Fix syntax error in the generated script

Signed-off-by: Tom Eastep <teastep@shorewall.net>
Correct issues with debugging the generated script
2012-03-06 09:14:06 -08:00 · 2012-03-05 15:55:25 -08:00 · 2012-02-29 15:04:17 -08:00 · 2012-02-25 08:28:15 -08:00 · 2012-02-25 07:51:55 -08:00 · 2012-02-25 07:40:47 -08:00
177 changed files with 3917 additions and 9160 deletions
--- a/Shorewall-core/configure
+++ b/Shorewall-core/configure
@@ -1,190 +0,0 @@
 #!/bin/bash
 #
 #     Shorewall Packet Filtering Firewall RPM configuration program - V4.5
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
 #     (c) 2012 - Tom Eastep (teastep@shorewall.net)
 #
 #	Shorewall documentation is available at http://www.shorewall.net
 #
 #	This program is free software; you can redistribute it and/or modify
 #	it under the terms of Version 2 of the GNU General Public License
 #	as published by the Free Software Foundation.
 #
 #	This program is distributed in the hope that it will be useful,
 #	but WITHOUT ANY WARRANTY; without even the implied warranty of
 #	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 #	GNU General Public License for more details.
 #
 #	You should have received a copy of the GNU General Public License
 #	along with this program; if not, write to the Free Software
 #	Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 #       Usage: ./configure [ <option>=<setting> ] ...
 #
 #
 ################################################################################################
 #
 # Build updates this
 #
 VERSION=4.5.2.1
 case "$BASH_VERSION" in
    [4-9].*)
 	;;
    *)
 	echo "ERROR: This program requires Bash 4.0 or later" >&2
 	exit 1
 	;;
 esac
 declare -A params
 declare -A options
 getfileparams() {
    while read option; do
 	case $option in
 	    \#*)
 		;;
 	    *)
 		on=${option%=*}
 		ov=${option#*=}
 		ov=${ov%#*}
 		[ -n "$on" ] && options[${on}]="${ov}"
 		;;
 	esac
    done
    return 0
 }
 for p in $@; do
    if [ -n "${p}" ]; then
 	declare -u pn
 	pn=${p%=*}
 	pn=${pn#--}
 	pv=${p#*=}
 	if [ -n "${pn}" ]; then
 	    case ${pn} in
 		VENDOR)
 		    pn=HOST
 		    ;;
 		SHAREDSTATEDIR)
 		    pn=VARDIR
 		    ;;
 		DATADIR)
 		    pn=SHAREDIR
 		    ;;
 		SYSCONFDIR)
 		    pn=CONFDIR
 		    ;;
 	    esac
 	    params[${pn}]="${pv}"
 	else
 	    echo "ERROR: Invalid option ($p)" >&2
 	    exit 1
 	fi
    fi
 done
 vendor=${params[HOST]}
 if [ -z "$vendor" ]; then
    case `uname` in
 	Darwin)
 	    $params[HOST]=apple
 	    rcfile=shorewallrc.apple
 	    ;;
 	cygwin*)
 	    $params[HOST]=cygwin
 	    rcfile=shorewallrc.cygwin
 	    ;;
 	*)
 	    if [ -f /etc/debian_version ]; then
 		params[HOST]=debian
 		rcfile=shorewallrc.debian
 	    elif [ -f /etc/redhat-release ]; then
 		params[HOST]=redhat
 		rcfile=shorewallrc.redhat
 	    elif [ -f /etc/slackware-version ] ; then
 		params[HOST]=slackware
 		rcfile=shorewallrc.slackware
 	    elif [ -f /etc/SuSE-release ]; then
 		params[HOST]=suse
 		rcfile=shorewallrc.suse
 	    elif [ -f /etc/arch-release ] ; then
 		params[HOST]=archlinux
 		rcfile=shorewallrc.archlinux
 	    else
 		params[HOST]=linux
 		rcfile=shorewallrc.default
 	    fi
 	    ;;
    esac
    vendor=${params[HOST]}
 elif [ $vendor = linux ]; then
    rcfile=$shorewallrc.default;
 else
    rcfile=shorewallrc.$vendor
    if [ ! -f $rcfile ]; then
 	echo "ERROR: $vendor is not a recognized host type" >&2
 	exit 1
    fi
 fi
 if [ $vendor = linux ]; then
    echo "INFO: Creating a generic Linux installation - " `date`;
 else
    echo "INFO: Creating a ${vendor}-specific installation - " `date`;
 fi
 echo
 getfileparams < $rcfile || exit 1
 for p in ${!params[@]}; do
    options[${p}]="${params[${p}]}"
 done
 echo '#'                                                                 > shorewallrc
 echo "# Created by Shorewall Core version $VERSION configure - " `date` >> shorewallrc
 echo '#'                                                                >> shorewallrc
 if [ $# -gt 0 ]; then
    echo "# Input: $@" >> shorewallrc
    echo '#'           >> shorewallrc
 fi
 for on in \
    HOST \
    PREFIX \
    SHAREDIR \
    LIBEXECDIR \
    PERLLIBDIR \
    CONFDIR \
    SBINDIR \
    MANDIR \
    INITDIR \
    INITSOURCE \
    INITFILE \
    AUXINITSOURCE \
    AUXINITFILE \
    SYSTEMD \
    SYSCONFFILE \
    SYSCONFDIR \
    SPARSE \
    ANNOTATED \
    VARDIR
 do
    echo "$on=${options[${on}]}"
    echo "$on=${options[${on}]}" >> shorewallrc
 done
--- a/Shorewall-core/configure.pl
+++ b/Shorewall-core/configure.pl
@@ -1,155 +0,0 @@
 #! /usr/bin/perl -w
 #
 #     Shorewall Packet Filtering Firewall RPM configuration program - V4.5
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
 #     (c) 2012 - Tom Eastep (teastep@shorewall.net)
 #
 #	Shorewall documentation is available at http://www.shorewall.net
 #
 #	This program is free software; you can redistribute it and/or modify
 #	it under the terms of Version 2 of the GNU General Public License
 #	as published by the Free Software Foundation.
 #
 #	This program is distributed in the hope that it will be useful,
 #	but WITHOUT ANY WARRANTY; without even the implied warranty of
 #	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 #	GNU General Public License for more details.
 #
 #	You should have received a copy of the GNU General Public License
 #	along with this program; if not, write to the Free Software
 #	Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 #       Usage: ./configure.pl <option>=<setting> ...
 #
 #
 ################################################################################################
 use strict;
 #
 # Build updates this
 #
 use constant {
    VERSION => '4.5.2.1'
 };
 my %params;
 my %options;
 my %aliases = ( VENDOR         => 'HOST',
 		SHAREDSTATEDIR => 'VARDIR',
 		DATADIR        => 'SHAREDIR',
 		SYSCONFDIR     => 'CONFDIR' );
 for ( @ARGV ) {
    die "ERROR: Invalid option specification ( $_ )" unless /^(?:--)?(\w+)=(.*)$/;
    my $pn = uc $1;
    my $pv = $2 || '';
    $pn = $aliases{$pn} if exists $aliases{$pn};
    $params{$pn} = $pv;
 }
 my $vendor = $params{HOST};
 my $rcfile;
 my $rcfilename;
 if ( defined $vendor ) {
    $rcfilename = $vendor eq 'linux' ? 'shorewallrc.default' : 'shorewallrc.' . $vendor;
    die qq("ERROR: $vendor" is not a recognized host type) unless -f $rcfilename;
 } else {
    if ( -f '/etc/debian_version' ) {
 	$vendor = 'debian';
 	$rcfilename = 'shorewallrc.debian';
    } elsif ( -f '/etc/redhat-release' ){
 	$vendor = 'redhat';
 	$rcfilename = 'shorewallrc.redhat';
    } elsif ( -f '/etc/slackware-version' ) {
 	$vendor = 'slackware';
 	$rcfilename = 'shorewallrc.slackware';
    } elsif ( -f '/etc/SuSE-release' ) {
 	$vendor = 'suse';
 	$rcfilename = 'shorewallrc.suse';
    } elsif ( -f '/etc/arch-release' ) {
 	$vendor = 'archlinux';
 	$rcfilename = 'shorewallrc.archlinux';
    } elsif ( `uname` =~ '^Darwin' ) {
 	$vendor = 'apple';
 	$rcfilename = 'shorewallrc.apple';
    } elsif ( `uname` =~ '^Cygwin' ) {
 	$vendor = 'cygwin';
 	$rcfilename = 'shorewallrc.cygwin';
    } else {
 	$vendor = 'linux';
 	$rcfilename = 'shorewallrc.default';
    }
    $params{HOST} = $vendor;
 }
 my @localtime = localtime;
 my @abbr = qw( Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec );
 if ( $vendor eq 'linux' ) {
    printf "INFO: Creating a generic Linux installation - %s %2d %04d %02d:%02d:%02d\n\n", $abbr[$localtime[4]], $localtime[3], 1900 + $localtime[5] , @localtime[2,1,0];;
 } else {
    printf "INFO: Creating a %s-specific installation - %s %2d %04d %02d:%02d:%02d\n\n", $vendor, $abbr[$localtime[4]], $localtime[3], 1900 + $localtime[5] , @localtime[2,1,0];;
 }
 open $rcfile, '<', $rcfilename or die "Unable to open $rcfilename for input: $!";
 while ( <$rcfile> ) {
    s/\s*#.*//;
    unless ( /^\s*$/ ) {
 	chomp;
 	die "ERROR: Invalid entry ($_) in $rcfilename, line $." unless /\s*(\w+)=(.*)/;
 	$options{$1} = $2;
    }
 }
 close $rcfile;
 while ( my ( $p, $v ) = each %params ) {
    $options{$p} = ${v};
 }
 my $outfile;
 open $outfile, '>', 'shorewallrc' or die "Can't open 'shorewallrc' for output: $!";
 printf $outfile "#\n# Created by Shorewall Core version %s configure.pl - %s %2d %04d %02d:%02d:%02d\n#\n", VERSION, $abbr[$localtime[4]], $localtime[3], 1900 + $localtime[5] , @localtime[2,1,0];
 print  $outfile "# Input: @ARGV\n#\n" if @ARGV;
 for ( qw/ HOST
 	  PREFIX
 	  SHAREDIR
 	  LIBEXECDIR
 	  PERLLIBDIR
 	  CONFDIR
 	  SBINDIR
 	  MANDIR
 	  INITDIR
 	  INITSOURCE
 	  INITFILE
 	  AUXINITSOURCE
 	  AUXINITFILE
 	  SYSTEMD
 	  SYSCONFFILE
 	  SYSCONFDIR
 	  SPARSE
 	  ANNOTATED
 	  VARDIR / ) {
    my $val = $options{$_} || '';
    print          "$_=$val\n";
    print $outfile "$_=$val\n";
 }
 close $outfile;
 1;
--- a/Shorewall-core/install.sh
+++ b/Shorewall-core/install.sh
@@ -27,18 +27,14 @@ VERSION=xxx #The Build script inserts the actual version
 usage() # $1 = exit status
 {
    ME=$(basename $0)
-    echo "usage: $ME [ <configuration-file> ] "
+    echo "usage: $ME"
    echo "       $ME -v"
    echo "       $ME -h"
    echo "       $ME -s"
    echo "       $ME -f"
    exit $1
 }
 fatal_error()
 {
    echo "   ERROR: $@" >&2
    exit 1
 }
 split() {
    local ifs
    ifs=$IFS
@@ -91,16 +87,69 @@ install_file() # $1 = source $2 = target $3 = mode
    run_install $T $OWNERSHIP -m $3 $1 ${2}
 }
-require()
+[ -n "$DESTDIR" ] || DESTDIR="$PREFIX"
 {
    eval [ -n "\$$1" ] || fatal_error "Required option $1 not set"
 }
 cd "$(dirname $0)"
 #
 # Parse the run line
 #
 # ARGS is "yes" if we've already parsed an argument
 #
 T="-T"
 [ -n "${LIBEXEC:=/usr/share}" ]
 [ -n "${PERLLIB:=/usr/share/shorewall}" ]
 MACHOST=
 case "$LIBEXEC" in
    /*)
 	;;
    *)
 	LIBEXEC=/usr/${LIBEXEC}
 	;;
 esac
 case "$PERLLIB" in
    /*)
 	;;
    *)
 	PERLLIB=/usr/${PERLLIB}
 	;;
 esac
 INSTALLD='-D'
 case $(uname) in
    CYGWIN*)
 	if [ -z "$DESTDIR" ]; then
 	    DEST=
 	    INIT=
 	fi
 	OWNER=$(id -un)
 	GROUP=$(id -gn)
 	CYGWIN=Yes
 	;;
    Darwin)
 	if [ -z "$DESTDIR" ]; then
 	    DEST=
 	    INIT=
 	fi
 	[ -z "$OWNER" ] && OWNER=root
 	[ -z "$GROUP" ] && GROUP=wheel
 	MAC=Yes
        MACHOST=Yes
 	INSTALLD=
 	T=
 	;;
    *)
 	[ -z "$OWNER" ] && OWNER=root
 	[ -z "$GROUP" ] && GROUP=root
 	;;
 esac
 OWNERSHIP="-o $OWNER -g $GROUP"
 finished=0
 while [ $finished -eq 0 ]; do
@@ -119,6 +168,14 @@ while [ $finished -eq 0 ]; do
 			echo "Shorewall Firewall Installer Version $VERSION"
 			exit 0
 			;;
 		    a*)
 			ANNOTATED=Yes
 			option=${option#a}
 			;;
 		    p*)
 			ANNOTATED=
 			option=${option#p}
 			;;
 		    *)
 			usage 1
 			;;
@@ -128,237 +185,102 @@ while [ $finished -eq 0 ]; do
 	    shift
 	    ;;
 	*)
 	    [ -n "$option" ] && usage 1
 	    finished=1
 	    ;;
    esac
 done
-#
+PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
 # Read the RC file
 #
 if [ $# -eq 0 ]; then
    if [ -f ./shorewallrc ]; then
 	. ./shorewallrc
 	file=./shorewallrc
    elif [ -f ~/.shorewallrc ]; then
 	. ~/.shorewallrc || exit 1
 	file=~/.shorewallrc
    elif [ -f /usr/share/shorewall/shorewallrc ]; then
 	. /usr/share/shorewall/shorewallrc
 	file=/usr/share/shorewall/shorewallrc
    else
 	fatal_error "No configuration file specified and /usr/share/shorewall/shorewallrc not found"
    fi
 elif [ $# -eq 1 ]; then
    file=$1
    case $file in
 	/*|.*)
 	    ;;
 	*)
 	    file=./$file || exit 1
 	    ;;
    esac
    . $file
 else
    usage 1
 fi
 for var in SHAREDIR LIBEXECDIR PERLLIBDIR CONFDIR SBINDIR VARDIR; do
    require $var
 done
 [ "${INITFILE}" != 'none/' ] && require INITSOURCE && require INITDIR
 T="-T"
 INSTALLD='-D'
 if [ -z "$BUILD" ]; then
    case $(uname) in
 	cygwin*)
 	    BUILD=cygwin
 	    ;;
 	Darwin)
 	    BUILD=apple
 	    ;;
 	*)
 	    if [ -f /etc/debian_version ]; then
 		BUILD=debian
 	    elif [ -f /etc/redhat-release ]; then
 		BUILD=redhat
 	    elif [ -f /etc/slackware-version ] ; then
 		BUILD=slackware
 	    elif [ -f /etc/SuSE-release ]; then
 		BUILD=suse
 	    elif [ -f /etc/arch-release ] ; then
 		BUILD=archlinux
 	    else
 		BUILD=linux
 	    fi
 	    ;;
    esac
 fi
 case $BUILD in
    cygwin*)
 	if [ -z "$DESTDIR" ]; then
 	    DEST=
 	    INIT=
 	fi
 	OWNER=$(id -un)
 	GROUP=$(id -gn)
 	;;
    apple)
 	if [ -z "$DESTDIR" ]; then
 	    DEST=
 	    INIT=
 	    SPARSE=Yes
 	fi
 	[ -z "$OWNER" ] && OWNER=root
 	[ -z "$GROUP" ] && GROUP=wheel
 	INSTALLD=
 	T=
 	;;
    *)
 	[ -z "$OWNER" ] && OWNER=root
 	[ -z "$GROUP" ] && GROUP=root
 	;;
 esac
 OWNERSHIP="-o $OWNER -g $GROUP"
 #
 # Determine where to install the firewall script
 #
 [ -n "$HOST" ] || HOST=$BUILD
 case "$HOST" in
    cygwin)
 	echo "Installing Cygwin-specific configuration..."
 	;;
    apple)
 	echo "Installing Mac-specific configuration...";
 	;;
    debian|redhat|slackware|archlinux|linux|suse)
 	;;
    *)
 	echo "ERROR: Unknown HOST \"$HOST\"" >&2
 	exit 1;
 	;;
 esac
 if [ -z "$file" ]; then
    if $HOST = linux; then
 	file=shorewallrc.default
    else
 	file=shorewallrc.${HOST}
    fi
    echo "You have not specified a configuration file and ~/.shorewallrc does not exist" >&2
    echo "Shorewall-core $VERSION has determined that the $file configuration is appropriate for your system" >&2
    echo "Please review the settings in that file. If you wish to change them, make a copy and modify the copy" >&2
    echo "Then re-run install.sh passing either $file or the name of your modified copy" >&2
    echo "" >&2
    echo "Example:" >&2
    echo "" >&2
    echo "   ./install.sh $file" &>2
 fi
 if [ -n "$DESTDIR" ]; then
-    if [ $BUILD != cygwin ]; then
+    if [ -z "$CYGWIN" ]; then
 	if [ `id -u` != 0 ] ; then
 	    echo "Not setting file owner/group permissions, not running as root."
 	    OWNERSHIP=""
 	fi
    fi
    install -d $OWNERSHIP -m 755 ${DESTDIR}/sbin
    install -d $OWNERSHIP -m 755 ${DESTDIR}${DEST}
    CYGWIN=
    MAC=
 else
    if [ -n "$CYGWIN" ]; then
 	echo "Installing Cygwin-specific configuration..."
    elif [ -n "$MAC" ]; then
 	echo "Installing Mac-specific configuration..."
    else
 	if [ -f /etc/debian_version ]; then
 	    echo "Installing Debian-specific configuration..."
 	    DEBIAN=yes
 	elif [ -f /etc/redhat-release ]; then
 	    echo "Installing Redhat/Fedora-specific configuration..."
 	    FEDORA=yes
 	elif [ -f /etc/slackware-version ] ; then
 	    echo "Installing Slackware-specific configuration..."
 	    DEST="/etc/rc.d"
 	    MANDIR="/usr/man"
 	    SLACKWARE=yes
 	elif [ -f /etc/arch-release ] ; then
 	    echo "Installing ArchLinux-specific configuration..."
 	    DEST="/etc/rc.d"
 	    INIT="shorewall"
 	    ARCHLINUX=yes
 	fi
    fi
 fi
 #
 # Change to the directory containing this script
 #
 cd "$(dirname $0)"
 echo "Installing Shorewall Core Version $VERSION"
 #
-# Create directories
+# Create /usr/share/shorewall
 #
-mkdir -p ${DESTDIR}${LIBEXECDIR}/shorewall
+mkdir -p ${DESTDIR}${LIBEXEC}/shorewall
-chmod 755 ${DESTDIR}${LIBEXECDIR}/shorewall
+chmod 755 ${DESTDIR}/usr/share/shorewall
 mkdir -p ${DESTDIR}${SHAREDIR}/shorewall
 chmod 755 ${DESTDIR}${SHAREDIR}/shorewall
 mkdir -p ${DESTDIR}${CONFDIR}
 chmod 755 ${DESTDIR}${CONFDIR}
 if [ -n "${SYSCONFDIR}" ]; then
    mkdir -p ${DESTDIR}${SYSCONFDIR}
    chmod 755 ${DESTDIR}${SYSCONFDIR}
 fi
 if [ -n "${SYSTEMD}" ]; then
    mkdir -p ${DESTDIR}${SYSTEMD}
    chmod 755 ${DESTDIR}${SYSTEMD}
 fi
 mkdir -p ${DESTDIR}${SBINDIR}
 chmod 755 ${DESTDIR}${SBINDIR}
 mkdir -p ${DESTDIR}${MANDIR}
 chmod 755 ${DESTDIR}${MANDIR}
 if [ -n "${INITFILE}" ]; then
    mkdir -p ${DESTDIR}${INITDIR}
    chmod 755 ${DESTDIR}${INITDIR}
    if [ -n "$AUXINITSOURCE" -a -f "$AUXINITSOURCE" ]; then
 	install_file $AUXINITSOURCE ${DESTDIR}${INITDIR}/$AUXINITFILE 0544
 	[ "${SHAREDIR}" = /usr/share ] || eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${INITDIR}/$AUXINITFILE
 	echo  "$Product script installed in ${DESTDIR}${INITDIR}/$AUXINITFILE"
    fi
 fi
 #
 # Note: ${VARDIR} is created at run-time since it has always been
 #       a relocatable directory on a per-product basis
 #
 # Install wait4ifup
 #
-install_file wait4ifup ${DESTDIR}${LIBEXECDIR}/shorewall/wait4ifup 0755
+install_file wait4ifup ${DESTDIR}${LIBEXEC}/shorewall/wait4ifup 0755
 echo
-echo "wait4ifup installed in ${DESTDIR}${LIBEXECDIR}/shorewall/wait4ifup"
+echo "wait4ifup installed in ${DESTDIR}${LIBEXEC}/shorewall/wait4ifup"
 #
 # Install the libraries
 #
 for f in lib.* ; do
-    install_file $f ${DESTDIR}${SHAREDIR}/shorewall/$f 0644
+    install_file $f ${DESTDIR}/usr/share/shorewall/$f 0644
-    echo "Library ${f#*.} file installed as ${DESTDIR}${SHAREDIR}/shorewall/$f"
+    echo "Library ${f#*.} file installed as ${DESTDIR}/usr/share/shorewall/$f"
 done
 if [ -z "$MACHOST" ]; then
    eval sed -i \'s\|g_libexec=.\*\|g_libexec=$LIBEXEC\|\' ${DESTDIR}/usr/share/shorewall/lib.cli
    eval sed -i \'s\|g_perllib=.\*\|g_perllib=$PERLLIB\|\' ${DESTDIR}/usr/share/shorewall/lib.cli
 else
    eval sed -i \'\' -e \'s\|g_libexec=.\*\|g_libexec=$LIBEXEC\|\' ${DESTDIR}/usr/share/shorewall/lib.cli
    eval sed -i \'\' -e \'s\|g_perllib=.\*\|g_perllib=$PERLLIB\|\' ${DESTDIR}/usr/share/shorewall/lib.cli
 fi
 #
 # Symbolically link 'functions' to lib.base
 #
-ln -sf lib.base ${DESTDIR}${SHAREDIR}/shorewall/functions
+ln -sf lib.base ${DESTDIR}/usr/share/shorewall/functions
 #
 # Create the version file
 #
-echo "$VERSION" > ${DESTDIR}${SHAREDIR}/shorewall/coreversion
+echo "$VERSION" > ${DESTDIR}/usr/share/shorewall/coreversion
-chmod 644 ${DESTDIR}${SHAREDIR}/shorewall/coreversion
+chmod 644 ${DESTDIR}/usr/share/shorewall/coreversion
 [ $file != "${SHAREDIR}/shorewall/shorewallrc" ] && cp $file ${DESTDIR}${SHAREDIR}/shorewall/shorewallrc
 [ -z "${DESTDIR}" ] && [ ! -f ~/.shorewallrc ] && cp ${SHAREDIR}/shorewall/shorewallrc ~/.shorewallrc
 if [ ${SHAREDIR} != /usr/share ]; then
    for f in lib.*; do
 	if [ $BUILD != apple ]; then
 	    eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}/${SHAREDIR}/shorewall/$f
 	else
 	    eval sed -i \'\' -e \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}/${SHAREDIR}/shorewall/$f
 	fi
    done
 fi
 #
 #  Report Success
 #
--- a/Shorewall-core/lib.base
+++ b/Shorewall-core/lib.base
@@ -27,57 +27,50 @@
 #   and /usr/share/shorewall[6]-lite/shorecap.
 #
-SHOREWALL_LIBVERSION=40502
+SHOREWALL_LIBVERSION=40500
-SHOREWALL_CAPVERSION=40504
+SHOREWALL_CAPVERSION=40501
 [ -n "${g_program:=shorewall}" ]
 if [ -z "$g_readrc" ]; then
    #
    # This is modified by the installer when ${SHAREDIR} != /usr/share
    #
    . /usr/share/shorewall/shorewallrc
    g_libexec="$LIBEXECDIR"
    g_sharedir="$SHAREDIR"/$g_program
    g_sbindir="$SBINDIR"
    g_perllib="$PERLLIBDIR"
    g_vardir="$VARDIR"
    g_confdir="$CONFDIR"/$g_program
    g_readrc=1
 fi
 g_basedir=${SHAREDIR}/shorewall
 case $g_program in
    shorewall)
 	SHAREDIR=/usr/share/shorewall
 	CONFDIR=/etc/shorewall
 	g_product="Shorewall"
 	g_family=4
 	g_tool=
 	g_basedir=/usr/share/shorewall
 	g_lite=
 	;;
    shorewall6)
 	SHAREDIR=/usr/share/shorewall6
 	CONFDIR=/etc/shorewall6
 	g_product="Shorewall6"
 	g_family=6
 	g_tool=
 	g_basedir=/usr/share/shorewall
 	g_lite=
 	;;
    shorewall-lite)
 	SHAREDIR=/usr/share/shorewall-lite
 	CONFDIR=/etc/shorewall-lite
 	g_product="Shorewall Lite"
 	g_family=4
 	g_tool=iptables
 	g_basedir=/usr/share/shorewall-lite
 	g_lite=Yes
 	;;
    shorewall6-lite)
 	SHAREDIR=/usr/share/shorewall6-lite
 	CONFDIR=/etc/shorewall6-lite
 	g_product="Shorewall6 Lite"
 	g_family=6
 	g_tool=ip6tables
 	g_basedir=/usr/share/shorewall6-lite
 	g_lite=Yes
 	;;
 esac
 VARDIR=${VARDIR}/${g_program}
 #
 # Conditionally produce message
 #
@@ -193,7 +186,7 @@ mutex_off()
    rm -f ${LOCKFILE:=${VARDIR}/lock}
 }
-[ -z "$LEFTSHIFT" ] && . ${g_basedir}/lib.common
+[ -z "$LEFTSHIFT" ] && . /usr/share/shorewall/lib.common
 #
 # Validate an IP address
@@ -351,7 +344,7 @@ ip_vlsm() {
 #
 ensure_config_path() {
    local F
-    F=${g_sharedir}/configpath
+    F=${SHAREDIR}/configpath
    if [ -z "$CONFIG_PATH" ]; then
 	[ -f $F ] || { echo "   ERROR: $F does not exist"; exit 2; }
 	. $F
@@ -462,14 +455,14 @@ mktempfile() {
    else
 	case "$MKTEMP" in
 	    BSD)
-		mktemp ${TMPDIR:-/tmp}/shorewall.XXXXXX
+		mktemp /tmp/shorewall.XXXXXX
 		;;
 	    STD)
 		mktemp -t shorewall.XXXXXX
 		;;
 	    None)
-		rm -f ${TMPDIR:-/tmp}/shorewall-$$
+		rm -f /tmp/shorewall-$$
-		> ${TMPDIR:-}/shorewall-$$ && echo ${TMPDIR:-/tmp}/shorewall-$$
+		> /tmp/shorewall-$$ && echo /tmp/shorewall-$$
 		;;
 	    *)
 		error_message "ERROR:Internal error in mktempfile"
--- a/Shorewall-core/lib.cli
+++ b/Shorewall-core/lib.cli
@@ -23,25 +23,7 @@
 # This library contains the command processing code common to /sbin/shorewall[6] and
 # /sbin/shorewall[6]-lite.
 #
-
+. /usr/share/shorewall/lib.base
 if [ -z "$g_readrc" ]; then
    #
    # This is modified by the installer when ${SHAREDIR} <> /usr/share
    #
    . /usr/share/shorewall/shorewallrc
    g_libexec="$LIBEXECDIR"
    g_sharedir="$SHAREDIR"/$g_program
    g_sbindir="$SBINDIR"
    g_perllib="$PERLLIBDIR"
    g_vardir="$VARDIR"
    g_confdir="$CONFDIR"/$g_program
    g_readrc=1
 fi
 . ${SHAREDIR}/shorewall/lib.base
 #
 # Fatal Error
 #
@@ -456,28 +438,16 @@ sort_routes() {
    done | sort -r | while read dest rest; do echo $rest; done
 }
 #
 # Isolate the table in the routing rules being read from stdin.
 # Piping through sed to remove trailing whitespace works around
 # recent 'features' in dash and ip.
 #
 find_tables() {
    sed -r 's/[[:space:]]+$//' | while read rule; do
 	echo ${rule##* }
    done
 }
 #
 # Show routing configuration
 #
 show_routing() {
    local rule
    local table
    if [ -n "$(ip -$g_family rule list)" ]; then
 	heading "Routing Rules"
 	ip -$g_family rule list
-	ip -$g_family rule list | find_tables | sort -u | while read table; do
+	ip -$g_family rule list | while read rule; do
 	    echo ${rule##* }
 	done | sort -u | while read table; do
 	    heading "Table $table:"
 	    if [ $g_family -eq 6 ]; then
 		ip -$g_family -o route list table $table | fgrep -v cache
@@ -573,11 +543,11 @@ version_command() {
    [ $# -gt 0 ] && usage 1
    if [ -n "$all" ]; then
-	echo "shorewall-core: $(cat $g_sharedir/coreversion)"
+	echo "shorewall-core: $(cat /usr/share/shorewall/coreversion)"
 	for product in shorewall shorewall6 shorewall-lite shorewall6-lite shorewall-init; do
-	    if [ -f ${SHAREDIR}/$product/version ]; then
+	    if [ -f /usr/share/$product/version ]; then
-		echo "$product: $(cat ${SHAREDIR}/$product/version)"
+		echo "$product: $(cat /usr/share/$product/version)"
 	    fi
 	done
    else
@@ -867,20 +837,16 @@ show_command() {
 	    show_routing
 	    ;;
 	config)
-	    . ${g_sharedir}/configpath
+	    . ${SHAREDIR}/configpath
 	    if [ -n "$g_filemode" ]; then
 		echo "CONFIG_PATH=$CONFIG_PATH"
 		echo "VARDIR=$VARDIR"
 		echo "LIBEXEC=$g_libexec"
-		echo "SBINDIR=$g_sbindir"
+		[ -n "$g_lite" ] && ${VARDIR} ne /var/lib/$program && echo "LITEDIR=${VARDIR}"
 		echo "CONFDIR=${CONFDIR}"
 		[ -n "$g_lite" ] && [ ${VARDIR} != /var/lib/$g_program ] && echo "LITEDIR=${VARDIR}"
 	    else
 		echo "Default CONFIG_PATH is $CONFIG_PATH"
 		echo "Default VARDIR is /var/lib/$g_program"
 		echo "LIBEXEC is $g_libexec"
 		echo "SBINDIR is $g_sbindir"
 		echo "CONFDIR is ${CONFDIR}"
 		[ -n "$g_lite" ] && [ ${VARDIR} != /var/lib/$g_program ] && echo "LITEDIR is ${VARDIR}"
 	    fi
 	    ;;
@@ -941,10 +907,10 @@ show_command() {
 			    echo "forwardUPnP         # Allow traffic that upnpd has redirected from"
 			    echo "rejNotSyn           # Silently Reject Non-syn TCP packets"
-			    if [ -f ${g_confdir}/actions ]; then
+			    if [ -f ${CONFDIR}/actions ]; then
-				cat ${g_sharedir}/actions.std ${g_confdir}/actions | grep -Ev '^\#|^$'
+				cat ${SHAREDIR}/actions.std ${CONFDIR}/actions | grep -Ev '^\#|^$'
 			    else
-				grep -Ev '^\#|^$' ${g_sharedir}/actions.std
+				grep -Ev '^\#|^$' ${SHAREDIR}/actions.std
 			    fi
 			    return
@@ -1142,11 +1108,11 @@ do_dump_command() {
    echo "$g_product $SHOREWALL_VERSION Dump at $g_hostname - $(date)"
    echo
-    if [ $g_family -eq 6 ] && [ -f ${SHAREDIR}/shorewall/version ]; then
+    if [ $g_family -eq 6 ] && [ -f /usr/share/shorewall/version ]; then
-	echo "   Shorewall $(cat ${SHAREDIR}/shorewall/version)"
+	echo "   Shorewall $(cat /usr/share/shorewall/version)"
 	echo
    fi
-    show_status
+    
    show_reset
    host=$(echo $g_hostname | sed 's/\..*$//')
    $g_tool -L $g_ipt_options
@@ -1942,7 +1908,6 @@ determine_capabilities() {
    IPRANGE_MATCH=
    RECENT_MATCH=
    OWNER_MATCH=
    OWNER_NAME_MATCH=
    IPSET_MATCH=
    OLD_IPSET_MATCH=
    IPSET_V5=
@@ -1992,9 +1957,6 @@ determine_capabilities() {
    CT_TARGET=
    STATISTIC_MATCH=
    IMQ_TARGET=
    DSCP_MATCH=
    DSCP_TARGET=
    GEOIP_MATCH=
    chain=fooX$$
@@ -2082,11 +2044,6 @@ determine_capabilities() {
    qt $g_tool -A $chain -m recent --update -j ACCEPT     && RECENT_MATCH=Yes
    qt $g_tool -A $chain -m owner --uid-owner 0 -j ACCEPT && OWNER_MATCH=Yes
    local name
    name=$(id -un 2> /dev/null)
    [ -n "$name" ] && qt $g_tool -A $chain -m owner --uid-owner $name -j ACCEPT && OWNER_NAME_MATCH=Yes
    if qt $g_tool -A $chain -m connmark --mark 2  -j ACCEPT; then
 	CONNMARK_MATCH=Yes
 	qt $g_tool -A $chain -m connmark --mark 2/0xFF -j ACCEPT && XCONNMARK_MATCH=Yes
@@ -2124,14 +2081,10 @@ determine_capabilities() {
 	qt $g_tool -t mangle -A $chain -j CLASSIFY --set-class 1:1 && CLASSIFY_TARGET=Yes
 	qt $g_tool -t mangle -A $chain -j IPMARK --addr src && IPMARK_TARGET=Yes
 	qt $g_tool -t mangle -A $chain -p tcp -j TPROXY --on-port 0 --tproxy-mark 1 && TPROXY_TARGET=Yes
 	qt $g_tool -t mangle -A $chain -j IMQ --todev 0 && IMQ_TARGET=Yes
 	qt $g_tool -t mangle -A $chain -m dscp --dscp 0 && DSCP_MATCH=Yes
 	qt $g_tool -t mangle -A $chain -j DSCP --set-dscp 0 && DSCP_TARGET=Yes
 	qt $g_tool -t mangle -F $chain
 	qt $g_tool -t mangle -X $chain
 	qt $g_tool -t mangle -L FORWARD -n && MANGLE_FORWARD=Yes
 	qt $g_tool -t mangle -A $chain -j IMQ --todev 0 && IMQ_TARGET=Yes
    fi
    qt $g_tool -t raw	    -L -n && RAW_TABLE=Yes
@@ -2203,7 +2156,6 @@ determine_capabilities() {
    qt $g_tool -A $chain -j NFLOG && NFLOG_TARGET=Yes
    qt $g_tool -A $chain -j MARK --set-mark 5 && MARK_ANYWHERE=Yes
    qt $g_tool -A $chain -m statistic --mode nth --every 2 --packet 1 && STATISTIC_MATCH=Yes
    qt $g_tool -A $chain -m geoip --src-cc US && GEOIP_MATCH=Yes
    if [ $g_family -eq 4 ]; then
 	qt $g_tool -A $chain -j ACCOUNT --addr 192.168.1.0/29 --tname $chain && ACCOUNT_TARGET=Yes
@@ -2251,83 +2203,79 @@ report_capabilities() {
    if [ $VERBOSITY -gt 1 ]; then
 	echo "$g_product has detected the following iptables/netfilter capabilities:"
-	report_capability "NAT (NAT_ENABLED)" $NAT_ENABLED
+	report_capability "NAT" $NAT_ENABLED
-	report_capability "Packet Mangling (MANGLE_ENABLED)" $MANGLE_ENABLED
+	report_capability "Packet Mangling" $MANGLE_ENABLED
-	report_capability "Multi-port Match (MULTIPORT)" $MULTIPORT
+	report_capability "Multi-port Match" $MULTIPORT
-	[ -n "$MULTIPORT" ] && report_capability "Extended Multi-port Match (XMULIPORT)" $XMULTIPORT
+	[ -n "$MULTIPORT" ] && report_capability "Extended Multi-port Match" $XMULTIPORT
-	report_capability "Connection Tracking Match (CONNTRACK_MATCH)" $CONNTRACK_MATCH
+	report_capability "Connection Tracking Match" $CONNTRACK_MATCH
 	if [ -n "$CONNTRACK_MATCH" ]; then
-	    report_capability "Extended Connection Tracking Match Support (NEW_CONNTRACK_MATCH)" $NEW_CONNTRACK_MATCH
+	    report_capability "Extended Connection Tracking Match Support" $NEW_CONNTRACK_MATCH
-	    [ -n "$OLD_CONNTRACK_MATCH" ] && report_capability "Old Connection Tracking Match Syntax (OLD_CONNTRACK_MATCH)" $OLD_CONNTRACK_MATCH
+	    [ -n "$OLD_CONNTRACK_MATCH" ] && report_capability "Old Connection Tracking Match Syntax" $OLD_CONNTRACK_MATCH
 	fi
-	report_capability "Packet Type Match (USEPKTTYPE)" $USEPKTTYPE
+	report_capability "Packet Type Match" $USEPKTTYPE
-	report_capability "Policy Match (POLICY_MATCH)" $POLICY_MATCH
+	report_capability "Policy Match" $POLICY_MATCH
-	report_capability "Physdev Match (PHYSDEV_MATCH)" $PHYSDEV_MATCH
+	report_capability "Physdev Match" $PHYSDEV_MATCH
-	report_capability "Physdev-is-bridged Support (PHYSDEV_BRIDGE)" $PHYSDEV_BRIDGE
+	report_capability "Physdev-is-bridged Support" $PHYSDEV_BRIDGE
-	report_capability "Packet length Match (LENGTH_MATCH)" $LENGTH_MATCH
+	report_capability "Packet length Match" $LENGTH_MATCH
-	report_capability "IP range Match(IPRANGE_MATCH)" $IPRANGE_MATCH
+	report_capability "IP range Match" $IPRANGE_MATCH
-	report_capability "Recent Match (RECENT_MATCH)" $RECENT_MATCH
+	report_capability "Recent Match" $RECENT_MATCH
-	report_capability "Owner Match (OWNER_MATCH)" $OWNER_MATCH
+	report_capability "Owner Match" $OWNER_MATCH
 	report_capability "Owner Name Match (OWNER_NAME_MATCH)" $OWNER_NAME_MATCH
 	if [ -n "$IPSET_MATCH" ]; then
-	    report_capability "Ipset Match (IPSET_MATCH)" $IPSET_MATCH
+	    report_capability "Ipset Match" $IPSET_MATCH
-	    [ -n "$OLD_IPSET_MATCH" ] && report_capability "OLD_Ipset Match (OLD_IPSET_MATCH)" $OLD_IPSET_MATCH
+	    [ -n "$OLD_IPSET_MATCH" ] && report_capability "OLD_Ipset Match" $OLD_IPSET_MATCH
 	fi
-	report_capability "CONNMARK Target (CONNMARK)" $CONNMARK
+	report_capability "CONNMARK Target" $CONNMARK
-	[ -n "$CONNMARK" ] && report_capability "Extended CONNMARK Target (XCONNMARK)" $XCONNMARK
+	[ -n "$CONNMARK" ] && report_capability "Extended CONNMARK Target" $XCONNMARK
-	report_capability "Connmark Match (CONNMARK_MATCH)" $CONNMARK_MATCH
+	report_capability "Connmark Match" $CONNMARK_MATCH
-	[ -n "$CONNMARK_MATCH" ] && report_capability "Extended Connmark Match (XCONNMARK_MATCH)" $XCONNMARK_MATCH
+	[ -n "$CONNMARK_MATCH" ] && report_capability "Extended Connmark Match" $XCONNMARK_MATCH
-	report_capability "Raw Table (RAW_TABLE)" $RAW_TABLE
+	report_capability "Raw Table" $RAW_TABLE
-	report_capability "Rawpost Table (RAWPOST_TABLE)" $RAWPOST_TABLE
+	report_capability "Rawpost Table" $RAWPOST_TABLE
-	report_capability "IPP2P Match (IPP2P_MATCH)" $IPP2P_MATCH
+	report_capability "IPP2P Match" $IPP2P_MATCH
-	[ -n "$OLD_IPP2P_MATCH" ] && report_capability "Old IPP2P Match Syntax (OLD_IPP2P_MATCH)" $OLD_IPP2P_MATCH
+	[ -n "$OLD_IPP2P_MATCH" ] && report_capability "Old IPP2P Match Syntax" $OLD_IPP2P_MATCH
-	report_capability "CLASSIFY Target (CLASSIFY_TARGET)" $CLASSIFY_TARGET
+	report_capability "CLASSIFY Target" $CLASSIFY_TARGET
-	report_capability "Extended REJECT (ENHANCED_REJECT)" $ENHANCED_REJECT
+	report_capability "Extended REJECT" $ENHANCED_REJECT
-	report_capability "Repeat match (KLUDGEFREE)" $KLUDGEFREE
+	report_capability "Repeat match" $KLUDGEFREE
-	report_capability "MARK Target (MARK)" $MARK
+	report_capability "MARK Target" $MARK
-	[ -n "$MARK" ] && report_capability "Extended MARK Target (XMARK)" $XMARK
+	[ -n "$MARK" ] && report_capability "Extended MARK Target" $XMARK
-	[ -n "$XMARK" ] && report_capability "Extended MARK Target 2 (EXMARK)" $EXMARK
+	[ -n "$XMARK" ] && report_capability "Extended MARK Target 2" $EXMARK
-	report_capability "Mangle FORWARD Chain (MANGLE_FORWARD)" $MANGLE_FORWARD
+	report_capability "Mangle FORWARD Chain" $MANGLE_FORWARD
-	report_capability "Comments (COMMENTS)" $COMMENTS
+	report_capability "Comments" $COMMENTS
-	report_capability "Address Type Match (ADDRTYPE)" $ADDRTYPE
+	report_capability "Address Type Match" $ADDRTYPE
-	report_capability "TCPMSS Match (TCPMSS_MATCH)" $TCPMSS_MATCH
+	report_capability "TCPMSS Match" $TCPMSS_MATCH
-	report_capability "Hashlimit Match (HASHLIMIT_MATCH)" $HASHLIMIT_MATCH
+	report_capability "Hashlimit Match" $HASHLIMIT_MATCH
-	[ -n "$OLD_HL_MATCH" ] && report_capability "Old Hashlimit Match (OLD_HL_MATCH)" $OLD_HL_MATCH
+	[ -n "$OLD_HL_MATCH" ] && report_capability "Old Hashlimit Match" $OLD_HL_MATCH
-	report_capability "NFQUEUE Target (NFQUEUE_TARGET)" $NFQUEUE_TARGET
+	report_capability "NFQUEUE Target" $NFQUEUE_TARGET
-	report_capability "Realm Match (REALM_MATCH)" $REALM_MATCH
+	report_capability "Realm Match" $REALM_MATCH
-	report_capability "Helper Match (HELPER_MATCH)" $HELPER_MATCH
+	report_capability "Helper Match" $HELPER_MATCH
-	report_capability "Connlimit Match (CONNLIMIT_MATCH)" $CONNLIMIT_MATCH
+	report_capability "Connlimit Match" $CONNLIMIT_MATCH
-	report_capability "Time Match (TIME_MATCH)" $TIME_MATCH
+	report_capability "Time Match" $TIME_MATCH
-	report_capability "Goto Support (GOTO_TARGET)" $GOTO_TARGET
+	report_capability "Goto Support" $GOTO_TARGET
-	report_capability "LOGMARK Target (LOGMARK_TARGET)" $LOGMARK_TARGET
+	report_capability "LOGMARK Target" $LOGMARK_TARGET
-	report_capability "IPMARK Target (IPMARK_TARGET)" $IPMARK_TARGET
+	report_capability "IPMARK Target" $IPMARK_TARGET
-	report_capability "LOG Target (LOG_TARGET)" $LOG_TARGET
+	report_capability "LOG Target" $LOG_TARGET
-	report_capability "ULOG Target (ULOG_TARGET)" $ULOG_TARGET
+	report_capability "ULOG Target" $ULOG_TARGET
-	report_capability "NFLOG Target (NFLOG_TARGET)" $NFLOG_TARGET
+	report_capability "NFLOG Target" $NFLOG_TARGET
-	report_capability "Persistent SNAT (PERSISTENT_SNAT)" $PERSISTENT_SNAT
+	report_capability "Persistent SNAT" $PERSISTENT_SNAT
-	report_capability "TPROXY Target (TPROXY_TARGET)" $TPROXY_TARGET
+	report_capability "TPROXY Target" $TPROXY_TARGET
-	report_capability "FLOW Classifier (FLOW_FILTER)" $FLOW_FILTER
+	report_capability "FLOW Classifier" $FLOW_FILTER
-	report_capability "fwmark route mask (FWMARK_RT_MASK)" $FWMARK_RT_MASK
+	report_capability "fwmark route mask" $FWMARK_RT_MASK
-	report_capability "Mark in any table (MARK_ANYWHERE)" $MARK_ANYWHERE
+	report_capability "Mark in any table" $MARK_ANYWHERE
-	report_capability "Header Match (HEADER_MATCH)" $HEADER_MATCH
+	report_capability "Header Match" $HEADER_MATCH
-        report_capability "ACCOUNT Target (ACCOUNT_TARGET)" $ACCOUNT_TARGET
+        report_capability "ACCOUNT Target" $ACCOUNT_TARGET
-	report_capability "AUDIT Target (AUDIT_TARGET)" $AUDIT_TARGET
+	report_capability "AUDIT Target" $AUDIT_TARGET
-	report_capability "ipset V5 (IPSET_V5)" $IPSET_V5
+	report_capability "ipset V5" $IPSET_V5
-	report_capability "Condition Match (CONDITION_MATCH)" $CONDITION_MATCH
+	report_capability "Condition Match" $CONDITION_MATCH
-	report_capability "Statistic Match (STATISTIC_MATCH)" $STATISTIC_MATCH
+	report_capability "Statistic Match" $STATISTIC_MATCH
-	report_capability "IMQ Target (IMQ_TARGET)" $IMQ_TARGET
+	report_capability "IMQ Target" $IMQ_TARGET
 	report_capability "DSCP Match (DSCP_MATCH)" $DSCP_MATCH
 	report_capability "DSCP Target (DSCP_TARGET)" $DSCP_TARGET
 	report_capability "Geo IP match" $GEOIP_MATCH
 	if [ $g_family -eq 4 ]; then
-	    report_capability "iptables -S (IPTABLES_S)" $IPTABLES_S
+	    report_capability "iptables -S" $IPTABLES_S
 	else
-	    report_capability "ip6tables -S (IPTABLES_S)" $IPTABLES_S
+	    report_capability "ip6tables -S" $IPTABLES_S
 	fi
-	report_capability "Basic Filter (BASIC_FILTER)" $BASIC_FILTER
+	report_capability "Basic Filter" $BASIC_FILTER
-	report_capability "CT Target (CT_TARGET)" $CT_TARGET
+	report_capability "CT Target" $CT_TARGET
    fi
    [ -n "$PKTTYPE" ] || USEPKTTYPE=
@@ -2358,7 +2306,6 @@ report_capabilities1() {
    report_capability1 IPRANGE_MATCH
    report_capability1 RECENT_MATCH
    report_capability1 OWNER_MATCH
    report_capability1 OWNER_NAME_MATCH
    report_capability1 IPSET_MATCH
    report_capability1 OLD_IPSET_MATCH
    report_capability1 CONNMARK
@@ -2407,15 +2354,14 @@ report_capabilities1() {
    report_capability1 CT_TARGET
    report_capability1 STATISTIC_MATCH
    report_capability1 IMQ_TARGET
    report_capability1 DSCP_MATCH
    report_capability1 DSCP_TARGET
    report_capability1 GEOIP_MATCH
    echo CAPVERSION=$SHOREWALL_CAPVERSION
    echo KERNELVERSION=$KERNELVERSION
 }
-show_status() {
+status_command() {
    echo "${g_product}-$SHOREWALL_VERSION Status at $g_hostname - $(date)"
    echo
    if product_is_started ; then
 	echo "$g_product is running"
 	status=0
@@ -2435,12 +2381,6 @@ show_status() {
 	state=Unknown
    fi
    echo "State:$state"
 }
 status_command() {
    echo "${g_product}-$SHOREWALL_VERSION Status at $g_hostname - $(date)"
    echo
    show_status
    echo
    exit $status
 }
@@ -2996,12 +2936,14 @@ shorewall_cli() {
    g_annotate=
    g_recovering=
    g_timestamp=
    g_libexec=/usr/share
    g_perllib=/usr/share/shorewall
    g_shorewalldir=
    VERBOSE=
    VERBOSITY=
-    [ -n "$g_lite" ] || . ${g_basedir}/lib.cli-std
+    [ -n "$g_lite" ] || . /usr/share/shorewall/lib.cli-std
    finished=0
@@ -3106,7 +3048,7 @@ shorewall_cli() {
    PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
    MUTEX_TIMEOUT=
-    [ -f ${g_confdir}/vardir ] && . ${g_confdir}/vardir
+    [ -f ${CONFDIR}/vardir ] && . ${CONFDIR}/vardir
    [ -n "${VARDIR:=/var/lib/$g_program}" ]
@@ -3116,7 +3058,7 @@ shorewall_cli() {
    g_firewall=${VARDIR}/firewall
-    version_file=${g_sharedir}/version
+    version_file=$SHAREDIR/version
    if [ -f $version_file ]; then
 	SHOREWALL_VERSION=$(cat $version_file)
    else
--- a/Shorewall-core/lib.common
+++ b/Shorewall-core/lib.common
@@ -676,7 +676,7 @@ find_file()
 		fi
 	    done
-	    echo ${g_confdir}/$1
+	    echo ${CONFDIR}/$1
 	    ;;
    esac
 }
--- a/Shorewall-core/shorewallrc.apple
+++ b/Shorewall-core/shorewallrc.apple
@@ -1,20 +0,0 @@
 #
 # Apple OS X Shorewall 4.5 rc file
 #
 BUILD=apple
 HOST=apple
 PREFIX=/usr                            #Top-level directory for shared files, libraries, etc.
