Revert 83a8c7eda3

Signed-off-by: Tom Eastep <teastep@shorewall.net>
Additional simplification of evaluate_expression()
2012-07-09 10:58:15 -07:00 · 2012-07-08 07:48:27 -07:00 · 2012-07-08 07:36:15 -07:00 · 2012-07-07 09:47:10 -07:00 · 2012-07-07 08:02:57 -07:00 · 2012-07-07 07:55:17 -07:00
90 changed files with 3771 additions and 2011 deletions
--- a/Shorewall-core/configure
+++ b/Shorewall-core/configure
@@ -81,9 +81,6 @@ for p in $@; do
 		DATADIR)
 		    pn=SHAREDIR
 		    ;;
-		SYSCONFDIR)
-		    pn=CONFDIR
-		    ;;
 	    esac

 	    params[${pn}]="${pv}"
@@ -132,7 +129,7 @@ if [ -z "$vendor" ]; then

    vendor=${params[HOST]}
 elif [ $vendor = linux ]; then
-    rcfile=$shorewallrc.default;
+    rcfile=shorewallrc.default;
 else
    rcfile=shorewallrc.$vendor
    if [ ! -f $rcfile ]; then
--- a/Shorewall-core/configure.pl
+++ b/Shorewall-core/configure.pl
@@ -39,8 +39,7 @@ my %options;

 my %aliases = ( VENDOR         => 'HOST',
 		SHAREDSTATEDIR => 'VARDIR',
-		DATADIR        => 'SHAREDIR',
-		SYSCONFDIR     => 'CONFDIR' );
+		DATADIR        => 'SHAREDIR' );

 for ( @ARGV ) {
    die "ERROR: Invalid option specification ( $_ )" unless /^(?:--)?(\w+)=(.*)$/;
--- a/Shorewall-core/lib.base
+++ b/Shorewall-core/lib.base
@@ -130,71 +130,6 @@ combine_list()
    echo $o
 }

-#
-# Call this function to assert mutual exclusion with Shorewall. If you invoke the
-# /sbin/shorewall program while holding mutual exclusion, you should pass "nolock" as
-# the first argument. Example "shorewall nolock refresh"
-#
-# This function uses the lockfile utility from procmail if it exists.
-# Otherwise, it uses a somewhat race-prone algorithm to attempt to simulate the
-# behavior of lockfile.
-#
-mutex_on()
-{
-    local try
-    try=0
-    local lockf
-    lockf=${LOCKFILE:=${VARDIR}/lock}
-    local lockpid
-
-    MUTEX_TIMEOUT=${MUTEX_TIMEOUT:-60}
-
-    if [ $MUTEX_TIMEOUT -gt 0 ]; then
-
-	[ -d ${VARDIR} ] || mkdir -p ${VARDIR}
-
-	if [ -f $lockf ]; then
-	    lockpid=`cat ${lockf} 2> /dev/null`
-	    if [ -z "$lockpid" -o $lockpid = 0 ]; then
-		rm -f ${lockf}
-		error_message "WARNING: Stale lockfile ${lockf} removed"
-	    elif ! qt ps p ${lockpid}; then
-		rm -f ${lockf}
-		error_message "WARNING: Stale lockfile ${lockf} from pid ${lockpid} removed"
-	    fi
-	fi
-
-	if qt mywhich lockfile; then
-	    lockfile -${MUTEX_TIMEOUT} -r1 ${lockf}
-	    chmod u+w ${lockf}
-	    echo $$ > ${lockf}
-	    chmod u-w ${lockf}
-	else
-	    while [ -f ${lockf} -a ${try} -lt ${MUTEX_TIMEOUT} ] ; do
-		sleep 1
-		try=$((${try} + 1))
-	    done
-
-	    if  [ ${try} -lt ${MUTEX_TIMEOUT} ] ; then
-	        # Create the lockfile
-		echo $$ > ${lockf}
-	    else
-		echo "Giving up on lock file ${lockf}" >&2
-	    fi
-	fi
-    fi
-}
-
-#
-# Call this function to release mutual exclusion
-#
-mutex_off()
-{
-    rm -f ${LOCKFILE:=${VARDIR}/lock}
-}
-
-[ -z "$LEFTSHIFT" ] && . ${g_basedir}/lib.common
-
 #
 # Validate an IP address
 #
@@ -323,6 +258,8 @@ ip_range_explicit() {
    done
 }

+[ -z "$LEFTSHIFT" ] && . ${g_basedir}/lib.common
+
 #
 # Netmask to VLSM
 #
--- a/Shorewall-core/lib.common
+++ b/Shorewall-core/lib.common
@@ -717,3 +717,69 @@ truncate() # $1 = length
 {
    cut -b -${1}
 }
+
+#
+# Call this function to assert mutual exclusion with Shorewall. If you invoke the
+# /sbin/shorewall program while holding mutual exclusion, you should pass "nolock" as
+# the first argument. Example "shorewall nolock refresh"
+#
+# This function uses the lockfile utility from procmail if it exists.
+# Otherwise, it uses a somewhat race-prone algorithm to attempt to simulate the
+# behavior of lockfile.
+#
+mutex_on()
+{
+    local try
+    try=0
+    local lockf
+    lockf=${LOCKFILE:=${VARDIR}/lock}
+    local lockpid
+
+    MUTEX_TIMEOUT=${MUTEX_TIMEOUT:-60}
+
+    if [ $MUTEX_TIMEOUT -gt 0 ]; then
+
+	[ -d ${VARDIR} ] || mkdir -p ${VARDIR}
+
+	if [ -f $lockf ]; then
+	    lockpid=`cat ${lockf} 2> /dev/null`
+	    if [ -z "$lockpid" -o $lockpid = 0 ]; then
+		rm -f ${lockf}
+		error_message "WARNING: Stale lockfile ${lockf} removed"
+	    elif [ $lockpid -eq $$ ]; then
+                return 0
+	    elif ! qt ps p ${lockpid}; then
+		rm -f ${lockf}
+		error_message "WARNING: Stale lockfile ${lockf} from pid ${lockpid} removed"
+	    fi
+	fi
+
+	if qt mywhich lockfile; then
+	    lockfile -${MUTEX_TIMEOUT} -r1 ${lockf}
+	    chmod u+w ${lockf}
+	    echo $$ > ${lockf}
+	    chmod u-w ${lockf}
+	else
+	    while [ -f ${lockf} -a ${try} -lt ${MUTEX_TIMEOUT} ] ; do
+		sleep 1
+		try=$((${try} + 1))
+	    done
+
+	    if  [ ${try} -lt ${MUTEX_TIMEOUT} ] ; then
+	        # Create the lockfile
+		echo $$ > ${lockf}
+	    else
+		echo "Giving up on lock file ${lockf}" >&2
+	    fi
+	fi
+    fi
+}
+
+#
+# Call this function to release mutual exclusion
+#
+mutex_off()
+{
+    rm -f ${LOCKFILE:=${VARDIR}/lock}
+}
+
--- a/Shorewall-init/ifupdown.sh
+++ b/Shorewall-init/ifupdown.sh
@@ -106,15 +106,11 @@ if [ -f /etc/debian_version ]; then
 	    else
 		exit 0
 	    fi
-
-	    case "$PHASE" in
-		pre-*)
-		    exit 0
-		    ;;
-	    esac
 	    ;;
    esac
 elif [ -f /etc/SuSE-release ]; then
+    PHASE=''
+
    case $0 in
 	/etc/ppp*)
 	    #
@@ -146,6 +142,8 @@ else
    #
    # Assume RedHat/Fedora/CentOS/Foobar/...
    #
+    PHASE=''
+
    case $0 in
 	/etc/ppp*)
 	    INTERFACE="$1"
@@ -186,20 +184,12 @@ else
    esac
 fi

+[ -n "$LOGFILE" ] || LOGFILE=/dev/null
+
 for PRODUCT in $PRODUCTS; do
-    #
-    # For backward compatibility, lib.base appends the product name to VARDIR
-    # Save it here and restore it below
-    #
-    save_vardir=${VARDIR}
    if [ -x $VARDIR/$PRODUCT/firewall ]; then
-	  ( . ${SHAREDIR}/shorewall/lib.base
-	    mutex_on
-	    ${VARDIR}/firewall -V0 $COMMAND $INTERFACE || echo_notdone
-	    mutex_off
-	  )
+	  ( ${VARDIR}/$PRODUCT/firewall -V0 $COMMAND $INTERFACE >> $LOGFILE 2>&1 ) || true
    fi
-    VARDIR=${save_vardir}
 done

 exit 0
--- a/Shorewall-init/install.sh
+++ b/Shorewall-init/install.sh
@@ -260,6 +260,11 @@ else
    first_install="Yes"
 fi

+if [ -n "$DESTDIR" ]; then
+    mkdir -p ${DESTDIR}${CONFDIR}/logrotate.d
+    chmod 755 ${DESTDIR}${CONFDIR}/logrotate.d
+fi
+
 #
 # Install the Firewall Script
 #
@@ -295,6 +300,14 @@ fi
 mkdir -p ${DESTDIR}/usr/share/shorewall-init
 chmod 755 ${DESTDIR}/usr/share/shorewall-init

+#
+# Install logrotate file
+#
+if [ -d ${DESTDIR}${CONFDIR}/logrotate.d ]; then
+    run_install $OWNERSHIP -m 0644 logrotate ${DESTDIR}${CONFDIR}/logrotate.d/$PRODUCT
+    echo "Logrotate file installed as ${DESTDIR}${CONFDIR}/logrotate.d/$PRODUCT"
+fi
+
 #
 # Create the version file
 #
@@ -312,7 +325,7 @@ fi
 if [ $HOST = debian ]; then
    if [ -n "${DESTDIR}" ]; then
 	mkdir -p ${DESTDIR}/etc/network/if-up.d/
-	mkdir -p ${DESTDIR}/etc/network/if-post-down.d/
+	mkdir -p ${DESTDIR}/etc/network/if-down.d/
    fi

    if [ ! -f ${DESTDIR}/etc/default/shorewall-init ]; then
@@ -347,7 +360,7 @@ fi

 cp ifupdown.sh ifupdown

-d[ "${SHAREDIR}" = /usr/share ] || eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ifupdown
+[ "${SHAREDIR}" = /usr/share ] || eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ifupdown

 mkdir -p ${DESTDIR}${LIBEXECDIR}/shorewall-init

@@ -360,6 +373,7 @@ fi
 case $HOST in
    debian)
 	install_file ifupdown ${DESTDIR}/etc/network/if-up.d/shorewall 0544
+	install_file ifupdown ${DESTDIR}/etc/network/if-down.d/shorewall 0544
 	install_file ifupdown ${DESTDIR}/etc/network/if-post-down.d/shorewall 0544
 	;;
    suse)
@@ -382,7 +396,7 @@ if [ -z "$DESTDIR" ]; then
    if [ -n "$first_install" ]; then
 	if [ $HOST = debian ]; then
 	    
-	    update-rc.d shorewall-init defaults
+	    update-rc.d shorewall-init enable

 	    echo "Shorewall Init will start automatically at boot"
 	else
--- a/Shorewall-init/logrotate
+++ b/Shorewall-init/logrotate
@@ -0,0 +1,5 @@
+/var/log/shorewall-ifupdown.log {
+  missingok
+  notifempty
+  create 0600 root root
+}
--- a/Shorewall-init/sysconfig
+++ b/Shorewall-init/sysconfig
@@ -16,3 +16,8 @@ IFUPDOWN=0
 # during 'start' and will save them there during 'stop'.
 #
 SAVE_IPSETS=""
+#
+# Where Up/Down events get logged
+#
+LOGFILE=/var/log/shorewall-ifupdown.log
+
--- a/Shorewall-lite/install.sh
+++ b/Shorewall-lite/install.sh
@@ -403,6 +403,7 @@ echo "Common functions linked through ${DESTDIR}${SHAREDIR}/$PRODUCT/functions"
 #

 install_file shorecap ${DESTDIR}${LIBEXECDIR}/$PRODUCT/shorecap 0755
+[ $SHAREDIR = /usr/share ] || eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}/${LIBEXECDIR}/$PRODUCT/shorecap

 echo
 echo "Capability file builder installed in ${DESTDIR}${LIBEXECDIR}/$PRODUCT/shorecap"
--- a/Shorewall-lite/shorecap
+++ b/Shorewall-lite/shorecap
@@ -45,17 +45,22 @@
 #    used during firewall compilation, then the generated firewall program will likewise not
 #    require Shorewall to be installed.

-SHAREDIR=/usr/share/shorewall-lite
-VARDIR=/var/lib/shorewall-lite
-CONFDIR=/etc/shorewall-lite
-g_program=shorewall-lite
-g_product="Shorewall Lite"
-g_family=4
-g_base=shorewall
-g_basedir=/usr/share/shorewall-lite

-. /usr/share/shorewall-lite/lib.base
-. /usr/share/shorewall/lib.cli
+g_program=shorewall-lite
+
+#
+# This is modified by the installer when ${SHAREDIR} != /usr/share
+#
+. /usr/share/shorewall/shorewallrc
+
+g_libexec="$LIBEXECDIR"
+g_sharedir="$SHAREDIR"/shorewall-lite
+g_sbindir="$SBINDIR"
+g_vardir="$VARDIR"
+g_confdir="$CONFDIR"/shorewall-lite
+g_readrc=1
+
+. ${SHAREDIR}/shorewall/lib.cli
 . /usr/share/shorewall-lite/configpath

 [ -n "$PATH" ] || PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
--- a/Shorewall/Macros/macro.mDNS
+++ b/Shorewall/Macros/macro.mDNS
@@ -1,9 +1,11 @@
 #
-# Shorewall version 4 - Multicast DNS Macro
+# Shorewall version 4 - Multicast DNS Macro -- this macro assumes that only
+#                       the DEST zone sends mDNS queries. If both zones send
+#                       queries, use the mDNSbi macro.
 #
 # /usr/share/shorewall/macro.mDNS
 #
-#	This macro handles multicast DNS traffic.
+#	This macro handles multicast DNS traffic
 #
 ###############################################################################
 #ACTION	SOURCE	DEST			PROTO	DEST	SOURCE	RATE	USER/
--- a/Shorewall/Macros/macro.mDNSbi
+++ b/Shorewall/Macros/macro.mDNSbi
@@ -0,0 +1,16 @@
+#
+# Shorewall version 4 - Bi-directional Multicast DNS Macro.
+#
+# /usr/share/shorewall/macro.mDNSbi
+#
+#	This macro handles multicast DNS traffic
+#
+###############################################################################
+#ACTION	SOURCE	DEST			PROTO	DEST	SOURCE	RATE	USER/
+#						PORT(S)	PORT(S)	LIMIT	GROUP
+PARAM	-	224.0.0.251		udp	5353
+PARAM	-	-			udp	32768:	5353
+PARAM	-	224.0.0.251		2
+PARAM	DEST	SOURCE:224.0.0.251	udp	5353
+PARAM	DEST	SOURCE			udp	32768:	5353
+PARAM	DEST	SOURCE:224.0.0.251	2
--- a/Shorewall/Perl/Shorewall/Chains.pm
+++ b/Shorewall/Perl/Shorewall/Chains.pm
--- a/Shorewall/Perl/Shorewall/Compiler.pm
+++ b/Shorewall/Perl/Shorewall/Compiler.pm
@@ -817,11 +817,11 @@ sub compiler {
 	    #
 	    # Optimize Policy Chains
 	    #
-	    optimize_policy_chains if $optimize & 6 == 2; # Level 2 but not 4
+	    optimize_policy_chains if ( $optimize & OPTIMIZE_POLICY_MASK2n4 ) == OPTIMIZE_POLICY_MASK; # Level 2 but not 4
 	    #
 	    # More Optimization
 	    #
-	    optimize_ruleset if $config{OPTIMIZE} & 0x1C;
+	    optimize_ruleset if $config{OPTIMIZE} & OPTIMIZE_RULESET_MASK;
 	}

 	enable_script;
@@ -877,16 +877,16 @@ sub compiler {

 	    optimize_level0;

-	    if ( $config{OPTIMIZE} & OPTIMIZE_MASK ) {
+	    if ( ( my $optimize = $config{OPTIMIZE} & OPTIMIZE_MASK ) ) {
 		progress_message2 'Optimizing Ruleset...';
 		#
 		# Optimize Policy Chains
 		#
-		optimize_policy_chains if $config{OPTIMIZE} & OPTIMIZE_POLICY_MASK;
+		optimize_policy_chains if ( $optimize & OPTIMIZE_POLICY_MASK2n4 ) == OPTIMIZE_POLICY_MASK; # Level 2 but not 4
 		#
 		# Ruleset Optimization
 		#
-		optimize_ruleset if $config{OPTIMIZE} & OPTIMIZE_RULESET_MASK;
+		optimize_ruleset if $optimize & OPTIMIZE_RULESET_MASK;
 	    }

 	    enable_script if $debug;
--- a/Shorewall/Perl/Shorewall/Config.pm
+++ b/Shorewall/Perl/Shorewall/Config.pm
@@ -308,6 +308,10 @@ my  %capdesc = ( NAT_ENABLED     => 'NAT',
 		 DSCP_MATCH      => 'DSCP Match',
 		 DSCP_TARGET     => 'DSCP Target',
 		 GEOIP_MATCH     => 'GeoIP Match' ,
+		 #
+		 # Constants
+		 #
+		 LOG_OPTIONS     => 'Log Options',
 		 CAPVERSION      => 'Capability Version',
 		 KERNELVERSION   => 'Kernel Version',
 	       );
@@ -447,6 +451,12 @@ my $omitting;
 my @ifstack;
 my $ifstack;
 #
+# Entries on the ifstack are a 4-tuple:
+#
+#    [0] - Keyword (IF, ELSEIF, ELSE or ENDIF)
+#    [1] - True if the outermost IF evaluated to false
+#    [2] - True if the the last unterminated IF evaluated to false
+#
 # From .shorewallrc
 #
 our %shorewallrc;
@@ -515,7 +525,7 @@ sub initialize( $;$ ) {
 		    KLUDGEFREE => '',
 		    STATEMATCH => '-m state --state',
 		    UNTRACKED  => 0,
-		    VERSION    => "4.4.22.1",
+		    VERSION    => "4.5.6",
 		    CAPVERSION => 40504 ,
 		  );
    #
@@ -750,6 +760,7 @@ sub initialize( $;$ ) {
 	       DSCP_TARGET => undef,
 	       GEOIP_MATCH => undef,
 	       CAPVERSION => undef,
+	       LOG_OPTIONS => 1,
 	       KERNELVERSION => undef,
 	       );
    #
@@ -1646,62 +1657,128 @@ sub close_file() {
 }

 #
-# Process an ?IF, ?ELSE or ?END directive
+# Process an ?IF, ?ELSIF, ?ELSE or ?END directive
 #
 sub have_capability( $ );

-sub process_conditional( $$$ ) {
-    my ( $omitting, $line, $linenumber ) = @_;
+#
+# Report an error from process_conditional()
+#
+sub cond_error( $$$ ) {
+    $currentfilename   = $_[1];
+    $currentlinenumber = $_[2];
+    fatal_error $_[0];
+}

-    print "CD===> $currentline\n" if $debug;
+#
+# Evaluate an expression in an ?IF or ?ELSIF directive
+#
+sub evaluate_expression( $$$ ) {
+    my ( $expression , $filename , $linenumber ) = @_;
+    my $val;
+    my $count = 0;

-    fatal_error "Invalid compiler directive ($line)" unless $line =~ /^\s*\?(IF\s+|ELSE|ENDIF)(.*)$/;
+    #                         $1      $2   $3      -     $4
+    while ( $expression =~ m( ^(.*?) \$({)? (\w+) (?(2)}) (.*)$ )x ) {
+	my ( $first, $var, $rest ) = ( $1, $3, $4);

-    my ($keyword, $rest) = ( $1, $2 );
-
-    if ( supplied $rest ) {
-	$rest =~ s/#.*//;
-	$rest =~ s/\s*$//;
-    } else {
-	$rest = '';
+	$val = ( exists $ENV{$var}     ? $ENV{$var}    :
+		 exists $params{$var}  ? $params{$var} :
+		 exists $config{$var}  ? $config{$var} :
+		 exists $capdesc{$var} ? have_capability( $var ) : 0 );
+	$val = 0 unless defined $val;
+	$val = "'$val'" unless $val =~ /^-?\d+$/;
+	$expression = join( '', $first, $val || 0, $rest );
+	cond_error( "Variable Expansion Loop" , $filename, $linenumber ) if ++$count > 100;
    }

-    my ( $lastkeyword, $prioromit, $lastomit, $lastlinenumber ) = @ifstack ? @{$ifstack[-1]} : ('', 0, 0, 0 );
+    #                         $1      $2   $3      -     $4
+    while ( $expression =~ m( ^(.*?) __({)? (\w+) (?(2)}) (.*)$ )x ) {
+	my ( $first, $cap, $rest ) = ( $1, $3, $4);

-    if ( $keyword =~ /^IF/ ) {
-	fatal_error "Missing IF variable" unless $rest;
-	my $invert = $rest =~ s/^!\s*//;
-
-	fatal_error "Invalid IF variable ($rest)" unless ($rest =~ s/^\$// || $rest =~ /^__/ ) && $rest =~ /^\w+$/;
-
-	push @ifstack, [ 'IF', $omitting, $omitting, $linenumber ];
-
-	if ( $rest eq '__IPV6' ) {
-	    $omitting = $family == F_IPV4;
-	} elsif ( $rest eq '__IPV4' ) {
-	    $omitting = $family == F_IPV6;
+	if ( exists $capdesc{$cap} ) {
+	    $val = have_capability( $cap )
+	} elsif ( $cap =~ /^IPV([46])$/ ) {
+	    $val = ( $family == $1 );
 	} else {
-	    my $cap = $rest;
-
-	    $cap =~ s/^__//;
-
-	    $omitting = ! ( exists $ENV{$rest}    ? $ENV{$rest}    :
-			    exists $params{$rest} ? $params{$rest} :
-			    exists $config{$rest} ? $config{$rest} :
-			    exists $capdesc{$cap} ? have_capability( $cap ) : 0 );
+	    cond_error "Unknown capability ($cap)", $filename, $linenumber;
 	}

-	$omitting = ! $omitting if $invert;
+	$expression = join( '', $first, $val || 0, $rest );
+    }

-	$omitting ||= $lastomit; #?IF cannot transition from omitting -> not omitting
-    } elsif ( $keyword eq 'ELSE' ) {
-	fatal_error "Invalid ?ELSE" unless $rest eq '';
-	fatal_error "?ELSE has no matching ?IF" unless @ifstack > $ifstack && $lastkeyword eq 'IF';
-	$omitting = ! $omitting unless $lastomit;
-	$ifstack[-1] = [ 'ELSE', $prioromit, $omitting, $lastlinenumber ];
+    $expression =~ s/^\s*(.+)\s*$/$1/;
+
+    unless ( $expression =~ /^\d+$/ ) {
+	#
+	# Not a simple one-term expression -- compile it
+	#
+	$val = eval qq(package Shorewall::User;\nuse strict;\n# line $linenumber "$filename"\n$expression);
+
+	unless ( $val ) {
+	    cond_error( "Couldn't parse expression: $@" , $filename, $linenumber ) if $@;
+	    cond_error( "Undefined expression" , $filename, $linenumber ) unless defined $val;
+	}
+    }
+
+    $val;
+}
+
+#
+# Each entry in @ifstack consists of a 4-tupple
+#
+# [0] = The keyword (IF,ELSIF or ELSE)
+# [1] = True if we were already omitting at the last IF directive
+# [2] = True if we have included any block of the current IF...ELSEIF....ELSEIF... sequence.
+# [3] = The line number of the directive
+#
+sub process_conditional( $$$$ ) {
+    my ( $omitting, $line, $filename, $linenumber ) = @_;
+
+    print "CD===> $line\n" if $debug;
+
+    cond_error( "Invalid compiler directive ($line)" , $filename, $linenumber ) unless $line =~ /^\s*\?(IF\s+|ELSE|ELSIF\s+|ENDIF)(.*)$/;
+
+    my ($keyword, $expression) = ( $1, $2 );
+
+    if ( supplied $expression ) {
+	$expression =~ s/#.*//;
+	$expression =~ s/\s*$//;
    } else {
-	fatal_error "Invalid ?ENDIF" unless $rest eq '';
-	fatal_error q(Unexpected "?ENDIF" without matching ?IF or ?ELSE) if @ifstack <= $ifstack;
+	$expression = '';
+    }
+
+    my ( $lastkeyword, $prioromit, $included, $lastlinenumber ) = @ifstack ? @{$ifstack[-1]} : ('', 0, 0, 0 );
+
+    if ( $keyword =~ /^IF/ ) {
+	cond_error( "Missing IF expression" , $filename, $linenumber ) unless $expression;
+	my $nextomitting = $omitting || ! evaluate_expression( $expression , $filename, $linenumber );
+	push @ifstack, [ 'IF', $omitting, ! $nextomitting, $linenumber ];
+	$omitting = $nextomitting;
+    } elsif ( $keyword =~ /^ELSIF/ ) {
+	cond_error( "?ELSIF has no matching ?IF" , $filename, $linenumber ) unless @ifstack > $ifstack && $lastkeyword =~ /IF/;
+	cond_error( "Missing IF expression" , $filename, $linenumber ) unless $expression;
+	if ( $omitting && ! $included ) {
+	    #
+	    # We can only change to including if we were previously omitting
+	    #
+	    $omitting = $prioromit || ! evaluate_expression( $expression , $filename, $linenumber );
+	    $included = ! $omitting;
+	} else {
+	    #
+	    # We have already included -- so we don't want to include this part
+	    #
+	    $omitting = 1;
+	}
+	$ifstack[-1] = [ 'ELSIF', $prioromit, $included, $lastlinenumber ];
+    } elsif ( $keyword eq 'ELSE' ) {
+	cond_error( "Invalid ?ELSE" , $filename, $linenumber ) unless $expression eq '';
+	cond_error( "?ELSE has no matching ?IF" , $filename, $linenumber ) unless @ifstack > $ifstack && $lastkeyword =~ /IF/;
+	$omitting = $included || ! $omitting unless $prioromit;
+	$ifstack[-1] = [ 'ELSE', $prioromit, 1, $lastlinenumber ];
+    } else {
+	cond_error( "Invalid ?ENDIF" , $filename, $linenumber ) unless $expression eq '';
+	cond_error( q(Unexpected "?ENDIF" without matching ?IF or ?ELSE) , $filename, $linenumber ) if @ifstack <= $ifstack;
 	$omitting = $prioromit;
 	pop @ifstack;
    }
@@ -1731,7 +1808,7 @@ sub copy( $ ) {
 	    $lineno++;

 	    if ( /^\s*\?/ ) {
-		$omitting = process_conditional( $omitting, $_, $lineno );
+		$omitting = process_conditional( $omitting, $_, $file, $lineno );
 		next;
 	    }

