################################
 ?FORMAT 2
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
+###############################################################################
-#				PORT(S)	PORT(S)	LIMIT	GROUP
+#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
 #				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
 ?if ( __CT_TARGET && ! $AUTOHELPERS && __AMANDA_HELPER )
- PARAM	-	-	udp	10080 ; helper=amanda
+ PARAM	-	-	udp	10080 { helper=amanda }
 ?else
 PARAM	-	-	udp	10080
 ?endif
--- a/Shorewall/Macros/macro.Auth
+++ b/Shorewall/Macros/macro.Auth
@@ -6,6 +6,8 @@
 #	This macro handles Auth (identd) traffic.
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
+?FORMAT 2
-#				PORT(S)	PORT(S)	LIMIT	GROUP
+###############################################################################
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
 #				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
 PARAM	-	-	tcp	113
--- a/Shorewall/Macros/macro.BGP
+++ b/Shorewall/Macros/macro.BGP
@@ -6,6 +6,8 @@
 #	This macro handles BGP4 traffic.
 #
 ###############################################################################
-#ACTION SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
+?FORMAT 2
-#				PORT(S) PORT(S) LIMIT	GROUP
+###############################################################################
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
 #				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
 PARAM	-	-	tcp	179	# BGP4
--- a/Shorewall/Macros/macro.BLACKLIST
+++ b/Shorewall/Macros/macro.BLACKLIST
@@ -6,8 +6,10 @@
 #	This macro handles blacklisting using BLACKLIST_DISPOSITION and BLACKLIST_LOGLEVEL
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
+?FORMAT 2
-#				PORT(S)	PORT(S)	LIMIT	GROUP
+###############################################################################
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
 #				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
 ?if $BLACKLIST_LOGLEVEL
 blacklog
 ?else
--- a/Shorewall/Macros/macro.BitTorrent
+++ b/Shorewall/Macros/macro.BitTorrent
@@ -7,9 +7,12 @@
 #
 #	If you are running BitTorrent 3.2 or later, you should use the
 #	BitTorrent32 macro.
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
+?FORMAT 2
-#				PORT(S)	PORT(S)	LIMIT	GROUP
+###############################################################################
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
 #				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
 PARAM	-	-	tcp	6881:6889
 #
 # It may also be necessary to allow UDP traffic:
--- a/Shorewall/Macros/macro.BitTorrent32
+++ b/Shorewall/Macros/macro.BitTorrent32
@@ -6,8 +6,10 @@
 #	This macro handles BitTorrent traffic for BitTorrent 3.2 and later.
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
+?FORMAT 2
-#				PORT(S)	PORT(S)	LIMIT	GROUP
+###############################################################################
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
 #				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
 PARAM	-	-	tcp	6881:6999
 #
 # It may also be necessary to allow UDP traffic:
--- a/Shorewall/Macros/macro.CVS
+++ b/Shorewall/Macros/macro.CVS
@@ -6,6 +6,8 @@
 #	This macro handles connections to the CVS pserver.
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
+?FORMAT 2
-#				PORT(S)	PORT(S)	LIMIT	GROUP
+###############################################################################
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
 #				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
 PARAM	-	-	tcp	2401
--- a/Shorewall/Macros/macro.Citrix
+++ b/Shorewall/Macros/macro.Citrix
@@ -6,9 +6,11 @@
 #	This macro handles Citrix/ICA traffic (ICA, ICA Browser, CGP a.k.a.
 #	ICA Session Reliability)
 #
-####################################################################################