 SHAREDIR=${PREFIX}/share               #Directory for arch-neutral files.
 LIBEXECDIR=${PREFIX}/share             #Directory for executable scripts.
 PERLLIBDIR=${PREFIX}/share/shorewall   #Directory to install Shorewall Perl module directory
 CONFDIR=/etc                           #Directory where subsystem configurations are installed
 SBINDIR=/sbin                          #Directory where system administration programs are installed
 MANDIR=${SHAREDIR}/man                 #Directory where manpages are installed.
 INITDIR=                               #Unused on OS X
 INITFILE=                              #Unused on OS X
 INITSOURCE=                            #Unused on OS X
 ANNOTATED=                             #Unused on OS X
 SYSTEMD=                               #Unused on OS X
 SYSCONFDIR=                            #Unused on OS X
 SPARSE=Yes                             #Only install $PRODUCT/$PRODUCT.conf in $CONFDIR.
 VARDIR=/var/lib                        #Unused on OS X
--- a/Shorewall-core/shorewallrc.archlinux
+++ b/Shorewall-core/shorewallrc.archlinux
@@ -1,20 +0,0 @@
 #
 # Archlinux Shorewall 4.5 rc file
 #
 BUILD=archlinux
 HOST=archlinux
 PREFIX=/usr                            #Top-level directory for shared files, libraries, etc.
 SHAREDIR=${PREFIX}/share               #Directory for arch-neutral files.
 LIBEXECDIR=${PREFIX}/share             #Directory for executable scripts.
 PERLLIBDIR=${PREFIX}/share/shorewall   #Directory to install Shorewall Perl module directory
 CONFDIR=/etc                           #Directory where subsystem configurations are installed
 SBINDIR=/sbin                          #Directory where system administration programs are installed
 MANDIR=${SHAREDIR}/man                 #Directory where manpages are installed.
 INITDIR=/etc/rc.d                      #Directory where SysV init scripts are installed.
 INITFILE=$PRODUCT                      #Name of the product's installed SysV init script
 INITSOURCE=init.sh                     #Name of the distributed file to be installed as the SysV init script
 ANNOTATED=                             #If non-zero, annotated configuration files are installed
 SYSCONFDIR=                            #Directory where SysV init parameter files are installed
 SYSTEMD=                               #Directory where .service files are installed (systems running systemd only)
 SPARSE=                                #If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR
 VARDIR=/var/lib                        #Directory where product variable data is stored.
--- a/Shorewall-core/shorewallrc.cygwin
+++ b/Shorewall-core/shorewallrc.cygwin
@@ -1,20 +0,0 @@
 #
 # Cygwin Shorewall 4.5 rc file
 #
 BUILD=cygwin
 HOST=cygwin
 PREFIX=/usr                           #Top-level directory for shared files, libraries, etc.
 SHAREDIR=${PREFIX}/share              #Directory for arch-neutral files.
 LIBEXECDIR=${PREFIX}/share            #Directory for executable scripts.
 PERLLIBDIR=${PREFIX}/share/shorewall  #Directory to install Shorewall Perl module directory
 CONFDIR=/etc                          #Directory where subsystem configurations are installed
 SBINDIR=/bin                          #Directory where system administration programs are installed
 MANDIR=${SHAREDIR}/man                #Directory where manpages are installed.
 INITDIR=/etc/init.d                   #Unused on Cygwin
 INITFILE=                             #Unused on Cygwin
 INITSOURCE=                           #Unused on Cygwin
 ANNOTATED=                            #Unused on Cygwin
 SYSTEMD=                              #Unused on Cygwin
 SYSCONFDIR=                           #Unused on Cygwin
 SPARSE=Yes                            #Only install $PRODUCT/$PRODUCT.conf in $CONFDIR.
 VARDIR=/var/lib                       #Unused on Cygwin
--- a/Shorewall-core/shorewallrc.debian
+++ b/Shorewall-core/shorewallrc.debian
@@ -1,21 +0,0 @@
 #
 # Debian Shorewall 4.5 rc file
 #
 BUILD=                                  #Default is to detect the build system
 HOST=debian
 PREFIX=/usr                             #Top-level directory for shared files, libraries, etc.
 SHAREDIR=${PREFIX}/share                #Directory for arch-neutral files.
 LIBEXECDIR=${PREFIX}/share              #Directory for executable scripts.
 PERLLIBDIR=${PREFIX}/share/shorewall    #Directory to install Shorewall Perl module directory
 CONFDIR=/etc                            #Directory where subsystem configurations are installed
 SBINDIR=/sbin                           #Directory where system administration programs are installed
 MANDIR=${PREFIX}/share/man              #Directory where manpages are installed.
 INITDIR=/etc/init.d                     #Directory where SysV init scripts are installed.
 INITFILE=$PRODUCT                       #Name of the product's installed SysV init script
 INITSOURCE=init.debian.sh               #Name of the distributed file to be installed as the SysV init script
 ANNOTATED=                              #If non-zero, annotated configuration files are installed
 SYSCONFFILE=default.debian              #Name of the distributed file to be installed in $SYSCONFDIR
 SYSCONFDIR=/etc/default                 #Directory where SysV init parameter files are installed
 SYSTEMD=                                #Directory where .service files are installed (systems running systemd only)
 SPARSE=Yes                              #If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR
 VARDIR=/var/lib                         #Directory where product variable data is stored.
--- a/Shorewall-core/shorewallrc.default
+++ b/Shorewall-core/shorewallrc.default
@@ -1,21 +0,0 @@
 #
 # Default Shorewall 4.5 rc file
 #
 HOST=linux                              #Generic Linux
 BUILD=                                  #Default is to detect the build system
 PREFIX=/usr                             #Top-level directory for shared files, libraries, etc.
 SHAREDIR=${PREFIX}/share                #Directory for arch-neutral files.
 LIBEXECDIR=${PREFIX}/share              #Directory for executable scripts.
 PERLLIBDIR=${PREFIX}/share/shorewall    #Directory to install Shorewall Perl module directory
 CONFDIR=/etc                            #Directory where subsystem configurations are installed
 SBINDIR=/sbin                           #Directory where system administration programs are installed
 MANDIR=${PREFIX}/man                    #Directory where manpages are installed.
 INITDIR=etc/init.d                      #Directory where SysV init scripts are installed.
 INITFILE=$PRODUCT                       #Name of the product's installed SysV init script
 INITSOURCE=init.sh                      #Name of the distributed file to be installed as the SysV init script
 ANNOTATED=                              #If non-zero, annotated configuration files are installed
 SYSTEMD=                                #Directory where .service files are installed (systems running systemd only)
 SYSCONFFILE=                            #Name of the distributed file to be installed in $SYSCONFDIR
 SYSCONFDIR=                             #Directory where SysV init parameter files are installed
 SPARSE=                                 #If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR
 VARDIR=/var/lib                         #Directory where product variable data is stored.
--- a/Shorewall-core/shorewallrc.redhat
+++ b/Shorewall-core/shorewallrc.redhat
@@ -1,21 +0,0 @@
 #
 # RedHat/FedoraShorewall 4.5 rc file
 #
 BUILD=                                  #Default is to detect the build system
 HOST=redhat
 PREFIX=/usr                             #Top-level directory for shared files, libraries, etc.
 SHAREDIR=${PREFIX}/share                #Directory for arch-neutral files.
 LIBEXECDIR=${PREFIX}/libexec            #Directory for executable scripts.
 PERLLIBDIR=/usr/share/perl5/vendor_perl #Directory to install Shorewall Perl module directory
 CONFDIR=/etc                            #Directory where subsystem configurations are installed
 SBINDIR=/sbin                           #Directory where system administration programs are installed
 MANDIR=${SHAREDIR}/man                  #Directory where manpages are installed.
 INITDIR=/etc/rc.d/init.d                #Directory where SysV init scripts are installed.
 INITFILE=$PRODUCT                       #Name of the product's installed SysV init script
 INITSOURCE=init.fedora.sh               #Name of the distributed file to be installed as the SysV init script
 ANNOTATED=                              #If non-zero, annotated configuration files are installed
 SYSTEMD=/lib/systemd/system             #Directory where .service files are installed (systems running systemd only)
 SYSCONFFILE=sysconfig                   #Name of the distributed file to be installed as $SYSCONFDIR/$PRODUCT
 SYSCONFDIR=/etc/sysconfig/              #Directory where SysV init parameter files are installed
 SPARSE=                                 #If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR
 VARDIR=/var/lib                         #Directory where product variable data is stored.
--- a/Shorewall-core/shorewallrc.slackware
+++ b/Shorewall-core/shorewallrc.slackware
@@ -1,22 +0,0 @@
 #
 # Slackware Shorewall 4.5 rc file
 #
 BUILD=slackware
 HOST=slackware
 PREFIX=/usr                                #Top-level directory for shared files, libraries, etc.
 SHAREDIR=${PREFIX}/share                   #Directory for arch-neutral files.
 LIBEXECDIR=${PREFIX}/share                 #Directory for executable scripts.
 PERLLIBDIR=${PREFIX}/share/shorewall       #Directory to install Shorewall Perl module directory
 CONFDIR=/etc                               #Directory where subsystem configurations are installed
 SBINDIR=/sbin                              #Directory where system administration programs are installed
 MANDIR=${PREFIX}/man                       #Directory where manpages are installed.
 INITDIR=/etc/rc.d                          #Directory where SysV init scripts are installed.
 AUXINITSOURCE=init.slackware.firewall.sh   #Name of the distributed file to be installed as the SysV init script
 AUXINITFILE=rc.firewall                    #Name of the product's installed SysV init script
 INITSOURCE=init.slackware.$PRODUCT.sh      #Name of the distributed file to be installed as a second SysV init script
 INITFILE=rc.$PRODUCT                       #Name of the product's installed second init script
 SYSTEMD=                                   #Name of the directory where .service files are installed (systems running systemd only)
 SYSCONFFILE=                               #Name of the distributed file to be installed in $SYSCONFDIR
 SYSCONFDIR=                                #Name of the directory where SysV init parameter files are installed.
 ANNOTATED=                                 #If non-empty, install annotated configuration files
 VARDIR=/var/lib                            #Directory where product variable data is stored.
--- a/Shorewall-core/shorewallrc.suse
+++ b/Shorewall-core/shorewallrc.suse
@@ -1,21 +0,0 @@
 #
 # SuSE Shorewall 4.5 rc file
 #
 BUILD=                                                #Default is to detect the build system
 HOST=suse
 PREFIX=/usr                                           #Top-level directory for shared files, libraries, etc.
 CONFDIR=/etc                                          #Directory where subsystem configurations are installed
 SHAREDIR=${PREFIX}/share                              #Directory for arch-neutral files.
 LIBEXECDIR=${PREFIX}/lib                              #Directory for executable scripts.
 PERLLIBDIR=${PREFIX}/lib/perl5/vendor_perl/5.14.2     #Directory to install Shorewall Perl module directory
 SBINDIR=/sbin                                         #Directory where system administration programs are installed
 MANDIR=${SHAREDIR}/man/                               #Directory where manpages are installed.
 INITDIR=/etc/init.d                                   #Directory where SysV init scripts are installed.
 INITFILE=$PRODUCT                                     #Name of the product's SysV init script
 INITSOURCE=init.sh                                    #Name of the distributed file to be installed as the SysV init script
 ANNOTATED=                                            #If non-zero, annotated configuration files are installed
 SYSTEMD=                                              #Directory where .service files are installed (systems running systemd only)
 SYSCONFFILE=                                          #Name of the distributed file to be installed in $SYSCONFDIR
 SYSCONFDIR=/etc/sysconfig/                            #Directory where SysV init parameter files are installed
 SPARSE=                                               #If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR
 VARDIR=/var/lib                                       #Directory where persistent product data is stored.
--- a/Shorewall-core/uninstall.sh
+++ b/Shorewall-core/uninstall.sh
@@ -31,7 +31,7 @@ VERSION=xxx #The Build script inserts the actual version
 usage() # $1 = exit status
 {
    ME=$(basename $0)
-    echo "usage: $ME [ <shorewallrc file> ]"
+    echo "usage: $ME"
    exit $1
 }
@@ -60,37 +60,8 @@ remove_file() # $1 = file to restore
    fi
 }
-#
+if [ -f /usr/share/shorewall/coreversion ]; then
-# Read the RC file
+    INSTALLED_VERSION="$(cat /usr/share/shorewall/coreversion)"
 #
 if [ $# -eq 0 ]; then
    if [ -f ./shorewallrc ]; then
 	. ./shorewallrc
    elif [ -f ~/.shorewallrc ]; then
 	. ~/.shorewallrc || exit 1
 	file=./.shorewallrc
    elif [ -f /usr/share/shorewall/shorewallrc ]; then
 	. /usr/share/shorewall/shorewallrc
    else
 	fatal_error "No configuration file specified and /usr/share/shorewall/shorewallrc not found"
    fi
 elif [ $# -eq 1 ]; then
    file=$1
    case $file in
 	/*|.*)
 	    ;;
 	*)
 	    file=./$file
 	    ;;
    esac
    . $file
 else
    usage 1
 fi
 if [ -f ${SHAREDIR}/shorewall/coreversion ]; then
    INSTALLED_VERSION="$(cat ${SHAREDIR}/shorewall/coreversion)"
    if [ "$INSTALLED_VERSION" != "$VERSION" ]; then
 	echo "WARNING: Shorewall Core Version $INSTALLED_VERSION is installed"
 	echo "         and this is the $VERSION uninstaller."
@@ -101,9 +72,12 @@ else
    VERSION=""
 fi
 [ -n "${LIBEXEC:=/usr/share}" ]
 [ -n "${PERLLIB:=/usr/share/shorewall}" ]
 echo "Uninstalling Shorewall Core $VERSION"
-rm -rf ${SHAREDIR}/shorewall
+rm -rf /usr/share/shorewall
 echo "Shorewall Core Uninstalled"
--- a/Shorewall-init/ifupdown.sh
+++ b/Shorewall-init/ifupdown.sh
@@ -71,11 +71,6 @@ Debian_SuSE_ppp() {
 IFUPDOWN=0
 PRODUCTS=
 #
 # The installer may alter this
 #
 . /usr/share/shorewall/shorewallrc
 if [ -f /etc/default/shorewall-init ]; then
    . /etc/default/shorewall-init
 elif [ -f /etc/sysconfig/shorewall-init ]; then
@@ -187,19 +182,15 @@ else
 fi
 for PRODUCT in $PRODUCTS; do
-    #
+    VARDIR=/var/lib/$PRODUCT
-    # For backward compatibility, lib.base appends the product name to VARDIR
+    [ -f /etc/$PRODUCT/vardir ] && . /etc/$PRODUCT/vardir
-    # Save it here and restore it below
+    if [ -x $VARDIR/firewall ]; then
-    #
+	  ( . /usr/share/$PRODUCT/lib.base
    save_vardir=${VARDIR}
    if [ -x $VARDIR/$PRODUCT/firewall ]; then
 	  ( . ${SHAREDIR}/shorewall/lib.base
 	    mutex_on
 	    ${VARDIR}/firewall -V0 $COMMAND $INTERFACE || echo_notdone
 	    mutex_off
 	  )
    fi
    VARDIR=${save_vardir}
 done
 exit 0
--- a/Shorewall-init/init.debian.sh
+++ b/Shorewall-init/init.debian.sh
@@ -1,10 +1,10 @@
 #!/bin/sh
 #
-#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V4.5
+#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V4.4
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2010,2012 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2010 - Tom Eastep (teastep@shorewall.net)
 #
 #       On most distributions, this file should be called /etc/init.d/shorewall.
 #
@@ -62,15 +62,10 @@ not_configured () {
 	exit 0
 }
 #
 # The installer may alter this
 #
 . /usr/share/shorewall/shorewallrc
 # check if shorewall-init is configured or not
-if [ -f "$SYSCONFDIR/shorewall-init" ]
+if [ -f "/etc/default/shorewall-init" ]
 then
-	. $SYSCONFDIR/shorewall-init
+	. /etc/default/shorewall-init
 	if [ -z "$PRODUCTS" ]
 	then
 		not_configured
--- a/Shorewall-init/init.fedora.sh
+++ b/Shorewall-init/init.fedora.sh
@@ -13,15 +13,6 @@
 # Description:       Place the firewall in a safe state at boot time
 #                    prior to bringing up the network.  
 ### END INIT INFO
 #determine where the files were installed
 if [ -f ~/.shorewallrc ]; then
    . ~/.shorewallrc || exit 1
 else
    SBINDIR=/sbin
    SYSCONFDIR=/etc/default
    VARDIR=/var/lib
 fi
 prog="shorewall-init"
 logger="logger -i -t $prog"
 lockfile="/var/lock/subsys/shorewall-init"
@@ -53,8 +44,10 @@ start () {
    echo -n "Initializing \"Shorewall-based firewalls\": "
    for product in $PRODUCTS; do
-	if [ -x ${VARDIR}/$product/firewall ]; then
+	vardir=/var/lib/$product
-	    ${VARDIR}/$product/firewall stop 2>&1 | $logger
+	[ -f /etc/$product/vardir ] && . /etc/$product/vardir 
 	if [ -x ${vardir}/firewall ]; then
 	    ${vardir}/firewall stop 2>&1 | $logger
 	    retval=${PIPESTATUS[0]}
 	    [ retval -ne 0 ] && break
 	fi
@@ -77,8 +70,10 @@ stop () {
    echo -n "Clearing \"Shorewall-based firewalls\": "
    for product in $PRODUCTS; do
-	if [ -x ${VARDIR}/$product/firewall ]; then
+	vardir=/var/lib/$product
-	    ${VARDIR}/$product/firewall clear 2>&1 | $logger
+	[ -f /etc/$product/vardir ] && . /etc/$product/vardir 
 	if [ -x ${vardir}/firewall ]; then
 	    ${vardir}/firewall clear 2>&1 | $logger
 	    retval=${PIPESTATUS[0]}
 	    [ retval -ne 0 ] && break
 	fi
--- a/Shorewall-init/init.sh
+++ b/Shorewall-init/init.sh
@@ -1,9 +1,9 @@
 #! /bin/bash
-#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V4.5
+#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V4.4
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2010,2012 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2010 - Tom Eastep (teastep@shorewall.net)
 #
 #       On most distributions, this file should be called /etc/init.d/shorewall.
 #
@@ -53,11 +53,6 @@ else
 	exit 0
 fi
 #
 # The installer may alter this
 #
 . /usr/share/shorewall/shorewallrc
 # Initialize the firewall
 shorewall_start () {
  local PRODUCT
@@ -65,8 +60,10 @@ shorewall_start () {
  echo -n "Initializing \"Shorewall-based firewalls\": "
  for PRODUCT in $PRODUCTS; do
      VARDIR=/var/lib/$PRODUCT
      [ -f /etc/$PRODUCT/vardir ] && . /etc/$PRODUCT/vardir 
      if [ -x ${VARDIR}/firewall ]; then
-	  if ! ${SBIN}/$PRODUCT status > /dev/null 2>&1; then
+	  if ! /sbin/$PRODUCT status > /dev/null 2>&1; then
 	      ${VARDIR}/firewall stop || echo_notdone
 	  fi
      fi
@@ -86,6 +83,8 @@ shorewall_stop () {
  echo -n "Clearing \"Shorewall-based firewalls\": "
  for PRODUCT in $PRODUCTS; do
      VARDIR=/var/lib/$PRODUCT
      [ -f /etc/$PRODUCT/vardir ] && . /etc/$PRODUCT/vardir 
      if [ -x ${VARDIR}/firewall ]; then
 	  ${VARDIR}/firewall clear || exit 1
      fi
--- a/Shorewall-init/install.sh
+++ b/Shorewall-init/install.sh
@@ -28,18 +28,12 @@ VERSION=xxx #The Build script inserts the actual version.
 usage() # $1 = exit status
 {
    ME=$(basename $0)
-    echo "usage: $ME [ <configuration-file> ]"
+    echo "usage: $ME"
    echo "       $ME -v"
    echo "       $ME -h"
    exit $1
 }
 fatal_error() 
 {
    echo "   ERROR: $@" >&2
    exit 1
 }
 split() {
    local ifs
    ifs=$IFS
@@ -82,9 +76,9 @@ cant_autostart()
    echo  "WARNING: Unable to configure shorewall init to start automatically at boot" >&2
 }
-require() 
+delete_file() # $1 = file to delete
 {
-    eval [ -n "\$$1" ] || fatal_error "Required option $1 not set"
+    rm -f $1
 }
 install_file() # $1 = source $2 = target $3 = mode
@@ -92,201 +86,154 @@ install_file() # $1 = source $2 = target $3 = mode
    run_install $T $OWNERSHIP -m $3 $1 ${2}
 }
-cd "$(dirname $0)"
+[ -n "$DESTDIR" ] || DESTDIR="$PREFIX"
 PRODUCT=shorewall-init
 # DEST is the SysVInit script directory
 # INIT is the name of the script in the $DEST directory
 # ARGS is "yes" if we've already parsed an argument
 #
-# Parse the run line
+ARGS=""
 #
 finished=0
-while [ $finished -eq 0 ] ; do
+if [ -z "$DEST" ] ; then
 	DEST="/etc/init.d"
 fi
 if [ -z "$INIT" ] ; then
 	INIT="shorewall-init"
 fi
 while [ $# -gt 0 ] ; do
    case "$1" in
-	-*)
+	-h|help|?)
 	    option=${option#-}
 	    while [ -n "$option" ]; do
 		case $option in
 		    h)
 	    usage 0
 	    ;;
-		    v)
+        -v)
-			echo "Shorewall-init Firewall Installer Version $VERSION"
+	    echo "Shorewall Init Installer Version $VERSION"
 	    exit 0
 	    ;;
 	*)
 	    usage 1
 	    ;;
    esac
 	    done
    shift
-	    ;;
+    ARGS="yes"
 	*)
 	    finished=1
 	    ;;
    esac
 done
 #
 # Read the RC file
 #
 if [ $# -eq 0 ]; then
    #
    # Load packager's settings if any
    #
    if [ -f ./shorewallrc ]; then
 	. ./shorewallrc || exit 1
 	file=~/.shorewallrc
    elif [ -f ~/.shorewallrc ]; then
 	. ~/.shorewallrc || exit 1
 	file=./.shorewallrc
     else
 	fatal_error "No configuration file specified and ~/.shorewallrc not found"
    fi
 elif [ $# -eq 1 ]; then
    file=$1
    case $file in
 	/*|.*)
 	    ;;
 	*)
 	    file=./$file
 	    ;;
    esac
    . $file
 else
    usage 1
 fi
 for var in SHAREDIR LIBEXECDIR CONFDIR SBINDIR VARDIR; do
    require $var
 done
 PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
-if [ -z "$BUILD" ]; then
+[ -n "${LIBEXEC:=/usr/share}" ]
-    case $(uname) in
+
-	cygwin*)
+case "$LIBEXEC" in
-	    BUILD=cygwin
+    /*)
 	    ;;
 	Darwin)
 	    BUILD=apple
 	;;
    *)
-	    if [ -f /etc/debian_version ]; then
+	LIBEXEC=/usr/${LIBEXEC}
 		BUILD=debian
 	    elif [ -f /etc/redhat-release ]; then
 		BUILD=redhat
 	    elif [ -f /etc/SuSE-release ]; then
 		BUILD=suse
 	    elif [ -f /etc/slackware-version ] ; then
 		BUILD=slackware
 	    elif [ -f /etc/arch-release ] ; then
 		BUILD=archlinux
 	    else
 		BUILD=linux
 	    fi
 	;;
 esac
 fi
-[ -n "$OWNER" ] || OWNER=$(id -un)
+#
-[ -n "$GROUP" ] || GROUP=$(id -gn)
+# Determine where to install the firewall script
 #
-case $BUILD in
+case $(uname) in
-    apple)
+    Darwin)
 	[ -z "$OWNER" ] && OWNER=root
 	[ -z "$GROUP" ] && GROUP=wheel
 	T=
 	;;	
    debian|redhat|suse|slackware|archlinux)
 	;;
    *)
-	[ -n "$BUILD" ] && echo "ERROR: Unknown BUILD environment ($BUILD)" >&2 || echo "ERROR: Unknown BUILD environment"
+	[ -z "$OWNER" ] && OWNER=root
-	exit 1
+	[ -z "$GROUP" ] && GROUP=root
 	;;
 esac
 OWNERSHIP="-o $OWNER -g $GROUP"
 [ -n "$HOST" ] || HOST=$BUILD
 case "$HOST" in
    debian)
 	echo "Installing Debian-specific configuration..."
 	;;
    redhat|redhat)
 	echo "Installing Redhat/Fedora-specific configuration..."
 	;;
    slackware)
 	echo "Shorewall-init is currently not supported on Slackware" >&2
 	exit 1
 	;;
    archlinux)
 	echo "Shorewall-init is currently not supported on Arch Linux" >&2
 	exit 1
 	;;
    suse|suse)
 	echo "Installing SuSE-specific configuration..."
 	;;
    linux)
 	echo "ERROR: Shorewall-init is not supported on this system" >&2
 	;;
    *)
 	echo "ERROR: Unsupported HOST distribution: \"$HOST\"" >&2
 	exit 1;
 	;;
 esac
 [ -z "$TARGET" ] && TARGET=$HOST
 if [ -n "$DESTDIR" ]; then
    if [ `id -u` != 0 ] ; then
 	echo "Not setting file owner/group permissions, not running as root."
 	OWNERSHIP=""
    fi
-    install -d $OWNERSHIP -m 755 ${DESTDIR}${INITDIR}
+    install -d $OWNERSHIP -m 755 ${DESTDIR}${DEST}
 elif [ -f /etc/debian_version ]; then
    DEBIAN=yes
 elif [ -f /etc/SuSE-release ]; then
    SUSE=Yes
 elif [ -f /etc/redhat-release ]; then
    FEDORA=Yes
 elif [ -f /etc/slackware-version ] ; then
    echo "Shorewall-init is currently not supported on Slackware" >&2
    exit 1
 #   DEST="/etc/rc.d"
 #   INIT="rc.firewall"
 elif [ -f /etc/arch-release ] ; then
    echo "Shorewall-init is currently not supported on Arch Linux" >&2
    exit 1
 #   DEST="/etc/rc.d"
 #   INIT="shorewall-init"
 #   ARCHLINUX=yes
 elif [ -d /etc/sysconfig/network-scripts/ ]; then
    #
    # Assume RedHat-based
    #
    REDHAT=Yes
 else
    echo "Unknown distribution: Shorewall-init support is not available" >&2
    exit 1
 fi
 if [ -z "$DESTDIR" ]; then
    if [ -f /lib/systemd/system ]; then
 	SYSTEMD=Yes
    fi
 elif [ -n "$SYSTEMD" ]; then
    mkdir -p ${DESTDIR}/lib/systemd/system
 fi
 #
 # Change to the directory containing this script
 #
 cd "$(dirname $0)"
 echo "Installing Shorewall Init Version $VERSION"
 #
 # Check for /usr/share/shorewall-init/version
 #
-if [ -f ${DESTDIR}${SHAREDIR}/shorewall-init/version ]; then
+if [ -f ${DESTDIR}/usr/share/shorewall-init/version ]; then
    first_install=""
 else
    first_install="Yes"
 fi
 #
-# Install the Firewall Script
+# Install the Init Script
 #
-if [ -n "$INITFILE" ]; then
+if [ -z "$SYSTEMD" ]; then
-    install_file $INITSOURCE ${DESTDIR}${INITDIR}/$INITFILE 0544
+    if [ -n "$DEBIAN" ]; then
-    [ "${SHAREDIR}" = /usr/share ] || eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${INITDIR}/$INITFILE
+	install_file init.debian.sh ${DESTDIR}/etc/init.d/shorewall-init 0544
-    
+    elif [ -n "$FEDORA" ]; then
-    if [ -n "${AUXINITSOURCE}" ]; then
+	install_file init.fedora.sh ${DESTDIR}/etc/init.d/shorewall-init 0544
-	install_file $INITSOURCE ${DESTDIR}${INITDIR}/$AUXINITFILE 0544
+    #elif [ -n "$ARCHLINUX" ]; then
-    fi
+    #    install_file init.archlinux.sh ${DESTDIR}${DEST}/$INIT 0544
-
+    else
-    echo  "Shorewall-init script installed in ${DESTDIR}${INITDIR}/$INITFILE"
+	install_file init.sh ${DESTDIR}${DEST}/$INIT 0544
    fi
    echo  "Shorewall Init script installed in ${DESTDIR}${DEST}/$INIT"
 else
    #
    # Install the .service file
    #
-if [ -n "$SYSTEMD" ]; then
+    run_install $OWNERSHIP -m 600 shorewall-init.service ${DESTDIR}/lib/systemd/system/shorewall-init.service
-    mkdir -p ${DESTDIR}${SYSTEMD}
+    echo "Service file installed as ${DESTDIR}/lib/systemd/system/shorewall-init.service"
    run_install $OWNERSHIP -m 600 shorewall-init.service ${DESTDIR}${SYSTEMD}/shorewall-init.service
    echo "Service file installed as ${DESTDIR}${SYSTEMD}/shorewall-init.service"
    if [ -n "$DESTDIR" ]; then
-	mkdir -p ${DESTDIR}${SBINDIR}
+	mkdir -p ${DESTDIR}/sbin/
-        chmod 755 ${DESTDIR}${SBINDIR}
+	chmod 755 ${DESTDIR}/sbin/
 	run_install $OWNERSHIP -m 600 shorewall-init ${DESTDIR}/sbin/shorewall-init
 	echo "CLI installed as ${DESTDIR}/lib/systemd/system/shorewall-init.service"
    fi
    run_install $OWNERSHIP -m 700 shorewall-init ${DESTDIR}${SBINDIR}/shorewall-init
    echo "CLI installed as ${DESTDIR}${SBINDIR}/shorewall-init"
 fi
 #
@@ -306,10 +253,10 @@ chmod 644 ${DESTDIR}/usr/share/shorewall-init/version
 #
 if [ -z "$DESTDIR" ]; then
    rm -f /usr/share/shorewall-init/init
-    ln -s ${INITDIR}/${INITFILE} ${SHAREDIR}/shorewall-init/init
+    ln -s ${DEST}/${INIT} /usr/share/shorewall-init/init
 fi
-if [ $HOST = debian ]; then
+if [ -n "$DEBIAN" ]; then
    if [ -n "${DESTDIR}" ]; then
 	mkdir -p ${DESTDIR}/etc/network/if-up.d/
 	mkdir -p ${DESTDIR}/etc/network/if-post-down.d/
@@ -324,20 +271,20 @@ if [ $HOST = debian ]; then
    fi
 else
    if [ -n "$DESTDIR" ]; then
-	mkdir -p ${DESTDIR}${SYSCONFDIR}
+	mkdir -p ${DESTDIR}/etc/sysconfig
 	if [ -z "$RPM" ]; then
-	    if [ $HOST = suse ]; then
+	    if [ -n "$SUSE" ]; then
 		mkdir -p ${DESTDIR}/etc/sysconfig/network/if-up.d
-		mkdir -p ${DESTDIR}${SYSCONFDIR}/network/if-down.d
+		mkdir -p ${DESTDIR}/etc/sysconfig/network/if-down.d
 	    else
 		mkdir -p ${DESTDIR}/etc/NetworkManager/dispatcher.d
 	    fi
 	fi
    fi
-    if [ -d ${DESTDIR}${SYSCONFDIR} -a ! -f ${DESTDIR}${SYSCONFDIR}/shorewall-init ]; then
+    if [ -d ${DESTDIR}/etc/sysconfig -a ! -f ${DESTDIR}/etc/sysconfig/shorewall-init ]; then
-	install_file sysconfig ${DESTDIR}${SYSCONFDIR}/shorewall-init 0644
+	install_file sysconfig ${DESTDIR}/etc/sysconfig/shorewall-init 0644
    fi 
 fi
@@ -345,42 +292,32 @@ fi
 # Install the ifupdown script
 #
-cp ifupdown.sh ifupdown
+mkdir -p ${DESTDIR}${LIBEXEC}/shorewall-init
-d[ "${SHAREDIR}" = /usr/share ] || eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ifupdown
+install_file ifupdown.sh ${DESTDIR}${LIBEXEC}/shorewall-init/ifupdown 0544
 mkdir -p ${DESTDIR}${LIBEXECDIR}/shorewall-init
 install_file ifupdown ${DESTDIR}${LIBEXECDIR}/shorewall-init/ifupdown 0544
 if [ -d ${DESTDIR}/etc/NetworkManager ]; then
-    install_file ifupdown ${DESTDIR}/etc/NetworkManager/dispatcher.d/01-shorewall 0544
+    install_file ifupdown.sh ${DESTDIR}/etc/NetworkManager/dispatcher.d/01-shorewall 0544
 fi
-case $HOST in
+if [ -n "$DEBIAN" ]; then
-    debian)
+    install_file ifupdown.sh ${DESTDIR}/etc/network/if-up.d/shorewall 0544
-	install_file ifupdown ${DESTDIR}/etc/network/if-up.d/shorewall 0544
+    install_file ifupdown.sh ${DESTDIR}/etc/network/if-post-down.d/shorewall 0544
-	install_file ifupdown ${DESTDIR}/etc/network/if-post-down.d/shorewall 0544
+elif [ -n "$SUSE" ]; then
-	;;
+    install_file ifupdown.sh ${DESTDIR}/etc/sysconfig/network/if-up.d/shorewall 0544
-    suse)
+    install_file ifupdown.sh ${DESTDIR}/etc/sysconfig/network/if-down.d/shorewall 0544
-	if [ -z "$RPM" ]; then
+elif [ -n "$REDHAT" ]; then
-	    install_file ifupdown ${DESTDIR}${SYSCONFDIR}/network/if-up.d/shorewall 0544
+    if [ -f ${DESTDIR}/sbin/ifup-local -o -f ${DESTDIR}/sbin/ifdown-local ]; then
-	    install_file ifupdown ${DESTDIR}${SYSCONFDIR}/network/if-down.d/shorewall 0544
+	echo "WARNING: /sbin/ifup-local and/or /sbin/ifdown-local already exist; up/down events will not be handled"
    else
 	install_file ifupdown.sh ${DESTDIR}/sbin/ifup-local 0544
 	install_file ifupdown.sh ${DESTDIR}/sbin/ifdown-local 0544
    fi
 	;;
    redhat)
 	if [ -f ${DESTDIR}${SBINDIR}/ifup-local -o -f ${DESTDIR}${SBINDIR}/ifdown-local ]; then
 	    echo "WARNING: ${SBINDIR}/ifup-local and/or ${SBINDIR}/ifdown-local already exist; up/down events will not be handled"
 	elif [ -z "$DESTDIR" ]; then
 	    install_file ifupdown ${DESTDIR}${SBINDIR}/ifup-local 0544
 	    install_file ifupdown ${DESTDIR}${SBINDIR}/ifdown-local 0544
 fi
 	;;
 esac
 if [ -z "$DESTDIR" ]; then
    if [ -n "$first_install" ]; then
-	if [ $HOST = debian ]; then
+	if [ -n "$DEBIAN" ]; then
 	    update-rc.d shorewall-init defaults
@@ -390,54 +327,51 @@ if [ -z "$DESTDIR" ]; then
 		if systemctl enable shorewall-init; then
 		    echo "Shorewall Init will start automatically at boot"
 		fi
-	    elif [ -x ${SBINDIR}/insserv -o -x /usr${SBINDIR}/insserv ]; then
+	    elif [ -x /sbin/insserv -o -x /usr/sbin/insserv ]; then
-		if insserv ${INITDIR}/shorewall-init ; then
+		if insserv /etc/init.d/shorewall-init ; then
 		    echo "Shorewall Init will start automatically at boot"
 		else
 		    cant_autostart
 		fi
-	    elif [ -x ${SBINDIR}/chkconfig -o -x /usr${SBINDIR}/chkconfig ]; then
+	    elif [ -x /sbin/chkconfig -o -x /usr/sbin/chkconfig ]; then
 		if chkconfig --add shorewall-init ; then
 		    echo "Shorewall Init will start automatically in run levels as follows:"
 		    chkconfig --list shorewall-init
 		else
 		    cant_autostart
 		fi
-	    elif [ -x ${SBINDIR}/rc-update ]; then
+	    elif [ -x /sbin/rc-update ]; then
 		if rc-update add shorewall-init default; then
 		    echo "Shorewall Init will start automatically at boot"
 		else
 		    cant_autostart
 		fi
-	    else
+	    elif [ "$INIT" != rc.firewall ]; then #Slackware starts this automatically
 		cant_autostart
 	    fi
 	fi
    fi
 else
    if [ -n "$first_install" ]; then
-	if [ $HOST = debian ]; then
+	if [ -n "$DEBIAN" ]; then
 	    if [ -n "${DESTDIR}" ]; then
 		mkdir -p ${DESTDIR}/etc/rcS.d
 	    fi
-	    ln -sf ../init.d/shorewall-init ${DESTDIR}${CONFDIR}/rcS.d/S38shorewall-init
+	    ln -sf ../init.d/shorewall-init ${DESTDIR}/etc/rcS.d/S38shorewall-init
 	    echo "Shorewall Init will start automatically at boot"
 	fi
    fi
 fi
 [ -z "${DESTDIR}" ] && [ ! -f ~/.shorewallrc ] && cp ${SHAREDIR}/shorewall/shorewallrc .
 if [ -f ${DESTDIR}/etc/ppp ]; then
-    case $HOST in
+    if [ -n "$DEBIAN" ] -o -n "$SUSE" ]; then
 	debian|suse)
 	for directory in ip-up.d ip-down.d ipv6-up.d ipv6-down.d; do
 	    mkdir -p ${DESTDIR}/etc/ppp/$directory #SuSE doesn't create the IPv6 directories
-		cp -fp ${DESTDIR}${LIBEXECDIR}/shorewall-init/ifupdown ${DESTDIR}${CONFDIR}/ppp/$directory/shorewall
+	    cp -fp ${DESTDIR}${LIBEXEC}/shorewall-init/ifupdown ${DESTDIR}/etc/ppp/$directory/shorewall
 	done
-	    ;;
+    elif [ -n "$REDHAT" ]; then
 	redhat)
 	#
 	# Must use the dreaded ip_xxx.local file
 	#
@@ -445,18 +379,18 @@ if [ -f ${DESTDIR}/etc/ppp ]; then
 	    FILE=${DESTDIR}/etc/ppp/$file
 	    if [ -f $FILE ]; then
 		if fgrep -q Shorewall-based $FILE ; then
-			cp -fp ${DESTDIR}${LIBEXECDIR}/shorewall-init/ifupdown $FILE
+		    cp -fp ${DESTDIR}${LIBEXEC}/shorewall-init/ifupdown $FILE
 		else
 		    echo "$FILE already exists -- ppp devices will not be handled"
 		    break
 		fi
 	    else
-		    cp -fp ${DESTDIR}${LIBEXECDIR}/shorewall-init/ifupdown $FILE
+		cp -fp ${DESTDIR}${LIBEXEC}/shorewall-init/ifupdown $FILE
 	    fi
 	done
 	    ;;
    esac
    fi
 fi
 #
 #  Report Success
 #
--- a/Shorewall-init/shorewall-init
+++ b/Shorewall-init/shorewall-init
@@ -23,14 +23,15 @@
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 #########################################################################################
-#
+if [ "$(id -u)" != "0" ]
-# This is modified by the installer when ${SHAREDIR} <> /usr/share
+then
-#
+  echo "You must be root to start, stop or restart \"Shorewall \"."
-. /usr/share/shorewall/shorewallrc
+  exit 1
 fi
 # check if shorewall-init is configured or not
-if [ -f "$SYSCONFDIR/shorewall-init" ]; then
+if [ -f "/etc/sysconfig/shorewall-init" ]; then
-    . $SYSCONFDIR/shorewall-init
+    . /etc/sysconfig/shorewall-init
    if [ -z "$PRODUCTS" ]; then
        echo "ERROR: No products configured" >&2
 	exit 1
@@ -47,6 +48,8 @@ shorewall_start () {
  echo -n "Initializing \"Shorewall-based firewalls\": "
  for PRODUCT in $PRODUCTS; do
      VARDIR=/var/lib/$PRODUCT
      [ -f /etc/$PRODUCT/vardir ] && . /etc/$PRODUCT/vardir 
      if [ -x ${VARDIR}/firewall ]; then
 	  if ! /sbin/$PRODUCT status > /dev/null 2>&1; then
 	      ${VARDIR}/firewall stop || exit 1
@@ -54,10 +57,6 @@ shorewall_start () {
      fi
  done
  if [ -n "$SAVE_IPSETS" -a -f "$SAVE_IPSETS" ]; then
      ipset -R < "$SAVE_IPSETS"
  fi
  return 0
 }
@@ -75,13 +74,6 @@ shorewall_stop () {
      fi
  done
  if [ -n "$SAVE_IPSETS" ]; then
      mkdir -p $(dirname "$SAVE_IPSETS")
      if ipset -S > "${SAVE_IPSETS}.tmp"; then
 	  grep -qE -- '^(-N|create )' "${SAVE_IPSETS}.tmp" && mv -f "${SAVE_IPSETS}.tmp" "$SAVE_IPSETS"
      fi
  fi
  return 0
 }
--- a/Shorewall-init/uninstall.sh
+++ b/Shorewall-init/uninstall.sh
@@ -31,7 +31,7 @@ VERSION=xxx  #The Build script inserts the actual version
 usage() # $1 = exit status
 {
    ME=$(basename $0)
-    echo "usage: $ME [ <shorewallrc file> ]"
+    echo "usage: $ME"
    exit $1
 }
@@ -40,27 +40,6 @@ qt()
    "$@" >/dev/null 2>&1
 }
 split() {
    local ifs
    ifs=$IFS
    IFS=:
    set -- $1
    echo $*
    IFS=$ifs
 }
 mywhich() {
    local dir
    for dir in $(split $PATH); do
 	if [ -x $dir/$1 ]; then
 	    return 0
 	fi
    done
    return 2
 }
 remove_file() # $1 = file to restore
 {
    if [ -f $1 -o -L $1 ] ; then
@@ -69,37 +48,8 @@ remove_file() # $1 = file to restore
    fi
 }
-#
+if [ -f /usr/share/shorewall-init/version ]; then
-# Read the RC file
+    INSTALLED_VERSION="$(cat /usr/share/shorewall-init/version)"
 #
 if [ $# -eq 0 ]; then
    if [ -f ./shorewallrc ]; then
 	. ./shorewallrc
    elif [ -f ~/.shorewallrc ]; then
 	. ~/.shorewallrc || exit 1
 	file=./.shorewallrc
    elif [ -f /usr/share/shorewall/shorewallrc ]; then
 	. /usr/share/shorewall/shorewallrc
    else
 	fatal_error "No configuration file specified and /usr/share/shorewall/shorewallrc not found"
    fi
 elif [ $# -eq 1 ]; then
    file=$1
    case $file in
 	/*|.*)
 	    ;;
 	*)
 	    file=./$file
 	    ;;
    esac
    . $file || exit 1
 else
    usage 1
 fi
 if [ -f ${SHAREDIR}/shorewall-init/version ]; then
    INSTALLED_VERSION="$(cat ${SHAREDIR}/shorewall-init/version)"
    if [ "$INSTALLED_VERSION" != "$VERSION" ]; then
 	echo "WARNING: Shorewall Init Version $INSTALLED_VERSION is installed"
 	echo "         and this is the $VERSION uninstaller."