@@ -1784,7 +1861,7 @@ sub copy1( $ ) {
 		chomp;

 		if ( /^\s*\?/ ) {
-		    $omitting = process_conditional( $omitting, $_, $currentlinenumber );
+		    $omitting = process_conditional( $omitting, $_, $currentfilename, $currentlinenumber );
 		    next;
 		}

@@ -1915,7 +1992,7 @@ EOF
 		chomp;

 		if ( /^\s*\?/ ) {
-		    $omitting = process_conditional( $omitting, $_, $lineno );
+		    $omitting = process_conditional( $omitting, $_, $file, $lineno );
 		    next;
 		}

@@ -2051,7 +2128,7 @@ sub embedded_shell( $ ) {
 	my $last = 0;

 	while ( read_a_line( PLAIN_READ ) ) {
-	    last if $last = $currentline =~ s/^\s*END(\s+SHELL)?\s*;?//;
+	    last if $last = $currentline =~ s/^\s*\??END(\s+SHELL)?\s*(?:;\s*)?$//;
 	    $command .= "$currentline\n";
 	}

@@ -2085,12 +2162,14 @@ sub embedded_perl( $ ) {
 	my $last = 0;

 	while ( read_a_line( PLAIN_READ ) ) {
-	    last if $last = $currentline =~ s/^\s*END(\s+PERL)?\s*;?//;
+	    last if $last = $currentline =~ s/^\s*\??END(\s+PERL)?\s*(?:;\s*)?//;
 	    $command .= "$currentline\n";
 	}

 	fatal_error ( "Missing END PERL" ) unless $last;
 	fatal_error ( "Invalid END PERL directive" ) unless $currentline =~ /^\s*$/;
+    } else {
+	$currentline = '';
    }

    $embedded++;
@@ -2264,10 +2343,21 @@ sub read_a_line($) {
 	$currentlinenumber = 0;

 	while ( <$currentfile> ) {
+	    chomp;
+	    #
+	    # Handle conditionals
+	    #
+	    if ( /^\s*\?(?:IF|ELSE|ELSIF|ENDIF)/ ) {
+		$omitting = process_conditional( $omitting, $_, $currentfilename, $. );
+		next;
+	    }
+
+	    if ( $omitting ) {
+		print "OMIT=> $_\n" if $debug;
+		next;
+	    }

 	    $currentlinenumber = $. unless $currentlinenumber;
-
-	    chomp;
 	    #
 	    # Suppress leading whitespace in certain continuation lines
 	    #
@@ -2282,31 +2372,16 @@ sub read_a_line($) {
 	    #
 	    chop $currentline, next if ($currentline .= $_) =~ /\\$/;
 	    #
-	    # Handle conditionals
-	    #
-	    if ( $currentline =~ /^\s*\?(?:IF|ELSE|ENDIF)/ ) {
-		$omitting = process_conditional( $omitting, $currentline, $currentlinenumber );
-		$currentline='';
-		next;
-	    }
-
-	    if ( $omitting ) {
-		print "OMIT=> $currentline\n" if $debug;
-		$currentline='';
-		$currentlinenumber = 0;
-		next;
-	    }
-	    #
 	    # Must check for shell/perl before doing variable expansion
 	    #
 	    if ( $options & EMBEDDED_ENABLED ) {
-		if ( $currentline =~ s/^\s*(BEGIN\s+)?SHELL\s*;?// ) {
+		if ( $currentline =~ s/^\s*\??(BEGIN\s+)SHELL\s*;?// || $currentline =~ s/^\s*\??SHELL\s*// ) {
 		    handle_first_entry if $first_entry;
 		    embedded_shell( $1 );
 		    next;
 		}

-		if ( $currentline =~ s/^\s*(BEGIN\s+)?PERL\s*\;?// ) {
+		if ( $currentline =~ s/^\s*\??(BEGIN\s+)PERL\s*;?// || $currentline =~ s/^\s*\??PERL\s*// ) {
 		    handle_first_entry if $first_entry;
 		    embedded_perl( $1 );
 		    next;
@@ -2455,6 +2530,22 @@ sub level_error( $ ) {
    fatal_error "Invalid log level ($_[0])";
 }

+my %logoptions = ( tcp_sequence         => '--log-tcp-sequence',
+		   ip_options           => '--log-ip-options',
+		   tcp_options          => '--log-tcp-options',
+		   uid                  => '--log-uid',
+		   macdecode            => '--log-macdecode',
+		   #
+		   # Because a level can pass through validate_level() more than once,
+		   # the full option names are also included here.
+		   #
+		   '--log-tcp-sequence' => '--log-tcp-sequence',
+		   '--log-ip-options'   => '--log-ip-options',
+		   '--log-tcp-options'  => '--log-tcp-options',
+		   '--log-uid'          => '--log-uid',
+		   '--log-macdecode'    => '--log-macdecode',
+		 );
+
 sub validate_level( $ ) {
    my $rawlevel = $_[0];
    my $level    = uc $rawlevel;
@@ -2465,17 +2556,44 @@ sub validate_level( $ ) {
 	my $qualifier;

 	unless ( $value =~ /^[0-7]$/ ) {
-	    level_error( $level ) unless $level =~ /^([A-Za-z0-7]+)(.*)$/ && defined( $value = $validlevels{$1} );
-	    $qualifier = $2;
+	    } if ( $value =~ /^([0-7])(.*)$/ ) {
+		$value = $1;
+		$qualifier = $2;
+	    } elsif ( $value =~ /^([A-Za-z0-7]+)(.*)$/ ) {
+	        level_error( $level) unless defined( $value = $validlevels{$1} );
+		$qualifier = $2;
 	}

 	if ( $value =~ /^[0-7]$/ ) {
 	    #
 	    # Syslog Level
 	    #
-	    level_error( $rawlevel ) if supplied $qualifier;
+	    if ( supplied $qualifier ) {
+		my $options = '';
+		my %options;
+
+		level_error ( $rawlevel ) unless $qualifier =~ /^\((.*)\)$/;
+
+		for ( split_list lc $1, "log options" ) {
+		    my $option = $logoptions{$_};
+		    fatal_error "Unknown LOG option ($_)" unless $option;
+
+		    unless ( $options{$option} ) {
+			if ( $options ) {
+			    $options = join( ',', $options, $option );
+			} else {
+			    $options = $option;
+			}
+
+			$options{$option} = 1;
+		    }
+		}
+
+		$value .= "($options)" if $options;
+	    }

 	    require_capability ( 'LOG_TARGET' , "Log level $level", 's' );
+
 	    return $value;
 	}

@@ -3896,6 +4014,13 @@ sub get_configuration( $$$ ) {

    $globals{STATEMATCH} = '-m conntrack --ctstate' if have_capability 'CONNTRACK_MATCH';

+    #
+    # The following is not documented as it is not likely useful to the user base in general 
+    # Going forward, it allows me to create a configuration that will work on multiple
+    # Shorewall versions.        TME
+    #
+    $config{VERSION} = sprintf "%d%02d%02d", $1, $2, $3 if $globals{VERSION} =~ /^(\d+)\.(\d+)\.(\d+)/;
+
    if ( my $rate = $config{LOGLIMIT} ) {
 	my $limit;

@@ -4131,10 +4256,10 @@ sub get_configuration( $$$ ) {
    }

    if ( ( my $userbits = $config{PROVIDER_OFFSET} - $config{TC_BITS} ) > 0 ) {
-
 	$globals{USER_MASK} = make_mask( $userbits ) << $config{TC_BITS};
+	$globals{USER_BITS} = $userbits;
    } else {
-	$globals{USER_MASK} = 0;
+	$globals{USER_MASK} = $globals{USER_BITS} = 0;
    }

    if ( supplied ( $val = $config{ZONE2ZONE} ) ) {
@@ -4552,7 +4677,7 @@ sub dump_mark_layout() {
 	     $globals{TC_MASK} );

    dumpout( "User",
-	     $globals{USER_MASK},
+	     $globals{USER_BITS},
 	     $globals{TC_MAX} + 1,
 	     $globals{USER_MASK},
 	     $globals{USER_MASK} );
@@ -4574,6 +4699,12 @@ sub dump_mark_layout() {
 	     $globals{EXCLUSION_MASK},
 	     $globals{EXCLUSION_MASK},
 	     $globals{EXCLUSION_MASK} );
+
+    dumpout( "TProxy",
+	     1,
+	     $globals{TPROXY_MARK},
+	     $globals{TPROXY_MARK},
+	     $globals{TPROXY_MARK} );
 }

 END {
--- a/Shorewall/Perl/Shorewall/Misc.pm
+++ b/Shorewall/Perl/Shorewall/Misc.pm
--- a/Shorewall/Perl/Shorewall/Nat.pm
+++ b/Shorewall/Perl/Shorewall/Nat.pm
@@ -35,7 +35,11 @@ use strict;

 our @ISA = qw(Exporter);
 our @EXPORT = qw( setup_masq setup_nat setup_netmap add_addresses );
+our %EXPORT_TAGS = ( rules => [ qw ( handle_nat_rule handle_nonat_rule ) ] );
 our @EXPORT_OK = ();
+
+Exporter::export_ok_tags('rules');
+
 our $VERSION = 'MODULEVERSION';

 my @addresses_to_add;
@@ -54,8 +58,8 @@ sub initialize() {
 #
 sub process_one_masq( )
 {
-    my ($interfacelist, $networks, $addresses, $proto, $ports, $ipsec, $mark, $user, $condition ) =
-	split_line1 'masq file', { interface => 0, source => 1, address => 2, proto => 3, port => 4, ipsec => 5, mark => 6, user => 7, switch => 8 };
+    my ($interfacelist, $networks, $addresses, $proto, $ports, $ipsec, $mark, $user, $condition, $origdest ) =
+	split_line1 'masq file', { interface => 0, source => 1, address => 2, proto => 3, port => 4, ipsec => 5, mark => 6, user => 7, switch => 8, origdest => 9 };

    if ( $interfacelist eq 'COMMENT' ) {
 	process_comment;
@@ -233,7 +237,7 @@ sub process_one_masq( )
 		     $baserule . $rule ,
 		     $networks ,
 		     $destnets ,
-		     '' ,
+		     $origdest ,
 		     $target ,
 		     '' ,
 		     '' ,
@@ -514,6 +518,226 @@ sub setup_netmap() {

 }

+#
+# Called from process_rule1 to add a rule to the NAT table
+#
+sub handle_nat_rule( $$$$$$$$$$$$ ) {
+    my ( $dest,           # <server>[:port]
+	 $proto,          # Protocol
+	 $ports,          # Destination port list
+	 $origdest,       # Original Destination
+	 $action_target,  # If the target is an action, the name of the log action chain to jump to
+	 $action,         # The Action
+	 $sourceref,      # Reference to the Source Zone's table entry in the Zones module
+	 $action_chain,   # Name of the action chain if the rule is in an action
+	 $rule,           # Matches 
+	 $source,         # Source Address
+	 $loglevel,       # [<level>[:<tag>]]
+	 $log_action,     # Action name to include in the log message
+       ) = @_;
+
+    my ( $server, $serverport , $origdstports ) = ( '', '', '' );
+    my $randomize = $dest =~ s/:random$// ? ' --random' : '';
+
+    #
+    # Isolate server port
+    #
+    if ( $dest =~ /^(.*)(?::(.+))$/ ) {
+	#
+	# Server IP and Port
+	#
+	$server = $1;      # May be empty
+	$serverport = $2;  # Not Empty due to RE
+
+	$origdstports = validate_port( $proto, $ports )	if $ports && $ports ne '-' && port_count( $ports ) == 1;
+
+	if ( $serverport =~ /^(\d+)-(\d+)$/ ) {
+	    #
+	    # Server Port Range
+	    #
+	    fatal_error "Invalid port range ($serverport)" unless $1 < $2;
+	    my @ports = ( $1, $2 );
+	    $_ = validate_port( proto_name( $proto ), $_) for ( @ports );
+	    ( $ports = $serverport ) =~ tr/-/:/;
+	} else {
+	    $serverport = $ports = validate_port( proto_name( $proto ), $serverport );
+	}
+    } elsif ( $dest ne ':' ) {
+	#
+	# Simple server IP address (may be empty or "-")
+	#
+	$server = $dest;
+    }
+    #
+    # Generate the target
+    #
+    my $target = '';
+
+    if ( $action eq 'REDIRECT' ) {
+	fatal_error "A server IP address ($server) may not be specified in a REDIRECT rule" if $server;
+	$target  = 'REDIRECT';
+	$target .= " --to-port $serverport" if $serverport;
+	if ( $origdest eq '' || $origdest eq '-' ) {
+	    $origdest = ALLIP;
+	} elsif ( $origdest eq 'detect' ) {
+	    fatal_error 'ORIGINAL DEST "detect" is invalid in an action' if $action_chain;
+
+	    if ( $config{DETECT_DNAT_IPADDRS} ) {
+		my $interfacesref = $sourceref->{interfaces};
+		my @interfaces = keys %$interfacesref;
+		$origdest = @interfaces ? "detect:@interfaces" : ALLIP;
+	    } else {
+		$origdest = ALLIP;
+	    }
+	}
+    } elsif ( $action_target ) {
+	fatal_error "A server port ($serverport) is not allowed in $action rule" if $serverport;
+	$target = $action_target;
+    } else {
+	if ( $server eq '' ) {
+	    fatal_error "A server and/or port must be specified in the DEST column in $action rules" unless $serverport;
+	} elsif ( $server =~ /^(.+)-(.+)$/ ) {
+	    validate_range( $1, $2 );
+	} else {
+	    unless ( $server eq ALLIP ) {
+		my @servers = validate_address $server, 1;
+		$server = join ',', @servers;
+	    }
+	}
+
+	if ( $action eq 'DNAT' ) {
+	    $target = $action;
+	    if ( $server ) {
+		$serverport = ":$serverport" if $serverport;
+		for my $serv ( split /,/, $server ) {
+		    $target .= " --to-destination ${serv}${serverport}";
+		}
+	    } else {
+		$target .= " --to-destination :$serverport";
+	    }
+	}
+
+	unless ( $origdest && $origdest ne '-' && $origdest ne 'detect' ) {
+	    if ( ! $action_chain && $config{DETECT_DNAT_IPADDRS} ) {
+		my $interfacesref = $sourceref->{interfaces};
+		my @interfaces = keys %$interfacesref;
+		$origdest = @interfaces ? "detect:@interfaces" : ALLIP;
+	    } else {
+		$origdest = ALLIP;
+	    }
+	}
+    }
+
+    $target .= $randomize;
+    #
+    # And generate the nat table rule(s)
+    #
+    expand_rule ( ensure_chain ('nat' ,
+				( $action_chain ?
+				  $action_chain :
+				  ( $sourceref->{type} == FIREWALL ? 'OUTPUT' : 
+				    dnat_chain $sourceref->{name} ) ) ),
+		  PREROUTE_RESTRICT ,
+		  $rule ,
+		  $source ,
+		  $origdest ,
+		  '' ,
+		  $target ,
+		  $loglevel ,
+		  $log_action ,
+		  $serverport ? do_proto( $proto, '', '' ) : '',
+		);
+
+    ( $ports, $origdstports, $server );
+}
+
+#
+# Called from process_rule1() to handle the nat table part of the NONAT and ACCEPT+ actions
+#
+sub handle_nonat_rule( $$$$$$$$$$ ) {
+    my ( $action, $source, $dest, $origdest, $sourceref, $inaction, $chain, $loglevel, $log_action, $rule ) = @_;
+
+    my $sourcezone = $sourceref->{name};
+    #
+    # NONAT or ACCEPT+ may not specify a destination interface
+    #
+    fatal_error "Invalid DEST ($dest) in $action rule" if $dest =~ /:/;
+
+    $origdest = '' unless $origdest and $origdest ne '-';
+
+    if ( $origdest eq 'detect' ) {
+	my $interfacesref = $sourceref->{interfaces};
+	my $interfaces = [ ( keys %$interfacesref ) ];
+	$origdest = $interfaces ? "detect:@$interfaces" : ALLIP;
+    }
+
+    my $tgt = 'RETURN';
+
+    my $nonat_chain;
+
+    my $chn;
+
+    if ( $inaction ) {
+	$nonat_chain = ensure_chain( 'nat', $chain );
+    } elsif ( $sourceref->{type} == FIREWALL ) {
+	$nonat_chain = $nat_table->{OUTPUT};
+    } else {
+	$nonat_chain = ensure_chain( 'nat', dnat_chain( $sourcezone ) );
+
+	my @interfaces = keys %{zone_interfaces $sourcezone};
+
+	for ( @interfaces ) {
+	    my $ichain = input_chain $_;
+
+	    if ( $nat_table->{$ichain} ) {
+		#
+		# Static NAT is defined on this interface
+		#
+		$chn = new_chain( 'nat', newnonatchain ) unless $chn;
+		add_ijump $chn, j => $nat_table->{$ichain}, @interfaces > 1 ? imatch_source_dev( $_ )  : ();
+	    }
+	}
+
+	if ( $chn ) {
+	    #
+	    # Call expand_rule() to correctly handle logging. Because
+	    # the 'logname' argument is passed, expand_rule() will
+	    # not create a separate logging chain but will rather emit
+	    # any logging rule in-line.
+	    #
+	    expand_rule( $chn,
+			 PREROUTE_RESTRICT,
+			 '', # Rule
+			 '', # Source
+			 '', # Dest
+			 '', # Original dest
+			 'ACCEPT',
+			 $loglevel,
+			 $log_action,
+			 '',
+			 dnat_chain( $sourcezone  ) );
+	    $loglevel = '';
+	    $tgt = $chn->{name};
+	} else {
+	    $tgt = 'ACCEPT';
+	}
+    }
+
+    set_optflags( $nonat_chain, DONT_MOVE | DONT_OPTIMIZE ) if $tgt eq 'RETURN';
+
+    expand_rule( $nonat_chain ,
+		 PREROUTE_RESTRICT ,
+		 $rule ,
+		 $source ,
+		 $dest ,
+		 $origdest ,
+		 $tgt,
+		 $loglevel ,
+		 $log_action ,
+		 '',
+	       );
+}
+
 sub add_addresses () {
    if ( @addresses_to_add ) {
 	my @addrs = @addresses_to_add;
--- a/Shorewall/Perl/Shorewall/Providers.pm
+++ b/Shorewall/Perl/Shorewall/Providers.pm
@@ -39,7 +39,9 @@ our @EXPORT = qw( process_providers
 		  @routemarked_interfaces
 		  handle_stickiness
 		  handle_optional_interfaces
+		  compile_updown
 		  setup_load_distribution
+		  have_providers
 	       );
 our @EXPORT_OK = qw( initialize lookup_provider );
 our $VERSION = '4.4_24';
@@ -60,9 +62,11 @@ my  @load_interfaces;

 my $balancing;
 my $fallback;
+my $metrics;
 my $first_default_route;
 my $first_fallback_route;
 my $maxload;
+my $tproxies;

 my %providers;

@@ -95,9 +99,11 @@ sub initialize( $ ) {
    @load_interfaces        = ();
    $balancing              = 0;
    $fallback               = 0;
+    $metrics                = 0;
    $first_default_route    = 1;
    $first_fallback_route   = 1;
    $maxload                = 0;
+    $tproxies               = 0;

    %providers  = ( local   => { number => LOCAL_TABLE   , mark => 0 , optional => 0 ,routes => [], rules => [] } ,
 		    main    => { number => MAIN_TABLE    , mark => 0 , optional => 0 ,routes => [], rules => [] } ,
@@ -461,10 +467,11 @@ sub process_a_provider() {
    }

    if ( $local ) {
-	fatal_error "GATEWAY not valid with 'local' provider" unless $gatewaycase eq 'none';
-	fatal_error "'track' not valid with 'local'"          if $track;
-	fatal_error "DUPLICATE not valid with 'local'"        if $duplicate ne '-';
+	fatal_error "GATEWAY not valid with 'local' provider"  unless $gatewaycase eq 'none';
+	fatal_error "'track' not valid with 'local'"           if $track;
+	fatal_error "DUPLICATE not valid with 'local'"         if $duplicate ne '-';
    } elsif ( $tproxy ) {
+	fatal_error "Only one 'tproxy' provider is allowed"    if $tproxies++;
 	fatal_error "GATEWAY not valid with 'tproxy' provider" unless $gatewaycase eq 'none';
 	fatal_error "'track' not valid with 'tproxy'"          if $track;
 	fatal_error "DUPLICATE not valid with 'tproxy'"        if $duplicate ne '-';
@@ -695,19 +702,20 @@ CEOF
 	emit '';
 	if ( $gateway ) {
 	    if ( $family == F_IPV4 ) {
-		emit qq(run_ip route replace $gateway dev $physical table ) . DEFAULT_TABLE;
+		emit qq(run_ip route replace $gateway/32 dev $physical table ) . DEFAULT_TABLE;
 		emit qq(run_ip route replace default via $gateway src $address dev $physical table ) . DEFAULT_TABLE . qq( metric $number);
 	    } else {
 		emit qq(qt \$IP -6 route del default via $gateway src $address dev $physical table ) . DEFAULT_TABLE . qq( metric $number);
 		emit qq(run_ip route add default via $gateway src $address dev $physical table ) . DEFAULT_TABLE . qq( metric $number);
 	    }
 	    emit qq(echo "qt \$IP -$family route del default via $gateway table ) . DEFAULT_TABLE . qq(" >> \${VARDIR}/undo_${table}_routing);
+	    emit qq(echo "qt \$IP -4  route del $gateway/32 dev $physical table ) . DEFAULT_TABLE . qq(" >> \${VARDIR}/undo_${table}_routing) if $family == F_IPV4;
 	} else {
 	    emit qq(run_ip route add default table ) . DEFAULT_TABLE . qq( dev $physical metric $number);
 	    emit qq(echo "qt \$IP -$family route del default dev $physical table ) . DEFAULT_TABLE . qq(" >> \${VARDIR}/undo_${table}_routing);
 	}

-	$fallback = 1;
+	$metrics = 1;
    }

    emit( qq(\n) ,
@@ -1153,14 +1161,16 @@ sub finish_providers() {

 	emit( "    progress_message \"Fallback route '\$(echo \$FALLBACK_ROUTE | sed 's/\$\\s*//')' Added\"",
 	      'else',
-	      '#',
-	      '# We don\'t have any \'fallback\' providers so we delete any default routes in the default table',
-	      '#',
-	      "    while qt \$IP -$family route del default table " . DEFAULT_TABLE . '; do true; done',
+	      '    #',
+	      '    # We don\'t have any \'fallback\' providers so we delete any default routes in the default table',
+	      '    #',
+	      '    delete_default_routes ' . DEFAULT_TABLE,
 	      'fi',
 	      '' );
    } elsif ( $config{USE_DEFAULT_RT} ) {
-	emit "while qt \$IP -$family route del default table " . DEFAULT_TABLE . '; do true; done';
+	emit( 'delete_default_routes ' . DEFAULT_TABLE,
+	      ''
+	    );
    }

    unless ( $config{KEEP_RT_TABLES} ) {
@@ -1198,6 +1208,8 @@ sub process_providers( $ ) {
    }

    if ( $providers ) {
+	fatal_error q(Either all 'fallback' providers must specify a weight or non of them can specify a weight) if $fallback && $metrics;
+
 	my $fn = open_file( 'route_rules' );

 	if ( $fn ){
@@ -1269,6 +1281,7 @@ EOF
            startup_error "$g_interface is not an optional provider or provider interface"
            ;;
    esac
+
 }