+###############################################################################
-#ACTION SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
+?FORMAT 2
-#				PORT(S) PORT(S) LIMIT	GROUP
+###############################################################################
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
 #				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
 PARAM	-	-	tcp	1494	# ICA
 PARAM	-	-	udp	1604	# ICA Browser
 PARAM	-	-	tcp	2598	# CGP Session Reliabilty
--- a/Shorewall/Macros/macro.DAAP
+++ b/Shorewall/Macros/macro.DAAP
@@ -7,7 +7,9 @@
 #	The protocol is used by iTunes, Rythmbox and other similar daemons.
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
+?FORMAT 2
-#				PORT(S)	PORT(S)	LIMIT	GROUP
+###############################################################################
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
 #				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
 PARAM	-	-	tcp	3689
 PARAM	-	-	udp	3689
--- a/Shorewall/Macros/macro.DCC
+++ b/Shorewall/Macros/macro.DCC
@@ -7,6 +7,8 @@
 #	DCC is a distributed spam filtering mechanism.
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
+?FORMAT 2
-#				PORT(S)	PORT(S)	LIMIT	GROUP
+###############################################################################
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
 #				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
 PARAM	-	-	udp	6277
--- a/Shorewall/Macros/macro.DHCPfwd
+++ b/Shorewall/Macros/macro.DHCPfwd
@@ -6,7 +6,9 @@
 #	This macro (bidirectional) handles forwarded DHCP traffic
 #
 ###############################################################################
-#ACTION SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
+?FORMAT 2
-#				PORT(S) PORT(S) LIMIT	GROUP
+###############################################################################
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
 #				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
 PARAM	-	-	udp	67:68	67:68	# DHCP
 PARAM	DEST	SOURCE	udp	67:68	67:68	# DHCP
--- a/Shorewall/Macros/macro.DNS
+++ b/Shorewall/Macros/macro.DNS
@@ -6,7 +6,9 @@
 #	This macro handles DNS traffic.
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
+?FORMAT 2
-#				PORT(S)	PORT(S)	LIMIT	GROUP
+###############################################################################
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
 #				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
 PARAM	-	-	udp	53
 PARAM	-	-	tcp	53
--- a/Shorewall/Macros/macro.Distcc
+++ b/Shorewall/Macros/macro.Distcc
@@ -6,6 +6,8 @@
 #	This macro handles connections to the Distributed Compiler service.
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
+?FORMAT 2
-#				PORT(S)	PORT(S)	LIMIT	GROUP
+###############################################################################
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
 #				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
 PARAM	-	-	tcp	3632
--- a/Shorewall/Macros/macro.Drop
+++ b/Shorewall/Macros/macro.Drop
@@ -11,12 +11,14 @@
 #		Drop	net	all
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
+?FORMAT 2
-#				PORT(S)	PORT(S)	LIMIT	GROUP
+###############################################################################
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
 #				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
 #
-# Don't log 'auth' REJECT
+# Don't log 'auth' DROP
 #
-REJECT	-	-	tcp	113
+DROP	-	-	tcp	113
 #
 # Drop Broadcasts so they don't clutter up the log
 # (broadcasts must *not* be rejected).
--- a/Shorewall/Macros/macro.DropDNSrep
+++ b/Shorewall/Macros/macro.DropDNSrep
@@ -6,8 +6,10 @@
 #	This macro silently drops DNS UDP replies
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
+?FORMAT 2
-#				PORT(S)	PORT(S)	LIMIT	GROUP
+###############################################################################
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
 #				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
 ?COMMENT Late DNS Replies
--- a/Shorewall/Macros/macro.DropUPnP
+++ b/Shorewall/Macros/macro.DropUPnP
@@ -6,8 +6,10 @@
 #	This macro silently drops UPnP probes on UDP port 1900
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
+?FORMAT 2
-#				PORT(S)	PORT(S)	LIMIT	GROUP
+###############################################################################
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
 #				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
 ?COMMENT UPnP
--- a/Shorewall/Macros/macro.Edonkey
+++ b/Shorewall/Macros/macro.Edonkey
@@ -28,7 +28,9 @@
 #	applications such as aMule WebServer or aMuleCMD.
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
+?FORMAT 2
-#				PORT(S)	PORT(S)	LIMIT	GROUP
+###############################################################################
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
 #				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
 PARAM	-	-	tcp	4662
 PARAM	-	-	udp	4665
--- a/Shorewall/Macros/macro.FTP
+++ b/Shorewall/Macros/macro.FTP
@@ -7,10 +7,11 @@
 #
 ###############################################################################
 ?FORMAT 2
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
+###############################################################################
-#				PORT(S)	PORT(S)	LIMIT	GROUP
+#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
 #				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
 ?if ( __CT_TARGET && ! $AUTOHELPERS && __FTP_HELPER  )
