Compensate for silly RHEL bug

Signed-off-by: Tom Eastep <teastep@shorewall.net>
Add the HELPER column to the rules files.
2012-08-19 06:43:25 -07:00 · 2012-08-18 12:05:42 -07:00 · 2012-08-18 08:00:56 -07:00 · 2012-08-17 14:24:52 -07:00 · 2012-08-16 15:49:33 -07:00 · 2012-08-16 14:46:48 -07:00
135 changed files with 6910 additions and 2586 deletions
--- a/Shorewall-core/configure
+++ b/Shorewall-core/configure
@@ -81,9 +81,6 @@ for p in $@; do
 		DATADIR)
 		    pn=SHAREDIR
 		    ;;
 		SYSCONFDIR)
 		    pn=CONFDIR
 		    ;;
 	    esac
 	    params[${pn}]="${pv}"
@@ -132,7 +129,7 @@ if [ -z "$vendor" ]; then
    vendor=${params[HOST]}
 elif [ $vendor = linux ]; then
-    rcfile=$shorewallrc.default;
+    rcfile=shorewallrc.default;
 else
    rcfile=shorewallrc.$vendor
    if [ ! -f $rcfile ]; then
--- a/Shorewall-core/configure.pl
+++ b/Shorewall-core/configure.pl
@@ -39,8 +39,7 @@ my %options;
 my %aliases = ( VENDOR         => 'HOST',
 		SHAREDSTATEDIR => 'VARDIR',
-		DATADIR        => 'SHAREDIR',
+		DATADIR        => 'SHAREDIR' );
 		SYSCONFDIR     => 'CONFDIR' );
 for ( @ARGV ) {
    die "ERROR: Invalid option specification ( $_ )" unless /^(?:--)?(\w+)=(.*)$/;
--- a/Shorewall-core/lib.base
+++ b/Shorewall-core/lib.base
@@ -28,7 +28,7 @@
 #
 SHOREWALL_LIBVERSION=40502
-SHOREWALL_CAPVERSION=40504
+SHOREWALL_CAPVERSION=40507
 [ -n "${g_program:=shorewall}" ]
@@ -130,71 +130,6 @@ combine_list()
    echo $o
 }
 #
 # Call this function to assert mutual exclusion with Shorewall. If you invoke the
 # /sbin/shorewall program while holding mutual exclusion, you should pass "nolock" as
 # the first argument. Example "shorewall nolock refresh"
 #
 # This function uses the lockfile utility from procmail if it exists.
 # Otherwise, it uses a somewhat race-prone algorithm to attempt to simulate the
 # behavior of lockfile.
 #
 mutex_on()
 {
    local try
    try=0
    local lockf
    lockf=${LOCKFILE:=${VARDIR}/lock}
    local lockpid
    MUTEX_TIMEOUT=${MUTEX_TIMEOUT:-60}
    if [ $MUTEX_TIMEOUT -gt 0 ]; then
 	[ -d ${VARDIR} ] || mkdir -p ${VARDIR}
 	if [ -f $lockf ]; then
 	    lockpid=`cat ${lockf} 2> /dev/null`
 	    if [ -z "$lockpid" -o $lockpid = 0 ]; then
 		rm -f ${lockf}
 		error_message "WARNING: Stale lockfile ${lockf} removed"
 	    elif ! qt ps p ${lockpid}; then
 		rm -f ${lockf}
 		error_message "WARNING: Stale lockfile ${lockf} from pid ${lockpid} removed"
 	    fi
 	fi
 	if qt mywhich lockfile; then
 	    lockfile -${MUTEX_TIMEOUT} -r1 ${lockf}
 	    chmod u+w ${lockf}
 	    echo $$ > ${lockf}
 	    chmod u-w ${lockf}
 	else
 	    while [ -f ${lockf} -a ${try} -lt ${MUTEX_TIMEOUT} ] ; do
 		sleep 1
 		try=$((${try} + 1))
 	    done
 	    if  [ ${try} -lt ${MUTEX_TIMEOUT} ] ; then
 	        # Create the lockfile
 		echo $$ > ${lockf}
 	    else
 		echo "Giving up on lock file ${lockf}" >&2
 	    fi
 	fi
    fi
 }
 #
 # Call this function to release mutual exclusion
 #
 mutex_off()
 {
    rm -f ${LOCKFILE:=${VARDIR}/lock}
 }
 [ -z "$LEFTSHIFT" ] && . ${g_basedir}/lib.common
 #
 # Validate an IP address
 #
@@ -323,6 +258,8 @@ ip_range_explicit() {
    done
 }
 [ -z "$LEFTSHIFT" ] && . ${g_basedir}/lib.common
 #
 # Netmask to VLSM
 #
--- a/Shorewall-core/lib.cli
+++ b/Shorewall-core/lib.cli
@@ -615,6 +615,20 @@ show_connections_filter() {
    fi
 }
 show_nfacct() {
    if [ -n "$NFACCT" -a ! -x "$NFACCT" ]; then
 	error_message "WARNING: NFACCT=$NFACCT does not exist or is not executable"
 	NFACCT=
    else
 	NFACCT=$(mywhich nfacct)
 	[ -n "$NFACCT" ] || echo "No NF Accounting defined (nfacct not found)"
    fi
    if [ -n "$NFACCT" ]; then
 	$NFACCT list
 	echo
    fi
 }
 #
 # Show Command Executor
 #
@@ -920,6 +934,12 @@ show_command() {
 	    echo
 	    [ -f ${VARDIR}/marks ] && cat ${VARDIR}/marks;
 	    ;;
 	nfacct)
 	    [ $# -gt 1 ] && usage 1
 	    echo "$g_product $SHOREWALL_VERSION NF Accounting at $g_hostname - $(date)"
 	    echo
 	    show_nfacct
 	    ;;
 	*)
 	    case "$g_program" in
 		*-lite)
@@ -1202,6 +1222,9 @@ do_dump_command() {
 	perip_accounting
    fi
    heading "NF Accounting"
    show_nfacct
    if qt mywhich setkey; then
 	heading "PFKEY SPD"
 	setkey -DP
@@ -1995,6 +2018,23 @@ determine_capabilities() {
    DSCP_MATCH=
    DSCP_TARGET=
    GEOIP_MATCH=
    RPFILTER_MATCH=
    NFACCT_MATCH=
    AMANDA_HELPER=
    FTP_HELPER=
    FTP0_HELPER=
    IRC_HELPER=
    IRC0_HELPER=
    NETBIOS_NS_HELPER=
    H323_HELPER=
    PPTP_HELPER=
    SANE_HELPER=
    SANE0_HELPER=
    SIP_HELPER=
    SIP0_HELPER=
    SNMP_HELPER=
    TFTP_HELPER=
    TFTP0_HELPER=
    chain=fooX$$
@@ -2107,6 +2147,19 @@ determine_capabilities() {
    qt $g_tool -A $chain -j ACCEPT -m comment --comment "This is a comment" && COMMENTS=Yes
    if [ -n "$NFACCT" -a ! -x "$NFACCT" ]; then
 	error_message "WARNING: NFACCT=$NFACCT does not exist or is not executable"
 	NFACCT=
    else
 	NFACCT=$(mywhich nfacct)
    fi
    if [ -n "$NFACCT" ] && qt $NFACCT add $chain; then
 	qt $g_tool -A $chain -m nfacct --nfacct-name $chain && NFACCT_MATCH=Yes
 	qt $g_tool -D $chain -m nfacct --nfacct-name $chain
 	qt $NFACCT del $chain
    fi
    if [ -n "$MANGLE_ENABLED" ]; then
 	qt $g_tool -t mangle -N $chain
@@ -2127,6 +2180,7 @@ determine_capabilities() {
 	qt $g_tool -t mangle -A $chain -j IMQ --todev 0 && IMQ_TARGET=Yes
 	qt $g_tool -t mangle -A $chain -m dscp --dscp 0 && DSCP_MATCH=Yes
 	qt $g_tool -t mangle -A $chain -j DSCP --set-dscp 0 && DSCP_TARGET=Yes
 	qt $g_tool -t mangle -A $chain -m rpfilter && RPFILTER_MATCH=Yes
 	qt $g_tool -t mangle -F $chain
 	qt $g_tool -t mangle -X $chain
@@ -2134,15 +2188,36 @@ determine_capabilities() {
 	qt $g_tool -t mangle -L FORWARD -n && MANGLE_FORWARD=Yes
    fi
-    qt $g_tool -t raw	    -L -n && RAW_TABLE=Yes
+    qt $g_tool -t raw	  -L -n && RAW_TABLE=Yes
    qt $g_tool -t rawpost -L -n && RAWPOST_TABLE=Yes
    if [ -n "$RAW_TABLE" ]; then
 	qt $g_tool -t raw -N $chain
 	qt $g_tool -t raw -A $chain -j CT --notrack && CT_TARGET=Yes
 	qt $g_tool -t raw -N $chain
 	qt $g_tool -t raw -F $chain
 	qt $g_tool -t raw -X $chain
 	qt $g_tool -t raw -N $chain
 	if qt $g_tool -t raw -A $chain -j CT --notrack; then
 	    CT_TARGET=Yes;
 	    qt $g_tool -t raw -A $chain -p udp --dport 10080 -j CT --helper amanda     && AMANDA_HELPER=Yes
 	    qt $g_tool -t raw -A $chain -p tcp --dport 21    -j CT --helper ftp        && FTP_HELPER=Yes
 	    qt $g_tool -t raw -A $chain -p tcp --dport 21    -j CT --helper ftp-0      && FTP0_HELPER=Yes
 	    qt $g_tool -t raw -A $chain -p udp --dport 1719  -j CT --helper RAS        && H323_HELPER=Yes
 	    qt $g_tool -t raw -A $chain -p tcp --dport 6667  -j CT --helper irc        && IRC_HELPER=Yes
 	    qt $g_tool -t raw -A $chain -p tcp --dport 6667  -j CT --helper irc-0      && IRC0_HELPER=Yes
 	    qt $g_tool -t raw -A $chain -p udp --dport 137   -j CT --helper netbios-ns && NETBIOS_NS_HELPER=Yes
 	    qt $g_tool -t raw -A $chain -p tcp --dport 1729  -j CT --helper pptp       && PPTP_HELPER=Yes
 	    qt $g_tool -t raw -A $chain -p tcp --dport 6566  -j CT --helper sane       && SANE_HELPER=Yes
 	    qt $g_tool -t raw -A $chain -p tcp --dport 6566  -j CT --helper sane-0     && SANE0_HELPER=Yes
 	    qt $g_tool -t raw -A $chain -p udp --dport 5060  -j CT --helper sip        && SIP_HELPER=Yes
 	    qt $g_tool -t raw -A $chain -p udp --dport 5060  -j CT --helper sip-0      && SIP0_HELPER=Yes
 	    qt $g_tool -t raw -A $chain -p udp --dport 161   -j CT --helper snmp       && SNMP_HELPER=Yes
 	    qt $g_tool -t raw -A $chain -p udp --dport 69    -j CT --helper tftp       && TFTP_HELPER=Yes
 	    qt $g_tool -t raw -A $chain -p udp --dport 69    -j CT --helper tftp-0     && TFTP0_HELPER=Yes
 	fi
 	qt $g_tool -t raw -F $chain
 	qt $g_tool -t raw -X $chain	   
    fi
    if qt mywhich ipset; then
@@ -2160,10 +2235,10 @@ determine_capabilities() {
 	    if [ -n "$have_ipset" ]; then
 		if qt $g_tool -A $chain -m set --match-set $chain src -j ACCEPT; then
-		    qt $g_tool -D $chain -m set --match-set $chain src -j ACCEPT
+		    qt $g_tool -F $chain
 		    IPSET_MATCH=Yes
 		elif qt $g_tool -A $chain -m set --set $chain src -j ACCEPT; then
-		    qt $g_tool -D $chain -m set --set $chain src -j ACCEPT
+		    qt $g_tool -F $chain
 		    IPSET_MATCH=Yes
 		    OLD_IPSET_MATCH=Yes
 		fi
@@ -2172,10 +2247,10 @@ determine_capabilities() {
 	elif qt ipset -N $chain hash:ip family inet6; then
 	    IPSET_V5=Yes
 	    if qt $g_tool -A $chain -m set --match-set $chain src -j ACCEPT; then
-		qt $g_tool -D $chain -m set --match-set $chain src -j ACCEPT
+		qt $g_tool -F $chain
 		IPSET_MATCH=Yes
 	    elif qt $g_tool -A $chain -m set --set $chain src -j ACCEPT; then
-		qt $g_tool -D $chain -m set --set $chain src -j ACCEPT
+		qt $g_tool -F $chain
 		IPSET_MATCH=Yes
 		OLD_IPSET_MATCH=Yes
 	    fi
@@ -2193,7 +2268,28 @@ determine_capabilities() {
    fi
    qt $g_tool -A $chain -j NFQUEUE --queue-num 4 && NFQUEUE_TARGET=Yes
    qt $g_tool -A $chain -m realm --realm 4 && REALM_MATCH=Yes
-    qt $g_tool -A $chain -m helper --helper "ftp" && HELPER_MATCH=Yes
+
    #
    # -m helper doesn't verify the existence of the specified helper :-(
    #
    if qt $g_tool -A $chain -p tcp --dport 21 -m helper --helper ftp; then
 	HELPER_MATCH=Yes
 	if [ -z "$CT_TARGET" ]; then
 	    AMANDA_HELPER=Yes
 	    FTP_HELPER=Yes
 	    FTP_HELPER=Yes
 	    H323_HELPER=Yes
 	    IRC_HELPER=Yes
 	    NS_HELPER=Yes
 	    PPTP_HELPER=Yes
 	    SANE_HELPER=Yes
 	    SIP_HELPER=Yes
 	    SNMP_HELPER=Yes
 	    TFTP_HELPER=Yes
 	fi
    fi
    qt $g_tool -A $chain -m connlimit --connlimit-above 8 -j DROP && CONNLIMIT_MATCH=Yes
    qt $g_tool -A $chain -m time --timestart 23:00 -j DROP && TIME_MATCH=Yes
    qt $g_tool -A $chain -g $chain1 && GOTO_TARGET=Yes
@@ -2319,6 +2415,23 @@ report_capabilities() {
 	report_capability "DSCP Match (DSCP_MATCH)" $DSCP_MATCH
 	report_capability "DSCP Target (DSCP_TARGET)" $DSCP_TARGET
 	report_capability "Geo IP match" $GEOIP_MATCH
 	report_capability "RPFilter match" $RPFILTER_MATCH
 	report_capability "NFAcct match" $NFACCT_MATCH
 	report_capability "Amanda Helper" $AMANDA_HELPER
 	report_capability "FTP Helper" $FTP_HELPER
 	report_capability "FTP-0 Helper" $FTP0_HELPER
 	report_capability "IRC Helper" $IRC_HELPER
 	report_capability "IRC-0 Helper" $IRC0_HELPER
 	report_capability "Netbios_ns Helper" $NETBIOS_NS_HELPER
 	report_capability "H323 Helper" $H323_HELPER
 	report_capability "PPTP Helper" $PPTP_HELPER
 	report_capability "SANE Helper" $SANE_HELPER
 	report_capability "SANE-0 Helper" $SANE0_HELPER
 	report_capability "SIP Helper" $SIP_HELPER
 	report_capability "SIP-0 Helper" $SIP0_HELPER
 	report_capability "SNMP Helper" $SNMP_HELPER
 	report_capability "TFTP Helper" $TFTP_HELPER
 	report_capability "TFTP-0 Helper" $TFTP0_HELPER
 	if [ $g_family -eq 4 ]; then
 	    report_capability "iptables -S (IPTABLES_S)" $IPTABLES_S
@@ -2328,6 +2441,9 @@ report_capabilities() {
 	report_capability "Basic Filter (BASIC_FILTER)" $BASIC_FILTER
 	report_capability "CT Target (CT_TARGET)" $CT_TARGET
 	echo "   Kernel Version (KERNELVERSION): $KERNELVERSION"
 	echo "   Capabilities Version (CAPVERSION): $CAPVERSION"
    fi
    [ -n "$PKTTYPE" ] || USEPKTTYPE=
@@ -2410,6 +2526,23 @@ report_capabilities1() {
    report_capability1 DSCP_MATCH
    report_capability1 DSCP_TARGET
    report_capability1 GEOIP_MATCH
    report_capability1 RPFILTER_MATCH
    report_capability1 NFACCT_MATCH
    report_capability1 AMANDA_HELPER
    report_capability1 FTP_HELPER
    report_capability1 FTP0_HELPER
    report_capability1 IRC_HELPER
    report_capability1 IRC0_HELPER
    report_capability1 NETBIOS_NS_HELPER
    report_capability1 H323_HELPER
    report_capability1 PPTP_HELPER
    report_capability1 SANE_HELPER
    report_capability1 SANE0_HELPER
    report_capability1 SIP_HELPER
    report_capability1 SIP0_HELPER
    report_capability1 SNMP_HELPER
    report_capability1 TFTP_HELPER
    report_capability1 TFTP0_HELPER
    echo CAPVERSION=$SHOREWALL_CAPVERSION
    echo KERNELVERSION=$KERNELVERSION
@@ -2946,9 +3079,16 @@ usage() # $1 = exit status
    echo "   show connections"
    echo "   show filters"
    echo "   show ip"
    if [ $g_family -eq 4 ]; then
 	echo "   show ipa"
    fi
    echo "   show [ -m ] log [<regex>]"
-    echo "   show [ -x ] mangle|nat|raw|rawpost|routing"
+    echo "   show [ -x ] mangle|nat|raw|rawpost"
    echo "   show nfacct"
    echo "   show policies"
    echo "   show routing"
    echo "   show tc [ device ]"
    echo "   show vardir"
    echo "   show zones"
--- a/Shorewall-core/lib.common
+++ b/Shorewall-core/lib.common
@@ -717,3 +717,69 @@ truncate() # $1 = length
 {
    cut -b -${1}
 }
 #
 # Call this function to assert mutual exclusion with Shorewall. If you invoke the
 # /sbin/shorewall program while holding mutual exclusion, you should pass "nolock" as
 # the first argument. Example "shorewall nolock refresh"
 #
 # This function uses the lockfile utility from procmail if it exists.
 # Otherwise, it uses a somewhat race-prone algorithm to attempt to simulate the
 # behavior of lockfile.
 #
 mutex_on()
 {
    local try
    try=0
    local lockf
    lockf=${LOCKFILE:=${VARDIR}/lock}
    local lockpid
    MUTEX_TIMEOUT=${MUTEX_TIMEOUT:-60}
    if [ $MUTEX_TIMEOUT -gt 0 ]; then
 	[ -d ${VARDIR} ] || mkdir -p ${VARDIR}
 	if [ -f $lockf ]; then
 	    lockpid=`cat ${lockf} 2> /dev/null`
 	    if [ -z "$lockpid" -o $lockpid = 0 ]; then
 		rm -f ${lockf}
 		error_message "WARNING: Stale lockfile ${lockf} removed"
 	    elif [ $lockpid -eq $$ ]; then
                return 0
 	    elif ! qt ps p ${lockpid}; then
 		rm -f ${lockf}
 		error_message "WARNING: Stale lockfile ${lockf} from pid ${lockpid} removed"
 	    fi
 	fi
 	if qt mywhich lockfile; then
 	    lockfile -${MUTEX_TIMEOUT} -r1 ${lockf}
 	    chmod u+w ${lockf}
 	    echo $$ > ${lockf}
 	    chmod u-w ${lockf}
 	else
 	    while [ -f ${lockf} -a ${try} -lt ${MUTEX_TIMEOUT} ] ; do
 		sleep 1
 		try=$((${try} + 1))
 	    done
 	    if  [ ${try} -lt ${MUTEX_TIMEOUT} ] ; then
 	        # Create the lockfile
 		echo $$ > ${lockf}
 	    else
 		echo "Giving up on lock file ${lockf}" >&2
 	    fi
 	fi
    fi
 }
 #
 # Call this function to release mutual exclusion
 #
 mutex_off()
 {
    rm -f ${LOCKFILE:=${VARDIR}/lock}
 }
--- a/Shorewall-init/ifupdown.sh
+++ b/Shorewall-init/ifupdown.sh
@@ -106,15 +106,11 @@ if [ -f /etc/debian_version ]; then
 	    else
 		exit 0
 	    fi
 	    case "$PHASE" in
 		pre-*)
 		    exit 0
 		    ;;
 	    esac
 	    ;;
    esac
 elif [ -f /etc/SuSE-release ]; then
    PHASE=''
    case $0 in
 	/etc/ppp*)
 	    #
@@ -146,6 +142,8 @@ else
    #
    # Assume RedHat/Fedora/CentOS/Foobar/...
    #
    PHASE=''
    case $0 in
 	/etc/ppp*)
 	    INTERFACE="$1"
@@ -186,20 +184,12 @@ else
    esac
 fi
 [ -n "$LOGFILE" ] || LOGFILE=/dev/null
 for PRODUCT in $PRODUCTS; do
    #
    # For backward compatibility, lib.base appends the product name to VARDIR
    # Save it here and restore it below
    #
    save_vardir=${VARDIR}
    if [ -x $VARDIR/$PRODUCT/firewall ]; then
-	  ( . ${SHAREDIR}/shorewall/lib.base
+	  ( ${VARDIR}/$PRODUCT/firewall -V0 $COMMAND $INTERFACE >> $LOGFILE 2>&1 ) || true
 	    mutex_on
 	    ${VARDIR}/firewall -V0 $COMMAND $INTERFACE || echo_notdone
 	    mutex_off
 	  )
    fi
    VARDIR=${save_vardir}
 done
 exit 0
--- a/Shorewall-init/install.sh
+++ b/Shorewall-init/install.sh
@@ -260,6 +260,11 @@ else
    first_install="Yes"
 fi
 if [ -n "$DESTDIR" ]; then
    mkdir -p ${DESTDIR}${CONFDIR}/logrotate.d
    chmod 755 ${DESTDIR}${CONFDIR}/logrotate.d
 fi
 #
 # Install the Firewall Script
 #
@@ -292,27 +297,35 @@ fi
 #
 # Create /usr/share/shorewall-init if needed
 #
-mkdir -p ${DESTDIR}/usr/share/shorewall-init
+mkdir -p ${DESTDIR}${SHAREDIR}/shorewall-init
-chmod 755 ${DESTDIR}/usr/share/shorewall-init
+chmod 755 ${DESTDIR}${SHAREDIR}/shorewall-init
 #
 # Install logrotate file
 #
 if [ -d ${DESTDIR}${CONFDIR}/logrotate.d ]; then
    run_install $OWNERSHIP -m 0644 logrotate ${DESTDIR}${CONFDIR}/logrotate.d/$PRODUCT
    echo "Logrotate file installed as ${DESTDIR}${CONFDIR}/logrotate.d/$PRODUCT"
 fi
 #
 # Create the version file
 #
-echo "$VERSION" > ${DESTDIR}/usr/share/shorewall-init/version
+echo "$VERSION" > ${DESTDIR}/${SHAREDIR}/shorewall-init/version
-chmod 644 ${DESTDIR}/usr/share/shorewall-init/version
+chmod 644 ${DESTDIR}${SHAREDIR}/shorewall-init/version
 #
 # Remove and create the symbolic link to the init script
 #
 if [ -z "$DESTDIR" ]; then
-    rm -f /usr/share/shorewall-init/init
+    rm -f ${SHAREDIR}/shorewall-init/init
    ln -s ${INITDIR}/${INITFILE} ${SHAREDIR}/shorewall-init/init
 fi
 if [ $HOST = debian ]; then
    if [ -n "${DESTDIR}" ]; then
 	mkdir -p ${DESTDIR}/etc/network/if-up.d/
-	mkdir -p ${DESTDIR}/etc/network/if-post-down.d/
+	mkdir -p ${DESTDIR}/etc/network/if-down.d/
    fi
    if [ ! -f ${DESTDIR}/etc/default/shorewall-init ]; then
@@ -347,7 +360,7 @@ fi
 cp ifupdown.sh ifupdown
-d[ "${SHAREDIR}" = /usr/share ] || eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ifupdown
+[ "${SHAREDIR}" = /usr/share ] || eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ifupdown
 mkdir -p ${DESTDIR}${LIBEXECDIR}/shorewall-init
@@ -360,6 +373,7 @@ fi
 case $HOST in
    debian)
 	install_file ifupdown ${DESTDIR}/etc/network/if-up.d/shorewall 0544
 	install_file ifupdown ${DESTDIR}/etc/network/if-down.d/shorewall 0544
 	install_file ifupdown ${DESTDIR}/etc/network/if-post-down.d/shorewall 0544
 	;;
    suse)
@@ -382,12 +396,12 @@ if [ -z "$DESTDIR" ]; then
    if [ -n "$first_install" ]; then
 	if [ $HOST = debian ]; then
-	    update-rc.d shorewall-init defaults
+	    update-rc.d shorewall-init enable
 	    echo "Shorewall Init will start automatically at boot"
 	else
 	    if [ -n "$SYSTEMD" ]; then
-		if systemctl enable shorewall-init; then
+		if systemctl enable shorewall-init.service; then
 		    echo "Shorewall Init will start automatically at boot"