 #
@@ -1309,6 +1322,10 @@ EOF

 }

+sub have_providers() {
+    return our $providers;
+}
+
 sub setup_providers() {
    our $providers;

@@ -1354,6 +1371,228 @@ sub setup_providers() {

 }

+#
+# Emit the updown() function
+#
+sub compile_updown() {
+    emit( '',
+	  '#',
+	  '# Handle the "up" and "down" commands',
+	  '#',
+	  'updown() # $1 = interface',
+	  '{',
+	);
+
+    push_indent;
+
+    emit( 'local state',
+	  'state=cleared',
+	  ''
+	);
+
+    emit 'progress_message3 "$g_product $COMMAND triggered by $1"';
+    emit '';
+
+    if ( $family == F_IPV4 ) {
+	emit 'if shorewall_is_started; then';
+    } else {
+	emit 'if shorewall6_is_started; then';
+    }
+
+    emit( '    state=started',
+	  'elif [ -f ${VARDIR}/state ]; then',
+	  '    case "$(cat ${VARDIR}/state)" in',
+	  '        Stopped*)',
+	  '            state=stopped',
+	  '            ;;',
+	  '        Cleared*)',
+	  '            ;;',
+	  '        *)',
+	  '            state=unknown',
+	  '            ;;',
+	  '    esac',
+	  'else',
+	  '    state=unknown',
+	  'fi',
+	  ''
+	);
+
+    emit( 'case $1 in' );
+
+    push_indent;
+
+    my $ignore   = find_interfaces_by_option 'ignore', 1;
+    my $required = find_interfaces_by_option 'required';
+    my $optional = find_interfaces_by_option 'optional';
+
+    if ( @$ignore ) {
+	my $interfaces = join '|', map get_physical( $_ ), @$ignore;
+
+	$interfaces =~ s/\+/*/g;
+
+	emit( "$interfaces)",
+	      '    progress_message3 "$COMMAND on interface $1 ignored"',
+	      '    exit 0',
+	      '    ;;'
+	    );
+    }
+
+    my @nonshared = ( grep $providers{$_}->{optional},
+		      sort( { $providers{$a}->{number} <=> $providers{$b}->{number} } values %provider_interfaces ) );
+
+    if ( @nonshared ) {
+	my $interfaces = join( '|', map $providers{$_}->{physical}, @nonshared );
+
+	emit "$interfaces)";
+
+	push_indent;
+
+	emit( q(if [ "$state" = started ]; then) ,
+	      q(    if [ "$COMMAND" = up ]; then) , 
+	      q(        progress_message3 "Attempting enable on interface $1") ,
+	      q(        COMMAND=enable) ,
+	      q(        detect_configuration),        
+	      q(        enable_provider $1),
+	      q(    elif [ "$PHASE" != post-down ]; then # pre-down or not Debian) ,
+	      q(        progress_message3 "Attempting disable on interface $1") ,
+	      q(        COMMAND=disable) ,
+	      q(        detect_configuration),        
+	      q(        disable_provider $1) ,
+	      q(    fi) ,
+	      q(elif [ "$COMMAND" = up ]; then) ,
+	      q(    echo 0 > ${VARDIR}/${1}.status) ,
+	      q(    COMMAND=start),
+	      q(    progress_message3 "$g_product attempting start") ,
+	      q(    detect_configuration),
+	      q(    define_firewall),
+	      q(else),
+	      q(    progress_message3 "$COMMAND on interface $1 ignored") ,
+	      q(fi) ,
+	      q(;;) );
+
+	pop_indent;
+    }
+
+    if ( @$required ) {
+	my $interfaces = join '|', map get_physical( $_ ), @$required;
+
+	my $wildcard = ( $interfaces =~ s/\+/*/g );
+
+	emit( "$interfaces)",
+	      '    if [ "$COMMAND" = up ]; then' );
+
+	if ( $wildcard ) {
+	    emit( '        if [ "$state" = started ]; then',
+		  '            COMMAND=restart',
+		  '        else',
+		  '            COMMAND=start',
+		  '        fi' );
+	} else {
+	    emit( '        COMMAND=start' );
+	}
+
+	emit( '        progress_message3 "$g_product attempting $COMMAND"',
+	      '        detect_configuration',
+	      '        define_firewall',
+	      '    elif [ "$PHASE" != pre-down ]; then # Not Debian pre-down phase'
+	    );
+
+	push_indent;
+
+	if ( $wildcard ) {
+
+	    emit( '    if [ "$state" = started ]; then',
+		  '        progress_message3 "$g_product attempting restart"',
+		  '        COMMAND=restart',
+		  '        detect_configuration',
+		  '        define_firewall',
+		  '    fi' );
+
+	} else {
+	    emit( '    COMMAND=stop',
+		  '    progress_message3 "$g_product attempting stop"',
+		  '    detect_configuration',
+		  '    stop_firewall' );
+	}
+
+	pop_indent;
+
+	emit( '    fi',
+	      '    ;;'
+	    );
+    }
+
+    if ( @$optional ) {
+	my @interfaces = map( get_physical( $_ ), grep( ! $provider_interfaces{$_} , @$optional ) );
+	my $interfaces = join '|', @interfaces;
+
+	if ( $interfaces ) {
+	    if ( $interfaces =~ s/\+/*/g || @interfaces > 1 ) {
+		emit( "$interfaces)",
+		      '    if [ "$COMMAND" = up ]; then',
+		      '        echo 0 > ${VARDIR}/${1}.state',
+		      '    else',
+		      '        echo 1 > ${VARDIR}/${1}.state',
+		      '    fi' );
+	    } else {
+		emit( "$interfaces)",
+		      '    if [ "$COMMAND" = up ]; then',
+		      "        echo 0 > \${VARDIR}/$interfaces.state",
+		      '    else',
+		      "        echo 1 > \${VARDIR}/$interfaces.state",
+		      '    fi' );
+	    }
+
+	    emit( '',
+		  '    if [ "$state" = started ]; then',
+		  '        COMMAND=restart',
+		  '        progress_message3 "$g_product attempting restart"',
+		  '        detect_configuration',
+		  '        define_firewall',
+		  '    elif [ "$state" = stopped ]; then',
+		  '        COMMAND=start',
+		  '        progress_message3 "$g_product attempting start"',
+		  '        detect_configuration',
+		  '        define_firewall',
+		  '    else',
+		  '        progress_message3 "$COMMAND on interface $1 ignored"',
+		  '    fi',
+		  '    ;;',
+		);
+	}
+    }
+
+    if ( my @plain_interfaces = all_plain_interfaces ) {			
+	my $interfaces = join ( '|', @plain_interfaces );
+
+	$interfaces =~ s/\+/*/g;
+	
+	emit( "$interfaces)",
+	      '    case $state in',
+	      '        started)',
+	      '            COMMAND=restart',
+	      '            progress_message3 "$g_product attempting restart"',
+	      '            detect_configuration',
+	      '            define_firewall',
+	      '            ;;',
+	      '        *)',
+	      '            progress_message3 "$COMMAND on interface $1 ignored"',
+	      '            ;;',
+	      '    esac',
+	    );
+    }
+
+    pop_indent;
+
+    emit( 'esac' );
+
+    pop_indent;
+
+    emit( '}',
+	  '',
+	);
+}
+
 sub lookup_provider( $ ) {
    my $provider    = $_[0];
    my $providerref = $providers{ $provider };
--- a/Shorewall/Perl/Shorewall/Rules.pm
+++ b/Shorewall/Perl/Shorewall/Rules.pm
@@ -33,6 +33,7 @@ use Shorewall::Config qw(:DEFAULT :internal);
 use Shorewall::Zones;
 use Shorewall::Chains qw(:DEFAULT :internal);
 use Shorewall::IPAddrs;
+use Shorewall::Nat qw(:rules);
 use Scalar::Util 'reftype';

 use strict;
@@ -1666,7 +1667,7 @@ sub verify_audit($;$$) {
 # Similarly, if a new action tuple is encountered, this function is called recursively for each rule in the action
 # body. In this latter case, a reference to the tuple's chain is passed in the first ($chainref) argument.
 #
-sub process_rule1 ( $$$$$$$$$$$$$$$$ $) {
+sub process_rule1 ( $$$$$$$$$$$$$$$$$ ) {
    my ( $chainref,   #reference to Action Chain if we are being called from process_action(); undef otherwise
 	 $target,
 	 $current_param,
@@ -1685,7 +1686,7 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$ $) {
 	 $condition,
 	 $wildcard ) = @_;

-    my ( $action, $loglevel) = split_action $target;
+    my ( $action, $loglevel)    = split_action $target;
    my ( $basictarget, $param ) = get_target_param $action;
    my $rule = '';
    my $optimize = $wildcard ? ( $basictarget =~ /!$/ ? 0 : $config{OPTIMIZE} & 5 ) : 0;
@@ -1757,7 +1758,7 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$ $) {
    #
    # We can now dispense with the postfix character
    #
-    fatal_error "The +, - and ! modifiers are not allowed in the blrules file" if $action =~ s/[\+\-!]$// && $blacklist;
+    fatal_error "The +, - and ! modifiers are not allowed in the blrules file" if $action =~ s/[-+!]$// && $blacklist;
    #
    # Handle actions
    #
@@ -1805,32 +1806,33 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$ $) {

 	$bt =~ s/[-+!]$//;

-	my %functions = ( ACCEPT => sub() { $action = 'RETURN' if $blacklist; } ,
+	my %functions =
+	    ( ACCEPT => sub() { $action = 'RETURN' if $blacklist; } ,
+	      
+	      REDIRECT => sub () {
+		  my $z = $actiontype & NATONLY ? '' : firewall_zone;
+		  if ( $dest eq '-' ) {
+		      $dest = $inaction ? '' : join( '', $z, '::' , $ports =~ /[:,]/ ? '' : $ports );
+		  } elsif ( $inaction ) {
+		      $dest = ":$dest";
+		  } else {
+		      $dest = join( '', $z, '::', $dest ) unless $dest =~ /^[^\d].*:/;
+		  }
+	      } ,

-			  REDIRECT => sub () {
-			      my $z = $actiontype & NATONLY ? '' : firewall_zone;
-			      if ( $dest eq '-' ) {
-				  $dest = $inaction ? '' : join( '', $z, '::' , $ports =~ /[:,]/ ? '' : $ports );
-			      } elsif ( $inaction ) {
-				  $dest = ":$dest";
-			      } else {
-				  $dest = join( '', $z, '::', $dest ) unless $dest =~ /^[^\d].*:/;
-			      }
-			  } ,
+	      REJECT => sub { $action = 'reject'; } ,

-			  REJECT => sub { $action = 'reject'; } ,
+	      CONTINUE => sub { $action = 'RETURN'; } ,

-			  CONTINUE => sub { $action = 'RETURN'; } ,
+	      WHITELIST => sub {
+		  fatal_error "'WHITELIST' may only be used in the blrules file" unless $blacklist;
+		  $action = 'RETURN';
+	      } ,

-			  WHITELIST => sub {
-			      fatal_error "'WHITELIST' may only be used in the blrules file" unless $blacklist;
-			      $action = 'RETURN';
-			  } ,
+	      COUNT => sub { $action = ''; } ,

-			  COUNT => sub { $action = ''; } ,
-
-			  LOG => sub { fatal_error 'LOG requires a log level' unless supplied $loglevel; } ,
-		     );
+	      LOG => sub { fatal_error 'LOG requires a log level' unless supplied $loglevel; } ,
+	    );

 	my $function = $functions{ $bt };

@@ -1920,7 +1922,7 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$ $) {
    #
    # Take care of chain
    #
-    my ( $chain, $policy );
+    my $chain;

    if ( $inaction ) {
        #
@@ -1943,8 +1945,8 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$ $) {
 	    #
 	    # Ensure that the chain exists but don't mark it as referenced until after optimization is checked
 	    #
-	    $chainref = ensure_chain 'filter', $chain;
-	    $policy   = $chainref->{policy};
+	    $chainref  = ensure_chain 'filter', $chain;
+	    my $policy = $chainref->{policy};

 	    if ( $policy eq 'NONE' ) {
 		return 0 if $wildcard;
@@ -1956,7 +1958,7 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$ $) {
 	    if ( $optimize == 1 && $section eq 'NEW' ) {
 		my $loglevel = $filter_table->{$chainref->{policychain}}{loglevel};
 		if ( $loglevel ne '' ) {
-		    return 0 if $target eq "${policy}:$loglevel}";
+		    return 0 if $target eq "${policy}:${loglevel}";
 		} else {
 		    return 0 if $basictarget eq $policy;
 		}
@@ -2019,8 +2021,8 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$ $) {
 	if ( $config{FASTACCEPT} ) {
 	    fatal_error "Entries in the $section SECTION of the rules file not permitted with FASTACCEPT=Yes" unless
 		$section eq 'BLACKLIST' ||
-		( $section eq 'RELATED' && ( $config{RELATED_DISPOSITION} ne 'ACCEPT' || $config{RELATED_LOG_LEVEL} ) )
-	}
+		    ( $section eq 'RELATED' && ( $config{RELATED_DISPOSITION} ne 'ACCEPT' || $config{RELATED_LOG_LEVEL} ) )
+		}

 	fatal_error "$basictarget rules are not allowed in the $section SECTION" if $actiontype & ( NATRULE | NONAT );
 	$rule .= "$globals{STATEMATCH} $section " unless $section eq 'ALL' || $blacklist;
@@ -2030,132 +2032,29 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$ $) {
    # Generate NAT rule(s), if any
    #
    if ( $actiontype & NATRULE ) {
-	my ( $server, $serverport );
-	my $randomize = $dest =~ s/:random$// ? ' --random' : '';
-
 	require_capability( 'NAT_ENABLED' , "$basictarget rules", '' );
 	#
-	# Isolate server port
+	# Add the appropriate rule to the nat table
 	#
-	if ( $dest =~ /^(.*)(:(.+))$/ ) {
-	    #
-	    # Server IP and Port
-	    #
-	    $server = $1;      # May be empty
-	    $serverport = $3;  # Not Empty due to RE
-	    $origdstports = $ports;
-
-	    if ( $origdstports && $origdstports ne '-' && port_count( $origdstports ) == 1 ) {
-		$origdstports = validate_port( $proto, $origdstports );
-	    } else {
-		$origdstports = '';
-	    }
-
-	    if ( $serverport =~ /^(\d+)-(\d+)$/ ) {
-		#
-		# Server Port Range
-		#
-		fatal_error "Invalid port range ($serverport)" unless $1 < $2;
-		my @ports = ( $1, $2 );
-		$_ = validate_port( proto_name( $proto ), $_) for ( @ports );
-		( $ports = $serverport ) =~ tr/-/:/;
-	    } else {
-		$serverport = $ports = validate_port( proto_name( $proto ), $serverport );
-	    }
-	} elsif ( $dest eq ':' ) {
-	    #
-	    # Rule with no server IP or port ( zone:: )
-	    #
-	    $server = $serverport = '';
-	} else {
-	    #
-	    # Simple server IP address (may be empty or "-")
-	    #
-	    $server = $dest;
-	    $serverport = '';
-	}
-
-	#
-	# Generate the target
-	#
-	my $target = '';
-
-	if ( $actiontype  & REDIRECT ) {
-	    fatal_error "A server IP address ($server) may not be specified in a REDIRECT rule" if $server;
-	    $target  = 'REDIRECT';
-	    $target .= " --to-port $serverport" if $serverport;
-	    if ( $origdest eq '' || $origdest eq '-' ) {
-		$origdest = ALLIP;
-	    } elsif ( $origdest eq 'detect' ) {
-		fatal_error 'ORIGINAL DEST "detect" is invalid in an action' if $inaction;
-
-		if ( $config{DETECT_DNAT_IPADDRS} && $sourcezone ne firewall_zone ) {
-		    my $interfacesref = $sourceref->{interfaces};
-		    my @interfaces = keys %$interfacesref;
-		    $origdest = @interfaces ? "detect:@interfaces" : ALLIP;
- 		} else {
-		    $origdest = ALLIP;
-		}
-	    }
-	} elsif ( $actiontype & ACTION ) {
-	    fatal_error "A server port ($serverport) is not allowed in $action rule" if $serverport;
-	    $target = $usedactions{$normalized_target}->{name};
-	    $loglevel = '';
-	} else {
-	    if ( $server eq '' ) {
-		fatal_error "A server and/or port must be specified in the DEST column in $action rules" unless $serverport;
-	    } elsif ( $server =~ /^(.+)-(.+)$/ ) {
-		validate_range( $1, $2 );
-	    } else {
-		unless ( $server eq ALLIP ) {
-		    my @servers = validate_address $server, 1;
-		    $server = join ',', @servers;
-		}
-	    }
-
-	    if ( $action eq 'DNAT' ) {
-		$target = 'DNAT';
-		if ( $server ) {
-		    $serverport = ":$serverport" if $serverport;
-		    for my $serv ( split /,/, $server ) {
-			$target .= " --to-destination ${serv}${serverport}";
-		    }
-		} else {
-		    $target .= " --to-destination :$serverport";
-		}
-	    }
-
-	    unless ( $origdest && $origdest ne '-' && $origdest ne 'detect' ) {
-		if ( ! $inaction && $config{DETECT_DNAT_IPADDRS} && $sourcezone ne firewall_zone ) {
-		    my $interfacesref = $sourceref->{interfaces};
-		    my @interfaces = keys %$interfacesref;
-		    $origdest = @interfaces ? "detect:@interfaces" : ALLIP;
-		} else {
-		    $origdest = ALLIP;
-		}
-	    }
-	}
-
-	$target .= $randomize;
-
-	#
-	# And generate the nat table rule(s)
-	#
-	expand_rule ( ensure_chain ('nat' , $inaction ? $chain : $sourceref->{type} == FIREWALL ? 'OUTPUT' : dnat_chain $sourcezone ),
-		      PREROUTE_RESTRICT ,
-		      $rule ,
-		      $source ,
-		      $origdest ,
-		      '' ,
-		      $target ,
-		      $loglevel ,
-		      $log_action ,
-		      $serverport ? do_proto( $proto, '', '' ) : '',
-		    );
+	( $ports,
+	  $origdstports,
+	  $dest ) = handle_nat_rule( $dest,
+				     $proto,
+				     $ports,
+				     $origdest,
+				     ( $actiontype & ACTION ) ? $usedactions{$normalized_target}->{name} : '',
+				     $action,
+				     $sourceref,
+				     $inaction ? $chain : '',
+				     $rule,
+				     $source,
+				     ( $actiontype & ACTION ) ? '' : $loglevel,
+				     $log_action
+				   );		 
 	#
 	# After NAT:
 	#   - the destination port will be the server port ($ports) -- we did that above
-	#   - the destination IP   will be the server IP   ($dest)
+	#   - the destination IP will be the server IP   ($dest)  -- also done above
 	#   - there will be no log level (we log NAT rules in the nat table rather than in the filter table).
 	#   - the target will be ACCEPT.
 	#
@@ -2168,89 +2067,24 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$ $) {
 			  do_condition( $condition )
 			);
 	    $loglevel = '';
-	    $dest     = $server;
 	    $action   = 'ACCEPT';
 	    $origdest = ALLIP if  $origdest =~ /[+]/;
 	}
    } elsif ( $actiontype & NONAT ) {
 	#
-	# NONAT or ACCEPT+ -- May not specify a destination interface
+	# NONAT or ACCEPT+
 	#
-	fatal_error "Invalid DEST ($dest) in $action rule" if $dest =~ /:/;
-
-	$origdest = '' unless $origdest and $origdest ne '-';
-
-	if ( $origdest eq 'detect' ) {
-	    my $interfacesref = $sourceref->{interfaces};
-	    my $interfaces = [ ( keys %$interfacesref ) ];
-	    $origdest = $interfaces ? "detect:@$interfaces" : ALLIP;
-	}
-
-	my $tgt = 'RETURN';
-
-	my $nonat_chain;
-
-	my $chn;
-
-	if ( $inaction ) {
-	    $nonat_chain = ensure_chain( 'nat', $chain );
-	} elsif ( $sourceref->{type} == FIREWALL ) {
-	    $nonat_chain = $nat_table->{OUTPUT};
-	} else {
-	    $nonat_chain = ensure_chain( 'nat', dnat_chain( $sourcezone ) );
-
-	    my @interfaces = keys %{zone_interfaces $sourcezone};
-
-	    for ( @interfaces ) {
-		my $ichain = input_chain $_;
-
-		if ( $nat_table->{$ichain} ) {
-		    #
-		    # Static NAT is defined on this interface
-		    #
-		    $chn = new_chain( 'nat', newnonatchain ) unless $chn;
-		    add_ijump $chn, j => $nat_table->{$ichain}, @interfaces > 1 ? imatch_source_dev( $_ )  : ();
-		}
-	    }
-
-	    if ( $chn ) {
-		#
-		# Call expand_rule() to correctly handle logging. Because
-		# the 'logname' argument is passed, expand_rule() will
-		# not create a separate logging chain but will rather emit
-		# any logging rule in-line.
-		#
-		expand_rule( $chn,
-			     PREROUTE_RESTRICT,
-			     '', # Rule
-			     '', # Source
-			     '', # Dest
-			     '', # Original dest
-			     'ACCEPT',
-			     $loglevel,
-			     $log_action,
-			     '',
-			     dnat_chain( $sourcezone  ) );
-		$loglevel = '';
-		$tgt = $chn->{name};
-	    } else {
-		$tgt = 'ACCEPT';
-	    }
-	}
-
-	set_optflags( $nonat_chain, DONT_MOVE | DONT_OPTIMIZE ) if $tgt eq 'RETURN';
-
-	expand_rule( $nonat_chain ,
-		     PREROUTE_RESTRICT ,
-		     $rule ,
-		     $source ,
-		     $dest ,
-		     $origdest ,
-		     $tgt,
-		     $loglevel ,
-		     $log_action ,
-		     '',
-		   );
+	handle_nonat_rule( $action,
+			   $source,
+			   $dest,
+			   $origdest,
+			   $sourceref,
+			   $inaction,
+			   $chain,
+			   $loglevel,
+			   $log_action,
+			   $rule
+			 );
    }

    #
--- a/Shorewall/Perl/Shorewall/Tc.pm
+++ b/Shorewall/Perl/Shorewall/Tc.pm
@@ -853,6 +853,8 @@ sub process_simple_device() {
    progress_message "  Simple tcdevice \"$currentline\" $done.";
 }

+my %validlinklayer = ( ethernet => 1, atm => 1, adsl => 1 );
+
 sub validate_tc_device( ) {
    my ( $device, $inband, $outband , $options , $redirected ) = split_line 'tcdevices', { interface => 0, in_bandwidth => 1, out_bandwidth => 2, options => 3, redirect => 4 };

@@ -887,7 +889,8 @@ sub validate_tc_device( ) {
    fatal_error "Duplicate INTERFACE ($device)"    if $tcdevices{$device};
    fatal_error "Invalid INTERFACE name ($device)" if $device =~ /[:+]/;

-    my ( $classify, $pfifo, $flow, $qdisc )  = (0, 0, '', 'htb' );
+    my ( $classify, $pfifo, $flow, $qdisc, $linklayer, $overhead, $mtu, $mpu, $tsize ) = 
+	(0,         0,      '',    'htb',  '',         0,         0,    0,    0);

    if ( $options ne '-' ) {
 	for my $option ( split_list1 $options, 'option' ) {
@@ -903,6 +906,25 @@ sub validate_tc_device( ) {
 		$qdisc = 'hfsc';
 	    } elsif ( $option eq 'htb' ) {
 		$qdisc = 'htb';
+	    } elsif ( $option =~ /^linklayer=([a-z]+)$/ ) {
+		$linklayer = $1;
+		fatal_error "Invalid linklayer ($linklayer)" unless $validlinklayer{ $linklayer };
+	    } elsif ( $option =~ /^overhead=(.+)$/ ) {
+		$overhead = numeric_value( $1 );
+		fatal_error "Invalid overhead ($1)" unless defined $overhead;
+		fatal_error q('overhead' requires 'linklayer') unless $linklayer; 
+	    } elsif ( $option =~ /^mtu=(.+)$/ ) {
+		$mtu = numeric_value( $1 );
+		fatal_error "Invalid mtu ($1)" unless defined $mtu;
+		fatal_error q('mtu' requires 'linklayer') unless $linklayer; 
+	    } elsif ( $option =~ /^mpu=(.+)$/ ) {
+		$mpu = numeric_value( $1 );
+		fatal_error "Invalid mpu ($1)" unless defined $mpu;
+		fatal_error q('mpu' requires 'linklayer') unless $linklayer;
+	    } elsif ( $option =~ /^tsize=(.+)$/ ) {
+		$tsize = numeric_value( $1 );
+		fatal_error "Invalid tsize ($1)" unless defined $tsize;
+		fatal_error q('tsize' requires 'linklayer') unless $linklayer; 
 	    } else {
 		fatal_error "Unknown device option ($option)";
 	    }
@@ -941,7 +963,12 @@ sub validate_tc_device( ) {
 			    guarantee     => 0,
 			    name          => $device,
 			    physical      => physical_name $device,
-			    filters       => []
+			    filters       => [],
+			    linklayer     => $linklayer,
+			    overhead      => $overhead,
+			    mtu           => $mtu,
+			    mpu           => $mpu,
+			    tsize         => $tsize,
 			  } ,

    push @tcdevices, $device;
@@ -975,7 +1002,7 @@ sub convert_delay( $ ) {
    my $delay = shift;

    return 0 unless $delay;
-    return $1 if $delay =~ /^(\d+)(ms)?$/;
+    return $1 if $delay =~ /^(\d+(\.\d+)?)(ms)?$/;
    fatal_error "Invalid Delay ($delay)";
 }