- PARAM	-	-	tcp	21 ; helper=ftp
+ PARAM	-	-	tcp	21 { helper=ftp }
 ?else
 PARAM	-	-	tcp	21
 ?endif
--- a/Shorewall/Macros/macro.Finger
+++ b/Shorewall/Macros/macro.Finger
@@ -7,6 +7,8 @@
 #	your finger information to internet.
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
+?FORMAT 2
-#				PORT(S)	PORT(S)	LIMIT	GROUP
+###############################################################################
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
 #				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
 PARAM	-	-	tcp	79
--- a/Shorewall/Macros/macro.GNUnet
+++ b/Shorewall/Macros/macro.GNUnet
@@ -6,8 +6,10 @@
 #	This macro handles GNUnet (secure peer-to-peer networking) traffic.
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
+?FORMAT 2
-#				PORT(S)	PORT(S)	LIMIT	GROUP
+###############################################################################
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
 #				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
 PARAM	-	-	tcp	2086
 PARAM	-	-	udp	2086
 PARAM	-	-	tcp	1080
--- a/Shorewall/Macros/macro.GRE
+++ b/Shorewall/Macros/macro.GRE
@@ -7,7 +7,9 @@
 #	traffic (RFC 1701)
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
+?FORMAT 2
-#				PORT(S)	PORT(S)	LIMIT	GROUP
+###############################################################################
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
 #				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
 PARAM	-	-	47	# GRE
 PARAM	DEST	SOURCE	47	# GRE
--- a/Shorewall/Macros/macro.Git
+++ b/Shorewall/Macros/macro.Git
@@ -6,6 +6,8 @@
 #	This macro handles Git traffic.
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
+?FORMAT 2
-#				PORT(S)	PORT(S)	LIMIT	GROUP
+###############################################################################
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
 #				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
 PARAM	-	-	tcp	9418
--- a/Shorewall/Macros/macro.Gnutella
+++ b/Shorewall/Macros/macro.Gnutella
@@ -6,7 +6,9 @@
 #	This macro handles Gnutella traffic.
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
+?FORMAT 2
-#				PORT(S)	PORT(S)	LIMIT	GROUP
+###############################################################################
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
 #				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
 PARAM	-	-	tcp	6346
 PARAM	-	-	udp	6346
--- a/Shorewall/Macros/macro.HKP
+++ b/Shorewall/Macros/macro.HKP
@@ -6,6 +6,8 @@
 #	This macro handles OpenPGP HTTP keyserver protocol traffic.
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
+?FORMAT 2
-#				PORT(S)	PORT(S)	LIMIT	GROUP
+###############################################################################
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
 #				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
 PARAM	-	-	tcp	11371
--- a/Shorewall/Macros/macro.HTTP
+++ b/Shorewall/Macros/macro.HTTP
@@ -6,6 +6,8 @@
 #	This macro handles plaintext HTTP (WWW) traffic.
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
+?FORMAT 2
-#				PORT(S)	PORT(S)	LIMIT	GROUP
+###############################################################################
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
 #				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
 PARAM	-	-	tcp	80
--- a/Shorewall/Macros/macro.HTTPS
+++ b/Shorewall/Macros/macro.HTTPS
@@ -6,6 +6,8 @@
 #	This macro handles HTTPS (WWW over SSL) traffic.
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
+?FORMAT 2
-#				PORT(S)	PORT(S)	LIMIT	GROUP
+###############################################################################
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
 #				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
 PARAM	-	-	tcp	443
--- a/Shorewall/Macros/macro.ICPV2
+++ b/Shorewall/Macros/macro.ICPV2
@@ -6,6 +6,8 @@