 		fi
 	    elif [ -x ${SBINDIR}/insserv -o -x /usr${SBINDIR}/insserv ]; then
--- a/Shorewall-init/logrotate
+++ b/Shorewall-init/logrotate
@@ -0,0 +1,5 @@
 /var/log/shorewall-ifupdown.log {
  missingok
  notifempty
  create 0600 root root
 }
--- a/Shorewall-init/sysconfig
+++ b/Shorewall-init/sysconfig
@@ -16,3 +16,8 @@ IFUPDOWN=0
 # during 'start' and will save them there during 'stop'.
 #
 SAVE_IPSETS=""
 #
 # Where Up/Down events get logged
 #
 LOGFILE=/var/log/shorewall-ifupdown.log
--- a/Shorewall-lite/install.sh
+++ b/Shorewall-lite/install.sh
@@ -303,8 +303,8 @@ if [ -z "$DESTDIR" -a -d ${CONFDIR}/$PRODUCT ]; then
 	mv -f ${CONFDIR}/$PRODUCT/shorewall.conf ${CONFDIR}/$PRODUCT/$PRODUCT.conf
 else
    rm -rf ${DESTDIR}${CONFDIR}/$PRODUCT
-    rm -rf ${DESTDIR}/usr/share/$PRODUCT
+    rm -rf ${DESTDIR}${SHAREDIR}/$PRODUCT
-    rm -rf ${DESTDIR}/var/lib/$PRODUCT
+    rm -rf ${DESTDIR}${VARDIR}/$PRODUCT
    [ "$LIBEXECDIR" = /usr/share ] || rm -rf ${DESTDIR}/usr/share/$PRODUCT/wait4ifup ${DESTDIR}/usr/share/$PRODUCT/shorecap
 fi
@@ -327,9 +327,9 @@ echo "$Product control program installed in ${DESTDIR}${SBINDIR}/$PRODUCT"
 # Create ${CONFDIR}/$PRODUCT, /usr/share/$PRODUCT and /var/lib/$PRODUCT if needed
 #
 mkdir -p ${DESTDIR}${CONFDIR}/$PRODUCT
-mkdir -p ${DESTDIR}/usr/share/$PRODUCT
+mkdir -p ${DESTDIR}${SHAREDIR}/$PRODUCT
 mkdir -p ${DESTDIR}${LIBEXECDIR}/$PRODUCT
-mkdir -p ${DESTDIR}/var/lib/$PRODUCT
+mkdir -p ${DESTDIR}${VARDIR}/$PRODUCT
 chmod 755 ${DESTDIR}${CONFDIR}/$PRODUCT
 chmod 755 ${DESTDIR}/usr/share/$PRODUCT
@@ -403,6 +403,7 @@ echo "Common functions linked through ${DESTDIR}${SHAREDIR}/$PRODUCT/functions"
 #
 install_file shorecap ${DESTDIR}${LIBEXECDIR}/$PRODUCT/shorecap 0755
 [ $SHAREDIR = /usr/share ] || eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}/${LIBEXECDIR}/$PRODUCT/shorecap
 echo
 echo "Capability file builder installed in ${DESTDIR}${LIBEXECDIR}/$PRODUCT/shorecap"
@@ -498,7 +499,7 @@ if [ -z "$DESTDIR" -a -n "$first_install" -a -z "${cygwin}${mac}" ]; then
 	perl -p -w -i -e 's/^STARTUP_ENABLED=No/STARTUP_ENABLED=Yes/;s/^IP_FORWARDING=On/IP_FORWARDING=Keep/;s/^SUBSYSLOCK=.*/SUBSYSLOCK=/;' ${CONFDIR}/${PRODUCT}/${PRODUCT}.conf
 	update-rc.d $PRODUCT enable defaults
    elif [ -n "$SYSTEMD" ]; then
-	if systemctl enable $PRODUCT; then
+	if systemctl enable ${PRODUCT}.service; then
 	    echo "$Product will start automatically at boot"
 	fi
    elif mywhich insserv; then
--- a/Shorewall-lite/shorecap
+++ b/Shorewall-lite/shorecap
@@ -45,17 +45,22 @@
 #    used during firewall compilation, then the generated firewall program will likewise not
 #    require Shorewall to be installed.
 SHAREDIR=/usr/share/shorewall-lite
 VARDIR=/var/lib/shorewall-lite
 CONFDIR=/etc/shorewall-lite
 g_program=shorewall-lite
 g_product="Shorewall Lite"
 g_family=4
 g_base=shorewall
 g_basedir=/usr/share/shorewall-lite
-. /usr/share/shorewall-lite/lib.base
+g_program=shorewall-lite
-. /usr/share/shorewall/lib.cli
+
 #
 # This is modified by the installer when ${SHAREDIR} != /usr/share
 #
 . /usr/share/shorewall/shorewallrc
 g_libexec="$LIBEXECDIR"
 g_sharedir="$SHAREDIR"/shorewall-lite
 g_sbindir="$SBINDIR"
 g_vardir="$VARDIR"
 g_confdir="$CONFDIR"/shorewall-lite
 g_readrc=1
 . ${SHAREDIR}/shorewall/lib.cli
 . /usr/share/shorewall-lite/configpath
 [ -n "$PATH" ] || PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
--- a/Shorewall/Macros/macro.Amanda
+++ b/Shorewall/Macros/macro.Amanda
@@ -8,9 +8,16 @@
 #	files from those nodes.
 #
 ###############################################################################
 FORMAT 2
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
 #				PORT(S)	PORT(S)	LIMIT	GROUP
-PARAM	-	-	udp	10080
+
 ?if ( __CT_TARGET && ! $AUTOHELPERS && __AMANDA_HELPER )
 PARAM	-	-	udp	10080 ; helper=amanda
 ?else
 PARAM	-	-	udp	10080
 ?endif
 PARAM	-	-	tcp	10080
 #
 # You may also need this rule.  With AMANDA 2.4.4 on Linux kernel 2.6,
--- a/Shorewall/Macros/macro.BLACKLIST
+++ b/Shorewall/Macros/macro.BLACKLIST
@@ -8,8 +8,8 @@
 ###############################################################################
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
 #				PORT(S)	PORT(S)	LIMIT	GROUP
-?IF $BLACKLIST_LOGLEVEL
+?if $BLACKLIST_LOGLEVEL
 blacklog
-?ELSE
+?else
 $BLACKLIST_DISPOSITION
-?ENDIF
+?endif
--- a/Shorewall/Macros/macro.FTP
+++ b/Shorewall/Macros/macro.FTP
@@ -6,6 +6,11 @@
 #	This macro handles FTP traffic.
 #
 ###############################################################################
 FORMAT 2
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
 #				PORT(S)	PORT(S)	LIMIT	GROUP
-PARAM	-	-	tcp	21
+?if ( __CT_TARGET && ! $AUTOHELPERS && __FTP_HELPER  )
 PARAM	-	-	tcp	21 ; helper=ftp
 ?else
 PARAM	-	-	tcp	21
 ?endif
--- a/Shorewall/Macros/macro.IRC
+++ b/Shorewall/Macros/macro.IRC
@@ -6,6 +6,12 @@
 #	This macro handles IRC traffic (Internet Relay Chat).
 #
 ###############################################################################
 FORMAT 2
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
 #				PORT(S)	PORT(S)	LIMIT	GROUP
-PARAM	-	-	tcp	6667
+
 ?if ( __CT_TARGET && ! $AUTOHELPERS && __IRC_HELPER  )
 PARAM	-	-	tcp	6667 ; helper=irc
 ?else
 PARAM	-	-	tcp	6667
 ?endif
--- a/Shorewall/Macros/macro.PPtP
+++ b/Shorewall/Macros/macro.PPtP
@@ -6,8 +6,14 @@
 #	This macro handles PPTP traffic.
 #
 ###############################################################################
 ?FORMAT 2
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
 #				PORT(S)	PORT(S)	LIMIT	GROUP
 PARAM	-	-	47
 PARAM	DEST	SOURCE	47
-PARAM	-	-	tcp	1723
+
 ?if ( __CT_TARGET && ! $AUTOHELPERS && __PPTP_HELPER )
 PARAM	-	-	tcp	1723 ; helper=pptp
 ?else
 PARAM	-	-	tcp	1723
 ?endif
--- a/Shorewall/Macros/macro.SANE
+++ b/Shorewall/Macros/macro.SANE
@@ -6,9 +6,16 @@
 #	This macro handles SANE network scanning.
 #
 ###############################################################################
 FORMAT 2
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
 #				PORT(S)	PORT(S)	LIMIT	GROUP
-PARAM	-	-	tcp	6566
+
 ?if ( __CT_TARGET && ! $AUTOHELPERS && __SANE_HELPER )
 PARAM	-	-	tcp	6566 ; helper=sane
 ?else
 PARAM	-	-	tcp	6566
 ?endif
 #
 # Kernels 2.6.23+ has nf_conntrack_sane module which will handle
 # sane data connection.
--- a/Shorewall/Macros/macro.SIP
+++ b/Shorewall/Macros/macro.SIP
@@ -0,0 +1,17 @@
 #
 # Shorewall version 4 - SIP Macro
 #
 # /usr/share/shorewall/macro.SIP
 #
 #	This macro handles SIP traffic.
 #
 ###############################################################################
 FORMAT 2
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
 #				PORT(S)	PORT(S)	LIMIT	GROUP
 ?if ( __CT_TARGET && ! $AUTOHELPERS && __SIP_HELPER  )
 PARAM	-	-	udp	5060 ; helper=sip
 ?else
 PARAM	-	-	udp	5060
 ?endif
--- a/Shorewall/Macros/macro.SMB
+++ b/Shorewall/Macros/macro.SMB
@@ -10,9 +10,17 @@
 #	between hosts you fully trust.
 #
 ###############################################################################
 FORMAT 2
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
 #				PORT(S)	PORT(S)	LIMIT	GROUP
 PARAM	-	-	udp	135,445
-PARAM	-	-	udp	137:139
+
 ?if ( __CT_TARGET && ! $AUTOHELPERS && __NETBIOS_NS_HELPER )
 PARAM	-	-	udp	137 ; helper=netbios-ns
 PARAM	-	-	udp	138:139
 ?else
 PARAM	-	-	udp	137:139
 ?endif
 PARAM	-	-	udp	1024:	137
 PARAM	-	-	tcp	135,139,445
--- a/Shorewall/Macros/macro.SMBBI
+++ b/Shorewall/Macros/macro.SMBBI
@@ -10,13 +10,28 @@
 #	allow SMB traffic between hosts you fully trust.
 #
 ###############################################################################
 FORMAT 2
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
 #				PORT(S)	PORT(S)	LIMIT	GROUP
 PARAM	-	-	udp	135,445
-PARAM	-	-	udp	137:139
+
 ?if ( __CT_TARGET && ! $AUTOHELPERS && __NETBIOS_NS_HELPER )
 PARAM	-	-	udp	137 ; helper=netbios-ns
 PARAM	-	-	udp	138:139
 ?else
 PARAM	-	-	udp	137:139
 ?endif
 PARAM	-	-	udp	1024:	137
 PARAM	-	-	tcp	135,139,445
 PARAM	DEST	SOURCE	udp	135,445
-PARAM	DEST	SOURCE	udp	137:139
+
 ?if ( __CT_TARGET && ! $AUTOHELPERS && __NETBIOS_NS_HELPER )
 PARAM	DEST	SOURCE	udp	137 ; helper=netbios-ns
 PARAM	DEST	SOURCE	udp	138:139
 ?else
 PARAM	DEST	SOURCE	udp	137:139
 ?endif
 PARAM	DEST	SOURCE	udp	1024:	137
 PARAM	DEST	SOURCE	tcp	135,139,445
--- a/Shorewall/Macros/macro.SNMP
+++ b/Shorewall/Macros/macro.SNMP
@@ -6,7 +6,15 @@
 #	This macro handles SNMP traffic (including traps).
 #
 ###############################################################################
 FORMAT 2
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
 #				PORT(S)	PORT(S)	LIMIT	GROUP
-PARAM	-	-	udp	161:162
+
 ?if ( __CT_TARGET && ! $AUTOHELPERS && __SNMP_HELPER )
 PARAM	-	-  	udp     161 ; helper=snmp
 PARAM	-	-	udp	162
 ?else
 PARAM	-	-	udp	161:162
 ?endif
 PARAM	-	-	tcp	161
--- a/Shorewall/Macros/macro.TFTP
+++ b/Shorewall/Macros/macro.TFTP
@@ -8,6 +8,12 @@
 #	Internet.
 #
 ###############################################################################
 FORMAT 2
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
 #				PORT(S)	PORT(S)	LIMIT	GROUP
-PARAM	-	-	udp	69
+
 ?if ( __CT_TARGET && ! $AUTOHELPERS && __TFTP_HELPER )
 PARAM	-	-	udp	69 ; helper=tftp
 ?else
 PARAM	-	-	udp	69
 ?endif
--- a/Shorewall/Macros/macro.mDNS
+++ b/Shorewall/Macros/macro.mDNS
@@ -1,9 +1,11 @@
 #
-# Shorewall version 4 - Multicast DNS Macro
+# Shorewall version 4 - Multicast DNS Macro -- this macro assumes that only
 #                       the DEST zone sends mDNS queries. If both zones send
 #                       queries, use the mDNSbi macro.
 #
 # /usr/share/shorewall/macro.mDNS
 #
-#	This macro handles multicast DNS traffic.
+#	This macro handles multicast DNS traffic
 #
 ###############################################################################
 #ACTION	SOURCE	DEST			PROTO	DEST	SOURCE	RATE	USER/
--- a/Shorewall/Macros/macro.mDNSbi
+++ b/Shorewall/Macros/macro.mDNSbi
@@ -0,0 +1,16 @@
 #
 # Shorewall version 4 - Bi-directional Multicast DNS Macro.
 #
 # /usr/share/shorewall/macro.mDNSbi
 #
 #	This macro handles multicast DNS traffic
 #
 ###############################################################################
 #ACTION	SOURCE	DEST			PROTO	DEST	SOURCE	RATE	USER/
 #						PORT(S)	PORT(S)	LIMIT	GROUP
 PARAM	-	224.0.0.251		udp	5353
 PARAM	-	-			udp	32768:	5353
 PARAM	-	224.0.0.251		2
 PARAM	DEST	SOURCE:224.0.0.251	udp	5353
 PARAM	DEST	SOURCE			udp	32768:	5353
 PARAM	DEST	SOURCE:224.0.0.251	2
--- a/Shorewall/Perl/Shorewall/Accounting.pm
+++ b/Shorewall/Perl/Shorewall/Accounting.pm
@@ -236,6 +236,11 @@ sub process_accounting_rule( ) {
 	    }
 	} elsif ( $action =~ /^NFLOG/ ) {
 	    $target = validate_level $action;
 	} elsif ( $action =~ /^NFACCT\((\w+)\)$/ ) {
 	    require_capability 'NFACCT_MATCH', 'The NFACCT action', 's';
 	    $nfobjects{$1} = 1;
 	    $target = '';
 	    $rule .= "-m nfacct --nfacct-name $1 ";
 	} else {
 	    ( $action, my $cmd ) = split /:/, $action;
--- a/Shorewall/Perl/Shorewall/Chains.pm
+++ b/Shorewall/Perl/Shorewall/Chains.pm
--- a/Shorewall/Perl/Shorewall/Compiler.pm
+++ b/Shorewall/Perl/Shorewall/Compiler.pm
@@ -368,6 +368,7 @@ sub generate_script_3($) {
    emit '';
    load_ipsets;
    create_nfobjects;
    if ( $family == F_IPV4 ) {
 	emit ( 'if [ "$COMMAND" = refresh ]; then' ,
@@ -665,11 +666,6 @@ sub compiler {
    #                           (Produces no output to the compiled script)
    #
    process_policies;
    #
    #                                       N O T R A C K
    #                           (Produces no output to the compiled script)
    #
    setup_notrack;
    enable_script;
@@ -709,6 +705,14 @@ sub compiler {
    #
    setup_proxy_arp;
    emit( "#\n# Disable automatic helper association on kernel 3.5.0 and later\n#" ,
 	  'if [ -f /proc/sys/net/netfilter/nf_conntrack_helper ]; then' ,
 	  '    progress_message "Disabling Kernel Automatic Helper Association"',
 	  "    echo 0 > /proc/sys/net/netfilter/nf_conntrack_helper",
 	  'fi',
 	  ''
 	);
    if ( $scriptfilename || $debug ) {
 	emit 'return 0';
 	pop_indent;
@@ -788,6 +792,10 @@ sub compiler {
    #
    process_rules( $convert );
    #
    # Process the conntrack file
    #
    setup_conntrack;
    #
    # Add Tunnel rules.
    #
    setup_tunnels;
@@ -817,11 +825,11 @@ sub compiler {
 	    #
 	    # Optimize Policy Chains
 	    #
-	    optimize_policy_chains if $optimize & 6 == 2; # Level 2 but not 4
+	    optimize_policy_chains if ( $optimize & OPTIMIZE_POLICY_MASK2n4 ) == OPTIMIZE_POLICY_MASK; # Level 2 but not 4
 	    #
 	    # More Optimization
 	    #
-	    optimize_ruleset if $config{OPTIMIZE} & 0x1C;
+	    optimize_ruleset if $config{OPTIMIZE} & OPTIMIZE_RULESET_MASK;
 	}
 	enable_script;
@@ -877,16 +885,16 @@ sub compiler {
 	    optimize_level0;
-	    if ( $config{OPTIMIZE} & OPTIMIZE_MASK ) {
+	    if ( ( my $optimize = $config{OPTIMIZE} & OPTIMIZE_MASK ) ) {
 		progress_message2 'Optimizing Ruleset...';
 		#
 		# Optimize Policy Chains
 		#
-		optimize_policy_chains if $config{OPTIMIZE} & OPTIMIZE_POLICY_MASK;
+		optimize_policy_chains if ( $optimize & OPTIMIZE_POLICY_MASK2n4 ) == OPTIMIZE_POLICY_MASK; # Level 2 but not 4
 		#
 		# Ruleset Optimization
 		#
-		optimize_ruleset if $config{OPTIMIZE} & OPTIMIZE_RULESET_MASK;
+		optimize_ruleset if $optimize & OPTIMIZE_RULESET_MASK;
 	    }
 	    enable_script if $debug;
--- a/Shorewall/Perl/Shorewall/Config.pm
+++ b/Shorewall/Perl/Shorewall/Config.pm
--- a/Shorewall/Perl/Shorewall/IPAddrs.pm
+++ b/Shorewall/Perl/Shorewall/IPAddrs.pm
@@ -26,7 +26,7 @@
 #
 package Shorewall::IPAddrs;
 require Exporter;
-use Shorewall::Config qw( :DEFAULT split_list require_capability in_hex8 numeric_value F_IPV4 F_IPV6 );
+use Shorewall::Config qw( :DEFAULT split_list require_capability in_hex8 numeric_value F_IPV4 F_IPV6 :protocols );
 use Socket;
 use strict;
@@ -48,14 +48,6 @@ our @EXPORT = qw( ALLIPv4
 		  ALLIP
 		  NILIP
 		  ALL
 		  TCP
 		  UDP
 		  UDPLITE
 		  ICMP
 		  DCCP
 		  IPv6_ICMP
 		  SCTP
 		  GRE
 		  validate_address
 		  validate_net
@@ -115,14 +107,7 @@ use constant { ALLIPv4             => '0.0.0.0/0' ,
 	       IPv6_LINK_ALLRTRS   => 'ff01::2' ,
 	       IPv6_SITE_ALLNODES  => 'ff02::1' ,
 	       IPv6_SITE_ALLRTRS   => 'ff02::2' ,
-	       ICMP                => 1,
+	   };
 	       TCP                 => 6,
 	       UDP                 => 17,
 	       DCCP                => 33,
 	       GRE                 => 47,
 	       IPv6_ICMP           => 58,
 	       SCTP                => 132,
 	       UDPLITE             => 136 };
 my @rfc1918_networks = ( "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16" );
--- a/Shorewall/Perl/Shorewall/Misc.pm
+++ b/Shorewall/Perl/Shorewall/Misc.pm
--- a/Shorewall/Perl/Shorewall/Nat.pm
+++ b/Shorewall/Perl/Shorewall/Nat.pm
@@ -35,7 +35,11 @@ use strict;
 our @ISA = qw(Exporter);
 our @EXPORT = qw( setup_masq setup_nat setup_netmap add_addresses );
 our %EXPORT_TAGS = ( rules => [ qw ( handle_nat_rule handle_nonat_rule ) ] );
 our @EXPORT_OK = ();
 Exporter::export_ok_tags('rules');
 our $VERSION = 'MODULEVERSION';
 my @addresses_to_add;
@@ -54,8 +58,8 @@ sub initialize() {
 #
 sub process_one_masq( )
 {
-    my ($interfacelist, $networks, $addresses, $proto, $ports, $ipsec, $mark, $user, $condition ) =
+    my ($interfacelist, $networks, $addresses, $proto, $ports, $ipsec, $mark, $user, $condition, $origdest ) =
-	split_line1 'masq file', { interface => 0, source => 1, address => 2, proto => 3, port => 4, ipsec => 5, mark => 6, user => 7, switch => 8 };
+	split_line1 'masq file', { interface => 0, source => 1, address => 2, proto => 3, port => 4, ipsec => 5, mark => 6, user => 7, switch => 8, origdest => 9 };
    if ( $interfacelist eq 'COMMENT' ) {
 	process_comment;
@@ -233,7 +237,7 @@ sub process_one_masq( )
 		     $baserule . $rule ,
 		     $networks ,
 		     $destnets ,
-		     '' ,
+		     $origdest ,
 		     $target ,
 		     '' ,
 		     '' ,
@@ -514,6 +518,227 @@ sub setup_netmap() {
 }
 #
 # Called from process_rule1 to add a rule to the NAT table
 #
 sub handle_nat_rule( $$$$$$$$$$$$ ) {
    my ( $dest,           # <server>[:port]
 	 $proto,          # Protocol
 	 $ports,          # Destination port list
 	 $origdest,       # Original Destination
 	 $action_target,  # If the target is an action, the name of the log action chain to jump to
 	 $action,         # The Action
 	 $sourceref,      # Reference to the Source Zone's table entry in the Zones module
 	 $action_chain,   # Name of the action chain if the rule is in an action
 	 $rule,           # Matches 
 	 $source,         # Source Address
 	 $loglevel,       # [<level>[:<tag>]]
 	 $log_action,     # Action name to include in the log message
       ) = @_;
    my ( $server, $serverport , $origdstports ) = ( '', '', '' );
    my $randomize = $dest =~ s/:random$// ? ' --random' : '';
    #
    # Isolate server port
    #
    if ( $dest =~ /^(.*)(?::(.+))$/ ) {
 	#
 	# Server IP and Port
 	#
 	$server = $1;      # May be empty
 	$serverport = $2;  # Not Empty due to RE
 	$origdstports = validate_port( $proto, $ports )	if $ports && $ports ne '-' && port_count( $ports ) == 1;
 	if ( $serverport =~ /^(\d+)-(\d+)$/ ) {
 	    #
 	    # Server Port Range
 	    #
 	    fatal_error "Invalid port range ($serverport)" unless $1 < $2;
 	    my @ports = ( $1, $2 );
 	    $_ = validate_port( proto_name( $proto ), $_) for ( @ports );
 	    ( $ports = $serverport ) =~ tr/-/:/;
 	} else {
 	    $serverport = $ports = validate_port( proto_name( $proto ), $serverport );
 	}
    } elsif ( $dest ne ':' ) {
 	#
 	# Simple server IP address (may be empty or "-")
 	#
 	$server = $dest;
    }
    #
    # Generate the target
    #
    my $target = '';
    if ( $action eq 'REDIRECT' ) {
 	fatal_error "A server IP address ($server) may not be specified in a REDIRECT rule" if $server;
 	$target  = 'REDIRECT';
 	$target .= " --to-port $serverport" if $serverport;
 	if ( $origdest eq '' || $origdest eq '-' ) {
 	    $origdest = ALLIP;
 	} elsif ( $origdest eq 'detect' ) {
 	    fatal_error 'ORIGINAL DEST "detect" is invalid in an action' if $action_chain;
 	    if ( $config{DETECT_DNAT_IPADDRS} ) {
 		my $interfacesref = $sourceref->{interfaces};
 		my @interfaces = keys %$interfacesref;
 		$origdest = @interfaces ? "detect:@interfaces" : ALLIP;
 	    } else {
 		$origdest = ALLIP;
 	    }
 	}
    } elsif ( $action_target ) {
 	fatal_error "A server port ($serverport) is not allowed in $action rule" if $serverport;
 	$target = $action_target;
    } else {
 	if ( $server eq '' ) {
 	    fatal_error "A server and/or port must be specified in the DEST column in $action rules" unless $serverport;
 	} elsif ( $server =~ /^(.+)-(.+)$/ ) {
 	    validate_range( $1, $2 );
 	} else {
 	    unless ( $server eq ALLIP ) {
 		my @servers = validate_address $server, 1;
 		$server = join ',', @servers;
 	    }
 	}
 	if ( $action eq 'DNAT' ) {
 	    $target = $action;
 	    if ( $server ) {
 		$serverport = ":$serverport" if $serverport;
 		for my $serv ( split /,/, $server ) {
 		    $target .= " --to-destination ${serv}${serverport}";
 		}
 	    } else {
 		$target .= " --to-destination :$serverport";
 	    }
 	}
 	unless ( $origdest && $origdest ne '-' && $origdest ne 'detect' ) {
 	    if ( ! $action_chain && $config{DETECT_DNAT_IPADDRS} ) {
 		my $interfacesref = $sourceref->{interfaces};
 		my @interfaces = keys %$interfacesref;
 		$origdest = @interfaces ? "detect:@interfaces" : ALLIP;
 	    } else {
 		$origdest = ALLIP;
 	    }
 	}
    }
    $target .= $randomize;
    #
    # And generate the nat table rule(s)
    #
    my $firewallsource = $sourceref && ( $sourceref->{type} & ( FIREWALL | VSERVER ) );
    expand_rule ( ensure_chain ('nat' ,
 				( $action_chain   ? $action_chain :
 				  $firewallsource ? 'OUTPUT' :
 				  dnat_chain $sourceref->{name} ) ) ,
 		  $firewallsource ? OUTPUT_RESTRICT : PREROUTE_RESTRICT ,
 		  $rule ,
 		  $source ,
 		  $origdest ,
 		  '' ,
 		  $target ,
 		  $loglevel ,
 		  $log_action ,
 		  $serverport ? do_proto( $proto, '', '' ) : '',
 		);
    ( $ports, $origdstports, $server );
 }
 #
 # Called from process_rule1() to handle the nat table part of the NONAT and ACCEPT+ actions
 #
 sub handle_nonat_rule( $$$$$$$$$$ ) {
    my ( $action, $source, $dest, $origdest, $sourceref, $inaction, $chain, $loglevel, $log_action, $rule ) = @_;
    my $sourcezone = $sourceref->{name};
    #
    # NONAT or ACCEPT+ may not specify a destination interface
    #
    fatal_error "Invalid DEST ($dest) in $action rule" if $dest =~ /:/;
    $origdest = '' unless $origdest and $origdest ne '-';
    if ( $origdest eq 'detect' ) {
 	my $interfacesref = $sourceref->{interfaces};
 	my $interfaces = [ ( keys %$interfacesref ) ];
 	$origdest = $interfaces ? "detect:@$interfaces" : ALLIP;
    }
    my $tgt = 'RETURN';
    my $nonat_chain;
    my $chn;
    if ( $inaction ) {
 	$nonat_chain = ensure_chain( 'nat', $chain );
    } elsif ( $sourceref->{type} == FIREWALL ) {
 	$nonat_chain = $nat_table->{OUTPUT};
    } else {
 	$nonat_chain = ensure_chain( 'nat', dnat_chain( $sourcezone ) );
 	my @interfaces = keys %{zone_interfaces $sourcezone};
 	for ( @interfaces ) {
 	    my $ichain = input_chain $_;
 	    if ( $nat_table->{$ichain} ) {
 		#
 		# Static NAT is defined on this interface
 		#
 		$chn = new_chain( 'nat', newnonatchain ) unless $chn;
 		add_ijump $chn, j => $nat_table->{$ichain}, @interfaces > 1 ? imatch_source_dev( $_ )  : ();