@@ -1004,6 +1031,18 @@ sub dev_by_number( $ ) {
    ( $dev , $devref );
 }

+use constant { RED_INTEGER => 1, RED_FLOAT => 2, RED_NONE => 3 };
+
+my %validredoptions = ( min         => RED_INTEGER,
+			max         => RED_INTEGER,
+			limit       => RED_INTEGER,
+			burst       => RED_INTEGER,
+			avpkt       => RED_INTEGER,
+			bandwidth   => RED_INTEGER,
+			probability => RED_FLOAT,
+			ecn         => RED_NONE,
+		      );
+
 sub validate_tc_class( ) {
    my ( $devclass, $mark, $rate, $ceil, $prio, $options ) =
 	split_line 'tcclasses file', { interface => 0, mark => 1, rate => 2, ceil => 3, prio => 4, options => 5 };
@@ -1013,6 +1052,7 @@ sub validate_tc_class( ) {
    my $occurs = 1;
    my $parentclass = 1;
    my $parentref;
+    my $lsceil = 0;

    fatal_error 'INTERFACE must be specified' if $devclass eq '-';
    fatal_error 'CEIL must be specified'      if $ceil eq '-';
@@ -1059,22 +1099,18 @@ sub validate_tc_class( ) {
    my $markval = 0;

    if ( $mark ne '-' ) {
-	if ( $devref->{classify} ) {
-	    warning_message "INTERFACE $device has the 'classify' option - MARK value ($mark) ignored";
+	fatal_error "MARK may not be specified when TC_BITS=0" unless $config{TC_BITS};
+
+	$markval = numeric_value( $mark );
+	fatal_error "Invalid MARK ($markval)" unless defined $markval;
+
+	fatal_error "Invalid Mark ($mark)" unless $markval <= $globals{TC_MAX};
+
+	if ( $classnumber ) {
+	    fatal_error "Duplicate Class NUMBER ($classnumber)" if $tcref->{$classnumber};
 	} else {
-	    fatal_error "MARK may not be specified when TC_BITS=0" unless $config{TC_BITS};
-
-	    $markval = numeric_value( $mark );
-	    fatal_error "Invalid MARK ($markval)" unless defined $markval;
-
-	    fatal_error "Invalid Mark ($mark)" unless $markval <= $globals{TC_MAX};
-
-	    if ( $classnumber ) {
-		fatal_error "Duplicate Class NUMBER ($classnumber)" if $tcref->{$classnumber};
-	    } else {
-		$classnumber = $config{TC_BITS} >= 14 ? $devref->{nextclass}++ : hex_value( $devnum . $markval );
-		fatal_error "Duplicate MARK ($mark)" if $tcref->{$classnumber};
-	    }
+	    $classnumber = $config{TC_BITS} >= 14 ? $devref->{nextclass}++ : hex_value( $devnum . $markval );
+	    fatal_error "Duplicate MARK ($mark)" if $tcref->{$classnumber};
 	}
    } else {
 	fatal_error "Duplicate Class NUMBER ($classnumber)" if $tcref->{$classnumber};
@@ -1089,7 +1125,9 @@ sub validate_tc_class( ) {
 	my $parentnum = in_hexp $parentclass;
 	fatal_error "Unknown Parent class ($parentnum)" unless $parentref && $parentref->{occurs} == 1;
 	fatal_error "The class ($parentnum) specifies UMAX and/or DMAX; it cannot serve as a parent" if $parentref->{dmax};
-	fatal_error "The class ($parentnum) specifies flow; it cannot serve as a parent"             if $parentref->{flow};
+	fatal_error "The class ($parentnum) specifies 'flow'; it cannot serve as a parent"           if $parentref->{flow};
+	fatal_error "The class ($parentnum) specifies 'red'; it cannot serve as a parent "           if $parentref->{red};
+	fatal_error "The class ($parentnum) has an 'ls' curve; it cannot serve as a parent "         if $parentref->{lsceil};
 	fatal_error "The default class ($parentnum) may not have sub-classes"                        if ( $devref->{default} || 0 ) == $parentclass;
 	$parentref->{leaf} = 0;
 	$ratemax  = $parentref->{rate};
@@ -1100,16 +1138,27 @@ sub validate_tc_class( ) {

    my ( $umax, $dmax ) = ( '', '' );

+    if ( $ceil =~ /^(.+):(.+)/ ) {
+	fatal_error "An LS rate may only be specified for HFSC classes" unless $devref->{qdisc} eq 'hfsc';
+	$lsceil = $1;
+	$ceil   = $2;
+    }
+
    if ( $devref->{qdisc} eq 'hfsc' ) {
-	( my $trate , $dmax, $umax , my $rest ) = split ':', $rate , 4;
+	if ( $rate eq '-' ) {
+	    fatal_error 'A RATE must be supplied' unless $lsceil;
+	    $rate = 0;
+	} else {
+	    ( my $trate , $dmax, $umax , my $rest ) = split ':', $rate , 4;

-	fatal_error "Invalid RATE ($rate)" if defined $rest;
+	    fatal_error "Invalid RATE ($rate)" if defined $rest;

-	$rate = convert_rate ( $ratemax, $trate, 'RATE', $ratename );
-	$dmax = convert_delay( $dmax );
-	$umax = convert_size( $umax );
-	fatal_error "DMAX must be specified when UMAX is specified" if $umax && ! $dmax;
-	$parentclass ||= 1;
+	    $rate = convert_rate ( $ratemax, $trate, 'RATE', $ratename );
+	    $dmax = convert_delay( $dmax );
+	    $umax = convert_size( $umax );
+	    fatal_error "DMAX must be specified when UMAX is specified" if $umax && ! $dmax;
+	    $parentclass ||= 1;
+	}
    } else {
 	$rate = convert_rate ( $ratemax, $rate, 'RATE' , $ratename );
    }
@@ -1126,7 +1175,8 @@ sub validate_tc_class( ) {
 			       rate      => $rate ,
 			       umax      => $umax ,
 			       dmax      => $dmax ,
-			       ceiling   => convert_rate( $ceilmax, $ceil, 'CEIL' , $ceilname ) ,
+			       ceiling   => $ceil   = ( supplied $ceil   ? convert_rate( $ceilmax, $ceil,   'CEIL'  , $ceilname ) : 0 ),
+			       lsceil    => $lsceil = ( $lsceil          ? convert_rate( $ceilmax, $lsceil, 'LSCEIL', $ceilname ) : 0 ),
 			       priority  => $prio eq '-' ? 1 : $prio ,
 			       mark      => $markval ,
 			       flow      => '' ,
@@ -1140,7 +1190,9 @@ sub validate_tc_class( ) {

    $tcref = $tcref->{$classnumber};

-    fatal_error "RATE ($tcref->{rate}) exceeds CEIL ($tcref->{ceiling})" if $tcref->{rate} > $tcref->{ceiling};
+    fatal_error "RATE ($rate) exceeds CEIL ($ceil)" if $rate && $ceil && $rate > $ceil;
+
+    my ( $red, %redopts ) = ( 0, ( avpkt => 1000 ) );

    unless ( $options eq '-' ) {
 	for my $option ( split_list1 "\L$options", 'option' ) {
@@ -1165,9 +1217,11 @@ sub validate_tc_class( ) {
 		push @{$tcref->{tos}}, $option;
 	    } elsif ( $option =~ /^flow=(.*)$/ ) {
 		fatal_error "The 'flow' option is not allowed with 'pfifo'" if $tcref->{pfifo};
+		fatal_error "The 'flow' option is not allowed with 'red'"   if $tcref->{red};
 		$tcref->{flow} = process_flow $1;
 	    } elsif ( $option eq 'pfifo' ) {
-		fatal_error "The 'pfifo'' option is not allowed with 'flow='" if $tcref->{flow};
+		fatal_error "The 'pfifo' option is not allowed with 'flow='" if $tcref->{flow};
+		fatal_error "The 'pfifo' option is not allowed with 'red='"  if $tcref->{red};
 		$tcref->{pfifo} = 1;
 	    } elsif ( $option =~ /^occurs=(\d+)$/ ) {
 		my $val = $1;
@@ -1188,6 +1242,57 @@ sub validate_tc_class( ) {
 		warning_message "limit ignored with pfifo queuing" if $tcref->{pfifo};
 		fatal_error "Invalid limit ($1)" if $1 < 3 || $1 > 128;
 		$tcref->{limit} = $1;
+	    } elsif ( $option =~ s/^red=// ) {
+		fatal_error "The 'red=' option is not allowed with 'flow='" if $tcref->{flow};
+		fatal_error "The 'red=' option is not allowed with 'pfifo'" if $tcref->{pfifo};
+		$tcref->{red} = 1;
+		my $opttype;
+
+		for my $redopt ( split_list( $option , q('red' option list) ) ) {
+		    #
+		    #                            $2  ----------------------
+		    #              $1  ------       | $3 -------           |
+		    #                 |      |      |   |       |          |
+		    if ( $redopt =~ /^([a-z]+) (?:= (   ([01]?\.)?(\d{1,8})) )?$/x ) {
+			fatal_error "Invalid RED option ($1)" unless $opttype = $validredoptions{$1};
+			if ( $2 ) {
+			    #
+			    # '=<value>' supplied
+			    #
+			    fatal_error "The $1 option does not take a value" if $opttype == RED_NONE;
+			    if ( $3 ) {
+				#
+				# fractional value
+				#
+				fatal_error "The $1 option requires an integer value"  if $opttype == RED_INTEGER;
+				fatal_error "The value of $1 must be <= 1" if $2 > 1;
+			    } else {
+				#
+				# Integer value
+				#
+				fatal_error "The $1 option requires a value 0 <= value <= 1" if $opttype == RED_FLOAT;
+			    }
+			} else {
+			    #
+			    # No value supplied
+			    #
+			    fatal_error "The $1 option requires a value" unless $opttype == RED_NONE;
+			}
+
+			$redopts{$1} = $2;
+		    } else {
+			fatal_error "Invalid RED option specification ($redopt)";
+		    }
+		}
+
+		for ( qw/ limit min max avpkt burst probability / ) {
+		    fatal_error "The $_ 'red' option is required" unless $redopts{$_};
+		}
+
+		fatal_error "The 'max' red option must be at least 2 * 'min'"   unless $redopts{max}   >= 2 * $redopts{min};
+		fatal_error "The 'limit' red option must be at least 2 * 'max'" unless $redopts{limit} >= 2 * $redopts{min};
+		$redopts{ecn} = 1 if exists $redopts{ecn};
+		$tcref->{redopts} = \%redopts;
 	    } else {
 		fatal_error "Unknown option ($option)";
 	    }
@@ -1219,6 +1324,8 @@ sub validate_tc_class( ) {
 					       occurs   => 0,
 					       parent   => $parentclass,
 					       limit    => $tcref->{limit},
+					       red      => $tcref->{red},
+					       redopts  => $tcref->{redopts},
 					     };
 	push @tcclasses, "$device:$classnumber";
    };
@@ -1550,7 +1657,6 @@ sub process_tc_priority() {
 					   $interface eq '-' &&
 					   $helper    eq '-' );

-
    my $val = numeric_value $band;

    fatal_error "Invalid PRIORITY ($band)" unless $val && $val <= 3;
@@ -1642,7 +1748,7 @@ sub process_tcpri() {
 			);

 	    add_ijump( $mangle_table->{tcpost} ,
-		       j    => 'CONNMARK --save-mark --ctmask '    . in_hex( $globals{TC_MASK} ),
+		       j    => 'CONNMARK --save-mark --mask '    . in_hex( $globals{TC_MASK} ),
 		       mark => '! --mark 0/' . in_hex( $globals{TC_MASK} )
 		     );
 	}
@@ -1711,11 +1817,22 @@ sub process_traffic_shaping() {
 		   "${dev}_mtu1=\$(get_device_mtu1 $device)"
 		 );

+	    my $stab;
+
+	    if ( $devref->{linklayer} ) {
+		$stab =  "stab linklayer $devref->{linklayer} overhead $devref->{overhead} ";
+		$stab .= "mtu $devref->{mtu} "     if $devref->{mtu};
+		$stab .= "mpu $devref->{mpu} "     if $devref->{mpu};
+		$stab .= "tsize $devref->{tsize} " if $devref->{tsize};
+	    } else {
+		$stab = '';
+	    }
+
 	    if ( $devref->{qdisc} eq 'htb' ) {
-		emit ( "run_tc qdisc add dev $device root handle $devnum: htb default $defmark r2q $r2q" ,
+		emit ( "run_tc qdisc add dev $device ${stab}root handle $devnum: htb default $defmark r2q $r2q" ,
 		       "run_tc class add dev $device parent $devnum: classid $devnum:1 htb rate $devref->{out_bandwidth} \$${dev}_mtu1" );
 	    } else {
-		emit ( "run_tc qdisc add dev $device root handle $devnum: hfsc default $defmark" ,
+		emit ( "run_tc qdisc add dev $device ${stab}root handle $devnum: hfsc default $defmark" ,
 		       "run_tc class add dev $device parent $devnum: classid $devnum:1 hfsc sc rate $devref->{out_bandwidth} ul rate $devref->{out_bandwidth}" );
 	    }

@@ -1739,8 +1856,9 @@ sub process_traffic_shaping() {
 	    handle_in_bandwidth( $device, $devref->{in_bandwidth} );

 	    for my $rdev ( @{$devref->{redirected}} ) {
-		emit ( "run_tc qdisc add dev $rdev handle ffff: ingress" );
-		emit( "run_tc filter add dev $rdev parent ffff: protocol all u32 match u32 0 0 action mirred egress redirect dev $device > /dev/null" );
+		my $phyrdev = get_physical( $rdev );
+		emit ( "run_tc qdisc add dev $phyrdev handle ffff: ingress" );
+		emit( "run_tc filter add dev $phyrdev parent ffff: protocol all u32 match u32 0 0 action mirred egress redirect dev $device > /dev/null" );
 	    }

 	    for my $class ( @tcclasses ) {
@@ -1761,10 +1879,12 @@ sub process_traffic_shaping() {
 		my $mark     = $tcref->{mark};
 		my $devicenumber  = in_hexp $devref->{number};
 		my $classid  = join( ':', $devicenumber, $classnum);
-		my $rate     = "$tcref->{rate}kbit";
+		my $rawrate  = $tcref->{rate};
+		my $rate     = "${rawrate}kbit";
+		my $lsceil   = $tcref->{lsceil};
 		my $quantum  = calculate_quantum $rate, calculate_r2q( $devref->{out_bandwidth} );

-		$classids{$classid}=$device;
+		$classids{$classid}=$devname;

 		my $priority = $tcref->{priority} << 8;
 		my $parent   = in_hexp $tcref->{parent};
@@ -1775,23 +1895,50 @@ sub process_traffic_shaping() {
 		    emit ( "run_tc class add dev $device parent $devicenumber:$parent classid $classid htb rate $rate ceil $tcref->{ceiling}kbit prio $tcref->{priority} \$${dev}_mtu1 quantum \$quantum" );
 		} else {
 		    my $dmax = $tcref->{dmax};
+		    my $rule = "run_tc class add dev $device parent $devicenumber:$parent classid $classid hfsc";

 		    if ( $dmax ) {
 			my $umax = $tcref->{umax} ? "$tcref->{umax}b" : "\${${dev}_mtu}b";
-			emit ( "run_tc class add dev $device parent $devicenumber:$parent classid $classid hfsc sc umax $umax dmax ${dmax}ms rate $rate ul rate $tcref->{ceiling}kbit" );
+			$rule .= " sc umax $umax dmax ${dmax}ms";
+			$rule .= " rate $rate" if $rawrate;
 		    } else {
-			emit ( "run_tc class add dev $device parent $devicenumber:$parent classid $classid hfsc sc rate $rate ul rate $tcref->{ceiling}kbit" );
+			$rule .= " sc rate $rate" if $rawrate;
 		    }
+
+		    $rule .= " ls rate ${lsceil}kbit" if $lsceil;
+		    $rule .= " ul rate $tcref->{ceiling}kbit" if $tcref->{ceiling};
+
+		    emit $rule;
 		}

-		if ( $tcref->{leaf} && ! $tcref->{pfifo} ) {
-		    1 while $devnums[++$sfq];
+		if ( $tcref->{leaf} ) {
+		    if ( $tcref->{red} ) {
+			1 while $devnums[++$sfq];
+			$sfqinhex = in_hexp( $sfq);

-		    $sfqinhex = in_hexp( $sfq);
-		    if ( $devref->{qdisc} eq 'htb' ) {
-			emit( "run_tc qdisc add dev $device parent $classid handle $sfqinhex: sfq quantum \$quantum limit $tcref->{limit} perturb 10" );
-		    } else {
-			emit( "run_tc qdisc add dev $device parent $classid handle $sfqinhex: sfq limit $tcref->{limit} perturb 10" );
+			my ( $options, $redopts ) = ( '', $tcref->{redopts} );
+
+			while ( my ( $option, $type ) = each %validredoptions ) {
+			    if ( my $value = $redopts->{$option} ) {
+				if ( $type == RED_NONE ) {
+				    $options = join( ' ', $options, $option ) if $value;
+				} else {
+				    $options = join( ' ', $options, $option, $value );
+				}
+			    }
+			}
+
+			emit( "run_tc qdisc add dev $device parent $classid handle $sfqinhex: red${options}" );
+
+		    } elsif ( $tcref->{leaf} && ! $tcref->{pfifo} ) {
+			1 while $devnums[++$sfq];
+
+			$sfqinhex = in_hexp( $sfq);
+			if ( $devref->{qdisc} eq 'htb' ) {
+			    emit( "run_tc qdisc add dev $device parent $classid handle $sfqinhex: sfq quantum \$quantum limit $tcref->{limit} perturb 10" );
+			} else {
+			    emit( "run_tc qdisc add dev $device parent $classid handle $sfqinhex: sfq limit $tcref->{limit} perturb 10" );
+			}
 		    }
 		}
 		#
@@ -1855,14 +2002,14 @@ sub process_traffic_shaping() {
 		my $devicenumber  = in_hexp $devref->{number};
 		my $classid  = join( ':', $devicenumber, $classnum);

-		$classids{$classid}=$device;
+		$classids{$classid}=$devname;
 	    }
 	}
    }
 }

 #
-# Validate the TC configuration storing basic information in %tcdevices and %tcdevices
+# Validate the TC configuration storing basic information in %tcdevices and %tcclasses (complex TC only)
 #
 sub process_tc() {
    if ( $config{TC_ENABLED} eq 'Internal' || $config{TC_ENABLED} eq 'Shared' ) {
@@ -2010,10 +2157,10 @@ sub setup_tc() {
 	append_file $globals{TC_SCRIPT};
    } else {
 	process_tcpri if $config{TC_ENABLED} eq 'Simple';
-	setup_traffic_shaping unless $config{TC_ENABLED} eq 'Shared';
+	setup_traffic_shaping if @tcdevices && $config{TC_ENABLED} ne 'Shared';
    }

-    if ( $config{TC_ENABLED} ) {
+    if ( $config{MANGLE_ENABLED} ) {
 	our  @tccmd = ( { match     => sub ( $ ) { $_[0] eq 'SAVE' } ,
 			  target    => 'CONNMARK --save-mark --mask' ,
 			  mark      => $config{TC_EXPERT} ? HIGHMARK : SMALLMARK,
@@ -2107,9 +2254,7 @@ sub setup_tc() {
 	    clear_comment;

 	}
-    }

-    if ( $config{MANGLE_ENABLED} ) {
 	if ( my $fn = open_file 'secmarks' ) {

 	    first_entry "$doing $fn...";
--- a/Shorewall/Perl/Shorewall/Zones.pm
+++ b/Shorewall/Perl/Shorewall/Zones.pm
@@ -41,6 +41,8 @@ our @EXPORT = qw( NOTHING
 		  IP
 		  BPORT
 		  IPSEC
+		  NO_UPDOWN
+		  NO_SFILTER

 		  determine_zones
 		  zone_report
@@ -62,6 +64,7 @@ our @EXPORT = qw( NOTHING
 		  validate_interfaces_file
 		  all_interfaces
 		  all_real_interfaces
+		  all_plain_interfaces
 		  all_bridges
 		  interface_number
 		  find_interface
@@ -72,6 +75,7 @@ our @EXPORT = qw( NOTHING
 		  port_to_bridge
 		  source_port_to_bridge
 		  interface_is_optional
+		  interface_is_required
 		  find_interfaces_by_option
 		  find_interfaces_by_option1
 		  get_interface_option
@@ -80,7 +84,6 @@ our @EXPORT = qw( NOTHING
 		  set_interface_provider
 		  interface_zones
 		  verify_required_interfaces
-		  compile_updown
 		  validate_hosts_file
 		  find_hosts_by_option
 		  find_zone_hosts_by_option
@@ -173,6 +176,7 @@ my  %reservedName = ( all => 1,
 #                                     number      => <ordinal position in the interfaces file>
 #                                     physical    => <physical interface name>
 #                                     base        => <shell variable base representing this interface>
+#                                     provider    => <Provider Name, if interface is associated with a provider>
 #                                     zones       => { zone1 => 1, ... }
 #                                   }
 #                 }
@@ -219,11 +223,14 @@ use constant { SIMPLE_IF_OPTION   => 1,
 	       IF_OPTION_WILDOK   => 64
 	   };

+use constant { NO_UPDOWN   => 1, 
+	       NO_SFILTER  => 2 };
+
 my %validinterfaceoptions;

 my %defaultinterfaceoptions = ( routefilter => 1 , wait => 60 );

-my %maxoptionvalue = ( routefilter => 2, mss => 100000 , wait => 120 );
+my %maxoptionvalue = ( routefilter => 2, mss => 100000 , wait => 120 , ignore => NO_UPDOWN );

 my %validhostoptions;

@@ -281,6 +288,7 @@ sub initialize( $$ ) {
 				  bridge      => SIMPLE_IF_OPTION,
 				  detectnets  => OBSOLETE_IF_OPTION,
 				  dhcp        => SIMPLE_IF_OPTION,
+				  ignore      => NUMERIC_IF_OPTION + IF_OPTION_WILDOK,
 				  maclist     => SIMPLE_IF_OPTION + IF_OPTION_HOST,
 				  logmartians => BINARY_IF_OPTION,
 				  nets        => IPLIST_IF_OPTION + IF_OPTION_ZONEONLY + IF_OPTION_VSERVER,
@@ -316,6 +324,7 @@ sub initialize( $$ ) {
 	%validinterfaceoptions = (  blacklist   => SIMPLE_IF_OPTION + IF_OPTION_HOST,
 				    bridge      => SIMPLE_IF_OPTION,
 				    dhcp        => SIMPLE_IF_OPTION,
+				    ignore      => NUMERIC_IF_OPTION + IF_OPTION_WILDOK,
 				    maclist     => SIMPLE_IF_OPTION + IF_OPTION_HOST,
 				    nets        => IPLIST_IF_OPTION + IF_OPTION_ZONEONLY + IF_OPTION_VSERVER,
 				    nosmurfs    => SIMPLE_IF_OPTION + IF_OPTION_HOST,
@@ -483,7 +492,8 @@ sub process_zone( \$ ) {

    my $complex = 0;

-    my $zoneref = $zones{$zone} = { type       => $type,
+    my $zoneref = $zones{$zone} = { name       => $zone,
+				    type       => $type,
 				    parents    => \@parents,
 				    bridge     => '',
 				    options    => { in_out  => parse_zone_option_list( $options , $type, $complex , IN_OUT ) ,
@@ -565,6 +575,7 @@ sub determine_zones()
 		for ( @{$zones{$zone}{children}} ) {
 		    next ZONE unless $ordered{$_};
 		}
+
 		$ordered{$zone} = 1;
 		push @zones, $zone;
 		redo PUSHED;
@@ -572,7 +583,7 @@ sub determine_zones()
 	}
    }

-    assert( scalar @zones == scalar @z );
+    assert( @zones == @z );

 }

@@ -1029,7 +1040,7 @@ sub process_interface( $$ ) {

    if ( $options eq 'ignore' ) {
 	fatal_error "Ignored interfaces may not be associated with a zone" if $zone;
-	$options{ignore} = 1;
+	$options{ignore} = NO_UPDOWN | NO_SFILTER;
 	$options = '-';
    }

@@ -1149,7 +1160,16 @@ sub process_interface( $$ ) {
 	    }
 	}

-	fatal_error "Invalid combination of interface options" if $options{required} && $options{optional};
+	fatal_error "Invalid combination of interface options"
+	    if ( ( $options{required} && $options{optional} ) ||
+		 ( $options{required} && $options{ignore}   ) ||
+		 ( $options{optional} && $options{ignore}   ) );
+
+	if ( supplied( my $ignore = $options{ignore} ) ) {
+	    fatal_error "Invalid value ignore=0" if ! $ignore;
+	} else {
+	    $options{ignore} = 0;
+	}

 	if ( $netsref eq 'dynamic' ) {
 	    my $ipset = $family == F_IPV4 ? "${zone}_" . chain_base $physical : "6_${zone}_" . chain_base $physical;
@@ -1171,6 +1191,10 @@ sub process_interface( $$ ) {
 	# No options specified -- auto-detect bridge
 	#
 	$hostoptionsref->{routeback} = $options{routeback} = is_a_bridge( $physical ) unless $export;
+	#
+	# And give the 'ignore' option a defined value
+	#
+	$options{ignore} ||= 0;
    }