@@ -110,55 +60,56 @@ else
    VERSION=""
 fi
-[ -n "${LIBEXEC:=${SHAREDIR}}" ]
+[ -n "${LIBEXEC:=/usr/share}" ]
 echo "Uninstalling Shorewall Init $VERSION"
-INITSCRIPT=${CONFDIR}/init.d/shorewall-init
+INITSCRIPT=/etc/init.d/shorewall-init
-if [ -f "$INITSCRIPT" ]; then
+if [ -n "$INITSCRIPT" ]; then
-    if mywhich updaterc.d ; then
+    if [ -x /usr/sbin/updaterc.d ]; then
 	updaterc.d shorewall-init remove
-    elif mywhich insserv ; then
+    elif [ -x /sbin/insserv -o -x /usr/sbin/insserv ]; then
        insserv -r $INITSCRIPT
-    elif mywhich chkconfig ; then
+    elif [ -x /sbin/chkconfig -o -x /usr/sbin/chkconfig ]; then
 	chkconfig --del $(basename $INITSCRIPT)
-    elif mywhich systemctl ; then
+    elif [ -x /sbin/systemctl ]; then
 	systemctl disable shorewall-init
    else
 	rm -f /etc/rc*.d/*$(basename $INITSCRIPT)
    fi
    remove_file $INITSCRIPT
 fi
-[ "$(readlink -m -q ${SBINDIR}/ifup-local)"   = ${SHAREDIR}/shorewall-init ] && remove_file ${SBINDIR}/ifup-local
+[ "$(readlink -m -q /sbin/ifup-local)"   = /usr/share/shorewall-init ] && remove_file /sbin/ifup-local
-[ "$(readlink -m -q ${SBINDIR}/ifdown-local)" = ${SHAREDIR}/shorewall-init ] && remove_file ${SBINDIR}/ifdown-local
+[ "$(readlink -m -q /sbin/ifdown-local)" = /usr/share/shorewall-init ] && remove_file /sbin/ifdown-local
-remove_file ${CONFDIR}/default/shorewall-init
+remove_file /etc/default/shorewall-init
-remove_file ${CONFDIR}/sysconfig/shorewall-init
+remove_file /etc/sysconfig/shorewall-init
-remove_file ${CONFDIR}/NetworkManager/dispatcher.d/01-shorewall
+remove_file /etc/NetworkManager/dispatcher.d/01-shorewall
-remove_file ${CONFDIR}/network/if-up.d/shorewall
+remove_file /etc/network/if-up.d/shorewall
-remove_file ${CONFDIR}/network/if-down.d/shorewall
+remove_file /etc/network/if-down.d/shorewall
-remove_file ${CONFDIR}/sysconfig/network/if-up.d/shorewall
+remove_file /etc/sysconfig/network/if-up.d/shorewall
-remove_file ${CONFDIR}/sysconfig/network/if-down.d/shorewall
+remove_file /etc/sysconfig/network/if-down.d/shorewall
 remove_file /lib/systemd/system/shorewall.service
-[ -n "$SYSTEMD" ] && remove_file ${SYSTEMD}/shorewall.service
+if [ -d /etc/ppp ]; then
 if [ -d ${CONFDIR}/ppp ]; then
    for directory in ip-up.d ip-down.d ipv6-up.d ipv6-down.d; do
-	remove_file ${CONFDIR}/ppp/$directory/shorewall
+	remove_file /etc/ppp/$directory/shorewall
    done
    for file in if-up.local if-down.local; do
-	if fgrep -q Shorewall-based ${CONFDIR}/ppp/$FILE; then
+	if fgrep -q Shorewall-based /etc/ppp/$FILE; then
-	    remove_file ${CONFDIR}/ppp/$FILE
+	    remove_file /etc/ppp/$FILE
 	fi
    done
 fi
-rm -rf ${SHAREDIR}/shorewall-init
+rm -rf /usr/share/shorewall-init
 rm -rf ${LIBEXEC}/shorewall-init
 echo "Shorewall Init Uninstalled"
--- a/Shorewall-lite/Makefile
+++ b/Shorewall-lite/Makefile
@@ -3,16 +3,16 @@ VARDIR=$(shell /sbin/shorewall-lite show vardir)
 SHAREDIR=/usr/share/shorewall-lite
 RESTOREFILE?=.restore
-all: $(VARDIR)/$(RESTOREFILE)
+all: $(VARDIR)/${RESTOREFILE}
-$(VARDIR)/$(RESTOREFILE): $(VARDIR)/firewall
+$(VARDIR)/${RESTOREFILE}: $(VARDIR)/firewall
 	@/sbin/shorewall-lite -q save >/dev/null; \
 	if \
 	    /sbin/shorewall-lite -q restart >/dev/null 2>&1; \
 	then \
 	    /sbin/shorewall-lite -q save >/dev/null; \
 	else \
-	    /sbin/shorewall-lite -q restart 2>&1 | tail >&2; exit 1; \
+	    /sbin/shorewall-lite -q restart 2>&1 | tail >&2; \
 	fi
 # EOF
--- a/Shorewall-lite/init.debian.sh
+++ b/Shorewall-lite/init.debian.sh
@@ -57,23 +57,17 @@ not_configured () {
 	exit 0
 }
 #
 # The installer may alter this
 #
 . /usr/share/shorewall/shorewallrc
 # parse the shorewall params file in order to use params in
 # /etc/default/shorewall
-
+if [ -f "/etc/shorewall-lite/params" ]
 if [ -f "$CONFDIR/shorewall-lite/params" ]
 then
-	. $CONFDIR/shorewall-lite/params
+	. /etc/shorewall-lite/params
 fi
 # check if shorewall is configured or not
-if [ -f "$SYSCONFDIR/shorewall-lite" ]
+if [ -f "/etc/default/shorewall-lite" ]
 then
-	. $SYSCONFDIR/shorewall-lite
+	. /etc/default/shorewall-lite
 	SRWL_OPTS="$SRWL_OPTS $OPTIONS"
 	if [ "$startup" != "1" ]
 	then
--- a/Shorewall-lite/init.fedora.sh
+++ b/Shorewall-lite/init.fedora.sh
@@ -20,21 +20,16 @@
 # Source function library.
 . /etc/rc.d/init.d/functions
 #
 # The installer may alter this
 #
 . /usr/share/shorewall/shorewallrc
 prog="shorewall-lite"
-shorewall="${SBINDIR}/$prog"
+shorewall="/sbin/$prog"
 logger="logger -i -t $prog"
 lockfile="/var/lock/subsys/$prog"
 # Get startup options (override default)
 OPTIONS=
-if [ -f ${SYSCONFDIR}/$prog ]; then
+if [ -f /etc/sysconfig/$prog ]; then
-    . ${SYSCONFDIR}/$prog
+    . /etc/sysconfig/$prog
 fi
 start() {
--- a/Shorewall-lite/init.sh
+++ b/Shorewall-lite/init.sh
@@ -1,11 +1,11 @@
 #!/bin/sh
 RCDLINKS="2,S41 3,S41 6,K41"
 #
-#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V4.5
+#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V4.1
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 1999,2000,2001,2002,2003,2004,2005,2006,2007,2012 - Tom Eastep (teastep@shorewall.net)
+#     (c) 1999,2000,2001,2002,2003,2004,2005,2006,2007 - Tom Eastep (teastep@shorewall.net)
 #
 #	On most distributions, this file should be called /etc/init.d/shorewall.
 #
@@ -61,14 +61,10 @@ usage() {
 # Get startup options (override default)
 ################################################################################
 OPTIONS=
-
+if [ -f /etc/sysconfig/shorewall ]; then
-#
+    . /etc/sysconfig/shorewall
-# The installer may alter this
+elif [ -f /etc/default/shorewall ] ; then
-#
+    . /etc/default/shorewall
 . /usr/share/shorewall/shorewallrc
 if [ -f ${SYSCONFDIR}/shorewall-lite ]; then
    . ${SYSCONFDIR}/shorewall-lite
 fi
 SHOREWALL_INIT_SCRIPT=1
@@ -80,13 +76,13 @@ command="$1"
 case "$command" in
    start)
-	exec ${SBINDIR}/shorewall-lite $OPTIONS start $STARTOPTIONS
+	exec /sbin/shorewall-lite $OPTIONS start $STARTOPTIONS
 	;;
    restart|reload)
-	exec ${SBINDIR}/shorewall-lite $OPTIONS restart $RESTARTOPTIONS
+	exec /sbin/shorewall-lite $OPTIONS restart $RESTARTOPTIONS
 	;;
    status|stop)
-	exec ${SBINDIR}/shorewall-lite $OPTIONS $command $@
+	exec /sbin/shorewall-lite $OPTIONS $command $@
 	;;
    *)
 	usage
--- a/Shorewall-lite/install.sh
+++ b/Shorewall-lite/install.sh
@@ -27,18 +27,12 @@ VERSION=xxx #The Build script inserts the actual version
 usage() # $1 = exit status
 {
    ME=$(basename $0)
-    echo "usage: $ME [ <configuration-file> ]"
+    echo "usage: $ME"
    echo "       $ME -v"
    echo "       $ME -h"
    exit $1
 }
 fatal_error()
 {
    echo "   ERROR: $@" >&2
    exit 1
 }
 split() {
    local ifs
    ifs=$IFS
@@ -91,11 +85,6 @@ install_file() # $1 = source $2 = target $3 = mode
    run_install $T $OWNERSHIP -m $3 $1 ${2}
 }
 require()
 {
    eval [ -n "\$$1" ] || fatal_error "Required option $1 not set"
 }
 #
 # Change to the directory containing this script
 #
@@ -109,22 +98,28 @@ else
    Product="Shorewall6 Lite"
 fi
 [ -n "$DESTDIR" ] || DESTDIR="$PREFIX"
 #
 # Parse the run line
 #
-finished=0
+# DEST is the SysVInit script directory
 # INIT is the name of the script in the $DEST directory
 #
 if [ -z "$DEST" ] ; then
 	DEST="/etc/init.d"
 fi
-while [ $finished -eq 0 ] ; do
+if [ -z "$INIT" ] ; then
 	INIT="$PRODUCT"
 fi
 while [ $# -gt 0 ] ; do
    case "$1" in
-	-*)
+	-h|help|?)
 	    option=${option#-}
 	    while [ -n "$option" ]; do
 		case $option in
 		    h)
 	    usage 0
 	    ;;
-		    v)
+        -v)
 	    echo "$Product Firewall Installer Version $VERSION"
 	    exit 0
 	    ;;
@@ -132,93 +127,39 @@ while [ $finished -eq 0 ] ; do
 	    usage 1
 	    ;;
    esac
 	    done
    shift
 	    ;;
 	*)
 	    finished=1
 	    ;;
    esac
 done
-#
+PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
-# Read the RC file
+
-#
+[ -n "${LIBEXEC:=/usr/share}" ]
-if [ $# -eq 0 ]; then
+
-    if [ -f ./shorewallrc ]; then
+case "$LIBEXEC" in
-	. ./shorewallrc || exit 1
+    /*)
 	file=./shorewallrc
    elif [ -f ~/.shorewallrc ]; then
 	. ~/.shorewallrc
    elif [ -f /usr/share/shorewall/shorewallrc ]; then
 	. /usr/share/shorewall/shorewallrc
    else
 	fatal_error "No configuration file specified and /usr/share/shorewall/shorewallrc not found"
    fi
 elif [ $# -eq 1 ]; then
    file=$1
    case $file in
 	/*|.*)
 	;;
    *)
-	    file=./$file
+	LIBEXEC=/usr/${LIBEXEC}
 	;;
 esac
    . $file
 else
    usage 1
 fi
 for var in SHAREDIR LIBEXECDIRDIRDIR CONFDIR SBINDIR VARDIR; do
    require $var
 done
 PATH=${SBINDIR}:/bin:/usr${SBINDIR}:/usr/bin:/usr/local/bin:/usr/local${SBINDIR}
 #
 # Determine where to install the firewall script
 #
-cygwin=
+CYGWIN=
 INSTALLD='-D'
 INITFILE=$PRODUCT
 T='-T'
 if [ -z "$BUILD" ]; then
 case $(uname) in
-	cygwin*)
+    CYGWIN*)
-	    BUILD=cygwin
+	if [ -z "$DESTDIR" ]; then
-	    ;;
+	    DEST=
-	Darwin)
+	    INIT=
 	    BUILD=apple
 	    ;;
 	*)
 	    if [ -f ${CONFDIR}/debian_version ]; then
 		BUILD=debian
 	    elif [ -f ${CONFDIR}/redhat-release ]; then
 		BUILD=redhat
 	    elif [ -f ${CONFDIR}/SuSE-release ]; then
 		BUILD=suse
 	    elif [ -f ${CONFDIR}/slackware-version ] ; then
 		BUILD=slackware
 	    elif [ -f ${CONFDIR}/arch-release ] ; then
 		BUILD=archlinux
 	    else
 		BUILD=linux
 	    fi
 	    ;;
    esac
 	fi
 case $BUILD in
    cygwin*)
 	OWNER=$(id -un)
 	GROUP=$(id -gn)
 	;;
-    apple)
+    Darwin)
 	[ -z "$OWNER" ] && OWNER=root
 	[ -z "$GROUP" ] && GROUP=wheel
 	INSTALLD=
 	T=
 	;;	   
@@ -230,53 +171,28 @@ esac
 OWNERSHIP="-o $OWNER -g $GROUP"
 [ -n "$HOST" ] || HOST=$BUILD
 case "$HOST" in
    cygwin)
 	echo "$PRODUCT is not supported on Cygwin" >&2
 	exit 1
 	;;
    apple)
 	echo "$PRODUCT is not supported on OS X" >&2
 	exit 1
 	;;
    debian)
 	echo "Installing Debian-specific configuration..."
 	;;
    redhat)
 	echo "Installing Redhat/Fedora-specific configuration..."
 	;;
    slackware)
 	echo "Installing Slackware-specific configuration..."
 	;;
    archlinux)
 	echo "Installing ArchLinux-specific configuration..."
 	;;
    linux|suse)
 	;;
    *)
 	echo "ERROR: Unknown HOST \"$HOST\"" >&2
 	exit 1;
 	;;
 esac
 [ -z "$INITDIR" ] && INITDIR="${CONFDIR}/init.d"
 if [ -n "$DESTDIR" ]; then
    if [ `id -u` != 0 ] ; then
 	echo "Not setting file owner/group permissions, not running as root."
 	OWNERSHIP=""
    fi
-    install -d $OWNERSHIP -m 755 ${DESTDIR}/${SBINDIR}
+    install -d $OWNERSHIP -m 755 ${DESTDIR}/sbin
-    install -d $OWNERSHIP -m 755 ${DESTDIR}${INITDIR}
+    install -d $OWNERSHIP -m 755 ${DESTDIR}${DEST}
-
+elif [ -d /etc/apt -a -e /usr/bin/dpkg ]; then
-    if [ -n "$SYSTEMD" ]; then
+    DEBIAN=yes
-	mkdir -p ${DESTDIR}/lib/systemd/system
+elif [ -f /etc/redhat-release ]; then
-	INITFILE=
+    FEDORA=yes
 elif [ -f /etc/slackware-version ] ; then
    DEST="/etc/rc.d"
    INIT="rc.firewall"
 elif [ -f /etc/arch-release ] ; then
      DEST="/etc/rc.d"
      INIT="$PRODUCT"
      ARCHLINUX=yes
 fi
-else
+
 if [ -z "$DESTDIR" ]; then
    if [ ! -f /usr/share/shorewall/coreversion ]; then
 	echo "$PRODUCT $VERSION requires Shorewall Core which does not appear to be installed" >&2
 	exit 1
@@ -284,34 +200,35 @@ else
    if [ -f /lib/systemd/system ]; then
 	SYSTEMD=Yes
 	INITFILE=
    fi
 elif [ -n "$SYSTEMD" ]; then
    mkdir -p ${DESTDIR}/lib/systemd/system
 fi
 echo "Installing $Product Version $VERSION"
 #
-# Check for ${CONFDIR}/$PRODUCT
+# Check for /etc/$PRODUCT
 #
-if [ -z "$DESTDIR" -a -d ${CONFDIR}/$PRODUCT ]; then
+if [ -z "$DESTDIR" -a -d /etc/$PRODUCT ]; then
    if [ ! -f /usr/share/shorewall/coreversion ]; then
 	echo "$PRODUCT $VERSION requires Shorewall Core which does not appear to be installed" >&2
 	exit 1
    fi
-    [ -f ${CONFDIR}/$PRODUCT/shorewall.conf ] && \
+    [ -f /etc/$PRODUCT/shorewall.conf ] && \
-	mv -f ${CONFDIR}/$PRODUCT/shorewall.conf ${CONFDIR}/$PRODUCT/$PRODUCT.conf
+	mv -f /etc/$PRODUCT/shorewall.conf /etc/$PRODUCT/$PRODUCT.conf
 else
-    rm -rf ${DESTDIR}${CONFDIR}/$PRODUCT
+    rm -rf ${DESTDIR}/etc/$PRODUCT
    rm -rf ${DESTDIR}/usr/share/$PRODUCT
    rm -rf ${DESTDIR}/var/lib/$PRODUCT
-    [ "$LIBEXECDIR" = /usr/share ] || rm -rf ${DESTDIR}/usr/share/$PRODUCT/wait4ifup ${DESTDIR}/usr/share/$PRODUCT/shorecap
+    [ "$LIBEXEC" = /usr/share ] || rm -rf /usr/share/$PRODUCT/wait4ifup /usr/share/$PRODUCT/shorecap
 fi
 #
-# Check for ${SBINDIR}/$PRODUCT
+# Check for /sbin/$PRODUCT
 #
-if [ -f ${DESTDIR}${SBINDIR}/$PRODUCT ]; then
+if [ -f ${DESTDIR}/sbin/$PRODUCT ]; then
    first_install=""
 else
    first_install="Yes"
@@ -319,111 +236,113 @@ fi
 delete_file ${DESTDIR}/usr/share/$PRODUCT/xmodules
-install_file $PRODUCT ${DESTDIR}${SBINDIR}/$PRODUCT 0544
+install_file $PRODUCT ${DESTDIR}/sbin/$PRODUCT 0544
-echo "$Product control program installed in ${DESTDIR}${SBINDIR}/$PRODUCT"
+echo "$Product control program installed in ${DESTDIR}/sbin/$PRODUCT"
 #
-# Create ${CONFDIR}/$PRODUCT, /usr/share/$PRODUCT and /var/lib/$PRODUCT if needed
+# Install the Firewall Script
 #
-mkdir -p ${DESTDIR}${CONFDIR}/$PRODUCT
+if [ -n "$DEBIAN" ]; then
    install_file init.debian.sh ${DESTDIR}/etc/init.d/$PRODUCT 0544
 elif [ -n "$FEDORA" ]; then
    install_file init.fedora.sh ${DESTDIR}/etc/init.d/$PRODUCT 0544
 elif [ -n "$ARCHLINUX" ]; then
    install_file init.archlinux.sh ${DESTDIR}/${DEST}/$INIT 0544
 else
    install_file init.sh ${DESTDIR}/${DEST}/$INIT 0544
 fi
 echo  "$Product script installed in ${DESTDIR}${DEST}/$INIT"
 #
 # Create /etc/$PRODUCT, /usr/share/$PRODUCT and /var/lib/$PRODUCT if needed
 #
 mkdir -p ${DESTDIR}/etc/$PRODUCT
 mkdir -p ${DESTDIR}/usr/share/$PRODUCT
-mkdir -p ${DESTDIR}${LIBEXECDIR}/$PRODUCT
+mkdir -p ${DESTDIR}${LIBEXEC}/$PRODUCT
 mkdir -p ${DESTDIR}/var/lib/$PRODUCT
-chmod 755 ${DESTDIR}${CONFDIR}/$PRODUCT
+chmod 755 ${DESTDIR}/etc/$PRODUCT
 chmod 755 ${DESTDIR}/usr/share/$PRODUCT
 if [ -n "$DESTDIR" ]; then
-    mkdir -p ${DESTDIR}${CONFDIR}/logrotate.d
+    mkdir -p ${DESTDIR}/etc/logrotate.d
-    chmod 755 ${DESTDIR}${CONFDIR}/logrotate.d
+    chmod 755 ${DESTDIR}/etc/logrotate.d
    mkdir -p ${DESTDIR}${INITDIR}
    chmod 755 ${DESTDIR}${INITDIR}
 fi
 if [ -n "$INITFILE" ]; then
    initfile="${DESTDIR}/${INITDIR}/${INITFILE}"
    install_file ${INITSOURCE} "$initfile" 0544
    [ "${SHAREDIR}" = /usr/share ] || eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' "$initfile"
    echo  "$Product init script installed in $initfile"
 fi
 #
 # Install the .service file
 #
 if [ -n "$SYSTEMD" ]; then
-    run_install $OWNERSHIP -m 600 $PRODUCT.service ${DESTDIR}/${SYSTEMD}/$PRODUCT.service
+    run_install $OWNERSHIP -m 600 $PRODUCT.service ${DESTDIR}/lib/systemd/system/$PRODUCT.service
    echo "Service file installed as ${DESTDIR}/lib/systemd/system/$PRODUCT.service"
 fi
 #
 # Install the config file
 #
-if [ ! -f ${DESTDIR}${CONFDIR}/$PRODUCT/$PRODUCT.conf ]; then
+if [ ! -f ${DESTDIR}/etc/$PRODUCT/$PRODUCT.conf ]; then
-   install_file $PRODUCT.conf ${DESTDIR}${CONFDIR}/$PRODUCT/$PRODUCT.conf 0744
+   install_file $PRODUCT.conf ${DESTDIR}/etc/$PRODUCT/$PRODUCT.conf 0744
-   echo "Config file installed as ${DESTDIR}${CONFDIR}/$PRODUCT/$PRODUCT.conf"
+   echo "Config file installed as ${DESTDIR}/etc/$PRODUCT/$PRODUCT.conf"
 fi
-if [ $HOST = archlinux ] ; then
+if [ -n "$ARCHLINUX" ] ; then
-   sed -e 's!LOGFILE=/var/log/messages!LOGFILE=/var/log/messages.log!' -i ${DESTDIR}${CONFDIR}/$PRODUCT/$PRODUCT.conf
+   sed -e 's!LOGFILE=/var/log/messages!LOGFILE=/var/log/messages.log!' -i ${DESTDIR}/etc/$PRODUCT/$PRODUCT.conf
 fi
 #
 # Install the  Makefile
 #
-run_install $OWNERSHIP -m 0600 Makefile ${DESTDIR}${CONFDIR}/$PRODUCT
+run_install $OWNERSHIP -m 0600 Makefile ${DESTDIR}/etc/$PRODUCT
-[ $SHAREDIR = /usr/share ] || eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}/${CONFDIR}/$PRODUCT/Makefile
+echo "Makefile installed as ${DESTDIR}/etc/$PRODUCT/Makefile"
 [ $SBINDIR = /sbin ]       || eval sed -i \'s\|/sbin/\|${SBINDIR}/\|\'       ${DESTDIR}/${CONFDIR}/$PRODUCT/Makefile
 echo "Makefile installed as ${DESTDIR}${CONFDIR}/$PRODUCT/Makefile"
 #
 # Install the default config path file
 #
-install_file configpath ${DESTDIR}${SHAREDIR}/$PRODUCT/configpath 0644
+install_file configpath ${DESTDIR}/usr/share/$PRODUCT/configpath 0644
-echo "Default config path file installed as ${DESTDIR}${SHAREDIR}/$PRODUCT/configpath"
+echo "Default config path file installed as ${DESTDIR}/usr/share/$PRODUCT/configpath"
 #
 # Install the libraries
 #
 for f in lib.* ; do
    if [ -f $f ]; then
-	install_file $f ${DESTDIR}${SHAREDIR}/$PRODUCT/$f 0644
+	install_file $f ${DESTDIR}/usr/share/$PRODUCT/$f 0644
-	echo "Library ${f#*.} file installed as ${DESTDIR}/${SHAREDIR}/$PRODUCT/$f"
+	echo "Library ${f#*.} file installed as ${DESTDIR}/usr/share/$PRODUCT/$f"
    fi
 done
-ln -sf lib.base ${DESTDIR}${SHAREDIR}/$PRODUCT/functions
+ln -sf lib.base ${DESTDIR}/usr/share/$PRODUCT/functions
-echo "Common functions linked through ${DESTDIR}${SHAREDIR}/$PRODUCT/functions"
+echo "Common functions linked through ${DESTDIR}/usr/share/$PRODUCT/functions"
 #
 # Install Shorecap
 #
-install_file shorecap ${DESTDIR}${LIBEXECDIR}/$PRODUCT/shorecap 0755
+install_file shorecap ${DESTDIR}${LIBEXEC}/$PRODUCT/shorecap 0755
 echo
-echo "Capability file builder installed in ${DESTDIR}${LIBEXECDIR}/$PRODUCT/shorecap"
+echo "Capability file builder installed in ${DESTDIR}${LIBEXEC}/$PRODUCT/shorecap"
 #
 # Install the Modules files
 #
 if [ -f modules ]; then
-    run_install $OWNERSHIP -m 0600 modules ${DESTDIR}${SHAREDIR}/$PRODUCT
+    run_install $OWNERSHIP -m 0600 modules ${DESTDIR}/usr/share/$PRODUCT
-    echo "Modules file installed as ${DESTDIR}${SHAREDIR}/$PRODUCT/modules"
+    echo "Modules file installed as ${DESTDIR}/usr/share/$PRODUCT/modules"
 fi
 if [ -f helpers ]; then
-    run_install $OWNERSHIP -m 0600 helpers ${DESTDIR}${SHAREDIR}/$PRODUCT
+    run_install $OWNERSHIP -m 0600 helpers ${DESTDIR}/usr/share/$PRODUCT
-    echo "Helper modules file installed as ${DESTDIR}${SHAREDIR}/$PRODUCT/helpers"
+    echo "Helper modules file installed as ${DESTDIR}/usr/share/$PRODUCT/helpers"
 fi
 for f in modules.*; do
-    run_install $OWNERSHIP -m 0644 $f ${DESTDIR}${SHAREDIR}/$PRODUCT/$f
+    run_install $OWNERSHIP -m 0644 $f ${DESTDIR}/usr/share/$PRODUCT/$f
-    echo "Module file $f installed as ${DESTDIR}${SHAREDIR}/$PRODUCT/$f"
+    echo "Module file $f installed as ${DESTDIR}/usr/share/$PRODUCT/$f"
 done
 #
@@ -433,18 +352,18 @@ done
 if [ -d manpages ]; then
    cd manpages
-    [ -n "$INSTALLD" ] || mkdir -p ${DESTDIR}${SHAREDIR}/man/man5/ ${DESTDIR}${SHAREDIR}/man/man8/
+    [ -n "$INSTALLD" ] || mkdir -p ${DESTDIR}/usr/share/man/man5/ ${DESTDIR}/usr/share/man/man8/
    for f in *.5; do
 	gzip -c $f > $f.gz
-	run_install $T $INSTALLD $OWNERSHIP -m 0644 $f.gz ${DESTDIR}${SHAREDIR}/man/man5/$f.gz
+	run_install $T $INSTALLD $OWNERSHIP -m 0644 $f.gz ${DESTDIR}/usr/share/man/man5/$f.gz
-	echo "Man page $f.gz installed to ${DESTDIR}${SHAREDIR}/man/man5/$f.gz"
+	echo "Man page $f.gz installed to ${DESTDIR}/usr/share/man/man5/$f.gz"
    done
    for f in *.8; do
 	gzip -c $f > $f.gz
-	run_install $T $INSTALLD $OWNERSHIP -m 0644 $f.gz ${DESTDIR}${SHAREDIR}/man/man8/$f.gz
+	run_install $T $INSTALLD $OWNERSHIP -m 0644 $f.gz ${DESTDIR}/usr/share/man/man8/$f.gz
-	echo "Man page $f.gz installed to ${DESTDIR}${SHAREDIR}/man/man8/$f.gz"
+	echo "Man page $f.gz installed to ${DESTDIR}/usr/share/man/man8/$f.gz"
    done
    cd ..
@@ -452,81 +371,75 @@ if [ -d manpages ]; then
    echo "Man Pages Installed"
 fi
-if [ -d ${DESTDIR}${CONFDIR}/logrotate.d ]; then
+if [ -d ${DESTDIR}/etc/logrotate.d ]; then
-    run_install $OWNERSHIP -m 0644 logrotate ${DESTDIR}${CONFDIR}/logrotate.d/$PRODUCT
+    run_install $OWNERSHIP -m 0644 logrotate ${DESTDIR}/etc/logrotate.d/$PRODUCT
-    echo "Logrotate file installed as ${DESTDIR}${CONFDIR}/logrotate.d/$PRODUCT"
+    echo "Logrotate file installed as ${DESTDIR}/etc/logrotate.d/$PRODUCT"
 fi
 #
 # Create the version file
 #
-echo "$VERSION" > ${DESTDIR}${SHAREDIR}/$PRODUCT/version
+echo "$VERSION" > ${DESTDIR}/usr/share/$PRODUCT/version
-chmod 644 ${DESTDIR}${SHAREDIR}/$PRODUCT/version
+chmod 644 ${DESTDIR}/usr/share/$PRODUCT/version
 #
 # Remove and create the symbolic link to the init script
 #
 if [ -z "$DESTDIR" ]; then
-    rm -f ${SHAREDIR}/$PRODUCT/init
+    rm -f /usr/share/$PRODUCT/init
-    ln -s ${INITDIR}/${INITFILE} ${SHAREDIR}/$PRODUCT/init
+    ln -s ${DEST}/${INIT} /usr/share/$PRODUCT/init
 fi
-delete_file ${DESTDIR}${SHAREDIR}/$PRODUCT/lib.common
+delete_file ${DESTDIR}/usr/share/$PRODUCT/lib.common
-delete_file ${DESTDIR}${SHAREDIR}/$PRODUCT/lib.cli
+delete_file ${DESTDIR}/usr/share/$PRODUCT/lib.cli
-delete_file ${DESTDIR}${SHAREDIR}/$PRODUCT/wait4ifup
+delete_file ${DESTDIR}/usr/share/$PRODUCT/wait4ifup
-if [ -n "$SYSCONFFILE" -a ! -f ${DESTDIR}${SYSCONFDIR}/${PRODUCT} ]; then
+if [ -z "$DESTDIR" ]; then
    if [ ${DESTDIR} ]; then
 	mkdir -p ${DESTDIR}${SYSCONFDIR}
 	chmod 755 ${DESTDIR}${SYSCONFDIR}
    fi
    run_install $OWNERSHIP -m 0644 default.debian ${DESTDIR}${SYSCONFDIR}/${PRODUCT}
    echo "$SYSCONFFILE installed in ${DESTDIR}${SYSCONFDIR}/${PRODUCT}"
 fi
 if [ ${SHAREDIR} != /usr/share ]; then
    eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}/${SHAREDIR}/${PRODUCT}/lib.base
    eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}/${SBINDIR}/$PRODUCT
 fi
 if [ -z "$DESTDIR" -a -n "$first_install" -a -z "${cygwin}${mac}" ]; then
    if mywhich update-rc.d ; then
 	echo "$PRODUCT will start automatically at boot"
 	echo "Set startup=1 in ${SYSCONFDIR}/$PRODUCT to enable"
    touch /var/log/$PRODUCT-init.log
-	perl -p -w -i -e 's/^STARTUP_ENABLED=No/STARTUP_ENABLED=Yes/;s/^IP_FORWARDING=On/IP_FORWARDING=Keep/;s/^SUBSYSLOCK=.*/SUBSYSLOCK=/;' ${CONFDIR}/${PRODUCT}/${PRODUCT}.conf
+
-	update-rc.d $PRODUCT enable defaults
+    if [ -n "$first_install" ]; then
-    elif [ -n "$SYSTEMD" ]; then
+	if [ -n "$DEBIAN" ]; then
 	    run_install $OWNERSHIP -m 0644 default.debian /etc/default/$PRODUCT
 	    update-rc.d $PRODUCT defaults
 	    if [ -x /sbin/insserv ]; then
 		insserv /etc/init.d/$PRODUCT
 	    else
 		ln -s ../init.d/$PRODUCT /etc/rcS.d/S40$PRODUCT
 	    fi
 	    echo "$Product will start automatically at boot"
 	else
 	    if [ -n "$SYSTEMD" ]; then
 		if systemctl enable $PRODUCT; then
 		    echo "$Product will start automatically at boot"
 		fi
-    elif mywhich insserv; then
+	    elif [ -x /sbin/insserv -o -x /usr/sbin/insserv ]; then
-	if insserv ${INITDIR}/${INITFILE} ; then
+		if insserv /etc/init.d/$PRODUCT ; then
-	    echo "$PRODUCT will start automatically at boot"
+		    echo "$Product will start automatically at boot"
 	    echo "Set STARTUP_ENABLED=Yes in ${CONFDIR}/$PRODUCT/${PRODUCT}.conf to enable"
 		else
 		    cant_autostart
 		fi
-    elif mywhich chkconfig; then
+	    elif [ -x /sbin/chkconfig -o -x /usr/sbin/chkconfig ]; then
 		if chkconfig --add $PRODUCT ; then
-	    echo "$PRODUCT will start automatically in run levels as follows:"
+		    echo "$Product will start automatically in run levels as follows:"
 	    echo "Set STARTUP_ENABLED=Yes in ${CONFDIR}/$PRODUCT/${PRODUCT}.conf to enable"
 		    chkconfig --list $PRODUCT
 		else
 		    cant_autostart
 		fi
-    elif mywhich rc-update ; then
+	    elif [ -x /sbin/rc-update ]; then
 		if rc-update add $PRODUCT default; then
-	    echo "$PRODUCT will start automatically at boot"
+		    echo "$Product will start automatically at boot"
 	    echo "Set STARTUP_ENABLED=Yes in ${CONFDIR}/$PRODUCT/$PRODUCT.conf to enable"
 		else
 		    cant_autostart
 		fi
-    elif [ "$INITFILE" != rc.${PRODUCT} ]; then #Slackware starts this automatically
+	    elif [ "$INIT" != rc.firewall ]; then #Slackware starts this automatically
 		cant_autostart
 	    fi
 	fi
    fi
 fi
 #
 #  Report Success
--- a/Shorewall-lite/lib.base
+++ b/Shorewall-lite/lib.base
@@ -24,10 +24,11 @@
 g_program=shorewall-lite
 g_family=4
 #
 # This may be altered by the installer
 #
 g_basedir=/usr/share/shorewall
-. ${g_basedir}/lib.base
+[ -n "${VARDIR:=/var/lib/$g_program}" ]
 [ -n "${SHAREDIR:=/usr/share/$g_program}" ]
 [ -n "${CONFDIR:=/etc/$g_program}" ]
 . /usr/share/shorewall/lib.base
--- a/Shorewall-lite/manpages/shorewall-lite-vardir.xml
+++ b/Shorewall-lite/manpages/shorewall-lite-vardir.xml
@@ -1,6 +1,4 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
 "http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
 <refentry>
  <refmeta>
    <refentrytitle>shorewall-lite-vardir</refentrytitle>
@@ -36,28 +34,6 @@
    directory. If you add this file, you should copy the files from
    <filename>/var/lib/shorewall-lite</filename> to the new directory before
    performing a <command>shorewall-lite restart</command>.</para>
    <note>
      <para>Beginning with Shorewall 4.5.2, use of this file is deprecated in
      favor of specifying VARDIR in the <filename>shorewallrc</filename> file
      used during installation of Shorewall Core. While the name of the
      variable remains VARDIR, the meaning is slightly different. When set in
      shorewallrc, Shorewall Lite, will create a directory under the specified
      path name to hold state information.</para>
      <para>Example:</para>
      <blockquote>
        <para>VARDIR=<filename><filename>/opt/var/lib/</filename></filename></para>
        <para>The state directory for Shorewall Lite will be
        /opt/var/lib/shorewall-lite/.</para>
      </blockquote>
      <para> When VARDIR is set in /etc/shorewall-lite/vardir, Shorewall Lite
      will save its state in the <replaceable>directory</replaceable>
      specified.</para>
    </note>
  </refsect1>
  <refsect1>
--- a/Shorewall-lite/shorewall-lite
+++ b/Shorewall-lite/shorewall-lite
@@ -27,18 +27,6 @@
 ################################################################################################
 g_program=shorewall-lite
-#
+. /usr/share/shorewall/lib.cli
 # This is modified by the installer when ${SHAREDIR} != /usr/share
 #
 . /usr/share/shorewall/shorewallrc
 g_libexec="$LIBEXECDIR"
 g_sharedir="$SHAREDIR"/shorewall-lite
 g_sbindir="$SBINDIR"
 g_vardir="$VARDIR"
 g_confdir="$CONFDIR"/shorewall-lite
 g_readrc=1
 . ${SHAREDIR}/shorewall/lib.cli
 shorewall_cli $@
--- a/Shorewall-lite/uninstall.sh
+++ b/Shorewall-lite/uninstall.sh
@@ -31,7 +31,7 @@ VERSION=xxx  #The Build script inserts the actual version
 usage() # $1 = exit status
 {
    ME=$(basename $0)
-    echo "usage: $ME [ <shorewallrc file> ]"
+    echo "usage: $ME"
    exit $1
 }
@@ -40,25 +40,16 @@ qt()
    "$@" >/dev/null 2>&1
 }
-split() {
+restore_file() # $1 = file to restore
-    local ifs
+{
-    ifs=$IFS
+    if [ -f ${1}-shorewall.bkout ]; then
-    IFS=:
+	if (mv -f ${1}-shorewall-lite.bkout $1); then
-    set -- $1
+	    echo
-    echo $*
+	    echo "$1 restored"
-    IFS=$ifs
+        else
-}
+	    exit 1
-
+        fi
 mywhich() {
    local dir
    for dir in $(split $PATH); do
 	if [ -x $dir/$1 ]; then
 	    return 0
    fi
    done
    return 2
 }
 remove_file() # $1 = file to restore
@@ -69,37 +60,8 @@ remove_file() # $1 = file to restore
    fi
 }
-#
+if [ -f /usr/share/shorewall-lite/version ]; then
-# Read the RC file
+    INSTALLED_VERSION="$(cat /usr/share/shorewall-lite/version)"
 #
 if [ $# -eq 0 ]; then
    if [ -f ./shorewallrc ]; then
 	. ./shorewallrc
    elif [ -f ~/.shorewallrc ]; then
 	. ~/.shorewallrc || exit 1
 	file=./.shorewallrc
    elif [ -f /usr/share/shorewall/shorewallrc ]; then
 	. /usr/share/shorewall/shorewallrc
    else
 	fatal_error "No configuration file specified and /usr/share/shorewall/shorewallrc not found"
    fi
 elif [ $# -eq 1 ]; then
    file=$1
    case $file in
 	/*|.*)
 	    ;;
 	*)
 	    file=./$file
 	    ;;
    esac
    . $file
 else
    usage 1
 fi
 if [ -f ${SHAREDIR}/shorewall-lite/version ]; then
    INSTALLED_VERSION="$(cat ${SHAREDIR}/shorewall-lite/version)"
    if [ "$INSTALLED_VERSION" != "$VERSION" ]; then
 	echo "WARNING: Shorewall Lite Version $INSTALLED_VERSION is installed"
 	echo "         and this is the $VERSION uninstaller."
@@ -110,40 +72,49 @@ else
    VERSION=""
 fi
 [ -n "${LIBEXEC:=/usr/share}" ]
 echo "Uninstalling Shorewall Lite $VERSION"
-if qt iptables -L shorewall -n && [ ! -f ${SBINDIR}/shorewall ]; then
+if qt iptables -L shorewall -n && [ ! -f /sbin/shorewall ]; then
-   shorewall-lite clear
+   /sbin/shorewall-lite clear
 fi
-if [ -L ${SHAREDIR}/shorewall-lite/init ]; then
+if [ -L /usr/share/shorewall-lite/init ]; then
-    FIREWALL=$(readlink -m -q ${SHAREDIR}/shorewall-lite/init)
+    FIREWALL=$(readlink -m -q /usr/share/shorewall-lite/init)
-elIF [ -n "$INITFILE" ]; then
+else
-    FIREWALL=${INITDIR}/${INITFILE}
+    FIREWALL=/etc/init.d/shorewall-lite
 fi
-if [ -f "$FIREWALL" ]; then
+if [ -n "$FIREWALL" ]; then
-    if mywhich updaterc.d ; then
+    if [ -x /usr/sbin/updaterc.d ]; then
 	updaterc.d shorewall-lite remove
-    elif if mywhich insserv ; then
+    elif [ -x /sbin/insserv -o -x /usr/sbin/insserv ]; then
        insserv -r $FIREWALL
-    elif [ mywhich chkconfig ; then
+    elif [ -x /sbin/chkconfig -o -x /usr/sbin/chkconfig ]; then
 	chkconfig --del $(basename $FIREWALL)
-    elif mywhich systemctl ; then
+    elif [ -x /sbin/systemctl ]; then
 	systemctl disable shorewall-lite
    else
 	rm -f /etc/rc*.d/*$(basename $FIREWALL)
    fi
    remove_file $FIREWALL
    rm -f ${FIREWALL}-*.bkout
 fi
-rm -f ${SBINDIR}/shorewall-lite
+rm -f /sbin/shorewall-lite
 rm -f /sbin/shorewall-lite-*.bkout
-rm -rf ${SBINDIR}/shorewall-lite
+rm -rf /etc/shorewall-lite
-rm -rf ${VARDIR}/shorewall-lite
+rm -rf /etc/shorewall-lite-*.bkout
-rm -rf ${SHAREDIR}/shorewall-lite
+rm -rf /var/lib/shorewall-lite
 rm -rf /var/lib/shorewall-lite-*.bkout
 rm -rf /usr/share/shorewall-lite
 rm -rf ${LIBEXEC}/shorewall-lite
-rm -f  ${CONFDIR}/logrotate.d/shorewall-lite
+rm -rf /usr/share/shorewall-lite-*.bkout
-[ -n "$SYSTEMD" ] && rm -f  ${SYSTEMD}/shorewall-lite.service
+rm -f  /etc/logrotate.d/shorewall-lite
 rm -f  /lib/systemd/system/shorewall-lite.service
 echo "Shorewall Lite Uninstalled"
--- a/Shorewall/Macros/macro.Amanda
+++ b/Shorewall/Macros/macro.Amanda
@@ -11,7 +11,6 @@
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
 #				PORT(S)	PORT(S)	LIMIT	GROUP
 PARAM	-	-	udp	10080
 PARAM	-	-	tcp	10080
 #
 # You may also need this rule.  With AMANDA 2.4.4 on Linux kernel 2.6,
 # it should not be necessary to use this.  The ip_conntrack_amanda
--- a/Shorewall/Macros/macro.BLACKLIST
+++ b/Shorewall/Macros/macro.BLACKLIST
@@ -1,15 +0,0 @@
 #
 # Shorewall version 4 - blacklist Macro
 #
 # /usr/share/shorewall/macro.blacklist
 #
 #	This macro handles blacklisting using BLACKLIST_DISPOSITION and BLACKLIST_LOGLEVEL
 #
 ###############################################################################
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
 #				PORT(S)	PORT(S)	LIMIT	GROUP
 ?IF $BLACKLIST_LOGLEVEL
 blacklog
 ?ELSE
 $BLACKLIST_DISPOSITION
 ?ENDIF
--- a/Shorewall/Makefile
+++ b/Shorewall/Makefile
@@ -2,22 +2,20 @@
 VARDIR=$(shell /sbin/shorewall show vardir)
 CONFDIR=/etc/shorewall
 RESTOREFILE?=firewall
 all: $(VARDIR)/${RESTOREFILE}
-all: $(VARDIR)/$(RESTOREFILE)
+$(VARDIR)/${RESTOREFILE}: $(CONFDIR)/*
 $(VARDIR)/$(RESTOREFILE): $(CONFDIR)/*
 	@/sbin/shorewall -q save >/dev/null; \
 	if \
 	    /sbin/shorewall -q restart >/dev/null 2>&1; \
 	then \
 	    /sbin/shorewall -q save >/dev/null; \
 	else \
-	    /sbin/shorewall -q restart 2>&1 | tail >&2; exit 1; \
+	    /sbin/shorewall -q restart 2>&1 | tail >&2; \
 	fi
 clean:
 	@rm -f $(CONFDIR)/*~ $(CONFDIR)/.*~
 .PHONY: clean
 # EOF
--- a/Shorewall/Perl/.includepath
+++ b/Shorewall/Perl/.includepath
@@ -0,0 +1,3 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <includepath />
--- a/Shorewall/Perl/.project
+++ b/Shorewall/Perl/.project
@@ -0,0 +1,17 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <projectDescription>
 	<name>Shorewall</name>
 	<comment></comment>
 	<projects>
 	</projects>
 	<buildSpec>
 		<buildCommand>
 			<name>org.epic.perleditor.perlbuilder</name>
 			<arguments>
 			</arguments>
 		</buildCommand>
 	</buildSpec>
 	<natures>
 		<nature>org.epic.perleditor.perlnature</nature>
 	</natures>
 </projectDescription>
--- a/Shorewall/Perl/Shorewall/Accounting.pm
+++ b/Shorewall/Perl/Shorewall/Accounting.pm
@@ -322,7 +322,7 @@ sub process_accounting_rule( ) {
 	}
    }
-    set_optflags( $chainref, DONT_OPTIMIZE ) if $target eq 'RETURN';
+    dont_optimize( $chainref ) if $target eq 'RETURN';
    if ( $jumpchainref ) {
 	if ( $asection ) {
@@ -394,7 +394,7 @@ sub setup_accounting() {
 	my $nonEmpty = 0;
-	$nonEmpty |= process_accounting_rule while read_a_line( NORMAL_READ );
+	$nonEmpty |= process_accounting_rule while read_a_line;
 	clear_comment;
@@ -407,7 +407,7 @@ sub setup_accounting() {
 		}
 		if ( $tableref->{accounting} ) {
-		    set_optflags( 'accounting' , DONT_OPTIMIZE );
+		    dont_optimize( 'accounting' );
 		    for my $chain ( qw/INPUT FORWARD/ ) {
 			insert_ijump( $tableref->{$chain}, j => 'accounting', 0 );
 		    }
@@ -429,7 +429,7 @@ sub setup_accounting() {
 		    insert_ijump( $tableref->{POSTROUTING}, j => 'accountpost', 0 );
 		}
 	    } elsif ( $tableref->{accounting} ) {
-		set_optflags( 'accounting' , DONT_OPTIMIZE );
+		dont_optimize( 'accounting' );
 		for my $chain ( qw/INPUT FORWARD OUTPUT/ ) {
 		    insert_ijump( $tableref->{$chain}, j => 'accounting', 0 );
 		}
--- a/Shorewall/Perl/Shorewall/Chains.pm
+++ b/Shorewall/Perl/Shorewall/Chains.pm
--- a/Shorewall/Perl/Shorewall/Compiler.pm
+++ b/Shorewall/Perl/Shorewall/Compiler.pm
@@ -54,10 +54,10 @@ my $family;
 #
 # Initilize the package-globals in the other modules
 #
-sub initialize_package_globals( $$ ) {
+sub initialize_package_globals( $ ) {
-    Shorewall::Config::initialize($family, $_[1]);
+    Shorewall::Config::initialize($family);
    Shorewall::Chains::initialize ($family, 1, $export );
-    Shorewall::Zones::initialize ($family, $_[0]);
+    Shorewall::Zones::initialize ($family, shift);
    Shorewall::Nat::initialize;
    Shorewall::Providers::initialize($family);
    Shorewall::Tc::initialize($family);
@@ -71,7 +71,7 @@ sub initialize_package_globals( $$ ) {
 #
 # First stage of script generation.
 #
-#    Copy lib.core and lib.common to the generated script.