 #	This macro handles Internet Cache Protocol V2 (Squid) traffic
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
+?FORMAT 2
-#				PORT(S)	PORT(S)	LIMIT	GROUP
+###############################################################################
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
 #				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
 PARAM	-	-	udp	3130
--- a/Shorewall/Macros/macro.ICQ
+++ b/Shorewall/Macros/macro.ICQ
@@ -6,6 +6,8 @@
 #	This macro handles ICQ, now called AOL Instant Messenger (or AIM).
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
+?FORMAT 2
-#				PORT(S)	PORT(S)	LIMIT	GROUP
+###############################################################################
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
 #				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
 PARAM	-	-	tcp	5190
--- a/Shorewall/Macros/macro.ILO
+++ b/Shorewall/Macros/macro.ILO
@@ -0,0 +1,23 @@
 #
 # Shorewall version 4 - ILO Macro
 #
 # /usr/share/shorewall/macro.ILO
 #
 #	This macro handles console redirection with HP ILO 2+,
 #	Use this macro to open access to your ILO interface from management
 #	workstations.
 #
 ###############################################################################
 ?FORMAT 2
 ###############################################################################
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
 #				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
 PARAM	-	-	tcp	3002		# Raw serial data
 PARAM	-	-	tcp	9300		# Shared Remote Console
 PARAM	-	-	tcp	17988		# Virtual Media
 PARAM	-	-	tcp	17990		# Console Replay
 HTTP
 HTTPS
 RDP
 SSH
 Telnet						# Remote Console/Telnet
--- a/Shorewall/Macros/macro.IMAP
+++ b/Shorewall/Macros/macro.IMAP
@@ -7,6 +7,8 @@
 #	see macro.IMAPS.
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
+?FORMAT 2
-#				PORT(S)	PORT(S)	LIMIT	GROUP
+###############################################################################
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
 #				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
 PARAM	-	-	tcp	143
--- a/Shorewall/Macros/macro.IMAPS
+++ b/Shorewall/Macros/macro.IMAPS
@@ -7,6 +7,8 @@
 #	(not recommended), see macro.IMAP.
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
+?FORMAT 2
-#				PORT(S)	PORT(S)	LIMIT	GROUP
+###############################################################################
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
 #				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
 PARAM	-	-	tcp	993
--- a/Shorewall/Macros/macro.IPIP
+++ b/Shorewall/Macros/macro.IPIP
@@ -6,7 +6,9 @@
 #	This macro (bidirectional) handles IPIP capsulation traffic
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
+?FORMAT 2
-#				PORT(S)	PORT(S)	LIMIT	GROUP
+###############################################################################
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
 #				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
 PARAM	-	-	94	# IPIP
 PARAM	DEST	SOURCE	94	# IPIP
--- a/Shorewall/Macros/macro.IPMI
+++ b/Shorewall/Macros/macro.IPMI
@@ -0,0 +1,26 @@
 #
 # Shorewall version 4 - IPMI Macro
 #
 # /usr/share/shorewall/macro.IPMI
 #
 #	This macro handles IPMI console redirection with Asus (AMI),
 #	Dell DRAC5+ (Avocent), and Supermicro (Aten or AMI).
 #	Use this macro to open access to your IPMI interface from management
 #	workstations.
 #
 ###############################################################################
 ?FORMAT 2
 ###############################################################################
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
 #				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
 PARAM	-	-	tcp	623		# RMCP
 PARAM	-	-	tcp	3668,3669	# Virtual Media, Secure (Dell)
 PARAM	-	-	tcp	5120,5123	# CD, floppy (Asus, Aten)
 PARAM	-	-	tcp	5900,5901	# Remote Console (Aten, Dell)
 PARAM	-	-	tcp	7578		# Remote Console (AMI)