    $physical{$physical} = $interfaces{$interface} = { name       => $interface ,
@@ -1416,11 +1440,65 @@ sub interface_is_optional($) {
    $optionsref && $optionsref->{optional};
 }

+#
+# Return the 'required' setting of the passed interface
+#
+sub interface_is_required($) {
+    my $optionsref = $interfaces{$_[0]}{options};
+    $optionsref && $optionsref->{required};
+}
+
+#
+# Return true if the interface is 'plain'
+#
+sub interface_is_plain($) {
+    my $interfaceref = $interfaces{$_[0]};
+    my $optionsref   = $interfaceref->{options};
+
+    $interfaceref->{bridge} eq $interfaceref->{name} && ! ( $optionsref && ( $optionsref->{required} || $optionsref->{optional} || $optionsref->{ignore} ) )
+}
+
+#
+# Return a minimal list of physical interfaces that are neither ignored, optional, required nor a bridge port.
+#
+sub all_plain_interfaces() {
+    my @plain1 = map get_physical($_), grep $_ ne '%vserver%' && interface_is_plain( $_ ), @interfaces;
+    my @plain2;
+    my @wild1;
+    my @wild2;
+   
+    for ( @plain1 ) {
+	if ( /\+$/ ) {
+	    return ( '+' ) if $_ eq '+';
+	    push @wild1, $_;
+	    chop;
+	    push @wild2, $_;
+	} else {
+	    push @plain2, $_;
+	}
+    }
+
+    return @plain2 unless @wild1;
+
+    @plain1 = ();
+
+NAME:
+    for my $name ( @plain2) {
+	for ( @wild2 ) {
+	    next NAME if substr( $name, 0, length( $_ ) ) eq $_;
+	}
+
+	push @plain1, $name;
+    }
+
+    ( @plain1, @wild1 );
+}
+
 #
 # Returns reference to array of interfaces with the passed option
 #
-sub find_interfaces_by_option( $ ) {
-    my $option = $_[0];
+sub find_interfaces_by_option( $;$ ) {
+    my ( $option , $nonzero ) = @_;
    my @ints = ();

    for my $interface ( @interfaces ) {
@@ -1429,7 +1507,11 @@ sub find_interfaces_by_option( $ ) {
 	next unless $interfaceref->{root};

 	my $optionsref = $interfaceref->{options};
-	if ( $optionsref && defined $optionsref->{$option} ) {
+	if ( $nonzero ) {
+	    if ( $optionsref && $optionsref->{$option} ) {
+		push @ints , $interface
+	    }
+	} elsif ( $optionsref && defined $optionsref->{$option} ) {
 	    push @ints , $interface
 	}
    }
@@ -1540,16 +1622,16 @@ sub verify_required_interfaces( $ ) {
 		my $physical = get_physical $interface;

 		if ( $physical =~ /\+$/ ) {
-		    my $base = uc chain_base $physical;
-
 		    $physical =~ s/\+$/*/;

-		    emit( 'for interface in $(find_all_interfaces); do',
+		    emit( "waittime=$wait",
+			  '',
+			  'for interface in $(find_all_interfaces); do',
 			  '    case $interface in',
 			  "        $physical)",
-			  "            waittime=$wait",
 			  '            while [ $waittime -gt 0 ]; do',
 			  '                interface_is_usable $interface && break',
+			  '                sleep 1',
 			  '                waittime=$(($waittime - 1))',
 			  '            done',
 			  '            ;;',
@@ -1562,8 +1644,8 @@ sub verify_required_interfaces( $ ) {
 		    emit qq(    waittime=$wait);
 		    emit  '';
 		    emit  q(    while [ $waittime -gt 0 ]; do);
-		    emit qq(        interface_is_usable $physical && break);
 		    emit  q(        sleep 1);
+		    emit qq(        interface_is_usable $physical && break);
 		    emit   '        waittime=$(($waittime - 1))';
 		    emit  q(    done);
 		    emit  q(fi);
@@ -1634,175 +1716,6 @@ sub verify_required_interfaces( $ ) {
    $returnvalue;
 }

-#
-# Emit the updown() function
-#
-sub compile_updown() {
-    emit( '',
-	  '#',
-	  '# Handle the "up" and "down" commands',
-	  '#',
-	  'updown() # $1 = interface',
-	  '{',
-	);
-
-    push_indent;
-
-    emit( 'local state',
-	  'state=cleared',
-	  '' );
-
-    emit 'progress_message3 "$g_product $COMMAND triggered by $1"';
-    emit '';
-
-    if ( $family == F_IPV4 ) {
-	emit 'if shorewall_is_started; then';
-    } else {
-	emit 'if shorewall6_is_started; then';
-    }
-
-    emit( '    state=started',
-	  'elif [ -f ${VARDIR}/state ]; then',
-	  '    case "$(cat ${VARDIR}/state)" in',
-	  '        Stopped*)',
-	  '            state=stopped',
-	  '            ;;',
-	  '        Cleared*)',
-	  '            ;;',
-	  '        *)',
-	  '            state=unknown',
-	  '            ;;',
-	  '    esac',
-	  'else',
-	  '    state=unknown',
-	  'fi',
-	  ''
-	);
-
-    emit( 'case $1 in' );
-
-    push_indent;
-
-    my $ignore   = find_interfaces_by_option 'ignore';
-    my $required = find_interfaces_by_option 'required';
-    my $optional = find_interfaces_by_option 'optional';
-
-    if ( @$ignore ) {
-	my $interfaces = join '|', map $interfaces{$_}->{physical}, @$ignore;
-
-	$interfaces =~ s/\+/*/g;
-
-	emit( "$interfaces)",
-	      '    progress_message3 "$COMMAND on interface $1 ignored"',
-	      '    exit 0',
-	      '    ;;'
-	    );
-    }
-
-    if ( @$required ) {
-	my $interfaces = join '|', map $interfaces{$_}->{physical}, @$required;
-
-	my $wildcard = ( $interfaces =~ s/\+/*/g );
-
-	emit( "$interfaces)",
-	      '    if [ "$COMMAND" = up ]; then' );
-
-	if ( $wildcard ) {
-	    emit( '        if [ "$state" = started ]; then',
-		  '            COMMAND=restart',
-		  '        else',
-		  '            COMMAND=start',
-		  '        fi' );
-	} else {
-	    emit( '        COMMAND=start' );
-	}
-
-	emit( '        progress_message3 "$g_product attempting $COMMAND"',
-	      '        detect_configuration',
-	      '        define_firewall' );
-
-	if ( $wildcard ) {
-	    emit( '    elif [ "$state" = started ]; then',
-		  '        progress_message3 "$g_product attempting restart"',
-		  '        COMMAND=restart',
-		  '        detect_configuration',
-		  '        define_firewall' );
-	} else {
-	    emit( '    else',
-		  '        COMMAND=stop',
-		  '        progress_message3 "$g_product attempting stop"',
-		  '        detect_configuration',
-		  '        stop_firewall' );
-	}
-
-	emit( '    fi',
-	      '    ;;'
-	    );
-    }
-
-    if ( @$optional ) {
-	my @interfaces = map $interfaces{$_}->{physical}, @$optional;
-	my $interfaces = join '|', @interfaces;
-
-	if ( $interfaces =~ s/\+/*/g || @interfaces > 1 ) {
-	    emit( "$interfaces)",
-		  '    if [ "$COMMAND" = up ]; then',
-		  '        echo 0 > ${VARDIR}/${1}.state',
-		  '    else',
-		  '        echo 1 > ${VARDIR}/${1}.state',
-		  '    fi' );
-	} else {
-	    emit( "$interfaces)",
-		  '    if [ "$COMMAND" = up ]; then',
-		  "        echo 0 > \${VARDIR}/$interfaces.state",
-		  '    else',
-		  "        echo 1 > \${VARDIR}/$interfaces.state",
-		  '    fi' );
-	}
-
-	emit( '',
-	      '    if [ "$state" = started ]; then',
-	      '        COMMAND=restart',
-	      '        progress_message3 "$g_product attempting restart"',
-	      '        detect_configuration',
-	      '        define_firewall',
-	      '    elif [ "$state" = stopped ]; then',
-	      '        COMMAND=start',
-	      '        progress_message3 "$g_product attempting start"',
-	      '        detect_configuration',
-	      '        define_firewall',
-	      '    else',
-	      '        progress_message3 "$COMMAND on interface $1 ignored"',
-	      '    fi',
-	      '    ;;',
-	    );
-    }
-
-    emit( "*)",
-	  '    case $state in',
-	  '        started)',
-	  '            COMMAND=restart',
-	  '            progress_message3 "$g_product attempting restart"',
-	  '            detect_configuration',
-	  '            define_firewall',
-	  '            ;;',
-	  '        *)',
-	  '            progress_message3 "$COMMAND on interface $1 ignored"',
-	  '            ;;',
-	  '    esac',
-	);
-
-    pop_indent;
-
-    emit( 'esac' );
-
-    pop_indent;
-
-    emit( '}',
-	  '',
-	);
-}
-
 #
 # Process a record in the hosts file
 #
--- a/Shorewall/Perl/lib.core
+++ b/Shorewall/Perl/lib.core
@@ -182,7 +182,6 @@ get_routed_networks() # $1 = interface name, $2-n = Fatal error message

    [ $g_family -eq 4 ] && mask=32 || mask=128

-
    $IP -$g_family route show dev $1 2> /dev/null |
 	while read address rest; do
 	    case "$address" in
@@ -340,6 +339,16 @@ replace_default_route() # $1 = USE_DEFAULT_RT
    fi
 }

+#
+# Delete default routes with metric 0 from the passed routing table
+#
+delete_default_routes() # $1 = table number
+{
+    $IP -$g_family route ls table $1 | fgrep default | fgrep -v metric | while read route; do
+	qt $IP -$g_family route del $route
+    done
+} 
+
 restore_default_route() # $1 = USE_DEFAULT_RT
 {
    local result
--- a/Shorewall/Perl/prog.footer
+++ b/Shorewall/Perl/prog.footer
@@ -348,7 +348,9 @@ case "$COMMAND" in
 	[ $# -eq 1 ] && exit 0
 	shift
 	[ $# -ne 1 ] && usage 2
-	updown $1
+	mutex_on
+	( updown $1 )
+	mutex_off
 	status=0
 	;;
    enable)
--- a/Shorewall/Samples/Universal/rules
+++ b/Shorewall/Samples/Universal/rules
@@ -13,6 +13,6 @@
 #SECTION ESTABLISHED
 #SECTION RELATED
 SECTION NEW
-
+Invalid(DROP)	net		$FW		tcp
 SSH(ACCEPT)	net		$FW
 Ping(ACCEPT)	net		$FW
--- a/Shorewall/Samples/Universal/shorewall.conf
+++ b/Shorewall/Samples/Universal/shorewall.conf
@@ -170,7 +170,7 @@ MUTEX_TIMEOUT=60

 NULL_ROUTE_RFC1918=No

-OPTIMIZE=15
+OPTIMIZE=31

 OPTIMIZE_ACCOUNTING=No

--- a/Shorewall/Samples/one-interface/interfaces
+++ b/Shorewall/Samples/one-interface/interfaces
@@ -14,4 +14,4 @@
 FORMAT 2
 ###############################################################################
 #ZONE	INTERFACE	OPTIONS
-net     eth0            dhcp,tcpflags,logmartians,nosmurfs
+net     eth0            dhcp,tcpflags,logmartians,nosmurfs,sourceroute=0
--- a/Shorewall/Samples/one-interface/rules
+++ b/Shorewall/Samples/one-interface/rules
@@ -18,6 +18,10 @@
 #SECTION RELATED
 SECTION NEW

+# Drop packets in the INVALID state
+
+Invalid(DROP)  net    	        $FW		tcp
+
 # Drop Ping from the "bad" net zone.. and prevent your log from being flooded..

 Ping(DROP)	net		$FW
--- a/Shorewall/Samples/one-interface/shorewall.conf
+++ b/Shorewall/Samples/one-interface/shorewall.conf
@@ -181,7 +181,7 @@ MUTEX_TIMEOUT=60

 NULL_ROUTE_RFC1918=No

-OPTIMIZE=1
+OPTIMIZE=31

 OPTIMIZE_ACCOUNTING=No

--- a/Shorewall/Samples/three-interfaces/interfaces
+++ b/Shorewall/Samples/three-interfaces/interfaces
@@ -14,6 +14,6 @@
 FORMAT 2
 ###############################################################################
 #ZONE	INTERFACE	OPTIONS
-net     eth0            tcpflags,dhcp,nosmurfs,routefilter,logmartians
+net     eth0            tcpflags,dhcp,nosmurfs,routefilter,logmartians,sourceroute=0
 loc     eth1            tcpflags,nosmurfs,routefilter,logmartians
 dmz     eth2            tcpflags,nosmurfs,routefilter,logmartians
--- a/Shorewall/Samples/three-interfaces/masq
+++ b/Shorewall/Samples/three-interfaces/masq
@@ -10,8 +10,9 @@
 # See the file README.txt for further details.
 #------------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall-masq"
-##############################################################################
-#INTERFACE		SOURCE		ADDRESS		PROTO	PORT(S)	IPSEC	MARK
+################################################################################################################
+#INTERFACE:DEST		SOURCE		ADDRESS		PROTO	PORT(S)	IPSEC	MARK	USER/	SWITCH	ORIGINAL
+#											GROUP		DEST
 eth0			10.0.0.0/8,\
 			169.254.0.0/16,\
 			172.16.0.0/12,\
--- a/Shorewall/Samples/three-interfaces/rules
+++ b/Shorewall/Samples/three-interfaces/rules
@@ -20,7 +20,7 @@ SECTION NEW

 #       Don't allow connection pickup from the net
 #
-Invalid(DROP)	net		all
+Invalid(DROP)	net		all		tcp
 #
 #	Accept DNS connections from the firewall to the Internet
 #
--- a/Shorewall/Samples/three-interfaces/shorewall.conf
+++ b/Shorewall/Samples/three-interfaces/shorewall.conf
@@ -179,7 +179,7 @@ MUTEX_TIMEOUT=60

 NULL_ROUTE_RFC1918=No

-OPTIMIZE=1
+OPTIMIZE=31

 OPTIMIZE_ACCOUNTING=No

--- a/Shorewall/Samples/two-interfaces/interfaces
+++ b/Shorewall/Samples/two-interfaces/interfaces
@@ -14,5 +14,5 @@
 FORMAT 2
 ###############################################################################
 #ZONE	INTERFACE	OPTIONS
-net     eth0            dhcp,tcpflags,nosmurfs,routefilter,logmartians
+net     eth0            dhcp,tcpflags,nosmurfs,routefilter,logmartians,sourceroute=0
 loc     eth1            tcpflags,nosmurfs,routefilter,logmartians
--- a/Shorewall/Samples/two-interfaces/masq
+++ b/Shorewall/Samples/two-interfaces/masq
@@ -10,8 +10,9 @@
 # See the file README.txt for further details.
 #------------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall-masq"
-###############################################################################
-#INTERFACE		SOURCE		ADDRESS		PROTO	PORT(S)	IPSEC	MARK
+################################################################################################################
+#INTERFACE:DEST		SOURCE		ADDRESS		PROTO	PORT(S)	IPSEC	MARK	USER/	SWITCH	ORIGINAL
+#											GROUP		DEST
 eth0			10.0.0.0/8,\
 			169.254.0.0/16,\
 			172.16.0.0/12,\
--- a/Shorewall/Samples/two-interfaces/rules
+++ b/Shorewall/Samples/two-interfaces/rules
@@ -20,7 +20,7 @@ SECTION NEW

 #       Don't allow connection pickup from the net
 #
-Invalid(DROP)	net		all
+Invalid(DROP)	net		all		tcp
 #
 #	Accept DNS connections from the firewall to the network
 #
--- a/Shorewall/Samples/two-interfaces/shorewall.conf
+++ b/Shorewall/Samples/two-interfaces/shorewall.conf
@@ -182,7 +182,7 @@ MUTEX_TIMEOUT=60

 NULL_ROUTE_RFC1918=No

-OPTIMIZE=1
+OPTIMIZE=31

 OPTIMIZE_ACCOUNTING=No

--- a/Shorewall/action.Broadcast
+++ b/Shorewall/action.Broadcast
@@ -31,7 +31,7 @@ FORMAT 2

 DEFAULTS DROP,-

-BEGIN PERL;
+?BEGIN PERL;

 use Shorewall::IPAddrs;
 use Shorewall::Config;
@@ -70,4 +70,4 @@ add_jump $chainref, $target, 0, '-d 224.0.0.0/4 ';

 1;

-END PERL;
+?END PERL;
--- a/Shorewall/action.Drop
+++ b/Shorewall/action.Drop
@@ -36,7 +36,7 @@ FORMAT 2
 # The following magic provides different defaults for $2 thru $5, when $1 is
 # 'audit'.
 #
-BEGIN PERL;
+?BEGIN PERL;
 use Shorewall::Config;

 my ( $p1, $p2, $p3 , $p4, $p5 ) = get_action_params( 5 );
@@ -54,7 +54,7 @@ if ( defined $p1 ) {

 1;

-END PERL;
+?END PERL;

 DEFAULTS -,REJECT,DROP,ACCEPT,DROP

--- a/Shorewall/action.DropSmurfs
+++ b/Shorewall/action.DropSmurfs
@@ -13,7 +13,7 @@ FORMAT 2

 DEFAULTS -

-BEGIN PERL;
+?BEGIN PERL;
 use strict;
 use Shorewall::Config qw(:DEFAULT F_IPV4 F_IPV6);
 use Shorewall::Chains;
@@ -77,7 +77,7 @@ if ( $family == F_IPV4 ) {
    add_ijump( $chainref, g => $target, s => IPv6_MULTICAST );
 }

-END PERL;
+?END PERL;



--- a/Shorewall/action.Invalid
+++ b/Shorewall/action.Invalid
@@ -31,7 +31,7 @@ FORMAT 2

 DEFAULTS DROP,-

-BEGIN PERL;
+?BEGIN PERL;

 use Shorewall::IPAddrs;
 use Shorewall::Config;
@@ -53,4 +53,4 @@ allow_optimize( $chainref );

 1;

-END PERL;
+?END PERL;
--- a/Shorewall/action.NotSyn
+++ b/Shorewall/action.NotSyn
@@ -31,7 +31,7 @@ FORMAT 2

 DEFAULTS DROP,-

-BEGIN PERL;
+?BEGIN PERL;

 use Shorewall::IPAddrs;
 use Shorewall::Config;
@@ -53,4 +53,4 @@ allow_optimize( $chainref );

 1;

-END PERL;
+?END PERL;
--- a/Shorewall/action.RST
+++ b/Shorewall/action.RST
@@ -31,7 +31,7 @@ FORMAT 2

 DEFAULTS DROP,-

-BEGIN PERL;
+?BEGIN PERL;

 use Shorewall::Config;
 use Shorewall::Chains;
@@ -52,4 +52,4 @@ allow_optimize( $chainref );

 1;

-END PERL;
+?END PERL;
--- a/Shorewall/action.Reject
+++ b/Shorewall/action.Reject
@@ -32,7 +32,7 @@ FORMAT 2
 # The following magic provides different defaults for $2 thru $5, when $1 is
 # 'audit'.
 #
-BEGIN PERL;
+?BEGIN PERL;
 use Shorewall::Config;

 my ( $p1, $p2, $p3 , $p4, $p5 ) = get_action_params( 5 );
@@ -50,7 +50,7 @@ if ( defined $p1 ) {

 1;

-END PERL;
+?END PERL;

 DEFAULTS -,REJECT,REJECT,ACCEPT,DROP

--- a/Shorewall/action.TCPFlags
+++ b/Shorewall/action.TCPFlags
@@ -13,12 +13,11 @@ FORMAT 2

 DEFAULTS DROP,-

-BEGIN PERL;
+?BEGIN PERL;
 use strict;
 use Shorewall::Config qw(:DEFAULT F_IPV4 F_IPV6);
 use Shorewall::Chains;

-
 my ( $disposition, $audit ) = get_action_params( 2 );

 my $chainref        = get_action_chain;
@@ -55,7 +54,7 @@ add_ijump $chainref , g => $disposition, p => 'tcp --tcp-flags SYN,RST SYN,RST';
 add_ijump $chainref , g => $disposition, p => 'tcp --tcp-flags SYN,FIN SYN,FIN';
 add_ijump $chainref , g => $disposition, p => 'tcp --syn --sport 0';

-END PERL;
+?END PERL;



--- a/Shorewall/configfiles/masq
+++ b/Shorewall/configfiles/masq
@@ -6,6 +6,6 @@
 # The manpage is also online at
 # http://www.shorewall.net/manpages/shorewall-masq.html
 #
-######################################################################################################
-#INTERFACE:DEST		SOURCE		ADDRESS		PROTO	PORT(S)	IPSEC	MARK	USER/	SWITCH
-#											GROUP
+################################################################################################################
+#INTERFACE:DEST		SOURCE		ADDRESS		PROTO	PORT(S)	IPSEC	MARK	USER/	SWITCH	ORIGINAL
+#											GROUP		DEST
--- a/Shorewall/install.sh
+++ b/Shorewall/install.sh
@@ -22,7 +22,7 @@
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #

-VERSION=xxx       #The Build script inserts the actual version
+VERSION=4.5.5       #The Build script inserts the actual version

 #
 # Change to the directory containing this script
@@ -244,32 +244,6 @@ esac

 OWNERSHIP="-o $OWNER -g $GROUP"

-#
-# Determine where to install the firewall script
-#
-
-if [ $PRODUCT = shorewall -a "$BUILD" = "$HOST" ]; then
-    #
-    # Fix up 'use Digest::' if SHA is installed
-    #
-    if ! perl -e 'use Digest::SHA;' 2> /dev/null ; then
-	if perl -e 'use Digest::SHA1;' 2> /dev/null ; then
-	    sed -i 's/Digest::SHA/Digest::SHA1/' Perl/Shorewall/Chains.pm
-	else
-	    echo "ERROR: Shorewall $VERSION requires either Digest::SHA or Digest::SHA1" >&2
-	    exit 1
-	fi
-    fi
-    #
-    # Verify that Perl and all required modules are installed
-    #
-    if ! perl -c Perl/compiler.pl; then
-	echo "ERROR: $Product $VERSION requires Perl which either is not installed or is not able to compile the Shorewall Perl code" >&2
-	echo "       Try perl -c $PWD/Perl/compiler.pl" >&2
-	exit 1
-    fi
-fi
-
 case "$HOST" in
    cygwin)
 	echo "Installing Cygwin-specific configuration..."
@@ -300,6 +274,51 @@ case "$HOST" in
 	;;
 esac

+if [ $PRODUCT = shorewall ]; then
+    if [ -n "$DIGEST" ]; then
+	#
+	# The user specified which digest to use
+	#
+	if [ "$DIGEST" != SHA ]; then
+	    if [ "$BUILD" = "$HOST" ] && ! eval perl -e \'use Digest::$DIGEST\;\' 2> /dev/null ; then
+		echo "ERROR: Perl compilation with Digest::$DIGEST failed" >&2
+		exit 1;
+	    fi
+
+	    eval sed -i \'s/Digest::SHA/Digest::$DIGEST/\' Perl/Shorewall/Chains.pm
+	fi
+    elif [ "$BUILD" = "$HOST" ]; then
+        #
+        # Fix up 'use Digest::' if SHA1 is installed
+        #
+	DIGEST=SHA
+	if ! perl -e 'use Digest::SHA;' 2> /dev/null ; then
+	    if perl -e 'use Digest::SHA1;' 2> /dev/null ; then
+		sed -i 's/Digest::SHA/Digest::SHA1/' Perl/Shorewall/Chains.pm
+		DIGEST=SHA1
+	    else
+		echo "ERROR: Shorewall $VERSION requires either Digest::SHA or Digest::SHA1" >&2
+		exit 1
+	    fi
+	fi
+    fi
+
+    if [ "$BUILD" = "$HOST" ]; then
+        #
+        # Verify that Perl and all required modules are installed
+        #
+	echo "Compiling the Shorewall Perl Modules with Digest::$DIGEST"
+
+	if ! perl -c Perl/compiler.pl; then
+	    echo "ERROR: $Product $VERSION requires Perl which either is not installed or is not able to compile the Shorewall Perl code" >&2
+	    echo "       Try perl -c $PWD/Perl/compiler.pl" >&2
+	    exit 1
+	fi
+    else
+	echo "Using Digest::$DIGEST"
+    fi
+fi
+
 if [ $BUILD != cygwin ]; then
    if [ `id -u` != 0 ] ; then
 	echo "Not setting file owner/group permissions, not running as root."
@@ -990,9 +1009,9 @@ cd ..
 #
 # Install the libraries
 #
-for f in lib.* ; do
+for f in lib.* Perl/lib.*; do
    if [ -f $f ]; then
-	install_file $f ${DESTDIR}${SHAREDIR}/$PRODUCT/$f 0644
+	install_file $f ${DESTDIR}${SHAREDIR}/$PRODUCT/$(basename $f) 0644
 	echo "Library ${f#*.} file installed as ${DESTDIR}${SHAREDIR}/$PRODUCT/$f"
    fi
 done
--- a/Shorewall/lib.cli-std
+++ b/Shorewall/lib.cli-std
@@ -181,7 +181,7 @@ get_config() {
 	if [ "$2" = Yes ]; then
 	    case $STARTUP_ENABLED in
 		No|no|NO)
-		    echo "   ERROR: $g_product startup is disabled. To enable startup, set STARTUP_ENABLED=Yes in ${CONFDIR}/${g_program}.conf" >&2
+		    echo "   ERROR: $g_product startup is disabled. To enable startup, set STARTUP_ENABLED=Yes in ${g_confdir}/${g_program}.conf" >&2
 		    exit 2
 		    ;;
 		Yes|yes|YES)
--- a/Shorewall/manpages/shorewall-interfaces.xml
+++ b/Shorewall/manpages/shorewall-interfaces.xml
@@ -343,13 +343,22 @@ loc     eth2            -</programlisting>
            </varlistentry>