+#    Copy prog.header, lib.core and lib.common to the generated script.
 #    Generate the various user-exit jacket functions.
 #
 #    Note: This function is not called when $command eq 'check'. So it must have no side effects other
@@ -89,7 +89,13 @@ sub generate_script_1( $ ) {
 	    emit "#!$config{SHOREWALL_SHELL}\n#\n# Compiled firewall script generated by Shorewall $globals{VERSION} - $date\n#";
-	    copy  $globals{SHAREDIRPL} . '/lib.core', 0;
+	    if ( $family == F_IPV4 ) {
 		copy $globals{SHAREDIRPL} . 'prog.header';
 	    } else {
 		copy $globals{SHAREDIRPL} . 'prog.header6';
 	    }
 	    copy2 $globals{SHAREDIRPL} . '/lib.core', 0;
 	    copy2 $globals{SHAREDIRPL} . '/lib.common', 0;
 	}
@@ -148,9 +154,7 @@ sub generate_script_2() {
 	   '    #',
 	   '    # Be sure that umask is sane',
 	   '    #',
-	   '    umask 077' );
+	   '    umask 077',
    emit ( '',
 	   '    #',
 	   '    # These variables are required by the library functions called in this script',
 	   '    #'
@@ -158,63 +162,61 @@ sub generate_script_2() {
    push_indent;
    if ( $shorewallrc{TEMPDIR} ) {
 	emit( '',
 	      qq(TMPDIR="$shorewallrc{TEMPDIR}") ,
 	      q(export TMPDIR) );
    }
    if ( $family == F_IPV4 ) {
 	emit( 'g_family=4' );
 	if ( $export ) {
-	    emit ( qq(g_confdir=$shorewallrc{CONFDIR}/shorewall-lite),
+	    emit ( 'SHAREDIR=/usr/share/shorewall-lite',
 		   'CONFDIR=/etc/shorewall-lite',
 		   'g_product="Shorewall Lite"',
 		   'g_program=shorewall-lite',
 		   'g_basedir=/usr/share/shorewall-lite',
 		   qq(CONFIG_PATH="$shorewallrc{CONFDIR}/shorewall-lite:$shorewallrc{SHAREDIR}/shorewall-lite") ,
 		 );
 	} else {
-	    emit ( qq(g_confdir=$shorewallrc{CONFDIR}/shorewall),
+	    emit ( 'SHAREDIR=/usr/share/shorewall',
 		   'CONFDIR=/etc/shorewall',
 		   'g_product=Shorewall',
 		   'g_program=shorewall',
 		   'g_basedir=/usr/share/shorewall',
 		   qq(CONFIG_PATH="$config{CONFIG_PATH}") ,
 		 );
 	}
    } else {
 	emit( 'g_family=6' );
 	if ( $export ) {
-	    emit ( qq(g_confdir=$shorewallrc{CONFDIR}/shorewall6-lite),
+	    emit ( 'SHAREDIR=/usr/share/shorewall6-lite',
 		   'CONFDIR=/etc/shorewall6-lite',
 		   'g_product="Shorewall6 Lite"',
 		   'g_program=shorewall6-lite',
 		   'g_basedir=/usr/share/shorewall6',
 		   qq(CONFIG_PATH="$shorewallrc{CONFDIR}/shorewall6-lite:$shorewallrc{SHAREDIR}/shorewall6-lite") ,
 		 );
 	} else {
-	    emit ( qq(g_confdir=$shorewallrc{CONFDIR}/shorewall6),
+	    emit ( 'SHAREDIR=/usr/share/shorewall6',
 		   'CONFDIR=/etc/shorewall6',
 		   'g_product=Shorewall6',
 		   'g_program=shorewall6',
-		   'g_basedir=/usr/share/shorewall',
+		   'g_basedir=/usr/share/shorewall'
 		   qq(CONFIG_PATH="$config{CONFIG_PATH}") ,
 		 );
 	}
    }
-    emit( '[ -f ${g_confdir}/vardir ] && . ${g_confdir}/vardir' );
+    emit( '[ -f ${CONFDIR}/vardir ] && . ${CONFDIR}/vardir' );
    if ( $family == F_IPV4 ) {
 	if ( $export ) {
-	    emit ( '[ -n "${VARDIR:=' . $shorewallrc{VARDIR} . '/shorewall-lite}" ]' );
+	    emit ( 'CONFIG_PATH="/etc/shorewall-lite:/usr/share/shorewall-lite"' ,
 		   '[ -n "${VARDIR:=/var/lib/shorewall-lite}" ]' );
 	} else {
-	    emit ( '[ -n "${VARDIR:=' . $shorewallrc{VARDIR} . '/shorewall}" ]' );
+	    emit ( qq(CONFIG_PATH="$config{CONFIG_PATH}") ,
 		   '[ -n "${VARDIR:=/var/lib/shorewall}" ]' );
 	}
    } else {
 	if ( $export ) {
-	    emit ( '[ -n "${VARDIR:=' . $shorewallrc{VARDIR} . '/shorewall6-lite}" ]' );
+	    emit ( 'CONFIG_PATH="/etc/shorewall6-lite:/usr/share/shorewall6-lite"' ,
 		   '[ -n "${VARDIR:=/var/lib/shorewall6-lite}" ]' );
 	} else {
-	    emit ( '[ -n "${VARDIR:=' . $shorewallrc{VARDIR} . '/shorewall6}" ]' );
+	    emit ( qq(CONFIG_PATH="$config{CONFIG_PATH}") ,
 		   '[ -n "${VARDIR:=/var/lib/shorewall6}" ]' );
 	}
    }
@@ -354,7 +356,7 @@ sub generate_script_3($) {
 	    emit 'cat > ${VARDIR}/.modules << EOF';
 	    open_file $fn;
-	    emit_unindented $currentline while read_a_line( NORMAL_READ );
+	    emit_unindented $currentline while read_a_line;
 	    emit_unindented 'EOF';
 	    emit '', 'reload_kernel_modules < ${VARDIR}/.modules';
@@ -545,8 +547,8 @@ EOF
 #
 sub compiler {
-    my ( $scriptfilename, $directory, $verbosity, $timestamp , $debug, $chains , $log , $log_verbosity, $preview, $confess , $update , $annotate , $convert, $config_path, $shorewallrc ) =
+    my ( $scriptfilename, $directory, $verbosity, $timestamp , $debug, $chains , $log , $log_verbosity, $preview, $confess , $update , $annotate , $convert, $config_path ) =
-       ( '',              '',         -1,          '',          0,      '',       '',   -1,             0,        0,         0,        0,        , 0       , ''          , '');
+       ( '',              '',         -1,          '',          0,      '',       '',   -1,             0,        0,         0,        0,        , 0       , '');
    $export = 0;
    $test   = 0;
@@ -584,7 +586,6 @@ sub compiler {
 		  convert       => { store => \$convert,       validate=> \&validate_boolean    } ,
 		  annotate      => { store => \$annotate,      validate=> \&validate_boolean    } ,
 		  config_path   => { store => \$config_path } ,
 		  shorewallrc   => { store => \$shorewallrc } ,
 		);
    #
    #                               P A R A M E T E R    P R O C E S S I N G
@@ -602,7 +603,7 @@ sub compiler {
    #
    # Now that we know the address family (IPv4/IPv6), we can initialize the other modules' globals
    #
-    initialize_package_globals( $update, $shorewallrc );
+    initialize_package_globals( $update );
    set_config_path( $config_path ) if $config_path;
@@ -708,6 +709,10 @@ sub compiler {
    # Proxy Arp/Ndp
    #
    setup_proxy_arp;
    #
    # Handle MSS settings in the zones file
    #
    setup_zone_mss;
    if ( $scriptfilename || $debug ) {
 	emit 'return 0';
@@ -812,12 +817,12 @@ sub compiler {
 	optimize_level0;
-	if ( ( my $optimize = $config{OPTIMIZE} ) & 0x1E ) {
+	if ( $config{OPTIMIZE} & 0x1E ) {
 	    progress_message2 'Optimizing Ruleset...';
 	    #
 	    # Optimize Policy Chains
 	    #
-	    optimize_policy_chains if $optimize & 6 == 2; # Level 2 but not 4
+	    optimize_policy_chains if $config{OPTIMIZE} & 2;
 	    #
 	    # More Optimization
 	    #
--- a/Shorewall/Perl/Shorewall/Config.pm
+++ b/Shorewall/Perl/Shorewall/Config.pm
--- a/Shorewall/Perl/Shorewall/IPAddrs.pm
+++ b/Shorewall/Perl/Shorewall/IPAddrs.pm
@@ -76,7 +76,6 @@ our @EXPORT = qw( ALLIPv4
 		  proto_name
 		  validate_port
 		  validate_portpair
 		  validate_portpair1
 		  validate_port_list
 		  validate_icmp
 		  validate_icmp6
@@ -372,7 +371,6 @@ sub validate_port( $$ ) {
 sub validate_portpair( $$ ) {
    my ($proto, $portpair) = @_;
    my $what;
    fatal_error "Invalid port range ($portpair)" if $portpair =~ tr/:/:/ > 1;
@@ -381,57 +379,16 @@ sub validate_portpair( $$ ) {
    my @ports = split /:/, $portpair, 2;
-    my $protonum = resolve_proto( $proto ) || 0;
+    $_ = validate_port( $proto, $_) for ( grep $_, @ports );
    $_ = validate_port( $protonum, $_) for grep $_, @ports;
    if ( @ports == 2 ) {
 	$what = 'port range';
 	fatal_error "Invalid port range ($portpair)" unless $ports[0] < $ports[1];
    } else {
 	$what = 'port';
    }
    fatal_error "Using a $what ( $portpair ) requires PROTO TCP, UDP, SCTP or DCCP" unless
 	defined $protonum && ( $protonum == TCP  ||
 			       $protonum == UDP  ||
 			       $protonum == SCTP ||
 			       $protonum == DCCP );
    join ':', @ports;
 }
 sub validate_portpair1( $$ ) {
    my ($proto, $portpair) = @_;
    my $what;
    fatal_error "Invalid port range ($portpair)" if $portpair =~ tr/-/-/ > 1;
    $portpair = "0$portpair"       if substr( $portpair,  0, 1 ) eq ':';
    $portpair = "${portpair}65535" if substr( $portpair, -1, 1 ) eq ':';
    my @ports = split /-/, $portpair, 2;
    my $protonum = resolve_proto( $proto ) || 0;
    $_ = validate_port( $protonum, $_) for grep $_, @ports;
    if ( @ports == 2 ) {
 	$what = 'port range';
 	fatal_error "Invalid port range ($portpair)" unless $ports[0] < $ports[1];
    } else {
 	$what = 'port';
    }
    fatal_error "Using a $what ( $portpair ) requires PROTO TCP, UDP, SCTP or DCCP" unless
 	defined $protonum && ( $protonum == TCP  ||
 			       $protonum == UDP  ||
 			       $protonum == SCTP ||
 			       $protonum == DCCP );
    join '-', @ports;
 }
 sub validate_port_list( $$ ) {
    my $result = '';
    my ( $proto, $list ) = @_;
--- a/Shorewall/Perl/Shorewall/Misc.pm
+++ b/Shorewall/Perl/Shorewall/Misc.pm
@@ -67,25 +67,33 @@ sub process_tos() {
    my $chain    = have_capability( 'MANGLE_FORWARD' ) ? 'fortos'  : 'pretos';
    my $stdchain = have_capability( 'MANGLE_FORWARD' ) ? 'FORWARD' : 'PREROUTING';
    my %tosoptions = ( 'minimize-delay'       => 0x10 ,
 		       'maximize-throughput'  => 0x08 ,
 		       'maximize-reliability' => 0x04 ,
 		       'minimize-cost'        => 0x02 ,
 		       'normal-service'       => 0x00 );
    if ( my $fn = open_file 'tos' ) {
 	my $first_entry = 1;
 	my ( $pretosref, $outtosref );
-	first_entry( sub { progress_message2 "$doing $fn...";
+	first_entry( sub { progress_message2 "$doing $fn..."; $pretosref = ensure_chain 'mangle' , $chain; $outtosref = ensure_chain 'mangle' , 'outtos'; } );
 			   warning_message "Use of the tos file is deprecated in favor of the TOS target in tcrules";
 			   $pretosref = ensure_chain 'mangle' , $chain;
 			   $outtosref = ensure_chain 'mangle' , 'outtos';
 		       }
 		   );
-	while ( read_a_line( NORMAL_READ ) ) {
+	while ( read_a_line ) {
 	    my ($src, $dst, $proto, $ports, $sports , $tos, $mark ) = split_line 'tos file entry', { source => 0, dest => 1, proto => 2, dport => 3, sport => 4, tos => 5, mark => 6 } ;
 	    $first_entry = 0;
-	    $tos = decode_tos( $tos , 1 );
+	    fatal_error 'A value must be supplied in the TOS column' if $tos eq '-';
 	    if ( defined ( my $tosval = $tosoptions{"\L$tos"} ) ) {
 		$tos = $tosval;
 	    } else {
 		my $val = numeric_value( $tos );
 		fatal_error "Invalid TOS value ($tos)" unless defined( $val ) && $val < 0x1f;
 	    }
 	    my $chainref;
@@ -121,7 +129,7 @@ sub process_tos() {
 		$src ,
 		$dst ,
 		'' ,
-		'TOS' . $tos ,
+		"TOS --set-tos $tos" ,
 		'' ,
 		'TOS' ,
 		'';
@@ -149,9 +157,9 @@ sub setup_ecn()
 			   warning_message 'ECN will not be applied to forwarded packets' unless have_capability 'MANGLE_FORWARD';
 		       } );
-	while ( read_a_line( NORMAL_READ ) ) {
+	while ( read_a_line ) {
-	    my ($interface, $hosts ) = split_line1 'ecn file entry', { interface => 0, host => 1, hosts => 1 }, {}, 2;
+	    my ($interface, $hosts ) = split_line 'ecn file entry', { interface => 0, hosts => 1 };
 	    fatal_error 'INTERFACE must be specified' if $interface eq '-';
 	    fatal_error "Unknown interface ($interface)" unless known_interface $interface;
@@ -208,8 +216,8 @@ sub setup_blacklist() {
    # for 'refresh' to work properly.
    #
    if ( @$zones || @$zones1 ) {
-	$chainref  = set_optflags( new_standard_chain( 'blacklst' ), DONT_OPTIMIZE | DONT_DELETE ) if @$zones;
+	$chainref  = dont_delete new_standard_chain 'blacklst' if @$zones;
-	$chainref1 = set_optflags( new_standard_chain( 'blackout' ), DONT_OPTIMIZE | DONT_DELETE ) if @$zones1;
+	$chainref1 = dont_delete new_standard_chain 'blackout' if @$zones1;
 	if ( supplied $level ) {
 	    $target = ensure_blacklog_chain ( $target, $disposition, $level, $audit );
@@ -227,7 +235,7 @@ sub setup_blacklist() {
 	    first_entry "$doing $fn...";
-	    while ( read_a_line ( NORMAL_READ ) ) {
+	    while ( read_a_line ) {
 		if ( $first_entry ) {
 		    unless  ( @$zones || @$zones1 ) {
@@ -346,7 +354,7 @@ sub remove_blacklist( $ ) {
    open $newfile, '>', "$fn.new" or fatal_error "Unable to open $fn.new for output: $!";
-    while ( read_a_line( EMBEDDED_ENABLED | EXPAND_VARIABLES ) ) {
+    while ( read_a_line(1,1,0) ) {
 	my ( $rule, $comment ) = split '#', $currentline, 2;
 	if ( $rule =~ /blacklist/ ) {
@@ -396,7 +404,7 @@ sub convert_blacklist() {
 	first_entry "Converting $fn...";
-	while ( read_a_line( NORMAL_READ ) ) {
+	while ( read_a_line ) {
 	    my ( $networks, $protocol, $ports, $options ) = split_line 'blacklist file', { networks => 0, proto => 1, port => 2, options => 3 };
 	    if ( $options eq '-' ) {
@@ -468,7 +476,7 @@ sub convert_blacklist() {
 		open $blrules, '>',  $fn1 or fatal_error "Unable to open $fn1: $!";
 		print $blrules <<'EOF';
 #
-# Shorewall version 4.5 - Blacklist Rules File
+# Shorewall version 5 - Blacklist Rules File
 #
 # For information about entries in this file, type "man shorewall-blrules"
 #
@@ -554,7 +562,7 @@ sub process_routestopped() {
 	first_entry "$doing $fn...";
-	while ( read_a_line ( NORMAL_READ ) ) {
+	while ( read_a_line ) {
 	    my ($interface, $hosts, $options , $proto, $ports, $sports ) =
 		split_line 'routestopped file', { interface => 0, hosts => 1, options => 2, proto => 3, dport => 4, sport => 5 };
@@ -687,9 +695,9 @@ sub add_common_rules ( $ ) {
    my $rejectref = $filter_table->{reject};
    if ( $config{DYNAMIC_BLACKLIST} ) {
-	add_rule_pair( set_optflags( new_standard_chain( 'logdrop' )  , DONT_OPTIMIZE | DONT_DELETE ), '' , 'DROP'   , $level );
+	add_rule_pair dont_delete( new_standard_chain( 'logdrop' ) ),   '' , 'DROP'   , $level ;
-	add_rule_pair( set_optflags( new_standard_chain( 'logreject' ), DONT_OPTIMIZE | DONT_DELETE ), '' , 'reject' , $level );
+	add_rule_pair dont_delete( new_standard_chain( 'logreject' ) ), '' , 'reject' , $level ;
-	$dynamicref =  set_optflags( new_standard_chain( 'dynamic' ) ,  DONT_OPTIMIZE );
+	$dynamicref = dont_optimize( new_standard_chain( 'dynamic' ) );
 	add_commands( $dynamicref, '[ -f ${VARDIR}/.dynamic ] && cat ${VARDIR}/.dynamic >&3' );
    }
@@ -919,13 +927,6 @@ sub add_common_rules ( $ ) {
 		       p =>  "udp --dport $ports" ,
 		       imatch_dest_dev( $interface ) )
 		if get_interface_option( $interface, 'bridge' );
 	    unless ( $family == F_IPV6 || get_interface_option( $interface, 'allip' ) ) {
 		add_ijump( $filter_table->{input_chain( $interface ) } ,
 			   j => 'ACCEPT' ,
 			   p => "udp --dport $ports" ,
 			   s => NILIPv4 . '/32' );
 	    }
 	}
    }
@@ -993,7 +994,7 @@ sub add_common_rules ( $ ) {
 	if ( @$list ) {
 	    progress_message2 "$doing UPnP";
-	    $chainref = set_optflags( new_nat_chain( 'UPnP' ), DONT_OPTIMIZE );
+	    $chainref = dont_optimize new_nat_chain( 'UPnP' );
 	    add_commands( $chainref, '[ -s /${VARDIR}/.UPnP ] && cat ${VARDIR}/.UPnP >&3' );
@@ -1012,10 +1013,9 @@ sub add_common_rules ( $ ) {
 	    for $interface ( @$list ) {
 		my $chainref = $filter_table->{input_option_chain $interface};
 		my $base     = uc chain_base get_physical $interface;
-		my $optional = interface_is_optional( $interface );
+		my $variable = get_interface_gateway $interface;
 		my $variable = get_interface_gateway( $interface, ! $optional );
-		if ( $optional ) {
+		if ( interface_is_optional $interface ) {
 		    add_commands( $chainref,
 				  qq(if [ -n "SW_\$${base}_IS_USABLE" -a -n "$variable" ]; then) );
 		    incr_cmd_level( $chainref );
@@ -1097,7 +1097,7 @@ sub setup_mac_lists( $ ) {
 	    first_entry "$doing $fn...";
-	    while ( read_a_line( NORMAL_READ ) ) {
+	    while ( read_a_line ) {
 		my ( $original_disposition, $interface, $mac, $addresses  ) = split_line1 'maclist file', { disposition => 0, interface => 1, mac => 2, addresses => 3 };
@@ -1403,12 +1403,11 @@ sub add_interface_jumps {
 	if ( $interfaceref->{options}{port} ) {
 	    my $bridge = $interfaceref->{bridge};
 	    add_ijump ( $filter_table->{forward_chain $bridge},
 			j => 'ACCEPT',
 			imatch_source_dev( $interface, 1),
 			imatch_dest_dev( $interface, 1)
-		     ) unless $interfaceref->{nets};
+		     ) unless $interfaceref->{nets} || ! $interfaceref->{options}{bridge};
 	    add_ijump( $filter_table->{forward_chain $bridge} ,
 		       j => $forwardref , 
@@ -1477,26 +1476,22 @@ sub generate_matrix() {
    progress_message  '  Handling complex zones...';
    #
-    # Special processing for configurations with more than 2 off-firewall zones or with other special considerations like IPSEC.
+    # Special processing for complex configurations
    #
    for my $zone ( @zones ) {
 	my $zoneref = find_zone( $zone );
-	next if  @zones <= 2 && ! $zoneref->{complex};
+	next if  @zones <= 2 && ! $zoneref->{options}{complex};
 	#
-	# Complex zone or we have more than two off-firewall zones -- Shorewall::Rules::classic_blacklist created a zone forwarding chain
+	# Complex zone or we have more than one non-firewall zone -- process_rules created a zone forwarding chain
 	#
 	my $frwd_ref = $filter_table->{zone_forward_chain( $zone )};
 	assert( $frwd_ref, $zone );
 	#
 	# Add Zone mark if any
 	#
 	add_ijump( $frwd_ref , j => 'MARK --set-mark ' . in_hex( $zoneref->{mark} ) . '/' . in_hex( $globals{ZONE_MASK} ) ) if $zoneref->{mark};
 	if ( have_ipsec ) {
 	    #
-	    # Prior to KLUDGEFREE, policy match could only match an 'in' or an 'out' policy (but not both), so we place the
+	    # Because policy match only matches an 'in' or an 'out' policy (but not both), we have to place the
 	    # '--pol ipsec --dir in' rules at the front of the (interface) forwarding chains. Otherwise, decrypted packets
 	    # can match '--pol none --dir out' rules and send the packets down the wrong rules chain.
 	    #
@@ -1514,9 +1509,6 @@ sub generate_matrix() {
 			copy_rules( $sourcechainref, $frwd_ref, 1 ) unless $ipsec_jump_added{$zone}++;
 			$sourcechainref = $filter_table->{FORWARD};
 		    } elsif ( $interfaceref->{options}{port} ) {
 			#
 			# The forwarding chain for a bridge with ports is always used
 			#
 			add_ijump( $filter_table->{ forward_chain $interfaceref->{bridge} } ,
 				   j => $sourcechainref ,
 				   imatch_source_dev( $interface , 1 ) )
@@ -1526,9 +1518,6 @@ sub generate_matrix() {
 		    }
 		} else {
 		    if ( $interfaceref->{options}{port} ) {
 			#
 			# The forwarding chain for a bridge with ports is always used
 			#
 			$sourcechainref = $filter_table->{ forward_chain $interfaceref->{bridge} };
 			@interfacematch = imatch_source_dev $interface, 1;
 		    } else {
@@ -1571,12 +1560,13 @@ sub generate_matrix() {
 	my $source_hosts_ref = $zoneref->{hosts};
 	my $chain1           = rules_target firewall_zone , $zone;
 	my $chain2           = rules_target $zone, firewall_zone;
 	my $complex          = $zoneref->{options}{complex} || 0;
 	my $type             = $zoneref->{type};
 	my $frwd_ref         = $filter_table->{zone_forward_chain $zone};
 	my $chain            = 0;
 	my $dnatref          = ensure_chain 'nat' , dnat_chain( $zone );
 	my $notrackref       = ensure_chain 'raw' , notrack_chain( $zone );
-	my $nested           = @{$zoneref->{parents}};
+	my $nested           = $zoneref->{options}{nested};
 	my $parenthasnat     = 0;
 	my $parenthasnotrack = 0;
@@ -1854,6 +1844,8 @@ sub generate_matrix() {
 	    @dest_zones =  @zones ;
 	}
 	#
 	# Here it is -- THE BIG UGLY!!!!!!!!!!!!
 	#
 	# We now loop through the destination zones creating jumps to the rules chain for each source/dest combination.
 	# @dest_zones is the list of destination zones that we need to handle from this source zone
 	#
--- a/Shorewall/Perl/Shorewall/Nat.pm
+++ b/Shorewall/Perl/Shorewall/Nat.pm
@@ -54,8 +54,8 @@ sub initialize() {
 #
 sub process_one_masq( )
 {
-    my ($interfacelist, $networks, $addresses, $proto, $ports, $ipsec, $mark, $user, $condition ) =
+    my ($interfacelist, $networks, $addresses, $proto, $ports, $ipsec, $mark, $user ) = 
-	split_line1 'masq file', { interface => 0, source => 1, address => 2, proto => 3, port => 4, ipsec => 5, mark => 6, user => 7, switch => 8 };
+	split_line1 'masq file', { interface => 0, source => 1, address => 2, proto => 3, port => 4, ipsec => 5, mark => 6, user => 7 };
    if ( $interfacelist eq 'COMMENT' ) {
 	process_comment;
@@ -88,7 +88,7 @@ sub process_one_masq( )
 	$interfacelist = $1;
    } elsif ( $interfacelist =~ /^([^:]+):([^:]*)$/ ) {
 	my ( $one, $two ) = ( $1, $2 );
-	if ( $2 =~ /\./ || $2 =~ /^%/ ) {
+	if ( $2 =~ /\./ ) {
 	    $interfacelist = $one;
 	    $destnets = $two;
 	}
@@ -117,9 +117,9 @@ sub process_one_masq( )
    }
    #
-    # Handle Protocol, Ports and Condition
+    # Handle Protocol and Ports
    #
-    $baserule .= do_proto( $proto, $ports, '' ) . do_condition( $condition );
+    $baserule .= do_proto $proto, $ports, '';
    #
    # Handle Mark
    #
@@ -195,7 +195,7 @@ sub process_one_masq( )
 			    if ( $conditional = conditional_rule( $chainref, $addr ) ) {
 				$addrlist .= '--to-source ' . get_interface_address $1;
 			    } else {
-				$addrlist .= '--to-source ' . record_runtime_address( '&', $1 );
+				$addrlist .= '--to-source ' . record_runtime_address $1;
 			    }
 			} elsif ( $addr =~ /^.*\..*\..*\./ ) {
 			    $target = 'SNAT ';
@@ -210,7 +210,9 @@ sub process_one_masq( )
 			} else {
 			    my $ports = $addr; 
 			    $ports =~ s/^://;
-			    validate_portpair1( $proto, $ports );
+			    my $portrange = $ports;
 			    $portrange =~ s/-/:/;
 			    validate_portpair( $proto, $portrange );
 			    $addrlist .= "--to-ports $ports ";
 			    $exceptionrule = do_proto( $proto, '', '' );
 			}
@@ -276,7 +278,7 @@ sub setup_masq()
 	first_entry( sub { progress_message2 "$doing $fn..."; require_capability 'NAT_ENABLED' , 'a non-empty masq file' , 's'; } );
-	process_one_masq while read_a_line( NORMAL_READ );
+	process_one_masq while read_a_line;
 	clear_comment;
    }
@@ -373,7 +375,7 @@ sub setup_nat() {
 	first_entry( sub { progress_message2 "$doing $fn..."; require_capability 'NAT_ENABLED' , 'a non-empty nat file' , 's'; } );
-	while ( read_a_line( NORMAL_READ ) ) {
+	while ( read_a_line ) {
 	    my ( $external, $interfacelist, $internal, $allints, $localnat ) = split_line1 'nat file', { external => 0, interface => 1, internal => 2, allints => 3, local => 4 };
@@ -409,7 +411,7 @@ sub setup_netmap() {
 	first_entry "$doing $fn...";
-	while ( read_a_line( NORMAL_READ ) ) {
+	while ( read_a_line ) {
 	    my ( $type, $net1, $interfacelist, $net2, $net3, $proto, $dport, $sport ) = split_line 'netmap file', { type => 0, net1 => 1, interface => 2, net2 => 3, net3 => 4, proto => 5, dport => 6, sport => 7 };
--- a/Shorewall/Perl/Shorewall/Providers.pm
+++ b/Shorewall/Perl/Shorewall/Providers.pm
@@ -160,7 +160,9 @@ sub setup_route_marking() {
 	    my $chainref2 = new_chain( 'mangle', load_chain( $physical ) );
-	    set_optflags( $chainref2, DONT_OPTIMIZE | DONT_MOVE | DONT_DELETE );
+	    dont_optimize $chainref2;
 	    dont_move     $chainref2;
 	    dont_delete   $chainref2;
  	    add_ijump ( $chainref1,
 			j => $chainref2 ,
@@ -396,8 +398,8 @@ sub process_a_provider() {
 	$gateway = '';
    }
-    my ( $loose, $track,                   $balance , $default, $default_balance,                $optional,                           $mtu, $tproxy , $local, $load ) =
+    my ( $loose, $track,                   $balance , $default, $default_balance,                $optional,                           $mtu, $local , $load ) =
-	(0,      $config{TRACK_PROVIDERS}, 0 ,        0,        $config{USE_DEFAULT_RT} ? 1 : 0, interface_is_optional( $interface ), ''  , 0       , 0,      0 );
+	(0,      $config{TRACK_PROVIDERS}, 0 ,        0,        $config{USE_DEFAULT_RT} ? 1 : 0, interface_is_optional( $interface ), ''  , 0      , 0 );
    unless ( $options eq '-' ) {
 	for my $option ( split_list $options, 'option' ) {
@@ -435,12 +437,7 @@ sub process_a_provider() {
 		$default = -1;
 		$default_balance = 0;
 	    } elsif ( $option eq 'local' ) {
-		warning_message q(The 'local' provider option is deprecated in favor of 'tproxy');
+		$local = 1;
 		$local = $tproxy = 1;
 		$track  = 0           if $config{TRACK_PROVIDERS};
 		$default_balance = 0  if $config{USE_DEFAULT_RT};
 	    } elsif ( $option eq 'tproxy' ) {
 		$tproxy = 1;
 		$track = 0           if $config{TRACK_PROVIDERS};
 		$default_balance = 0 if $config{USE_DEFAULT_RT};
 	    } elsif ( $option =~ /^load=(0?\.\d{1,8})/ ) {
@@ -464,12 +461,7 @@ sub process_a_provider() {
 	fatal_error "GATEWAY not valid with 'local' provider" unless $gatewaycase eq 'none';
 	fatal_error "'track' not valid with 'local'"          if $track;
 	fatal_error "DUPLICATE not valid with 'local'"        if $duplicate ne '-';
-    } elsif ( $tproxy ) {
+	fatal_error "MARK required with 'local'"              unless $mark;
 	fatal_error "GATEWAY not valid with 'tproxy' provider" unless $gatewaycase eq 'none';
 	fatal_error "'track' not valid with 'tproxy'"          if $track;
 	fatal_error "DUPLICATE not valid with 'tproxy'"        if $duplicate ne '-';
 	fatal_error "MARK not allowed with 'tproxy'"           if $mark ne '-';
 	$mark = $globals{TPROXY_MARK};
    }
    my $val = 0;
@@ -481,10 +473,6 @@ sub process_a_provider() {
 	require_capability( 'MANGLE_ENABLED' , 'Provider marks' , '' );
 	if ( $tproxy && ! $local ) {
 	    $val = $globals{TPROXY_MARK};
 	    $pref = 1;
 	} else {
 	$val = numeric_value $mark;
 	fatal_error "Invalid Mark Value ($mark)" unless defined $val && $val;
@@ -499,10 +487,9 @@ sub process_a_provider() {
 	    fatal_error "Duplicate mark value ($mark)" if numeric_value( $providerref->{mark} ) == $val;
 	}
 	    $lastmark = $val;
 	$pref = 10000 + $number - 1;
-	}
+
 	$lastmark = $val;
    }
@@ -542,7 +529,6 @@ sub process_a_provider() {
 			   duplicate   => $duplicate ,
 			   address     => $address ,
 			   local       => $local ,
 			   tproxy      => $tproxy ,
 			   load        => $load ,
 			   rules       => [] ,
 			   routes      => [] ,
@@ -595,7 +581,6 @@ sub add_a_provider( $$ ) {
    my $duplicate   = $providerref->{duplicate};
    my $address     = $providerref->{address};
    my $local       = $providerref->{local};
    my $tproxy      = $providerref->{tproxy};
    my $load        = $providerref->{load};
    my $dev         = chain_base $physical;
@@ -617,7 +602,7 @@ sub add_a_provider( $$ ) {
 	$provider_interfaces{$interface} = $table;
 	if ( $gatewaycase eq 'none' ) {
-	    if ( $tproxy ) {
+	    if ( $local ) {
 		emit 'run_ip route add local ' . ALLIP . " dev $physical table $number";
 	    } else {
 		emit "run_ip route add default dev $physical table $number";
@@ -625,8 +610,7 @@ sub add_a_provider( $$ ) {
 	}
    }
-    emit( "echo $load > \${VARDIR}/${physical}_load",
+    emit( qq(echo $load > \${VARDIR}/${physical}_load) ) if $load;
 	  'echo ' . in_hex( $mark ) . '/' . in_hex( $globals{PROVIDER_MASK} ) . " > \${VARDIR}/${physical}_mark" ) if $load;
    emit( '', 
 	  "cat <<EOF >> \${VARDIR}/undo_${table}_routing" );
@@ -636,7 +620,6 @@ sub add_a_provider( $$ ) {
    emit_unindented '        ;;';
    emit_unindented '    *)';
    emit_unindented "        rm -f \${VARDIR}/${physical}_load" if $load;
    emit_unindented "        rm -f \${VARDIR}/${physical}_mark" if $load;
    emit_unindented <<"CEOF", 1;
        rm -f \${VARDIR}/${physical}.status
        ;;
@@ -649,13 +632,12 @@ CEOF
    setup_interface_proc( $interface );
    if ( $mark ne '-' ) {
-	my $hexmark = in_hex( $mark );
+	my $mask = have_capability 'FWMARK_RT_MASK' ? '/' . in_hex $globals{PROVIDER_MASK} : '';
 	my $mask = have_capability 'FWMARK_RT_MASK' ? '/' . in_hex( $globals{ $tproxy && ! $local ? 'TPROXY_MARK' : 'PROVIDER_MASK' } ) : '';
-	emit ( "qt \$IP -$family rule del fwmark ${hexmark}${mask}" ) if $config{DELETE_THEN_ADD};
+	emit ( "qt \$IP -$family rule del fwmark ${mark}${mask}" ) if $config{DELETE_THEN_ADD};
-	emit ( "run_ip rule add fwmark ${hexmark}${mask} pref $pref table $number",
+	emit ( "run_ip rule add fwmark ${mark}${mask} pref $pref table $number",
-	       "echo \"qt \$IP -$family rule del fwmark ${hexmark}${mask}\" >> \${VARDIR}/undo_${table}_routing"
+	       "echo \"qt \$IP -$family rule del fwmark ${mark}${mask}\" >> \${VARDIR}/undo_${table}_routing"
 	     );
    }
@@ -715,7 +697,7 @@ CEOF
 	  qq(    qt \$IP -6 rule add from all table ) . DEFAULT_TABLE . qq( prio 32767\n) ,
 	  qq(fi) ) if $family == F_IPV6;
-    unless ( $tproxy ) {
+    unless ( $local ) {
 	emit '';
 	if ( $loose ) {
@@ -779,7 +761,7 @@ CEOF
 		if ( $gateway ) {
 		    emit qq(add_gateway "via $gateway dev $physical $realm" ) . $tbl;
 		} else {
-		    emit qq(add_gateway "dev $physical $realm" ) . $tbl;
+		    emit qq(add_gateway "nexthop dev $physical $realm" ) . $tbl;
 		}
 	    }
 	    	} else {
@@ -881,8 +863,7 @@ CEOF
 		  "qt \$TC qdisc del dev $physical ingress\n" ) if $tcdevices->{$interface};
 	}
-	emit( "echo 1 > \${VARDIR}/${physical}.status",
+	emit( "progress_message2 \"   Provider $table ($number) stopped\"" );
 	      "progress_message2 \"   Provider $table ($number) stopped\"" );
 	pop_indent;
@@ -937,7 +918,7 @@ sub add_an_rtrule( ) {
    if ( $source eq '-' ) {
 	$source = 'from ' . ALLIP;
    } elsif ( $source =~ s/^&// ) {
-	$source = 'from ' . record_runtime_address '&', $source;
+	$source = 'from ' . record_runtime_address $source;
    } elsif ( $family == F_IPV4 ) {
 	if ( $source =~ /:/ ) {
 	    ( my $interface, $source , my $remainder ) = split( /:/, $source, 3 );
@@ -949,7 +930,7 @@ sub add_an_rtrule( ) {
 	    validate_net ( $source, 0 );
 	    $source = "from $source";
 	} else {
-	    $source = 'iif ' . physical_name $source;
+	    $source = "iif $source";
 	}
    } elsif ( $source =~  /^(.+?):<(.+)>\s*$/ ||  $source =~  /^(.+?):\[(.+)\]\s*$/ ) {
 	my ($interface, $source ) = ($1, $2);
@@ -960,7 +941,7 @@ sub add_an_rtrule( ) {
 	validate_net ( $source, 0 );
 	$source = "from $source";
    } else {
-	$source = 'iif ' . physical_name $source;
+	$source = "iif $source";
    }
    my $mark = '';
@@ -1042,11 +1023,11 @@ sub add_a_route( ) {
 sub setup_null_routing() {
    save_progress_message "Null Routing the RFC 1918 subnets";
-    emit "> \${VARDIR}/undo_rfc1918_routing\n";
+    emit "> \${VARDIR}undo_rfc1918_routing\n";
    for ( rfc1918_networks ) {
 	emit( qq(if ! \$IP -4 route ls | grep -q '^$_.* dev '; then),
-	      qq(    run_ip route replace blackhole $_),
+	      qq(    run_ip route replace unreachable $_),
-	      qq(    echo "qt \$IP -4 route del blackhole $_" >> \${VARDIR}/undo_rfc1918_routing),
+	      qq(    echo "qt \$IP -4 route del unreachable $_" >> \${VARDIR}/undo_rfc1918_routing),
 	      qq(fi\n) );
    }
 }
@@ -1135,10 +1116,6 @@ sub finish_providers() {
 	       '# We don\'t have any \'balance\' providers so we restore any default route that we\'ve saved',
 	       '#',
 	       "restore_default_route $config{USE_DEFAULT_RT}" ,
 	       '#',
 	       '# And delete any routes in the \'balance\' table',
 	       '#',
 	       "qt \$IP -$family route del default table " . BALANCE_TABLE,
 	       '' );
    }
@@ -1152,15 +1129,10 @@ sub finish_providers() {
 	}
 	emit( "    progress_message \"Fallback route '\$(echo \$FALLBACK_ROUTE | sed 's/\$\\s*//')' Added\"",
 	      'else',
 	      '#',
 	      '# We don\'t have any \'fallback\' providers so we delete any default routes in the default table',
 	      '#',
 	      "    while qt \$IP -$family route del default table " . DEFAULT_TABLE . '; do true; done',
 	      'fi',
 	      '' );
    } elsif ( $config{USE_DEFAULT_RT} ) {
-	emit "while qt \$IP -$family route del default table " . DEFAULT_TABLE . '; do true; done';
+	emit "qt \$IP -$family route del default table " . DEFAULT_TABLE;
    }
    unless ( $config{KEEP_RT_TABLES} ) {
@@ -1194,7 +1166,7 @@ sub process_providers( $ ) {
    if ( my $fn = open_file 'providers' ) {
 	first_entry "$doing $fn..."; 
-	process_a_provider, $providers++ while read_a_line( NORMAL_READ );
+	process_a_provider, $providers++ while read_a_line;
    }
    if ( $providers ) {
@@ -1213,7 +1185,7 @@ sub process_providers( $ ) {
 	    emit '';
-	    add_an_rtrule while read_a_line( NORMAL_READ );
+	    add_an_rtrule while read_a_line;
 	}
 	$fn = open_file 'routes';
@@ -1221,7 +1193,7 @@ sub process_providers( $ ) {
 	if ( $fn ) {
 	    first_entry "$doing $fn...";
 	    emit '';
-	    add_a_route while read_a_line( NORMAL_READ );
+	    add_a_route while read_a_line;
 	}
    }
--- a/Shorewall/Perl/Shorewall/Proxyarp.pm
+++ b/Shorewall/Perl/Shorewall/Proxyarp.pm
@@ -120,7 +120,7 @@ sub setup_proxy_arp() {
 	my ( %set, %reset );
-	while ( read_a_line( NORMAL_READ ) ) {
+	while ( read_a_line ) {
 	    my ( $address, $interface, $external, $haveroute, $persistent ) =
 		split_line $file_opt . 'file ', { address => 0, interface => 1, external => 2, haveroute => 3, persistent => 4 };
--- a/Shorewall/Perl/Shorewall/Raw.pm
+++ b/Shorewall/Perl/Shorewall/Raw.pm
@@ -130,7 +130,7 @@ sub setup_notrack() {
 	my $nonEmpty = 0;
-	while ( read_a_line( NORMAL_READ ) ) {
+	while ( read_a_line ) {	    
 	    my ( $source, $dest, $proto, $ports, $sports, $user );
 	    if ( $format == 1 ) {
--- a/Shorewall/Perl/Shorewall/Rules.pm
+++ b/Shorewall/Perl/Shorewall/Rules.pm
@@ -529,7 +529,7 @@ sub process_policies()
    if ( my $fn = open_file 'policy' ) {
 	first_entry "$doing $fn...";
-	process_a_policy while read_a_line( NORMAL_READ );
+	process_a_policy while read_a_line;
    } else {
 	fatal_error q(The 'policy' file does not exist or has zero size);
    }
@@ -963,7 +963,7 @@ sub createlogactionchain( $$$$$ ) {
    unless ( $targets{$action} & BUILTIN ) {
-	set_optflags( $chainref, DONT_OPTIMIZE );
+	dont_optimize $chainref;
 	my $file = find_file $chain;
@@ -997,7 +997,7 @@ sub createsimpleactionchain( $ ) {
    unless ( $targets{$action} & BUILTIN ) {
-	set_optflags( $chainref, DONT_OPTIMIZE );
+	dont_optimize $chainref;
 	my $file = find_file $action;
@@ -1306,7 +1306,7 @@ sub allowInvalid ( $$$$ ) {
 }
 sub forwardUPnP ( $$$$ ) {
-    my $chainref = set_optflags( 'forwardUPnP', DONT_OPTIMIZE );
+    my $chainref = dont_optimize 'forwardUPnP';
    add_commands( $chainref , '[ -f ${VARDIR}/.forwardUPnP ] && cat ${VARDIR}/.forwardUPnP >&3' );
 }
@@ -1394,7 +1394,7 @@ sub process_actions() {
    for my $file ( qw/actions.std actions/ ) {
 	open_file $file;
-	while ( read_a_line( NORMAL_READ ) ) {
+	while ( read_a_line ) {
 	    my ( $action ) = split_line 'action file' , { action => 0 };
 	    if ( $action =~ /:/ ) {
@@ -1454,7 +1454,7 @@ sub process_action( $) {
 	push_comment( '' );
-	while ( read_a_line( NORMAL_READ ) ) {
+	while ( read_a_line ) {
 	    my ($target, $source, $dest, $proto, $ports, $sports, $origdest, $rate, $user, $mark, $connlimit, $time, $headers, $condition );
@@ -1547,7 +1547,7 @@ sub process_macro ( $$$$$$$$$$$$$$$$$$ ) {
    push_open $macrofile;
-    while ( read_a_line( NORMAL_READ ) ) {
+    while ( read_a_line ) {
 	my ( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $morigdest, $mrate, $muser, $mmark, $mconnlimit, $mtime, $mheaders, $mcondition );
@@ -1589,7 +1589,7 @@ sub process_macro ( $$$$$$$$$$$$$$$$$$ ) {
 	my $actiontype = $targets{$action} || find_macro( $action );
-	fatal_error "Invalid Action ($mtarget) in macro" unless $actiontype & ( ACTION +  STANDARD + NATRULE + MACRO + CHAIN );
+	fatal_error "Invalid Action ($mtarget) in macro" unless $actiontype & ( ACTION +  STANDARD + NATRULE +  MACRO );
 	if ( $msource ) {
 	    if ( $msource eq '-' ) {
@@ -2238,7 +2238,7 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$ $) {
 	    }
 	}
-	set_optflags( $nonat_chain, DONT_MOVE | DONT_OPTIMIZE ) if $tgt eq 'RETURN';
+	dont_move( dont_optimize( $nonat_chain ) ) if $tgt eq 'RETURN';
 	expand_rule( $nonat_chain ,
 		     PREROUTE_RESTRICT ,
@@ -2262,7 +2262,7 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$ $) {
 	    $action = $usedactions{$normalized_target}{name};
 	    $loglevel = '';
 	} else {
-	    set_optflags( $chainref , DONT_MOVE | DONT_OPTIMIZE ) if $action eq 'RETURN';
+	    dont_move( dont_optimize ( $chainref ) ) if $action eq 'RETURN';
 	}
 	if ( $origdest ) {
@@ -2458,12 +2458,6 @@ sub process_rule ( ) {
    progress_message qq(   Rule "$thisline" $done);
 }
 sub intrazone_allowed( $$ ) {
    my ( $zone, $zoneref ) = @_;
    $zoneref->{complex} && $filter_table->{rules_chain( $zone, $zone )}{policy} ne 'NONE';
 }
 #
 # Add jumps to the blacklst and blackout chains
 #
@@ -2476,7 +2470,7 @@ sub classic_blacklist() {
    for my $zone ( @zones ) {
 	my $zoneref = find_zone( $zone );
-	my $simple  =  @zones <= 2 && ! $zoneref->{complex};