 	    }
 	}
 	if ( $chn ) {
 	    #
 	    # Call expand_rule() to correctly handle logging. Because
 	    # the 'logname' argument is passed, expand_rule() will
 	    # not create a separate logging chain but will rather emit
 	    # any logging rule in-line.
 	    #
 	    expand_rule( $chn,
 			 PREROUTE_RESTRICT,
 			 '', # Rule
 			 '', # Source
 			 '', # Dest
 			 '', # Original dest
 			 'ACCEPT',
 			 $loglevel,
 			 $log_action,
 			 '',
 			 dnat_chain( $sourcezone  ) );
 	    $loglevel = '';
 	    $tgt = $chn->{name};
 	} else {
 	    $tgt = 'ACCEPT';
 	}
    }
    set_optflags( $nonat_chain, DONT_MOVE | DONT_OPTIMIZE ) if $tgt eq 'RETURN';
    expand_rule( $nonat_chain ,
 		 PREROUTE_RESTRICT ,
 		 $rule ,
 		 $source ,
 		 $dest ,
 		 $origdest ,
 		 $tgt,
 		 $loglevel ,
 		 $log_action ,
 		 '',
 	       );
 }
 sub add_addresses () {
    if ( @addresses_to_add ) {
 	my @addrs = @addresses_to_add;
--- a/Shorewall/Perl/Shorewall/Providers.pm
+++ b/Shorewall/Perl/Shorewall/Providers.pm
@@ -39,7 +39,9 @@ our @EXPORT = qw( process_providers
 		  @routemarked_interfaces
 		  handle_stickiness
 		  handle_optional_interfaces
 		  compile_updown
 		  setup_load_distribution
 		  have_providers
 	       );
 our @EXPORT_OK = qw( initialize lookup_provider );
 our $VERSION = '4.4_24';
@@ -60,9 +62,11 @@ my  @load_interfaces;
 my $balancing;
 my $fallback;
 my $metrics;
 my $first_default_route;
 my $first_fallback_route;
 my $maxload;
 my $tproxies;
 my %providers;
@@ -95,9 +99,11 @@ sub initialize( $ ) {
    @load_interfaces        = ();
    $balancing              = 0;
    $fallback               = 0;
    $metrics                = 0;
    $first_default_route    = 1;
    $first_fallback_route   = 1;
    $maxload                = 0;
    $tproxies               = 0;
    %providers  = ( local   => { number => LOCAL_TABLE   , mark => 0 , optional => 0 ,routes => [], rules => [] } ,
 		    main    => { number => MAIN_TABLE    , mark => 0 , optional => 0 ,routes => [], rules => [] } ,
@@ -461,10 +467,11 @@ sub process_a_provider() {
    }
    if ( $local ) {
-	fatal_error "GATEWAY not valid with 'local' provider" unless $gatewaycase eq 'none';
+	fatal_error "GATEWAY not valid with 'local' provider"  unless $gatewaycase eq 'none';
-	fatal_error "'track' not valid with 'local'"          if $track;
+	fatal_error "'track' not valid with 'local'"           if $track;
-	fatal_error "DUPLICATE not valid with 'local'"        if $duplicate ne '-';
+	fatal_error "DUPLICATE not valid with 'local'"         if $duplicate ne '-';
    } elsif ( $tproxy ) {
 	fatal_error "Only one 'tproxy' provider is allowed"    if $tproxies++;
 	fatal_error "GATEWAY not valid with 'tproxy' provider" unless $gatewaycase eq 'none';
 	fatal_error "'track' not valid with 'tproxy'"          if $track;
 	fatal_error "DUPLICATE not valid with 'tproxy'"        if $duplicate ne '-';
@@ -695,19 +702,20 @@ CEOF
 	emit '';
 	if ( $gateway ) {
 	    if ( $family == F_IPV4 ) {
-		emit qq(run_ip route replace $gateway dev $physical table ) . DEFAULT_TABLE;
+		emit qq(run_ip route replace $gateway/32 dev $physical table ) . DEFAULT_TABLE;
 		emit qq(run_ip route replace default via $gateway src $address dev $physical table ) . DEFAULT_TABLE . qq( metric $number);
 	    } else {
 		emit qq(qt \$IP -6 route del default via $gateway src $address dev $physical table ) . DEFAULT_TABLE . qq( metric $number);
 		emit qq(run_ip route add default via $gateway src $address dev $physical table ) . DEFAULT_TABLE . qq( metric $number);
 	    }
 	    emit qq(echo "qt \$IP -$family route del default via $gateway table ) . DEFAULT_TABLE . qq(" >> \${VARDIR}/undo_${table}_routing);
 	    emit qq(echo "qt \$IP -4  route del $gateway/32 dev $physical table ) . DEFAULT_TABLE . qq(" >> \${VARDIR}/undo_${table}_routing) if $family == F_IPV4;
 	} else {
 	    emit qq(run_ip route add default table ) . DEFAULT_TABLE . qq( dev $physical metric $number);
 	    emit qq(echo "qt \$IP -$family route del default dev $physical table ) . DEFAULT_TABLE . qq(" >> \${VARDIR}/undo_${table}_routing);
 	}
-	$fallback = 1;
+	$metrics = 1;
    }
    emit( qq(\n) ,
@@ -1153,14 +1161,16 @@ sub finish_providers() {
 	emit( "    progress_message \"Fallback route '\$(echo \$FALLBACK_ROUTE | sed 's/\$\\s*//')' Added\"",
 	      'else',
-	      '#',
+	      '    #',
-	      '# We don\'t have any \'fallback\' providers so we delete any default routes in the default table',
+	      '    # We don\'t have any \'fallback\' providers so we delete any default routes in the default table',
-	      '#',
+	      '    #',
-	      "    while qt \$IP -$family route del default table " . DEFAULT_TABLE . '; do true; done',
+	      '    delete_default_routes ' . DEFAULT_TABLE,
 	      'fi',
 	      '' );
    } elsif ( $config{USE_DEFAULT_RT} ) {
-	emit "while qt \$IP -$family route del default table " . DEFAULT_TABLE . '; do true; done';
+	emit( 'delete_default_routes ' . DEFAULT_TABLE,
 	      ''
 	    );
    }
    unless ( $config{KEEP_RT_TABLES} ) {
@@ -1198,11 +1208,13 @@ sub process_providers( $ ) {
    }
    if ( $providers ) {
 	fatal_error q(Either all 'fallback' providers must specify a weight or non of them can specify a weight) if $fallback && $metrics;
 	my $fn = open_file( 'route_rules' );
 	if ( $fn ){
 	    if ( -f ( my $fn1 = find_file 'rtrules' ) ) {
-		warning_message "Both $fn and $fn1 exists: $fn1 will be ignored";
+		warning_message "Both $fn and $fn1 exist: $fn1 will be ignored";
 	    }
 	} else {
 	    $fn = open_file( 'rtrules' );
@@ -1269,6 +1281,7 @@ EOF
            startup_error "$g_interface is not an optional provider or provider interface"
            ;;
    esac
 }
 #
@@ -1309,6 +1322,10 @@ EOF
 }
 sub have_providers() {
    return our $providers;
 }
 sub setup_providers() {
    our $providers;
@@ -1354,6 +1371,228 @@ sub setup_providers() {
 }
 #
 # Emit the updown() function
 #
 sub compile_updown() {
    emit( '',
 	  '#',
 	  '# Handle the "up" and "down" commands',
 	  '#',
 	  'updown() # $1 = interface',
 	  '{',
 	);
    push_indent;
    emit( 'local state',
 	  'state=cleared',
 	  ''
 	);
    emit 'progress_message3 "$g_product $COMMAND triggered by $1"';
    emit '';
    if ( $family == F_IPV4 ) {
 	emit 'if shorewall_is_started; then';
    } else {
 	emit 'if shorewall6_is_started; then';
    }
    emit( '    state=started',
 	  'elif [ -f ${VARDIR}/state ]; then',
 	  '    case "$(cat ${VARDIR}/state)" in',
 	  '        Stopped*)',
 	  '            state=stopped',
 	  '            ;;',
 	  '        Cleared*)',
 	  '            ;;',
 	  '        *)',
 	  '            state=unknown',
 	  '            ;;',
 	  '    esac',
 	  'else',
 	  '    state=unknown',
 	  'fi',
 	  ''
 	);
    emit( 'case $1 in' );
    push_indent;
    my $ignore   = find_interfaces_by_option 'ignore', 1;
    my $required = find_interfaces_by_option 'required';
    my $optional = find_interfaces_by_option 'optional';
    if ( @$ignore ) {
 	my $interfaces = join '|', map get_physical( $_ ), @$ignore;
 	$interfaces =~ s/\+/*/g;
 	emit( "$interfaces)",
 	      '    progress_message3 "$COMMAND on interface $1 ignored"',
 	      '    exit 0',
 	      '    ;;'
 	    );
    }
    my @nonshared = ( grep $providers{$_}->{optional},
 		      sort( { $providers{$a}->{number} <=> $providers{$b}->{number} } values %provider_interfaces ) );
    if ( @nonshared ) {
 	my $interfaces = join( '|', map $providers{$_}->{physical}, @nonshared );
 	emit "$interfaces)";
 	push_indent;
 	emit( q(if [ "$state" = started ]; then) ,
 	      q(    if [ "$COMMAND" = up ]; then) , 
 	      q(        progress_message3 "Attempting enable on interface $1") ,
 	      q(        COMMAND=enable) ,
 	      q(        detect_configuration),        
 	      q(        enable_provider $1),
 	      q(    elif [ "$PHASE" != post-down ]; then # pre-down or not Debian) ,
 	      q(        progress_message3 "Attempting disable on interface $1") ,
 	      q(        COMMAND=disable) ,
 	      q(        detect_configuration),        
 	      q(        disable_provider $1) ,
 	      q(    fi) ,
 	      q(elif [ "$COMMAND" = up ]; then) ,
 	      q(    echo 0 > ${VARDIR}/${1}.status) ,
 	      q(    COMMAND=start),
 	      q(    progress_message3 "$g_product attempting start") ,
 	      q(    detect_configuration),
 	      q(    define_firewall),
 	      q(else),
 	      q(    progress_message3 "$COMMAND on interface $1 ignored") ,
 	      q(fi) ,
 	      q(;;) );
 	pop_indent;
    }
    if ( @$required ) {
 	my $interfaces = join '|', map get_physical( $_ ), @$required;
 	my $wildcard = ( $interfaces =~ s/\+/*/g );
 	emit( "$interfaces)",
 	      '    if [ "$COMMAND" = up ]; then' );
 	if ( $wildcard ) {
 	    emit( '        if [ "$state" = started ]; then',
 		  '            COMMAND=restart',
 		  '        else',
 		  '            COMMAND=start',
 		  '        fi' );
 	} else {
 	    emit( '        COMMAND=start' );
 	}
 	emit( '        progress_message3 "$g_product attempting $COMMAND"',
 	      '        detect_configuration',
 	      '        define_firewall',
 	      '    elif [ "$PHASE" != pre-down ]; then # Not Debian pre-down phase'
 	    );
 	push_indent;
 	if ( $wildcard ) {
 	    emit( '    if [ "$state" = started ]; then',
 		  '        progress_message3 "$g_product attempting restart"',
 		  '        COMMAND=restart',
 		  '        detect_configuration',
 		  '        define_firewall',
 		  '    fi' );
 	} else {
 	    emit( '    COMMAND=stop',
 		  '    progress_message3 "$g_product attempting stop"',
 		  '    detect_configuration',
 		  '    stop_firewall' );
 	}
 	pop_indent;
 	emit( '    fi',
 	      '    ;;'
 	    );
    }
    if ( @$optional ) {
 	my @interfaces = map( get_physical( $_ ), grep( ! $provider_interfaces{$_} , @$optional ) );
 	my $interfaces = join '|', @interfaces;
 	if ( $interfaces ) {
 	    if ( $interfaces =~ s/\+/*/g || @interfaces > 1 ) {
 		emit( "$interfaces)",
 		      '    if [ "$COMMAND" = up ]; then',
 		      '        echo 0 > ${VARDIR}/${1}.state',
 		      '    else',
 		      '        echo 1 > ${VARDIR}/${1}.state',
 		      '    fi' );
 	    } else {
 		emit( "$interfaces)",
 		      '    if [ "$COMMAND" = up ]; then',
 		      "        echo 0 > \${VARDIR}/$interfaces.state",
 		      '    else',
 		      "        echo 1 > \${VARDIR}/$interfaces.state",
 		      '    fi' );
 	    }
 	    emit( '',
 		  '    if [ "$state" = started ]; then',
 		  '        COMMAND=restart',
 		  '        progress_message3 "$g_product attempting restart"',
 		  '        detect_configuration',
 		  '        define_firewall',
 		  '    elif [ "$state" = stopped ]; then',
 		  '        COMMAND=start',
 		  '        progress_message3 "$g_product attempting start"',
 		  '        detect_configuration',
 		  '        define_firewall',
 		  '    else',
 		  '        progress_message3 "$COMMAND on interface $1 ignored"',
 		  '    fi',
 		  '    ;;',
 		);
 	}
    }
    if ( my @plain_interfaces = all_plain_interfaces ) {			
 	my $interfaces = join ( '|', @plain_interfaces );
 	$interfaces =~ s/\+/*/g;
 	emit( "$interfaces)",
 	      '    case $state in',
 	      '        started)',
 	      '            COMMAND=restart',
 	      '            progress_message3 "$g_product attempting restart"',
 	      '            detect_configuration',
 	      '            define_firewall',
 	      '            ;;',
 	      '        *)',
 	      '            progress_message3 "$COMMAND on interface $1 ignored"',
 	      '            ;;',
 	      '    esac',
 	    );
    }
    pop_indent;
    emit( 'esac' );
    pop_indent;
    emit( '}',
 	  '',
 	);
 }
 sub lookup_provider( $ ) {
    my $provider    = $_[0];
    my $providerref = $providers{ $provider };
--- a/Shorewall/Perl/Shorewall/Raw.pm
+++ b/Shorewall/Perl/Shorewall/Raw.pm
@@ -20,7 +20,7 @@
 #       along with this program; if not, write to the Free Software
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
-#   This module contains the code that handles the /etc/shorewall/notrack file.
+#   This module contains the code that handles the /etc/shorewall/conntrack file.
 #
 package Shorewall::Raw;
 require Exporter;
@@ -32,8 +32,8 @@ use Shorewall::Chains qw(:DEFAULT :internal);
 use strict;
 our @ISA = qw(Exporter);
-our @EXPORT = qw( setup_notrack );
+our @EXPORT = qw( setup_conntrack );
-our @EXPORT_OK = qw( );
+our @EXPORT_OK = qw( handle_helper_rule );
 our $VERSION = 'MODULEVERSION';
 my %valid_ctevent = ( new => 1, related => 1, destroy => 1, reply => 1, assured => 1, protoinfo => 1, helper => 1, mark => 1, natseqinfo => 1, secmark => 1 );
@@ -41,21 +41,34 @@ my %valid_ctevent = ( new => 1, related => 1, destroy => 1, reply => 1, assured
 #
 # Notrack
 #
-sub process_notrack_rule( $$$$$$$ ) {
+sub process_conntrack_rule( $$$$$$$$$ ) {
-    my ($action, $source, $dest, $proto, $ports, $sports, $user ) = @_;
+    my ($chainref, $zoneref, $action, $source, $dest, $proto, $ports, $sports, $user ) = @_;
    require_capability 'RAW_TABLE', 'conntrack rules', '';
    $proto  = ''    if $proto  eq 'any';
    $ports  = ''    if $ports  eq 'any' || $ports  eq 'all';
    $sports = ''    if $sports eq 'any' || $sports eq 'all';
-    ( my $zone, $source) = split /:/, $source, 2;
+    my $zone;
-    my $zoneref  = find_zone $zone;
+    my $restriction = PREROUTE_RESTRICT;
    my $chainref = ensure_raw_chain( notrack_chain $zone );
    my $restriction = $zoneref->{type} == FIREWALL || $zoneref->{type} == VSERVER ? OUTPUT_RESTRICT : PREROUTE_RESTRICT;
-    fatal_error 'USER/GROUP is not allowed unless the SOURCE zone is $FW or a Vserver zone' if $user ne '-' && $restriction != OUTPUT_RESTRICT;
+    unless ( $chainref ) {
-    require_capability 'RAW_TABLE', 'Notrack rules', '';
+	#
 	# Entry in the conntrack file
 	#
 	if ( $zoneref ) {
 	    $zone = $zoneref->{name};
 	} else {
 	    ($zone, $source) = split /:/, $source, 2;
 	    $zoneref = find_zone ( $zone );
 	}
 	$chainref = ensure_raw_chain( notrack_chain $zone );
 	$restriction = OUTPUT_RESTRICT if $zoneref->{type} == FIREWALL || $zoneref->{type} == VSERVER;
 	fatal_error 'USER/GROUP is not allowed unless the SOURCE zone is $FW or a Vserver zone' if $user ne '-' && $restriction != OUTPUT_RESTRICT;
    }
    my $target = $action;
    my $exception_rule = '';
@@ -66,29 +79,45 @@ sub process_notrack_rule( $$$$$$$ ) {
 	fatal_error "Invalid notrack ACTION ( $action )" if $junk || $target ne 'CT';
-	require_capability 'CT_TARGET', 'CT entries in the notrack file', '';
+	require_capability 'CT_TARGET', 'CT entries in the conntrack file', '';
 	if ( $option eq 'notrack' ) {
-	    fatal_error "Invalid notrack ACTION ( $action )" if supplied $args;
+	    fatal_error "Invalid conntrack ACTION ( $action )" if supplied $args;
 	    $action = 'CT --notrack';
 	} else {
 	    fatal_error "Invalid or missing CT option and arguments" unless supplied $option && supplied $args;
 	    if ( $option eq 'helper' ) {
-		fatal_error "Invalid helper' ($args)" if $args =~ /,/;
+		my $modifiers = '';
-		validate_helper( $args, $proto );
+
-		$action = "CT --helper $args";
+		if ( $args =~ /^([-\w.]+)\((.+)\)$/ ) {
-		$exception_rule = do_proto( $proto, '-', '-' );
+		    $args      = $1;
-	    } elsif ( $option eq 'ctevents' ) {
+		    $modifiers = $2;
 		for ( split ',', $args ) {
 		    fatal_error "Invalid 'ctevents' event ($_)" unless $valid_ctevent{$_};
 		}
-		$action = "CT --ctevents $args";
+		fatal_error "Invalid helper' ($args)" if $args =~ /,/;
-	    } elsif ( $option eq 'expevent' ) {
+		validate_helper( $args, $proto );
-		fatal_error "Invalid expevent argument ($args)" unless $args eq 'new';
+		$action = "CT --helper $helpers_aliases{$args}";
-	    } elsif ( $option eq 'zone' ) {
+		$exception_rule = do_proto( $proto, '-', '-' );
-		fatal_error "Invalid zone id ($args)" unless $args =~ /^\d+$/;
+
 		for my $mod ( split_list1( $modifiers, 'ctevents' ) ) {
 		    fatal_error "Invalid helper option ($mod)" unless $mod =~ /^(\w+)=(.+)$/;
 		    $mod    = $1;
 		    my $val = $2;
 		    if ( $mod eq 'ctevents' ) {
 			for ( split_list( $val, 'ctevents' ) ) {
 			    fatal_error "Invalid 'ctevents' event ($_)" unless $valid_ctevent{$_};
 			}
 			$action .= " --ctevents $val";
 		    } elsif ( $mod eq 'expevents' ) {
 			fatal_error "Invalid expevent argument ($val)" unless $val eq 'new';
 			$action .= ' --expevents new';
 		    } else {
 			fatal_error "Invalid helper option ($mod)";
 		    }
 		}
 	    } else {
 		fatal_error "Invalid CT option ($option)";
 	    }
@@ -106,9 +135,60 @@ sub process_notrack_rule( $$$$$$$ ) {
 		 $target ,
 		 $exception_rule );
-    progress_message "  Notrack rule \"$currentline\" $done";
+    progress_message "  Conntrack rule \"$currentline\" $done";
 }
-    $globals{UNTRACKED} = 1;
+sub handle_helper_rule( $$$$$$$$$$$ ) {
    my ( $helper, $source, $dest, $proto, $ports, $sports, $sourceref, $action_target, $actionchain, $user, $rule ) = @_;
    if ( $helper ne '-' ) {
 	fatal_error "A HELPER is not allowed with this ACTION" if $action_target;
 	#
 	# This means that an ACCEPT or NAT rule with a helper is being processed
 	#
 	process_conntrack_rule( $actionchain ? ensure_raw_chain( $actionchain ) : undef ,
 				$sourceref ,
 				"CT:helper:$helper",
 				$source ,
 				$dest ,
 				$proto ,
 				$ports ,
 				$sports ,
 				$user );
    } else {
 	assert( $action_target );
 	#
 	# The target is an action
 	#
 	if ( $actionchain ) {
 	    #
 	    # And the source is another action chain
 	    #
 	    expand_rule( ensure_raw_chain( $actionchain ) ,
 			 PREROUTE_RESTRICT ,
 			 $rule ,
 			 $source ,
 			 $dest ,
 			 '' ,
 			 $action_target ,
 			 '',
 			 'CT' ,
 			 '' );
 	} else {
 	    expand_rule( ensure_raw_chain( notrack_chain( $sourceref->{name} ) ) ,
 			 ( $sourceref->{type} == FIREWALL || $sourceref->{type} == VSERVER ?
 			   OUTPUT_RESTRICT :
 			   PREROUTE_RESTRICT ) ,
 			 $rule ,
 			 $source ,
 			 $dest ,
 			 '' ,
 			 $action_target ,
 			 '' ,
 			 'CT' ,
 			 '' );
 	}
    }
 }
 sub process_format( $ ) {
@@ -119,51 +199,72 @@ sub process_format( $ ) {
    $format;
 }
-sub setup_notrack() {
+sub setup_conntrack() {
-    my $format = 1;
+    for my $name ( qw/notrack conntrack/ ) {
    my $action = 'NOTRACK';
-    if ( my $fn = open_file 'notrack' ) {
+	my $fn = open_file( $name );
-	first_entry "$doing $fn...";
+	if ( $fn ) {
-	my $nonEmpty = 0;
+	    my $format = 1;
-	while ( read_a_line( NORMAL_READ ) ) {
+	    my $action = 'NOTRACK';
 	    my ( $source, $dest, $proto, $ports, $sports, $user );
-	    if ( $format == 1 ) {
+	    my $empty = 1;
 		( $source, $dest, $proto, $ports, $sports, $user ) = split_line1 'Notrack File', { source => 0, dest => 1, proto => 2, dport => 3, sport => 4, user => 5 };
-		if ( $source eq 'FORMAT' ) {
+	    first_entry( "$doing $fn..." );
 		    $format = process_format( $dest );
 		    next;
 		}
-		if ( $source eq 'COMMENT' ) {
+	    while ( read_a_line( NORMAL_READ ) ) {
-		    process_comment;
+		my ( $source, $dest, $proto, $ports, $sports, $user );
 		    next;
 		}
 	    } else {
 		( $action, $source, $dest, $proto, $ports, $sports, $user ) = split_line1 'Notrack File', { action => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5, user => 6 }, { COMMENT => 0, FORMAT => 2 };
-		if ( $action eq 'FORMAT' ) {
+		if ( $format == 1 ) {
-		    $format = process_format( $source );
+		    ( $source, $dest, $proto, $ports, $sports, $user ) = split_line1 'Conntrack File', { source => 0, dest => 1, proto => 2, dport => 3, sport => 4, user => 5 };
-		    $action = 'NOTRACK';
+
-		    next;
+		    if ( $source eq 'FORMAT' ) {
 			$format = process_format( $dest );
 			next;
 		    }
 		} else {
 		    ( $action, $source, $dest, $proto, $ports, $sports, $user ) = split_line1 'Conntrack File', { action => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5, user => 6 }, { COMMENT => 0, FORMAT => 2 };
 		    if ( $action eq 'FORMAT' ) {
 			$format = process_format( $source );
 			$action = 'NOTRACK';
 			next;
 		    }
 		}
 		if ( $action eq 'COMMENT' ) {
 		    process_comment;
 		    next;
 		}
 		$empty = 0;
 		if ( $source eq 'all' ) {
 		    for my $zone (all_zones) {
 			process_conntrack_rule( undef, undef, $action, $zone, $dest, $proto, $ports, $sports, $user );
 		    }
 		} else {
 		    process_conntrack_rule( undef, undef, $action, $source, $dest, $proto, $ports, $sports, $user );
 		}
 	    }
-	    process_notrack_rule $action, $source, $dest, $proto, $ports, $sports, $user;
+	    clear_comment;
 	}
-	clear_comment;
+	    if ( $name eq 'notrack') {
 		if ( $empty ) {
 		    if ( unlink( $fn ) ) {
 			warning_message "Empty notrack file ($fn) removed";
 		    } else {
 			warning_message "Unable to remove empty notrack file ($fn): $!";
 		    }
 		} else {
 		    warning_message "Non-empty notrack file ($fn); please move its contents to the conntrack file";
 		}
 	    }
 	}
    }
 }
--- a/Shorewall/Perl/Shorewall/Rules.pm
+++ b/Shorewall/Perl/Shorewall/Rules.pm
@@ -33,6 +33,8 @@ use Shorewall::Config qw(:DEFAULT :internal);
 use Shorewall::Zones;
 use Shorewall::Chains qw(:DEFAULT :internal);
 use Shorewall::IPAddrs;
 use Shorewall::Nat qw(:rules);
 use Shorewall::Raw qw( handle_helper_rule );
 use Scalar::Util 'reftype';
 use strict;
@@ -90,7 +92,9 @@ my %rulecolumns = ( action    =>   0,
 		    connlimit =>  10,
 		    time      =>  11,
 		    headers   =>  12,
-		    switch    =>  13 );
+		    switch    =>  13,
 		    helper    =>  14,
 		  );
 use constant { MAX_MACRO_NEST_LEVEL => 5 };
@@ -914,7 +918,7 @@ sub new_action( $$ ) {
    fatal_error "Invalid action name($action)" if reserved_name( $action );
-    $actions{$action} = { actchain => ''  };
+    $actions{$action} = { actchain => '' };
    $targets{$action} = $type;
 }
@@ -1423,7 +1427,7 @@ sub process_actions() {
 }
-sub process_rule1 ( $$$$$$$$$$$$$$$$$ );
+sub process_rule1 ( $$$$$$$$$$$$$$$$$$ );
 #
 # Populate an action invocation chain. As new action tuples are encountered,
@@ -1456,14 +1460,14 @@ sub process_action( $) {
 	while ( read_a_line( NORMAL_READ ) ) {
-	    my ($target, $source, $dest, $proto, $ports, $sports, $origdest, $rate, $user, $mark, $connlimit, $time, $headers, $condition );
+	    my ($target, $source, $dest, $proto, $ports, $sports, $origdest, $rate, $user, $mark, $connlimit, $time, $headers, $condition, $helper );
 	    if ( $format == 1 ) {
 		($target, $source, $dest, $proto, $ports, $sports, $rate, $user, $mark ) =
 		    split_line1 'action file', { target => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5, rate => 6, user => 7, mark => 8 }, $rule_commands;
-		$origdest = $connlimit = $time = $headers = $condition = '-';
+		$origdest = $connlimit = $time = $headers = $condition = $helper = '-';
 	    } else {
-		($target, $source, $dest, $proto, $ports, $sports, $origdest, $rate, $user, $mark, $connlimit, $time, $headers, $condition )
+		($target, $source, $dest, $proto, $ports, $sports, $origdest, $rate, $user, $mark, $connlimit, $time, $headers, $condition, $helper )
 		    = split_line1 'action file', \%rulecolumns, $action_commands;
 	    }
@@ -1501,6 +1505,7 @@ sub process_action( $) {
 			   $time,
 			   $headers,
 			   $condition,
 			   $helper,
 			   0 );
 	}
@@ -1530,8 +1535,8 @@ sub use_policy_action( $ ) {
 #
 # Expand a macro rule from the rules file
 #
-sub process_macro ( $$$$$$$$$$$$$$$$$$ ) {
+sub process_macro ( $$$$$$$$$$$$$$$$$$$) {
-    my ($macro, $chainref, $target, $param, $source, $dest, $proto, $ports, $sports, $origdest, $rate, $user, $mark, $connlimit, $time, $headers, $condition, $wildcard ) = @_;
+    my ($macro, $chainref, $target, $param, $source, $dest, $proto, $ports, $sports, $origdest, $rate, $user, $mark, $connlimit, $time, $headers, $condition, $helper, $wildcard ) = @_;
    my $nocomment = no_comment;
@@ -1549,13 +1554,13 @@ sub process_macro ( $$$$$$$$$$$$$$$$$$ ) {
    while ( read_a_line( NORMAL_READ ) ) {
-	my ( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $morigdest, $mrate, $muser, $mmark, $mconnlimit, $mtime, $mheaders, $mcondition );
+	my ( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $morigdest, $mrate, $muser, $mmark, $mconnlimit, $mtime, $mheaders, $mcondition, $mhelper);
 	if ( $format == 1 ) {
 	    ( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $mrate, $muser ) = split_line1 'macro file', \%rulecolumns, $rule_commands;
-	    ( $morigdest, $mmark, $mconnlimit, $mtime, $mheaders, $mcondition ) = qw/- - - - - -/;
+	    ( $morigdest, $mmark, $mconnlimit, $mtime, $mheaders, $mcondition, $mhelper ) = qw/- - - - - - -/;
 	} else {
-	    ( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $morigdest, $mrate, $muser, $mmark, $mconnlimit, $mtime, $mheaders, $mcondition ) = split_line1 'macro file', \%rulecolumns, $rule_commands;
+	    ( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $morigdest, $mrate, $muser, $mmark, $mconnlimit, $mtime, $mheaders, $mcondition, $mhelper ) = split_line1 'macro file', \%rulecolumns, $rule_commands;
 	}
 	fatal_error 'TARGET must be specified' if $mtarget eq '-';
@@ -1589,7 +1594,7 @@ sub process_macro ( $$$$$$$$$$$$$$$$$$ ) {
 	my $actiontype = $targets{$action} || find_macro( $action );
-	fatal_error "Invalid Action ($mtarget) in macro" unless $actiontype & ( ACTION +  STANDARD + NATRULE + MACRO + CHAIN );
+	fatal_error( "Invalid Action ($mtarget) in macro", $actiontype ) unless $actiontype & ( ACTION + STANDARD + NATRULE + MACRO + CHAIN );
 	if ( $msource ) {
 	    if ( $msource eq '-' ) {
@@ -1634,6 +1639,7 @@ sub process_macro ( $$$$$$$$$$$$$$$$$$ ) {
 				    merge_macro_column( $mtime,      $time ),
 				    merge_macro_column( $mheaders,   $headers ),
 				    merge_macro_column( $mcondition, $condition ),
 				    merge_macro_column( $mhelper,    $helper ),
 				    $wildcard
 				   );