            <varlistentry>
-              <term><emphasis role="bold">ignore</emphasis></term>
+              <term><emphasis role="bold">ignore[=1]</emphasis></term>

              <listitem>
                <para>When specified, causes the generated script to ignore
                up/down events from Shorewall-init for this device.
                Additionally, the option exempts the interface from hairpin
-                filtering.</para>
+                filtering. When '=1' is omitted, the ZONE column must contain
+                '-' and <option>ignore</option> must be the only
+                OPTION.</para>
+
+                <para>Beginning with Shorewall 4.5.5, may be specified as
+                '<option>ignore=1</option>' which only causes the generated
+                script to ignore up/down events from Shorewall-init; hairpin
+                filtering is still applied. In this case, the above
+                restrictions on the ZONE and OPTIONS columns are
+                lifted.</para>
              </listitem>
            </varlistentry>

--- a/Shorewall/manpages/shorewall-masq.xml
+++ b/Shorewall/manpages/shorewall-masq.xml
@@ -509,6 +509,22 @@
          restart</command>.</para>
        </listitem>
      </varlistentry>
+
+      <varlistentry>
+        <term><emphasis role="bold">ORIGINAL DEST</emphasis> (origdest) -
+        [<emphasis
+        role="bold">-</emphasis>|<emphasis>address</emphasis>[,<emphasis>address</emphasis>]...[<emphasis>exclusion</emphasis>]|<emphasis>exclusion</emphasis>]</term>
+
+        <listitem>
+          <para>(Optional) Added in Shorewall 4.5.6. This column may be
+          included and may contain one or more addresses (host or network)
+          separated by commas. Address ranges are not allowed. When this
+          column is supplied, rules are generated that require that the
+          original destination address matches one of the listed addresses. It
+          is useful for specifying that SNAT should occur only for connections
+          that were acted on by a DNAT when they entered the firewall.</para>
+        </listitem>
+      </varlistentry>
    </variablelist>
  </refsect1>

--- a/Shorewall/manpages/shorewall-providers.xml
+++ b/Shorewall/manpages/shorewall-providers.xml
@@ -280,7 +280,8 @@
                url="http://www.shorewall.net/Shorewall_Squid_Usage.html">http://www.shorewall.net/Shorewall_Squid_Usage.html</ulink>.
                When specified, the MARK, DUPLICATE and GATEWAY columns should
                be empty, INTERFACE should be set to 'lo' and
-                <option>tproxy</option> should be the only OPTION.</para>
+                <option>tproxy</option> should be the only OPTION. Only one
+                <option>tproxy</option> provider is allowed.</para>
              </listitem>
            </varlistentry>
          </variablelist>
--- a/Shorewall/manpages/shorewall-rules.xml
+++ b/Shorewall/manpages/shorewall-rules.xml
@@ -1084,8 +1084,7 @@
      <varlistentry>
        <term><emphasis role="bold">USER/GROUP</emphasis> (user) - [<emphasis
        role="bold">!</emphasis>][<emphasis>user-name-or-number</emphasis>][<emphasis
-        role="bold">:</emphasis><emphasis>group-name-or-number</emphasis>][<emphasis
-        role="bold">+</emphasis><emphasis>program-name</emphasis>]</term>
+        role="bold">:</emphasis><emphasis>group-name-or-number</emphasis>]</term>

        <listitem>
          <para>This optional column may only be non-empty if the SOURCE is
@@ -1126,15 +1125,11 @@
            </varlistentry>

            <varlistentry>
-              <term>+upnpd</term>
+              <term>2001-2099</term>

              <listitem>
-                <para>program named upnpd</para>
-
-                <important>
-                  <para>The ability to specify a program name was removed from
-                  Netfilter in kernel version 2.6.14.</para>
-                </important>
+                <para>UIDs 2001 through 2099 (Shorewall 4.5.6 and
+                later)</para>
              </listitem>
            </varlistentry>
          </variablelist>
@@ -1588,7 +1583,10 @@
    url="http://www.shorewall.net/ipsets.html">http://www.shorewall.net/ipsets.html</ulink></para>

    <para><ulink
-    url="http://shorewall.net/configuration_file_basics.htm#Pairs">http://shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
+    url="http://shorewall.net/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
+
+    <para><ulink
+    url="http://www.shorewall.net/shorewall_logging.html">http://www.shorewall.net/shorewall_logging.html</ulink></para>

    <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
    shorewall-blacklist(5), shorweall-blrules(5), shorewall-hosts(5),
--- a/Shorewall/manpages/shorewall-tcclasses.xml
+++ b/Shorewall/manpages/shorewall-tcclasses.xml
@@ -11,7 +11,7 @@
  <refnamediv>
    <refname>tcclasses</refname>

-    <refpurpose>Shorewall file to define HTB classes</refpurpose>
+    <refpurpose>Shorewall file to define HTB and HFSC classes</refpurpose>
  </refnamediv>

  <refsynopsisdiv>
@@ -166,8 +166,8 @@
          marking the traffic you want to fit in the classes defined in here.
          Must be specified as '-' if the <emphasis
          role="bold">classify</emphasis> option is given for the interface in
-          <ulink
-          url="shorewall-tcdevices.html">shorewall-tcdevices</ulink>(5)</para>
+          <ulink url="shorewall-tcdevices.html">shorewall-tcdevices</ulink>(5)
+          and you are running Shorewall 4.5.5 or earlier.</para>

          <para>You can use the same marks for different interfaces.</para>
        </listitem>
@@ -175,7 +175,7 @@

      <varlistentry>
        <term><emphasis role="bold">RATE</emphasis> -
-        <emphasis>rate</emphasis>[:<emphasis>dmax</emphasis>[:<emphasis>umax</emphasis>]]</term>
+        {-|<emphasis>rate</emphasis>[:<emphasis>dmax</emphasis>[:<emphasis>umax</emphasis>]]}</term>

        <listitem>
          <para>The minimum bandwidth this class should get, when the traffic
@@ -185,11 +185,12 @@
          class exceed the CEIL of the parent class, things don't work
          well.</para>

-          <para>When using the HFSC queuing discipline, leaf classes may
-          specify <replaceable>dmax</replaceable>, the maximum delay in
-          milliseconds that the first queued packet for this class should
-          experience. May be expressed as an integer, optionally followed by
-          'ms' with no intervening white space (e.g., 10ms).</para>
+          <para>When using the HFSC queuing discipline, this column specify
+          the real-time (RT) service curve. leaf classes may specify
+          <replaceable>dmax</replaceable>, the maximum delay in milliseconds
+          that the first queued packet for this class should experience. May
+          be expressed as an integer, optionally followed by 'ms' with no
+          intervening white space (e.g., 10ms).</para>

          <para>HFSC leaf classes may also specify
          <replaceable>umax</replaceable>, the largest packet expected in this
@@ -198,12 +199,18 @@
          followed by 'b' with no intervening white space (e.g., 800b).
          <replaceable>umax</replaceable> may only be given if
          <replaceable>dmax</replaceable> is also given.</para>
+
+          <para>Beginning with Shorewall 4.5.6, HFSC classes may omit this
+          column (e.g, '-' in the column), provided that an
+          <replaceable>lsrate</replaceable> is specified (see CEIL below).
+          These rates are used to arbitrate between classes of the same
+          priority.</para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term><emphasis role="bold">CEIL</emphasis> -
-        <emphasis>rate</emphasis></term>
+        [<emphasis>lsrate</emphasis>:]<emphasis>rate</emphasis></term>

        <listitem>
          <para>The maximum bandwidth this class is allowed to use when the
@@ -214,6 +221,9 @@
          here for setting the maximum bandwidth to the RATE of the parent
          class, or the OUT-BANDWIDTH of the device if there is no parent
          class.</para>
+
+          <para>Beginning with Shorewall 4.5.6, you can also specify an
+          <replaceable>lsrate</replaceable> (link sharing rate).</para>
        </listitem>
      </varlistentry>

@@ -253,7 +263,7 @@
                <para>This is the default class for that interface where all
                traffic should go, that is not classified otherwise.</para>

-                <para></para>
+                <para/>

                <note>
                  <para>You must define <emphasis
@@ -310,7 +320,7 @@
                limited to 64 bytes because we want only packets WITHOUT
                payload to match.</para>

-                <para></para>
+                <para/>

                <note>
                  <para>This option is only valid for ONE class per
@@ -430,6 +440,121 @@
                assumed.</para>
              </listitem>
            </varlistentry>
+
+            <varlistentry>
+              <term>red=(<replaceable>redoption</replaceable>=<replaceable>value</replaceable>,
+              ...)</term>
+
+              <listitem>
+                <para>Added in Shorewall 4.5.6. When specified on a leaf
+                class, causes the class to use the RED (Random Early
+                Detection) queuing discipline rather than SFQ. See tc-red (8)
+                for additional information.</para>
+
+                <para>Allowable redoptions are:</para>
+
+                <variablelist>
+                  <varlistentry>
+                    <term>min <replaceable>min</replaceable></term>
+
+                    <listitem>
+                      <para>Average queue size at which marking becomes a
+                      possibility.</para>
+                    </listitem>
+                  </varlistentry>
+
+                  <varlistentry>
+                    <term>max <replaceable>max</replaceable></term>
+
+                    <listitem>
+                      <para>At this average queue size, the marking
+                      probability is maximal. Must be at least twice
+                      <replaceable>min</replaceable> to prevent synchronous
+                      retransmits, higher for low
+                      <replaceable>min</replaceable>.</para>
+                    </listitem>
+                  </varlistentry>
+
+                  <varlistentry>
+                    <term>probability
+                    <replaceable>probability</replaceable></term>
+
+                    <listitem>
+                      <para>Maximum probability for marking, specified as a
+                      floating point number from 0.0 to 1.0. Suggested values
+                      are 0.01 or 0.02 (1 or 2%, respectively).</para>
+                    </listitem>
+                  </varlistentry>
+
+                  <varlistentry>
+                    <term>limit <replaceable>limit</replaceable></term>
+
+                    <listitem>
+                      <para>Hard limit on the real (not average) queue size in
+                      bytes. Further packets are dropped. Should be set higher
+                      than
+                      <replaceable>max</replaceable>+<replaceable>burst</replaceable>.
+                      It is advised to set this a few times higher than
+                      <replaceable>max</replaceable>. Shorewall requires that
+                      <replaceable>limit</replaceable> be at least twice
+                      <replaceable>min</replaceable>.</para>
+                    </listitem>
+                  </varlistentry>
+
+                  <varlistentry>
+                    <term>burst <replaceable>burst</replaceable></term>
+
+                    <listitem>
+                      <para>Used for determining how fast the average queue
+                      size is influenced by the real queue size. Larger values
+                      make the calculation more sluggish, allowing longer
+                      bursts of traffic before marking starts. Real life
+                      experiments support the following guide‐line:
+                      (<replaceable>min</replaceable>+<replaceable>min</replaceable>+<replaceable>max</replaceable>)/(3*<replaceable>avpkt</replaceable>).</para>
+                    </listitem>
+                  </varlistentry>
+
+                  <varlistentry>
+                    <term>avpkt <replaceable>avpkt</replaceable></term>
+
+                    <listitem>
+                      <para>Optional. Specified in bytes. Used with burst to
+                      determine the time constant for average queue size
+                      calculations. 1000 is a good value and is the Shorewall
+                      default.</para>
+                    </listitem>
+                  </varlistentry>
+
+                  <varlistentry>
+                    <term>bandwidth
+                    <replaceable>bandwidth</replaceable></term>
+
+                    <listitem>
+                      <para>Optional. This rate is used for calculating the
+                      average queue size after some idle time. Should be set
+                      to the bandwidth of your interface. Does not mean that
+                      RED will shape for you!</para>
+                    </listitem>
+                  </varlistentry>
+
+                  <varlistentry>
+                    <term>ecn</term>
+
+                    <listitem>
+                      <para>RED can either 'mark' or 'drop'. Explicit
+                      Congestion Notification allows RED to notify remote
+                      hosts that their rate exceeds the amount of bandwidth
+                      available. Non-ECN capable hosts can only be notified by
+                      dropping a packet. If this parameter is specified,
+                      packets which indicate that their hosts honor ECN will
+                      only be marked and not dropped, unless the queue size
+                      hits <replaceable>limit</replaceable> bytes. Needs a tc
+                      binary with RED support compiled in. Recommended.</para>
+                    </listitem>
+                  </varlistentry>
+                </variablelist>
+              </listitem>
+            </varlistentry>
          </variablelist>
        </listitem>
      </varlistentry>
@@ -503,6 +628,10 @@
    <para><ulink
    url="http://shorewall.net/configuration_file_basics.htm#Pairs">http://shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>

+    <para>tc-hfsc(7)</para>
+
+    <para>tc-red(8)</para>
+
    <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
    shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5),
    shorewall-ipsets(5), shorewall-maclist(5), shorewall-masq(5),
--- a/Shorewall/manpages/shorewall-tcdevices.xml
+++ b/Shorewall/manpages/shorewall-tcdevices.xml
@@ -179,7 +179,17 @@
      <varlistentry>
        <term><emphasis role="bold">OPTIONS</emphasis> - {<emphasis
        role="bold">-</emphasis>|<emphasis
-        role="bold">{classify</emphasis>|hfsc} ,...}</term>
+        role="bold">{classify</emphasis>|<emphasis
+        role="bold">hfsc</emphasis>|<emphasis
+        role="bold">linklayer</emphasis>={<emphasis
+        role="bold">ethernet</emphasis>|<emphasis
+        role="bold">atm</emphasis>|<emphasis
+        role="bold">adsl</emphasis>}|<emphasis
+        role="bold">tsize</emphasis>=<replaceable>tsize</replaceable>|<emphasis
+        role="bold">mtu</emphasis>=<replaceable>mtu</replaceable>|<emphasis
+        role="bold">mpu</emphasis>=<replaceable>mpu</replaceable>|<emphasis
+        role="bold">overhead</emphasis>=<replaceable>overhead</replaceable>}
+        ,...}</term>

        <listitem>
          <para><option>classify</option> ― When specified, Shorewall will not
@@ -190,7 +200,34 @@
          <para><option>hfsc</option> - Shorewall normally uses the
          <firstterm>Hierarchical Token Bucket</firstterm> queuing discipline.
          When <option>hfsc</option> is specified, the <firstterm>Hierarchical
-          Fair Service Curves</firstterm> discipline is used instead.</para>
+          Fair Service Curves</firstterm> discipline is used instead (see
+          tc-hfsc (7)).</para>
+
+          <para><emphasis role="bold">linklayer</emphasis> - Added in
+          Shorewall 4.5.6. Type of link (ethernet, atm, adsl). When specified,
+          causes scheduler packet size manipulation as described in tc-stab
+          (8). When this option is given, the following options may also be
+          given after it:</para>
+
+          <blockquote>
+            <para><emphasis
+            role="bold">mtu</emphasis>=<replaceable>mtu</replaceable> - The
+            device MTU; default 2048 (will be rounded up to a power of
+            two)</para>
+
+            <para><emphasis
+            role="bold">mpu</emphasis>=<replaceable>mpubytes</replaceable> -
+            Minimum packet size used in calculations. Smaller packets will be
+            rounded up to this size</para>
+
+            <para><emphasis
+            role="bold">tsize</emphasis>=<replaceable>tablesize</replaceable>
+            - Size table entries; default is 512</para>
+
+            <para><emphasis
+            role="bold">overhead</emphasis>=<replaceable>overheadbytes</replaceable>
+            - Number of overhead bytes per packet.</para>
+          </blockquote>
        </listitem>
      </varlistentry>

@@ -240,6 +277,8 @@
  <refsect1>
    <title>See ALSO</title>

+    <para>tc-hfsc (7)</para>
+
    <para><ulink
    url="http://shorewall.net/traffic_shaping.htm">http://shorewall.net/traffic_shaping.htm</ulink></para>

--- a/Shorewall/manpages/shorewall-tcfilters.xml
+++ b/Shorewall/manpages/shorewall-tcfilters.xml
@@ -35,7 +35,7 @@
        <term>IPV4</term>

        <listitem>
-          <para>Following entriess apply to IPv4.</para>
+          <para>Following entries apply to IPv4.</para>
        </listitem>
      </varlistentry>

--- a/Shorewall6-lite/shorecap
+++ b/Shorewall6-lite/shorecap
@@ -45,17 +45,22 @@
 #    used during firewall compilation, then the generated firewall program will likewise not
 #    require Shorewall to be installed.

-SHAREDIR=/usr/share/shorewall6-lite
-VARDIR=/var/lib/shorewall6-lite
-CONFDIR=/etc/shorewall6-lite
-g_product="Shorewall6 Lite"
-g_family=6
-g_base=shorewall6
-g_basedir=/usr/share/shorewall6-lite
+g_program=shorewall6-lite

-. /usr/share/shorewall6-lite/lib.base
-. /usr/share/shorewall6/lib.cli
-. /usr/share/shorewall6-lite/configpath
+#
+# This is modified by the installer when ${SHAREDIR} != /usr/share
+#
+. /usr/share/shorewall/shorewallrc
+
+g_libexec="$LIBEXECDIR"
+g_sharedir="$SHAREDIR"/shorewall6-lite
+g_sbindir="$SBINDIR"
+g_vardir="$VARDIR"
+g_confdir="$CONFDIR"/shorewall6-lite
+g_readrc=1
+
+. ${SHAREDIR}/shorewall/lib.cli
+. ${SHAREDIR}/shorewall-lite/configpath

 [ -n "$PATH" ] || PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin

--- a/Shorewall6/Samples6/Universal/interfaces
+++ b/Shorewall6/Samples6/Universal/interfaces
@@ -11,5 +11,5 @@ FORMAT 2
 ###############################################################################
 #ZONE	INTERFACE	OPTIONS
 -	lo		ignore
-net	all		dhcp,physical=+,routeback
+net	all		dhcp,physical=+,routeback,sourceroute=0

--- a/Shorewall6/Samples6/Universal/rules
+++ b/Shorewall6/Samples6/Universal/rules
@@ -14,5 +14,6 @@
 #SECTION RELATED
 SECTION NEW

+Invalid(DROP)	net		$FW		tcp
 SSH(ACCEPT)	net		$FW
 Ping(ACCEPT)	net		$FW
--- a/Shorewall6/Samples6/Universal/shorewall6.conf
+++ b/Shorewall6/Samples6/Universal/shorewall6.conf
@@ -155,7 +155,7 @@ MODULE_SUFFIX=ko

 MUTEX_TIMEOUT=60

-OPTIMIZE=15
+OPTIMIZE=31

 OPTIMIZE_ACCOUNTING=No

--- a/Shorewall6/Samples6/one-interface/rules
+++ b/Shorewall6/Samples6/one-interface/rules
@@ -18,6 +18,10 @@
 #SECTION RELATED
 SECTION NEW

+# Drop packets in the INVALID state
+
+Invalid(DROP)  net    	        $FW		tcp
+
 # Drop Ping from the "bad" net zone.. and prevent your log from being flooded..

 Ping(DROP)	net		$FW
--- a/Shorewall6/Samples6/one-interface/shorewall6.conf
+++ b/Shorewall6/Samples6/one-interface/shorewall6.conf
@@ -155,7 +155,7 @@ MODULE_SUFFIX=ko

 MUTEX_TIMEOUT=60

-OPTIMIZE=1
+OPTIMIZE=31

 OPTIMIZE_ACCOUNTING=No

--- a/Shorewall6/Samples6/three-interfaces/interfaces
+++ b/Shorewall6/Samples6/three-interfaces/interfaces
@@ -14,6 +14,6 @@
 FORMAT 2
 ###############################################################################
 #ZONE	INTERFACE	OPTIONS
-net     eth0            tcpflags,forward=1
+net     eth0            tcpflags,forward=1,sourceroute=0
 loc     eth1            tcpflags,forward=1
 dmz     eth2            tcpflags,forward=1
--- a/Shorewall6/Samples6/three-interfaces/rules
+++ b/Shorewall6/Samples6/three-interfaces/rules
@@ -20,7 +20,7 @@ SECTION NEW

 #       Don't allow connection pickup from the net
 #
-Invalid(DROP)	net		all
+Invalid(DROP)	net		all		tcp
 #
 #	Accept DNS connections from the firewall to the Internet
 #
--- a/Shorewall6/Samples6/three-interfaces/shorewall6.conf
+++ b/Shorewall6/Samples6/three-interfaces/shorewall6.conf
@@ -155,7 +155,7 @@ MODULE_SUFFIX=ko

 MUTEX_TIMEOUT=60

-OPTIMIZE=1
+OPTIMIZE=31

 OPTIMIZE_ACCOUNTING=No

--- a/Shorewall6/Samples6/two-interfaces/interfaces
+++ b/Shorewall6/Samples6/two-interfaces/interfaces
@@ -14,5 +14,5 @@
 FORMAT 2
 ###############################################################################
 #ZONE	INTERFACE	OPTIONS
-net     eth0            tcpflags,forward=1
+net     eth0            tcpflags,forward=1,sourceroute=0
 loc     eth1            tcpflags,forward=1
--- a/Shorewall6/Samples6/two-interfaces/rules
+++ b/Shorewall6/Samples6/two-interfaces/rules
@@ -20,7 +20,7 @@ SECTION NEW

 #       Don't allow connection pickup from the net
 #
-Invalid(DROP)	net		all
+Invalid(DROP)	net		all		tcp
 #
 #	Accept DNS connections from the firewall to the network
 #
--- a/Shorewall6/Samples6/two-interfaces/shorewall6.conf
+++ b/Shorewall6/Samples6/two-interfaces/shorewall6.conf
@@ -155,7 +155,7 @@ MODULE_SUFFIX=ko

 MUTEX_TIMEOUT=60

-OPTIMIZE=1
+OPTIMIZE=31

 OPTIMIZE_ACCOUNTING=No

--- a/Shorewall6/action.Broadcast
+++ b/Shorewall6/action.Broadcast
@@ -31,7 +31,7 @@ FORMAT 2

 DEFAULTS DROP,-

-BEGIN PERL;
+?BEGIN PERL;

 use Shorewall::IPAddrs;
 use Shorewall::Config;
@@ -68,4 +68,4 @@ add_jump $chainref, $target, 0, join( ' ', '-d', IPv6_MULTICAST . ' ' );

 1;

-END PERL;
+?END PERL;
--- a/Shorewall6/action.Drop
+++ b/Shorewall6/action.Drop
@@ -36,7 +36,7 @@ FORMAT 2
 # The following magic provides different defaults for $2 thru $5, when $1 is
 # 'audit'.
 #
-BEGIN PERL;
+?BEGIN PERL;
 use Shorewall::Config;

 my ( $p1, $p2, $p3 , $p4, $p5 ) = get_action_params( 5 );
@@ -54,7 +54,7 @@ if ( defined $p1 ) {

 1;

-END PERL;
+?END PERL;

 DEFAULTS -,REJECT,DROP,ACCEPT,DROP

--- a/Shorewall6/action.Reject
+++ b/Shorewall6/action.Reject
@@ -32,7 +32,7 @@ FORMAT 2
 # The following magic provides different defaults for $2 thru $5, when $1 is
 # 'audit'.
 #
-BEGIN PERL;
+?BEGIN PERL;
 use Shorewall::Config;

 my ( $p1, $p2, $p3 , $p4, $p5 ) = get_action_params( 5 );
@@ -50,7 +50,7 @@ if ( defined $p1 ) {

 1;

-END PERL;
+?END PERL;

 DEFAULTS -,REJECT,REJECT,ACCEPT,DROP

--- a/Shorewall6/manpages/shorewall6-interfaces.xml
+++ b/Shorewall6/manpages/shorewall6-interfaces.xml
@@ -244,13 +244,22 @@ loc     eth2            -</programlisting>
            </varlistentry>

            <varlistentry>
-              <term><emphasis role="bold">ignore</emphasis></term>
+              <term><emphasis role="bold">ignore[=1]</emphasis></term>