+	my $simple  =  @zones <= 2 && ! $zoneref->{options}{complex};
 	if ( $zoneref->{options}{in}{blacklist} ) {
 	    my $blackref = $filter_table->{blacklst};
@@ -2490,7 +2484,7 @@ sub classic_blacklist() {
 		    my $ruleschain    = rules_chain( $zone, $zone1 );
 		    my $ruleschainref = $filter_table->{$ruleschain};
-		    if ( $zone ne $zone1 || intrazone_allowed( $zone, $zoneref ) ) {
+		    if ( ( $zone ne $zone1 || $ruleschainref->{referenced} ) && $ruleschainref->{policy} ne 'NONE' ) {
 			add_ijump( ensure_rules_chain( $ruleschain ), j => $blackref, @state );
 		    }
 		}
@@ -2507,7 +2501,7 @@ sub classic_blacklist() {
 		my $ruleschain    = rules_chain( $zone1, $zone );
 		my $ruleschainref = $filter_table->{$ruleschain};
-		if ( ( $zone ne $zone1 || intrazone_allowed( $zone, $zoneref ) ) ) {
+		if ( ( $zone ne $zone1 || $ruleschainref->{referenced} ) && $ruleschainref->{policy} ne 'NONE' ) {
 		    add_ijump( ensure_rules_chain( $ruleschain ), j => $blackref, @state );
 		}
 	    }
@@ -2567,25 +2561,20 @@ sub process_rules( $ ) {
 		     }
 		   );
-	process_rule while read_a_line( NORMAL_READ );
+	process_rule while read_a_line;
    }
    $section = '';
    add_interface_options( $blrules );
    #
    # Handle MSS settings in the zones file
    #
    setup_zone_mss;
    $fn = open_file 'rules';
    if ( $fn ) {
 	first_entry "$doing $fn...";
-	process_rule while read_a_line( NORMAL_READ );
+	process_rule while read_a_line;
 	clear_comment;
    }
--- a/Shorewall/Perl/Shorewall/Tc.pm
+++ b/Shorewall/Perl/Shorewall/Tc.pm
@@ -163,17 +163,13 @@ my  @tcclasses;
 my  %tcclasses;
 my  %restrictions = ( tcpre      => PREROUTE_RESTRICT ,
 		      PREROUTING => PREROUTE_RESTRICT ,
 		      tcpost     => POSTROUTE_RESTRICT ,
 		      tcfor      => NO_RESTRICT ,
 		      tcin       => INPUT_RESTRICT ,
-		      tcout      => OUTPUT_RESTRICT ,
+		      tcout      => OUTPUT_RESTRICT );
 		    );
 my $family;
 my $divertref; # DIVERT chain
 #
 # Rather than initializing globals in an INIT block or during declaration,
 # we initialize them in a function. This is done for two reasons:
@@ -195,24 +191,21 @@ sub initialize( $ ) {
    $devnum = 0;
    $sticky = 0;
    $ipp2p  = 0;
    $divertref = 0;
 }
 sub process_tc_rule( ) {
-    my ( $originalmark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability , $dscp );
+    my ( $originalmark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability );
    if ( $family == F_IPV4 ) {
-	( $originalmark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $probability, $dscp ) =
+	( $originalmark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $probability ) =
-	    split_line1 'tcrules file', { mark => 0, action => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5, user => 6, test => 7, length => 8, tos => 9, connbytes => 10, helper => 11, probability => 12 , dscp => 13 }, { COMMENT => 0, FORMAT => 2 } , 14;
+	    split_line1 'tcrules file', { mark => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5, user => 6, test => 7, length => 8, tos => 9, connbytes => 10, helper => 11, probability => 12 };
 	$headers = '-';
    } else {
-	( $originalmark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability, $dscp ) =
+	( $originalmark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability ) = 
-	    split_line1 'tcrules file', { mark => 0, action => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5, user => 6, test => 7, length => 8, tos => 9, connbytes => 10, helper => 11, headers => 12, probability => 13 , dscp => 14 },  { COMMENT => 0, FORMAT => 2 }, 15;
+	    split_line1 'tcrules file', { mark => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5, user => 6, test => 7, length => 8, tos => 9, connbytes => 10, helper => 11, headers => 12, probability => 13 };
    }
    our @tccmd;
    our $format;
    fatal_error 'MARK must be specified' if $originalmark eq '-';
    if ( $originalmark eq 'COMMENT' ) {
@@ -220,15 +213,6 @@ sub process_tc_rule( ) {
 	return;
    }
    if ( $originalmark eq 'FORMAT' ) {
 	if ( $source =~ /^([12])$/ ) {
 	    $format = $1;
 	    return;
 	}
 	fatal_error "Invalid FORMAT ($source)";
    }
    my ( $mark, $designator, $remainder ) = split( /:/, $originalmark, 3 );
    fatal_error "Invalid MARK ($originalmark)" unless supplied $mark;
@@ -255,192 +239,6 @@ sub process_tc_rule( ) {
    my $device   = '';
    my $fw       = firewall_zone;
    my $list;
    my $restriction = 0;
    my $cmd;
    my $rest;
    my $matches = '';
    my %processtcc = ( sticky => sub() {
 			                  if ( $chain eq 'tcout' ) {
 					      $target = 'sticko';
 					  } else {
 					      fatal_error "SAME rules are only allowed in the PREROUTING and OUTPUT chains" if $chain ne 'tcpre';
 					  }
 					  $restriction = DESTIFACE_DISALLOW;
 					  ensure_mangle_chain($target);
 					  $sticky++;
 				      },
 		       IPMARK => sub() {
 			                  my ( $srcdst, $mask1, $mask2, $shift ) = ('src', 255, 0, 0 );
 					  require_capability 'IPMARK_TARGET', 'IPMARK', 's';
 					  if ( $cmd =~ /^IPMARK\((.+?)\)$/ ) {
 					      my $params = $1;
 					      my $val;
 					      my ( $sd, $m1, $m2, $s , $bad ) = split ',', $params;
 					      fatal_error "Invalid IPMARK parameters ($params)" if $bad;
 					      fatal_error "Invalid IPMARK parameter ($sd)" unless ( $sd eq 'src' || $sd eq 'dst' );
 					      $srcdst = $sd;
 					      if ( supplied $m1 ) {
 						  $val = numeric_value ($m1);
 						  fatal_error "Invalid Mask ($m1)" unless defined $val && $val && $val <= 0xffffffff;
 						  $mask1 = in_hex ( $val & 0xffffffff );
 					      }
 					      if ( supplied $m2 ) {
 						  $val = numeric_value ($m2);
 						  fatal_error "Invalid Mask ($m2)" unless defined $val && $val <= 0xffffffff;
 						  $mask2 = in_hex ( $val & 0xffffffff );
 					      }
 					      if ( defined $s ) {
 						  $val = numeric_value ($s);
 						  fatal_error "Invalid Shift Bits ($s)" unless defined $val && $val >= 0 && $val < 128;
 						  $shift = $s;
 					      }
 					  } else {
 					      fatal_error "Invalid MARK/CLASSIFY ($cmd)" unless $cmd eq 'IPMARK';
 					  }
 					  $target = "IPMARK --addr $srcdst --and-mask $mask1 --or-mask $mask2 --shift $shift";
 				      },
 		       DIVERT => sub() {
 			                  fatal_error "Invalid MARK ($originalmark)"               unless $format == 2;
 			                  fatal_error "Invalid DIVERT specification( $cmd/$rest )" if $rest;
 					  $chain = 'PREROUTING';
 					  $mark = in_hex( $globals{TPROXY_MARK} ) . '/' . in_hex( $globals{TPROXY_MARK} );
 					  unless ( $divertref ) {
 					      $divertref = new_chain( 'mangle', 'divert' );
 					      add_ijump( $divertref , j => 'MARK', targetopts => "--set-mark $mark"  );
 					      add_ijump( $divertref , j => 'ACCEPT' );
 					  }
 					  $target = 'divert';
 					  $matches = '! --tcp-flags FIN,SYN,RST,ACK SYN  -m socket --transparent ';
 				      },					      
 		       TPROXY => sub() {
 			                  require_capability( 'TPROXY_TARGET', 'Use of TPROXY', 's');
 			                  fatal_error "Invalid TPROXY specification( $cmd/$rest )" if $rest;
 					  $chain = 'PREROUTING';
 					  $cmd =~ /TPROXY\((.+?)\)$/;
 					  my $params = $1;
 					  my ( $port, $ip, $bad );
 					  if ( $format == 1 ) {
 					      fatal_error "Invalid TPROXY specification( $cmd )" unless defined $params;
 					      ( $mark, $port, $ip, $bad ) = split_list $params, 'Parameter';
 					      fatal_error "Invalid TPROXY specification( $cmd )" if defined $bad;
 					      warning_message "TPROXY is deprecated in a format-1 tcrules file";
 					  } else {
 					      if ( $params ) {
 						  ( $port, $ip, $bad ) = split_list $params, 'Parameter';
 						  fatal_error "Invalid TPROXY specification( $cmd )" if defined $bad;
 					      } else {
 						  fatal_error "Invalid TPROXY specification ($cmd)" unless $cmd eq 'TPROXY' || $cmd eq 'TPROXY()';
 					      }
 					      $mark = in_hex( $globals{TPROXY_MARK} ) . '/' . in_hex( $globals{TPROXY_MARK} );
 					  }
 					  if ( $port ) {
 					      $port = validate_port( 'tcp', $port );
 					  } else {
 					      $port = 0;
 					  }
 					  $target .= " --on-port $port";
 					  if ( supplied $ip ) {
 					      if ( $family == F_IPV6 ) {
 						  $ip = $1 if $ip =~ /^\[(.+)\]$/ || $ip =~ /^<(.+)>$/;
 					      }
 					      validate_address $ip, 1;
 					      $target .= " --on-ip $ip";
 					  }
 					  $target .= ' --tproxy-mark';
 				      },
 		       TTL => sub() {
 			                  fatal_error "TTL is not supported in IPv6 - use HL instead" if $family == F_IPV6;
 					  fatal_error "Invalid TTL specification( $cmd/$rest )" if $rest;
 					  fatal_error "Chain designator $designator not allowed with TTL" if $designator && ! ( $designator eq 'F' );
 					  $chain = 'tcfor';
 					  $cmd =~ /^TTL\(([-+]?\d+)\)$/;
 					  my $param =  $1;
 					  fatal_error "Invalid TTL specification( $cmd )" unless $param && ( $param = abs $param ) < 256;
 					  if ( $1 =~ /^\+/ ) {
 					      $target .= " --ttl-inc $param";
 					  } elsif ( $1 =~ /\-/ ) {
 					      $target .= " --ttl-dec $param";
 					  } else {
 					      $target .= " --ttl-set $param";
 					  }
 				      },
 		       HL => sub() {
 			                  fatal_error "HL is not supported in IPv4 - use TTL instead" if $family == F_IPV4;
 					  fatal_error "Invalid HL specification( $cmd/$rest )" if $rest;
 					  fatal_error "Chain designator $designator not allowed with HL" if $designator && ! ( $designator eq 'F' );
 					  $chain = 'tcfor';
 					  $cmd =~ /^HL\(([-+]?\d+)\)$/;
 					  my $param =  $1;
 					  fatal_error "Invalid HL specification( $cmd )" unless $param && ( $param = abs $param ) < 256;
 					  if ( $1 =~ /^\+/ ) {
 					      $target .= " --hl-inc $param";
 					  } elsif ( $1 =~ /\-/ ) {
 					      $target .= " --hl-dec $param";
 					  } else {
 					      $target .= " --hl-set $param";
 					  }
 				      },
 		       IMQ => sub() {
 			                  assert( $cmd =~ /^IMQ\((\d+)\)$/ );
 					  require_capability 'IMQ_TARGET', 'IMQ', 's';
 					  $target .= " --todev $1";
 				      },
 		       DSCP => sub() {
 			                  assert( $cmd =~ /^DSCP\((\w+)\)$/ );
 					  require_capability 'DSCP_TARGET', 'The DSCP action', 's';
 					  my $dscp = numeric_value( $1 );
 					  $dscp = $dscpmap{$1} unless defined $dscp;
 					  fatal_error( "Invalid DSCP ($1)" ) unless defined $dscp && $dscp <= 0x38 && ! ( $dscp & 1 );
 					  $target .= ' --set-dscp ' . in_hex( $dscp );
 				      },
 		       TOS => sub() {
 			                  assert( $cmd =~ /^TOS\((.+)\)$/ );
 					  $target .= decode_tos( $1 , 2 );
 				      },
 		     );
    if ( $source ) {
 	if ( $source eq $fw ) {
@@ -514,15 +312,12 @@ sub process_tc_rule( ) {
 	}
    }
-    if ( $mark =~ /^TOS/ ) {
+    my ($cmd, $rest) = split( '/', $mark, 2 );
 	$cmd = $mark;
 	$rest = '';
    } else {
 	($cmd, $rest) = split( '/', $mark, 2 );
    }
    $list = '';
    my $restriction = 0;
    unless ( $classid ) {
      MARK:
 	{
@@ -541,8 +336,134 @@ sub process_tc_rule( ) {
 			$mark =~ s/^[|&]//;
 		    }
-		    if ( my $f = $processtcc{$target} ) {
+		    if ( $target eq 'sticky' ) {
-			$f->();
+			if ( $chain eq 'tcout' ) {
 			    $target = 'sticko';
 			} else {
 			    fatal_error "SAME rules are only allowed in the PREROUTING and OUTPUT chains" if $chain ne 'tcpre';
 			}
 			$restriction = DESTIFACE_DISALLOW;
 			ensure_mangle_chain($target);
 			$sticky++;
 		    } elsif ( $target eq 'IPMARK' ) {
 			my ( $srcdst, $mask1, $mask2, $shift ) = ('src', 255, 0, 0 );
 			require_capability 'IPMARK_TARGET', 'IPMARK', 's';
 			if ( $cmd =~ /^IPMARK\((.+?)\)$/ ) {
 			    my $params = $1;
 			    my $val;
 			    my ( $sd, $m1, $m2, $s , $bad ) = split ',', $params;
 			    fatal_error "Invalid IPMARK parameters ($params)" if $bad;
 			    fatal_error "Invalid IPMARK parameter ($sd)" unless ( $sd eq 'src' || $sd eq 'dst' );
 			    $srcdst = $sd;
 			    if ( supplied $m1 ) {
 				$val = numeric_value ($m1);
 				fatal_error "Invalid Mask ($m1)" unless defined $val && $val && $val <= 0xffffffff;
 				$mask1 = in_hex ( $val & 0xffffffff );
 			    }
 			    if ( supplied $m2 ) {
 				$val = numeric_value ($m2);
 				fatal_error "Invalid Mask ($m2)" unless defined $val && $val <= 0xffffffff;
 				$mask2 = in_hex ( $val & 0xffffffff );
 			    }
 			    if ( defined $s ) {
 				$val = numeric_value ($s);
 				fatal_error "Invalid Shift Bits ($s)" unless defined $val && $val >= 0 && $val < 128;
 				$shift = $s;
 			    }			    
 			} else {
 			    fatal_error "Invalid MARK/CLASSIFY ($cmd)" unless $cmd eq 'IPMARK';
 			}
 			$target = "IPMARK --addr $srcdst --and-mask $mask1 --or-mask $mask2 --shift $shift";
 		    } elsif ( $target eq 'TPROXY' ) {
 			require_capability( 'TPROXY_TARGET', 'Use of TPROXY', 's');
 			fatal_error "Invalid TPROXY specification( $cmd/$rest )" if $rest;
 			$chain = 'tcpre';
 			$cmd =~ /TPROXY\((.+?)\)$/;
 			my $params = $1;
 			fatal_error "Invalid TPROXY specification( $cmd )" unless defined $params;
 			( $mark, my $port, my $ip, my $bad ) = split ',', $params;
 			fatal_error "Invalid TPROXY specification( $cmd )" if defined $bad;
 			if ( $port ) {
 			    $port = validate_port( 'tcp', $port );
 			} else {
 			    $port = 0;
 			}
 			$target .= " --on-port $port";
 			if ( supplied $ip ) {
 			    if ( $family == F_IPV6 ) {
 				$ip = $1 if $ip =~ /^\[(.+)\]$/ || $ip =~ /^<(.+)>$/;
 			    }
 			    validate_address $ip, 1;
 			    $target .= " --on-ip $ip";
 			}
 			$target .= ' --tproxy-mark';
 		    } elsif ( $target eq 'TTL' ) {
 			fatal_error "TTL is not supported in IPv6 - use HL instead" if $family == F_IPV6;
 			fatal_error "Invalid TTL specification( $cmd/$rest )" if $rest;
 			fatal_error "Chain designator $designator not allowed with TTL" if $designator && ! ( $designator eq 'F' );
 			$chain = 'tcfor';
 			$cmd =~ /^TTL\(([-+]?\d+)\)$/;
 			my $param =  $1;
 			fatal_error "Invalid TTL specification( $cmd )" unless $param && ( $param = abs $param ) < 256;
 			if ( $1 =~ /^\+/ ) {
 			    $target .= " --ttl-inc $param";
 			} elsif ( $1 =~ /\-/ ) {
 			    $target .= " --ttl-dec $param";
 			} else {
 			    $target .= " --ttl-set $param";
 			}
 		    } elsif ( $target eq 'HL' ) {
 			fatal_error "HL is not supported in IPv4 - use TTL instead" if $family == F_IPV4;
 			fatal_error "Invalid HL specification( $cmd/$rest )" if $rest;
 			fatal_error "Chain designator $designator not allowed with HL" if $designator && ! ( $designator eq 'F' );
 			$chain = 'tcfor';
 			$cmd =~ /^HL\(([-+]?\d+)\)$/;
 			my $param =  $1;
 			fatal_error "Invalid HL specification( $cmd )" unless $param && ( $param = abs $param ) < 256;
 			if ( $1 =~ /^\+/ ) {
 			    $target .= " --hl-inc $param";
 			} elsif ( $1 =~ /\-/ ) {
 			    $target .= " --hl-dec $param";
 			} else {
 			    $target .= " --hl-set $param";
 			}
 		    } elsif ( $target eq 'IMQ' ) {
 			assert( $cmd =~ /^IMQ\((\d+)\)$/ );
 			require_capability 'IMQ_TARGET', 'IMQ', 's';
 			$target .= " --todev $1";
 		    }
 		    if ( $rest ) {
@@ -581,7 +502,7 @@ sub process_tc_rule( ) {
    if ( ( my $result = expand_rule( ensure_chain( 'mangle' , $chain ) ,
 				     $restrictions{$chain} | $restriction,
-				     do_proto( $proto, $ports, $sports) . $matches .
+				     do_proto( $proto, $ports, $sports) .
 				     do_user( $user ) .
 				     do_test( $testval, $globals{TC_MASK} ) .
 				     do_length( $length ) .
@@ -589,8 +510,7 @@ sub process_tc_rule( ) {
 				     do_connbytes( $connbytes ) .
 				     do_helper( $helper ) .
 				     do_headers( $headers ) .
-				     do_probability( $probability ) .
+				     do_probability( $probability ) ,
 				     do_dscp( $dscp ) ,
 				     $source ,
 				     $dest ,
 				     '' ,
@@ -935,7 +855,7 @@ sub validate_tc_device( ) {
 			    pfifo         => $pfifo,
 			    tablenumber   => 1 ,
 			    redirected    => \@redirected,
-			    default       => undef,
+			    default       => 0,
 			    nextclass     => 2,
 			    qdisc         => $qdisc,
 			    guarantee     => 0,
@@ -1078,7 +998,6 @@ sub validate_tc_class( ) {
 	}
    } else {
 	fatal_error "Duplicate Class NUMBER ($classnumber)" if $tcref->{$classnumber};
 	$markval = '-';
    }
    if ( $parentclass != 1 ) {
@@ -1090,7 +1009,7 @@ sub validate_tc_class( ) {
 	fatal_error "Unknown Parent class ($parentnum)" unless $parentref && $parentref->{occurs} == 1;
 	fatal_error "The class ($parentnum) specifies UMAX and/or DMAX; it cannot serve as a parent" if $parentref->{dmax};
 	fatal_error "The class ($parentnum) specifies flow; it cannot serve as a parent"             if $parentref->{flow};
-	fatal_error "The default class ($parentnum) may not have sub-classes"                        if ( $devref->{default} || 0 ) == $parentclass;
+	fatal_error "The default class ($parentnum) may not have sub-classes"                        if $devref->{default} == $parentclass;
 	$parentref->{leaf} = 0;
 	$ratemax  = $parentref->{rate};
 	$ratename = q(the parent class's RATE);
@@ -1195,11 +1114,9 @@ sub validate_tc_class( ) {
    }
    unless ( $devref->{classify} || $occurs > 1 ) {
 	if ( $mark ne '-' ) {
 	fatal_error "Missing MARK" if $mark eq '-';
 	warning_message "Class NUMBER ignored -- INTERFACE $device does not have the 'classify' option"	if $devclass =~ /:/;
    }
    }
    $tcref->{flow}  = $devref->{flow}  unless $tcref->{flow};
    $tcref->{pfifo} = $devref->{pfifo} unless $tcref->{flow} || $tcref->{pfifo};
@@ -1506,7 +1423,7 @@ sub process_tcfilters() {
 	first_entry( "$doing $fn..." );
-	while ( read_a_line( NORMAL_READ ) ) {
+	while ( read_a_line ) {
 	    if ( $currentline =~ /^\s*IPV4\s*$/ ) {
 		Shorewall::IPAddrs::initialize( $family = F_IPV4 ) unless $family == F_IPV4;
 	    } elsif ( $currentline =~ /^\s*IPV6\s*$/ ) {
@@ -1606,7 +1523,7 @@ sub process_tcinterfaces() {
    if ( $fn ) {
 	first_entry "$doing $fn...";
-	process_simple_device while read_a_line( NORMAL_READ );
+	process_simple_device while read_a_line;
    }
 }
@@ -1624,7 +1541,7 @@ sub process_tcpri() {
 		warning_message "There are entries in $fn1 but $fn was empty" unless @tcdevices || $family == F_IPV6;
 	    };
-	process_tc_priority while read_a_line( NORMAL_READ );
+	process_tc_priority while read_a_line;
 	clear_comment;
@@ -1635,12 +1552,6 @@ sub process_tcpri() {
 			  mark => '--mark 0/'   . in_hex( $globals{TC_MASK} )
 			);
 	    insert_irule( $mangle_table->{tcpost} ,
 			  j => 'RETURN', 
 			  1 ,
 			  mark => '! --mark 0/' . in_hex( $globals{TC_MASK} ) ,
 			);
 	    add_ijump( $mangle_table->{tcpost} ,
 		       j    => 'CONNMARK --save-mark --ctmask '    . in_hex( $globals{TC_MASK} ),
 		       mark => '! --mark 0/' . in_hex( $globals{TC_MASK} ) 
@@ -1661,7 +1572,7 @@ sub process_traffic_shaping() {
    if ( $fn ) {
 	first_entry "$doing $fn...";
-	validate_tc_device while read_a_line( NORMAL_READ );
+	validate_tc_device while read_a_line;
    }
    $devnum = $devnum > 10 ? 10 : 1;
@@ -1671,7 +1582,7 @@ sub process_traffic_shaping() {
    if ( $fn ) {
 	first_entry "$doing $fn...";
-	validate_tc_class while read_a_line( NORMAL_READ );
+	validate_tc_class while read_a_line;
    }
    process_tcfilters;
@@ -1685,7 +1596,7 @@ sub process_traffic_shaping() {
 	my $devnum  = in_hexp $devref->{number};
 	my $r2q     = int calculate_r2q $devref->{out_bandwidth};
-	fatal_error "No default class defined for device $devname" unless defined $devref->{default};
+	fatal_error "No default class defined for device $devname" unless $devref->{default};
 	my $device = physical_name $devname;
@@ -1797,7 +1708,7 @@ sub process_traffic_shaping() {
 		#
 		# add filters
 		#
-		unless ( $mark eq '-' ) {
+		unless ( $devref->{classify} ) {
 		    emit "run_tc filter add dev $device protocol all parent $devicenumber:0 prio " . ( $priority | 20 ) . " handle $mark fw classid $classid" if $tcref->{occurs} == 1;
 		}
@@ -2016,13 +1927,13 @@ sub setup_tc() {
    if ( $config{TC_ENABLED} ) {
 	our  @tccmd = ( { match     => sub ( $ ) { $_[0] eq 'SAVE' } ,
 			  target    => 'CONNMARK --save-mark --mask' ,
-			  mark      => $config{TC_EXPERT} ? HIGHMARK : SMALLMARK,
+			  mark      => SMALLMARK ,
 			  mask      => in_hex( $globals{TC_MASK} ) ,
 			  connmark  => 1
 			} ,
 			{ match     => sub ( $ ) { $_[0] eq 'RESTORE' },
 			  target    => 'CONNMARK --restore-mark --mask' ,
-			  mark      => $config{TC_EXPERT} ? HIGHMARK : SMALLMARK ,
+			  mark      => SMALLMARK ,
 			  mask      => in_hex( $globals{TC_MASK} ) ,
 			  connmark  => 1
 			} ,
@@ -2059,11 +1970,6 @@ sub setup_tc() {
 			  mark      => HIGHMARK,
 			  mask      => '',
 			  connmark  => '' },
 			{ match     => sub( $ ) { $_[0] =~ /^DIVERT/ },
 			  target    => 'DIVERT',
 			  mark      => HIGHMARK,
 			  mask      => '',
 			  connmark  => '' },
 			{ match     => sub( $ ) { $_[0] =~ /^TTL/ },
 			  target    => 'TTL',
 			  mark      => NOMARK,
@@ -2082,30 +1988,15 @@ sub setup_tc() {
 			  mask      => '',
 			  connmark  => 0
 			},
 			{ match     => sub( $ ) { $_[0] =~ /^DSCP\(\w+\)$/ },
 			  target    => 'DSCP',
 			  mark      => NOMARK,
 			  mask      => '',
 			  connmark  => 0
 			},
 			{ match     => sub( $ ) { $_[0] =~ /^TOS\(.+\)$/ },
 			  target    => 'TOS',
 			  mark      => NOMARK,
 			  mask      => '',
 			  connmark  => 0
 			},
 		      );
 	if ( my $fn = open_file 'tcrules' ) {
 	    our $format = 1;
 	    first_entry "$doing $fn...";
-	    process_tc_rule while read_a_line( NORMAL_READ );
+	    process_tc_rule while read_a_line;
 	    clear_comment;
 	}
    }
@@ -2114,7 +2005,7 @@ sub setup_tc() {
 	    first_entry "$doing $fn...";
-	    process_secmark_rule while read_a_line( NORMAL_READ );
+	    process_secmark_rule while read_a_line;
 	    clear_comment;
 	}
--- a/Shorewall/Perl/Shorewall/Tunnels.pm
+++ b/Shorewall/Perl/Shorewall/Tunnels.pm
@@ -234,7 +234,7 @@ sub setup_tunnels() {
    }
    sub setup_one_tunnel($$$$) {
-	my ( $kind , $zone, $gateways, $gatewayzones ) = @_;
+	my ( $kind , $zone, $gateway, $gatewayzones ) = @_;
 	my $zonetype = zone_type( $zone );
@@ -243,14 +243,8 @@ sub setup_tunnels() {
 	my $inchainref  = ensure_rules_chain( rules_chain( ${zone}, ${fw} ) );
 	my $outchainref = ensure_rules_chain( rules_chain( ${fw}, ${zone} ) );
-	$gateways = ALLIP if $gateways eq '-';
+	$gateway = ALLIP if $gateway eq '-';
 	my ( $net, $excl ) = handle_network_list( $gateways , 'src' );
 	( $net, $excl )    = handle_network_list( $gateways , 'dst' );
 	fatal_error "Exclusion is not allowed in the GATEWAYS column" if $excl;
 	for my $gateway ( split_list $gateways, 'GATEWAYS' ) {
 	my @source = imatch_source_net $gateway;
 	my @dest   = imatch_dest_net   $gateway;
@@ -278,7 +272,6 @@ sub setup_tunnels() {
 	fatal_error "Tunnels of type $type are not supported" unless $tunnelref;
 	$tunnelref->{function}->( $inchainref, $outchainref, @{$tunnelref->{params}} );
 	}
 	progress_message "   Tunnel \"$currentline\" $done";
    }
@@ -290,16 +283,16 @@ sub setup_tunnels() {
 	first_entry "$doing $fn...";
-	while ( read_a_line( NORMAL_READ ) ) {
+	while ( read_a_line ) {
-	    my ( $kind, $zone, $gateway, $gatewayzones ) = split_line1 'tunnels file', { type => 0, zone => 1, gateway => 2, gateways => 2, gateway_zone => 3 , gateway_zones => 3 }, undef, 4;
+	    my ( $kind, $zone, $gateway, $gatewayzones ) = split_line1 'tunnels file', { type => 0, zone => 1, gateway => 2, gateway_zone => 3 };
 	    fatal_error 'TYPE must be specified' if $kind eq '-';
 	    fatal_error 'ZONE must be specified' if $zone eq '-';
 	    if ( $kind eq 'COMMENT' ) {
 		process_comment;
 	    } else {
 		fatal_error 'ZONE must be specified' if $zone eq '-';
 		setup_one_tunnel $kind, $zone, $gateway, $gatewayzones;
 	    }
 	}
--- a/Shorewall/Perl/Shorewall/Zones.pm
+++ b/Shorewall/Perl/Shorewall/Zones.pm
@@ -83,7 +83,6 @@ our @EXPORT = qw( NOTHING
 		  compile_updown
 		  validate_hosts_file
 		  find_hosts_by_option
 		  find_zone_hosts_by_option
 		  find_zones_by_option
 		  all_ipsets
 		  have_ipsec
@@ -115,9 +114,10 @@ use constant { IN_OUT     => 1,
 #     @zones contains the ordered list of zones with sub-zones appearing before their parents.
 #
 #     %zones{<zone1> => {type = >      <zone type>       FIREWALL, IP, IPSEC, BPORT;
-#                        complex =>    0|1
+#                        options =>    { complex => 0|1
 #                                        nested  => 0|1
 #                                        super   => 0|1
-#                        options =>    { in_out  => < policy match string >
+#                                        in_out  => < policy match string >
 #                                        in      => < policy match string >
 #                                        out     => < policy match string >
 #                                      }
@@ -227,25 +227,6 @@ my %maxoptionvalue = ( routefilter => 2, mss => 100000 , wait => 120 );
 my %validhostoptions;
 my %validzoneoptions = ( mss          => NUMERIC,
 			 nomark       => NOTHING,
 			 blacklist    => NOTHING,
 			 strict       => NOTHING,
 			 next         => NOTHING,
 			 reqid        => NUMERIC,
 			 spi          => NUMERIC,
 			 proto        => IPSECPROTO,
 			 mode         => IPSECMODE,
 			 "tunnel-src" => NETWORK,
 			 "tunnel-dst" => NETWORK,
 		       );
 use constant { UNRESTRICTED => 1, NOFW => 2 , COMPLEX => 8, IN_OUT_ONLY => 16 };
 #
 # Hash of options that have their own key in the returned hash.
 #
 my %zonekey = ( mss => UNRESTRICTED | COMPLEX , blacklist => NOFW, nomark => NOFW | IN_OUT_ONLY );
 #
 # Rather than initializing globals in an INIT block or during declaration,
 # we initialize them in a function. This is done for two reasons:
@@ -309,7 +290,6 @@ sub initialize( $$ ) {
 			     broadcast => 1,
 			     destonly => 1,
 			     sourceonly => 1,
 			     mss => 1,
 			    );
 	%zonetypes = ( 1 => 'firewall', 2 => 'ipv4', 4 => 'bport4', 8 => 'ipsec4', 16 => 'vserver' );
    } else {
@@ -336,7 +316,6 @@ sub initialize( $$ ) {
 			     maclist => 1,
 			     routeback => 1,
 			     tcpflags => 1,
 			     mss => 1,
 			    );
 	%zonetypes = ( 1 => 'firewall', 2 => 'ipv6', 4 => 'bport6', 8 => 'ipsec4', 16 => 'vserver' );
    }
@@ -350,6 +329,25 @@ sub initialize( $$ ) {
 #
 sub parse_zone_option_list($$\$$)
 {
    my %validoptions = ( mss          => NUMERIC,
 			 nomark       => NOTHING,
 			 blacklist    => NOTHING,
 			 strict       => NOTHING,
 			 next         => NOTHING,
 			 reqid        => NUMERIC,
 			 spi          => NUMERIC,
 			 proto        => IPSECPROTO,
 			 mode         => IPSECMODE,
 			 "tunnel-src" => NETWORK,
 			 "tunnel-dst" => NETWORK,
 		       );
    use constant { UNRESTRICTED => 1, NOFW => 2 , COMPLEX => 8, IN_OUT_ONLY => 16 };
    #
    # Hash of options that have their own key in the returned hash.
    #
    my %key = ( mss => UNRESTRICTED | COMPLEX , blacklist => NOFW, nomark => NOFW | IN_OUT_ONLY );
    my ( $list, $zonetype, $complexref, $column ) = @_;
    my %h;
    my $options = '';
@@ -369,7 +367,7 @@ sub parse_zone_option_list($$\$$)
 		$e   = $1;
 	    }
-	    $fmt = $validzoneoptions{$e};
+	    $fmt = $validoptions{$e};
 	    fatal_error "Invalid Option ($e)" unless $fmt;
@@ -380,7 +378,7 @@ sub parse_zone_option_list($$\$$)
 		fatal_error "Invalid value ($val) for option \"$e\"" unless $val =~ /^($fmt)$/;
 	    }
-	    my $key = $zonekey{$e};
+	    my $key = $key{$e};
 	    if ( $key ) {
 		fatal_error "Option '$e' not permitted with this zone type " if $key & NOFW && ($zonetype & ( FIREWALL | VSERVER) );
@@ -405,13 +403,13 @@ sub parse_zone_option_list($$\$$)
 #
 # Set the super option on the passed zoneref and propagate to its parents
 #
-sub set_super( $ ); #required for recursion
+sub set_super( $ );
 sub set_super( $ ) {
    my $zoneref = shift;
-    unless ( $zoneref->{super} ) {
+    unless ( $zoneref->{options}{super} ) {
-	$zoneref->{super} = 1;
+	$zoneref->{options}{super} = 1;
 	set_super( $zones{$_} ) for @{$zoneref->{parents}};
    }
 }
@@ -489,9 +487,10 @@ sub process_zone( \$ ) {
 				    options    => { in_out  => parse_zone_option_list( $options , $type, $complex , IN_OUT ) ,
 						    in      => parse_zone_option_list( $in_options , $type , $complex , IN ) ,
 						    out     => parse_zone_option_list( $out_options , $type , $complex , OUT ) ,
 						  } ,
 				    super      => 0 ,
 						    complex => ( $type & IPSEC || $complex ) ,
 						    nested  => @parents > 0 ,
 						    super   => 0 ,
 						  } ,
 				    interfaces => {} ,
 				    children   => [] ,
 				    hosts      => {}
@@ -507,7 +506,7 @@ sub process_zone( \$ ) {
 		fatal_error "Zone mark overflow - please increase the setting of ZONE_BITS" if $zonemark >= $zonemarklimit;
 		$mark      = $zonemark;
 		$zonemark += $zonemarkincr;
-		$zoneref->{complex} = 1;
+		$zoneref->{options}{complex} = 1;
 	    }
 	}
@@ -518,6 +517,7 @@ sub process_zone( \$ ) {
 	}
    }
    if ( $zoneref->{options}{in_out}{blacklist} ) {
 	for ( qw/in out/ ) {
 	    unless ( $zoneref->{options}{$_}{blacklist} ) {
@@ -545,7 +545,7 @@ sub determine_zones()
    if ( my $fn = open_file 'zones' ) {
 	first_entry "$doing $fn...";
-	push @z, process_zone( $ip ) while read_a_line( NORMAL_READ );
+	push @z, process_zone( $ip ) while read_a_line;
    } else {
 	fatal_error q(The 'zones' file does not exist or has zero size);
    }
@@ -769,24 +769,20 @@ sub add_group_to_zone($$$$$)
    my $gtype = $type & IPSEC ? 'ipsec' : 'ip';
-    $hostsref     = ( $zoneref->{hosts}      ||= {} );
+    $hostsref     = ( $zoneref->{hosts}           || ( $zoneref->{hosts} = {} ) );
-    $typeref      = ( $hostsref->{$gtype}    ||= {} );
+    $typeref      = ( $hostsref->{$gtype}         || ( $hostsref->{$gtype} = {} ) );
-    $interfaceref = ( $typeref->{$interface} ||= [] );
+    $interfaceref = ( $typeref->{$interface}      || ( $typeref->{$interface} = [] ) );
    fatal_error "Duplicate Host Group ($interface:" . ALLIP . ") in zone $zone" if $allip && @$interfaceref;
-    $zoneref->{complex} = 1 if @$interfaceref || @newnetworks > 1 || @exclusions || $options->{routeback};
+    $zoneref->{options}{complex} = 1 if @$interfaceref || ( @newnetworks > 1 ) || ( @exclusions ) || $options->{routeback};
    push @{$interfaceref}, { options => $options,
 			     hosts   => \@newnetworks,
 			     ipsec   => $type & IPSEC ? 'ipsec' : 'none' ,
 			     exclusions => \@exclusions };
-    if ( $type != IPSEC ) {
+    $interfaces{$interface}{options}{routeback} ||= ( $type != IPSEC && $options->{routeback} );
 	my $optref = $interfaces{$interface}{options};
 	$optref->{routeback} ||= $options->{routeback};
 	$optref->{allip}     ||= $allip;
    }
 }
 #
@@ -842,7 +838,7 @@ sub all_parent_zones() {
 }
 sub complex_zones() {
-    grep( $zones{$_}{complex} , @zones );
+    grep( $zones{$_}{options}{complex} , @zones );
 }
 sub vserver_zones() {
@@ -916,26 +912,9 @@ sub process_interface( $$ ) {
    my ( $nextinum, $export ) = @_;
    my $netsref   = '';
    my $filterref = [];
-    my ($zone, $originalinterface, $bcasts, $options );
+    my ($zone, $originalinterface, $bcasts, $options ) = split_line 'interfaces file', { zone => 0, interface => 1, broadcast => 2, options => 3 };
    my $zoneref;
    my $bridge = '';
    our $format;
    if ( $format == 1 ) {
 	($zone, $originalinterface, $bcasts, $options ) = split_line1 'interfaces file', { zone => 0, interface => 1, broadcast => 2, options => 3 }, { COMMENT => 0, FORMAT => 2 };
    } else {
 	($zone, $originalinterface, $options ) = split_line1 'interfaces file', { zone => 0, interface => 1, options => 2 }, { COMMENT => 0, FORMAT => 2 };
 	$bcasts = '-';
    }
    if ( $zone eq 'FORMAT' ) {
 	if ( $originalinterface =~ /^([12])$/ ) {
 	    $format = $1;
 	    return;
 	}
 	fatal_error "Invalid FORMAT ($originalinterface)";
    }
    if ( $zone eq '-' ) {
 	$zone = '';
@@ -1207,14 +1186,13 @@ sub process_interface( $$ ) {
 #
 sub validate_interfaces_file( $ ) {
    my $export = shift;
    our $format = 1;
    my @ifaces;
    my $nextinum = 1;
    if ( my $fn = open_file 'interfaces' ) {
 	first_entry "$doing $fn...";
-	push @ifaces, process_interface( $nextinum++, $export ) while read_a_line( NORMAL_READ );
+	push @ifaces, process_interface( $nextinum++, $export ) while read_a_line;
    } else {
 	fatal_error q(The 'interfaces' file does not exist or has zero size);
    }
@@ -1808,7 +1786,7 @@ sub compile_updown() {
 #
 sub process_host( ) {
    my $ipsec = 0;
-    my ($zone, $hosts, $options ) = split_line1 'hosts file', { zone => 0, host => 1, hosts => 1, options => 2 }, {}, 3;
+    my ($zone, $hosts, $options ) = split_line 'hosts file', { zone => 0, hosts => 1, options => 2 };
    fatal_error 'ZONE must be specified'  if $zone eq '-';
    fatal_error 'HOSTS must be specified' if $hosts eq '-';
@@ -1842,7 +1820,7 @@ sub process_host( ) {
    }
    if ( $hosts =~ /^!?\+/ ) {
-	$zoneref->{complex} = 1;
+	$zoneref->{options}{complex} = 1;
 	fatal_error "ipset name qualification is disallowed in this file" if $hosts =~ /[\[\]]/;
 	fatal_error "Invalid ipset name ($hosts)" unless $hosts =~ /^!?\+[a-zA-Z][-\w]*$/;
    }
@@ -1866,16 +1844,12 @@ sub process_host( ) {
 	    if ( $option eq 'ipsec' ) {
 		require_capability 'POLICY_MATCH' , q(The 'ipsec' option), 's';
 		$type = IPSEC;
-		$zoneref->{complex} = 1;
+		$zoneref->{options}{complex} = 1;
 		$ipsec = $interfaceref->{ipsec} = 1;
 	    } elsif ( $option eq 'norfc1918' ) {
 		warning_message "The 'norfc1918' host option is no longer supported"
 	    } elsif ( $option eq 'blacklist' ) {
 		$zoneref->{options}{in}{blacklist} = 1;
 	    } elsif ( $option =~ /^mss=(\d+)$/ ) {
 		fatal_error "Invalid mss ($1)" unless $1 >= 500;
 		$options{mss} = $1;
 		$zoneref->{options}{complex} = 1;
 	    } elsif ( $validhostoptions{$option}) {
 		fatal_error qq(The "$option" option is not allowed with Vserver zones) if $type & VSERVER && ! ( $validhostoptions{$option} & IF_OPTION_VSERVER );
 		$options{$option} = 1;
@@ -1935,12 +1909,13 @@ sub validate_hosts_file()
    if ( my $fn = open_file 'hosts' ) {
 	first_entry "$doing $fn...";
-	$ipsec |= process_host while read_a_line( NORMAL_READ );
+	$ipsec |= process_host while read_a_line;
    }
    $have_ipsec = $ipsec || haveipseczones;
-    $_->{complex} ||= ( keys %{$_->{interfaces}} > 1 ) for values %zones;
+    $_->{options}{complex} ||= ( keys %{$_->{interfaces}} > 1 ) for values %zones;
 }
 #
@@ -1952,7 +1927,7 @@ sub have_ipsec() {
 #
 # Returns a reference to a array of host entries. Each entry is a
-# reference to an array containing ( interface , polciy match type {ipsec|none} , network , exclusions, value );
+# reference to an array containing ( interface , polciy match type {ipsec|none} , network , exclusions );
 #
 sub find_hosts_by_option( $ ) {
    my $option = $_[0];
@@ -1962,9 +1937,9 @@ sub find_hosts_by_option( $ ) {
 	while ( my ($type, $interfaceref) = each %{$zones{$zone}{hosts}} ) {
 	    while ( my ( $interface, $arrayref) = ( each %{$interfaceref} ) ) {
 		for my $host ( @{$arrayref} ) {
-		    if ( my $value = $host->{options}{$option} ) {
+		    if ( $host->{options}{$option} ) {
 			for my $net ( @{$host->{hosts}} ) {
-			    push @hosts, [ $interface, $host->{ipsec} , $net , $host->{exclusions}, $value ];
+			    push @hosts, [ $interface, $host->{ipsec} , $net , $host->{exclusions}];
 			}
 		    }
 		}
@@ -1981,30 +1956,6 @@ sub find_hosts_by_option( $ ) {
    \@hosts;
 }
 #
 # As above but for a single zone
 #
 sub find_zone_hosts_by_option( $$ ) {
    my ($zone, $option ) = @_;
    my @hosts;
    unless ( $zones{$zone}{type} & FIREWALL ) {
 	while ( my ($type, $interfaceref) = each %{$zones{$zone}{hosts}} ) {
 	    while ( my ( $interface, $arrayref) = ( each %{$interfaceref} ) ) {
 		for my $host ( @{$arrayref} ) {
 		    if ( my $value = $host->{options}{$option} ) {
 			for my $net ( @{$host->{hosts}} ) {
 			    push @hosts, [ $interface, $host->{ipsec} , $net , $host->{exclusions}, $value ];
 			}
 		    }
 		}
 	    }
 	}
    }
    \@hosts;