@@ -1666,7 +1672,7 @@ sub verify_audit($;$$) {
 # Similarly, if a new action tuple is encountered, this function is called recursively for each rule in the action
 # body. In this latter case, a reference to the tuple's chain is passed in the first ($chainref) argument.
 #
-sub process_rule1 ( $$$$$$$$$$$$$$$$ $) {
+sub process_rule1 ( $$$$$$$$$$$$$$$$$$ ) {
    my ( $chainref,   #reference to Action Chain if we are being called from process_action(); undef otherwise
 	 $target,
 	 $current_param,
@@ -1683,9 +1689,10 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$ $) {
 	 $time,
 	 $headers,
 	 $condition,
 	 $helper,
 	 $wildcard ) = @_;
-    my ( $action, $loglevel) = split_action $target;
+    my ( $action, $loglevel)    = split_action $target;
    my ( $basictarget, $param ) = get_target_param $action;
    my $rule = '';
    my $optimize = $wildcard ? ( $basictarget =~ /!$/ ? 0 : $config{OPTIMIZE} & 5 ) : 0;
@@ -1734,6 +1741,7 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$ $) {
 				       $time,
 				       $headers,
 				       $condition,
 				       $helper,
 				       $wildcard );
 	$macro_nest_level--;
@@ -1757,7 +1765,7 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$ $) {
    #
    # We can now dispense with the postfix character
    #
-    fatal_error "The +, - and ! modifiers are not allowed in the blrules file" if $action =~ s/[\+\-!]$// && $blacklist;
+    fatal_error "The +, - and ! modifiers are not allowed in the blrules file" if $action =~ s/[-+!]$// && $blacklist;
    #
    # Handle actions
    #
@@ -1775,12 +1783,13 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$ $) {
 	    #
 	    process_action( $ref );
 	    #
-	    # Processing the action may determine that the action or one of it's dependents does NAT, so:
+	    # Processing the action may determine that the action or one of it's dependents does NAT or HELPER, so:
 	    #
 	    #    - Refresh $actiontype
-	    #    - Create the associate nat table chain if appropriate.
+	    #    - Create the associated nat and/or table chain if appropriate.
 	    #
 	    ensure_chain( 'nat', $ref->{name} ) if ( $actiontype = $targets{$basictarget} ) & NATRULE;
 	    ensure_chain( 'raw', $ref->{name} ) if ( $actiontype & HELPER );
 	}
 	$action = $basictarget; # Remove params, if any, from $action.
@@ -1795,6 +1804,10 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$ $) {
 	$targets{$inaction} |= NATRULE if $inaction;
 	fatal_error "NAT rules are only allowed in the NEW section" unless $section eq 'NEW';
    }
    if ( $actiontype & HELPER ) {
 	fatal_error "HELPER rules are only allowed in the NEW section" unless $section eq 'NEW';
    }
    #
    # Take care of irregular syntax and targets
    #
@@ -1805,37 +1818,51 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$ $) {
 	$bt =~ s/[-+!]$//;
-	my %functions = ( ACCEPT => sub() { $action = 'RETURN' if $blacklist; } ,
+	my %functions =
 	    ( ACCEPT => sub() { 
 		  if ( $blacklist ) {
 		      $action = 'RETURN';
 		  } elsif ( $helper ne '-' ) {
 		      $actiontype |= HELPER if $section eq 'NEW';
 		  }
 	      } ,
 	      REDIRECT => sub () {
 		  my $z = $actiontype & NATONLY ? '' : firewall_zone;
 		  if ( $dest eq '-' ) {
 		      $dest = $inaction ? '' : join( '', $z, '::' , $ports =~ /[:,]/ ? '' : $ports );
 		  } elsif ( $inaction ) {
 		      $dest = ":$dest";
 		  } else {
 		      $dest = join( '', $z, '::', $dest ) unless $dest =~ /^[^\d].*:/;
 		  }
 	      } ,
-			  REDIRECT => sub () {
+	      REJECT => sub { $action = 'reject'; } ,
 			      my $z = $actiontype & NATONLY ? '' : firewall_zone;
 			      if ( $dest eq '-' ) {
 				  $dest = $inaction ? '' : join( '', $z, '::' , $ports =~ /[:,]/ ? '' : $ports );
 			      } elsif ( $inaction ) {
 				  $dest = ":$dest";
 			      } else {
 				  $dest = join( '', $z, '::', $dest ) unless $dest =~ /^[^\d].*:/;
 			      }
 			  } ,
-			  REJECT => sub { $action = 'reject'; } ,
+	      CONTINUE => sub { $action = 'RETURN'; } ,
-			  CONTINUE => sub { $action = 'RETURN'; } ,
+	      WHITELIST => sub {
 		  fatal_error "'WHITELIST' may only be used in the blrules file" unless $blacklist;
 		  $action = 'RETURN';
 	      } ,
-			  WHITELIST => sub {
+	      COUNT => sub { $action = ''; } ,
 			      fatal_error "'WHITELIST' may only be used in the blrules file" unless $blacklist;
 			      $action = 'RETURN';
 			  } ,
-			  COUNT => sub { $action = ''; } ,
+	      LOG => sub { fatal_error 'LOG requires a log level' unless supplied $loglevel; } ,
-			  LOG => sub { fatal_error 'LOG requires a log level' unless supplied $loglevel; } ,
+	      HELPER => sub { 
-		     );
+		  fatal_error "HELPER requires require that the helper be specified in the HELPER column" if $helper eq '-';
 		  fatal_error "HELPER rules may only appear in the NEW section" unless $section eq 'NEW';
 		  $action = ''; } ,
 	    );
 	my $function = $functions{ $bt };
 	if ( $function ) {
 	    $function->();
 	} elsif ( $actiontype & NATRULE && $helper ne '-' ) {
 	    $actiontype |= HELPER;
 	} elsif ( $actiontype & SET ) {
 	    my %xlate = ( ADD => 'add-set' , DEL => 'del-set' );
@@ -1920,7 +1947,7 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$ $) {
    #
    # Take care of chain
    #
-    my ( $chain, $policy );
+    my $chain;
    if ( $inaction ) {
        #
@@ -1943,8 +1970,8 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$ $) {
 	    #
 	    # Ensure that the chain exists but don't mark it as referenced until after optimization is checked
 	    #
-	    $chainref = ensure_chain 'filter', $chain;
+	    $chainref  = ensure_chain 'filter', $chain;
-	    $policy   = $chainref->{policy};
+	    my $policy = $chainref->{policy};
 	    if ( $policy eq 'NONE' ) {
 		return 0 if $wildcard;
@@ -1956,7 +1983,7 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$ $) {
 	    if ( $optimize == 1 && $section eq 'NEW' ) {
 		my $loglevel = $filter_table->{$chainref->{policychain}}{loglevel};
 		if ( $loglevel ne '' ) {
-		    return 0 if $target eq "${policy}:$loglevel}";
+		    return 0 if $target eq "${policy}:${loglevel}";
 		} else {
 		    return 0 if $basictarget eq $policy;
 		}
@@ -2002,6 +2029,18 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$ $) {
 		      do_headers( $headers ) ,
 		      do_condition( $condition ) ,
 		    );
    } elsif ( $section eq 'RELATED' ) {
 	$rule = join( '',
 		      do_proto($proto, $ports, $sports),
 		      do_ratelimit( $ratelimit, $basictarget ) ,
 		      do_user( $user ) ,
 		      do_test( $mark , $globals{TC_MASK} ) ,
 		      do_connlimit( $connlimit ),
 		      do_time( $time ) ,
 		      do_headers( $headers ) ,
 		      do_condition( $condition ) ,
 		      do_helper( $helper ) ,
 		    );
    } else {
 	$rule = join( '',
 		      do_proto($proto, $ports, $sports),
@@ -2019,143 +2058,59 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$ $) {
 	if ( $config{FASTACCEPT} ) {
 	    fatal_error "Entries in the $section SECTION of the rules file not permitted with FASTACCEPT=Yes" unless
 		$section eq 'BLACKLIST' ||
-		( $section eq 'RELATED' && ( $config{RELATED_DISPOSITION} ne 'ACCEPT' || $config{RELATED_LOG_LEVEL} ) )
+		    ( $section eq 'RELATED' && ( $config{RELATED_DISPOSITION} ne 'ACCEPT' || $config{RELATED_LOG_LEVEL} ) )
-	}
+		}
 	fatal_error "$basictarget rules are not allowed in the $section SECTION" if $actiontype & ( NATRULE | NONAT );
 	$rule .= "$globals{STATEMATCH} $section " unless $section eq 'ALL' || $blacklist;
    }
    #
    # Generate CT rules(s), if any
    #
    if ( $actiontype & HELPER ) {
 	handle_helper_rule( $helper,
 			    $source,
 			    $origdest ? $origdest : $dest,
 			    $proto,
 			    $ports,
 			    $sports,
 			    $sourceref,
 			    ( $actiontype & ACTION ) ? $usedactions{$normalized_target}->{name} : '',
 			    $inaction ? $chain : '' ,
 			    $user ,
 			    $rule ,
 			  );
 	$targets{$inaction} |= HELPER if $inaction; 
    }
    # Generate NAT rule(s), if any
    #
    if ( $actiontype & NATRULE ) {
 	my ( $server, $serverport );
 	my $randomize = $dest =~ s/:random$// ? ' --random' : '';
 	require_capability( 'NAT_ENABLED' , "$basictarget rules", '' );
 	#
-	# Isolate server port
+	# Add the appropriate rule to the nat table
 	#
-	if ( $dest =~ /^(.*)(:(.+))$/ ) {
+	( $ports,
-	    #
+	  $origdstports,
-	    # Server IP and Port
+	  $dest ) = handle_nat_rule( $dest,
-	    #
+				     $proto,
-	    $server = $1;      # May be empty
+				     $ports,
-	    $serverport = $3;  # Not Empty due to RE
+				     $origdest,
-	    $origdstports = $ports;
+				     ( $actiontype & ACTION ) ? $usedactions{$normalized_target}->{name} : '',
 				     $action,
 				     $sourceref,
 				     $inaction ? $chain : '',
 				     $rule,
 				     $source,
 				     ( $actiontype & ACTION ) ? '' : $loglevel,
 				     $log_action,
 				   );
 	    if ( $origdstports && $origdstports ne '-' && port_count( $origdstports ) == 1 ) {
 		$origdstports = validate_port( $proto, $origdstports );
 	    } else {
 		$origdstports = '';
 	    }
 	    if ( $serverport =~ /^(\d+)-(\d+)$/ ) {
 		#
 		# Server Port Range
 		#
 		fatal_error "Invalid port range ($serverport)" unless $1 < $2;
 		my @ports = ( $1, $2 );
 		$_ = validate_port( proto_name( $proto ), $_) for ( @ports );
 		( $ports = $serverport ) =~ tr/-/:/;
 	    } else {
 		$serverport = $ports = validate_port( proto_name( $proto ), $serverport );
 	    }
 	} elsif ( $dest eq ':' ) {
 	    #
 	    # Rule with no server IP or port ( zone:: )
 	    #
 	    $server = $serverport = '';
 	} else {
 	    #
 	    # Simple server IP address (may be empty or "-")
 	    #
 	    $server = $dest;
 	    $serverport = '';
 	}
 	#
 	# Generate the target
 	#
 	my $target = '';
 	if ( $actiontype  & REDIRECT ) {
 	    fatal_error "A server IP address ($server) may not be specified in a REDIRECT rule" if $server;
 	    $target  = 'REDIRECT';
 	    $target .= " --to-port $serverport" if $serverport;
 	    if ( $origdest eq '' || $origdest eq '-' ) {
 		$origdest = ALLIP;
 	    } elsif ( $origdest eq 'detect' ) {
 		fatal_error 'ORIGINAL DEST "detect" is invalid in an action' if $inaction;
 		if ( $config{DETECT_DNAT_IPADDRS} && $sourcezone ne firewall_zone ) {
 		    my $interfacesref = $sourceref->{interfaces};
 		    my @interfaces = keys %$interfacesref;
 		    $origdest = @interfaces ? "detect:@interfaces" : ALLIP;
 		} else {
 		    $origdest = ALLIP;
 		}
 	    }
 	} elsif ( $actiontype & ACTION ) {
 	    fatal_error "A server port ($serverport) is not allowed in $action rule" if $serverport;
 	    $target = $usedactions{$normalized_target}->{name};
 	    $loglevel = '';
 	} else {
 	    if ( $server eq '' ) {
 		fatal_error "A server and/or port must be specified in the DEST column in $action rules" unless $serverport;
 	    } elsif ( $server =~ /^(.+)-(.+)$/ ) {
 		validate_range( $1, $2 );
 	    } else {
 		unless ( $server eq ALLIP ) {
 		    my @servers = validate_address $server, 1;
 		    $server = join ',', @servers;
 		}
 	    }
 	    if ( $action eq 'DNAT' ) {
 		$target = 'DNAT';
 		if ( $server ) {
 		    $serverport = ":$serverport" if $serverport;
 		    for my $serv ( split /,/, $server ) {
 			$target .= " --to-destination ${serv}${serverport}";
 		    }
 		} else {
 		    $target .= " --to-destination :$serverport";
 		}
 	    }
 	    unless ( $origdest && $origdest ne '-' && $origdest ne 'detect' ) {
 		if ( ! $inaction && $config{DETECT_DNAT_IPADDRS} && $sourcezone ne firewall_zone ) {
 		    my $interfacesref = $sourceref->{interfaces};
 		    my @interfaces = keys %$interfacesref;
 		    $origdest = @interfaces ? "detect:@interfaces" : ALLIP;
 		} else {
 		    $origdest = ALLIP;
 		}
 	    }
 	}
 	$target .= $randomize;
 	#
 	# And generate the nat table rule(s)
 	#
 	expand_rule ( ensure_chain ('nat' , $inaction ? $chain : $sourceref->{type} == FIREWALL ? 'OUTPUT' : dnat_chain $sourcezone ),
 		      PREROUTE_RESTRICT ,
 		      $rule ,
 		      $source ,
 		      $origdest ,
 		      '' ,
 		      $target ,
 		      $loglevel ,
 		      $log_action ,
 		      $serverport ? do_proto( $proto, '', '' ) : '',
 		    );
 	#
 	# After NAT:
 	#   - the destination port will be the server port ($ports) -- we did that above
-	#   - the destination IP   will be the server IP   ($dest)
+	#   - the destination IP will be the server IP   ($dest)  -- also done above
 	#   - there will be no log level (we log NAT rules in the nat table rather than in the filter table).
 	#   - the target will be ACCEPT.
 	#
@@ -2168,89 +2123,25 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$ $) {
 			  do_condition( $condition )
 			);
 	    $loglevel = '';
 	    $dest     = $server;
 	    $action   = 'ACCEPT';
 	    $origdest = ALLIP if  $origdest =~ /[+]/;
 	    $helper   = '-';
 	}
    } elsif ( $actiontype & NONAT ) {
 	#
-	# NONAT or ACCEPT+ -- May not specify a destination interface
+	# NONAT or ACCEPT+
 	#
-	fatal_error "Invalid DEST ($dest) in $action rule" if $dest =~ /:/;
+	handle_nonat_rule( $action,
-
+			   $source,
-	$origdest = '' unless $origdest and $origdest ne '-';
+			   $dest,
-
+			   $origdest,
-	if ( $origdest eq 'detect' ) {
+			   $sourceref,
-	    my $interfacesref = $sourceref->{interfaces};
+			   $inaction,
-	    my $interfaces = [ ( keys %$interfacesref ) ];
+			   $chain,
-	    $origdest = $interfaces ? "detect:@$interfaces" : ALLIP;
+			   $loglevel,
-	}
+			   $log_action,
-
+			   $rule
-	my $tgt = 'RETURN';
+			 );
 	my $nonat_chain;
 	my $chn;
 	if ( $inaction ) {
 	    $nonat_chain = ensure_chain( 'nat', $chain );
 	} elsif ( $sourceref->{type} == FIREWALL ) {
 	    $nonat_chain = $nat_table->{OUTPUT};
 	} else {
 	    $nonat_chain = ensure_chain( 'nat', dnat_chain( $sourcezone ) );
 	    my @interfaces = keys %{zone_interfaces $sourcezone};
 	    for ( @interfaces ) {
 		my $ichain = input_chain $_;
 		if ( $nat_table->{$ichain} ) {
 		    #
 		    # Static NAT is defined on this interface
 		    #
 		    $chn = new_chain( 'nat', newnonatchain ) unless $chn;
 		    add_ijump $chn, j => $nat_table->{$ichain}, @interfaces > 1 ? imatch_source_dev( $_ )  : ();