              <listitem>
                <para>When specified, causes the generated script to ignore
                up/down events from Shorewall-init for this device.
                Additionally, the option exempts the interface from hairpin
-                filtering.</para>
+                filtering. When '=1' is omitted, the ZONE column must contain
+                '-' and <option>ignore</option> must be the only
+                OPTION.</para>
+
+                <para>Beginning with Shorewall 4.5.5, may be specified as
+                '<option>ignore=1</option>' which only causes the generated
+                script to ignore up/down events from Shorewall-init; hairpin
+                filtering is still applied. In this case, the above
+                restrictions on the ZONE and OPTIONS columns are
+                lifted.</para>
              </listitem>
            </varlistentry>

--- a/Shorewall6/manpages/shorewall6-providers.xml
+++ b/Shorewall6/manpages/shorewall6-providers.xml
@@ -255,7 +255,8 @@
                url="http://www.shorewall.net/Shorewall_Squid_Usage.html">http://www.shorewall.net/Shorewall_Squid_Usage.html</ulink>.
                When specified, the MARK, DUPLICATE and GATEWAY columns should
                be empty, INTERFACE should be set to 'lo' and
-                <option>tproxy</option> should be the only OPTION.</para>
+                <option>tproxy</option> should be the only OPTION. Only one
+                <option>tproxy</option> provider is allowed.</para>
              </listitem>
            </varlistentry>
          </variablelist>
--- a/Shorewall6/manpages/shorewall6-rules.xml
+++ b/Shorewall6/manpages/shorewall6-rules.xml
@@ -837,8 +837,8 @@

      <varlistentry>
        <term><emphasis role="bold">USER/GROUP</emphasis> (user) - [<emphasis
-        role="bold">!</emphasis>][<emphasis>user-name-or-number</emphasis>][<emphasis
-        role="bold">:</emphasis><emphasis>group-name-or-number</emphasis>]</term>
+        role="bold">!</emphasis>][<emphasis>user-name-or-number-or-range</emphasis>][<emphasis
+        role="bold">:</emphasis><emphasis>group-name-or-number-or-range</emphasis>]</term>

        <listitem>
          <para>This optional column may only be non-empty if the SOURCE is
@@ -877,6 +877,15 @@
                group</para>
              </listitem>
            </varlistentry>
+
+            <varlistentry>
+              <term>2001-2099</term>
+
+              <listitem>
+                <para>UIDs 2001 through 2099 (Shorewall 4.5.6 and
+                later)</para>
+              </listitem>
+            </varlistentry>
          </variablelist>
        </listitem>
      </varlistentry>
@@ -1264,6 +1273,9 @@
  <refsect1>
    <title>See ALSO</title>

+    <para><ulink
+    url="http://www.shorewall.net/shorewall_logging.html">http://www.shorewall.net/shorewall_logging.html</ulink></para>
+
    <para><ulink
    url="http://shorewall.net/configuration_file_basics.htm#Pairs">http://shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>

--- a/Shorewall6/manpages/shorewall6-tcclasses.xml
+++ b/Shorewall6/manpages/shorewall6-tcclasses.xml
@@ -11,7 +11,7 @@
  <refnamediv>
    <refname>tcclasses</refname>

-    <refpurpose>Shorewall6 file to define HTB classes</refpurpose>
+    <refpurpose>Shorewall6 file to define HTB and HFSC classes</refpurpose>
  </refnamediv>

  <refsynopsisdiv>
@@ -163,7 +163,8 @@
          Must be specified as '-' if the <emphasis
          role="bold">classify</emphasis> option is given for the interface in
          <ulink
-          url="shorewall6-tcdevices.html">shorewall6-tcdevices</ulink>(5)</para>
+          url="shorewall6-tcdevices.html">shorewall6-tcdevices</ulink>(5) and
+          you are running Shorewall 4.5 5 or earlier.</para>

          <para>You can use the same marks for different interfaces.</para>
        </listitem>
@@ -171,7 +172,7 @@

      <varlistentry>
        <term><emphasis role="bold">RATE</emphasis> -
-        <emphasis>rate</emphasis>[:<emphasis>dmax</emphasis>[:<emphasis>umax</emphasis>]]</term>
+        {-|<emphasis>rate</emphasis>[:<emphasis>dmax</emphasis>[:<emphasis>umax</emphasis>]]}</term>

        <listitem>
          <para>The minimum bandwidth this class should get, when the traffic
@@ -181,11 +182,12 @@
          class exceed the CEIL of the parent class, things don't work
          well.</para>

-          <para>When using the HFSC queuing discipline, leaf classes may
-          specify <replaceable>dmax</replaceable>, the maximum delay in
-          milliseconds that the first queued packet for this class should
-          experience. May be expressed as an integer, optionally followed by
-          'ms' with no intervening white space (e.g., 10ms).</para>
+          <para>When using the HFSC queuing discipline, this column specify
+          the real-time (RT) service curve. leaf classes may specify
+          <replaceable>dmax</replaceable>, the maximum delay in milliseconds
+          that the first queued packet for this class should experience. May
+          be expressed as an integer, optionally followed by 'ms' with no
+          intervening white space (e.g., 10ms).</para>

          <para>HFSC leaf classes may also specify
          <replaceable>umax</replaceable>, the largest packet expected in this
@@ -194,12 +196,18 @@
          followed by 'b' with no intervening white space (e.g., 800b).
          <replaceable>umax</replaceable> may only be given if
          <replaceable>dmax</replaceable> is also given.</para>
+
+          <para>Beginning with Shorewall 4.5.6, HFSC classes may omit this
+          column (e.g, '-' in the column), provided that an
+          <replaceable>lsrate</replaceable> is specified (see CEIL below).
+          These rates are used to arbitrate between classes of the same
+          priority.</para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term><emphasis role="bold">CEIL</emphasis> -
-        <emphasis>rate</emphasis></term>
+        [<emphasis>lsrate</emphasis>:]<emphasis>rate</emphasis></term>

        <listitem>
          <para>The maximum bandwidth this class is allowed to use when the
@@ -210,6 +218,9 @@
          here for setting the maximum bandwidth to the RATE of the parent
          class, or the OUT-BANDWIDTH of the device if there is no parent
          class.</para>
+
+          <para>Beginning with Shorewall 4.5.6, you can also specify an
+          <replaceable>lsrate</replaceable> (link sharing rate).</para>
        </listitem>
      </varlistentry>

@@ -304,7 +315,7 @@
                limited to 64 bytes because we want only packets WITHOUT
                payload to match.</para>

-                <para></para>
+                <para/>

                <note>
                  <para>This option is only valid for ONE class per
@@ -381,6 +392,121 @@
                assumed.</para>
              </listitem>
            </varlistentry>
+
+            <varlistentry>
+              <term>red=(<replaceable>redoption</replaceable>=<replaceable>value</replaceable>,
+              ...)</term>
+
+              <listitem>
+                <para>Added in Shorewall 4.5.6. When specified on a leaf
+                class, causes the class to use the RED (Random Early
+                Detection) queuing discipline rather than SFQ. See tc-red (8)
+                for additional information.</para>
+
+                <para>Allowable redoptions are:</para>
+
+                <variablelist>
+                  <varlistentry>
+                    <term>min <replaceable>min</replaceable></term>
+
+                    <listitem>
+                      <para>Average queue size at which marking becomes a
+                      possibility.</para>
+                    </listitem>
+                  </varlistentry>
+
+                  <varlistentry>
+                    <term>max <replaceable>max</replaceable></term>
+
+                    <listitem>
+                      <para>At this average queue size, the marking
+                      probability is maximal. Must be at least twice
+                      <replaceable>min</replaceable> to prevent synchronous
+                      retransmits, higher for low
+                      <replaceable>min</replaceable>.</para>
+                    </listitem>
+                  </varlistentry>
+
+                  <varlistentry>
+                    <term>probability
+                    <replaceable>probability</replaceable></term>
+
+                    <listitem>
+                      <para>Maximum probability for marking, specified as a
+                      floating point number from 0.0 to 1.0. Suggested values
+                      are 0.01 or 0.02 (1 or 2%, respectively).</para>
+                    </listitem>
+                  </varlistentry>
+
+                  <varlistentry>
+                    <term>limit <replaceable>limit</replaceable></term>
+
+                    <listitem>
+                      <para>Hard limit on the real (not average) queue size in
+                      bytes. Further packets are dropped. Should be set higher
+                      than
+                      <replaceable>max</replaceable>+<replaceable>burst</replaceable>.
+                      It is advised to set this a few times higher than
+                      <replaceable>max</replaceable>. Shorewall requires that
+                      <replaceable>limit</replaceable> be at least twice
+                      <replaceable>min</replaceable>.</para>
+                    </listitem>
+                  </varlistentry>
+
+                  <varlistentry>
+                    <term>burst <replaceable>burst</replaceable></term>
+
+                    <listitem>
+                      <para>Used for determining how fast the average queue
+                      size is influenced by the real queue size. Larger values
+                      make the calculation more sluggish, allowing longer
+                      bursts of traffic before marking starts. Real life
+                      experiments support the following guide‐line:
+                      (<replaceable>min</replaceable>+<replaceable>min</replaceable>+<replaceable>max</replaceable>)/(3*<replaceable>avpkt</replaceable>).</para>
+                    </listitem>
+                  </varlistentry>
+
+                  <varlistentry>
+                    <term>avpkt <replaceable>avpkt</replaceable></term>
+
+                    <listitem>
+                      <para>Optional. Specified in bytes. Used with burst to
+                      determine the time constant for average queue size
+                      calculations. 1000 is a good value and is the Shorewall
+                      default.</para>
+                    </listitem>
+                  </varlistentry>
+
+                  <varlistentry>
+                    <term>bandwidth
+                    <replaceable>bandwidth</replaceable></term>
+
+                    <listitem>
+                      <para>Optional. This rate is used for calculating the
+                      average queue size after some idle time. Should be set
+                      to the bandwidth of your interface. Does not mean that
+                      RED will shape for you!</para>
+                    </listitem>
+                  </varlistentry>
+
+                  <varlistentry>
+                    <term>ecn</term>
+
+                    <listitem>
+                      <para>RED can either 'mark' or 'drop'. Explicit
+                      Congestion Notification allows RED to notify remote
+                      hosts that their rate exceeds the amount of bandwidth
+                      available. Non-ECN capable hosts can only be notified by
+                      dropping a packet. If this parameter is specified,
+                      packets which indicate that their hosts honor ECN will
+                      only be marked and not dropped, unless the queue size
+                      hits <replaceable>limit</replaceable> bytes. Needs a tc
+                      binary with RED support compiled in. Recommended.</para>
+                    </listitem>
+                  </varlistentry>
+                </variablelist>
+              </listitem>
+            </varlistentry>
          </variablelist>
        </listitem>
      </varlistentry>
@@ -448,6 +574,10 @@
  <refsect1>
    <title>See ALSO</title>

+    <para>tc-hfsc(7)</para>
+
+    <para>tc-red(8)</para>
+
    <para><ulink
    url="http://shorewall.net/traffic_shaping.htm">http://shorewall.net/traffic_shaping.htm</ulink></para>

--- a/Shorewall6/manpages/shorewall6-tcdevices.xml
+++ b/Shorewall6/manpages/shorewall6-tcdevices.xml
@@ -180,7 +180,17 @@
      <varlistentry>
        <term><emphasis role="bold">OPTIONS</emphasis> - {<emphasis
        role="bold">-</emphasis>|<emphasis
-        role="bold">{classify</emphasis>|hfsc} ,...}</term>
+        role="bold">{classify</emphasis>|<emphasis
+        role="bold">hfsc</emphasis>|<emphasis
+        role="bold">linklayer</emphasis>={<emphasis
+        role="bold">ethernet</emphasis>|<emphasis
+        role="bold">atm</emphasis>|<emphasis
+        role="bold">adsl</emphasis>}|<emphasis
+        role="bold">tsize</emphasis>=<replaceable>tsize</replaceable>|<emphasis
+        role="bold">mtu</emphasis>=<replaceable>mtu</replaceable>|<emphasis
+        role="bold">mpu</emphasis>=<replaceable>mpu</replaceable>|<emphasis
+        role="bold">overhead</emphasis>=<replaceable>overhead</replaceable>}
+        ,...}</term>

        <listitem>
          <para><option>classify</option> ― When specified, Shorewall will not
@@ -191,7 +201,34 @@
          <para><option>hfsc</option> - Shorewall normally uses the
          <firstterm>Hierarchical Token Bucket</firstterm> queuing discipline.
          When <option>hfsc</option> is specified, the <firstterm>Hierarchical
-          Fair Service Curves</firstterm> discipline is used instead.</para>
+          Fair Service Curves</firstterm> discipline is used instead(see
+          tc-hfsc (7)).</para>
+
+          <para><emphasis role="bold">linklayer</emphasis> - Added in
+          Shorewall 4.5.6. Type of link (ethernet, atm, adsl). When specified,
+          causes scheduler packet size manipulation as described in tc-stab
+          (8). When this option is given, the following options may also be
+          given after it:</para>
+
+          <blockquote>
+            <para><emphasis
+            role="bold">mtu</emphasis>=<replaceable>mtu</replaceable> - The
+            device MTU; default 2048 (will be rounded up to a power of
+            two)</para>
+
+            <para><emphasis
+            role="bold">mpu</emphasis>=<replaceable>mpubytes</replaceable> -
+            Minimum packet size used in calculations. Smaller packets will be
+            rounded up to this size</para>
+
+            <para><emphasis
+            role="bold">tsize</emphasis>=<replaceable>tablesize</replaceable>
+            - Size table entries; default is 512</para>
+
+            <para><emphasis
+            role="bold">overhead</emphasis>=<replaceable>overheadbytes</replaceable>
+            - Number of overhead bytes per packet.</para>
+          </blockquote>
        </listitem>
      </varlistentry>

@@ -242,6 +279,8 @@
  <refsect1>
    <title>See ALSO</title>

+    <para>tc-hfsc (7)</para>
+
    <para><ulink
    url="http://shorewall.net/traffic_shaping.htm">http://shorewall.net/traffic_shaping.htm</ulink></para>

--- a/Shorewall6/manpages/shorewall6-tcfilters.xml
+++ b/Shorewall6/manpages/shorewall6-tcfilters.xml
@@ -35,7 +35,7 @@
        <term>IPV4</term>

        <listitem>
-          <para>Following entriess apply to IPv4.</para>
+          <para>Following entries apply to IPv4.</para>
        </listitem>
      </varlistentry>

@@ -235,6 +235,6 @@
    <para><ulink
    url="http://shorewall.net/PacketMarking.html">http://shorewall.net/PacketMarking.html</ulink></para>

-    <para></para>
+    <para/>
  </refsect1>
 </refentry>
--- a/docs/CompiledPrograms.xml
+++ b/docs/CompiledPrograms.xml
@@ -135,7 +135,8 @@

          <itemizedlist>
            <listitem>
-              <para>CONFIG_PATH=/usr/share/shorewall</para>
+              <para>Remove /etc/shorewall (/etc/shorewal6) from the setting of
+              CONFIG_PATH</para>
            </listitem>

            <listitem>
--- a/docs/Documentation_Index.xml
+++ b/docs/Documentation_Index.xml
@@ -37,15 +37,40 @@
  <section id="Frequent">
    <title>Frequently Used Articles</title>

-    <simplelist>
-      <member><ulink url="FAQ.htm">FAQs</ulink> (<ulink
-      url="FAQ_fr.html">Français</ulink>)</member>
+    <informaltable frame="none" orient="land">
+      <tgroup cols="1">
+        <tbody>
+          <row>
+            <entry><ulink url="FAQ.htm">FAQs</ulink></entry>
+          </row>

-      <member><ulink url="GettingStarted.html">Beginner
-      Documentation</ulink></member>
+          <row>
+            <entry><ulink url="Manpages.html">IPv4 Manpages</ulink></entry>
+          </row>

-      <member><ulink url="troubleshoot.htm">Troubleshooting</ulink></member>
-    </simplelist>
+          <row>
+            <entry><ulink url="Manpages6.html">IPv6 Manpages</ulink></entry>
+          </row>
+
+          <row>
+            <entry><ulink url="GettingStarted.html">Beginner
+            Documentation</ulink></entry>
+          </row>
+
+          <row>
+            <entry><ulink
+            url="troubleshoot.htm">Troubleshooting</ulink></entry>
+          </row>
+        </tbody>
+      </tgroup>
+    </informaltable>
+  </section>
+
+  <section>
+    <title>Documentation for Earlier Versions</title>
+
+    <para><ulink url="4.2/Documentation_Index.html">Shorewall 4.0/4.2
+    Documentation</ulink></para>
  </section>

  <section id="Index">
@@ -117,7 +142,8 @@
            <entry><ulink url="Audit.html">AUDIT Target
            support</ulink></entry>

-            <entry><ulink url="Manpages.html">Man Pages</ulink></entry>
+            <entry>Manpages (<ulink url="Manpages.html">IPv4</ulink>) (<ulink
+            url="Manpages6.html">IPv6</ulink>)</entry>

            <entry><ulink url="Shorewall_Squid_Usage.html">Squid with
            Shorewall</ulink></entry>
--- a/docs/FAQ.xml
+++ b/docs/FAQ.xml
@@ -2150,6 +2150,17 @@ gateway:~# </programlisting>
      and configured the <emphasis>shorewall-init</emphasis> package and a
      required interface has gone down.</para>
    </section>
+
+    <section id="faq99">
+      <title>(FAQ 99) My /var/lib/shorewall-init.log shows that Shorewall is
+      running at boot but after boot 'iptables -L' shows an empty
+      configuration</title>
+
+      <para><emphasis role="bold">Answer</emphasis>: This is caused by your
+      failure to disable your distributions default iptables configuration
+      tool when you installed Shorewall. Look for a service called 'iptables'
+      that is being started after Shorewall and disable it.</para>
+    </section>
  </section>

  <section id="MultiISP">
@@ -2221,6 +2232,8 @@ We have an error talking to the kernel
      you may be able to resolve the problem by loading the <emphasis
      role="bold">act_police</emphasis> kernel module. Other kernel modules
      that you will need include:<simplelist>
+          <member>cls_basic</member>
+
          <member>cls_fw</member>

          <member>cls_u32</member>
--- a/docs/ISO-3661.xml
+++ b/docs/ISO-3661.xml
@@ -47,7 +47,7 @@
    <para>Example - Drop email from the Anonymous Proxy and Satellite Provider
    networks.</para>

-    <para><filename>/etc/shorewall/tcrules</filename>:</para>
+    <para><filename>/etc/shorewall/rules</filename>:</para>

    <programlisting>    #ACTION   	   SOURCE	 	DEST	PROTO	DEST
    #		   					PORT(S)
--- a/docs/Install.xml
+++ b/docs/Install.xml
@@ -564,14 +564,6 @@
              role="bold">sharedir</emphasis>.</para>
            </listitem>
          </varlistentry>
-
-          <varlistentry>
-            <term>sysconfdir</term>
-
-            <listitem>
-              <para>Alias for <emphasis role="bold">confdir</emphasis>.</para>
-            </listitem>
-          </varlistentry>
        </variablelist>

        <para>Note that %configure may dsgenerate option/value pairs that are
--- a/docs/NetfilterOverview.xml
+++ b/docs/NetfilterOverview.xml
@@ -77,13 +77,31 @@
          shaping.</para>
        </listitem>
      </varlistentry>
+
+      <varlistentry>
+        <term>Raw</term>
+
+        <listitem>
+          <para>Used primarily for creating exemptions from connection
+          tracking with the NOTRACK target. Also used for stateless
+          DNAT.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>Rawpost</term>
+
+        <listitem>
+          <para>Used for stateless SNAT.</para>
+        </listitem>
+      </varlistentry>
    </variablelist>

    <para>The following diagram shows how packets traverse the various builtin
    chains within Netfilter. Note that not all table/chain combinations are
    used.</para>

-    <graphic align="center" fileref="images/Netfilter.png" />
+    <graphic align="center" fileref="images/Netfilter.png"/>

    <para><quote>Local Process</quote> means a process running on the
    Shorewall system itself.</para>
@@ -95,7 +113,7 @@

    <para>In the above diagram are boxes similar to this:</para>

-    <graphic fileref="images/Legend.png" />
+    <graphic fileref="images/Legend.png"/>

    <para>The above box gives the name of the built-in chain (<emphasis
    role="bold">INPUT</emphasis>) along with the names of the tables
--- a/docs/NewRelease.xml
+++ b/docs/NewRelease.xml
@@ -39,7 +39,7 @@

    <para>Shorewall releases are identified by three numbers separated by
    periods (e.g., 4.4.16). The first two digits (e.g., 4.4) specify the
-    <firstterm>major release number</firstterm>. The third numbere (e.g., 16)
+    <firstterm>major release number</firstterm>. The third number (e.g., 16)
    is the <firstterm>minor release number</firstterm>.</para>
  </section>

--- a/docs/OpenVZ.xml
+++ b/docs/OpenVZ.xml
@@ -151,7 +151,7 @@ vz       ipv4</programlisting>
      <programlisting>###############################################################################
 #ZONE    INTERFACE          BROADCAST      OPTIONS
 net      eth0               -              proxyarp=1
-vz       venet0             -              <emphasis role="bold">routeback,rp_filter=0</emphasis></programlisting>
+vz       venet0             -              <emphasis role="bold">routeback,arp_filter=0</emphasis></programlisting>
    </section>