 PARAM	-	-	udp	623		# RMCP
 HTTP
 HTTPS
 SNMP
 SSH						# Serial over Lan
 Telnet
--- a/Shorewall/Macros/macro.IPP
+++ b/Shorewall/Macros/macro.IPP
@@ -6,6 +6,8 @@
 #	This macro handles Internet Printing Protocol (IPP).
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
+?FORMAT 2
-#				PORT(S)	PORT(S)	LIMIT	GROUP
+###############################################################################
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
 #				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
 PARAM	-	-	tcp	631
--- a/Shorewall/Macros/macro.IPPbrd
+++ b/Shorewall/Macros/macro.IPPbrd
@@ -6,7 +6,10 @@
 #	This macro handles Internet Printing Protocol (IPP) broadcasts.
 #       If you also need to handle TCP 631 connections in the opposite
 #       direction, use the IPPserver Macro
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
+?FORMAT 2
-#				PORT(S)	PORT(S)	LIMIT	GROUP
+###############################################################################
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
 #				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
 PARAM	-	-	udp	631
--- a/Shorewall/Macros/macro.IPPserver
+++ b/Shorewall/Macros/macro.IPPserver
@@ -23,7 +23,9 @@
 #		IPPserver/ACCEPT $FW loc
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
+?FORMAT 2
-#				PORT(S)	PORT(S)	LIMIT	GROUP
+###############################################################################
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
 #				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
 PARAM	SOURCE	DEST	tcp	631
 PARAM	DEST	SOURCE	udp	631
--- a/Shorewall/Macros/macro.IPsec
+++ b/Shorewall/Macros/macro.IPsec
@@ -6,8 +6,10 @@
 #	This macro (bidirectional) handles IPsec traffic
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
+?FORMAT 2
-#				PORT(S)	PORT(S)	LIMIT	GROUP
+###############################################################################
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
 #				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
 PARAM	-	-	udp	500	500	# IKE
 PARAM	-	-	50			# ESP
 PARAM	DEST	SOURCE	udp	500	500	# IKE
--- a/Shorewall/Macros/macro.IPsecah
+++ b/Shorewall/Macros/macro.IPsecah
@@ -7,8 +7,10 @@
 #       This is insecure. You should use ESP with encryption for security.
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
+?FORMAT 2
-#				PORT(S)	PORT(S)	LIMIT	GROUP
+###############################################################################
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
 #				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
 PARAM	-	-	udp	500	500	# IKE
 PARAM	-	-	51			# AH
 PARAM	DEST	SOURCE	udp	500	500	# IKE
--- a/Shorewall/Macros/macro.IPsecnat
+++ b/Shorewall/Macros/macro.IPsecnat
@@ -6,8 +6,10 @@
 #	This macro (bidirectional) handles IPsec traffic and Nat-Traversal
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
+?FORMAT 2
-#				PORT(S)	PORT(S)	LIMIT	GROUP
+###############################################################################
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
 #				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
 PARAM	-	-	udp	500	# IKE
 PARAM	-	-	udp	4500	# NAT-T
 PARAM	-	-	50		# ESP
--- a/Shorewall/Macros/macro.IRC
+++ b/Shorewall/Macros/macro.IRC
@@ -7,11 +7,12 @@
 #
 ###############################################################################
 ?FORMAT 2
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
+###############################################################################
-#				PORT(S)	PORT(S)	LIMIT	GROUP
+#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
 #				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
 ?if ( __CT_TARGET && ! $AUTOHELPERS && __IRC_HELPER  )