 }
 #
 # Returns a reference to a list of zones with the passed in/out option
 #
--- a/Shorewall/Perl/compiler.pl
+++ b/Shorewall/Perl/compiler.pl
@@ -37,7 +37,6 @@
 #         --log_verbosity=<number>    # Log Verbosity range -1 to 2
 #         --family=<number>           # IP family; 4 = IPv4 (default), 6 = IPv6
 #         --preview                   # Preview the ruleset.
 #         --shorewallrc=<path>        # Path to shorewallrc file.
 #         --config_path=<path-list>   # Search path for config files
 #
 use strict;
@@ -66,7 +65,6 @@ sub usage( $ ) {
    [ --annotate ]
    [ --update ]
    [ --convert ]
    [ --shorewallrc=<pathname> ]
    [ --config_path=<path-list> ]
 ';
@@ -93,7 +91,6 @@ my $annotate      = 0;
 my $update        = 0;
 my $convert       = 0;
 my $config_path   = '';
 my $shorewallrc   = '';
 Getopt::Long::Configure ('bundling');
@@ -125,7 +122,6 @@ my $result = GetOptions('h'               => \$help,
 			'update'          => \$update,
 			'convert'         => \$convert,
 			'config_path=s'   => \$config_path,
 			'shorewallrc=s'   => \$shorewallrc,
 		       );
 usage(1) unless $result && @ARGV < 2;
@@ -148,5 +144,4 @@ compiler( script          => $ARGV[0] || '',
 	  convert         => $convert,
 	  annotate        => $annotate,
 	  config_path     => $config_path,
 	  shorewallrc     => $shorewallrc
 	);
--- a/Shorewall/Perl/getparams
+++ b/Shorewall/Perl/getparams
@@ -33,19 +33,7 @@ else
    g_program=shorewall
 fi
-#
+. /usr/share/shorewall/lib.cli
 # This is modified by the installer when ${SHAREDIR} != /usr/share
 #
 . /usr/share/shorewall/shorewallrc
 g_libexec="$LIBEXECDIR"
 g_sharedir="$SHAREDIR"/shorewall
 g_sbindir="$SBINDIR"
 g_perllib="$PERLLIBDIR"
 g_confdir="$CONFDIR"/shorewall
 g_readrc=1
 . $g_sharedir/lib.cli
 CONFIG_PATH="$2"
--- a/Shorewall/Perl/prog.footer
+++ b/Shorewall/Perl/prog.footer
@@ -235,8 +235,8 @@ case "$COMMAND" in
 	    status=2
 	elif checkkernelversion; then
 	    if [ $# -eq 1 ]; then
-		$g_tool -Z
+		$IP6TABLES -Z
-		$g_tool -t mangle -Z
+		$IP6TABLES -t mangle -Z
 		date > ${VARDIR}/restarted
 		status=0
 		progress_message3 "$g_product Counters Reset"
@@ -245,7 +245,7 @@ case "$COMMAND" in
 		status=0
 		for chain in $@; do
 		    if chain_exists $chain; then
-			if qt $g_tool-Z $chain; then
+			if qt $IP6TABLES -Z $chain; then
 			    progress_message3 "Filter $chain Counters Reset"
 			else
 			    error_message "ERROR: Reset of chain $chain failed"
--- a/Shorewall/Perl/prog.header
+++ b/Shorewall/Perl/prog.header
@@ -0,0 +1,402 @@
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
 #     (c) 1999-2011 - Tom Eastep (teastep@shorewall.net)
 #
 #	Options are:
 #
 #	    -n				  Don't alter Routing
 #	    -v and -q			  Standard Shorewall Verbosity control
 #           -t                            Timestamp progress messages
 #           -p                            Purge conntrack table
 #           -r                            Recover from failed start/restart
 #           -V <verbosity>                Set verbosity level explicitly
 #           -R <restore>                  Overrides RESTOREFILE setting
 #
 #	Commands are:
 #
 #	   start			  Starts the firewall
 #          refresh                        Refresh the firewall
 #	   restart			  Restarts the firewall
 #	   reload			  Reload the firewall
 #	   clear			  Removes all firewall rules
 #	   stop				  Stops the firewall
 #	   status			  Displays firewall status
 #	   version			  Displays the version of Shorewall that
 #	   				  generated this program
 #
 ################################################################################
 # Functions imported from /usr/share/shorewall/prog.header
 ################################################################################
 #
 # Find the value 'weight' in the passed arguments then echo the next value
 #
 find_weight() {
    while [ $# -gt 1 ]; do
 	[ "x$1" = xweight ] && echo $2 && return
 	shift
    done
 }
 #
 # Find the interfaces that have a route to the passed address - the default
 # route is not used.
 #
 find_rt_interface() {
    $IP -4 route list | while read addr rest; do
 	case $addr in
 	    */*)
 		in_network ${1%/*} $addr && echo $(find_device $rest)
 		;;
 	    default)
 		;;
 	    *)
 		if [ "$addr" = "$1" -o "$addr/32" = "$1" ]; then
 		    echo $(find_device $rest)
 		fi
 		;;
 	esac
    done
 }
 #
 # Echo the name of the interface(s) that will be used to send to the
 # passed address
 #
 find_interface_by_address() {
    local dev
    dev="$(find_rt_interface $1)"
    local first
    local rest
    [ -z "$dev" ] && dev=$(find_default_interface)
    [ -n "$dev" ] && echo $dev
 }
 #
 #  echo the list of networks routed out of a given interface
 #
 get_routed_networks() # $1 = interface name, $2-n = Fatal error message
 {
    local address
    local rest
    $IP -4 route show dev $1 2> /dev/null |
 	while read address rest; do
 	    case "$address" in
 		default)
 		    if [ $# -gt 1 ]; then
 			shift
 			fatal_error "$@"
 		    else
 			echo "WARNING: default route ignored on interface $1" >&2
 		    fi
 		    ;;
 		multicast|broadcast|prohibit|nat|throw|nexthop)
 		    ;;
 		*)
 		    [ "$address" = "${address%/*}" ] && address="${address}/32"
 		    echo $address
 		    ;;
 	    esac
        done
 }
 #
 # Get the broadcast addresses associated with an interface
 #
 get_interface_bcasts() # $1 = interface
 {
    local addresses
    addresses=
    $IP -f inet addr show dev $1 2> /dev/null | grep 'inet.*brd' | sed 's/inet.*brd //; s/scope.*//;' | sort -u
 }
 #
 # Delete IP address
 #
 del_ip_addr() # $1 = address, $2 = interface
 {
    [ $(find_first_interface_address_if_any $2) = $1 ] || qtnoin $IP addr del $1 dev $2
 }
 # Add IP Aliases
 #
 add_ip_aliases() # $* = List of addresses
 {
    local local
    local addresses
    local external
    local interface
    local inet
    local cidr
    local rest
    local val
    local arping
    arping=$(mywhich arping)
    address_details()
    {
 	#
 	# Folks feel uneasy if they don't see all of the same
 	# decoration on these IP addresses that they see when their
 	# distro's net config tool adds them. In an attempt to reduce
 	# the anxiety level, we have the following code which sets
 	# the VLSM and BRD from an existing address in the same networks
 	#
 	# Get all of the lines that contain inet addresses with broadcast
 	#
 	$IP -f inet addr show $interface 2> /dev/null | grep 'inet.*brd' | while read inet cidr rest ; do
 	    case $cidr in
 		*/*)
 		    if in_network $external $cidr; then
 			echo "/${cidr#*/} brd $(broadcastaddress $cidr)"
 			break
 		    fi
 		    ;;
 	    esac
 	done
    }
    do_one()
    {
 	val=$(address_details)
 	$IP addr add ${external}${val} dev $interface $label
 	[ -n "$arping" ] && qt $arping -U -c 2 -I $interface $external
 	echo "$external $interface" >> $VARDIR/nat
 	[ -n "$label" ] && label="with $label"
 	progress_message "   IP Address $external added to interface $interface $label"
    }
    progress_message "Adding IP Addresses..."
    while [ $# -gt 0 ]; do
 	external=$1
 	interface=$2
 	label=
 	if [ "$interface" != "${interface%:*}" ]; then
 	    label="${interface#*:}"
 	    interface="${interface%:*}"
 	    label="label $interface:$label"
 	fi
 	shift 2
 	list_search $external $(find_interface_addresses $interface) || do_one
    done
 }
 #
 # Detect the gateway through a PPP or DHCP-configured interface
 #
 detect_dynamic_gateway() { # $1 = interface
    local interface
    interface=$1
    local GATEWAYS
    GATEWAYS=
    local gateway
    gateway=$(run_findgw_exit $1);
    if [ -z "$gateway" ]; then
 	gateway=$( find_peer $($IP addr list $interface ) )
    fi
    if [ -z "$gateway" -a -f /var/lib/dhcpcd/dhcpcd-${1}.info ]; then
 	eval $(grep ^GATEWAYS=  /var/lib/dhcpcd/dhcpcd-${1}.info 2> /dev/null)
 	[ -n "$GATEWAYS" ] && GATEWAYS=${GATEWAYS%,*} && gateway=$GATEWAYS
    fi
    if [ -z "$gateway" -a -f /var/lib/dhcp/dhclient-${1}.lease ]; then
 	gateway=$(grep 'option routers' /var/lib/dhcp/dhclient-${1}.lease | tail -n 1 | while read j1 j2 gateway; do echo $gateway ; return 0; done)
    fi
    [ -n "$gateway" ] && echo $gateway
 }
 #
 # Detect the gateway through an interface
 #
 detect_gateway() # $1 = interface
 {
    local interface
    interface=$1
    local gateway
    #
    # First assume that this is some sort of dynamic interface
    #
    gateway=$( detect_dynamic_gateway $interface )
    #
    # Maybe there's a default route through this gateway already
    #
    [ -n "$gateway" ] || gateway=$(find_gateway $($IP -4 route list dev $interface | grep ^default))
    #
    # Last hope -- is there a load-balancing route through the interface?
    #
    [ -n "$gateway" ] || gateway=$(find_nexthop $interface)
    #
    # Be sure we found one
    #
    [ -n "$gateway" ] && echo $gateway
 }
 #
 # Disable IPV6
 #
 disable_ipv6() {
    local foo
    foo="$($IP -f inet6 addr list 2> /dev/null)"
    if [ -n "$foo" ]; then
 	if [ -x "$IP6TABLES" ]; then
 	    $IP6TABLES -P FORWARD DROP
 	    $IP6TABLES -P INPUT DROP
 	    $IP6TABLES -P OUTPUT DROP
 	    $IP6TABLES -F
 	    $IP6TABLES -X
 	    $IP6TABLES -A OUTPUT -o lo -j ACCEPT
 	    $IP6TABLES -A INPUT -i lo -j ACCEPT
 	else
 	    error_message "WARNING: DISABLE_IPV6=Yes in shorewall.conf but this system does not appear to have ip6tables"
 	fi
    fi
 }
 #
 # Add an additional gateway to the default route
 #
 add_gateway() # $1 = Delta $2 = Table Number
 {
    local route
    local weight
    local delta
    local dev
    route=`$IP -4 -o route ls table $2 | grep ^default | sed 's/default //; s/[\]//g'`
    if [ -z "$route" ]; then
 	run_ip route add default scope global table $2 $1
    else
 	delta=$1
 	if ! echo $route | fgrep -q ' nexthop '; then
 	    route=`echo $route | sed 's/via/nexthop via/'`
 	    dev=$(find_device $route)
 	    if [ -f ${VARDIR}/${dev}_weight ]; then
 		weight=`cat ${VARDIR}/${dev}_weight`
 		route="$route weight $weight"
 	    fi
 	fi
 	run_ip route replace default scope global table $2 $route $delta
    fi
 }
 #
 # Remove a gateway from the default route
 #
 delete_gateway() # $! = Description of the Gateway $2 = table number $3 = device
 {
    local route
    local gateway
    local dev
    route=`$IP -4 -o route ls table $2 | grep ^default | sed 's/[\]//g'`
    gateway=$1
    if [ -n "$route" ]; then
 	if echo $route | fgrep -q ' nexthop '; then
 	    gateway="nexthop $gateway"
 	    eval route=\`echo $route \| sed \'s/$gateway/ /\'\`
 	    run_ip route replace table $2 $route
 	else
 	    dev=$(find_device $route)
 	    [ "$dev" = "$3" ] && run_ip route delete default table $2
 	fi
    fi
 }
 #
 # Determine the MAC address of the passed IP through the passed interface
 #
 find_mac() # $1 = IP address, $2 = interface
 {
    if interface_is_usable $2 ; then
 	qt ping -nc 1 -t 2 -I $2 $1
 	local result
 	result=$($IP neigh list |  awk "/^$1 / {print \$5}")
 	case $result in
 	    \<*\>)
 		;;
 	    *)
 		[ -n "$result" ] && echo $result
 		;;
 	esac
    fi
 }
 #
 # Clear Proxy Arp
 #
 delete_proxyarp() {
    if [ -f ${VARDIR}/proxyarp ]; then
 	while read address interface external haveroute; do
 	    qtnoin $IP -4 neigh del proxy $address dev $external
 	    [ -z "${haveroute}${g_noroutes}" ] && qtnoin $IP -4 route del $address/32 dev $interface
 	    f=/proc/sys/net/ipv4/conf/$interface/proxy_arp
 	    [ -f $f ] && echo 0 > $f
 	done < ${VARDIR}/proxyarp
 	rm -f ${VARDIR}/proxyarp
    fi
 }
 #
 # Remove all Shorewall-added rules
 #
 clear_firewall() {
    stop_firewall
    setpolicy INPUT ACCEPT
    setpolicy FORWARD ACCEPT
    setpolicy OUTPUT ACCEPT
    run_iptables -F
    qt $IPTABLES -t raw -F
    echo 1 > /proc/sys/net/ipv4/ip_forward
    if [ -n "$DISABLE_IPV6" ]; then
 	if [ -x $IP6TABLES ]; then
    	    $IP6TABLES -P INPUT   ACCEPT 2> /dev/null
 	    $IP6TABLES -P OUTPUT  ACCEPT 2> /dev/null
 	    $IP6TABLES -P FORWARD ACCEPT 2> /dev/null
 	fi
    fi
    run_clear_exit
    set_state "Cleared"
    logger -p kern.info "$g_product Cleared"
 }
 #
 # Get a list of all configured broadcast addresses on the system
 #
 get_all_bcasts()
 {
    $IP -f inet addr show 2> /dev/null | grep 'inet.*brd' | grep -v '/32 ' | sed 's/inet.*brd //; s/scope.*//;' | sort -u
 }
 ################################################################################
 # End of functions in /usr/share/shorewall/prog.header
 ################################################################################
--- a/Shorewall/Perl/prog.header6
+++ b/Shorewall/Perl/prog.header6
@@ -0,0 +1,311 @@
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
 #     (c) 1999-2011- Tom Eastep (teastep@shorewall.net)
 #
 #	Options are:
 #
 #	    -n				  Don't alter Routing
 #	    -v and -q			  Standard Shorewall Verbosity control
 #           -t                            Timestamp progress messages
 #           -p                            Purge conntrack table
 #           -r                            Recover from failed start/restart
 #           -V <verbosity>                Set verbosity level explicitly
 #           -R <restore>                  Overrides RESTOREFILE setting
 #
 #	Commands are:
 #
 #	   start			  Starts the firewall
 #          refresh                        Refresh the firewall
 #	   restart			  Restarts the firewall
 #	   reload			  Reload the firewall
 #	   clear			  Removes all firewall rules
 #	   stop				  Stops the firewall
 #	   status			  Displays firewall status
 #	   version			  Displays the version of Shorewall that
 #	   				  generated this program
 #
 ################################################################################
 # Functions imported from /usr/share/shorewall/prog.header6
 ################################################################################
 #
 # Get all interface addresses with VLSMs
 #
 find_interface_full_addresses() # $1 = interface
 {
    $IP -f inet6 addr show $1 2> /dev/null | grep 'inet6 ' | sed 's/\s*inet6 //;s/ scope.*//;s/ peer.*//'
 }
 #
 # Normalize an IPv6 Address by compressing out consecutive zero elements
 #
 normalize_address() # $1 = valid IPv6 Address
 {
    local address
    address=$1
    local j
    while true; do
 	case $address in
 	    ::*)
 		address=0$address
 		;;
 	    *::*)
 		list_count $(split $address)
 		j=$?
 		if [ $j -eq 7 ]; then
 		    address=${address%::*}:0:${address#*::}
 		elif [ $j -eq 8 ]; then
 		    $address=${address%::*}:${address#*::}
 		    break 2
 		else
 		    address=${address%::*}:0::${address#*::}
 		fi
 		;;
 	    *)
 		echo $address
 		break 2
 		;;
 	esac
    done
 }
 #
 # Reads correctly-formed and fully-qualified host and subnet addresses from STDIN. For each
 # that defines a /120 or larger network, it sends to STDOUT:
 #
 #    The corresponding subnet-router anycast address (all host address bits are zero)
 #    The corresponding anycast addresses defined by RFC 2526 (the last 128 addresses in the subnet)
 #
 convert_to_anycast() {
    local address
    local badress
    local vlsm
    local host
    local o
    local m
    m=
    local z
    z=65535
    local l
    while read address; do
 	case $address in
 	    2*|3*)
 		vlsm=${address#*/}
 		vlsm=${vlsm:=128}
 		if [ $vlsm -le 120 ]; then
 	            #
 	            # Defines a viable subnet -- first get the subnet-router anycast address
 	            #
 		    host=$((128 - $vlsm))
 		    address=$(normalize_address ${address%/*})
 		    while [ $host -ge 16 ]; do
 			address=${address%:*}
 			host=$(($host - 16))
 		    done
 		    if [ $host -gt 0 ]; then
 			#
 			# VLSM is not a multiple of 16
 			#
 			host=$((16 - $host))
 			o=$((0x${address##*:}))
 			m=0
 			while [ $host -gt 0 ]; do
 			    m=$((($m >> 1) | 0x8000))
 			    z=$(($z >> 1))
 			    host=$(($host - 1))
 			done
 			o=$(($o & $m))
 			badress=${address%:*}
 			address=$badress:$(printf %04x $o)
 			z=$(($o | $z))
 			if [ $vlsm -gt 112 ]; then
 			    z=$(($z & 0xff80))
 			fi
 			badress=$badress:$(printf %04x $z)
 		    else
 			badress=$address
 		    fi
 		    #
 		    # Note: at this point $address and $badress are the same except possibly for
 		    #       the contents of the last half-word
 		    #
 		    list_count $(split $address)
 		    l=$?
 		    #
 		    # Now generate the anycast addresses defined by RFC 2526
 		    #
 		    if [ $l -lt 8 ]; then
 			#
 			# The subnet-router address
 			#
 			echo $address::
 		    	while [ $l -lt 8 ]; do
 			    badress=$badress:ffff
 			    l=$(($l + 1 ))
 			done
 		    else
 			#
 			# The subnet-router address
 			#
 			echo $address
 		    fi
 		    #
 		    # And the RFC 2526 addresses
 		    #
 		    echo $badress/121
 		fi
 		;;
 	esac
    done
 }
 #
 # Generate a list of anycast addresses for a given interface
 #
 get_interface_acasts() # $1 = interface
 {
    local addresses
    addresses=
    find_interface_full_addresses $1 | convert_to_anycast | sort -u
 }
 #
 # Get a list of all configured anycast addresses on the system
 #
 get_all_acasts()
 {
    find_interface_full_addresses | convert_to_anycast | sort -u
 }
 #
 # Detect the gateway through an interface
 #
 detect_gateway() # $1 = interface
 {
    local interface
    interface=$1
    #
    # First assume that this is some sort of point-to-point interface
    #
    gateway=$( find_peer $($IP -6 addr list $interface ) )
    #
    # Maybe there's a default route through this gateway already
    #
    [ -n "$gateway" ] || gateway=$(find_gateway $($IP -6 route list dev $interface | grep '^default'))
    #
    # Last hope -- is there a load-balancing route through the interface?
    #
    [ -n "$gateway" ] || gateway=$(find_nexthop $interface)
    #
    # Be sure we found one
    #
    [ -n "$gateway" ] && echo $gateway
 }
 #
 # Add an additional gateway to the default route
 #
 add_gateway() # $1 = Delta $2 = Table Number
 {
    local route
    local weight
    local delta
    local dev
    run_ip route add default scope global table $2 $1
 }
 #
 # Remove a gateway from the default route
 #
 delete_gateway() # $! = Description of the Gateway $2 = table number $3 = device
 {
    local route
    local gateway
    local dev
    route=`$IP -6 -o route ls table $2 | grep ^default | sed 's/[\]//g'`
    gateway=$1
    dev=$(find_device $route)
    [ "$dev" = "$3" ] && run_ip route delete default table $2
 }
 #
 # Determine how to do "echo -e"
 #
 find_echo() {
    local result
    result=$(echo "a\tb")
    [ ${#result} -eq 3 ] && { echo echo; return; }
    result=$(echo -e "a\tb")
    [ ${#result} -eq 3 ] && { echo "echo -e"; return; }
    result=$(which echo)
    [ -n "$result" ] && { echo "$result -e"; return; }
    echo echo
 }
 #
 # Clear Proxy NDP
 #
 delete_proxyndp() {
    if [ -f ${VARDIR}/proxyndp ]; then
 	while read address interface external haveroute; do
 	    qt $IP -6 neigh del proxy $address dev $external
 	    [ -z "${haveroute}${g_noroutes}" ] && qt $IP -6 route del $address/128 dev $interface
 	    f=/proc/sys/net/ipv6/conf/$interface/proxy_ndp
 	    [ -f $f ] && echo 0 > $f
 	done < ${VARDIR}/proxyndp
 	rm -f ${VARDIR}/proxyndp
    fi
 }
 #
 # Remove all Shorewall-added rules
 #
 clear_firewall() {
    stop_firewall
    setpolicy INPUT ACCEPT
    setpolicy FORWARD ACCEPT
    setpolicy OUTPUT ACCEPT
    run_iptables -F
    qt $IP6TABLES -t raw -F
    echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
    run_clear_exit
    set_state "Cleared"
    logger -p kern.info "$g_product Cleared"
 }
 ################################################################################
 # End of functions imported from /usr/share/shorewall/prog.header6
 ################################################################################
--- a/Shorewall/Samples/LICENSE
+++ b/Shorewall/Samples/LICENSE
@@ -55,7 +55,7 @@ modified by someone else and passed on, the recipients should know
 that what they have is not the original version, so that the original
 author's reputation will not be affected by problems that might be
 introduced by others.
-
+
  Finally, software patents pose a constant threat to the existence of
 any free program.  We wish to make sure that a company cannot
 effectively restrict the users of a free program by obtaining a
@@ -111,7 +111,7 @@ modification follow.  Pay close attention to the difference between a
 "work based on the library" and a "work that uses the library".  The
 former contains code derived from the library, whereas the latter must
 be combined with the library in order to run.
-
+
 		  GNU LESSER GENERAL PUBLIC LICENSE
   TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
@@ -158,7 +158,7 @@ Library.
  You may charge a fee for the physical act of transferring a copy,
 and you may at your option offer warranty protection in exchange for a
 fee.
-
+
  2. You may modify your copy or copies of the Library or any portion
 of it, thus forming a work based on the Library, and copy and
 distribute such modifications or work under the terms of Section 1
@@ -216,7 +216,7 @@ instead of to this License.  (If a newer version than version 2 of the
 ordinary GNU General Public License has appeared, then you can specify
 that version instead if you wish.)  Do not make any other change in
 these notices.
-
+
  Once this change is made in a given copy, it is irreversible for
 that copy, so the ordinary GNU General Public License applies to all
 subsequent copies and derivative works made from that copy.
@@ -267,7 +267,7 @@ Library will still fall under Section 6.)
 distribute the object code for the work under the terms of Section 6.
 Any executables containing that work also fall under Section 6,
 whether or not they are linked directly with the Library itself.
-
+
  6. As an exception to the Sections above, you may also combine or
 link a "work that uses the Library" with the Library to produce a
 work containing portions of the Library, and distribute that work
@@ -329,7 +329,7 @@ restrictions of other proprietary libraries that do not normally
 accompany the operating system.  Such a contradiction means you cannot
 use both them and the Library together in an executable that you
 distribute.
-
+
  7. You may place library facilities that are a work based on the
 Library side-by-side in a single library together with other library
 facilities not covered by this License, and distribute such a combined
@@ -370,7 +370,7 @@ subject to these terms and conditions.  You may not impose any further
 restrictions on the recipients' exercise of the rights granted herein.
 You are not responsible for enforcing compliance by third parties with
 this License.
-
+
  11. If, as a consequence of a court judgment or allegation of patent
 infringement or for any other reason (not limited to patent issues),
 conditions are imposed on you (whether by court order, agreement or
@@ -422,7 +422,7 @@ conditions either of that version or of any later version published by
 the Free Software Foundation.  If the Library does not specify a
 license version number, you may choose any version ever published by
 the Free Software Foundation.
-
+
  14. If you wish to incorporate parts of the Library into other free
 programs whose distribution conditions are incompatible with these,
 write to the author to ask for permission.  For software which is
@@ -456,7 +456,7 @@ SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH
 DAMAGES.
 		     END OF TERMS AND CONDITIONS
-
+
           How to Apply These Terms to Your New Libraries
  If you develop a new library, and you want it to be of the greatest
--- a/Shorewall/Samples/Universal/interfaces
+++ b/Shorewall/Samples/Universal/interfaces
@@ -7,8 +7,6 @@
 # http://www.shorewall.net/manpages/shorewall-interfaces.html
 #
 ###############################################################################
-FORMAT 2
+#ZONE	INTERFACE	BROADCAST	OPTIONS
-###############################################################################
+-	lo		-		ignore
-#ZONE	INTERFACE	OPTIONS
+net	all		-		dhcp,physical=+,routeback,optional
 -	lo		ignore
 net	all		dhcp,physical=+,routeback,optional
--- a/Shorewall/Samples/Universal/shorewall.conf
+++ b/Shorewall/Samples/Universal/shorewall.conf
@@ -53,9 +53,7 @@ TCP_FLAGS_LOG_LEVEL=info
 #	L O C A T I O N	  O F	F I L E S   A N D   D I R E C T O R I E S
 ###############################################################################
-CONFIG_PATH=${CONFDIR}/shorewall:${SHAREDIR}/shorewall
+CONFIG_PATH=/etc/shorewall:/usr/share/shorewall
 GEOIPDIR="/usr/share/xt_geoip/LE"
 IPTABLES=
@@ -63,8 +61,6 @@ IP=
 IPSET=
 LOCKFILE=
 MODULESDIR=
 PERL=/usr/bin/perl
@@ -142,8 +138,6 @@ FORWARD_CLEAR_MARK=
 IMPLICIT_CONTINUE=No
 IPSET_WARNINGS=Yes
 IP_FORWARDING=On
 KEEP_RT_TABLES=No
--- a/Shorewall/Samples/one-interface/interfaces
+++ b/Shorewall/Samples/one-interface/interfaces
@@ -11,7 +11,5 @@
 #------------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall-interfaces"
 ###############################################################################
-FORMAT 2
+#ZONE	INTERFACE	BROADCAST	OPTIONS
-###############################################################################
+net     eth0            detect          dhcp,tcpflags,logmartians,nosmurfs
 #ZONE	INTERFACE	OPTIONS
 net     eth0            dhcp,tcpflags,logmartians,nosmurfs
--- a/Shorewall/Samples/one-interface/shorewall.conf
+++ b/Shorewall/Samples/one-interface/shorewall.conf
@@ -64,9 +64,7 @@ TCP_FLAGS_LOG_LEVEL=info
 #	L O C A T I O N	  O F	F I L E S   A N D   D I R E C T O R I E S
 ###############################################################################
-CONFIG_PATH=${CONFDIR}/shorewall:${SHAREDIR}/shorewall
+CONFIG_PATH=/etc/shorewall:/usr/share/shorewall
 GEOIPDIR="/usr/share/xt_geoip/LE"
 IPTABLES=
@@ -74,8 +72,6 @@ IP=
 IPSET=
 LOCKFILE=
 MODULESDIR=
 PERL=/usr/bin/perl
@@ -153,8 +149,6 @@ FORWARD_CLEAR_MARK=
 IMPLICIT_CONTINUE=No
 IPSET_WARNINGS=Yes
 IP_FORWARDING=Off
 KEEP_RT_TABLES=No
--- a/Shorewall/Samples/three-interfaces/interfaces
+++ b/Shorewall/Samples/three-interfaces/interfaces
@@ -11,9 +11,7 @@
 #------------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall-interfaces"
 ###############################################################################
-FORMAT 2
+#ZONE	INTERFACE	BROADCAST	OPTIONS
-###############################################################################
+net     eth0            detect          tcpflags,dhcp,nosmurfs,routefilter,logmartians
-#ZONE	INTERFACE	OPTIONS
+loc     eth1            detect          tcpflags,nosmurfs,routefilter,logmartians
-net     eth0            tcpflags,dhcp,nosmurfs,routefilter,logmartians
+dmz     eth2            detect		tcpflags,nosmurfs,routefilter,logmartians
 loc     eth1            tcpflags,nosmurfs,routefilter,logmartians
 dmz     eth2            tcpflags,nosmurfs,routefilter,logmartians
--- a/Shorewall/Samples/three-interfaces/shorewall.conf
+++ b/Shorewall/Samples/three-interfaces/shorewall.conf
@@ -62,9 +62,7 @@ TCP_FLAGS_LOG_LEVEL=info
 #	L O C A T I O N	  O F	F I L E S   A N D   D I R E C T O R I E S
 ###############################################################################
-CONFIG_PATH=${CONFDIR}/shorewall:${SHAREDIR}/shorewall
+CONFIG_PATH=/etc/shorewall:/usr/share/shorewall
 GEOIPDIR="/usr/share/xt_geoip/LE"
 IPTABLES=
@@ -72,8 +70,6 @@ IP=
 IPSET=
 LOCKFILE=
 MODULESDIR=
 PERL=/usr/bin/perl
@@ -151,8 +147,6 @@ FORWARD_CLEAR_MARK=
 IMPLICIT_CONTINUE=No
 IPSET_WARNINGS=Yes
 IP_FORWARDING=On
 KEEP_RT_TABLES=No
--- a/Shorewall/Samples/two-interfaces/interfaces
+++ b/Shorewall/Samples/two-interfaces/interfaces
@@ -11,8 +11,6 @@
 #------------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall-interfaces"
 ###############################################################################
-FORMAT 2
+#ZONE	INTERFACE	BROADCAST	OPTIONS
-###############################################################################
+net     eth0            detect          dhcp,tcpflags,nosmurfs,routefilter,logmartians
-#ZONE	INTERFACE	OPTIONS
+loc     eth1            detect          tcpflags,nosmurfs,routefilter,logmartians
 net     eth0            dhcp,tcpflags,nosmurfs,routefilter,logmartians
 loc     eth1            tcpflags,nosmurfs,routefilter,logmartians
--- a/Shorewall/Samples/two-interfaces/shorewall.conf
+++ b/Shorewall/Samples/two-interfaces/shorewall.conf
@@ -65,9 +65,7 @@ TCP_FLAGS_LOG_LEVEL=info
 #	L O C A T I O N	  O F	F I L E S   A N D   D I R E C T O R I E S
 ###############################################################################
-CONFIG_PATH=${CONFDIR}/shorewall:${SHAREDIR}/shorewall
+CONFIG_PATH=/etc/shorewall:/usr/share/shorewall
 GEOIPDIR="/usr/share/xt_geoip/LE"
 IPTABLES=
@@ -75,8 +73,6 @@ IP=
 IPSET=
 LOCKFILE=
 MODULESDIR=
 PERL=/usr/bin/perl
@@ -154,8 +150,6 @@ FORWARD_CLEAR_MARK=
 IMPLICIT_CONTINUE=No
 IPSET_WARNINGS=Yes
 IP_FORWARDING=On
 KEEP_RT_TABLES=No
--- a/Shorewall/action.Invalid
+++ b/Shorewall/action.Invalid
@@ -49,7 +49,7 @@ my $target           = require_audit ( $action , $audit );
 log_rule_limit $level, $chainref, 'Invalid' , $action, '', $tag, 'add', "$globals{STATEMATCH} INVALID " if $level ne '';
 add_jump $chainref , $target, 0, "$globals{STATEMATCH} INVALID ";
-allow_optimize( $chainref );
+$chainref->{dont_optimize} = 0;
 1;
--- a/Shorewall/action.NotSyn
+++ b/Shorewall/action.NotSyn
@@ -49,7 +49,7 @@ my $target           = require_audit ( $action , $audit );
 log_rule_limit $level, $chainref, 'NotSyn' , $action, '', $tag, 'add', '-p 6 ! --syn ' if $level ne '';
 add_jump $chainref , $target, 0, '-p 6 ! --syn ';
-allow_optimize( $chainref );
+$chainref->{dont_optimize} = 0;
 1;
--- a/Shorewall/action.RST
+++ b/Shorewall/action.RST
@@ -1,55 +0,0 @@
 #
 # Shorewall 4 - RST Action
 #
 #    /usr/share/shorewall/action.RST
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
 #     (c) 2012 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
 #       This program is free software; you can redistribute it and/or modify
 #       it under the terms of Version 2 of the GNU General Public License
 #       as published by the Free Software Foundation.
 #
 #       This program is distributed in the hope that it will be useful,
 #       but WITHOUT ANY WARRANTY; without even the implied warranty of
 #       MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 #       GNU General Public License for more details.
 #
 #       You should have received a copy of the GNU General Public License
 #       along with this program; if not, write to the Free Software
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 #   RST[([<action>|-[,{audit|-}])]
 #
 #       Default action is DROP
 #
 ##########################################################################################
 FORMAT 2
 DEFAULTS DROP,-
 BEGIN PERL;
 use Shorewall::Config;
 use Shorewall::Chains;
 my ( $action, $audit ) = get_action_params( 2 );
 fatal_error "Invalid parameter ($audit) to action NotSyn"   if supplied $audit && $audit ne 'audit';
 fatal_error "Invalid parameter ($action) to action NotSyn"  unless $action =~ /^(?:ACCEPT|DROP)$/;
 my $chainref         = get_action_chain;
 my ( $level, $tag )  = get_action_logging;
 my $target           = require_audit ( $action , $audit );
 log_rule_limit $level, $chainref, 'RST' , $action, '', $tag, 'add', '-p 6 --tcp-flags RST RST ' if $level ne '';
 add_jump $chainref , $target, 0, '-p 6 --tcp-flags RST RST, ';
 allow_optimize( $chainref );
 1;
 END PERL;
--- a/Shorewall/actions.std
+++ b/Shorewall/actions.std
@@ -41,5 +41,4 @@ DropSmurfs          # Drop smurf packets
 Invalid             # Handles packets in the INVALID conntrack state
 NotSyn              # Handles TCP packets which do not have SYN=1 and ACK=0
 Reject		    # Default Action for REJECT policy
 RST		    # Handle packets with RST set
 TCPFlags            # Handle bad flag combinations.
--- a/Shorewall/configfiles/interfaces
+++ b/Shorewall/configfiles/interfaces
@@ -7,6 +7,4 @@
 # http://www.shorewall.net/manpages/shorewall-interfaces.html
 #
 ###############################################################################
-FORMAT 2
+#ZONE	INTERFACE	BROADCAST	OPTIONS
 ###############################################################################
 #ZONE		INTERFACE		OPTIONS
--- a/Shorewall/configfiles/masq
+++ b/Shorewall/configfiles/masq
@@ -6,6 +6,6 @@
 # The manpage is also online at
 # http://www.shorewall.net/manpages/shorewall-masq.html
 #
-######################################################################################################
+#############################################################################################
-#INTERFACE:DEST		SOURCE		ADDRESS		PROTO	PORT(S)	IPSEC	MARK	USER/	SWITCH
+#INTERFACE:DEST		SOURCE		ADDRESS		PROTO	PORT(S)	IPSEC	MARK	USER/
 #											GROUP
--- a/Shorewall/configfiles/shorewall.conf
+++ b/Shorewall/configfiles/shorewall.conf
@@ -53,9 +53,7 @@ TCP_FLAGS_LOG_LEVEL=info
 #	L O C A T I O N	  O F	F I L E S   A N D   D I R E C T O R I E S
 ###############################################################################
-CONFIG_PATH="${CONFDIR}/shorewall:${SHAREDIR}/shorewall"
+CONFIG_PATH="/etc/shorewall:/usr/share/shorewall"
 GEOIPDIR="/usr/share/xt_geoip/LE"
 IPTABLES=
@@ -63,8 +61,6 @@ IP=
 IPSET=
 LOCKFILE=
 MODULESDIR=
 PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin"
@@ -142,8 +138,6 @@ FORWARD_CLEAR_MARK=
 IMPLICIT_CONTINUE=No
 IPSET_WARNINGS=Yes
 IP_FORWARDING=On
 KEEP_RT_TABLES=No
--- a/Shorewall/configfiles/tcrules
+++ b/Shorewall/configfiles/tcrules
@@ -9,9 +9,7 @@
 #
 # See http://shorewall.net/PacketMarking.html for a detailed description of
 # the Netfilter/Shorewall packet marking mechanism.
-##########################################################################################################################################
+######################################################################################################################################
-FORMAT 2
+#MARK	SOURCE		DEST		PROTO	DEST	SOURCE	USER	TEST	LENGTH	TOS   CONNBYTES		HELPER    PROBABILITY
 ##########################################################################################################################################
 #ACTION	SOURCE		DEST		PROTO	DEST	SOURCE	USER	TEST	LENGTH	TOS   CONNBYTES		HELPER    PROBABILITY DSCP
 #						PORT(S)	PORT(S)
--- a/Shorewall/configfiles/tos
+++ b/Shorewall/configfiles/tos
@@ -4,5 +4,5 @@
 # For information about entries in this file, type "man shorewall-tos"
 #
 ###############################################################################
-#SOURCE		DEST		PROTOCOL	DEST	SOURCE	TOS	MARK
+#SOURCE		DEST		PROTOCOL	SOURCE	DEST	TOS	MARK
 #						PORTS	PORTS
--- a/Shorewall/configfiles/tunnels
+++ b/Shorewall/configfiles/tunnels
@@ -7,5 +7,5 @@
 # http://www.shorewall.net/manpages/shorewall-tunnels.html
 #
 ###############################################################################
-#TYPE			ZONE	GATEWAY(S)			GATEWAY
+#TYPE			ZONE	GATEWAY		GATEWAY
-#								ZONE(S)
+#						ZONE
--- a/Shorewall/configpath
+++ b/Shorewall/configpath
@@ -10,4 +10,4 @@
 #	/usr/share/shorewall/configfiles/. This prevents 'compile -e'
 #	from trying to use configuration information from /etc/shorewall.
-CONFIG_PATH=${CONFDIR}:${SHAREDIR}/shorewall
+CONFIG_PATH=${CONFDIR}:/usr/share/shorewall
--- a/Shorewall/init.debian.sh
+++ b/Shorewall/init.debian.sh
@@ -11,6 +11,7 @@
 ### END INIT INFO
 SRWL=/sbin/shorewall
 SRWL_OPTS="-tvv"
 WAIT_FOR_IFUP=/usr/share/shorewall/wait4ifup
@@ -53,15 +54,10 @@ not_configured () {
 	exit 0
 }
 #
 # The installer may alter this
 #
 . /usr/share/shorewall/shorewallrc
 # check if shorewall is configured or not
-if [ -f "${SYSCONFDIR}/shorewall" ]
+if [ -f "/etc/default/shorewall" ]
 then
-	. ${SYSCONFDIR}/shorewall
+	. /etc/default/shorewall
 	SRWL_OPTS="$SRWL_OPTS $OPTIONS"
 	if [ "$startup" != "1" ]
 	then
--- a/Shorewall/init.fedora.sh
+++ b/Shorewall/init.fedora.sh
@@ -20,21 +20,16 @@
 # Source function library.
 . /etc/rc.d/init.d/functions
 #
 # The installer may alter this
 #
 . /usr/share/shorewall/shorewallrc
 prog="shorewall"
-shorewall="${SBINDIR}/$prog"
+shorewall="/sbin/$prog"
 logger="logger -i -t $prog"
 lockfile="/var/lock/subsys/$prog"
 # Get startup options (override default)
 OPTIONS=
-if [ -f ${SYSCONFDIR}/$prog ]; then
+if [ -f /etc/sysconfig/$prog ]; then
-    . ${SYSCONFDIR}/$prog
+    . /etc/sysconfig/$prog
 fi
 start() {
--- a/Shorewall/init.sh
+++ b/Shorewall/init.sh
@@ -54,7 +54,7 @@ RCDLINKS="2,S41 3,S41 6,K41"
 # Give Usage Information						       #
 ################################################################################
 usage() {
-    echo "Usage: $0 start|stop|reload|restart|status" >&2
+    echo "Usage: $0 start|stop|reload|restart|status"
    exit 1
 }
@@ -62,14 +62,10 @@ usage() {
 # Get startup options (override default)
 ################################################################################
 OPTIONS="-v0"
-
+if [ -f /etc/sysconfig/shorewall ]; then
-#
+    . /etc/sysconfig/shorewall
-# The installer may alter this
+elif [ -f /etc/default/shorewall ] ; then
-#
+    . /etc/default/shorewall
 . /usr/share/shorewall/shorewallrc
 if [ -f ${SYSCONFDIR}/shorewall ]; then
    . ${SYSCONFDIR}/shorewall
 fi
 export SHOREWALL_INIT_SCRIPT=1
@@ -82,13 +78,13 @@ shift
 case "$command" in
    start)
-	exec $SBINDIR/shorewall $OPTIONS start $STARTOPTIONS
+	exec /sbin/shorewall $OPTIONS start $STARTOPTIONS
 	;;
    restart|reload)
-	exec $SBINDIR/shorewall $OPTIONS restart $RESTARTOPTIONS
+	exec /sbin/shorewall $OPTIONS restart $RESTARTOPTIONS
 	;;
    status|stop)
-	exec $SBINDIR/shorewall $OPTIONS $command
+	exec /sbin/shorewall $OPTIONS $command
 	;;
    *)
 	usage
--- a/Shorewall-core/init.slackware.firewall.sh
+++ b/Shorewall-core/init.slackware.firewall.sh
--- a/Shorewall/install.sh
+++ b/Shorewall/install.sh
--- a/Shorewall/lib.cli-std
+++ b/Shorewall/lib.cli-std
@@ -34,8 +34,6 @@ get_config() {
    ensure_config_path
    if [ "$1" = Yes ]; then
 	params=$(find_file params)
@@ -241,7 +239,7 @@ get_config() {
 	LOG_VERBOSITY=-1
    fi
-    if [ -n "$SHOREWALL_SHELL" -a -z "$g_export" ]; then
+    if [ -n "$SHOREWALL_SHELL" ]; then
 	if [ ! -x "$SHOREWALL_SHELL" ]; then
 	    echo "   WARNING: The program specified in SHOREWALL_SHELL does not exist or is not executable; falling back to /bin/sh" >&2
 	    SHOREWALL_SHELL=/bin/sh
@@ -362,8 +360,6 @@ uptodate() {
 #
 compiler() {
    local pc
    local shorewallrc
    pc=$g_libexec/shorewall/compiler.pl
    if [ $(id -u) -ne 0 ]; then
@@ -378,7 +374,7 @@ compiler() {
    #
    # Get the config from $g_shorewalldir
    #
-    [ -n "$g_shorewalldir" -a "$g_shorewalldir" != ${g_confdir} ] && get_config
+    [ -n "$g_shorewalldir" -a "$g_shorewalldir" != /etc/$g_program ] && get_config
    case $COMMAND in
 	*start|try|refresh)
@@ -399,14 +395,7 @@ compiler() {
    [ "$1" = nolock ] && shift;
    shift
-    if [ -n "$g_export" ]; then
+    options="--verbose=$VERBOSITY --family=$g_family --config_path=$CONFIG_PATH"
 	shorewallrc=$(find_file shorewallrc)
 	[ -f "$shorewallrc" ] || fatal_error "Compiling for export requires a shorewallrc file"
    else
 	shorewallrc="${g_basedir}/shorewallrc"
    fi
    options="--verbose=$VERBOSITY --family=$g_family --config_path=$CONFIG_PATH --shorewallrc=${shorewallrc}"
    [ -n "$STARTUP_LOG" ] && options="$options --log=$STARTUP_LOG"
    [ -n "$LOG_VERBOSITY" ] && options="$options --log_verbosity=$LOG_VERBOSITY";
    [ -n "$g_export" ] && options="$options --export"
@@ -508,10 +497,6 @@ start_command() {
 			    AUTOMAKE=
 			    option=${option#c}
 			    ;;			    
 			T*)
 			    g_confess=Yes
 			    option=${option#T}
 			    ;;
 			*)
 			    usage 1
 			    ;;
@@ -884,10 +869,6 @@ restart_command() {
 			    g_purge=Yes
 			    option=${option%p}
 			    ;;
 			T*)
 			    g_confess=Yes
 			    option=${option#T}
 			    ;;
 			*)
 			    usage 1
 			    ;;
@@ -972,27 +953,6 @@ refresh_command() {
 			    finished=1
 			    option=
 			    ;;
 			d*)
 			    g_debug=Yes
 			    option=${option#d}
 			    ;;
 			n*)
 			    g_noroutes=Yes
 			    option=${option#n}
 			    ;;
 			T*)
 			    g_confess=Yes
 			    option=${option#T}
 			    ;;
 			D)
 			    if [ $# -gt 1 ]; then
 				g_shorewalldir="$2"
 				option=
 				shift
 			    else
 				fatal_error "ERROR: the -D option requires a directory name"
 			    fi
 			    ;;
 			*)
 			    usage 1
 			    ;;
@@ -1337,10 +1297,6 @@ reload_command() # $* = original arguments less the command.
    root=root
    local libexec
    libexec=/usr/share
    local confdir
    confdir=/etc
    local sbindir
    sbindir=/sbin
    litedir=/var/lib/${g_program}-lite
@@ -1370,10 +1326,6 @@ reload_command() # $* = original arguments less the command.
 			    option=
 			    shift
 			    ;;
 			T*)
 			    g_confess=Yes
 			    option=${option#T}
 			    ;;
 			*)
 			    usage 1
 			    ;;
@@ -1401,11 +1353,11 @@ reload_command() # $* = original arguments less the command.