    <section>
--- a/docs/QOSExample.xml
+++ b/docs/QOSExample.xml
@@ -0,0 +1,339 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
+"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
+<article>
+  <!--$Id$-->
+
+  <articleinfo>
+    <title>QOS Configuration</title>
+
+    <authorgroup>
+      <author>
+        <firstname>Tom</firstname>
+
+        <surname>Eastep</surname>
+      </author>
+    </authorgroup>
+
+    <pubdate><?dbtimestamp format="Y/m/d"?></pubdate>
+
+    <copyright>
+      <year>2012</year>
+
+      <holder>Thomas M. Eastep</holder>
+    </copyright>
+
+    <legalnotice>
+      <para>Permission is granted to copy, distribute and/or modify this
+      document under the terms of the GNU Free Documentation License, Version
+      1.2 or any later version published by the Free Software Foundation; with
+      no Invariant Sections, with no Front-Cover, and with no Back-Cover
+      Texts. A copy of the license is included in the section entitled
+      <quote><ulink url="GnuCopyright.htm">GNU Free Documentation
+      License</ulink></quote>.</para>
+    </legalnotice>
+  </articleinfo>
+
+  <section>
+    <title>Introduction</title>
+
+    <para>This configuration was inspired by the one in this thread on the
+    OpenWRT Forum: <ulink
+    url="https://forum.openwrt.org/viewtopic.php?pid=154533#p154533">https://forum.openwrt.org/viewtopic.php?pid=154533#p154533</ulink>.
+    The configuration has been adapted to Shorewall 4.5.6 with the following
+    changes:</para>
+
+    <orderedlist>
+      <listitem>
+        <para>The configuration uses an IFB, yet only uses firewall marks in
+        the OUTPUT and FORWARD chains to classify packets; clearly that
+        doesn't work<footnote>
+            <para>To be more precise, it doesn't work with an unpatched
+            kernel. The OpenWRT script assumes an 'act_conntrack' patch which
+            performs conntrack processing on packets before they are sent to
+            the IFB. That patch is not generally available.</para>
+          </footnote>The configuration presented here uses U32 classifiers
+        (shorewall-tcfilters(5)) to classify traffic for download shaping and
+        uses the POSTROUTING chain for upload shaping.</para>
+      </listitem>
+
+      <listitem>
+        <para>The sample uses a weak form of P2P classification; the one
+        presented below uses <ulink url="IPP2P.html">IPP2P</ulink>.</para>
+      </listitem>
+
+      <listitem>
+        <para>The OpenWRT script assumed that the uplink was ATM -- the one
+        below makes no assumption (it specifies 'ethernet' with overhead
+        '0').</para>
+      </listitem>
+    </orderedlist>
+  </section>
+
+  <section>
+    <title>/etc/shorewall/params</title>
+
+    <para>The shell variables set in the OpenWRT script are set in the
+    Shorewall params file:</para>
+
+    <programlisting>DOWNLOAD=40000 #download speed in kbit. set xx% of real download speed
+UPLOAD=7000 # set xx% of real upload speed
+
+# multiports = up to 15 ports
+# ports to be classified as bulk #set after connection mark save and after connection mark restore
+TCP_BULK="1024:" #S and D ports
+UDP_BULK="1024:" #S and D ports
+
+# Destination ports to be classified as P2P
+TCP_P2P="13769" #D ports
+UDP_P2P="13769" #D ports
+IP_P2P="192.168.0.133"
+
+# Destination ports to be classified as normal
+TCP_NORMAL="80,443,25,20,21,110,993,995" # D ports
+UDP_NORMAL=""
+
+# Destination ports to be classified as Prio (overules bulk ports)
+TCP_PRIO="22,53" #destination ports
+UDP_PRIO="22,53" #destination ports
+
+# Destination ports to be classified as VoIP (overules bulk ports)
+TCP_VOIP=""
+UDP_VOIP="18080"
+IP_VOIP="192.168.0.226" #destination and source IP
+IP_VOIP="192.168.0.226" #destination and source IP
+
+#!!!!!uplink leaf class parameters!!!!!!!!!
+
+#bulk
+UP_LS_BULK_RATE=$(($UPLOAD*5/100))
+UP_UL_BULK_RATE=$UPLOAD
+#settings leaf qdisc
+UP_BULK_RED_PROB=0.05 #red drob probability
+UP_BULK_RED_min=6250 #real limit. To limit BULK traffic
+UP_BULK_RED_min2=6250 #min for doing the calculations (burst and etc)
+UP_BULK_RED_max=$((2 * $UP_BULK_RED_min2 + $UP_BULK_RED_min))
+UP_BULK_RED_burst=$(((5 * $UP_BULK_RED_min2) / (3 * 1000)))
+UP_BULK_RED_limit=$(($UP_BULK_RED_max * 5))
+
+#P2P
+UP_LS_P2P_RATE=$(($UPLOAD * 5 / 100))
+UP_UL_P2P_RATE=$UPLOAD
+#settings leaf qdisc
+UP_P2P_RED_PROB=0.05 #red drob probability
+UP_P2P_RED_min=32000 #real limit. To limit P2P traffic
+UP_P2P_RED_min2=32000 #min for doing the calculations (burst and etc)
+UP_P2P_RED_max=$((5 * $UP_P2P_RED_min2 + $UP_P2P_RED_min))
+UP_P2P_RED_burst=$(((5 * $UP_P2P_RED_min2) / (3 * 1000)))
+UP_P2P_RED_limit=$(($UP_P2P_RED_max * 5))
+#normal class
+UP_LS_NORMAL_RATE=$(($UPLOAD * 40 / 100))
+UP_UL_NORMAL_RATE=$UPLOAD
+#settings leaf qdisc
+UP_NORMAL_RED_PROB=0.05 #red drob probability
+UP_NORMAL_RED_min=6250 #real limit. To limit NORMAL traffic
+UP_NORMAL_RED_min2=6250 #min for doing the calculations (burst and etc)
+UP_NORMAL_RED_max=$((2 * $UP_NORMAL_RED_min2 + $UP_NORMAL_RED_min))
+UP_NORMAL_RED_burst=$(((5 * $UP_NORMAL_RED_min2) / (3 * 1000)))
+UP_NORMAL_RED_limit=$(($UP_NORMAL_RED_max * 5))
+
+#prio
+UP_LS_PRIO_RATE=$(($UPLOAD*50/100))
+UP_RT_PRIO_RATE="200" #rate in kbit
+UP_RT_PRIO_UMAX="400" #lengte of the packets [byte]
+UP_RT_PRIO_DMAX="15" #delay in ms
+UP_UL_PRIO_RATE=$UPLOAD
+
+#Voip
+UP_UL_VOIP_RATE=$UPLOAD
+UP_SC_VOIP_RATE="200"
+UP_SC_VOIP_UMAX="350" #length of the voip packets [byte]
+UP_SC_VOIP_DMAX="10" #delay in ms
+
+#bulk
+DOWN_LS_BULK_RATE=$(($DOWNLOAD*5/100))
+DOWN_UL_BULK_RATE=$DOWNLOAD
+#leaf qdisc parameters
+DOWN_BULK_RED_PROB=0.05 #red drob probability
+DOWN_BULK_RED_min=62500 #real limit. To limit BULK traffic
+DOWN_BULK_RED_min2=62500 #min for doing the calculations (burst and etc)
+DOWN_BULK_RED_max=$((2 * $DOWN_BULK_RED_min2 + $DOWN_BULK_RED_min))
+DOWN_BULK_RED_burst=$(((5 * $DOWN_BULK_RED_min2) / (3 * 1000)))
+DOWN_BULK_RED_limit=$(($DOWN_BULK_RED_max * 5))
+
+
+#P2P
+DOWN_LS_P2P_RATE=$(($DOWNLOAD*5/100))
+DOWN_UL_P2P_RATE=4000
+#leaf qdisc parameters
+DOWN_P2P_RED_PROB=0.05 #red drob probability
+DOWN_P2P_RED_min=200000 #real limit. To limit P2P traffic
+DOWN_P2P_RED_min2=200000 #min for doing the calculations (burst and etc)
+DOWN_P2P_RED_max=$((2 * $DOWN_P2P_RED_min2 + $DOWN_P2P_RED_min))
+DOWN_P2P_RED_burst=$(((5 * $DOWN_P2P_RED_min2) / (3 * 1000)))
+DOWN_P2P_RED_limit=$(($DOWN_P2P_RED_max * 5))
+
+#normal class
+DOWN_LS_NORMAL_RATE=$(($DOWNLOAD*75/100))
+DOWN_UL_NORMAL_RATE=$DOWNLOAD
+
+#leaf qdisc parameters
+DOWN_NORMAL_RED_PROB=0.05 #red drob probability
+DOWN_NORMAL_RED_min=62500 #real limit. To limit NORMAL traffic
+DOWN_NORMAL_RED_min2=62500 #min for doing the calculations (burst and etc)
+DOWN_NORMAL_RED_max=$((2 * $DOWN_NORMAL_RED_min2 + $DOWN_NORMAL_RED_min))
+DOWN_NORMAL_RED_burst=$(((5 * $DOWN_NORMAL_RED_min2) / (3 * 1000)))
+DOWN_NORMAL_RED_limit=$(($DOWN_NORMAL_RED_max * 5))
+
+#prio
+DOWN_RT_PRIO_RATE="500" #rate in kbit
+DOWN_RT_PRIO_UMAX="400" #length of the packets [byte]/
+DOWN_RT_PRIO_DMAX="1.5" #delay in ms
+DOWN_UL_PRIO_RATE=$DOWNLOAD
+
+
+#Voip
+DOWN_UL_VOIP_RATE=$DOWNLOAD
+DOWN_SC_VOIP_RATE="250"
+DOWN_SC_VOIP_UMAX="350" #lengt of voip packets [byte]
+DOWN_SC_VOIP_DMAX="1.2" #delay in ms</programlisting>
+  </section>
+
+  <section>
+    <title>/etc/shorewall/init</title>
+
+    <para>The init file loads the ifb module, creating a single device:</para>
+
+    <programlisting>modprobe ifb numifbs=1
+ip link set ifb0 up</programlisting>
+  </section>
+
+  <section>
+    <title>/etc/shorewall/tcdevices</title>
+
+    <para>The tcdevices file describes the two devices:</para>
+
+    <programlisting>#NUMBER:        IN-BANDWITH     OUT-BANDWIDTH   OPTIONS         REDIRECTED
+#INTERFACE                                                      INTERFACES
+1:eth0          -               ${UPLOAD}kbit   hfsc,linklayer=ethernet,overhead=0
+2:ifb0          -               ${DOWNLOAD}kbit hfsc            eth0</programlisting>
+  </section>
+
+  <section>
+    <title>/etc/shorewall/tcclasses</title>
+
+    <para>The tcclasses file defines the class hierarchy for both
+    devices:</para>
+
+    <programlisting>#IFACE: MARK    RATE:                           CEIL                            PRIORITY        OPTIONS
+#CLASS          DMAX:UMAX
+1       1       ${UP_SC_VOIP_RATE}kbit:\
+                ${UP_SC_VOIP_DMAX}:\
+                ${UP_SC_VOIP_UMAX}              ${UP_UL_VOIP_RATE}kbit          1
+
+1       2       ${UP_RT_PRIO_RATE}kbit:\
+                ${UP_RT_PRIO_DMAX}:\
+                ${UP_RT_PRIO_UMAX}              ${UP_LS_PRIO_RATE}kbit:\
+                                                ${UP_UL_PRIO_RATE}kbit          1
+
+1       3       -                               ${UP_LS_NORMAL_RATE}kbit:\
+                                                ${UP_UL_NORMAL_RATE}kbit        1               red=(limit=$UP_NORMAL_RED_limit,\
+                                                                                                     min=$UP_NORMAL_RED_min,\
+                                                                                                     max=$UP_NORMAL_RED_max,\
+                                                                                                     burst=$UP_NORMAL_RED_burst,\
+                                                                                                     probability=$UP_NORMAL_RED_PROB,\
+                                                                                                     ecn)
+1       4       -                               ${UP_LS_P2P_RATE}kbit:\
+                                                ${UP_UL_P2P_RATE}kbit           1               red=(limit=$UP_P2P_RED_limit,\
+                                                                                                     min=$UP_P2P_RED_min,\
+                                                                                                     max=$UP_P2P_RED_max,\
+                                                                                                     burst=$UP_P2P_RED_burst,\
+                                                                                                     probability=$UP_P2P_RED_PROB,\
+                                                                                                     ecn)
+1       5       -                               ${UP_LS_BULK_RATE}kbit:\
+                                                ${UP_UL_BULK_RATE}kbit          1               default,\
+                                                                                                red=(limit=$UP_BULK_RED_limit,\
+                                                                                                     min=$UP_BULK_RED_min,\
+                                                                                                     max=$UP_BULK_RED_max,\
+                                                                                                     burst=$UP_BULK_RED_burst,\
+                                                                                                     probability=$UP_BULK_RED_PROB,\
+                                                                                                     ecn)
+
+2:10    -       ${UP_SC_VOIP_RATE}kbit:\
+                ${UP_SC_VOIP_DMAX}:\
+                ${UP_SC_VOIP_UMAX}              ${UP_UL_VOIP_RATE}kbit          1
+
+2:20    -       ${DOWN_RT_PRIO_RATE}kbit:\
+                ${DOWN_RT_PRIO_DMAX}:\
+                ${DOWN_RT_PRIO_UMAX}            ${DOWN_UL_PRIO_RATE}kbit        1
+
+2:30    -       -                               ${DOWN_LS_NORMAL_RATE}kbit:\
+                                                ${DOWN_UL_NORMAL_RATE}kbit      1               red=(limit=$DOWN_NORMAL_RED_limit,\
+                                                                                                     min=$DOWN_NORMAL_RED_min,\
+                                                                                                     max=$DOWN_NORMAL_RED_max,\
+                                                                                                     burst=$DOWN_NORMAL_RED_burst,\
+                                                                                                     probability=$DOWN_NORMAL_RED_PROB)
+2:40    -       -                               ${DOWN_LS_P2P_RATE}kbit:\
+                                                ${DOWN_UL_P2P_RATE}kbit         1               red=(limit=$DOWN_P2P_RED_limit,\
+                                                                                                     min=$DOWN_P2P_RED_min,\
+                                                                                                     max=$DOWN_P2P_RED_max,\
+                                                                                                     burst=$DOWN_P2P_RED_burst,\
+                                                                                                     probability=$DOWN_P2P_RED_PROB)
+2:50    -       -                               ${DOWN_LS_BULK_RATE}kbit:\
+                                                ${DOWN_UL_BULK_RATE}kbit        1               default,\
+                                                                                                red=(limit=$DOWN_BULK_RED_limit,\
+                                                                                                     min=$DOWN_BULK_RED_min,\
+                                                                                                     max=$DOWN_BULK_RED_max,\
+                                                                                                     burst=$DOWN_BULK_RED_burst,\
+                                                                                                     probability=$DOWN_BULK_RED_PROB)</programlisting>
+  </section>
+
+  <section>
+    <title>/etc/shorewall/tcrules</title>
+
+    <para>The tcrules file classifies upload packets:</para>
+
+    <programlisting>#MARK            SOURCE         DEST          PROTO     DEST        SOURCE     USER    TEST
+#                                                       PORT(S)     PORT(S)
+RESTORE:T        -              -             -         -           -          -       !0:C
+CONTINUE:T       -              -             -         -           -          -       !0
+2:T              -              -             icmp
+1:T              -              -             udp       $UDP_VOIP   -          -       0
+1:T              $IP_VOIP       -             -         -           -          -       0
+1:T              -              $IP_VOIP      -         -           -          -       0
+2:T              -              -             tcp       $TCP_PRIO   -          -       0
+2:T              -              -             udp       $UDP_PRIO   -          -       0
+2:T              -              -             tcp       -           $TCP_PRIO  -       0
+2:T              -              -             udp       -           $UDP_PRIO  -       0
+3:T              -              -             tcp       $TCP_NORMAL -          -       0
+4:T              -              -             ipp2p:all -           -          -       0
+5:T              -              -             tcp       $TCP_BULK   -          -       0
+5:T              -              -             tcp       -           $TCP_BULK  -       0
+5:T              -              -             udp       $UDP_BULK   -          -       0
+5:T              -              -             udp       -           $UDP_BULK  -       0
+SAVE:T           -              -             -         -           -          -      !0</programlisting>
+  </section>
+
+  <section>
+    <title>/etc/shorewall/tcfilters</title>
+
+    <para>The tcfilters file classifies download packets:</para>
+
+    <programlisting>#INTERFACE:     SOURCE  DEST    PROTO   DEST    SOURCE   TOS            LENGTH
+#CLASS                                  PORT(S) PORT(S)
+#
+# These classify download traffic
+#
+2:10            -       $MYNET  udp     -       $UDP_VOIP
+2:20            -       $MYNET  tcp     -       $TCP_PRIO
+2:20            -       $MYNET  udp     -       $UDP_PRIO
+2:20            -       $MYNET  tcp     $TCP_PRIO
+2:20            -       $MYNET  udp     $UDP_PRIO
+2:30            -       $MYNET  tcp     -       $TCP_NORMAL
+2:50            -       $MYNET  tcp     $TCP_BULK
+2:50            -       $MYNET  tcp     -       $TCP_BULK
+2:50            -       $MYNET  udp     $UDP_BULK
+2:50            -       $MYNET  tcp     -       $UDP_BULK
+</programlisting>
+  </section>
+</article>
--- a/docs/Shorewall_and_Aliased_Interfaces.xml
+++ b/docs/Shorewall_and_Aliased_Interfaces.xml
@@ -299,7 +299,7 @@ loc          ipv4</programlisting>
        <para>In <filename>/etc/shorewall/interfaces</filename>:</para>

        <programlisting>#ZONE       INTERFACE  BROADCAST                      OPTIONS
-loc         eth1       192.168.1.255,192.168.20.255   <emphasis role="bold">routeback</emphasis>   </programlisting>
+loc         eth1       -                              <emphasis role="bold">routeback</emphasis>   </programlisting>

        <para>In <filename>/etc/shorewall/rules</filename>, simply specify
        ACCEPT rules for the traffic that you want to permit.</para>
@@ -321,7 +321,7 @@ loc2         ipv4</programlisting>
        <para>In <filename>/etc/shorewall/interfaces</filename>:</para>

        <programlisting>#ZONE       INTERFACE  BROADCAST                      OPTIONS
-           eth1       192.168.1.255,192.168.20.255   </programlisting>
+-           eth1       -   </programlisting>

        <para>In <filename>/etc/shorewall/hosts</filename>:</para>

--- a/docs/configuration_file_basics.xml
+++ b/docs/configuration_file_basics.xml
@@ -1599,6 +1599,37 @@ SHELL cat /etc/shorewall/rules.d/*.rules 2&gt; /dev/null || true</programlisting

 &lt;lines to be omitted if $variable is non-empty and non-zero&gt;

+?ENDIF</programlisting>
+
+    <para>Beginning with Shorewall 4.5.6, rather than a simple variable in ?IF
+    directives, Perl-compatible expressions are allowed (after the Shorewall
+    compiler expands all variables, the resulting expression is then evaluated
+    by Perl). Variables in the expressions are as described above.</para>
+
+    <para>Example:</para>
+
+    <programlisting>?IF $BLACKLIST_LOGLEVEL == 6 &amp;&amp; ! __LOG_OPTIONS</programlisting>
+
+    <para>Additionally, a ?ELSIF directive is supported.</para>
+
+    <para>Example:</para>
+
+    <programlisting>?IF <replaceable>expression-1
+
+</replaceable>&lt;lines to be included if expression-1 evaluates to true (non-empty and non-zero)
+
+?ELSIF <replaceable>expression1-2</replaceable>
+
+&lt;lines to be included if expression-1 evaluates to false (zero or empty) and expression-2 evaluates to true
+
+?ELSIF <replaceable>expression-3
+</replaceable>
+&lt;lines to be included if expression-1 and expression-2 both evalute to false and expression-3 evalutes to true
+
+?ELSE
+
+&lt;lines to be included if all three expressions evaluate to false.
+
 ?ENDIF</programlisting>
  </section>

@@ -1625,16 +1656,23 @@ SHELL cat /etc/shorewall/rules.d/*.rules 2&gt; /dev/null || true</programlisting

    <itemizedlist>
      <listitem>
-        <para><emphasis role="bold">PERL</emphasis> &lt;<emphasis>perl
+        <para>[<emphasis role="bold">?</emphasis>]<emphasis
+        role="bold">PERL</emphasis> &lt;<emphasis>perl
        script</emphasis>&gt;</para>
      </listitem>

      <listitem>
-        <para><emphasis role="bold">SHELL</emphasis> &lt;<emphasis>shell
+        <para>[<emphasis role="bold">?</emphasis>]<emphasis
+        role="bold">SHELL</emphasis> &lt;<emphasis>shell
        script</emphasis>&gt;</para>
      </listitem>
    </itemizedlist>

+    <note>
+      <para>The optional leading question mark (?) is allowed in Shorewall
+      4.5.5 and later.</para>
+    </note>
+
    <para>Shell scripts run in a child shell process and their output is piped
    back to the compiler which processes that output as if it were embedded at
    the point of the script.</para>
@@ -1678,14 +1716,19 @@ use Shorewall::Config ( qw/shorewall/ );</programlisting>
      </listitem>
    </orderedlist>

-    <para>Multi-line scripts use one of the following forms:<programlisting><emphasis
-          role="bold">BEGIN SHELL</emphasis>
+    <para>Multi-line scripts use one of the following forms:<programlisting>[<emphasis
+          role="bold">?</emphasis>]<emphasis role="bold">BEGIN SHELL</emphasis>
 &lt;<emphasis>shell script</emphasis>&gt;
-<emphasis role="bold">END</emphasis> [ <emphasis role="bold">SHELL</emphasis> ]</programlisting><programlisting><emphasis
-          role="bold">BEGIN PERL</emphasis> [;]
+[<emphasis role="bold">?</emphasis>]<emphasis role="bold">END</emphasis> [ <emphasis
+          role="bold">SHELL</emphasis> ]</programlisting><programlisting>[<emphasis
+          role="bold">?</emphasis>]<emphasis role="bold">BEGIN PERL</emphasis> [<emphasis
+          role="bold">;</emphasis>]
 &lt;<emphasis>perl script</emphasis>&gt;
-<emphasis role="bold">END</emphasis> [ <emphasis role="bold">PERL</emphasis> ] [<emphasis
-          role="bold">;</emphasis>]</programlisting></para>
+[<emphasis role="bold">?</emphasis>]<emphasis role="bold">END</emphasis> [ <emphasis
+          role="bold">PERL</emphasis> ] [<emphasis role="bold">;</emphasis>]</programlisting><note>
+        <para>The optional leading question mark (?) is allowed in Shorewall
+        4.5.5 and later.</para>
+      </note></para>
  </section>

  <section id="dnsnames">
--- a/docs/images/Netfilter.png
+++ b/docs/images/Netfilter.png
--- a/docs/images/Netfilter.vdx
+++ b/docs/images/Netfilter.vdx
--- a/docs/shorewall_logging.xml
+++ b/docs/shorewall_logging.xml
@@ -155,6 +155,61 @@
      If you are unsure of the level to choose, 6 (info) is a safe bet. You
      may specify levels by name or by number.</para>

+      <para>Beginning with Shorewall 4.5.5, the
+      <replaceable>level</replaceable> name or number may be optionally
+      followed by a comma-separated list of one or more<replaceable> log
+      options</replaceable>. The list is enclosed in parentheses. Log options
+      cause additional information to be included in each log message.</para>
+
+      <para>Valid log options are:</para>
+
+      <variablelist>
+        <varlistentry>
+          <term><emphasis role="bold">ip_options</emphasis></term>
+
+          <listitem>
+            <para>Log messages will include the option settings from the IP
+            header.</para>
+          </listitem>
+        </varlistentry>
+
+        <varlistentry>
+          <term><emphasis role="bold">macdecode</emphasis></term>
+
+          <listitem>
+            <para>Decode the MAC address and protocol.</para>
+          </listitem>
+        </varlistentry>
+
+        <varlistentry>
+          <term><emphasis role="bold">tcp_sequence</emphasis></term>
+
+          <listitem>
+            <para>Include TCP sequence numbers.</para>
+          </listitem>
+        </varlistentry>
+
+        <varlistentry>
+          <term><emphasis role="bold">tcp_options</emphasis></term>
+
+          <listitem>
+            <para>Include options from the TCP header.</para>
+          </listitem>
+        </varlistentry>
+
+        <varlistentry>
+          <term><emphasis role="bold">uid</emphasis></term>
+
+          <listitem>
+            <para>Include the UID of the sending program; only valid for
+            packets originating on the firewall itself.</para>
+          </listitem>
+        </varlistentry>
+      </variablelist>
+
+      <para>Example: <emphasis
+      role="bold">info(tcp_options,tcp_sequence)</emphasis></para>
+
      <para>Syslogd writes log messages to files (typically in <filename
      class="directory">/var/log/</filename>*) based on their facility and
      level. The mapping of these facility/level pairs to log files is done in
@@ -278,10 +333,11 @@ ACCEPT:NFLOG(1,0,1) vpn        fw       tcp       ssh,time,631,8080 </programlis

  <section id="Contents">
    <title>Understanding the Contents of Shorewall Log Messages</title>
-	
+
    <para>For general information on the contents of Netfilter log messages,
    see <ulink
-		url="http://www.net.co.at/doc/howto/docs/iptables_netfilter_howto_de/docs/netfilter_log_format/index.html">http://www.net.co.at/doc/howto/docs/iptables_netfilter_howto_de/docs/netfilter_log_format/index.html</ulink>.</para>
+    url="http://logi.cc/en/2010/07/netfilter-log-format/">http://logi.cc/en/2010/07/netfilter-log-format/</ulink>.</para>
+
    <para>For Shorewall-specific information, see <ulink
    url="FAQ.htm#faq17">FAQ #17</ulink>.</para>
  </section>
--- a/docs/traffic_shaping.xml
+++ b/docs/traffic_shaping.xml
@@ -404,7 +404,7 @@

          <variablelist>
            <varlistentry>
-              <term>classify</term>
+              <term><emphasis role="bold">classify</emphasis></term>

              <listitem>
                <para>If specified, classification of traffic into the various
@@ -416,7 +416,7 @@
            </varlistentry>

            <varlistentry>
-              <term>hfsc</term>
+              <term><emphasis role="bold">hfsc</emphasis></term>

              <listitem>
                <para>Shorewall normally uses the <firstterm>Hierarchical
@@ -426,6 +426,58 @@
                discipline is used instead.</para>
              </listitem>
            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis role="bold">linklayer</emphasis></term>
+
+              <listitem>
+                <para>Added in Shorewall 4.5.6. Type of link (ethernet, atm,
+                adsl). When specified, causes scheduler packet size
+                manipulation as described in tc-stab (8). When this option is
+                given, the following options may also be given after
+                it:</para>
+
+                <variablelist>
+                  <varlistentry>
+                    <term><emphasis
+                    role="bold">mtu</emphasis>=<replaceable>mtu</replaceable></term>
+
+                    <listitem>
+                      <para>The device MTU; default 2048 (will be rounded up
+                      to a power of two)</para>
+                    </listitem>
+                  </varlistentry>
+
+                  <varlistentry>
+                    <term><emphasis
+                    role="bold">mpu</emphasis>=<replaceable>mpubytes</replaceable></term>
+
+                    <listitem>
+                      <para>Minimum packet size used in calculations. Smaller
+                      packets will be rounded up to this size</para>
+                    </listitem>
+                  </varlistentry>
+
+                  <varlistentry>
+                    <term><emphasis
+                    role="bold">tsize</emphasis>=<replaceable>tablesize</replaceable></term>
+
+                    <listitem>
+                      <para>Size table entries; default is 512</para>
+                    </listitem>
+                  </varlistentry>
+
+                  <varlistentry>
+                    <term><emphasis
+                    role="bold">overhead</emphasis>=<replaceable>overheadbytes</replaceable></term>
+
+                    <listitem>
+                      <para>Number of overhead bytes per packet</para>
+                    </listitem>
+                  </varlistentry>
+                </variablelist>
+              </listitem>
+            </varlistentry>
          </variablelist>
        </listitem>

@@ -740,6 +792,18 @@ ppp0           6000kbit         500kbit</programlisting>
              <emphasis>number</emphasis> must be &gt; 2 and less than 128. If
              not specified, the value 127 is assumed</para>
            </listitem>
+
+            <listitem>
+              <para>red=(<replaceable>redoption</replaceable>,...) - Added in
+              Shorewall 4.5.6. When specified on a leaf class, causes the
+              class to use the red queuing discipline rather than SFQ. See
+              tc-red (8) for additional information.</para>
+
+              <para>See <ulink
+              url="manpages/shorewall-tcdevices.html">shorewall-tcdevices</ulink>
+              (5) for a description of the allowable
+              <replaceable>redoptions</replaceable>.</para>
+            </listitem>
          </itemizedlist>
        </listitem>
      </itemizedlist>