- PARAM	-	-	tcp	6667 ; helper=irc
+ PARAM	-	-	tcp	6667 { helper=irc }
 ?else
 PARAM	-	-	tcp	6667
 ?endif
--- a/Shorewall/Macros/macro.JAP
+++ b/Shorewall/Macros/macro.JAP
@@ -8,8 +8,10 @@
 #	to browse anonymously!
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
+?FORMAT 2
-#				PORT(S)	PORT(S)	LIMIT	GROUP
+###############################################################################
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
 #				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
 PARAM	-	-	tcp	8080 # HTTP port
 PARAM	-	-	tcp	6544 # HTTP port
 PARAM	-	-	tcp	6543 # InfoService port
--- a/Shorewall/Macros/macro.JabberPlain
+++ b/Shorewall/Macros/macro.JabberPlain
@@ -6,6 +6,8 @@
 #	This macro accepts Jabber traffic (plaintext).
 #
 ###############################################################################
-#TARGET	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
+?FORMAT 2
-#				PORT(S)	PORT(S)	LIMIT	GROUP
+###############################################################################
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
 #				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
 PARAM	-	-	tcp	5222
--- a/Shorewall/Macros/macro.JabberSecure
+++ b/Shorewall/Macros/macro.JabberSecure
@@ -6,6 +6,8 @@
 #	This macro accepts Jabber traffic (ssl).
 #
 ###############################################################################
-#TARGET	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
+?FORMAT 2
-#				PORT(S)	PORT(S)	LIMIT	GROUP
+###############################################################################
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
 #				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
 PARAM	-	-	tcp	5223
--- a/Shorewall/Macros/macro.Jabberd
+++ b/Shorewall/Macros/macro.Jabberd
@@ -6,6 +6,8 @@
 #	This macro accepts Jabberd intercommunication traffic
 #
 ###############################################################################
-#TARGET	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
+?FORMAT 2
-#				PORT(S)	PORT(S)	LIMIT	GROUP
+###############################################################################
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
 #				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
 PARAM	-	-	tcp	5269
--- a/Shorewall/Macros/macro.Jetdirect
+++ b/Shorewall/Macros/macro.Jetdirect
@@ -6,6 +6,8 @@
 #	This macro handles HP Jetdirect printing.
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
+?FORMAT 2
-#				PORT(S)	PORT(S)	LIMIT	GROUP
+###############################################################################
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
 #				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
 PARAM	-	-	tcp	9100
--- a/Shorewall/Macros/macro.Kerberos
+++ b/Shorewall/Macros/macro.Kerberos
@@ -6,7 +6,9 @@
 #	This macro handles Kerberos traffic.
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
+?FORMAT 2
-#				PORT(S)	PORT(S)	LIMIT	GROUP
+###############################################################################
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
 #				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
 PARAM	-	-	tcp	88
 PARAM	-	-	udp	88
--- a/Shorewall/Macros/macro.L2TP
+++ b/Shorewall/Macros/macro.L2TP
@@ -7,7 +7,9 @@
 #	(RFC 2661)
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
+?FORMAT 2
-#				PORT(S)	PORT(S)	LIMIT	GROUP
+###############################################################################
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
 #				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
 PARAM	-	-	udp	1701	# L2TP
 PARAM	DEST	SOURCE	udp	1701	# L2TP
--- a/Shorewall/Macros/macro.LDAP
+++ b/Shorewall/Macros/macro.LDAP
@@ -11,6 +11,8 @@
 #	Consult your LDAP server documentation for details.
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
+?FORMAT 2
-#				PORT(S)	PORT(S)	LIMIT	GROUP
+###############################################################################
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
 #				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
 PARAM	-	-	tcp	389
--- a/Shorewall/Macros/macro.LDAPS
+++ b/Shorewall/Macros/macro.LDAPS
@@ -11,6 +11,8 @@
 #	Consult your LDAP server documentation for details.
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
+?FORMAT 2
-#				PORT(S)	PORT(S)	LIMIT	GROUP
+###############################################################################
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
 #				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
 PARAM	-	-	tcp	636
--- a/Shorewall/Macros/macro.MSNP
+++ b/Shorewall/Macros/macro.MSNP
@@ -6,6 +6,8 @@
 #	This macro handles MSNP (MicroSoft Notification Protocol)
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
+?FORMAT 2
-#				PORT(S)	PORT(S)	LIMIT	GROUP
+###############################################################################
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
 #				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
 PARAM	-	-	tcp	1863
--- a/Shorewall/Macros/macro.MSSQL
+++ b/Shorewall/Macros/macro.MSSQL
@@ -6,6 +6,8 @@
 #	This macro handles MSSQL (Microsoft SQL Server)
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