 	    ;;
    esac
-    temp=$(rsh_command ${g_program}-lite show config 2> /dev/null | grep ^LITEDIR | sed 's/LITEDIR is //')
+    temp=$(rsh_command /sbin/${g_program}-lite show config 2> /dev/null | grep ^LITEDIR | sed 's/LITEDIR is //')
    [ -n "$temp" ] && litedir="$temp"
-    temp=$(rsh_command ${g_program}-lite show config 2> /dev/null | grep ^LIBEXEC | sed 's/LIBEXEC is //')
+    temp=$(rsh_command /sbin/${g_program}-lite show config 2> /dev/null | grep ^LIBEXEC | sed 's/LIBEXEC is //')
    if [ -n "$temp" ]; then
 	case $temp in
@@ -1418,14 +1370,6 @@ reload_command() # $* = original arguments less the command.
 	esac
    fi
    temp=$(rsh_command ${g_program}-lite show config 2> /dev/null | grep ^SBINDIR | sed 's/SBINDIR is //')
    [ -n "$temp" ] && sbindir="$temp"
    temp=$(rsh_command ${g_program}-lite show config 2> /dev/null | grep ^CONFDIR | sed 's/CONFDIR is //')
    [ -n "$temp" ] && confdir="$temp"
    if [ -z "$getcaps" ]; then
 	g_shorewalldir=$(resolve_file $directory)
 	ensure_config_path
@@ -1466,20 +1410,19 @@ reload_command() # $* = original arguments less the command.
    then
 	save=$(find_file save);
-	[ -f $save ] && progress_message3 "Copying $save to ${system}:${confdir}/${g_program}-lite/" && rcp_command $save ${confdir}/shorewall-lite/
+	[ -f $save ] && progress_message3 "Copying $save to ${system}:/etc/${g_program}-lite/" && rcp_command $save /etc/shorewall-lite/
 	progress_message3 "Copy complete"
 	if [ $COMMAND = reload ]; then
-	    rsh_command "${sbindir}/${g_program}-lite $g_debugging $verbose $timestamp restart" && \
+	    rsh_command "/sbin/${g_program}-lite $g_debugging $verbose $timestamp restart" && \
 	    progress_message3 "System $system reloaded" || saveit=
 	else
-	    rsh_command "${sbindir}/${g_program}-lite $g_debugging $verbose $timestamp start" && \
+	    rsh_command "/sbin/${g_program}-lite $g_debugging $verbose $timestamp start" && \
 	    progress_message3 "System $system loaded" || saveit=
 	fi
 	if [ -n "$saveit" ]; then
-	    rsh_command "${sbindir}/${g_program}-lite $g_debugging $verbose $timestamp save" && \
+	    rsh_command "/sbin/${g_program}-lite $g_debugging $verbose $timestamp save" && \
 	    progress_message3 "Configuration on system $system saved"
 	fi
    fi
@@ -1571,7 +1514,7 @@ usage() # $1 = exit status
    echo "   allow <address> ..."
    echo "   check [ -e ] [ -r ] [ -p ] [ -r ] [ -T ] [ <directory> ]"
    echo "   clear"
-    echo "   compile [ -e ] [ -p ] [ -t ] [ -d ] [ -T ] [ <directory name> ] [ <path name> ]"
+    echo "   compile [ -e ] [ -d ] [ <directory name> ] [ <path name> ]"
    echo "   delete <interface>[:<host-list>] ... <zone>"
    echo "   disable <interface>"
    echo "   drop <address> ..."
@@ -1589,7 +1532,7 @@ usage() # $1 = exit status
    fi
    echo "   iptrace <iptables match expression>"
-    echo "   load [ -s ] [ -c ] [ -r <root user> ] [ -T ] [ <directory> ] <system>"
+    echo "   load [ -s ] [ -c ] [ -r <root user> ] [ <directory> ] <system>"
    echo "   logdrop <address> ..."
    echo "   logreject <address> ..."
    echo "   logwatch [<refresh interval>]"
@@ -1600,11 +1543,11 @@ usage() # $1 = exit status
 	echo "   noiptrace <ip6tables match expression>"
    fi
-    echo "   refresh [ -d ] [ -n ] [ -T ] [ -D <directory> ] [ <chain>... ]"
+    echo "   refresh [ <chain>... ]"
    echo "   reject <address> ..."
-    echo "   reload [ -s ] [ -c ] [ -r <root user> ] [ -T ] [ <directory> ] <system>"
+    echo "   reload [ -s ] [ -c ] [ -r <root user> ] [ <directory> ] <system>"
    echo "   reset [ <chain> ... ]"
-    echo "   restart [ -n ] [ -p ] [-d] [ -f ] [ -c ] [ -T ] [ <directory> ]"
+    echo "   restart [ -n ] [ -p ] [-d] [ -f ] [ -c ][ <directory> ]"
    echo "   restore [ -n ] [ <file name> ]"
    echo "   safe-restart [ -t <timeout> ] [ <directory> ]"
    echo "   safe-start [ -t <timeout> ] [ <directory> ]"
@@ -1632,7 +1575,7 @@ usage() # $1 = exit status
    echo "   show tc [ device ]"
    echo "   show vardir"
    echo "   show zones"
-    echo "   start [ -f ] [ -n ] [ -p ] [ -c ] [ -T ] [ <directory> ]"
+    echo "   start [ -f ] [ -n ] [ -p ] [ -c ] [ <directory> ]"
    echo "   status"
    echo "   stop"
    echo "   try <directory> [ <timeout> ]"
--- a/Shorewall/lib.core
+++ b/Shorewall/lib.core
@@ -1,34 +1,30 @@
 #
 # Shorewall 4.5 -- /usr/share/shorewall/lib.core.
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 1999-2012 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2010-2012 - Tom Eastep (teastep@shorewall.net)
 #
-#	Options are:
+#	Complete documentation is available at http://shorewall.net
 #
-#	    -n				  Don't alter Routing
+#	This program is free software; you can redistribute it and/or modify
-#	    -v and -q			  Standard Shorewall Verbosity control
+#	it under the terms of Version 2 of the GNU General Public License
-#           -t                            Timestamp progress messages
+#	as published by the Free Software Foundation.
 #           -p                            Purge conntrack table
 #           -r                            Recover from failed start/restart
 #           -V <verbosity>                Set verbosity level explicitly
 #           -R <restore>                  Overrides RESTOREFILE setting
 #
-#	Commands are:
+#	This program is distributed in the hope that it will be useful,
 #	but WITHOUT ANY WARRANTY; without even the implied warranty of
 #	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 #	GNU General Public License for more details.
 #
-#	   start			  Starts the firewall
+#	You should have received a copy of the GNU General Public License
-#          refresh                        Refresh the firewall
+#	along with this program; if not, write to the Free Software
-#	   restart			  Restarts the firewall
+#	Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #	   reload			  Reload the firewall
 #	   clear			  Removes all firewall rules
 #	   stop				  Stops the firewall
 #	   status			  Displays firewall status
 #	   version			  Displays the version of Shorewall that
 #	   				  generated this program
 #
-################################################################################
+# The purpose of this library is to hold those functions used by the generated
-# Functions imported from /usr/share/shorewall/lib.core
+# scripts (both IPv4 and IPv6 -- the functions that are specific to one or the other
-################################################################################
+# are found in prog.header and prog.header6).
-#                     Address family-neutral Functions
+#
-################################################################################
+#########################################################################################
 #
 # Conditionally produce message
 #
@@ -171,6 +167,28 @@ interface_is_up() {
    [ -n "$($IP -$g_family link list dev $1 2> /dev/null | grep -e '[<,]UP[,>]')" ]
 }
 #
 # Determine if interface is usable from a Netfilter perspective
 #
 interface_is_usable() # $1 = interface
 {
    [ "$1" = lo ] && return 0
    interface_is_up $1 && [ "$(find_first_interface_address_if_any $1)" != :: ] && run_isusable_exit $1
 }
 #
 # Find interface addresses--returns the set of addresses assigned to the passed
 # device
 #
 find_interface_addresses() # $1 = interface
 {
    if [ $g_family -eq 4 ]; then
 	$IP -f inet addr show $1 2> /dev/null | grep inet\  | sed 's/\s*inet //;s/\/.*//;s/ peer.*//'
    else
 	$IP -f inet6 addr show $1 2> /dev/null | grep 'inet6 2' | sed 's/\s*inet6 //;s/\/.*//;s/ peer.*//'
    fi
 }
 #
 #  echo the list of networks routed out of a given interface
 #
@@ -572,7 +590,6 @@ distribute_load() {
    local interface
    local totalload
    local load
    local mark
    local maxload
    maxload=$1
@@ -584,8 +601,6 @@ distribute_load() {
 	if interface_up $interface; then
 	    load=$(cat ${VARDIR}/${interface}_load)
 	    eval ${interface}_load=$load
 	    mark=$(cat ${VARDIR}/${interface}_mark)
 	    eval ${interface}_mark=$mark
 	    totalload=$( bc <<EOF
 scale=8
 $totalload + $load
@@ -598,7 +613,6 @@ EOF
 	for interface in $@; do
 	    qt $g_tool -t mangle -F ~$interface
 	    eval load=\$${interface}_load
 	    eval mark=\$${interface}_mark
 	    if [ -n "$load" ]; then
 		load=$(bc <<EOF
@@ -611,703 +625,8 @@ scale=8
 $totalload - $load
 EOF
 )
-		run_iptables -t mangle -A ~$interface -m statistic --mode random --probability $load -j MARK --set-mark $mark
+		run_iptables -t mangle -A ~$interface -m statistic --mode random --probability $load
 	    fi
 	done
    fi
 }
 ?IF __IPV4
 #################################################################################
 #                        IPv4-specific Functions
 #################################################################################
 #
 # Determine if interface is usable from a Netfilter perspective
 #
 interface_is_usable() # $1 = interface
 {
    local status;
    status=0
    if [ "$1" != lo ]; then
 	if interface_is_up $1 && [ "$(find_first_interface_address_if_any $1)" != 0.0.0.0 ]; then
 	    [ "$COMMAND" = enable ] || run_isusable_exit $1
 	    status=$?
 	else
 	    status=1
 	fi
    fi
    return $status
 }
 #
 # Find interface addresses--returns the set of addresses assigned to the passed device
 #
 find_interface_addresses() # $1 = interface
 {
    $IP -f inet addr show $1 2> /dev/null | grep inet\  | sed 's/\s*inet //;s/\/.*//;s/ peer.*//'
 }
 #
 # Find the value 'weight' in the passed arguments then echo the next value
 #
 find_weight() {
    while [ $# -gt 1 ]; do
 	[ "x$1" = xweight ] && echo $2 && return
 	shift
    done
 }
 #
 # Find the interfaces that have a route to the passed address - the default
 # route is not used.
 #
 find_rt_interface() {
    $IP -4 route list | while read addr rest; do
 	case $addr in
 	    */*)
 		in_network ${1%/*} $addr && echo $(find_device $rest)
 		;;
 	    default)
 		;;
 	    *)
 		if [ "$addr" = "$1" -o "$addr/32" = "$1" ]; then
 		    echo $(find_device $rest)
 		fi
 		;;
 	esac
    done
 }
 #
 # Echo the name of the interface(s) that will be used to send to the
 # passed address
 #
 find_interface_by_address() {
    local dev
    dev="$(find_rt_interface $1)"
    local first
    local rest
    [ -z "$dev" ] && dev=$(find_default_interface)
    [ -n "$dev" ] && echo $dev
 }
 #
 #  echo the list of networks routed out of a given interface
 #
 get_routed_networks() # $1 = interface name, $2-n = Fatal error message
 {
    local address
    local rest
    $IP -4 route show dev $1 2> /dev/null |
 	while read address rest; do
 	    case "$address" in
 		default)
 		    if [ $# -gt 1 ]; then
 			shift
 			fatal_error "$@"
 		    else
 			echo "WARNING: default route ignored on interface $1" >&2
 		    fi
 		    ;;
 		multicast|broadcast|prohibit|nat|throw|nexthop)
 		    ;;
 		*)
 		    [ "$address" = "${address%/*}" ] && address="${address}/32"
 		    echo $address
 		    ;;
 	    esac
        done
 }
 #
 # Get the broadcast addresses associated with an interface
 #
 get_interface_bcasts() # $1 = interface
 {
    local addresses
    addresses=
    $IP -f inet addr show dev $1 2> /dev/null | grep 'inet.*brd' | sed 's/inet.*brd //; s/scope.*//;' | sort -u
 }
 #
 # Delete IP address
 #
 del_ip_addr() # $1 = address, $2 = interface
 {
    [ $(find_first_interface_address_if_any $2) = $1 ] || qtnoin $IP addr del $1 dev $2
 }
 # Add IP Aliases
 #
 add_ip_aliases() # $* = List of addresses
 {
    local local
    local addresses
    local external
    local interface
    local inet
    local cidr
    local rest
    local val
    local arping
    arping=$(mywhich arping)
    address_details()
    {
 	#
 	# Folks feel uneasy if they don't see all of the same
 	# decoration on these IP addresses that they see when their
 	# distro's net config tool adds them. In an attempt to reduce
 	# the anxiety level, we have the following code which sets
 	# the VLSM and BRD from an existing address in the same network
 	#
 	# Get all of the lines that contain inet addresses with broadcast
 	#
 	$IP -f inet addr show $interface 2> /dev/null | grep 'inet.*brd' | while read inet cidr rest ; do
 	    case $cidr in
 		*/*)
 		    if in_network $external $cidr; then
 			echo "/${cidr#*/} brd $(broadcastaddress $cidr)"
 			break
 		    fi
 		    ;;
 	    esac
 	done
    }
    do_one()
    {
 	val=$(address_details)
 	$IP addr add ${external}${val} dev $interface $label
 	[ -n "$arping" ] && qt $arping -U -c 2 -I $interface $external
 	echo "$external $interface" >> $VARDIR/nat
 	[ -n "$label" ] && label="with $label"
 	progress_message "   IP Address $external added to interface $interface $label"
    }
    progress_message "Adding IP Addresses..."
    while [ $# -gt 0 ]; do
 	external=$1
 	interface=$2
 	label=
 	if [ "$interface" != "${interface%:*}" ]; then
 	    label="${interface#*:}"
 	    interface="${interface%:*}"
 	    label="label $interface:$label"
 	fi
 	shift 2
 	list_search $external $(find_interface_addresses $interface) || do_one
    done
 }
 #
 # Detect the gateway through a PPP or DHCP-configured interface
 #
 detect_dynamic_gateway() { # $1 = interface
    local interface
    interface=$1
    local GATEWAYS
    GATEWAYS=
    local gateway
    gateway=$(run_findgw_exit $1);
    if [ -z "$gateway" ]; then
 	gateway=$( find_peer $($IP addr list $interface ) )
    fi
    if [ -z "$gateway" -a -f /var/lib/dhcpcd/dhcpcd-${1}.info ]; then
 	eval $(grep ^GATEWAYS=  /var/lib/dhcpcd/dhcpcd-${1}.info 2> /dev/null)
 	[ -n "$GATEWAYS" ] && GATEWAYS=${GATEWAYS%,*} && gateway=$GATEWAYS
    fi
    if [ -z "$gateway" -a -f /var/lib/dhcp/dhclient-${1}.lease ]; then
 	gateway=$(grep 'option routers' /var/lib/dhcp/dhclient-${1}.lease | tail -n 1 | while read j1 j2 gateway; do echo $gateway ; return 0; done)
    fi
    [ -n "$gateway" ] && echo $gateway
 }
 #
 # Detect the gateway through an interface
 #
 detect_gateway() # $1 = interface
 {
    local interface
    interface=$1
    local gateway
    #
    # First assume that this is some sort of dynamic interface
    #
    gateway=$( detect_dynamic_gateway $interface )
    #
    # Maybe there's a default route through this gateway already
    #
    [ -n "$gateway" ] || gateway=$(find_gateway $($IP -4 route list dev $interface | grep ^default))
    #
    # Last hope -- is there a load-balancing route through the interface?
    #
    [ -n "$gateway" ] || gateway=$(find_nexthop $interface)
    #
    # Be sure we found one
    #
    [ -n "$gateway" ] && echo $gateway
 }
 #
 # Disable IPV6
 #
 disable_ipv6() {
    local foo
    foo="$($IP -f inet6 addr list 2> /dev/null)"
    if [ -n "$foo" ]; then
 	if [ -x "$IP6TABLES" ]; then
 	    $IP6TABLES -P FORWARD DROP
 	    $IP6TABLES -P INPUT DROP
 	    $IP6TABLES -P OUTPUT DROP
 	    $IP6TABLES -F
 	    $IP6TABLES -X
 	    $IP6TABLES -A OUTPUT -o lo -j ACCEPT
 	    $IP6TABLES -A INPUT -i lo -j ACCEPT
 	else
 	    error_message "WARNING: DISABLE_IPV6=Yes in shorewall.conf but this system does not appear to have ip6tables"
 	fi
    fi
 }
 #
 # Add an additional gateway to the default route
 #
 add_gateway() # $1 = Delta $2 = Table Number
 {
    local route
    local weight
    local delta
    local dev
    route=`$IP -4 -o route ls table $2 | grep ^default | sed 's/default //; s/[\]//g'`
    if [ -z "$route" ]; then
 	run_ip route add default scope global table $2 $1
    else
 	delta=$1
 	if ! echo $route | fgrep -q ' nexthop '; then
 	    route=`echo $route | sed 's/via/nexthop via/'`
 	    dev=$(find_device $route)
 	    if [ -f ${VARDIR}/${dev}_weight ]; then
 		weight=`cat ${VARDIR}/${dev}_weight`
 		route="$route weight $weight"
 	    fi
 	fi
 	run_ip route replace default scope global table $2 $route $delta
    fi
 }
 #
 # Remove a gateway from the default route
 #
 delete_gateway() # $! = Description of the Gateway $2 = table number $3 = device
 {
    local route
    local gateway
    local dev
    route=`$IP -4 -o route ls table $2 | grep ^default | sed 's/[\]//g'`
    gateway=$1
    if [ -n "$route" ]; then
 	if echo $route | fgrep -q ' nexthop '; then
 	    gateway="nexthop $gateway"
 	    eval route=\`echo $route \| sed \'s/$gateway/ /\'\`
 	    run_ip route replace table $2 $route
 	else
 	    dev=$(find_device $route)
 	    [ "$dev" = "$3" ] && run_ip route delete default table $2
 	fi
    fi
 }
 #
 # Determine the MAC address of the passed IP through the passed interface
 #
 find_mac() # $1 = IP address, $2 = interface
 {
    if interface_is_usable $2 ; then
 	qt ping -nc 1 -t 2 -I $2 $1
 	local result
 	result=$($IP neigh list |  awk "/^$1 / {print \$5}")
 	case $result in
 	    \<*\>)
 		;;
 	    *)
 		[ -n "$result" ] && echo $result
 		;;
 	esac
    fi
 }
 #
 # Clear Proxy Arp
 #
 delete_proxyarp() {
    if [ -f ${VARDIR}/proxyarp ]; then
 	while read address interface external haveroute; do
 	    qtnoin $IP -4 neigh del proxy $address dev $external
 	    [ -z "${haveroute}${g_noroutes}" ] && qtnoin $IP -4 route del $address/32 dev $interface
 	    f=/proc/sys/net/ipv4/conf/$interface/proxy_arp
 	    [ -f $f ] && echo 0 > $f
 	done < ${VARDIR}/proxyarp
 	rm -f ${VARDIR}/proxyarp
    fi
 }
 #
 # Remove all Shorewall-added rules
 #
 clear_firewall() {
    stop_firewall
    setpolicy INPUT ACCEPT
    setpolicy FORWARD ACCEPT
    setpolicy OUTPUT ACCEPT
    run_iptables -F
    qt $IPTABLES -t raw -F
    echo 1 > /proc/sys/net/ipv4/ip_forward
    if [ -n "$DISABLE_IPV6" ]; then
 	if [ -x $IP6TABLES ]; then
    	    $IP6TABLES -P INPUT   ACCEPT 2> /dev/null
 	    $IP6TABLES -P OUTPUT  ACCEPT 2> /dev/null
 	    $IP6TABLES -P FORWARD ACCEPT 2> /dev/null
 	fi
    fi
    run_clear_exit
    set_state "Cleared"
    logger -p kern.info "$g_product Cleared"
 }
 #
 # Get a list of all configured broadcast addresses on the system
 #
 get_all_bcasts()
 {
    $IP -f inet addr show 2> /dev/null | grep 'inet.*brd' | grep -v '/32 ' | sed 's/inet.*brd //; s/scope.*//;' | sort -u
 }
 ?ELSE
 #################################################################################
 #                        IPv6-specific Functions
 #################################################################################
 #
 # Determine if interface is usable from a Netfilter perspective
 #
 interface_is_usable() # $1 = interface
 {
    local status;
    status=0
    if [ "$1" != lo ]; then
 	if interface_is_up $1 && [ "$(find_first_interface_address_if_any $1)" != :: ]; then
 	    [ "$COMMAND" = enable ] || run_isusable_exit $1
 	    status=$?
 	else
 	    status=1
 	fi
    fi
    return $status
 }
 #
 # Find interface addresses--returns the set of addresses assigned to the passed device
 #
 find_interface_addresses() # $1 = interface
 {
    $IP -f inet6 addr show $1 2> /dev/null | grep 'inet6 2' | sed 's/\s*inet6 //;s/\/.*//;s/ peer.*//'
 }
 #
 # Get all interface addresses with VLSMs
 #
 find_interface_full_addresses() # $1 = interface
 {
    $IP -f inet6 addr show $1 2> /dev/null | grep 'inet6 ' | sed 's/\s*inet6 //;s/ scope.*//;s/ peer.*//'
 }
 #
 # Normalize an IPv6 Address by compressing out consecutive zero elements
 #
 normalize_address() # $1 = valid IPv6 Address
 {
    local address
    address=$1
    local j
    while true; do
 	case $address in
 	    ::*)
 		address=0$address
 		;;
 	    *::*)
 		list_count $(split $address)
 		j=$?
 		if [ $j -eq 7 ]; then
 		    address=${address%::*}:0:${address#*::}
 		elif [ $j -eq 8 ]; then
 		    $address=${address%::*}:${address#*::}
 		    break 2
 		else
 		    address=${address%::*}:0::${address#*::}
 		fi
 		;;
 	    *)
 		echo $address
 		break 2
 		;;
 	esac
    done
 }
 #
 # Reads correctly-formed and fully-qualified host and subnet addresses from STDIN. For each
 # that defines a /120 or larger network, it sends to STDOUT:
 #
 #    The corresponding subnet-router anycast address (all host address bits are zero)
 #    The corresponding anycast addresses defined by RFC 2526 (the last 128 addresses in the subnet)
 #
 convert_to_anycast() {
    local address
    local badress
    local vlsm
    local host
    local o
    local m
    m=
    local z
    z=65535
    local l
    while read address; do
 	case $address in
 	    2*|3*)
 		vlsm=${address#*/}
 		vlsm=${vlsm:=128}
 		if [ $vlsm -le 120 ]; then
 	            #
 	            # Defines a viable subnet -- first get the subnet-router anycast address
 	            #
 		    host=$((128 - $vlsm))
 		    address=$(normalize_address ${address%/*})
 		    while [ $host -ge 16 ]; do
 			address=${address%:*}
 			host=$(($host - 16))
 		    done
 		    if [ $host -gt 0 ]; then
 			#
 			# VLSM is not a multiple of 16
 			#
 			host=$((16 - $host))
 			o=$((0x${address##*:}))
 			m=0
 			while [ $host -gt 0 ]; do
 			    m=$((($m >> 1) | 0x8000))
 			    z=$(($z >> 1))
 			    host=$(($host - 1))
 			done
 			o=$(($o & $m))
 			badress=${address%:*}
 			address=$badress:$(printf %04x $o)
 			z=$(($o | $z))
 			if [ $vlsm -gt 112 ]; then
 			    z=$(($z & 0xff80))
 			fi
 			badress=$badress:$(printf %04x $z)
 		    else
 			badress=$address
 		    fi
 		    #
 		    # Note: at this point $address and $badress are the same except possibly for
 		    #       the contents of the last half-word
 		    #
 		    list_count $(split $address)
 		    l=$?
 		    #
 		    # Now generate the anycast addresses defined by RFC 2526
 		    #
 		    if [ $l -lt 8 ]; then
 			#
 			# The subnet-router address
 			#
 			echo $address::
 		    	while [ $l -lt 8 ]; do
 			    badress=$badress:ffff
 			    l=$(($l + 1 ))
 			done
 		    else
 			#
 			# The subnet-router address
 			#
 			echo $address
 		    fi
 		    #
 		    # And the RFC 2526 addresses
 		    #
 		    echo $badress/121
 		fi
 		;;
 	esac
    done
 }
 #
 # Generate a list of anycast addresses for a given interface
 #
 get_interface_acasts() # $1 = interface
 {
    local addresses
    addresses=
    find_interface_full_addresses $1 | convert_to_anycast | sort -u
 }
 #
 # Get a list of all configured anycast addresses on the system
 #
 get_all_acasts()
 {
    find_interface_full_addresses | convert_to_anycast | sort -u
 }
 #
 # Detect the gateway through an interface
 #
 detect_gateway() # $1 = interface
 {
    local interface
    interface=$1
    #
    # First assume that this is some sort of point-to-point interface
    #
    gateway=$( find_peer $($IP -6 addr list $interface ) )
    #
    # Maybe there's a default route through this gateway already
    #
    [ -n "$gateway" ] || gateway=$(find_gateway $($IP -6 route list dev $interface | grep '^default'))
    #
    # Last hope -- is there a load-balancing route through the interface?
    #
    [ -n "$gateway" ] || gateway=$(find_nexthop $interface)
    #
    # Be sure we found one
    #
    [ -n "$gateway" ] && echo $gateway
 }
 #
 # Add an additional gateway to the default route
 #
 add_gateway() # $1 = Delta $2 = Table Number
 {
    local route
    local weight
    local delta
    local dev
    run_ip route add default scope global table $2 $1
 }
 #
 # Remove a gateway from the default route
 #
 delete_gateway() # $! = Description of the Gateway $2 = table number $3 = device
 {
    local route
    local gateway
    local dev
    route=`$IP -6 -o route ls table $2 | grep ^default | sed 's/[\]//g'`
    gateway=$1
    dev=$(find_device $route)
    [ "$dev" = "$3" ] && run_ip route delete default table $2
 }
 #
 # Clear Proxy NDP
 #
 delete_proxyndp() {
    if [ -f ${VARDIR}/proxyndp ]; then
 	while read address interface external haveroute; do
 	    qt $IP -6 neigh del proxy $address dev $external
 	    [ -z "${haveroute}${g_noroutes}" ] && qt $IP -6 route del $address/128 dev $interface
 	    f=/proc/sys/net/ipv6/conf/$interface/proxy_ndp
 	    [ -f $f ] && echo 0 > $f
 	done < ${VARDIR}/proxyndp
 	rm -f ${VARDIR}/proxyndp
    fi
 }
 #
 # Remove all Shorewall-added rules
 #
 clear_firewall() {
    stop_firewall
    setpolicy INPUT ACCEPT
    setpolicy FORWARD ACCEPT
    setpolicy OUTPUT ACCEPT
    run_iptables -F
    qt $IP6TABLES -t raw -F
    echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
    run_clear_exit
    set_state "Cleared"
    logger -p kern.info "$g_product Cleared"
 }
 ?ENDIF
--- a/Shorewall/manpages/shorewall-accounting.xml
+++ b/Shorewall/manpages/shorewall-accounting.xml
@@ -57,17 +57,6 @@
    of them may be omitted). The first non-commentary record in the accounting
    file must be a section header when sectioning is used.</para>
    <warning>
      <para>If sections are not used, the Shorewall rules compiler cannot
      detect certain violations of netfilter restrictions. These violations
      can result in run-time errors such as the following:</para>
      <blockquote>
        <para><emphasis role="bold">iptables-restore v1.4.13: Can't use -o
        with INPUT</emphasis></para>
      </blockquote>
    </warning>
    <para>Beginning with Shorewall 4.4.20, the ACCOUNTING_TABLE setting was
    added to shorewall.conf and shorewall6.conf. That setting determines the
    Netfilter table (filter or mangle) where the accounting rules are added.
@@ -86,9 +75,12 @@
    <itemizedlist>
      <listitem>
-        <para>A jump to a user-defined accounting chain must appear before
+        <para>A jump to a user-defined accounting chain before entries that
-        entries that add rules to that chain. This eliminates loops and
+        add rules to that chain.</para>
-        unreferenced chains.</para>
+      </listitem>
      <listitem>
        <para>This eliminates loops and unreferenced chains.</para>
      </listitem>
      <listitem>
--- a/Shorewall/manpages/shorewall-blrules.xml
+++ b/Shorewall/manpages/shorewall-blrules.xml
@@ -60,31 +60,7 @@
          <variablelist>
            <varlistentry>
-              <term><emphasis role="bold">BLACKLIST</emphasis></term>
+              <term>blacklog</term>
              <listitem>
                <para>Added in Shorewall 4.5.3. This is actually a macro that
                expands as follows:</para>
                <itemizedlist>
                  <listitem>
                    <para>If BLACKLIST_LOGLEVEL is specified in <ulink
                    url="shorewall.conf.html">shorewall.conf</ulink>(5), then
                    the macro expands to <emphasis
                    role="bold">blacklog</emphasis>.</para>
                  </listitem>
                  <listitem>
                    <para>Otherwise it expands to the action specified for
                    BLACKLIST_DISPOSITION in <ulink
                    url="shorewall.conf.html">shorewall.conf</ulink>(5).</para>
                  </listitem>
                </itemizedlist>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><emphasis role="bold">blacklog</emphasis></term>
              <listitem>
                <para>May only be used if BLACKLIST_LOGLEVEL is specified in
--- a/Shorewall/manpages/shorewall-hosts.xml
+++ b/Shorewall/manpages/shorewall-hosts.xml
@@ -118,6 +118,32 @@
          must have no embedded white space.</para>
          <variablelist>
            <varlistentry>
              <term><emphasis role="bold">maclist</emphasis></term>
              <listitem>
                <para>Connection requests from these hosts are compared
                against the contents of <ulink
                url="shorewall-maclist.html">shorewall-maclist</ulink>(5). If
                this option is specified, the interface must be an ethernet
                NIC or equivalent and must be up before Shorewall is
                started.</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><emphasis role="bold">routeback</emphasis></term>
              <listitem>
                <para>Shorewall should set up the infrastructure to pass
                packets from this/these address(es) back to themselves. This
                is necessary if hosts in this group use the services of a
                transparent proxy that is a member of the group or if DNAT is
                used to send requests originating from this group to a server
                in the group.</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><emphasis role="bold">blacklist</emphasis></term>
@@ -128,6 +154,48 @@
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><emphasis role="bold">tcpflags</emphasis></term>
              <listitem>
                <para>Packets arriving from these hosts are checked for
                certain illegal combinations of TCP flags. Packets found to
                have such a combination of flags are handled according to the
                setting of TCP_FLAGS_DISPOSITION after having been logged
                according to the setting of TCP_FLAGS_LOG_LEVEL.</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><emphasis role="bold">nosmurfs</emphasis></term>
              <listitem>
                <para>This option only makes sense for ports on a
                bridge.</para>
                <para>Filter packets for smurfs (packets with a broadcast
                address as the source).</para>
                <para>Smurfs will be optionally logged based on the setting of
                SMURF_LOG_LEVEL in <ulink
                url="shorewall.conf.html">shorewall.conf</ulink>(5). After
                logging, the packets are dropped.</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><emphasis role="bold">ipsec</emphasis></term>
              <listitem>
                <para>The zone is accessed via a kernel 2.6 ipsec SA. Note
                that if the zone named in the ZONE column is specified as an
                IPSEC zone in the <ulink
                url="shorewall-zones.html">shorewall-zones</ulink>(5) file
                then you do NOT need to specify the 'ipsec' option
                here.</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><emphasis role="bold">broadcast</emphasis></term>
@@ -161,86 +229,6 @@
                net(s).</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><emphasis role="bold">ipsec</emphasis></term>
              <listitem>
                <para>The zone is accessed via a kernel 2.6 ipsec SA. Note
                that if the zone named in the ZONE column is specified as an
                IPSEC zone in the <ulink
                url="shorewall-zones.html">shorewall-zones</ulink>(5) file
                then you do NOT need to specify the 'ipsec' option
                here.</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><emphasis role="bold">maclist</emphasis></term>
              <listitem>
                <para>Connection requests from these hosts are compared
                against the contents of <ulink
                url="shorewall-maclist.html">shorewall-maclist</ulink>(5). If
                this option is specified, the interface must be an ethernet
                NIC or equivalent and must be up before Shorewall is
                started.</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><emphasis
              role="bold">mss</emphasis>=<replaceable>mss</replaceable></term>
              <listitem>
                <para>Added in Shorewall 4.5.2. When present, causes the TCP
                mss for new connections to/from the hosts given in the HOST(S)
                column to be clamped at the specified
                <replaceable>mss</replaceable>.</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><emphasis role="bold">nosmurfs</emphasis></term>
              <listitem>
                <para>This option only makes sense for ports on a
                bridge.</para>
                <para>Filter packets for smurfs (packets with a broadcast
                address as the source).</para>
                <para>Smurfs will be optionally logged based on the setting of
                SMURF_LOG_LEVEL in <ulink
                url="shorewall.conf.html">shorewall.conf</ulink>(5). After
                logging, the packets are dropped.</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><emphasis role="bold">routeback</emphasis></term>
              <listitem>
                <para>Shorewall should set up the infrastructure to pass
                packets from this/these address(es) back to themselves. This
                is necessary if hosts in this group use the services of a
                transparent proxy that is a member of the group or if DNAT is
                used to send requests originating from this group to a server
                in the group.</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><emphasis role="bold">tcpflags</emphasis></term>
              <listitem>
                <para>Packets arriving from these hosts are checked for
                certain illegal combinations of TCP flags. Packets found to
                have such a combination of flags are handled according to the
                setting of TCP_FLAGS_DISPOSITION after having been logged
                according to the setting of TCP_FLAGS_LOG_LEVEL.</para>
              </listitem>
            </varlistentry>
          </variablelist>
        </listitem>
      </varlistentry>
--- a/Shorewall/manpages/shorewall-interfaces.xml
+++ b/Shorewall/manpages/shorewall-interfaces.xml
@@ -27,34 +27,6 @@
    interfaces to Shorewall. The order of entries in this file is not
    significant in determining zone composition.</para>
    <para>Beginning with Shorewall 4.5.3, the interfaces file supports two
    different formats:</para>
    <variablelist>
      <varlistentry>
        <term>FORMAT 1 (default - deprecated)</term>
        <listitem>
          <para>There is a BROADCAST column which can be used to specify the
          broadcast address associated with the interface.</para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term>FORMAT 2</term>
        <listitem>
          <para>The BROADCAST column is omitted.</para>
        </listitem>
      </varlistentry>
    </variablelist>
    <para>The format is specified by a line as follows:</para>
    <blockquote>
      <para><emphasis role="bold">FORMAT {1|2}</emphasis></para>
    </blockquote>
    <para>The columns in the file are as follows.</para>
    <variablelist>
@@ -156,8 +128,6 @@ loc     eth2            -</programlisting>
        role="bold">detect</emphasis>|<emphasis>address</emphasis>[,<emphasis>address</emphasis>]...}</term>
        <listitem>
          <para>Only available if FORMAT 1.</para>
          <para>If you use the special value <emphasis
          role="bold">detect</emphasis>, Shorewall will detect the broadcast
          address(es) for you if your iptables and kernel include Address Type
@@ -202,7 +172,7 @@ loc     eth2            -</programlisting>
                changed; the value assigned to the setting will be the value
                specified (if any) or 1 if no value is given.</para>
-                <para/>
+                <para></para>
                <note>
                  <para>This option does not work with a wild-card
@@ -236,7 +206,7 @@ loc     eth2            -</programlisting>
                <para>8 - do not reply for all local addresses</para>
-                <para/>
+                <para></para>
                <note>
                  <para>This option does not work with a wild-card
@@ -244,7 +214,7 @@ loc     eth2            -</programlisting>
                  the INTERFACE column.</para>
                </note>
-                <para/>
+                <para></para>
                <warning>
                  <para>Do not specify <emphasis
@@ -385,7 +355,7 @@ loc     eth2            -</programlisting>
        1
        teastep@lists:~$ </programlisting>
-                <para/>
+                <para></para>
                <note>
                  <para>This option does not work with a wild-card
@@ -659,7 +629,7 @@ loc     eth2            -</programlisting>
                changed; the value assigned to the setting will be the value
                specified (if any) or 1 if no value is given.</para>
-                <para/>
+                <para></para>
                <note>
                  <para>This option does not work with a wild-card
@@ -735,14 +705,11 @@ loc     eth2            -</programlisting>
          connected to your local network and that your local subnet is
          192.168.1.0/24. The interface gets its IP address via DHCP from
          subnet 206.191.149.192/27. You have a DMZ with subnet 192.168.2.0/24
-          using eth2. Your iptables and/or kernel do not support "Address Type
+          using eth2.</para>
          Match" and you prefer to specify broadcast addresses explicitly
          rather than having Shorewall detect them.</para>
          <para>Your entries for this setup would look like:</para>
-          <programlisting>FORMAT 1
+          <programlisting>#ZONE   INTERFACE BROADCAST        OPTIONS
 #ZONE   INTERFACE BROADCAST        OPTIONS
 net     eth0      206.191.149.223  dhcp
 loc     eth1      192.168.1.255
 dmz     eth2      192.168.2.255</programlisting>
@@ -756,11 +723,10 @@ dmz     eth2      192.168.2.255</programlisting>
          <para>The same configuration without specifying broadcast addresses
          is:</para>
-          <programlisting>FORMAT 2
+          <programlisting>#ZONE   INTERFACE BROADCAST        OPTIONS
-#ZONE   INTERFACE OPTIONS
+net     eth0      detect           dhcp
-net     eth0      dhcp
+loc     eth1      detect
-loc     eth1      
+dmz     eth2      detect</programlisting>
 dmz     eth2</programlisting>
        </listitem>
      </varlistentry>
@@ -771,8 +737,7 @@ dmz     eth2</programlisting>
          <para>You have a simple dial-in system with no ethernet
          connections.</para>
-          <programlisting>FORMAT 2
+          <programlisting>#ZONE   INTERFACE BROADCAST        OPTIONS
 #ZONE   INTERFACE OPTIONS
 net     ppp0      -</programlisting>
        </listitem>
      </varlistentry>
@@ -784,9 +749,8 @@ net     ppp0      -</programlisting>
          <para>You have a bridge with no IP address and you want to allow
          traffic through the bridge.</para>
-          <programlisting>FORMAT 2
+          <programlisting>#ZONE   INTERFACE BROADCAST        OPTIONS
-#ZONE   INTERFACE OPTIONS
+-       br0       -                routeback</programlisting>
 -       br0       routeback</programlisting>
        </listitem>
      </varlistentry>
    </variablelist>
@@ -808,9 +772,10 @@ net     ppp0      -</programlisting>
    shorewall-blacklist(5), shorewall-hosts(5), shorewall-maclist(5),
    shorewall-masq(5), shorewall-nat(5), shorewall-netmap(5),
    shorewall-params(5), shorewall-policy(5), shorewall-providers(5),
-    shorewall-proxyarp(5), shorewall-rtrules(5), shorewall-routestopped(5),
+    shorewall-proxyarp(5), shorewall-rtrules(5),
-    shorewall-rules(5), shorewall.conf(5), shorewall-secmarks(5),
+    shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5),
-    shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall-tcrules(5),
+    shorewall-secmarks(5), shorewall-tcclasses(5), shorewall-tcdevices(5),
-    shorewall-tos(5), shorewall-tunnels(5), shorewall-zones(5)</para>
+    shorewall-tcrules(5), shorewall-tos(5), shorewall-tunnels(5),
    shorewall-zones(5)</para>
  </refsect1>
 </refentry>
--- a/Shorewall/manpages/shorewall-masq.xml
+++ b/Shorewall/manpages/shorewall-masq.xml
@@ -35,8 +35,8 @@
      <para>If you have more than one ISP link, adding entries to this file
      will <emphasis role="bold">not</emphasis> force connections to go out
      through a particular link. You must use entries in <ulink
-      url="shorewall-rtrules.html">shorewall-rtrules</ulink>(5) or PREROUTING
+      url="shorewall-rtrules.html">shorewall-rtrules</ulink>(5) or
-      entries in <ulink
+      PREROUTING entries in <ulink
      url="shorewall-tcrules.html">shorewall-tcrules</ulink>(5) to do
      that.</para>
    </warning>
@@ -88,8 +88,7 @@
          addresses to indicate that you only want to change the source IP
          address for packets being sent to those particular destinations.
          Exclusion is allowed (see <ulink
-          url="shorewall-exclusion.html">shorewall-exclusion</ulink>(5)) as
+          url="shorewall-exclusion.html">shorewall-exclusion</ulink>(5)).</para>
          are ipset names preceded by a plus sign '+';</para>
          <para>If you wish to inhibit the action of ADD_SNAT_ALIASES for this
          entry then include the ":" but omit the digit:</para>
@@ -150,10 +149,6 @@
          <para>In that example traffic from eth1 would be masqueraded unless
          it came from 192.168.1.4 or 196.168.32.0/27</para>
          <para>The preferred way to specify the SOURCE is to supply one or
          more host or network addresses separated by comma. You may use ipset
          names preceded by a plus sign (+) to specify a set of hosts.</para>
        </listitem>
      </varlistentry>
@@ -472,43 +467,6 @@
          </variablelist>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><emphasis role="bold">SWITCH -
        [!]<replaceable>switch-name</replaceable></emphasis></term>
        <listitem>
          <para>Added in Shorewall 4.5.1 and allows enabling and disabling the
          rule without requiring <command>shorewall restart</command>.</para>
          <para>The rule is enabled if the value stored in
          <filename>/proc/net/nf_condition/<replaceable>switch-name</replaceable></filename>
          is 1. The rule is disabled if that file contains 0 (the default). If
          '!' is supplied, the test is inverted such that the rule is enabled
          if the file contains 0. <replaceable>switch-name</replaceable> must
          begin with a letter and be composed of letters, decimal digits,
          underscores or hyphens. Switch names must be 30 characters or less
          in length.</para>
          <para>Switches are normally <emphasis role="bold">off</emphasis>. To
          turn a switch <emphasis role="bold">on</emphasis>:</para>
          <simplelist>
            <member><command>echo 1 &gt;
            /proc/net/nf_condition/<replaceable>switch-name</replaceable></command></member>
          </simplelist>
          <para>To turn it <emphasis role="bold">off</emphasis> again:</para>
          <simplelist>
            <member><command>echo 0 &gt;
            /proc/net/nf_condition/<replaceable>switch-name</replaceable></command></member>
          </simplelist>
          <para>Switch settings are retained over <command>shorewall
          restart</command>.</para>
        </listitem>
      </varlistentry>
    </variablelist>
  </refsect1>
@@ -590,19 +548,6 @@
          </warning>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term>Example 6:</term>
        <listitem>
          <para>Connections leaving on eth0 and destined to any host defined
          in the ipset <emphasis>myset</emphasis> should have the source IP
          address changed to 206.124.146.177.</para>
          <programlisting>        #INTERFACE              SOURCE          ADDRESS
        eth0:+myset[dst]        -               206.124.146.177</programlisting>
        </listitem>
      </varlistentry>
    </variablelist>
  </refsect1>
--- a/Shorewall/manpages/shorewall-params.xml
+++ b/Shorewall/manpages/shorewall-params.xml
@@ -23,11 +23,7 @@
  <refsect1>
    <title>Description</title>
-    <para>Assign any shell variables that you need in this file. The file is
+    <para>Assign any shell variables that you need in this file.</para>
    always processed by <filename>/bin/sh</filename> or by the shell specified
    through SHOREWALL_SHELL in <ulink
    url="shorewall.conf.html">shorewall.conf</ulink> (5) so the full range of
    shell capabilities may be used.</para>
    <para>It is suggested that variable names begin with an upper case letter
    to distinguish them from variables used internally within the Shorewall
@@ -132,13 +128,12 @@ net     eth0            130.252.100.255 routefilter,norfc1918</programlisting>
    url="http://www.shorewall.net/configuration_file_basics.htm#Variables?">http://www.shorewall.net/configuration_file_basics.htm#Variables</ulink></para>
    <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
-    shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5),
+    shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5), shorewall-ipsets(5),
-    shorewall-ipsets(5), shorewall-maclist(5), shorewall-masq(5),
+    shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5),
-    shorewall-nat(5), shorewall-netmap(5), shorewall-policy(5),
+    shorewall-netmap(5), shorewall-policy(5), shorewall-providers(5),
-    shorewall-providers(5), shorewall-proxyarp(5), shorewall-rtrules(5),
+    shorewall-proxyarp(5), shorewall-rtrules(5),
-    shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5),
+    shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5), shorewall-secmarks(5),
-    shorewall-secmarks(5), shorewall-tcclasses(5), shorewall-tcdevices(5),
+    shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall-tcrules(5),
-    shorewall-tcrules(5), shorewall-tos(5), shorewall-tunnels(5),
+    shorewall-tos(5), shorewall-tunnels(5), shorewall-zones(5)</para>
    shorewall-zones(5)</para>
  </refsect1>
 </refentry>
--- a/Shorewall/manpages/shorewall-providers.xml
+++ b/Shorewall/manpages/shorewall-providers.xml
@@ -87,7 +87,8 @@
          being zero). Otherwise, the value must be between 1 and 255. Each
          provider must be assigned a unique mark value. This column may be
          omitted if you don't use packet marking to direct connections to a
-          particular provider.</para>
+          particular provider and you don't specify <option>track</option> in
          the OPTIONS column.</para>
        </listitem>
      </varlistentry>
@@ -270,19 +271,6 @@
                <filename>shorewall.conf</filename>.</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><emphasis role="bold">tproxy</emphasis></term>
              <listitem>
                <para>Added in Shorewall 4.5.4. Used for supporting the TPROXY
                action in shorewall-tcrules(5). See <ulink
                url="http://www.shorewall.net/Shorewall_Squid_Usage.html">http://www.shorewall.net/Shorewall_Squid_Usage.html</ulink>.