 		}
 	    }
 	    if ( $chn ) {
 		#
 		# Call expand_rule() to correctly handle logging. Because
 		# the 'logname' argument is passed, expand_rule() will
 		# not create a separate logging chain but will rather emit
 		# any logging rule in-line.
 		#
 		expand_rule( $chn,
 			     PREROUTE_RESTRICT,
 			     '', # Rule
 			     '', # Source
 			     '', # Dest
 			     '', # Original dest
 			     'ACCEPT',
 			     $loglevel,
 			     $log_action,
 			     '',
 			     dnat_chain( $sourcezone  ) );
 		$loglevel = '';
 		$tgt = $chn->{name};
 	    } else {
 		$tgt = 'ACCEPT';
 	    }
 	}
 	set_optflags( $nonat_chain, DONT_MOVE | DONT_OPTIMIZE ) if $tgt eq 'RETURN';
 	expand_rule( $nonat_chain ,
 		     PREROUTE_RESTRICT ,
 		     $rule ,
 		     $source ,
 		     $dest ,
 		     $origdest ,
 		     $tgt,
 		     $loglevel ,
 		     $log_action ,
 		     '',
 		   );
    }
    #
@@ -2390,7 +2281,7 @@ sub build_zone_list( $$$\$\$ ) {
 # Process a Record in the rules file
 #
 sub process_rule ( ) {
-    my ( $target, $source, $dest, $protos, $ports, $sports, $origdest, $ratelimit, $user, $mark, $connlimit, $time, $headers, $condition )
+    my ( $target, $source, $dest, $protos, $ports, $sports, $origdest, $ratelimit, $user, $mark, $connlimit, $time, $headers, $condition, $helper )
 	= split_line1 'rules file', \%rulecolumns, $rule_commands;
    fatal_error 'ACTION must be specified' if $target eq '-';
@@ -2447,6 +2338,7 @@ sub process_rule ( ) {
 						 $time,
 						 $headers,
 						 $condition,
 						 $helper,
 						 $wild );
 		}
 	    }
@@ -2471,7 +2363,7 @@ sub classic_blacklist() {
    my $fw       = firewall_zone;
    my @zones    = off_firewall_zones;
    my @vservers = vserver_zones;
-    my @state = $config{BLACKLISTNEWONLY} ? $globals{UNTRACKED} ? state_imatch 'NEW,INVALID,UNTRACKED' : state_imatch 'NEW,INVALID' : ();
+    my @state = $config{BLACKLISTNEWONLY} ? have_capability( 'RAW_TABLE' ) ? state_imatch 'NEW,INVALID,UNTRACKED' : state_imatch 'NEW,INVALID' : ();
    my $result;
    for my $zone ( @zones ) {
--- a/Shorewall/Perl/Shorewall/Tc.pm
+++ b/Shorewall/Perl/Shorewall/Tc.pm
@@ -853,6 +853,8 @@ sub process_simple_device() {
    progress_message "  Simple tcdevice \"$currentline\" $done.";
 }
 my %validlinklayer = ( ethernet => 1, atm => 1, adsl => 1 );
 sub validate_tc_device( ) {
    my ( $device, $inband, $outband , $options , $redirected ) = split_line 'tcdevices', { interface => 0, in_bandwidth => 1, out_bandwidth => 2, options => 3, redirect => 4 };
@@ -887,7 +889,8 @@ sub validate_tc_device( ) {
    fatal_error "Duplicate INTERFACE ($device)"    if $tcdevices{$device};
    fatal_error "Invalid INTERFACE name ($device)" if $device =~ /[:+]/;
-    my ( $classify, $pfifo, $flow, $qdisc )  = (0, 0, '', 'htb' );
+    my ( $classify, $pfifo, $flow, $qdisc, $linklayer, $overhead, $mtu, $mpu, $tsize ) = 
 	(0,         0,      '',    'htb',  '',         0,         0,    0,    0);
    if ( $options ne '-' ) {
 	for my $option ( split_list1 $options, 'option' ) {
@@ -903,6 +906,25 @@ sub validate_tc_device( ) {
 		$qdisc = 'hfsc';
 	    } elsif ( $option eq 'htb' ) {
 		$qdisc = 'htb';
 	    } elsif ( $option =~ /^linklayer=([a-z]+)$/ ) {
 		$linklayer = $1;
 		fatal_error "Invalid linklayer ($linklayer)" unless $validlinklayer{ $linklayer };
 	    } elsif ( $option =~ /^overhead=(.+)$/ ) {
 		$overhead = numeric_value( $1 );
 		fatal_error "Invalid overhead ($1)" unless defined $overhead;
 		fatal_error q('overhead' requires 'linklayer') unless $linklayer; 
 	    } elsif ( $option =~ /^mtu=(.+)$/ ) {
 		$mtu = numeric_value( $1 );
 		fatal_error "Invalid mtu ($1)" unless defined $mtu;
 		fatal_error q('mtu' requires 'linklayer') unless $linklayer; 
 	    } elsif ( $option =~ /^mpu=(.+)$/ ) {
 		$mpu = numeric_value( $1 );
 		fatal_error "Invalid mpu ($1)" unless defined $mpu;
 		fatal_error q('mpu' requires 'linklayer') unless $linklayer;
 	    } elsif ( $option =~ /^tsize=(.+)$/ ) {
 		$tsize = numeric_value( $1 );
 		fatal_error "Invalid tsize ($1)" unless defined $tsize;
 		fatal_error q('tsize' requires 'linklayer') unless $linklayer; 
 	    } else {
 		fatal_error "Unknown device option ($option)";
 	    }
@@ -941,7 +963,12 @@ sub validate_tc_device( ) {
 			    guarantee     => 0,
 			    name          => $device,
 			    physical      => physical_name $device,
-			    filters       => []
+			    filters       => [],
 			    linklayer     => $linklayer,
 			    overhead      => $overhead,
 			    mtu           => $mtu,
 			    mpu           => $mpu,
 			    tsize         => $tsize,
 			  } ,
    push @tcdevices, $device;
@@ -975,7 +1002,7 @@ sub convert_delay( $ ) {
    my $delay = shift;
    return 0 unless $delay;
-    return $1 if $delay =~ /^(\d+)(ms)?$/;
+    return $1 if $delay =~ /^(\d+(\.\d+)?)(ms)?$/;
    fatal_error "Invalid Delay ($delay)";
 }
@@ -1004,6 +1031,18 @@ sub dev_by_number( $ ) {
    ( $dev , $devref );
 }
 use constant { RED_INTEGER => 1, RED_FLOAT => 2, RED_NONE => 3 };
 my %validredoptions = ( min         => RED_INTEGER,
 			max         => RED_INTEGER,
 			limit       => RED_INTEGER,
 			burst       => RED_INTEGER,
 			avpkt       => RED_INTEGER,
 			bandwidth   => RED_INTEGER,
 			probability => RED_FLOAT,
 			ecn         => RED_NONE,
 		      );
 sub validate_tc_class( ) {
    my ( $devclass, $mark, $rate, $ceil, $prio, $options ) =
 	split_line 'tcclasses file', { interface => 0, mark => 1, rate => 2, ceil => 3, prio => 4, options => 5 };
@@ -1013,6 +1052,7 @@ sub validate_tc_class( ) {
    my $occurs = 1;
    my $parentclass = 1;
    my $parentref;
    my $lsceil = 0;
    fatal_error 'INTERFACE must be specified' if $devclass eq '-';
    fatal_error 'CEIL must be specified'      if $ceil eq '-';
@@ -1059,22 +1099,18 @@ sub validate_tc_class( ) {
    my $markval = 0;
    if ( $mark ne '-' ) {
-	if ( $devref->{classify} ) {
+	fatal_error "MARK may not be specified when TC_BITS=0" unless $config{TC_BITS};
-	    warning_message "INTERFACE $device has the 'classify' option - MARK value ($mark) ignored";
+
 	$markval = numeric_value( $mark );
 	fatal_error "Invalid MARK ($markval)" unless defined $markval;
 	fatal_error "Invalid Mark ($mark)" unless $markval <= $globals{TC_MAX};
 	if ( $classnumber ) {
 	    fatal_error "Duplicate Class NUMBER ($classnumber)" if $tcref->{$classnumber};
 	} else {
-	    fatal_error "MARK may not be specified when TC_BITS=0" unless $config{TC_BITS};
+	    $classnumber = $config{TC_BITS} >= 14 ? $devref->{nextclass}++ : hex_value( $devnum . $markval );
-
+	    fatal_error "Duplicate MARK ($mark)" if $tcref->{$classnumber};
 	    $markval = numeric_value( $mark );
 	    fatal_error "Invalid MARK ($markval)" unless defined $markval;
 	    fatal_error "Invalid Mark ($mark)" unless $markval <= $globals{TC_MAX};
 	    if ( $classnumber ) {
 		fatal_error "Duplicate Class NUMBER ($classnumber)" if $tcref->{$classnumber};
 	    } else {
 		$classnumber = $config{TC_BITS} >= 14 ? $devref->{nextclass}++ : hex_value( $devnum . $markval );
 		fatal_error "Duplicate MARK ($mark)" if $tcref->{$classnumber};
 	    }
 	}
    } else {
 	fatal_error "Duplicate Class NUMBER ($classnumber)" if $tcref->{$classnumber};
@@ -1089,7 +1125,9 @@ sub validate_tc_class( ) {
 	my $parentnum = in_hexp $parentclass;
 	fatal_error "Unknown Parent class ($parentnum)" unless $parentref && $parentref->{occurs} == 1;
 	fatal_error "The class ($parentnum) specifies UMAX and/or DMAX; it cannot serve as a parent" if $parentref->{dmax};
-	fatal_error "The class ($parentnum) specifies flow; it cannot serve as a parent"             if $parentref->{flow};
+	fatal_error "The class ($parentnum) specifies 'flow'; it cannot serve as a parent"           if $parentref->{flow};
 	fatal_error "The class ($parentnum) specifies 'red'; it cannot serve as a parent "           if $parentref->{red};
 	fatal_error "The class ($parentnum) has an 'ls' curve; it cannot serve as a parent "         if $parentref->{lsceil};
 	fatal_error "The default class ($parentnum) may not have sub-classes"                        if ( $devref->{default} || 0 ) == $parentclass;
 	$parentref->{leaf} = 0;
 	$ratemax  = $parentref->{rate};
@@ -1100,16 +1138,27 @@ sub validate_tc_class( ) {
    my ( $umax, $dmax ) = ( '', '' );
    if ( $ceil =~ /^(.+):(.+)/ ) {
 	fatal_error "An LS rate may only be specified for HFSC classes" unless $devref->{qdisc} eq 'hfsc';
 	$lsceil = $1;
 	$ceil   = $2;
    }
    if ( $devref->{qdisc} eq 'hfsc' ) {
-	( my $trate , $dmax, $umax , my $rest ) = split ':', $rate , 4;
+	if ( $rate eq '-' ) {
 	    fatal_error 'A RATE must be supplied' unless $lsceil;
 	    $rate = 0;
 	} else {
 	    ( my $trate , $dmax, $umax , my $rest ) = split ':', $rate , 4;
-	fatal_error "Invalid RATE ($rate)" if defined $rest;
+	    fatal_error "Invalid RATE ($rate)" if defined $rest;
-	$rate = convert_rate ( $ratemax, $trate, 'RATE', $ratename );
+	    $rate = convert_rate ( $ratemax, $trate, 'RATE', $ratename );
-	$dmax = convert_delay( $dmax );
+	    $dmax = convert_delay( $dmax );
-	$umax = convert_size( $umax );
+	    $umax = convert_size( $umax );
-	fatal_error "DMAX must be specified when UMAX is specified" if $umax && ! $dmax;
+	    fatal_error "DMAX must be specified when UMAX is specified" if $umax && ! $dmax;
-	$parentclass ||= 1;
+	    $parentclass ||= 1;
 	}
    } else {
 	$rate = convert_rate ( $ratemax, $rate, 'RATE' , $ratename );
    }
@@ -1126,7 +1175,8 @@ sub validate_tc_class( ) {
 			       rate      => $rate ,
 			       umax      => $umax ,
 			       dmax      => $dmax ,
-			       ceiling   => convert_rate( $ceilmax, $ceil, 'CEIL' , $ceilname ) ,
+			       ceiling   => $ceil   = ( supplied $ceil   ? convert_rate( $ceilmax, $ceil,   'CEIL'  , $ceilname ) : 0 ),
 			       lsceil    => $lsceil = ( $lsceil          ? convert_rate( $ceilmax, $lsceil, 'LSCEIL', $ceilname ) : 0 ),
 			       priority  => $prio eq '-' ? 1 : $prio ,
 			       mark      => $markval ,
 			       flow      => '' ,
@@ -1140,7 +1190,9 @@ sub validate_tc_class( ) {
    $tcref = $tcref->{$classnumber};
-    fatal_error "RATE ($tcref->{rate}) exceeds CEIL ($tcref->{ceiling})" if $tcref->{rate} > $tcref->{ceiling};
+    fatal_error "RATE ($rate) exceeds CEIL ($ceil)" if $rate && $ceil && $rate > $ceil;
    my ( $red, %redopts ) = ( 0, ( avpkt => 1000 ) );
    unless ( $options eq '-' ) {
 	for my $option ( split_list1 "\L$options", 'option' ) {
@@ -1165,9 +1217,11 @@ sub validate_tc_class( ) {
 		push @{$tcref->{tos}}, $option;
 	    } elsif ( $option =~ /^flow=(.*)$/ ) {
 		fatal_error "The 'flow' option is not allowed with 'pfifo'" if $tcref->{pfifo};
 		fatal_error "The 'flow' option is not allowed with 'red'"   if $tcref->{red};
 		$tcref->{flow} = process_flow $1;
 	    } elsif ( $option eq 'pfifo' ) {
-		fatal_error "The 'pfifo'' option is not allowed with 'flow='" if $tcref->{flow};
+		fatal_error "The 'pfifo' option is not allowed with 'flow='" if $tcref->{flow};
 		fatal_error "The 'pfifo' option is not allowed with 'red='"  if $tcref->{red};
 		$tcref->{pfifo} = 1;
 	    } elsif ( $option =~ /^occurs=(\d+)$/ ) {
 		my $val = $1;
@@ -1188,6 +1242,57 @@ sub validate_tc_class( ) {
 		warning_message "limit ignored with pfifo queuing" if $tcref->{pfifo};
 		fatal_error "Invalid limit ($1)" if $1 < 3 || $1 > 128;
 		$tcref->{limit} = $1;
 	    } elsif ( $option =~ s/^red=// ) {
 		fatal_error "The 'red=' option is not allowed with 'flow='" if $tcref->{flow};
 		fatal_error "The 'red=' option is not allowed with 'pfifo'" if $tcref->{pfifo};
 		$tcref->{red} = 1;
 		my $opttype;
 		for my $redopt ( split_list( $option , q('red' option list) ) ) {
 		    #
 		    #                            $2  ----------------------
 		    #              $1  ------       | $3 -------           |
 		    #                 |      |      |   |       |          |
 		    if ( $redopt =~ /^([a-z]+) (?:= (   ([01]?\.)?(\d{1,8})) )?$/x ) {
 			fatal_error "Invalid RED option ($1)" unless $opttype = $validredoptions{$1};
 			if ( $2 ) {
 			    #
 			    # '=<value>' supplied
 			    #
 			    fatal_error "The $1 option does not take a value" if $opttype == RED_NONE;
 			    if ( $3 ) {
 				#
 				# fractional value
 				#
 				fatal_error "The $1 option requires an integer value"  if $opttype == RED_INTEGER;
 				fatal_error "The value of $1 must be <= 1" if $2 > 1;
 			    } else {
 				#
 				# Integer value
 				#
 				fatal_error "The $1 option requires a value 0 <= value <= 1" if $opttype == RED_FLOAT;
 			    }
 			} else {
 			    #
 			    # No value supplied
 			    #
 			    fatal_error "The $1 option requires a value" unless $opttype == RED_NONE;
 			}
 			$redopts{$1} = $2;
 		    } else {
 			fatal_error "Invalid RED option specification ($redopt)";
 		    }
 		}
 		for ( qw/ limit min max avpkt burst probability / ) {
 		    fatal_error "The $_ 'red' option is required" unless $redopts{$_};
 		}
 		fatal_error "The 'max' red option must be at least 2 * 'min'"   unless $redopts{max}   >= 2 * $redopts{min};
 		fatal_error "The 'limit' red option must be at least 2 * 'max'" unless $redopts{limit} >= 2 * $redopts{min};
 		$redopts{ecn} = 1 if exists $redopts{ecn};
 		$tcref->{redopts} = \%redopts;
 	    } else {
 		fatal_error "Unknown option ($option)";
 	    }
@@ -1219,6 +1324,8 @@ sub validate_tc_class( ) {
 					       occurs   => 0,
 					       parent   => $parentclass,
 					       limit    => $tcref->{limit},
 					       red      => $tcref->{red},
 					       redopts  => $tcref->{redopts},
 					     };
 	push @tcclasses, "$device:$classnumber";
    };
@@ -1550,7 +1657,6 @@ sub process_tc_priority() {
 					   $interface eq '-' &&
 					   $helper    eq '-' );
    my $val = numeric_value $band;
    fatal_error "Invalid PRIORITY ($band)" unless $val && $val <= 3;
@@ -1642,7 +1748,7 @@ sub process_tcpri() {
 			);
 	    add_ijump( $mangle_table->{tcpost} ,
-		       j    => 'CONNMARK --save-mark --ctmask '    . in_hex( $globals{TC_MASK} ),
+		       j    => 'CONNMARK --save-mark --mask '    . in_hex( $globals{TC_MASK} ),
 		       mark => '! --mark 0/' . in_hex( $globals{TC_MASK} )
 		     );
 	}
@@ -1711,11 +1817,22 @@ sub process_traffic_shaping() {
 		   "${dev}_mtu1=\$(get_device_mtu1 $device)"
 		 );
 	    my $stab;
 	    if ( $devref->{linklayer} ) {
 		$stab =  "stab linklayer $devref->{linklayer} overhead $devref->{overhead} ";
 		$stab .= "mtu $devref->{mtu} "     if $devref->{mtu};
 		$stab .= "mpu $devref->{mpu} "     if $devref->{mpu};
 		$stab .= "tsize $devref->{tsize} " if $devref->{tsize};
 	    } else {
 		$stab = '';
 	    }
 	    if ( $devref->{qdisc} eq 'htb' ) {
-		emit ( "run_tc qdisc add dev $device root handle $devnum: htb default $defmark r2q $r2q" ,
+		emit ( "run_tc qdisc add dev $device ${stab}root handle $devnum: htb default $defmark r2q $r2q" ,
 		       "run_tc class add dev $device parent $devnum: classid $devnum:1 htb rate $devref->{out_bandwidth} \$${dev}_mtu1" );
 	    } else {
-		emit ( "run_tc qdisc add dev $device root handle $devnum: hfsc default $defmark" ,
+		emit ( "run_tc qdisc add dev $device ${stab}root handle $devnum: hfsc default $defmark" ,
 		       "run_tc class add dev $device parent $devnum: classid $devnum:1 hfsc sc rate $devref->{out_bandwidth} ul rate $devref->{out_bandwidth}" );
 	    }
@@ -1739,8 +1856,9 @@ sub process_traffic_shaping() {
 	    handle_in_bandwidth( $device, $devref->{in_bandwidth} );
 	    for my $rdev ( @{$devref->{redirected}} ) {
-		emit ( "run_tc qdisc add dev $rdev handle ffff: ingress" );
+		my $phyrdev = get_physical( $rdev );
-		emit( "run_tc filter add dev $rdev parent ffff: protocol all u32 match u32 0 0 action mirred egress redirect dev $device > /dev/null" );
+		emit ( "run_tc qdisc add dev $phyrdev handle ffff: ingress" );
 		emit( "run_tc filter add dev $phyrdev parent ffff: protocol all u32 match u32 0 0 action mirred egress redirect dev $device > /dev/null" );
 	    }
 	    for my $class ( @tcclasses ) {
@@ -1761,10 +1879,12 @@ sub process_traffic_shaping() {
 		my $mark     = $tcref->{mark};
 		my $devicenumber  = in_hexp $devref->{number};
 		my $classid  = join( ':', $devicenumber, $classnum);
-		my $rate     = "$tcref->{rate}kbit";
+		my $rawrate  = $tcref->{rate};
 		my $rate     = "${rawrate}kbit";
 		my $lsceil   = $tcref->{lsceil};
 		my $quantum  = calculate_quantum $rate, calculate_r2q( $devref->{out_bandwidth} );
-		$classids{$classid}=$device;
+		$classids{$classid}=$devname;
 		my $priority = $tcref->{priority} << 8;
 		my $parent   = in_hexp $tcref->{parent};
@@ -1775,23 +1895,50 @@ sub process_traffic_shaping() {
 		    emit ( "run_tc class add dev $device parent $devicenumber:$parent classid $classid htb rate $rate ceil $tcref->{ceiling}kbit prio $tcref->{priority} \$${dev}_mtu1 quantum \$quantum" );
 		} else {
 		    my $dmax = $tcref->{dmax};
 		    my $rule = "run_tc class add dev $device parent $devicenumber:$parent classid $classid hfsc";
 		    if ( $dmax ) {
 			my $umax = $tcref->{umax} ? "$tcref->{umax}b" : "\${${dev}_mtu}b";
-			emit ( "run_tc class add dev $device parent $devicenumber:$parent classid $classid hfsc sc umax $umax dmax ${dmax}ms rate $rate ul rate $tcref->{ceiling}kbit" );
+			$rule .= " sc umax $umax dmax ${dmax}ms";
 			$rule .= " rate $rate" if $rawrate;
 		    } else {
-			emit ( "run_tc class add dev $device parent $devicenumber:$parent classid $classid hfsc sc rate $rate ul rate $tcref->{ceiling}kbit" );
+			$rule .= " sc rate $rate" if $rawrate;
 		    }
 		    $rule .= " ls rate ${lsceil}kbit" if $lsceil;
 		    $rule .= " ul rate $tcref->{ceiling}kbit" if $tcref->{ceiling};
 		    emit $rule;
 		}
-		if ( $tcref->{leaf} && ! $tcref->{pfifo} ) {
+		if ( $tcref->{leaf} ) {
-		    1 while $devnums[++$sfq];
+		    if ( $tcref->{red} ) {
 			1 while $devnums[++$sfq];
 			$sfqinhex = in_hexp( $sfq);
-		    $sfqinhex = in_hexp( $sfq);
+			my ( $options, $redopts ) = ( '', $tcref->{redopts} );
-		    if ( $devref->{qdisc} eq 'htb' ) {
+
-			emit( "run_tc qdisc add dev $device parent $classid handle $sfqinhex: sfq quantum \$quantum limit $tcref->{limit} perturb 10" );
+			while ( my ( $option, $type ) = each %validredoptions ) {
-		    } else {
+			    if ( my $value = $redopts->{$option} ) {
-			emit( "run_tc qdisc add dev $device parent $classid handle $sfqinhex: sfq limit $tcref->{limit} perturb 10" );
+				if ( $type == RED_NONE ) {
 				    $options = join( ' ', $options, $option ) if $value;
 				} else {
 				    $options = join( ' ', $options, $option, $value );
 				}
 			    }
 			}
 			emit( "run_tc qdisc add dev $device parent $classid handle $sfqinhex: red${options}" );
 		    } elsif ( $tcref->{leaf} && ! $tcref->{pfifo} ) {
 			1 while $devnums[++$sfq];
 			$sfqinhex = in_hexp( $sfq);
 			if ( $devref->{qdisc} eq 'htb' ) {
 			    emit( "run_tc qdisc add dev $device parent $classid handle $sfqinhex: sfq quantum \$quantum limit $tcref->{limit} perturb 10" );
 			} else {
 			    emit( "run_tc qdisc add dev $device parent $classid handle $sfqinhex: sfq limit $tcref->{limit} perturb 10" );
 			}
 		    }
 		}
 		#
@@ -1855,14 +2002,14 @@ sub process_traffic_shaping() {
 		my $devicenumber  = in_hexp $devref->{number};
 		my $classid  = join( ':', $devicenumber, $classnum);
-		$classids{$classid}=$device;
+		$classids{$classid}=$devname;
 	    }
 	}
    }
 }
 #
-# Validate the TC configuration storing basic information in %tcdevices and %tcdevices
+# Validate the TC configuration storing basic information in %tcdevices and %tcclasses (complex TC only)
 #
 sub process_tc() {
    if ( $config{TC_ENABLED} eq 'Internal' || $config{TC_ENABLED} eq 'Shared' ) {
@@ -2010,10 +2157,10 @@ sub setup_tc() {
 	append_file $globals{TC_SCRIPT};
    } else {
 	process_tcpri if $config{TC_ENABLED} eq 'Simple';
-	setup_traffic_shaping unless $config{TC_ENABLED} eq 'Shared';
+	setup_traffic_shaping if @tcdevices && $config{TC_ENABLED} ne 'Shared';
    }
-    if ( $config{TC_ENABLED} ) {
+    if ( $config{MANGLE_ENABLED} ) {
 	our  @tccmd = ( { match     => sub ( $ ) { $_[0] eq 'SAVE' } ,
 			  target    => 'CONNMARK --save-mark --mask' ,
 			  mark      => $config{TC_EXPERT} ? HIGHMARK : SMALLMARK,
@@ -2107,9 +2254,7 @@ sub setup_tc() {
 	    clear_comment;
 	}
    }
    if ( $config{MANGLE_ENABLED} ) {
 	if ( my $fn = open_file 'secmarks' ) {
 	    first_entry "$doing $fn...";
--- a/Shorewall/Perl/Shorewall/Tunnels.pm
+++ b/Shorewall/Perl/Shorewall/Tunnels.pm
@@ -61,7 +61,7 @@ sub setup_tunnels() {
 	    }
 	}
-	my @options = $globals{UNTRACKED} ? state_imatch 'NEW,UNTRACKED' : state_imatch 'NEW';
+	my @options = have_capability( 'RAW_TABLE' ) ? state_imatch 'NEW,UNTRACKED' : state_imatch 'NEW';
 	add_tunnel_rule $inchainref,  p => 50, @$source;
 	add_tunnel_rule $outchainref, p => 50, @$dest;
--- a/Shorewall/Perl/Shorewall/Zones.pm
+++ b/Shorewall/Perl/Shorewall/Zones.pm
@@ -41,6 +41,8 @@ our @EXPORT = qw( NOTHING
 		  IP
 		  BPORT
 		  IPSEC
 		  NO_UPDOWN
 		  NO_SFILTER
 		  determine_zones
 		  zone_report
@@ -55,6 +57,7 @@ our @EXPORT = qw( NOTHING
 		  all_parent_zones
 		  complex_zones
 		  vserver_zones
 		  on_firewall_zones
 		  off_firewall_zones
 		  non_firewall_zones
 		  single_interface
@@ -62,6 +65,7 @@ our @EXPORT = qw( NOTHING
 		  validate_interfaces_file
 		  all_interfaces
 		  all_real_interfaces
 		  all_plain_interfaces
 		  all_bridges
 		  interface_number
 		  find_interface
@@ -72,6 +76,7 @@ our @EXPORT = qw( NOTHING
 		  port_to_bridge
 		  source_port_to_bridge
 		  interface_is_optional
 		  interface_is_required
 		  find_interfaces_by_option
 		  find_interfaces_by_option1
 		  get_interface_option
@@ -80,7 +85,6 @@ our @EXPORT = qw( NOTHING
 		  set_interface_provider
 		  interface_zones
 		  verify_required_interfaces
 		  compile_updown
 		  validate_hosts_file
 		  find_hosts_by_option
 		  find_zone_hosts_by_option
@@ -114,7 +118,8 @@ use constant { IN_OUT     => 1,
 #
 #     @zones contains the ordered list of zones with sub-zones appearing before their parents.
 #
-#     %zones{<zone1> => {type =>       <zone type>       FIREWALL, IP, IPSEC, BPORT;
+#     %zones{<zone1> => {name =>       <name>,
 #                        type =>       <zone type>       FIREWALL, IP, IPSEC, BPORT;
 #                        complex =>    0|1
 #                        super   =>    0|1
 #                        options =>    { in_out  => < policy match string >
@@ -173,6 +178,7 @@ my  %reservedName = ( all => 1,
 #                                     number      => <ordinal position in the interfaces file>
 #                                     physical    => <physical interface name>
 #                                     base        => <shell variable base representing this interface>
 #                                     provider    => <Provider Name, if interface is associated with a provider>
 #                                     zones       => { zone1 => 1, ... }
 #                                   }
 #                 }
@@ -219,11 +225,14 @@ use constant { SIMPLE_IF_OPTION   => 1,
 	       IF_OPTION_WILDOK   => 64
 	   };
 use constant { NO_UPDOWN   => 1, 
 	       NO_SFILTER  => 2 };
 my %validinterfaceoptions;
 my %defaultinterfaceoptions = ( routefilter => 1 , wait => 60 );
-my %maxoptionvalue = ( routefilter => 2, mss => 100000 , wait => 120 );
+my %maxoptionvalue = ( routefilter => 2, mss => 100000 , wait => 120 , ignore => NO_UPDOWN );
 my %validhostoptions;
@@ -281,6 +290,7 @@ sub initialize( $$ ) {
 				  bridge      => SIMPLE_IF_OPTION,
 				  detectnets  => OBSOLETE_IF_OPTION,
 				  dhcp        => SIMPLE_IF_OPTION,
 				  ignore      => NUMERIC_IF_OPTION + IF_OPTION_WILDOK,
 				  maclist     => SIMPLE_IF_OPTION + IF_OPTION_HOST,
 				  logmartians => BINARY_IF_OPTION,
 				  nets        => IPLIST_IF_OPTION + IF_OPTION_ZONEONLY + IF_OPTION_VSERVER,
@@ -291,6 +301,7 @@ sub initialize( $$ ) {
 				  required    => SIMPLE_IF_OPTION,
 				  routeback   => SIMPLE_IF_OPTION + IF_OPTION_ZONEONLY + IF_OPTION_HOST + IF_OPTION_VSERVER,
 				  routefilter => NUMERIC_IF_OPTION ,
 				  rpfilter    => SIMPLE_IF_OPTION,
 				  sfilter     => IPLIST_IF_OPTION,
 				  sourceroute => BINARY_IF_OPTION,
 				  tcpflags    => SIMPLE_IF_OPTION + IF_OPTION_HOST,
@@ -316,6 +327,7 @@ sub initialize( $$ ) {
 	%validinterfaceoptions = (  blacklist   => SIMPLE_IF_OPTION + IF_OPTION_HOST,
 				    bridge      => SIMPLE_IF_OPTION,
 				    dhcp        => SIMPLE_IF_OPTION,
 				    ignore      => NUMERIC_IF_OPTION + IF_OPTION_WILDOK,
 				    maclist     => SIMPLE_IF_OPTION + IF_OPTION_HOST,
 				    nets        => IPLIST_IF_OPTION + IF_OPTION_ZONEONLY + IF_OPTION_VSERVER,
 				    nosmurfs    => SIMPLE_IF_OPTION + IF_OPTION_HOST,
@@ -323,6 +335,7 @@ sub initialize( $$ ) {
 				    proxyndp    => BINARY_IF_OPTION,
 				    required    => SIMPLE_IF_OPTION,
 				    routeback   => SIMPLE_IF_OPTION + IF_OPTION_ZONEONLY + IF_OPTION_HOST + IF_OPTION_VSERVER,
 				    rpfilter    => SIMPLE_IF_OPTION,
 				    sfilter     => IPLIST_IF_OPTION,
 				    sourceroute => BINARY_IF_OPTION,
 				    tcpflags    => SIMPLE_IF_OPTION + IF_OPTION_HOST,
@@ -483,7 +496,8 @@ sub process_zone( \$ ) {
    my $complex = 0;
-    my $zoneref = $zones{$zone} = { type       => $type,
+    my $zoneref = $zones{$zone} = { name       => $zone,
 				    type       => $type,
 				    parents    => \@parents,
 				    bridge     => '',
 				    options    => { in_out  => parse_zone_option_list( $options , $type, $complex , IN_OUT ) ,
@@ -565,6 +579,7 @@ sub determine_zones()
 		for ( @{$zones{$zone}{children}} ) {
 		    next ZONE unless $ordered{$_};
 		}
 		$ordered{$zone} = 1;
 		push @zones, $zone;
 		redo PUSHED;
@@ -572,7 +587,7 @@ sub determine_zones()
 	}
    }
-    assert( scalar @zones == scalar @z );
+    assert( @zones == @z );
 }
@@ -825,6 +840,10 @@ sub all_zones() {
    @zones;
 }
 sub on_firewall_zones() {
   grep ( ( $zones{$_}{type} & ( FIREWALL | VSERVER ) )  ,  @zones );
 }
 sub off_firewall_zones() {
   grep ( ! ( $zones{$_}{type} & ( FIREWALL | VSERVER ) )  ,  @zones );
 }
@@ -1029,7 +1048,7 @@ sub process_interface( $$ ) {
    if ( $options eq 'ignore' ) {
 	fatal_error "Ignored interfaces may not be associated with a zone" if $zone;
-	$options{ignore} = 1;
+	$options{ignore} = NO_UPDOWN | NO_SFILTER;
 	$options = '-';
    }
@@ -1149,7 +1168,23 @@ sub process_interface( $$ ) {
 	    }
 	}
-	fatal_error "Invalid combination of interface options" if $options{required} && $options{optional};
+	fatal_error q(The 'required', 'optional' and 'ignore' options are mutually exclusive)
 	    if ( ( $options{required} && $options{optional} ) ||
 		 ( $options{required} && $options{ignore}   ) ||
 		 ( $options{optional} && $options{ignore}   ) );
 	if ( $options{rpfilter} ) {
 	    require_capability( 'RPFILTER_MATCH', q(The 'rpfilter' option), 's' ) ;
 	    fatal_error q(The 'routefilter', 'sfilter' and 'rpfilter' options are mutually exclusive) if $options{routefilter} || @$filterref;
 	} else {
 	    fatal_error q(The 'routefilter', 'sfilter' and 'rpfilter' options are mutually exclusive) if $options{routefilter} && @$filterref;
 	}
 	if ( supplied( my $ignore = $options{ignore} ) ) {
 	    fatal_error "Invalid value ignore=0" if ! $ignore;
 	} else {
 	    $options{ignore} = 0;
 	}
 	if ( $netsref eq 'dynamic' ) {
 	    my $ipset = $family == F_IPV4 ? "${zone}_" . chain_base $physical : "6_${zone}_" . chain_base $physical;
@@ -1171,6 +1206,10 @@ sub process_interface( $$ ) {
 	# No options specified -- auto-detect bridge
 	#
 	$hostoptionsref->{routeback} = $options{routeback} = is_a_bridge( $physical ) unless $export;
 	#
 	# And give the 'ignore' option a defined value
 	#
 	$options{ignore} ||= 0;
    }
    $physical{$physical} = $interfaces{$interface} = { name       => $interface ,
@@ -1416,11 +1455,65 @@ sub interface_is_optional($) {
    $optionsref && $optionsref->{optional};
 }
 #
 # Return the 'required' setting of the passed interface
 #
 sub interface_is_required($) {
    my $optionsref = $interfaces{$_[0]}{options};
    $optionsref && $optionsref->{required};
 }
 #
 # Return true if the interface is 'plain'
 #
 sub interface_is_plain($) {
    my $interfaceref = $interfaces{$_[0]};
    my $optionsref   = $interfaceref->{options};
    $interfaceref->{bridge} eq $interfaceref->{name} && ! ( $optionsref && ( $optionsref->{required} || $optionsref->{optional} || $optionsref->{ignore} ) )