+?FORMAT 2
-#				PORT(S)	PORT(S)	LIMIT	GROUP
+###############################################################################
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
 #				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
 PARAM	-	-	tcp	1433
--- a/Shorewall/Macros/macro.Mail
+++ b/Shorewall/Macros/macro.Mail
@@ -12,8 +12,10 @@
 #	the POP3 or IMAP macros.
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
+?FORMAT 2
-#				PORT(S)	PORT(S)	LIMIT	GROUP
+###############################################################################
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
 #				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
 PARAM	-	-	tcp	25
 PARAM	-	-	tcp	465
 PARAM	-	-	tcp	587
--- a/Shorewall/Macros/macro.MongoDB
+++ b/Shorewall/Macros/macro.MongoDB
@@ -0,0 +1,13 @@
 #
 # Shorewall version 4 - MongoDB Macro
 #
 # /usr/share/shorewall/macro.MongoDB
 #
 #	This macro handles MongoDB Daemon/Router traffic.
 #
 ###############################################################################
 ?FORMAT 2
 ###############################################################################
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
 #				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
 PARAM	-	-	tcp	27017
--- a/Shorewall/Macros/macro.Munin
+++ b/Shorewall/Macros/macro.Munin
@@ -6,6 +6,8 @@
 #	This macro handles Munin networked resource monitoring traffic
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
+?FORMAT 2
-#				PORT(S)	PORT(S)	LIMIT	GROUP
+###############################################################################
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
 #				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
 PARAM	-	-	tcp	4949
--- a/Shorewall/Macros/macro.MySQL
+++ b/Shorewall/Macros/macro.MySQL
@@ -6,6 +6,8 @@
 #	This macro handles connections to the MySQL server.
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
+?FORMAT 2
-#				PORT(S)	PORT(S)	LIMIT	GROUP
+###############################################################################
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
 #				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
 PARAM	-	-	tcp	3306
--- a/Shorewall/Macros/macro.NNTP
+++ b/Shorewall/Macros/macro.NNTP
@@ -7,6 +7,8 @@
 #	encrypted NNTP, see macro.NNTPS.
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
+?FORMAT 2
-#				PORT(S)	PORT(S)	LIMIT	GROUP
+###############################################################################
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
 #				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
 PARAM	-	-	tcp	119
--- a/Shorewall/Macros/macro.NNTPS
+++ b/Shorewall/Macros/macro.NNTPS
@@ -7,6 +7,8 @@
 #	plaintext NNTP, see macro.NNTP.
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
+?FORMAT 2
-#				PORT(S)	PORT(S)	LIMIT	GROUP
+###############################################################################
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
 #				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
 PARAM	-	-	tcp	563
--- a/Shorewall/Macros/macro.NTP
+++ b/Shorewall/Macros/macro.NTP
@@ -7,6 +7,8 @@
 #	For broadcast NTP traffic, use NTPbrd Macro.
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
+?FORMAT 2
-#				PORT(S)	PORT(S)	LIMIT	GROUP
+###############################################################################
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
 #				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
 PARAM	-	-	udp	123
--- a/Shorewall/Macros/macro.NTPbi
+++ b/Shorewall/Macros/macro.NTPbi
@@ -6,7 +6,9 @@
 #        This macro handles  bi-directional NTP (for NTP peers)
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
+?FORMAT 2
-#				PORT(S)	PORT(S)	LIMIT	GROUP
+###############################################################################
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
 #				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
 PARAM	-	-	udp	123
 PARAM	DEST	SOURCE	udp	123
--- a/Shorewall/Macros/macro.NTPbrd
+++ b/Shorewall/Macros/macro.NTPbrd
@@ -11,7 +11,9 @@
 #	Netfilter doesn't track connections for broadcast traffic.
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
+?FORMAT 2
-#				PORT(S)	PORT(S)	LIMIT	GROUP
+###############################################################################
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
 #				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
 PARAM	-		-		udp	123
 PARAM	-		-		udp	1024:	123
--- a/Shorewall/Macros/macro.OSPF
+++ b/Shorewall/Macros/macro.OSPF
@@ -6,6 +6,8 @@
 #	This macro handles OSPF multicast traffic
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
+?FORMAT 2
-#				PORT(S)	PORT(S)	LIMIT	GROUP
+###############################################################################
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
 #				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
 PARAM	-	-	89	# OSPF
--- a/Shorewall/Macros/macro.OpenVPN
+++ b/Shorewall/Macros/macro.OpenVPN
@@ -6,6 +6,8 @@
 #	This macro handles OpenVPN traffic.
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
+?FORMAT 2
-#				PORT(S)	PORT(S)	LIMIT	GROUP