                When specified, the MARK, DUPLICATE and GATEWAY columns should
                be empty, INTERFACE should be set to 'lo' and
                <option>tproxy</option> should be the only OPTION.</para>
              </listitem>
            </varlistentry>
          </variablelist>
        </listitem>
      </varlistentry>
--- a/Shorewall/manpages/shorewall-rules.xml
+++ b/Shorewall/manpages/shorewall-rules.xml
@@ -563,7 +563,7 @@
        role="bold">-</emphasis>]}<emphasis
        role="bold">[:</emphasis><emphasis>interface</emphasis>][<emphasis
        role="bold">:</emphasis>{<emphasis>address-or-range</emphasis>[,<emphasis>address-or-range</emphasis>]...[<emphasis>exclusion</emphasis>]|<emphasis>exclusion</emphasis>|<emphasis
-        role="bold">+</emphasis><emphasis>ipset</emphasis>|<replaceable>^countrycode-list</replaceable>}</term>
+        role="bold">+</emphasis><emphasis>ipset</emphasis>}</term>
        <listitem>
          <para>Source hosts to which the rule applies. May be a
@@ -639,18 +639,6 @@
          url="shorewall-interfaces.html">shorewall-interfaces</ulink>
          (5).</para>
          <para>Beginning with Shorewall 4.5.4, A
          <replaceable>countrycode-list</replaceable> may be specified. A
          countrycode-list is a comma-separated list of up to 15 two-character
          ISO-3661 country codes enclosed in square brackets ('[...]') and
          preceded by a caret ('^'). When a single country code is given, the
          square brackets may be omitted. A list of country codes supported by
          Shorewall may be found at <ulink
          url="http://www.shorewall.net/ISO-3661.html">http://www.shorewall.net/ISO-3661.html</ulink>.
          Specifying a <replaceable>countrycode-list</replaceable> requires
          <firstterm>GeoIP Match</firstterm> support in your iptables and
          Kernel.</para>
          <para>You may exclude certain hosts from the set already defined
          through use of an <emphasis>exclusion</emphasis> (see <ulink
          url="shorewall-exclusion.html">shorewall-exclusion</ulink>(5)).</para>
@@ -738,7 +726,7 @@
        role="bold">+</emphasis>][<emphasis
        role="bold">-</emphasis>]}<emphasis
        role="bold">[:{</emphasis><emphasis>interface</emphasis>|<emphasis>address-or-range</emphasis>[,<emphasis>address-or-range</emphasis>]...[<emphasis>exclusion</emphasis>]|<emphasis>exclusion</emphasis>|<emphasis
-        role="bold">+</emphasis><emphasis>ipset</emphasis>|<emphasis>^countrycode-list</emphasis>}][<option>:</option><replaceable>port</replaceable>[:<emphasis
+        role="bold">+</emphasis><emphasis>ipset</emphasis>}][<option>:</option><replaceable>port</replaceable>[:<emphasis
        role="bold">random</emphasis>]]</term>
        <listitem>
@@ -756,18 +744,6 @@
          "+" to indicate that the rule is to apply to intra-zone traffic as
          well as inter-zone traffic.</para>
          <para>Beginning with Shorewall 4.5.4, A
          <replaceable>countrycode-list</replaceable> may be specified. A
          countrycode-list is a comma-separated list of up to 15 two-character
          ISO-3661 country codes enclosed in square brackets ('[...]') and
          preceded by a caret ('^'). When a single country code is given, the
          square brackets may be omitted. A list of country codes supported by
          Shorewall may be found at <ulink
          url="http://www.shorewall.net/ISO-3661.html">http://www.shorewall.net/ISO-3661.html</ulink>.
          Specifying a <replaceable>countrycode-list</replaceable> requires
          <firstterm>GeoIP Match</firstterm> support in your iptables and
          Kernel.</para>
          <para>When <emphasis role="bold">none</emphasis> is used either in
          the <emphasis role="bold">SOURCE</emphasis> or <emphasis
          role="bold">DEST</emphasis> column, the rule is ignored.</para>
@@ -806,7 +782,7 @@
            </orderedlist></para>
          <blockquote>
-            <para/>
+            <para></para>
            <para>Except when <emphasis role="bold">all</emphasis>[<emphasis
            role="bold">+]|[-</emphasis>] is specified, the server may be
@@ -1254,18 +1230,8 @@
              <term>localtz</term>
              <listitem>
-                <para>Deprecated by the Netfilter team in favor of <emphasis
+                <para>Times are expressed in Local Civil Time
-                role="bold">kerneltz</emphasis>. Times are expressed in Local
+                (default).</para>
                Civil Time (default).</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term>kerneltz</term>
              <listitem>
                <para>Added in Shorewall 4.5.2. Times are expressed in Local
                Kernel Time (requires iptables 1.4.12 or later).</para>
              </listitem>
            </varlistentry>
@@ -1559,19 +1525,6 @@
        DNAT        net             dmz:$BACKUP tcp         80           -         -          -         -         -       -             -        -          primary_down</programlisting>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term>Example 13:</term>
        <listitem>
          <para>Drop all email from the <emphasis>Anonymous Proxy</emphasis>
          and <emphasis>Satellite Provider</emphasis> address ranges:</para>
          <programlisting>        #ACTION                       SOURCE           DEST           PROTO       DEST
        #                                                                         PORT(S)
        DROP                          net:^A1,A2       fw             tcp         22</programlisting>
        </listitem>
      </varlistentry>
    </variablelist>
  </refsect1>
@@ -1595,9 +1548,9 @@
    shorewall_interfaces(5), shorewall-ipsets(5), shorewall-maclist(5),
    shorewall-masq(5), shorewall-nat(5), shorewall-netmap(5),
    shorewall-params(5), shorewall-policy(5), shorewall-providers(5),
-    shorewall-proxyarp(5), shorewall-rtrules(5), shorewall-routestopped(5),
+    shorewall-proxyarp(5), shorewall-rtrules(5),
-    shorewall.conf(5), shorewall-secmarks(5), shorewall-tcclasses(5),
+    shorewall-routestopped(5), shorewall.conf(5), shorewall-secmarks(5),
-    shorewall-tcdevices(5), shorewall-tcrules(5), shorewall-tos(5),
+    shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall-tcrules(5),
-    shorewall-tunnels(5), shorewall-zones(5)</para>
+    shorewall-tos(5), shorewall-tunnels(5), shorewall-zones(5)</para>
  </refsect1>
 </refentry>
--- a/Shorewall/manpages/shorewall-tcrules.xml
+++ b/Shorewall/manpages/shorewall-tcrules.xml
@@ -38,41 +38,13 @@
      url="http://shorewall.net/MultiISP.html">http://shorewall.net/MultiISP.html</ulink>.</para>
    </important>
    <para>Beginning with Shorewall 4.5.4, the tcrules file supports two
    different formats:</para>
    <variablelist>
      <varlistentry>
        <term>FORMAT 1 (default - deprecated)</term>
        <listitem>
          <para>The older limited-function version of TPROXY is
          supported.</para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term>FORMAT 2</term>
        <listitem>
          <para>The newer version of TPROXY is supported.</para>
        </listitem>
      </varlistentry>
    </variablelist>
    <para>The format is specified by a line as follows:</para>
    <blockquote>
      <para><emphasis role="bold">FORMAT {1|2}</emphasis></para>
    </blockquote>
    <para>The columns in the file are as follows (where the column name is
    followed by a different name in parentheses, the different name is used in
    the alternate specification syntax).</para>
    <variablelist>
      <varlistentry>
-        <term><emphasis role="bold">ACTION</emphasis> (mark) -
+        <term><emphasis role="bold">MARK/CLASSIFY</emphasis> (mark) -
        <replaceable>mark</replaceable></term>
        <listitem>
@@ -299,8 +271,8 @@
              target allows you to work around that problem. SAME may be used
              in the PREROUTING and OUTPUT chains. When used in PREROUTING, it
              causes matching connections from an individual local system to
-              all use the same provider. For example: <programlisting>#ACTION           SOURCE         DEST         PROTO      DEST
+              all use the same provider. For example: <programlisting>#MARK/            SOURCE         DEST         PROTO      DEST
-#                                                        PORT(S)
+#CLASSIFY                                                PORT(S)
 SAME:P            192.168.1.0/24 0.0.0.0/0    tcp        80,443</programlisting>
              If a host in 192.168.1.0/24 attempts a connection on TCP port 80
              or 443 and it has sent a packet on either of those ports in the
@@ -310,8 +282,8 @@ SAME:P            192.168.1.0/24 0.0.0.0/0    tcp        80,443</programlisting>
              <para>When used in the OUTPUT chain, it causes all matching
              connections to an individual remote system to all use the same
-              provider. For example:<programlisting>#ACTION           SOURCE         DEST         PROTO      DEST
+              provider. For example:<programlisting>#MARK/            SOURCE         DEST         PROTO      DEST
-#                                                        PORT(S)
+#CLASSIFY                                                PORT(S)
 SAME              $FW            0.0.0.0/0    tcp        80,443</programlisting>
              If the firewall attempts a connection on TCP port 80 or 443 and
              it has sent a packet on either of those ports in the last five
@@ -435,23 +407,9 @@ SAME              $FW            0.0.0.0/0    tcp        80,443</programlisting>
              classes will have a value &gt; 256.</para>
            </listitem>
            <listitem>
              <para><emphasis role="bold">DIVERT</emphasis></para>
              <para>Added in Shorewall 4.5.4 and only available when FORMAT is
              2. Two DIVERT rule should preceed the TPROXY rule and should
              select DEST PORT tcp 80 and SOURCE PORT tcp 80 respectively
              (assuming that tcp port 80 is being proxied). DIVERT avoids
              sending packets to the TPROXY target once a socket connection to
              Squid3 has been established by TPROXY. DIVERT marks the packet
              with a unique mark and exempts it from any rules that
              follow.</para>
            </listitem>
            <listitem>
              <para><emphasis
-              role="bold">TPROXY</emphasis>(<replaceable>mark</replaceable>[,[<replaceable>port</replaceable>][,[<replaceable>address</replaceable>]]])
+              role="bold">TPROXY</emphasis>(<replaceable>mark</replaceable>[/<replaceable>mask</replaceable>][,[<replaceable>port</replaceable>][,[<replaceable>address</replaceable>]]])</para>
              -- FORMAT 1</para>
              <para>Transparently redirects a packet without altering the IP
              header. Requires a local provider to be defined in <ulink
@@ -482,34 +440,6 @@ SAME              $FW            0.0.0.0/0    tcp        80,443</programlisting>
              </itemizedlist>
            </listitem>
            <listitem>
              <para><emphasis
              role="bold">TPROXY</emphasis>([<replaceable>port</replaceable>][,<replaceable>address</replaceable>])
              -- FORMAT 2</para>
              <para>Transparently redirects a packet without altering the IP
              header. Requires a tproxy provider to be defined in <ulink
              url="shorewall-providers.html">shorewall-providers</ulink>(5).</para>
              <para>There are three parameters to TPROXY - neither is
              required:</para>
              <itemizedlist>
                <listitem>
                  <para><replaceable>port</replaceable> - the port on which
                  the proxy server is listening. If omitted, the original
                  destination port.</para>
                </listitem>
                <listitem>
                  <para><replaceable>address</replaceable> - a local (to the
                  firewall) IP address on which the proxy server is listening.
                  If omitted, the IP address of the interface on which the
                  request arrives.</para>
                </listitem>
              </itemizedlist>
            </listitem>
            <listitem>
              <para><emphasis role="bold">TTL</emphasis>([<emphasis
              role="bold">-</emphasis>|<emphasis
@@ -538,112 +468,6 @@ SAME              $FW            0.0.0.0/0    tcp        80,443</programlisting>
              <replaceable>number</replaceable>. Requires IMQ Target support
              in your kernel and iptables.</para>
            </listitem>
            <listitem>
              <para><emphasis
              role="bold">DSCP</emphasis>(<replaceable>dscp</replaceable>)</para>
              <para>Added in Shorewall 4.5.1. Sets the
              <firstterm>Differentiated Services Code Point</firstterm> field
              in the IP header. The <replaceable>dscp</replaceable> value may
              be given as an even number (hex or decimal) or as the name of a
              DSCP class. Valid class names and their associated hex numeric
              values are:</para>
              <programlisting>    CS0  =&gt; 0x00
    CS1  =&gt; 0x08
    CS2  =&gt; 0x10
    CS3  =&gt; 0x18
    CS4  =&gt; 0x20
    CS5  =&gt; 0x28
    CS6  =&gt; 0x30
    CS7  =&gt; 0x38
    BE   =&gt; 0x00
    AF11 =&gt; 0x0a
    AF12 =&gt; 0x0c
    AF13 =&gt; 0x0e
    AF21 =&gt; 0x12
    AF22 =&gt; 0x14
    AF23 =&gt; 0x16
    AF31 =&gt; 0x1a
    AF32 =&gt; 0x1c
    AF33 =&gt; 0x1e
    AF41 =&gt; 0x22
    AF42 =&gt; 0x24
    AF43 =&gt; 0x26
    EF   =&gt; 0x2e</programlisting>
              <para>May be optionally followed by ':' and a capital letter
              designating the chain where classification is to occur.</para>
              <variablelist>
                <varlistentry>
                  <term>F</term>
                  <listitem>
                    <para>FORWARD chain.</para>
                  </listitem>
                </varlistentry>
                <varlistentry>
                  <term>T</term>
                  <listitem>
                    <para>POSTROUTING chain (default).</para>
                  </listitem>
                </varlistentry>
              </variablelist>
            </listitem>
            <listitem>
              <para><emphasis
              role="bold">TOS</emphasis>(<replaceable>tos</replaceable>[/<replaceable>mask</replaceable>])</para>
              <para>Added in Shorewall 4.5.1. Sets the <firstterm>Type of
              Service</firstterm> field in the IP header. The
              <replaceable>tos</replaceable> value may be given as an number
              (hex or decimal) or as the name of a TOS type. Valid type names
              and their associated hex numeric values are:</para>
              <programlisting>Minimize-Delay       =&gt; 0x10,
 Maximize-Throughput  =&gt; 0x08,
 Maximize-Reliability =&gt; 0x04,
 Minimize-Cost        =&gt; 0x02,
 Normal-Service       =&gt; 0x00</programlisting>
              <para>When <replaceable>tos</replaceable> is given as a number,
              it may be optionally followed by '/' and a
              <replaceable>mask</replaceable>. When no
              <replaceable>mask</replaceable> is given, the value 0xff is
              assumed. When <replaceable>tos</replaceable> is given as a type
              name, the <replaceable>mask</replaceable> 0x3f is
              assumed.</para>
              <para>The action performed is to zero out the bits specified by
              the <replaceable>mask</replaceable>, then set the bits specified
              by <replaceable>tos</replaceable>.</para>
              <para>May be optionally followed by ':' and a capital letter
              designating the chain where classification is to occur.</para>
              <variablelist>
                <varlistentry>
                  <term>F</term>
                  <listitem>
                    <para>FORWARD chain.</para>
                  </listitem>
                </varlistentry>
                <varlistentry>
                  <term>T</term>
                  <listitem>
                    <para>POSTROUTING chain.</para>
                  </listitem>
                </varlistentry>
              </variablelist>
            </listitem>
          </orderedlist>
        </listitem>
      </varlistentry>
@@ -670,7 +494,7 @@ Normal-Service       =&gt; 0x00</programlisting>
              MAC addresses. <emphasis role="bold">This form will not match
              traffic that originates on the firewall itself unless either
              &lt;major&gt;&lt;minor&gt; or the :T chain qualifier is used in
-              the ACTION column.</emphasis></para>
+              the MARK column.</emphasis></para>
              <para>Examples:<simplelist>
                  <member>0.0.0.0/0</member>
@@ -692,7 +516,7 @@ Normal-Service       =&gt; 0x00</programlisting>
              <para>$FW optionally followed by a colon (":") and a
              comma-separated list of host or network IP addresses. Matches
              packets originating on the firewall. May not be used with a
-              chain qualifier (:P, :F, etc.) in the ACTION column.</para>
+              chain qualifier (:P, :F, etc.) in the MARK column.</para>
            </listitem>
          </orderedlist>
@@ -1008,15 +832,15 @@ Normal-Service       =&gt; 0x00</programlisting>
          original connection was made on.</para>
          <para>Example: Mark all FTP data connections with mark
-          4:<programlisting>#ACTION   SOURCE    DEST      PROTO   PORT(S)    SOURCE  USER TEST LENGTH TOS CONNBYTES HELPER
+          4:<programlisting>#MARK/    SOURCE    DEST      PROTO   PORT(S)    SOURCE  USER TEST LENGTH TOS CONNBYTES HELPER
-#                                                PORT(S)
+#CLASSIFY                                        PORT(S)
 4:T       0.0.0.0/0 0.0.0.0/0 TCP     -          -       -    -    -      -   -         ftp</programlisting></para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><emphasis role="bold">PROBABILITY</emphasis> -
-        [<replaceable>probability</replaceable>]</term>
+        [probability]</term>
        <listitem>
          <para>Added in Shorewall 4.5.0. When non-empty, requires the
@@ -1028,44 +852,6 @@ Normal-Service       =&gt; 0x00</programlisting>
          at up to 8 decimal points of precision.</para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><emphasis role="bold">DSCP -</emphasis>
        [[!]<replaceable>dscp</replaceable>]</term>
        <listitem>
          <para>Added in Shorewall 4.5.1. When non-empty, match packets whose
          <firstterm>Differentiated Service Code Point</firstterm> field
          matches the supplied value (when '!' is given, the rule matches
          packets whose DSCP field does not match the supplied value). The
          <replaceable>dscp</replaceable> value may be given as an even number
          (hex or decimal) or as the name of a DSCP class. Valid class names
          and their associated hex numeric values are:</para>
          <programlisting>    CS0  =&gt; 0x00
    CS1  =&gt; 0x08
    CS2  =&gt; 0x10
    CS3  =&gt; 0x18
    CS4  =&gt; 0x20
    CS5  =&gt; 0x28
    CS6  =&gt; 0x30
    CS7  =&gt; 0x38
    BE   =&gt; 0x00
    AF11 =&gt; 0x0a
    AF12 =&gt; 0x0c
    AF13 =&gt; 0x0e
    AF21 =&gt; 0x12
    AF22 =&gt; 0x14
    AF23 =&gt; 0x16
    AF31 =&gt; 0x1a
    AF32 =&gt; 0x1c
    AF33 =&gt; 0x1e
    AF41 =&gt; 0x22
    AF42 =&gt; 0x24
    AF43 =&gt; 0x26
    EF   =&gt; 0x2e</programlisting>
        </listitem>
      </varlistentry>
    </variablelist>
  </refsect1>
@@ -1087,8 +873,8 @@ Normal-Service       =&gt; 0x00</programlisting>
          <para>We assume packet/connection mark 0 means unclassified.</para>
-          <programlisting>       #ACTION    SOURCE    DEST         PROTO   PORT(S)       SOURCE  USER    TEST
+          <programlisting>       #MARK/     SOURCE    DEST         PROTO   PORT(S)       SOURCE  USER    TEST
-       #                                                       PORT(S)
+       #CLASSIFY                                               PORT(S)
       1:T        0.0.0.0/0 0.0.0.0/0    icmp    echo-request
       1:T        0.0.0.0/0 0.0.0.0/0    icmp    echo-reply
       RESTORE:T  0.0.0.0/0 0.0.0.0/0    all     -             -       -       0
--- a/Shorewall/manpages/shorewall-tos.xml
+++ b/Shorewall/manpages/shorewall-tos.xml
@@ -23,9 +23,7 @@
  <refsect1>
    <title>Description</title>
-    <para>This file defines rules for setting Type Of Service (TOS). Its use
+    <para>This file defines rules for setting Type Of Service (TOS)</para>
    is deprecated, beginning in Shorewall 4.5.1, in favor of the TOS target in
    <ulink url="shorewall-tcrules.html">shorewall-tcrules</ulink> (5).</para>
    <para>The columns in the file are as follows (where the column name is
    followed by a different name in parentheses, the different name is used in
--- a/Shorewall/manpages/shorewall-tunnels.xml
+++ b/Shorewall/manpages/shorewall-tunnels.xml
@@ -125,9 +125,8 @@
      </varlistentry>
      <varlistentry>
-        <term><emphasis role="bold">GATEWAY</emphasis>(S) (gateway or
+        <term><emphasis role="bold">GATEWAY</emphasis> -
-        gateways) - <emphasis>address-or-range</emphasis> <emphasis
+        <emphasis>address-or-range</emphasis></term>
        role="bold">[ , ... ]</emphasis></term>
        <listitem>
          <para>The IP address of the remote tunnel gateway. If the remote
@@ -135,17 +134,12 @@
          as <emphasis role="bold">0.0.0.0/0</emphasis>. May be specified as a
          network address and if your kernel and iptables include iprange
          match support then IP address ranges are also allowed.</para>
          <para>Beginning with Shorewall 4.5.3, a list of addresses or ranges
          may be given. Exclusion (<ulink
          url="shorewall-exclusion.html">shorewall-exclusion</ulink> (5) ) is
          not supported.</para>
        </listitem>
      </varlistentry>
      <varlistentry>
-        <term><emphasis role="bold">GATEWAY ZONES</emphasis> (gateway_zone or
+        <term><emphasis role="bold">GATEWAY ZONES</emphasis> (gateway_zone) -
-        gateway_zones) - [<emphasis>zone</emphasis>[<emphasis
+        [<emphasis>zone</emphasis>[<emphasis
        role="bold">,</emphasis><emphasis>zone</emphasis>]...]</term>
        <listitem>
@@ -154,7 +148,7 @@
          comma-separated list of the names of the zones that the host might
          be in. This column only applies to IPSEC tunnels where it enables
          ISAKMP traffic to flow through the tunnel to the remote
-          gateway(s).</para>
+          gateway.</para>
        </listitem>
      </varlistentry>
    </variablelist>
--- a/Shorewall/manpages/shorewall.conf.xml
+++ b/Shorewall/manpages/shorewall.conf.xml
@@ -96,7 +96,7 @@
        role="bold">none</emphasis>}</term>
        <listitem>
-          <para/>
+          <para></para>
        </listitem>
      </varlistentry>
@@ -106,7 +106,7 @@
        role="bold">none</emphasis>}</term>
        <listitem>
-          <para/>
+          <para></para>
        </listitem>
      </varlistentry>
@@ -116,7 +116,7 @@
        role="bold">none</emphasis>}</term>
        <listitem>
-          <para/>
+          <para></para>
        </listitem>
      </varlistentry>
@@ -126,7 +126,7 @@
        role="bold">none</emphasis>}</term>
        <listitem>
-          <para/>
+          <para></para>
        </listitem>
      </varlistentry>
@@ -482,7 +482,7 @@
          </itemizedlist>
          <blockquote>
-            <para/>
+            <para></para>
            <para>If CONFIG_PATH is not given or if it is set to the empty
            value then the contents of /usr/share/shorewall/configpath are
@@ -669,21 +669,6 @@ net     all  DROP   info</programlisting>then the chain name is 'net2all'
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><emphasis
        role="bold">GEOIPDIR</emphasis>=[<emphasis>pathname</emphasis>]</term>
        <listitem>
          <para>Added in Shorewall 4.5.4. Specifies the pathname of the
          directory containing the <firstterm>GeoIP Match</firstterm>
          database. See <ulink
          url="http://www.shorewall.net/ISOCODES.html">http://www.shorewall.net/ISOCODES.html</ulink>.
          If not specified, the default value is
          <filename>/usr/share/xt_geoip/LE</filename> which is the default
          location of the little-endian database.</para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><emphasis role="bold">HIGH_ROUTE_MARKS=</emphasis>{<emphasis
        role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>}</term>
@@ -829,7 +814,7 @@ net     all  DROP   info</programlisting>then the chain name is 'net2all'
            </varlistentry>
          </variablelist>
-          <para/>
+          <para></para>
          <blockquote>
            <para>If this variable is not set or is given an empty value
@@ -863,29 +848,6 @@ net     all  DROP   info</programlisting>then the chain name is 'net2all'
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><emphasis role="bold">IPSET_WARNINGS=</emphasis>{<emphasis
        role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>}</term>
        <listitem>
          <para>Added in Shorewall 4.5.2. Default is Yes. When set, causes the
          rules compiler to issue a warning when:</para>
          <itemizedlist>
            <listitem>
              <para>The compiler is being run by root and an ipset specified
              in the configuration does not exists. Only one warning is issued
              for each missing ipset.</para>
            </listitem>
            <listitem>
              <para>When [src] is specified in a destination column and when
              [dst] is specified in a source column.</para>
            </listitem>
          </itemizedlist>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><emphasis
        role="bold">IPTABLES=</emphasis>[<emphasis>pathname</emphasis>]</term>
@@ -953,19 +915,6 @@ net     all  DROP   info</programlisting>then the chain name is 'net2all'
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><emphasis
        role="bold">LOCKFILE</emphasis>=[<emphasis>pathname</emphasis>]</term>
        <listitem>
          <para>Specifies the name of the Shorewall lock file, used to prevent
          simultaneous state-changing commands. If not specified,
          ${VARDIR}/shorewall/lock is assumed (${VARDIR} is normally /var/lib
          but can be changed when Shorewall-core is installed -- see the
          output of <command>shorewall show vardir</command>).</para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><emphasis role="bold">LOG_MARTIANS=</emphasis>[<emphasis
        role="bold">Yes</emphasis>|<emphasis
@@ -1039,7 +988,7 @@ net     all  DROP   info</programlisting>then the chain name is 'net2all'
            </listitem>
          </itemizedlist>
-          <para/>
+          <para></para>
          <blockquote>
            <para>For example, using the default LOGFORMAT, the log prefix for
@@ -1056,7 +1005,7 @@ net     all  DROP   info</programlisting>then the chain name is 'net2all'
              control your firewall after you enable this option.</para>
            </important>
-            <para/>
+            <para></para>
            <caution>
              <para>Do not use this option if the resulting log messages will
@@ -1553,23 +1502,6 @@ net     all  DROP   info</programlisting>then the chain name is 'net2all'
                  chain are appended to it.</para>
                </listitem>
              </itemizedlist>
              <para>An additional optimization was added in Shorewall 4.5.4.
              If the last rule in a chain is an unqualified jump to a simple
              target, then all immediately preceding rules with the same
              simple target are omitted.</para>
              <para>For example, consider this chain:</para>
              <programlisting>	-A fw-net -p udp --dport 67:68 -j ACCEPT
 	-A fw-net -p udp --sport 1194 -j ACCEPT
 	-A fw-net -p 41 -j ACCEPT
 	-A fw-net -j ACCEPT
 </programlisting>
              <para>Since all of the rules are jumps to the simple target
              ACCEPT, this chain is totally optimized away and jumps to the
              chain are replace with jumps to ACCEPT.</para>
            </listitem>
            <listitem>
@@ -1709,7 +1641,7 @@ net     all  DROP   info</programlisting>then the chain name is 'net2all'
        role="bold">"</emphasis></term>
        <listitem>
-          <para/>
+          <para></para>
        </listitem>
      </varlistentry>
@@ -2160,14 +2092,14 @@ net     all  DROP   info</programlisting>then the chain name is 'net2all'
          tcrules. This was done so that tcrules could reset the packet mark
          to zero, thus allowing the packet to be routed using the 'main'
          routing table. Using the main table allowed dynamic routes (such as
-          those added for VPNs) to be effective. The rtrules file was created
+          those added for VPNs) to be effective. The rtrules file was
-          to provide a better alternative to clearing the packet mark. As a
+          created to provide a better alternative to clearing the packet mark.
-          consequence, passing these packets to PREROUTING complicates things
+          As a consequence, passing these packets to PREROUTING complicates
-          without providing any real benefit. Beginning with Shorewall 4.4.6,
+          things without providing any real benefit. Beginning with Shorewall
-          when TRACK_PROVIDERS=Yes and TC_EXPERT=No, packets arriving through
+          4.4.6, when TRACK_PROVIDERS=Yes and TC_EXPERT=No, packets arriving
-          'tracked' interfaces will not be passed to the PREROUTING rules.
+          through 'tracked' interfaces will not be passed to the PREROUTING
-          Since TRACK_PROVIDERS was just introduced in 4.4.3, this change
+          rules. Since TRACK_PROVIDERS was just introduced in 4.4.3, this
-          should be transparent to most, if not all, users.</para>
+          change should be transparent to most, if not all, users.</para>
        </listitem>
      </varlistentry>
--- a/Shorewall/manpages/shorewall.xml
+++ b/Shorewall/manpages/shorewall.xml
@@ -283,8 +283,6 @@
      <arg><option>-r</option> <replaceable>root-user-name</replaceable></arg>
      <arg><option>-T</option></arg>
      <arg><replaceable>directory</replaceable></arg>
      <arg choice="plain"><replaceable>system</replaceable></arg>
@@ -351,9 +349,7 @@
      <arg>-<replaceable>options</replaceable></arg>
-      <arg
+      <arg choice="plain"><option>refresh</option><arg
      choice="plain"><option>refresh</option><arg><option>-n</option></arg><arg><option>-d</option></arg><arg><option>-T</option></arg><arg>-<option>D</option>
      <replaceable>directory</replaceable> </arg><arg
      rep="repeat"><replaceable>chain</replaceable></arg></arg>
    </cmdsynopsis>
@@ -385,8 +381,6 @@
      <arg><option>-r</option> <replaceable>root-user-name</replaceable></arg>
      <arg><option>-T</option></arg>
      <arg><replaceable>directory</replaceable></arg>
      <arg choice="plain"><replaceable>system</replaceable></arg>
@@ -421,8 +415,6 @@
      <arg><option>-c</option></arg>
      <arg><option>-T</option></arg>
      <arg><replaceable>directory</replaceable></arg>
    </cmdsynopsis>
@@ -607,8 +599,6 @@
      <arg><option>-c</option></arg>
      <arg><option>-T</option></arg>
      <arg><replaceable>directory</replaceable></arg>
    </cmdsynopsis>
@@ -1048,10 +1038,6 @@
          <para>If <option>-r</option> is included, it specifies that the root
          user on <replaceable>system</replaceable> is named
          <replaceable>root-user-name</replaceable> rather than "root".</para>
          <para>The <option>-T</option> option was added in Shorewall 4.5.3
          and causes a Perl stack trace to be included with each
          compiler-generated error and warning message.</para>
        </listitem>
      </varlistentry>
@@ -1127,20 +1113,6 @@
          list or until an entry in the list names another table. Built-in
          chains such as FORWARD may not be refreshed.</para>
          <para>The <option>-n</option> option was added in Shorewall 4.5.3
          causes Shorewall to avoid updating the routing table(s).</para>
          <para>The <option>-d </option>option was added in Shorewall 4.5.3
          causes the compiler to run under the Perl debugger.</para>
          <para>The <option>-T</option> option was added in Shorewall 4.5.3
          and causes a Perl stack trace to be included with each
          compiler-generated error and warning message.</para>
          <para>The -<option>D</option> option was added in Shorewall 4.5.3
          and causes Shorewall to look in the given
          <emphasis>directory</emphasis> first for configuration files.</para>
          <para>Example:<programlisting><command>shorewall refresh net2fw nat:net_dnat</command> #Refresh the 'net2loc' chain in the filter table and the 'net_dnat' chain in the nat table</programlisting></para>
          <para>The <emphasis role="bold">refresh</emphasis> command has
@@ -1194,10 +1166,6 @@
          <para>If <option>-r</option> is included, it specifies that the root
          user on <replaceable>system</replaceable> is named
          <replaceable>root-user-name</replaceable> rather than "root".</para>
          <para>The <option>-T</option> option was added in Shorewall 4.5.3
          and causes a Perl stack trace to be included with each
          compiler-generated error and warning message.</para>
        </listitem>
      </varlistentry>
@@ -1242,10 +1210,6 @@
          url="shorewall.conf.html">shorewall.conf</ulink>(5). When both
          <option>-f</option> and <option>-c</option>are present, the result
          is determined by the option that appears last.</para>
          <para>The <option>-T</option> option was added in Shorewall 4.5.3
          and causes a Perl stack trace to be included with each
          compiler-generated error and warning message.</para>
        </listitem>
      </varlistentry>
@@ -1577,10 +1541,6 @@
          url="shorewall.conf.html">shorewall.conf</ulink>(5). When both
          <option>-f</option> and <option>-c</option>are present, the result
          is determined by the option that appears last.</para>
          <para>The <option>-T</option> option was added in Shorewall 4.5.3
          and causes a Perl stack trace to be included with each
          compiler-generated error and warning message.</para>
        </listitem>
      </varlistentry>
--- a/Shorewall/shorewall
+++ b/Shorewall/shorewall
@@ -27,19 +27,6 @@
 ################################################################################################
 g_program=shorewall
-#
+. /usr/share/shorewall/lib.cli
 # This is modified by the installer when ${SHAREDIR} != /usr/share
 #
 . /usr/share/shorewall/shorewallrc
 g_libexec="$LIBEXECDIR"
 g_sharedir="$SHAREDIR"/shorewall
 g_sbindir="$SBINDIR"
 g_perllib="$PERLLIBDIR"
 g_vardir="$VARDIR"
 g_confdir="$CONFDIR"/shorewall
 g_readrc=1
 . $g_sharedir/lib.cli
 shorewall_cli $@
--- a/Shorewall/uninstall.sh
+++ b/Shorewall/uninstall.sh
@@ -31,7 +31,7 @@ VERSION=xxx #The Build script inserts the actual version
 usage() # $1 = exit status
 {
    ME=$(basename $0)
-    echo "usage: $ME [ <shorewallrc file> ]"
+    echo "usage: $ME"
    exit $1
 }
@@ -40,25 +40,16 @@ qt()
    "$@" >/dev/null 2>&1
 }
-split() {
+restore_file() # $1 = file to restore
-    local ifs
+{
-    ifs=$IFS
+    if [ -f ${1}-shorewall.bkout ]; then
-    IFS=:
+	if (mv -f ${1}-shorewall.bkout $1); then
-    set -- $1
+	    echo
-    echo $*
+	    echo "$1 restored"
-    IFS=$ifs
+        else
-}
+	    exit 1
-
+        fi
 mywhich() {
    local dir
    for dir in $(split $PATH); do
 	if [ -x $dir/$1 ]; then
 	    return 0
    fi
    done
    return 2
 }
 remove_file() # $1 = file to restore
@@ -69,34 +60,8 @@ remove_file() # $1 = file to restore
    fi
 }
-if [ $# -eq 0 ]; then
+if [ -f /usr/share/shorewall/version ]; then
-    if [ -f ./shorewallrc ]; then
+    INSTALLED_VERSION="$(cat /usr/share/shorewall/version)"
 	. ./shorewallrc
    elif [ -f ~/.shorewallrc ]; then
 	. ~/.shorewallrc || exit 1
 	file=./.shorewallrc
    elif [ -f /usr/share/shorewall/shorewallrc ]; then
 	. /usr/share/shorewall/shorewallrc
    else
 	fatal_error "No configuration file specified and /usr/share/shorewall/shorewallrc not found"
    fi
 elif [ $# -eq 1 ]; then
    file=$1
    case $file in
 	/*|.*)
 	    ;;
 	*)
 	    file=./$file
 	    ;;
    esac
    . $file
 else
    usage 1
 fi
 if [ -f ${SHAREDIR}/shorewall/version ]; then
    INSTALLED_VERSION="$(cat ${SHAREDIR}/shorewall/version)"
    if [ "$INSTALLED_VERSION" != "$VERSION" ]; then
 	echo "WARNING: Shorewall Version $INSTALLED_VERSION is installed"
 	echo "         and this is the $VERSION uninstaller."
@@ -107,33 +72,62 @@ else
    VERSION=""
 fi
 [ -n "${LIBEXEC:=/usr/share}" ]
 [ -n "${PERLLIB:=/usr/share/shorewall}" ]
 echo "Uninstalling shorewall $VERSION"
-if qt iptables -L shorewall -n && [ ! -f ${SBINDIR}/shorewall-lite ]; then
+if qt iptables -L shorewall -n && [ ! -f /sbin/shorewall-lite ]; then
-   shorewall clear
+   /sbin/shorewall clear
 fi
-rm -f ${SBINDIR}/shorewall
+if [ -L /usr/share/shorewall/init ]; then
    FIREWALL=$(readlink -m -q /usr/share/shorewall/init)
 else
    FIREWALL=/etc/init.d/shorewall
 fi
-rm -rf ${SHAREDIR}/shorewall/version
+if [ -n "$FIREWALL" ]; then
-rm -rf ${CONFDIR}/shorewall
+    if [ -x /usr/sbin/updaterc.d ]; then
-rm -rf ${VARDIR}/shorewall
+	updaterc.d shorewall remove
-rm -rf ${PERLLIB}/Shorewall/*
+    elif [ -x /sbin/insserv -o -x /usr/sbin/insserv ]; then
        insserv -r $FIREWALL
    elif [ -x /sbin/systemctl ]; then
 	systemctl disable shorewall
    elif [ -x /sbin/chkconfig -o -x /usr/sbin/chkconfig ]; then
 	chkconfig --del $(basename $FIREWALL)
    else
 	rm -f /etc/rc*.d/*$(basename $FIREWALL)
    fi
    remove_file $FIREWALL
    rm -f ${FIREWALL}-*.bkout
 fi
 rm -f /sbin/shorewall
 rm -f /sbin/shorewall-*.bkout
 rm -rf /usr/share/shorewall/version
 rm -rf /etc/shorewall
 rm -rf /etc/shorewall-*.bkout
 rm -rf /var/lib/shorewall
 rm -rf /var/lib/shorewall-*.bkout
 rm -rf $PERLLIB}/Shorewall/*
 rm -rf ${LIBEXEC}/shorewall
-rm -rf ${SHAREDIR}/shorewall/configfiles/
+rm -rf /usr/share/shorewall/configfiles/
-rm -rf ${SHAREDIR}/shorewall/Samples/
+rm -rf /usr/share/shorewall/Samples/
-rm -rf ${SHAREDIR}/shorewall/Shorewall/
+rm -rf /usr/share/shorewall/Shorewall/
-rm -f  ${SHAREDIR}/shorewall/lib.cli-std
+rm -f  /usr/share/shorewall/lib.cli-std
-rm -f  ${SHAREDIR}/shorewall/lib.core
+rm -f  /usr/share/shorewall/lib.core
-rm -f  ${SHAREDIR}/shorewall/compiler.pl
+rm -f  /usr/share/shorewall/compiler.pl
-rm -f  ${SHAREDIR}/shorewall/prog.*
+rm -f  /usr/share/shorewall/prog.*
-rm -f  ${SHAREDIR}/shorewall/module*
+rm -f  /usr/share/shorewall/module*
-rm -f  ${SHAREDIR}/shorewall/helpers
+rm -f  /usr/share/shorewall/helpers
-rm -f  ${SHAREDIR}/shorewall/action*
+rm -f  /usr/share/shorewall/action*
-rm -f  ${SHAREDIR}/shorewall/init
+rm -f  /usr/share/shorewall/init
 rm -rf /usr/share/shorewall-*.bkout
-for f in ${MANDIR}/man5/shorewall* ${MANDIR}/man8/shorewall*; do
+for f in /usr/share/man/man5/shorewall* /usr/share/man/man8/shorewall*; do
    case $f in
 	shorewall6*|shorewall-lite*)
 	    ;;
@@ -143,10 +137,8 @@ for f in ${MANDIR}/man5/shorewall* ${MANDIR}/man8/shorewall*; do
    esac
 done
-rm -f  ${CONFDIR}/logrotate.d/shorewall
+rm -f  /etc/logrotate.d/shorewall
-
+rm -f  /lib/systemd/system/shorewall.service
 if [ -n "$SYSTEMD" ]; THEN
 rm -f  ${SYSTEMD}/shorewall.service
 echo "Shorewall Uninstalled"
--- a/Shorewall6-lite/Makefile
+++ b/Shorewall6-lite/Makefile
@@ -3,16 +3,16 @@ VARDIR=$(shell /sbin/shorewall6-lite show vardir)
 SHAREDIR=/usr/share/shorewall6-lite
 RESTOREFILE?=.restore
-all: $(VARDIR)/$(RESTOREFILE)
+all: $(VARDIR)/${RESTOREFILE}
-$(VARDIR)/$(RESTOREFILE): $(VARDIR)/firewall
+$(VARDIR)/${RESTOREFILE}: $(VARDIR)/firewall
 	@/sbin/shorewall6-lite -q save >/dev/null; \
 	if \
 	    /sbin/shorewall6-lite -q restart >/dev/null 2>&1; \
 	then \
 	    /sbin/shorewall6-lite -q save >/dev/null; \
 	else \
-	    /sbin/shorewall6-lite -q restart 2>&1 | tail >&2; exit 1; \
+	    /sbin/shorewall6-lite -q restart 2>&1 | tail >&2; \
 	fi
 # EOF
--- a/Shorewall6-lite/init.debian.sh
+++ b/Shorewall6-lite/init.debian.sh
@@ -78,11 +78,6 @@ else
 	not_configured
 fi
 #
 # The installer may alter this
 #
 . /usr/share/shorewall/shorewallrc
 # start the firewall
 shorewall6_start () {
  echo -n "Starting \"Shorewall6 Lite firewall\": "
--- a/Shorewall6-lite/init.fedora.sh
+++ b/Shorewall6-lite/init.fedora.sh
@@ -20,21 +20,16 @@
 # Source function library.
 . /etc/rc.d/init.d/functions
 #
 # The installer may alter this
 #
 . /usr/share/shorewall/shorewallrc
 prog="shorewall6-lite"
-shorewall="${SBINDIR}/$prog"
+shorewall="/sbin/$prog"
 logger="logger -i -t $prog"
 lockfile="/var/lock/subsys/$prog"
 # Get startup options (override default)
 OPTIONS=
-if [ -f ${SYSCONFDIR}/$prog ]; then
+if [ -f /etc/sysconfig/$prog ]; then
-    . ${SYSCONFDIR}/$prog
+    . /etc/sysconfig/$prog
 fi
 start() {
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
Tom Eastep	25760aa653	Fix syntax error in the generated script Signed-off-by: Tom Eastep <teastep@shorewall.net>	2012-03-06 09:14:06 -08:00
Tom Eastep	649f73a360	Correct issues with debugging the generated script a) Rename DEBUG to g_debug_iptablesb b) Clear all of the tables prior to handling iptables-restore input.	2012-03-05 15:55:25 -08:00
Tom Eastep	93df86c90a	Add /sbin/shorewall-init for use with service.d Signed-off-by: Tom Eastep <teastep@shorewall.net>	2012-02-29 15:04:17 -08:00
Tom Eastep	d4e21314d0	Update the release model web page Signed-off-by: Tom Eastep <teastep@shorewall.net>	2012-02-25 08:28:15 -08:00
Tom Eastep	428e67dc9e	Fix incorrect manpage Signed-off-by: Tom Eastep <teastep@shorewall.net>	2012-02-25 07:51:55 -08:00
Tom Eastep	d3f4f59e36	Attempt to fix incorrect manpage Signed-off-by: Tom Eastep <teastep@shorewall.net>	2012-02-25 07:40:47 -08:00
Roberto C. Sanchez	1983d314b8	FIx typos	2012-02-25 07:32:01 -08:00
Tom Eastep	4ae5ee20aa	Fix broken init scripts. Signed-off-by: Tom Eastep <teastep@shorewall.net>	2012-02-21 15:24:08 -08:00
Tom Eastep	408340ada2	Merge branch '4.5.0' of ssh://shorewall.git.sourceforge.net/gitroot/shorewall/shorewall into 4.5.0	2012-02-18 13:26:01 -08:00
Tom Eastep	12b92acef1	Fix compiler crash from unknown interface Signed-off-by: Tom Eastep <teastep@shorewall.net>	2012-02-18 11:05:47 -08:00
Tom Eastep	966597ee9d	Correct usage text for 'update'. Signed-off-by: Tom Eastep <teastep@shorewall.net>	2012-02-18 11:05:27 -08:00
Tom Eastep	98aa70bcae	Correct a typo in the blrules manpages Signed-off-by: Tom Eastep <teastep@shorewall.net>	2012-02-18 11:05:11 -08:00
Tom Eastep	71a8ffca2e	Install the correct init script on Fedora	2012-02-17 13:47:49 -08:00
Tom Eastep	eef85fbcbc	Apply Simon Mater's patch for LIBEXEC/PERLLIB Signed-off-by: Tom Eastep <teastep@shorewall.net>	2012-02-13 07:02:48 -08:00
		`@@ -0,0 +1,3 @@`
							`<?xml version="1.0" encoding="UTF-8"?>`
							`<includepath />`