 }
 #
 # Return a minimal list of physical interfaces that are neither ignored, optional, required nor a bridge port.
 #
 sub all_plain_interfaces() {
    my @plain1 = map get_physical($_), grep $_ ne '%vserver%' && interface_is_plain( $_ ), @interfaces;
    my @plain2;
    my @wild1;
    my @wild2;
    for ( @plain1 ) {
 	if ( /\+$/ ) {
 	    return ( '+' ) if $_ eq '+';
 	    push @wild1, $_;
 	    chop;
 	    push @wild2, $_;
 	} else {
 	    push @plain2, $_;
 	}
    }
    return @plain2 unless @wild1;
    @plain1 = ();
 NAME:
    for my $name ( @plain2) {
 	for ( @wild2 ) {
 	    next NAME if substr( $name, 0, length( $_ ) ) eq $_;
 	}
 	push @plain1, $name;
    }
    ( @plain1, @wild1 );
 }
 #
 # Returns reference to array of interfaces with the passed option
 #
-sub find_interfaces_by_option( $ ) {
+sub find_interfaces_by_option( $;$ ) {
-    my $option = $_[0];
+    my ( $option , $nonzero ) = @_;
    my @ints = ();
    for my $interface ( @interfaces ) {
@@ -1429,7 +1522,11 @@ sub find_interfaces_by_option( $ ) {
 	next unless $interfaceref->{root};
 	my $optionsref = $interfaceref->{options};
-	if ( $optionsref && defined $optionsref->{$option} ) {
+	if ( $nonzero ) {
 	    if ( $optionsref && $optionsref->{$option} ) {
 		push @ints , $interface
 	    }
 	} elsif ( $optionsref && defined $optionsref->{$option} ) {
 	    push @ints , $interface
 	}
    }
@@ -1540,16 +1637,16 @@ sub verify_required_interfaces( $ ) {
 		my $physical = get_physical $interface;
 		if ( $physical =~ /\+$/ ) {
 		    my $base = uc chain_base $physical;
 		    $physical =~ s/\+$/*/;
-		    emit( 'for interface in $(find_all_interfaces); do',
+		    emit( "waittime=$wait",
 			  '',
 			  'for interface in $(find_all_interfaces); do',
 			  '    case $interface in',
 			  "        $physical)",
 			  "            waittime=$wait",
 			  '            while [ $waittime -gt 0 ]; do',
 			  '                interface_is_usable $interface && break',
 			  '                sleep 1',
 			  '                waittime=$(($waittime - 1))',
 			  '            done',
 			  '            ;;',
@@ -1562,8 +1659,8 @@ sub verify_required_interfaces( $ ) {
 		    emit qq(    waittime=$wait);
 		    emit  '';
 		    emit  q(    while [ $waittime -gt 0 ]; do);
 		    emit qq(        interface_is_usable $physical && break);
 		    emit  q(        sleep 1);
 		    emit qq(        interface_is_usable $physical && break);
 		    emit   '        waittime=$(($waittime - 1))';
 		    emit  q(    done);
 		    emit  q(fi);
@@ -1634,175 +1731,6 @@ sub verify_required_interfaces( $ ) {
    $returnvalue;
 }
 #
 # Emit the updown() function
 #
 sub compile_updown() {
    emit( '',
 	  '#',
 	  '# Handle the "up" and "down" commands',
 	  '#',
 	  'updown() # $1 = interface',
 	  '{',
 	);
    push_indent;
    emit( 'local state',
 	  'state=cleared',
 	  '' );
    emit 'progress_message3 "$g_product $COMMAND triggered by $1"';
    emit '';
    if ( $family == F_IPV4 ) {
 	emit 'if shorewall_is_started; then';
    } else {
 	emit 'if shorewall6_is_started; then';
    }
    emit( '    state=started',
 	  'elif [ -f ${VARDIR}/state ]; then',
 	  '    case "$(cat ${VARDIR}/state)" in',
 	  '        Stopped*)',
 	  '            state=stopped',
 	  '            ;;',
 	  '        Cleared*)',
 	  '            ;;',
 	  '        *)',
 	  '            state=unknown',
 	  '            ;;',
 	  '    esac',
 	  'else',
 	  '    state=unknown',
 	  'fi',
 	  ''
 	);
    emit( 'case $1 in' );
    push_indent;
    my $ignore   = find_interfaces_by_option 'ignore';
    my $required = find_interfaces_by_option 'required';
    my $optional = find_interfaces_by_option 'optional';
    if ( @$ignore ) {
 	my $interfaces = join '|', map $interfaces{$_}->{physical}, @$ignore;
 	$interfaces =~ s/\+/*/g;
 	emit( "$interfaces)",
 	      '    progress_message3 "$COMMAND on interface $1 ignored"',
 	      '    exit 0',
 	      '    ;;'
 	    );
    }
    if ( @$required ) {
 	my $interfaces = join '|', map $interfaces{$_}->{physical}, @$required;
 	my $wildcard = ( $interfaces =~ s/\+/*/g );
 	emit( "$interfaces)",
 	      '    if [ "$COMMAND" = up ]; then' );
 	if ( $wildcard ) {
 	    emit( '        if [ "$state" = started ]; then',
 		  '            COMMAND=restart',
 		  '        else',
 		  '            COMMAND=start',
 		  '        fi' );
 	} else {
 	    emit( '        COMMAND=start' );
 	}
 	emit( '        progress_message3 "$g_product attempting $COMMAND"',
 	      '        detect_configuration',
 	      '        define_firewall' );
 	if ( $wildcard ) {
 	    emit( '    elif [ "$state" = started ]; then',
 		  '        progress_message3 "$g_product attempting restart"',
 		  '        COMMAND=restart',
 		  '        detect_configuration',
 		  '        define_firewall' );
 	} else {
 	    emit( '    else',
 		  '        COMMAND=stop',
 		  '        progress_message3 "$g_product attempting stop"',
 		  '        detect_configuration',
 		  '        stop_firewall' );
 	}
 	emit( '    fi',
 	      '    ;;'
 	    );
    }
    if ( @$optional ) {
 	my @interfaces = map $interfaces{$_}->{physical}, @$optional;
 	my $interfaces = join '|', @interfaces;
 	if ( $interfaces =~ s/\+/*/g || @interfaces > 1 ) {
 	    emit( "$interfaces)",
 		  '    if [ "$COMMAND" = up ]; then',
 		  '        echo 0 > ${VARDIR}/${1}.state',
 		  '    else',
 		  '        echo 1 > ${VARDIR}/${1}.state',
 		  '    fi' );
 	} else {
 	    emit( "$interfaces)",
 		  '    if [ "$COMMAND" = up ]; then',
 		  "        echo 0 > \${VARDIR}/$interfaces.state",
 		  '    else',
 		  "        echo 1 > \${VARDIR}/$interfaces.state",
 		  '    fi' );
 	}
 	emit( '',
 	      '    if [ "$state" = started ]; then',
 	      '        COMMAND=restart',
 	      '        progress_message3 "$g_product attempting restart"',
 	      '        detect_configuration',
 	      '        define_firewall',
 	      '    elif [ "$state" = stopped ]; then',
 	      '        COMMAND=start',
 	      '        progress_message3 "$g_product attempting start"',
 	      '        detect_configuration',
 	      '        define_firewall',
 	      '    else',
 	      '        progress_message3 "$COMMAND on interface $1 ignored"',
 	      '    fi',
 	      '    ;;',
 	    );
    }
    emit( "*)",
 	  '    case $state in',
 	  '        started)',
 	  '            COMMAND=restart',
 	  '            progress_message3 "$g_product attempting restart"',
 	  '            detect_configuration',
 	  '            define_firewall',
 	  '            ;;',
 	  '        *)',
 	  '            progress_message3 "$COMMAND on interface $1 ignored"',
 	  '            ;;',
 	  '    esac',
 	);
    pop_indent;
    emit( 'esac' );
    pop_indent;
    emit( '}',
 	  '',
 	);
 }
 #
 # Process a record in the hosts file
 #
--- a/Shorewall/Perl/lib.core
+++ b/Shorewall/Perl/lib.core
@@ -182,7 +182,6 @@ get_routed_networks() # $1 = interface name, $2-n = Fatal error message
    [ $g_family -eq 4 ] && mask=32 || mask=128
    $IP -$g_family route show dev $1 2> /dev/null |
 	while read address rest; do
 	    case "$address" in
@@ -340,6 +339,16 @@ replace_default_route() # $1 = USE_DEFAULT_RT
    fi
 }
 #
 # Delete default routes with metric 0 from the passed routing table
 #
 delete_default_routes() # $1 = table number
 {
    $IP -$g_family route ls table $1 | fgrep default | fgrep -v metric | while read route; do
 	qt $IP -$g_family route del $route
    done
 } 
 restore_default_route() # $1 = USE_DEFAULT_RT
 {
    local result
@@ -907,7 +916,12 @@ add_gateway() # $1 = Delta $2 = Table Number
 	delta=$1
 	if ! echo $route | fgrep -q ' nexthop '; then
-	    route=`echo $route | sed 's/via/nexthop via/'`
+	    if echo $route | fgrep -q via; then
 		route=`echo $route | sed 's/via/nexthop via/'`
 	    else
 		route="nexthop $route"
 	    fi
 	    dev=$(find_device $route)
 	    if [ -f ${VARDIR}/${dev}_weight ]; then
 		weight=`cat ${VARDIR}/${dev}_weight`
--- a/Shorewall/Perl/prog.footer
+++ b/Shorewall/Perl/prog.footer
@@ -348,7 +348,9 @@ case "$COMMAND" in
 	[ $# -eq 1 ] && exit 0
 	shift
 	[ $# -ne 1 ] && usage 2
-	updown $1
+	mutex_on
 	( updown $1 )
 	mutex_off
 	status=0
 	;;
    enable)
--- a/Shorewall/Samples/Universal/rules
+++ b/Shorewall/Samples/Universal/rules
@@ -6,13 +6,13 @@
 # The manpage is also online at
 # http://www.shorewall.net/manpages/shorewall-rules.html
 #
-###################################################################################################################################################################################
+##############################################################################################################################################################################################
-#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME         HEADERS         SWITCH
+#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME         HEADERS         SWITCH     HELPER
 #							PORT	PORT(S)		DEST		LIMIT		GROUP
 #SECTION ALL
 #SECTION ESTABLISHED
 #SECTION RELATED
 SECTION NEW
-
+Invalid(DROP)	net		$FW		tcp
 SSH(ACCEPT)	net		$FW
 Ping(ACCEPT)	net		$FW
--- a/Shorewall/Samples/Universal/shorewall.conf
+++ b/Shorewall/Samples/Universal/shorewall.conf
@@ -41,6 +41,8 @@ MACLIST_LOG_LEVEL=info
 RELATED_LOG_LEVEL=
 RPFILTER_LOG_LEVEL=info
 SFILTER_LOG_LEVEL=info
 SMURF_LOG_LEVEL=info
@@ -67,6 +69,8 @@ LOCKFILE=
 MODULESDIR=
 NFACCT=
 PERL=/usr/bin/perl
 PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
@@ -110,7 +114,9 @@ ADD_SNAT_ALIASES=No
 ADMINISABSENTMINDED=Yes
-AUTO_COMMENT=Yes
+AUTOCOMMENT=Yes
 AUTOHELPERS=Yes
 AUTOMAKE=No
@@ -140,6 +146,8 @@ FASTACCEPT=Yes
 FORWARD_CLEAR_MARK=
 HELPERS=
 IMPLICIT_CONTINUE=No
 IPSET_WARNINGS=Yes
@@ -170,7 +178,7 @@ MUTEX_TIMEOUT=60
 NULL_ROUTE_RFC1918=No
-OPTIMIZE=15
+OPTIMIZE=31
 OPTIMIZE_ACCOUNTING=No
@@ -208,6 +216,8 @@ MACLIST_DISPOSITION=REJECT
 RELATED_DISPOSITION=ACCEPT
 RPFILTER_DISPOSITION=DROP
 SMURF_DISPOSITION=DROP
 SFILTER_DISPOSITION=DROP
--- a/Shorewall/Samples/one-interface/interfaces
+++ b/Shorewall/Samples/one-interface/interfaces
@@ -14,4 +14,4 @@
 FORMAT 2
 ###############################################################################
 #ZONE	INTERFACE	OPTIONS
-net     eth0            dhcp,tcpflags,logmartians,nosmurfs
+net     eth0            dhcp,tcpflags,logmartians,nosmurfs,sourceroute=0
--- a/Shorewall/Samples/one-interface/rules
+++ b/Shorewall/Samples/one-interface/rules
@@ -10,14 +10,18 @@
 # See the file README.txt for further details.
 #------------------------------------------------------------------------------------------------------------
 # For information on entries in this file, type "man shorewall-rules"
-######################################################################################################################################################################################
+##############################################################################################################################################################################################
-#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME         HEADERS         SWITCH
+#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME         HEADERS         SWITCH     HELPER
 #							PORT	PORT(S)		DEST		LIMIT		GROUP
 #SECTION ALL
 #SECTION ESTABLISHED
 #SECTION RELATED
 SECTION NEW
 # Drop packets in the INVALID state
 Invalid(DROP)  net    	        $FW		tcp
 # Drop Ping from the "bad" net zone.. and prevent your log from being flooded..
 Ping(DROP)	net		$FW
--- a/Shorewall/Samples/one-interface/shorewall.conf
+++ b/Shorewall/Samples/one-interface/shorewall.conf
@@ -52,6 +52,8 @@ MACLIST_LOG_LEVEL=info
 RELATED_LOG_LEVEL=
 RPFILTER_LOG_LEVEL=info
 SFILTER_LOG_LEVEL=info
 SMURF_LOG_LEVEL=info
@@ -78,6 +80,8 @@ LOCKFILE=
 MODULESDIR=
 NFACCT=
 PERL=/usr/bin/perl
 PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
@@ -121,7 +125,9 @@ ADD_SNAT_ALIASES=No
 ADMINISABSENTMINDED=Yes
-AUTO_COMMENT=Yes
+AUTOCOMMENT=Yes
 AUTOHELPERS=Yes
 AUTOMAKE=No
@@ -151,6 +157,8 @@ FASTACCEPT=No
 FORWARD_CLEAR_MARK=
 HELPERS=
 IMPLICIT_CONTINUE=No
 IPSET_WARNINGS=Yes
@@ -181,7 +189,7 @@ MUTEX_TIMEOUT=60
 NULL_ROUTE_RFC1918=No
-OPTIMIZE=1
+OPTIMIZE=31
 OPTIMIZE_ACCOUNTING=No
@@ -219,6 +227,8 @@ MACLIST_DISPOSITION=REJECT
 RELATED_DISPOSITION=ACCEPT
 RPFILTER_DISPOSITION=DROP
 SMURF_DISPOSITION=DROP
 SFILTER_DISPOSITION=DROP
--- a/Shorewall/Samples/three-interfaces/interfaces
+++ b/Shorewall/Samples/three-interfaces/interfaces
@@ -14,6 +14,6 @@
 FORMAT 2
 ###############################################################################
 #ZONE	INTERFACE	OPTIONS
-net     eth0            tcpflags,dhcp,nosmurfs,routefilter,logmartians
+net     eth0            tcpflags,dhcp,nosmurfs,routefilter,logmartians,sourceroute=0
 loc     eth1            tcpflags,nosmurfs,routefilter,logmartians
 dmz     eth2            tcpflags,nosmurfs,routefilter,logmartians
--- a/Shorewall/Samples/three-interfaces/masq
+++ b/Shorewall/Samples/three-interfaces/masq
@@ -10,8 +10,9 @@
 # See the file README.txt for further details.
 #------------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall-masq"
-##############################################################################
+################################################################################################################
-#INTERFACE		SOURCE		ADDRESS		PROTO	PORT(S)	IPSEC	MARK
+#INTERFACE:DEST		SOURCE		ADDRESS		PROTO	PORT(S)	IPSEC	MARK	USER/	SWITCH	ORIGINAL
 #											GROUP		DEST
 eth0			10.0.0.0/8,\
 			169.254.0.0/16,\
 			172.16.0.0/12,\
--- a/Shorewall/Samples/three-interfaces/rules
+++ b/Shorewall/Samples/three-interfaces/rules
@@ -10,8 +10,8 @@
 # See the file README.txt for further details.
 #------------------------------------------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall-rules"
-######################################################################################################################################################################################
+##############################################################################################################################################################################################
-#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME         HEADERS         SWITCH
+#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME         HEADERS         SWITCH     HELPER
 #							PORT	PORT(S)		DEST		LIMIT		GROUP
 #SECTION ALL
 #SECTION ESTABLISHED
@@ -20,7 +20,7 @@ SECTION NEW
 #       Don't allow connection pickup from the net
 #
-Invalid(DROP)	net		all
+Invalid(DROP)	net		all		tcp
 #
 #	Accept DNS connections from the firewall to the Internet
 #
--- a/Shorewall/Samples/three-interfaces/shorewall.conf
+++ b/Shorewall/Samples/three-interfaces/shorewall.conf
@@ -50,6 +50,8 @@ MACLIST_LOG_LEVEL=info
 RELATED_LOG_LEVEL=
 RPFILTER_LOG_LEVEL=info
 SFILTER_LOG_LEVEL=info
 SMURF_LOG_LEVEL=info
@@ -76,6 +78,8 @@ LOCKFILE=
 MODULESDIR=
 NFACCT=
 PERL=/usr/bin/perl
 PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
@@ -119,7 +123,9 @@ ADD_SNAT_ALIASES=No
 ADMINISABSENTMINDED=Yes
-AUTO_COMMENT=Yes
+AUTOCOMMENT=Yes
 AUTOHELPERS=Yes
 AUTOMAKE=No
@@ -149,6 +155,8 @@ FASTACCEPT=No
 FORWARD_CLEAR_MARK=
 HELPERS=
 IMPLICIT_CONTINUE=No
 IPSET_WARNINGS=Yes
@@ -179,7 +187,7 @@ MUTEX_TIMEOUT=60
 NULL_ROUTE_RFC1918=No
-OPTIMIZE=1
+OPTIMIZE=31
 OPTIMIZE_ACCOUNTING=No
@@ -217,6 +225,8 @@ MACLIST_DISPOSITION=REJECT
 RELATED_DISPOSITION=ACCEPT
 RPFILTER_DISPOSITION=DROP
 SMURF_DISPOSITION=DROP
 SFILTER_DISPOSITION=DROP
--- a/Shorewall/Samples/two-interfaces/interfaces
+++ b/Shorewall/Samples/two-interfaces/interfaces
@@ -14,5 +14,5 @@
 FORMAT 2
 ###############################################################################
 #ZONE	INTERFACE	OPTIONS
-net     eth0            dhcp,tcpflags,nosmurfs,routefilter,logmartians
+net     eth0            dhcp,tcpflags,nosmurfs,routefilter,logmartians,sourceroute=0
 loc     eth1            tcpflags,nosmurfs,routefilter,logmartians
--- a/Shorewall/Samples/two-interfaces/masq
+++ b/Shorewall/Samples/two-interfaces/masq
@@ -10,8 +10,9 @@
 # See the file README.txt for further details.
 #------------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall-masq"
-###############################################################################
+################################################################################################################
-#INTERFACE		SOURCE		ADDRESS		PROTO	PORT(S)	IPSEC	MARK
+#INTERFACE:DEST		SOURCE		ADDRESS		PROTO	PORT(S)	IPSEC	MARK	USER/	SWITCH	ORIGINAL
 #											GROUP		DEST
 eth0			10.0.0.0/8,\
 			169.254.0.0/16,\
 			172.16.0.0/12,\
--- a/Shorewall/Samples/two-interfaces/rules
+++ b/Shorewall/Samples/two-interfaces/rules
@@ -10,8 +10,8 @@
 # See the file README.txt for further details.
 #------------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall-rules"
-######################################################################################################################################################################################
+##############################################################################################################################################################################################
-#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME         HEADERS         SWITCH
+#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME         HEADERS         SWITCH     HELPER
 #							PORT	PORT(S)		DEST		LIMIT		GROUP
 #SECTION ALL
 #SECTION ESTABLISHED
@@ -20,7 +20,7 @@ SECTION NEW
 #       Don't allow connection pickup from the net
 #
-Invalid(DROP)	net		all
+Invalid(DROP)	net		all		tcp
 #
 #	Accept DNS connections from the firewall to the network
 #
--- a/Shorewall/Samples/two-interfaces/shorewall.conf
+++ b/Shorewall/Samples/two-interfaces/shorewall.conf
@@ -53,6 +53,8 @@ MACLIST_LOG_LEVEL=info
 RELATED_LOG_LEVEL=
 RPFILTER_LOG_LEVEL=info
 SFILTER_LOG_LEVEL=info
 SMURF_LOG_LEVEL=info
@@ -79,6 +81,8 @@ LOCKFILE=
 MODULESDIR=
 NFACCT=
 PERL=/usr/bin/perl
 PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
@@ -122,7 +126,9 @@ ADD_SNAT_ALIASES=No
 ADMINISABSENTMINDED=Yes
-AUTO_COMMENT=Yes
+AUTOCOMMENT=Yes
 AUTOHELPERS=Yes
 AUTOMAKE=No
@@ -152,6 +158,8 @@ FASTACCEPT=No
 FORWARD_CLEAR_MARK=
 HELPERS=
 IMPLICIT_CONTINUE=No
 IPSET_WARNINGS=Yes
@@ -182,7 +190,7 @@ MUTEX_TIMEOUT=60
 NULL_ROUTE_RFC1918=No
-OPTIMIZE=1
+OPTIMIZE=31
 OPTIMIZE_ACCOUNTING=No
@@ -220,6 +228,8 @@ MACLIST_DISPOSITION=REJECT
 RELATED_DISPOSITION=ACCEPT
 RPFILTER_DISPOSITION=DROP
 SMURF_DISPOSITION=DROP
 SFILTER_DISPOSITION=DROP
--- a/Shorewall/action.Broadcast
+++ b/Shorewall/action.Broadcast
@@ -31,7 +31,7 @@ FORMAT 2
 DEFAULTS DROP,-
-BEGIN PERL;
+?BEGIN PERL;
 use Shorewall::IPAddrs;
 use Shorewall::Config;
@@ -70,4 +70,4 @@ add_jump $chainref, $target, 0, '-d 224.0.0.0/4 ';
 1;
-END PERL;
+?END PERL;
--- a/Shorewall/action.Drop
+++ b/Shorewall/action.Drop
@@ -36,7 +36,7 @@ FORMAT 2
 # The following magic provides different defaults for $2 thru $5, when $1 is
 # 'audit'.
 #
-BEGIN PERL;
+?BEGIN PERL;
 use Shorewall::Config;
 my ( $p1, $p2, $p3 , $p4, $p5 ) = get_action_params( 5 );
@@ -54,7 +54,7 @@ if ( defined $p1 ) {
 1;
-END PERL;
+?END PERL;
 DEFAULTS -,REJECT,DROP,ACCEPT,DROP
--- a/Shorewall/action.DropSmurfs
+++ b/Shorewall/action.DropSmurfs
@@ -13,7 +13,7 @@ FORMAT 2
 DEFAULTS -
-BEGIN PERL;
+?BEGIN PERL;
 use strict;
 use Shorewall::Config qw(:DEFAULT F_IPV4 F_IPV6);
 use Shorewall::Chains;
@@ -77,7 +77,7 @@ if ( $family == F_IPV4 ) {
    add_ijump( $chainref, g => $target, s => IPv6_MULTICAST );
 }
-END PERL;
+?END PERL;
--- a/Shorewall/action.Invalid
+++ b/Shorewall/action.Invalid
@@ -31,7 +31,7 @@ FORMAT 2
 DEFAULTS DROP,-
-BEGIN PERL;
+?BEGIN PERL;
 use Shorewall::IPAddrs;
 use Shorewall::Config;
@@ -53,4 +53,4 @@ allow_optimize( $chainref );
 1;
-END PERL;
+?END PERL;
--- a/Shorewall/action.NotSyn
+++ b/Shorewall/action.NotSyn
@@ -31,7 +31,7 @@ FORMAT 2
 DEFAULTS DROP,-
-BEGIN PERL;
+?BEGIN PERL;
 use Shorewall::IPAddrs;
 use Shorewall::Config;
@@ -53,4 +53,4 @@ allow_optimize( $chainref );
 1;
-END PERL;
+?END PERL;
--- a/Shorewall/action.RST
+++ b/Shorewall/action.RST
@@ -31,7 +31,7 @@ FORMAT 2
 DEFAULTS DROP,-
-BEGIN PERL;
+?BEGIN PERL;
 use Shorewall::Config;
 use Shorewall::Chains;
@@ -52,4 +52,4 @@ allow_optimize( $chainref );
 1;
-END PERL;
+?END PERL;