+###############################################################################
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
 #				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
 PARAM	-	-	udp	1194
--- a/Shorewall/Macros/macro.PCA
+++ b/Shorewall/Macros/macro.PCA
@@ -6,7 +6,9 @@
 #	This macro handles PCAnywere (tm)
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
+?FORMAT 2
-#				PORT(S)	PORT(S)	LIMIT	GROUP
+###############################################################################
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
 #				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
 PARAM	-	-	udp	5632
 PARAM	-	-	tcp	5631
--- a/Shorewall/Macros/macro.POP3
+++ b/Shorewall/Macros/macro.POP3
@@ -7,6 +7,8 @@
 #	see macro.POP3S.
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
+?FORMAT 2
-#				PORT(S)	PORT(S)	LIMIT	GROUP
+###############################################################################
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
 #				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
 PARAM	-	-	tcp	110
--- a/Shorewall/Macros/macro.POP3S
+++ b/Shorewall/Macros/macro.POP3S
@@ -7,6 +7,8 @@
 #	see macro.POP3.
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
+?FORMAT 2
-#				PORT(S)	PORT(S)	LIMIT	GROUP
+###############################################################################
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
 #				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
 PARAM	-	-	tcp	995	# Secure POP3
--- a/Shorewall/Macros/macro.PPtP
+++ b/Shorewall/Macros/macro.PPtP
@@ -7,13 +7,14 @@
 #
 ###############################################################################
 ?FORMAT 2
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
+###############################################################################
-#				PORT(S)	PORT(S)	LIMIT	GROUP
+#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
 #				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
 PARAM	-	-	47
 PARAM	DEST	SOURCE	47
 ?if ( __CT_TARGET && ! $AUTOHELPERS && __PPTP_HELPER )
- PARAM	-	-	tcp	1723 ; helper=pptp
+ PARAM	-	-	tcp	1723 { helper=pptp }
 ?else
 PARAM	-	-	tcp	1723
 ?endif
--- a/Shorewall/Macros/macro.Ping
+++ b/Shorewall/Macros/macro.Ping
@@ -6,6 +6,8 @@
 #	This macro handles 'ping' requests.
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
+?FORMAT 2
-#				PORT(S)	PORT(S)	LIMIT	GROUP
+###############################################################################
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
 #				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
 PARAM	-	-	icmp	8
--- a/Shorewall/Macros/macro.PostgreSQL
+++ b/Shorewall/Macros/macro.PostgreSQL
@@ -6,6 +6,8 @@
 #	This macro handles connections to the PostgreSQL server.
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
+?FORMAT 2
-#				PORT(S)	PORT(S)	LIMIT	GROUP
+###############################################################################
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
 #				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
 PARAM	-	-	tcp	5432
--- a/Shorewall/Macros/macro.Printer
+++ b/Shorewall/Macros/macro.Printer
@@ -6,6 +6,8 @@
 #	This macro handles Line Printer protocol printing.
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
+?FORMAT 2
-#				PORT(S)	PORT(S)	LIMIT	GROUP
+###############################################################################
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
 #				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
 PARAM	-	-	tcp	515
--- a/Shorewall/Macros/macro.Puppet
+++ b/Shorewall/Macros/macro.Puppet
@@ -7,6 +7,8 @@
 #	management system.
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
+?FORMAT 2
-#				PORT(S)	PORT(S)	LIMIT	GROUP
+###############################################################################
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
 #				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
 PARAM	-	-	tcp	8140
--- a/Shorewall/Macros/macro.RDP
+++ b/Shorewall/Macros/macro.RDP
@@ -6,6 +6,8 @@
 #	This macro handles Microsoft RDP (Remote Desktop) traffic.
 #
 ###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
+?FORMAT 2
-#				PORT(S)	PORT(S)	LIMIT	GROUP
+###############################################################################
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
 #				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
 PARAM	-	-	tcp	3389
--- a/Shorewall/Macros/macro.RIPbi
+++ b/Shorewall/Macros/macro.RIPbi
@@ -6,8 +6,9 @@
 #        This macro handles RIP (Routing Information Protocol) - bidirectional
 #
 ###############################################################################
-#ACTION SOURCE  DEST    PROTO   DEST    SOURCE  RATE    USER/
+?FORMAT 2
-#                               PORT(S) PORT(S) LIMIT   GROUP
+###############################################################################
-PARAM   -       -       udp	520
+#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	ORIGIN	RATE	USER/
-PARAM   DEST    SOURCE  udp	520
+#				PORT(S)	PORT(S)	DEST	LIMIT	GROUP
-
+PARAM	-	-	udp	520
 PARAM	DEST	SOURCE	udp	520
--- a/Show More
+++ b/Show More