--- a/Shorewall/action.Reject
+++ b/Shorewall/action.Reject
@@ -32,7 +32,7 @@ FORMAT 2
 # The following magic provides different defaults for $2 thru $5, when $1 is
 # 'audit'.
 #
-BEGIN PERL;
+?BEGIN PERL;
 use Shorewall::Config;
 my ( $p1, $p2, $p3 , $p4, $p5 ) = get_action_params( 5 );
@@ -50,7 +50,7 @@ if ( defined $p1 ) {
 1;
-END PERL;
+?END PERL;
 DEFAULTS -,REJECT,REJECT,ACCEPT,DROP
--- a/Shorewall/action.TCPFlags
+++ b/Shorewall/action.TCPFlags
@@ -13,12 +13,11 @@ FORMAT 2
 DEFAULTS DROP,-
-BEGIN PERL;
+?BEGIN PERL;
 use strict;
 use Shorewall::Config qw(:DEFAULT F_IPV4 F_IPV6);
 use Shorewall::Chains;
 my ( $disposition, $audit ) = get_action_params( 2 );
 my $chainref        = get_action_chain;
@@ -55,7 +54,7 @@ add_ijump $chainref , g => $disposition, p => 'tcp --tcp-flags SYN,RST SYN,RST';
 add_ijump $chainref , g => $disposition, p => 'tcp --tcp-flags SYN,FIN SYN,FIN';
 add_ijump $chainref , g => $disposition, p => 'tcp --syn --sport 0';
-END PERL;
+?END PERL;
--- a/Shorewall/configfiles/blacklist
+++ b/Shorewall/configfiles/blacklist
@@ -1,11 +0,0 @@
 #
 # Shorewall version 4 - Blacklist File
 #
 # For information about entries in this file, type "man shorewall-blacklist"
 #
 # Please see http://shorewall.net/blacklisting_support.htm for additional
 # information.
 #
 ###############################################################################
 #ADDRESS/SUBNET		PROTOCOL	PORT	OPTIONS
--- a/Shorewall/configfiles/conntrack
+++ b/Shorewall/configfiles/conntrack
@@ -0,0 +1,53 @@
 #
 # Shorewall version 4 - conntrack File
 #
 # For information about entries in this file, type "man shorewall-conntrack"
 #
 #############################################################################################
 FORMAT 2
 #ACTION			SOURCE		DESTINATION	PROTO	DEST		SOURCE	USER/
 #								PORT(S)		PORT(S)	GROUP
 ?if $AUTOHELPERS && __CT_TARGET
 ?if __AMANDA_HELPER
 CT:helper:amanda	all		-		udp	10080
 ?endif
 ?if __FTP_HELPER
 CT:helper:ftp		all		-		tcp	21
 ?endif
 ?if __H323_HELPER
 CT:helper:RAS		all		-		udp	1719
 CT:helper:Q.931		all		-		tcp	1720
 ?endif
 ?if __IRC_HELPER
 CT:helper:irc		all		-		tcp	6667
 ?endif
 ?if __NETBIOS_NS_HELPER
 CT:helper:netbios-ns	all		-		udp	137
 ?endif
 ?if __PPTP_HELPER
 CT:helper:pptp		all		-		tcp	1729
 ?endif
 ?if __SANE_HELPER
 CT:helper:sane		all		-		tcp	6566
 ?endif
 ?if __SIP_HELPER
 CT:helper:sip		all		-		udp	5060
 ?endif
 ?if __SNMP_HELPER
 CT:helper:snmp		all		-		udp	161
 ?endif
 ?if __TFTP_HELPER
 CT:helper:tftp		all		-		udp	69
 ?endif
 ?endif
--- a/Shorewall/configfiles/masq
+++ b/Shorewall/configfiles/masq
@@ -6,6 +6,6 @@
 # The manpage is also online at
 # http://www.shorewall.net/manpages/shorewall-masq.html
 #
-######################################################################################################
+################################################################################################################
-#INTERFACE:DEST		SOURCE		ADDRESS		PROTO	PORT(S)	IPSEC	MARK	USER/	SWITCH
+#INTERFACE:DEST		SOURCE		ADDRESS		PROTO	PORT(S)	IPSEC	MARK	USER/	SWITCH	ORIGINAL
-#											GROUP
+#											GROUP		DEST
--- a/Shorewall/configfiles/notrack
+++ b/Shorewall/configfiles/notrack
@@ -1,9 +0,0 @@
 #
 # Shorewall version 4 - Notrack File
 #
 # For information about entries in this file, type "man shorewall-notrack"
 #
 #####################################################################################
 FORMAT 2
 #ACTION		SOURCE		DESTINATION	PROTO	DEST		SOURCE	USER/
 #							PORT(S)		PORT(S)	GROUP
--- a/Shorewall/configfiles/rules
+++ b/Shorewall/configfiles/rules
@@ -6,8 +6,8 @@
 # The manpage is also online at
 # http://www.shorewall.net/manpages/shorewall-rules.html
 #
-######################################################################################################################################################################################
+#################################################################################################################################################################################################
-#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME         HEADERS         SWITCH
+#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME         HEADERS         SWITCH        HELPER
 #							PORT	PORT(S)		DEST		LIMIT		GROUP
 #SECTION ALL
 #SECTION ESTABLISHED
--- a/Shorewall/configfiles/shorewall.conf
+++ b/Shorewall/configfiles/shorewall.conf
@@ -41,6 +41,8 @@ MACLIST_LOG_LEVEL=info
 RELATED_LOG_LEVEL=
 RPFILTER_LOG_LEVEL=info
 SFILTER_LOG_LEVEL=info
 SMURF_LOG_LEVEL=info
@@ -67,6 +69,8 @@ LOCKFILE=
 MODULESDIR=
 NFACCT=
 PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin"
 PERL=/usr/bin/perl
@@ -110,7 +114,9 @@ ADD_SNAT_ALIASES=No
 ADMINISABSENTMINDED=Yes
-AUTO_COMMENT=Yes
+AUTOCOMMENT=Yes
 AUTOHELPERS=Yes
 AUTOMAKE=No
@@ -140,6 +146,8 @@ FASTACCEPT=No
 FORWARD_CLEAR_MARK=
 HELPERS=
 IMPLICIT_CONTINUE=No
 IPSET_WARNINGS=Yes
@@ -208,6 +216,8 @@ MACLIST_DISPOSITION=REJECT
 RELATED_DISPOSITION=ACCEPT
 RPFILTER_DISPOSITION=DROP
 SMURF_DISPOSITION=DROP
 SFILTER_DISPOSITION=DROP
--- a/Shorewall/install.sh
+++ b/Shorewall/install.sh
@@ -22,7 +22,7 @@
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
-VERSION=xxx       #The Build script inserts the actual version
+VERSION=4.5.5       #The Build script inserts the actual version
 #
 # Change to the directory containing this script
@@ -244,32 +244,6 @@ esac
 OWNERSHIP="-o $OWNER -g $GROUP"
 #
 # Determine where to install the firewall script
 #
 if [ $PRODUCT = shorewall -a "$BUILD" = "$HOST" ]; then
    #
    # Fix up 'use Digest::' if SHA is installed
    #
    if ! perl -e 'use Digest::SHA;' 2> /dev/null ; then
 	if perl -e 'use Digest::SHA1;' 2> /dev/null ; then
 	    sed -i 's/Digest::SHA/Digest::SHA1/' Perl/Shorewall/Chains.pm
 	else
 	    echo "ERROR: Shorewall $VERSION requires either Digest::SHA or Digest::SHA1" >&2
 	    exit 1
 	fi
    fi
    #
    # Verify that Perl and all required modules are installed
    #
    if ! perl -c Perl/compiler.pl; then
 	echo "ERROR: $Product $VERSION requires Perl which either is not installed or is not able to compile the Shorewall Perl code" >&2
 	echo "       Try perl -c $PWD/Perl/compiler.pl" >&2
 	exit 1
    fi
 fi
 case "$HOST" in
    cygwin)
 	echo "Installing Cygwin-specific configuration..."
@@ -300,6 +274,51 @@ case "$HOST" in
 	;;
 esac
 if [ $PRODUCT = shorewall ]; then
    if [ -n "$DIGEST" ]; then
 	#
 	# The user specified which digest to use
 	#
 	if [ "$DIGEST" != SHA ]; then
 	    if [ "$BUILD" = "$HOST" ] && ! eval perl -e \'use Digest::$DIGEST\;\' 2> /dev/null ; then
 		echo "ERROR: Perl compilation with Digest::$DIGEST failed" >&2
 		exit 1;
 	    fi
 	    eval sed -i \'s/Digest::SHA/Digest::$DIGEST/\' Perl/Shorewall/Chains.pm
 	fi
    elif [ "$BUILD" = "$HOST" ]; then
        #
        # Fix up 'use Digest::' if SHA1 is installed
        #
 	DIGEST=SHA
 	if ! perl -e 'use Digest::SHA;' 2> /dev/null ; then
 	    if perl -e 'use Digest::SHA1;' 2> /dev/null ; then
 		sed -i 's/Digest::SHA/Digest::SHA1/' Perl/Shorewall/Chains.pm
 		DIGEST=SHA1
 	    else
 		echo "ERROR: Shorewall $VERSION requires either Digest::SHA or Digest::SHA1" >&2
 		exit 1
 	    fi
 	fi
    fi
    if [ "$BUILD" = "$HOST" ]; then
        #
        # Verify that Perl and all required modules are installed
        #
 	echo "Compiling the Shorewall Perl Modules with Digest::$DIGEST"
 	if ! perl -c Perl/compiler.pl; then
 	    echo "ERROR: $Product $VERSION requires Perl which either is not installed or is not able to compile the Shorewall Perl code" >&2
 	    echo "       Try perl -c $PWD/Perl/compiler.pl" >&2
 	    exit 1
 	fi
    else
 	echo "Using Digest::$DIGEST"
    fi
 fi
 if [ $BUILD != cygwin ]; then
    if [ `id -u` != 0 ] ; then
 	echo "Not setting file owner/group permissions, not running as root."
@@ -352,7 +371,7 @@ mkdir -p ${DESTDIR}/${CONFDIR}/$PRODUCT
 mkdir -p ${DESTDIR}${LIBEXECDIR}/$PRODUCT
 mkdir -p ${DESTDIR}${PERLLIBDIR}/Shorewall
 mkdir -p ${DESTDIR}${SHAREDIR}/$PRODUCT/configfiles
-mkdir -p ${DESTDIR}/var/lib/$PRODUCT
+mkdir -p ${DESTDIR}${VARDIR}/$PRODUCT
 chmod 755 ${DESTDIR}${CONFDIR}/$PRODUCT
 chmod 755 ${DESTDIR}${SHAREDIR}/$PRODUCT
@@ -615,14 +634,14 @@ if [ -f masq ]; then
    fi
 fi
 #
-# Install the Notrack file
+# Install the Conntrack file
 #
-run_install $OWNERSHIP -m 0644 notrack           ${DESTDIR}${SHAREDIR}/$PRODUCT/configfiles
+run_install $OWNERSHIP -m 0644 conntrack           ${DESTDIR}${SHAREDIR}/$PRODUCT/configfiles
-run_install $OWNERSHIP -m 0644 notrack.annotated ${DESTDIR}${SHAREDIR}/$PRODUCT/configfiles
+run_install $OWNERSHIP -m 0644 conntrack.annotated ${DESTDIR}${SHAREDIR}/$PRODUCT/configfiles
-if [ -z "$SPARSE" -a ! -f ${DESTDIR}${CONFDIR}/$PRODUCT/notrack ]; then
+if [ ! -f ${DESTDIR}${CONFDIR}/$PRODUCT/conntrack ]; then
-    run_install $OWNERSHIP -m 0600 notrack${suffix} ${DESTDIR}${CONFDIR}/$PRODUCT/notrack
+    run_install $OWNERSHIP -m 0600 conntrack${suffix} ${DESTDIR}${CONFDIR}/$PRODUCT/conntrack
-    echo "Notrack file installed as ${DESTDIR}${CONFDIR}/$PRODUCT/notrack"
+    echo "Conntrack file installed as ${DESTDIR}${CONFDIR}/$PRODUCT/conntrack"
 fi
 #
@@ -679,10 +698,6 @@ if [ -z "$SPARSE" -a ! -f ${DESTDIR}${CONFDIR}/$PRODUCT/tunnels ]; then
    echo "Tunnels file installed as ${DESTDIR}${CONFDIR}/$PRODUCT/tunnels"
 fi
 if [ -z "$SPARSE" -a ! -f ${DESTDIR}${CONFDIR}/$PRODUCT/blacklist ]; then
    run_install $OWNERSHIP -m 0600 blacklist${suffix} ${DESTDIR}${CONFDIR}/$PRODUCT/blacklist
    echo "Blacklist file installed as ${DESTDIR}${CONFDIR}/$PRODUCT/blacklist"
 fi
 #
 # Install the blacklist rules file
 #
@@ -955,12 +970,6 @@ fi
 cd ..
 #
 # Install the Standard Actions file
 #
 install_file actions.std ${DESTDIR}${SHAREDIR}/$PRODUCT/actions.std 0644
 echo "Standard actions file installed as ${DESTDIR}${SHAREDIR}d/$PRODUCT/actions.std"
 #
 # Install the  Makefiles
 #
@@ -990,9 +999,9 @@ cd ..
 #
 # Install the libraries
 #
-for f in lib.* ; do
+for f in lib.* Perl/lib.*; do
    if [ -f $f ]; then
-	install_file $f ${DESTDIR}${SHAREDIR}/$PRODUCT/$f 0644
+	install_file $f ${DESTDIR}${SHAREDIR}/$PRODUCT/$(basename $f) 0644
 	echo "Library ${f#*.} file installed as ${DESTDIR}${SHAREDIR}/$PRODUCT/$f"
    fi
 done
@@ -1112,7 +1121,7 @@ if [ -z "$DESTDIR" -a -n "$first_install" -a -z "${cygwin}${mac}" ]; then
 	perl -p -w -i -e 's/^STARTUP_ENABLED=No/STARTUP_ENABLED=Yes/;s/^IP_FORWARDING=On/IP_FORWARDING=Keep/;s/^SUBSYSLOCK=.*/SUBSYSLOCK=/;' ${CONFDIR}/$PRODUCT/$PRODUCT.conf
 	update-rc.d $PRODUCT enable
    elif [ -n "$SYSTEMD" ]; then
-	if systemctl enable $PRODUCT; then
+	if systemctl enable ${PRODUCT}.service; then
 	    echo "$Product will start automatically at boot"
 	fi
    elif mywhich insserv; then
--- a/Shorewall/lib.cli-std
+++ b/Shorewall/lib.cli-std
@@ -181,7 +181,7 @@ get_config() {
 	if [ "$2" = Yes ]; then
 	    case $STARTUP_ENABLED in
 		No|no|NO)
-		    echo "   ERROR: $g_product startup is disabled. To enable startup, set STARTUP_ENABLED=Yes in ${CONFDIR}/${g_program}.conf" >&2
+		    echo "   ERROR: $g_product startup is disabled. To enable startup, set STARTUP_ENABLED=Yes in ${g_confdir}/${g_program}.conf" >&2
 		    exit 2
 		    ;;
 		Yes|yes|YES)
@@ -1628,7 +1628,9 @@ usage() # $1 = exit status
    echo "   show macros"
    echo "   show marks"
    echo "   show [ -x ] mangle|nat|raw|rawpost|routing"
    echo "   show nfacct"
    echo "   show policies"
    echo "   show routing"
    echo "   show tc [ device ]"
    echo "   show vardir"
    echo "   show zones"
--- a/Shorewall/manpages/shorewall-accounting.xml
+++ b/Shorewall/manpages/shorewall-accounting.xml
@@ -294,8 +294,25 @@
            </varlistentry>
            <varlistentry>
-              <term>NFLOG[(nflog-parameters)] - Added in
+              <term><emphasis
-              Shorewall-4.4.20.</term>
+              role="bold">NFACCT</emphasis>(<replaceable>object</replaceable>)</term>
              <listitem>
                <para>Added in Shorewall 4.5.7. Provides a form of accounting
                that survives <command>shorewall stop/shorewall</command>
                start and <command>shorewall restart</command>. Requires the
                NFaccnt Match capability in your kernel and iptables.
                <replaceable>object</replaceable> names an nfacct object (see
                man nfaccnt(8)). Multiple rules can specify the same
                <replaceable>object</replaceable>; all packets that match any
                of the rules increment the packet and bytes count of the
                object.</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term><emphasis role="bold">NFLOG</emphasis>[(nflog-parameters)]
              - Added in Shorewall-4.4.20.</term>
              <listitem>
                <para>Causes each matching packet to be sent via the currently
@@ -306,7 +323,7 @@
            </varlistentry>
            <varlistentry>
-              <term>COMMENT</term>
+              <term><emphasis role="bold">COMMENT</emphasis></term>
              <listitem>
                <para>The remainder of the line is treated as a comment which
--- a/Shorewall/manpages/shorewall-blacklist.xml
+++ b/Shorewall/manpages/shorewall-blacklist.xml
@@ -23,8 +23,10 @@
  <refsect1>
    <title>Description</title>
-    <para>The blacklist file is used to perform static blacklisting. You can
+    <para>The blacklist file is used to perform static blacklisting by source
-    blacklist by source address (IP or MAC), or by application.</para>
+    address (IP or MAC), or by application. The use of this file is deprecated
    and beginning with Shorewall 4.5.7, the file is no longer
    installed.</para>
    <para>The columns in the file are as follows (where the column name is
    followed by a different name in parentheses, the different name is used in
--- a/Shorewall/manpages/shorewall-conntrack.xml
+++ b/Shorewall/manpages/shorewall-conntrack.xml
@@ -3,33 +3,34 @@
 "http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
 <refentry>
  <refmeta>
-    <refentrytitle>shorewall6-notrack</refentrytitle>
+    <refentrytitle>shorewall6-conntrack</refentrytitle>
    <manvolnum>5</manvolnum>
  </refmeta>
  <refnamediv>
-    <refname>notrack</refname>
+    <refname>conntrack</refname>
-    <refpurpose>shorewall notrack file</refpurpose>
+    <refpurpose>shorewall conntrack file</refpurpose>
  </refnamediv>
  <refsynopsisdiv>
    <cmdsynopsis>
-      <command>/etc/shorewall/notrack</command>
+      <command>/etc/shorewall/conntrack</command>
    </cmdsynopsis>
  </refsynopsisdiv>
  <refsect1>
    <title>Description</title>
-    <para>The original intent of the notrack file was to exempt certain
+    <para>The original intent of the <emphasis role="bold">notrack</emphasis>
-    traffic from Netfilter connection tracking. Traffic matching entries in
+    file was to exempt certain traffic from Netfilter connection tracking.
-    this file were not to be tracked.</para>
+    Traffic matching entries in the file were not to be tracked.</para>
    <para>The role of the file was expanded in Shorewall 4.4.27 to include all
-    rules tht can be added in the Netfilter <emphasis
+    rules that can be added in the Netfilter <emphasis
-    role="bold">raw</emphasis> table.</para>
+    role="bold">raw</emphasis> table. In 4.5.7, the file's name was changed to
    <emphasis role="bold">conntrack</emphasis>.</para>
    <para>The file supports two different column layouts: FORMAT 1 and FORMAT
    2, FORMAT 1 being the default. The two differ in that FORMAT 2 has an
@@ -45,6 +46,13 @@
    <para>where <replaceable>format</replaceable> is either <emphasis
    role="bold">1</emphasis> or <emphasis role="bold">2</emphasis>.</para>
    <para>Comments may be attached to Netfilter rules generated from entries
    in this file through the use of COMMENT lines. These lines begin with the
    word COMMENT; the remainder of the line is treated as a comment which is
    attached to subsequent rules until another COMMENT line is found or until
    the end of the file is reached. To stop adding comments to rules, use a
    line with only the word COMMENT.</para>
    <para>The columns in the file are as follows (where the column name is
    followed by a different name in parentheses, the different name is used in
    the alternate specification syntax).</para>
@@ -53,63 +61,157 @@
      <varlistentry>
        <term><emphasis role="bold">ACTION</emphasis> - {<emphasis
        role="bold">NOTRACK</emphasis>|<emphasis
-        role="bold">CT</emphasis>:<replaceable>option</replaceable>[:<replaceable>arg,...</replaceable>]}</term>
+        role="bold">CT</emphasis>:<emphasis
        role="bold">helper</emphasis>:<replaceable>name</replaceable>[(<replaceable>arg</replaceable>=<replaceable>val</replaceable>[,...])|<emphasis
        role="bold">CT:notrack</emphasis>}</term>
        <listitem>
          <para>This column is only present when FORMAT = 2. Values other than
          NOTRACK require <firstterm>CT Target </firstterm>support in your
          iptables and kernel.</para>
          <para>Possible values for <replaceable>option</replaceable> and
          <replaceable>arg</replaceable>s are:</para>
          <itemizedlist>
            <listitem>
-              <para><option>notrack</option> (no
+              <para><option>NOTRACK</option> or
-              <replaceable>arg</replaceable>)</para>
+              <option>CT:notrack</option></para>
-              <para>Disables connection tracking for this packet, the same as
+              <para>Disables connection tracking for this packet.</para>
              if NOTRACK has been specified in this column.</para>
            </listitem>
            <listitem>
              <para><option>helper</option>:<replaceable>name</replaceable></para>
-              <para>Use the helper identified by the name to this connection.
+              <para>Attach the helper identified by the
-              This is more flexible than loading the conntrack helper with
+              <replaceable>name</replaceable> to this connection. This is more
-              preset ports.</para>
+              flexible than loading the conntrack helper with preset
-            </listitem>
+              ports.</para>
-            <listitem>
+              <para>At this writing, the available helpers are:</para>
              <para><option>ctevents</option>:<replaceable>event</replaceable>,...</para>
-              <para>Only generate the specified conntrack events for this
+              <variablelist>
-              connection. Possible event types are: <emphasis
+                <varlistentry>
-              role="bold">new</emphasis>, <emphasis
+                  <term>amanda</term>
              role="bold">related</emphasis>, <emphasis
              role="bold">destroy</emphasis>, <emphasis
              role="bold">reply</emphasis>, <emphasis
              role="bold">assured</emphasis>, <emphasis
              role="bold">protoinfo</emphasis>, <emphasis
              role="bold">helper</emphasis>, <emphasis
              role="bold">mark</emphasis> (this is connection mark, not packet
              mark), <emphasis role="bold">natseqinfo</emphasis>, and
              <emphasis role="bold">secmark</emphasis>.</para>
            </listitem>
-            <listitem>
+                  <listitem>
-              <para><option>expevents</option><option>:new</option></para>
+                    <para>Requires that the amanda netfilter helper is
                    present.</para>
                  </listitem>
                </varlistentry>
-              <para>Only generate a new expectation events for this
+                <varlistentry>
-              connection.</para>
+                  <term>ftp</term>
            </listitem>
-            <listitem>
+                  <listitem>
-              <para><option>zone</option>:<replaceable>id</replaceable></para>
+                    <para>Requires that the FTP netfilter helper is
                    present.</para>
                  </listitem>
                </varlistentry>
-              <para>Assign this packet to zone <replaceable>id</replaceable>
+                <varlistentry>
-              and only have lookups done in that zone. By default, packets
+                  <term>irc</term>
-              have zone 0.</para>
+
                  <listitem>
                    <para>Requires that the IRC netfilter helper is
                    present.</para>
                  </listitem>
                </varlistentry>
                <varlistentry>
                  <term>netbios-ns</term>
                  <listitem>
                    <para>Requires that the netbios_ns (sic) helper is
                    present.</para>
                  </listitem>
                </varlistentry>
                <varlistentry>
                  <term>RAS and Q.931</term>
                  <listitem>
                    <para>These require that the H323 netfilter helper is
                    present.</para>
                  </listitem>
                </varlistentry>
                <varlistentry>
                  <term>pptp</term>
                  <listitem>
                    <para>Requires that the pptp netfilter helper is
                    present.</para>
                  </listitem>
                </varlistentry>
                <varlistentry>
                  <term>sane</term>
                  <listitem>
                    <para>Requires that the SANE netfilter helper is
                    present.</para>
                  </listitem>
                </varlistentry>
                <varlistentry>
                  <term>sip</term>
                  <listitem>
                    <para>Requires that the SIP netfilter helper is
                    present.</para>
                  </listitem>
                </varlistentry>
                <varlistentry>
                  <term>snmp</term>
                  <listitem>
                    <para>Requires that the SNMP netfilter helper is
                    present.</para>
                  </listitem>
                </varlistentry>
                <varlistentry>
                  <term>tftp</term>
                  <listitem>
                    <para>Requires that the TFTP netfilter helper is
                    present.</para>
                  </listitem>
                </varlistentry>
              </variablelist>
              <para>May be followed by an option list of
              <replaceable>arg</replaceable>=<replaceable>val</replaceable>
              pairs in parentheses:</para>
              <itemizedlist>
                <listitem>
                  <para><option>ctevents</option>=<replaceable>event</replaceable>[,...]</para>
                  <para>Only generate the specified conntrack events for this
                  connection. Possible event types are: <emphasis
                  role="bold">new</emphasis>, <emphasis
                  role="bold">related</emphasis>, <emphasis
                  role="bold">destroy</emphasis>, <emphasis
                  role="bold">reply</emphasis>, <emphasis
                  role="bold">assured</emphasis>, <emphasis
                  role="bold">protoinfo</emphasis>, <emphasis
                  role="bold">helper</emphasis>, <emphasis
                  role="bold">mark</emphasis> (this is connection mark, not
                  packet mark), <emphasis role="bold">natseqinfo</emphasis>,
                  and <emphasis role="bold">secmark</emphasis>. If more than
                  one <emphasis>event</emphasis> is listed, the
                  <replaceable>event</replaceable> list must be enclosed in
                  parentheses (e.g., ctevents=(new,related)).</para>
                </listitem>
                <listitem>
                  <para><option>expevents</option><option>=new</option></para>
                  <para>Only generate a <emphasis role="bold">new</emphasis>
                  expectation events for this connection.</para>
                </listitem>
              </itemizedlist>
            </listitem>
          </itemizedlist>
@@ -130,13 +232,9 @@
          url="shorewall-exclusion.html">shorewall-exclusion</ulink>
          (5)).</para>
-          <para>Comments may be attached to Netfilter rules generated from
+          <para>Beginning with Shorewall 4.5.7, <option>all</option> can be
-          entries in this file through the use of COMMENT lines. These lines
+          used as the <replaceable>zone</replaceable> name to mean
-          begin with the word COMMENT; the remainder of the line is treated as
+          <firstterm>all zones</firstterm>.</para>
          a comment which is attached to subsequent rules until another
          COMMENT line is found or until the end of the file is reached. To
          stop adding comments to rules, use a line with only the word
          COMMENT.</para>
        </listitem>
      </varlistentry>
@@ -225,6 +323,14 @@
    </variablelist>
  </refsect1>
  <refsect1>
    <title>EXAMPLE</title>
    <programlisting>#ACTION                       SOURCE            DEST               PROTO            DEST              SOURCE              USER/GROUP
 #                                                                                   PORT(S)           PORT(S)
 CT:helper:ftp(expevents=new)  fw                -                  tcp              21              </programlisting>
  </refsect1>
  <refsect1>
    <title>FILES</title>
--- a/Shorewall/manpages/shorewall-interfaces.xml
+++ b/Shorewall/manpages/shorewall-interfaces.xml
@@ -202,7 +202,7 @@ loc     eth2            -</programlisting>
                changed; the value assigned to the setting will be the value
                specified (if any) or 1 if no value is given.</para>
-                <para/>
+                <para></para>
                <note>
                  <para>This option does not work with a wild-card
@@ -236,7 +236,7 @@ loc     eth2            -</programlisting>
                <para>8 - do not reply for all local addresses</para>
-                <para/>
+                <para></para>
                <note>
                  <para>This option does not work with a wild-card
@@ -244,7 +244,7 @@ loc     eth2            -</programlisting>
                  the INTERFACE column.</para>
                </note>
-                <para/>
+                <para></para>
                <warning>
                  <para>Do not specify <emphasis
@@ -343,13 +343,22 @@ loc     eth2            -</programlisting>
            </varlistentry>
            <varlistentry>
-              <term><emphasis role="bold">ignore</emphasis></term>
+              <term><emphasis role="bold">ignore[=1]</emphasis></term>
              <listitem>
                <para>When specified, causes the generated script to ignore
                up/down events from Shorewall-init for this device.
                Additionally, the option exempts the interface from hairpin
-                filtering.</para>
+                filtering. When '=1' is omitted, the ZONE column must contain
                '-' and <option>ignore</option> must be the only
                OPTION.</para>
                <para>Beginning with Shorewall 4.5.5, may be specified as
                '<option>ignore=1</option>' which only causes the generated
                script to ignore up/down events from Shorewall-init; hairpin
                filtering is still applied. In this case, the above
                restrictions on the ZONE and OPTIONS columns are
                lifted.</para>
              </listitem>
            </varlistentry>
@@ -385,7 +394,7 @@ loc     eth2            -</programlisting>
        1
        teastep@lists:~$ </programlisting>
-                <para/>
+                <para></para>
                <note>
                  <para>This option does not work with a wild-card
@@ -627,6 +636,20 @@ loc     eth2            -</programlisting>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term>rpfilter</term>
              <listitem>
                <para>Added in Shorewall 4.5.7. This is an anti-spoofing
                measure that requires the 'RPFilter Match' capability in your
                iptables and kernel. It provides a more efficient alternative
                to the <option>sfilter</option> option below. It performs a
                function similar to <option>routefilter</option> (see above)
                but works with Multi-ISP configurations that do now use
                balanced routes.</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term>sfilter=(<emphasis>net</emphasis>[,...])</term>
@@ -659,7 +682,7 @@ loc     eth2            -</programlisting>
                changed; the value assigned to the setting will be the value
                specified (if any) or 1 if no value is given.</para>
-                <para/>
+                <para></para>
                <note>
                  <para>This option does not work with a wild-card
--- a/Shorewall/manpages/shorewall-masq.xml
+++ b/Shorewall/manpages/shorewall-masq.xml
@@ -509,6 +509,22 @@
          restart</command>.</para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><emphasis role="bold">ORIGINAL DEST</emphasis> (origdest) -
        [<emphasis
        role="bold">-</emphasis>|<emphasis>address</emphasis>[,<emphasis>address</emphasis>]...[<emphasis>exclusion</emphasis>]|<emphasis>exclusion</emphasis>]</term>
        <listitem>
          <para>(Optional) Added in Shorewall 4.5.6. This column may be
          included and may contain one or more addresses (host or network)
          separated by commas. Address ranges are not allowed. When this
          column is supplied, rules are generated that require that the
          original destination address matches one of the listed addresses. It
          is useful for specifying that SNAT should occur only for connections
          that were acted on by a DNAT when they entered the firewall.</para>
        </listitem>
      </varlistentry>
    </variablelist>
  </refsect1>
--- a/Shorewall/manpages/shorewall-providers.xml
+++ b/Shorewall/manpages/shorewall-providers.xml
@@ -280,7 +280,8 @@
                url="http://www.shorewall.net/Shorewall_Squid_Usage.html">http://www.shorewall.net/Shorewall_Squid_Usage.html</ulink>.
                When specified, the MARK, DUPLICATE and GATEWAY columns should
                be empty, INTERFACE should be set to 'lo' and
-                <option>tproxy</option> should be the only OPTION.</para>
+                <option>tproxy</option> should be the only OPTION. Only one
                <option>tproxy</option> provider is allowed.</para>
              </listitem>
            </varlistentry>
          </variablelist>
--- a/Shorewall/manpages/shorewall-rules.xml
+++ b/Shorewall/manpages/shorewall-rules.xml
@@ -503,6 +503,19 @@
                rule, it is passed on to the next rule.</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term>HELPER</term>
              <listitem>
                <para>Added in Shorewall 4.5.7. This action requires that the
                HELPER column contains the name of the Netfilter helper to be
                associated with connections matching this connection. May only
                be specified in the NEW section and is useful for being able
                to specify a helper when the applicable policy is ACCEPT. No
                destination zone should be specified in HELPER rules.</para>
              </listitem>
            </varlistentry>
          </variablelist>
          <para>The <replaceable>target</replaceable> may optionally be
@@ -806,7 +819,7 @@
            </orderedlist></para>
          <blockquote>
-            <para/>
+            <para></para>
            <para>Except when <emphasis role="bold">all</emphasis>[<emphasis
            role="bold">+]|[-</emphasis>] is specified, the server may be
@@ -1084,8 +1097,7 @@
      <varlistentry>
        <term><emphasis role="bold">USER/GROUP</emphasis> (user) - [<emphasis
        role="bold">!</emphasis>][<emphasis>user-name-or-number</emphasis>][<emphasis
-        role="bold">:</emphasis><emphasis>group-name-or-number</emphasis>][<emphasis
+        role="bold">:</emphasis><emphasis>group-name-or-number</emphasis>]</term>
        role="bold">+</emphasis><emphasis>program-name</emphasis>]</term>
        <listitem>
          <para>This optional column may only be non-empty if the SOURCE is
@@ -1126,15 +1138,11 @@
            </varlistentry>
            <varlistentry>
-              <term>+upnpd</term>
+              <term>2001-2099</term>
              <listitem>
-                <para>program named upnpd</para>
+                <para>UIDs 2001 through 2099 (Shorewall 4.5.6 and
-
+                later)</para>
                <important>
                  <para>The ability to specify a program name was removed from
                  Netfilter in kernel version 2.6.14.</para>
                </important>
              </listitem>
            </varlistentry>
          </variablelist>
@@ -1356,6 +1364,54 @@
          restart</command>.</para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><emphasis role="bold">HELPER</emphasis> - [helper]</term>
        <listitem>
          <para>Added in Shorewall 4.5.7.</para>
          <para>In the NEW section, causes the named conntrack
          <replaceable>helper</replaceable> to be associated with this
          connection; the contents of this column are ignored unless ACTION is
          ACCEPT*, DNAT* or REDIRECT*.</para>
          <para>In the RELATED section, will only match if the related
          connection has the named <replaceable>helper</replaceable>
          associated with it.</para>
          <para>The <replaceable>helper</replaceable> may be one of:</para>
          <simplelist>
            <member><option>amanda</option></member>
            <member><option>ftp</option></member>
            <member><option>irc</option></member>
            <member><option>netbios-ns</option></member>
            <member><option>pptp</option></member>
            <member><option>Q.931</option></member>
            <member><option>RAS</option></member>
            <member><option>sane</option></member>
            <member><option>sip</option></member>
            <member><option>snmp</option></member>
            <member><option>tftp</option></member>
          </simplelist>
          <para>If the HELPERS option is specified in <ulink
          url="shorewall.conf.html">shorewall.conf</ulink>(5), then any module
          specified in this column most be listed in the HELPERS
          setting.</para>
        </listitem>
      </varlistentry>
    </variablelist>
  </refsect1>
@@ -1569,7 +1625,7 @@
          <programlisting>        #ACTION                       SOURCE           DEST           PROTO       DEST
        #                                                                         PORT(S)
-        DROP                          net:^A1,A2       fw             tcp         22</programlisting>
+        DROP                          net:^A1,A2       fw             tcp         25</programlisting>
        </listitem>
      </varlistentry>
    </variablelist>
@@ -1588,7 +1644,10 @@
    url="http://www.shorewall.net/ipsets.html">http://www.shorewall.net/ipsets.html</ulink></para>
    <para><ulink
-    url="http://shorewall.net/configuration_file_basics.htm#Pairs">http://shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
+    url="http://shorewall.net/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
    <para><ulink
    url="http://www.shorewall.net/shorewall_logging.html">http://www.shorewall.net/shorewall_logging.html</ulink></para>
    <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
    shorewall-blacklist(5), shorweall-blrules(5), shorewall-hosts(5),
--- a/Shorewall/manpages/shorewall-tcclasses.xml
+++ b/Shorewall/manpages/shorewall-tcclasses.xml
@@ -11,7 +11,7 @@
  <refnamediv>
    <refname>tcclasses</refname>
-    <refpurpose>Shorewall file to define HTB classes</refpurpose>
+    <refpurpose>Shorewall file to define HTB and HFSC classes</refpurpose>
  </refnamediv>
  <refsynopsisdiv>
@@ -166,8 +166,8 @@
          marking the traffic you want to fit in the classes defined in here.
          Must be specified as '-' if the <emphasis
          role="bold">classify</emphasis> option is given for the interface in
-          <ulink
+          <ulink url="shorewall-tcdevices.html">shorewall-tcdevices</ulink>(5)
-          url="shorewall-tcdevices.html">shorewall-tcdevices</ulink>(5)</para>
+          and you are running Shorewall 4.5.5 or earlier.</para>
          <para>You can use the same marks for different interfaces.</para>
        </listitem>
@@ -175,7 +175,7 @@
      <varlistentry>
        <term><emphasis role="bold">RATE</emphasis> -
-        <emphasis>rate</emphasis>[:<emphasis>dmax</emphasis>[:<emphasis>umax</emphasis>]]</term>
+        {-|<emphasis>rate</emphasis>[:<emphasis>dmax</emphasis>[:<emphasis>umax</emphasis>]]}</term>
        <listitem>
          <para>The minimum bandwidth this class should get, when the traffic
@@ -185,11 +185,12 @@
          class exceed the CEIL of the parent class, things don't work
          well.</para>
-          <para>When using the HFSC queuing discipline, leaf classes may
+          <para>When using the HFSC queuing discipline, this column specify
-          specify <replaceable>dmax</replaceable>, the maximum delay in
+          the real-time (RT) service curve. leaf classes may specify
-          milliseconds that the first queued packet for this class should
+          <replaceable>dmax</replaceable>, the maximum delay in milliseconds
-          experience. May be expressed as an integer, optionally followed by
+          that the first queued packet for this class should experience. May
-          'ms' with no intervening white space (e.g., 10ms).</para>
+          be expressed as an integer, optionally followed by 'ms' with no
          intervening white space (e.g., 10ms).</para>
          <para>HFSC leaf classes may also specify
          <replaceable>umax</replaceable>, the largest packet expected in this
@@ -198,12 +199,18 @@
          followed by 'b' with no intervening white space (e.g., 800b).
          <replaceable>umax</replaceable> may only be given if
          <replaceable>dmax</replaceable> is also given.</para>
          <para>Beginning with Shorewall 4.5.6, HFSC classes may omit this
          column (e.g, '-' in the column), provided that an
          <replaceable>lsrate</replaceable> is specified (see CEIL below).
          These rates are used to arbitrate between classes of the same
          priority.</para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><emphasis role="bold">CEIL</emphasis> -
-        <emphasis>rate</emphasis></term>
+        [<emphasis>lsrate</emphasis>:]<emphasis>rate</emphasis></term>
        <listitem>
          <para>The maximum bandwidth this class is allowed to use when the
@@ -214,6 +221,9 @@
          here for setting the maximum bandwidth to the RATE of the parent
          class, or the OUT-BANDWIDTH of the device if there is no parent
          class.</para>
          <para>Beginning with Shorewall 4.5.6, you can also specify an
          <replaceable>lsrate</replaceable> (link sharing rate).</para>
        </listitem>
      </varlistentry>
@@ -253,7 +263,7 @@
                <para>This is the default class for that interface where all
                traffic should go, that is not classified otherwise.</para>
-                <para></para>
+                <para/>
                <note>
                  <para>You must define <emphasis
@@ -310,7 +320,7 @@
                limited to 64 bytes because we want only packets WITHOUT
                payload to match.</para>
-                <para></para>
+                <para/>
                <note>
                  <para>This option is only valid for ONE class per
@@ -430,6 +440,121 @@
                assumed.</para>
              </listitem>
            </varlistentry>
            <varlistentry>
              <term>red=(<replaceable>redoption</replaceable>=<replaceable>value</replaceable>,
              ...)</term>
              <listitem>
                <para>Added in Shorewall 4.5.6. When specified on a leaf
                class, causes the class to use the RED (Random Early
                Detection) queuing discipline rather than SFQ. See tc-red (8)
                for additional information.</para>
                <para>Allowable redoptions are:</para>
                <variablelist>
                  <varlistentry>
                    <term>min <replaceable>min</replaceable></term>
                    <listitem>
                      <para>Average queue size at which marking becomes a
                      possibility.</para>
                    </listitem>
                  </varlistentry>
                  <varlistentry>
                    <term>max <replaceable>max</replaceable></term>
                    <listitem>
                      <para>At this average queue size, the marking
                      probability is maximal. Must be at least twice
                      <replaceable>min</replaceable> to prevent synchronous
                      retransmits, higher for low
                      <replaceable>min</replaceable>.</para>
                    </listitem>
                  </varlistentry>
                  <varlistentry>
                    <term>probability
                    <replaceable>probability</replaceable></term>
                    <listitem>
                      <para>Maximum probability for marking, specified as a
                      floating point number from 0.0 to 1.0. Suggested values
                      are 0.01 or 0.02 (1 or 2%, respectively).</para>
                    </listitem>
                  </varlistentry>
                  <varlistentry>
                    <term>limit <replaceable>limit</replaceable></term>
                    <listitem>
                      <para>Hard limit on the real (not average) queue size in
                      bytes. Further packets are dropped. Should be set higher
                      than
                      <replaceable>max</replaceable>+<replaceable>burst</replaceable>.
                      It is advised to set this a few times higher than
                      <replaceable>max</replaceable>. Shorewall requires that
                      <replaceable>limit</replaceable> be at least twice
                      <replaceable>min</replaceable>.</para>
                    </listitem>
                  </varlistentry>
                  <varlistentry>
                    <term>burst <replaceable>burst</replaceable></term>
                    <listitem>
                      <para>Used for determining how fast the average queue
                      size is influenced by the real queue size. Larger values
                      make the calculation more sluggish, allowing longer
                      bursts of traffic before marking starts. Real life
                      experiments support the following guide‐line:
                      (<replaceable>min</replaceable>+<replaceable>min</replaceable>+<replaceable>max</replaceable>)/(3*<replaceable>avpkt</replaceable>).</para>
                    </listitem>
                  </varlistentry>
                  <varlistentry>
                    <term>avpkt <replaceable>avpkt</replaceable></term>
                    <listitem>
                      <para>Optional. Specified in bytes. Used with burst to
                      determine the time constant for average queue size
                      calculations. 1000 is a good value and is the Shorewall
                      default.</para>
                    </listitem>
                  </varlistentry>
                  <varlistentry>
                    <term>bandwidth
                    <replaceable>bandwidth</replaceable></term>
                    <listitem>
                      <para>Optional. This rate is used for calculating the
                      average queue size after some idle time. Should be set
                      to the bandwidth of your interface. Does not mean that
                      RED will shape for you!</para>
                    </listitem>
                  </varlistentry>
                  <varlistentry>
                    <term>ecn</term>
                    <listitem>
                      <para>RED can either 'mark' or 'drop'. Explicit
                      Congestion Notification allows RED to notify remote
                      hosts that their rate exceeds the amount of bandwidth
                      available. Non-ECN capable hosts can only be notified by
                      dropping a packet. If this parameter is specified,
                      packets which indicate that their hosts honor ECN will
                      only be marked and not dropped, unless the queue size
                      hits <replaceable>limit</replaceable> bytes. Needs a tc
                      binary with RED support compiled in. Recommended.</para>
                    </listitem>
                  </varlistentry>
                </variablelist>
              </listitem>
            </varlistentry>
          </variablelist>
        </listitem>
      </varlistentry>
@@ -503,6 +628,10 @@
    <para><ulink
    url="http://shorewall.net/configuration_file_basics.htm#Pairs">http://shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
    <para>tc-hfsc(7)</para>
    <para>tc-red(8)</para>
    <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
    shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5),
    shorewall-ipsets(5), shorewall-maclist(5), shorewall-masq(5),
--- a/Shorewall/manpages/shorewall-tcdevices.xml
+++ b/Shorewall/manpages/shorewall-tcdevices.xml
@@ -179,7 +179,17 @@
      <varlistentry>
        <term><emphasis role="bold">OPTIONS</emphasis> - {<emphasis
        role="bold">-</emphasis>|<emphasis
-        role="bold">{classify</emphasis>|hfsc} ,...}</term>
+        role="bold">{classify</emphasis>|<emphasis
        role="bold">hfsc</emphasis>|<emphasis
        role="bold">linklayer</emphasis>={<emphasis
        role="bold">ethernet</emphasis>|<emphasis
        role="bold">atm</emphasis>|<emphasis
        role="bold">adsl</emphasis>}|<emphasis
        role="bold">tsize</emphasis>=<replaceable>tsize</replaceable>|<emphasis
        role="bold">mtu</emphasis>=<replaceable>mtu</replaceable>|<emphasis
        role="bold">mpu</emphasis>=<replaceable>mpu</replaceable>|<emphasis
        role="bold">overhead</emphasis>=<replaceable>overhead</replaceable>}
        ,...}</term>
        <listitem>
          <para><option>classify</option> ― When specified, Shorewall will not
@@ -190,7 +200,34 @@
          <para><option>hfsc</option> - Shorewall normally uses the
          <firstterm>Hierarchical Token Bucket</firstterm> queuing discipline.
          When <option>hfsc</option> is specified, the <firstterm>Hierarchical
-          Fair Service Curves</firstterm> discipline is used instead.</para>
+          Fair Service Curves</firstterm> discipline is used instead (see
          tc-hfsc (7)).</para>
          <para><emphasis role="bold">linklayer</emphasis> - Added in
          Shorewall 4.5.6. Type of link (ethernet, atm, adsl). When specified,
          causes scheduler packet size manipulation as described in tc-stab
          (8). When this option is given, the following options may also be
          given after it:</para>
          <blockquote>
            <para><emphasis
            role="bold">mtu</emphasis>=<replaceable>mtu</replaceable> - The
            device MTU; default 2048 (will be rounded up to a power of
            two)</para>
            <para><emphasis
            role="bold">mpu</emphasis>=<replaceable>mpubytes</replaceable> -
            Minimum packet size used in calculations. Smaller packets will be
            rounded up to this size</para>
            <para><emphasis
            role="bold">tsize</emphasis>=<replaceable>tablesize</replaceable>
            - Size table entries; default is 512</para>
            <para><emphasis
            role="bold">overhead</emphasis>=<replaceable>overheadbytes</replaceable>
            - Number of overhead bytes per packet.</para>
          </blockquote>
        </listitem>
      </varlistentry>
@@ -240,6 +277,8 @@
  <refsect1>
    <title>See ALSO</title>
    <para>tc-hfsc (7)</para>
    <para><ulink
    url="http://shorewall.net/traffic_shaping.htm">http://shorewall.net/traffic_shaping.htm</ulink></para>
--- a/Shorewall/manpages/shorewall-tcfilters.xml
+++ b/Shorewall/manpages/shorewall-tcfilters.xml
@@ -35,7 +35,7 @@
        <term>IPV4</term>
        <listitem>
-          <para>Following entriess apply to IPv4.</para>
+          <para>Following entries apply to IPv4.</para>
        </listitem>
      </varlistentry>
--- a/Shorewall/manpages/shorewall-tcrules.xml
+++ b/Shorewall/manpages/shorewall-tcrules.xml
@@ -573,6 +573,9 @@ SAME              $FW            0.0.0.0/0    tcp        80,443</programlisting>
    AF43 =&gt; 0x26
    EF   =&gt; 0x2e</programlisting>
              <para>To indicate more than one class, add their hex values
              together and specify the result.</para>
              <para>May be optionally followed by ':' and a capital letter
              designating the chain where classification is to occur.</para>
@@ -611,6 +614,9 @@ Maximize-Reliability =&gt; 0x04,
 Minimize-Cost        =&gt; 0x02,
 Normal-Service       =&gt; 0x00</programlisting>
              <para>To indicate more than one class, add their hex values
              together and specify the result.</para>
              <para>When <replaceable>tos</replaceable> is given as a number,
              it may be optionally followed by '/' and a
              <replaceable>mask</replaceable>. When no
--- a/Shorewall/manpages/shorewall-tos.xml
+++ b/Shorewall/manpages/shorewall-tos.xml
@@ -96,13 +96,16 @@
        <emphasis>tos</emphasis></term>
        <listitem>
-          <para>Must be one of the following;</para>
+          <para>Must may one of the following;</para>
          <programlisting>        <emphasis role="bold">tos-minimize-delay</emphasis> (16)
        <emphasis role="bold">tos-maximize-throughput</emphasis> (8)
        <emphasis role="bold">tos-maximize-reliability</emphasis> (4)
        <emphasis role="bold">tos-minimize-cost</emphasis> (2)
        <emphasis role="bold">tos-normal-service</emphasis> (0)</programlisting>
          <para>To specify more than one flag, add their values together and
          specify the numeric result.</para>
        </listitem>
      </varlistentry>
--- a/Shorewall/manpages/shorewall.conf.xml
+++ b/Shorewall/manpages/shorewall.conf.xml
@@ -96,7 +96,7 @@
        role="bold">none</emphasis>}</term>
        <listitem>
-          <para/>
+          <para></para>
        </listitem>
      </varlistentry>
@@ -106,7 +106,7 @@
        role="bold">none</emphasis>}</term>
        <listitem>
-          <para/>
+          <para></para>
        </listitem>
      </varlistentry>
@@ -116,7 +116,7 @@
        role="bold">none</emphasis>}</term>
        <listitem>
-          <para/>
+          <para></para>
        </listitem>
      </varlistentry>
@@ -126,7 +126,7 @@
        role="bold">none</emphasis>}</term>
        <listitem>
-          <para/>
+          <para></para>
        </listitem>
      </varlistentry>
@@ -283,14 +283,14 @@
      </varlistentry>
      <varlistentry>
-        <term><emphasis role="bold">AUTO_COMMENT=</emphasis>[<emphasis
+        <term><emphasis role="bold">AUTOCOMMENT=</emphasis>[<emphasis
        role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>
        <listitem>
-          <para>If set, if there is not a current comment when a macro is
+          <para>Formerly named AUTO_COMMENT. If set, if there is not a current
-          invoked, the behavior is as if the first line of the macro file was
+          comment when a macro is invoked, the behavior is as if the first
-          "COMMENT &lt;macro name&gt;". The AUTO_COMMENT option has a default
+          line of the macro file was "COMMENT &lt;macro name&gt;". The
-          value of 'Yes'.</para>
+          AUTO_COMMENT option has a default value of 'Yes'.</para>
          <para>The setting of the AUTOMAKE option is ignored if the
          <command>start</command> or <command>restart</command> command
@@ -299,6 +299,49 @@
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><emphasis role="bold">AUTOHELPERS=</emphasis>[<emphasis
        role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>
        <listitem>
          <para>Added in Shorewall 4.5.7. When set to <option>Yes</option>
          (the default), the generated ruleset will automatically associate
          helpers with applications that require them (FTP, IRC, etc.). When
          configuring your firewall on systems running kernel 3.5 or later, it
          is recommended that you:</para>
          <orderedlist>
            <listitem>
              <para>Set AUTOHELPERS=No.</para>
            </listitem>
            <listitem>
              <para>Either:</para>
              <orderedlist numeration="loweralpha">
                <listitem>
                  <para>Modify <ulink
                  url="shorewall-conntrack.html">shorewall-conntrack</ulink>
                  (5) to only apply helpers where they are required; or</para>
                </listitem>
                <listitem>
                  <para>Specify the appropriate helper in the HELPER column in
                  <ulink url="shorewall-rules.html">shorewall-rules</ulink>
                  (5).</para>
                  <note>
                    <para>The macros for those applications requiring a helper
                    automatically specify the appropriate HELPER where
                    required.</para>
                  </note>
                </listitem>
              </orderedlist>
            </listitem>
          </orderedlist>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><emphasis role="bold">AUTOMAKE=</emphasis>[<emphasis
        role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>
@@ -482,7 +525,7 @@
          </itemizedlist>
          <blockquote>
-            <para/>
+            <para></para>
            <para>If CONFIG_PATH is not given or if it is set to the empty
            value then the contents of /usr/share/shorewall/configpath are
@@ -684,6 +727,66 @@ net     all  DROP   info</programlisting>then the chain name is 'net2all'
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><emphasis
        role="bold">HELPERS</emphasis>=[<emphasis>helper</emphasis>[,<replaceable>helper</replaceable>...]]</term>
        <listitem>
          <para>Added in Shorewall 4.5.7. This option lists the Netfilter
          application helps that are to be enabled. If not specified, the
          default is to enable all helpers.</para>
          <para>Possible values for <replaceable>helper</replaceable>
          are:</para>
          <itemizedlist>
            <listitem>
              <para>amanda</para>
            </listitem>
            <listitem>
              <para>ftp</para>
            </listitem>
            <listitem>
              <para>h323</para>
            </listitem>
            <listitem>
              <para>irc</para>
            </listitem>
            <listitem>
              <para>netbios-ns</para>
            </listitem>
            <listitem>
              <para>pptp</para>
            </listitem>
            <listitem>
              <para>sane</para>
            </listitem>
            <listitem>
              <para>sip</para>
            </listitem>
            <listitem>
              <para>snmp</para>
            </listitem>
            <listitem>
              <para>tftp</para>
            </listitem>
          </itemizedlist>
          <para>When HELPERS is specified on a system running Kernel 3.5.0 or
          later, automatic association of helpers to connections is
          disabled.</para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><emphasis role="bold">HIGH_ROUTE_MARKS=</emphasis>{<emphasis
        role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>}</term>
@@ -829,7 +932,7 @@ net     all  DROP   info</programlisting>then the chain name is 'net2all'
            </varlistentry>
          </variablelist>
-          <para/>
+          <para></para>
          <blockquote>
            <para>If this variable is not set or is given an empty value
@@ -1039,7 +1142,7 @@ net     all  DROP   info</programlisting>then the chain name is 'net2all'
            </listitem>
          </itemizedlist>
-          <para/>
+          <para></para>
          <blockquote>
            <para>For example, using the default LOGFORMAT, the log prefix for
@@ -1056,7 +1159,7 @@ net     all  DROP   info</programlisting>then the chain name is 'net2all'
              control your firewall after you enable this option.</para>
            </important>
-            <para/>
+            <para></para>
            <caution>
              <para>Do not use this option if the resulting log messages will
@@ -1437,6 +1540,17 @@ net     all  DROP   info</programlisting>then the chain name is 'net2all'
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><emphasis
        role="bold">NFACCT=</emphasis>[<emphasis>pathname</emphasis>]</term>
        <listitem>
          <para>Added in Shorewall 4.5.7. Specifies the pathname of the nfacct
          utiliity. If not specified, Shorewall will use the PATH settting to
          find the program.</para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><emphasis role="bold">NULL_ROUTE_RFC1918=</emphasis>[<emphasis
        role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>
@@ -1709,7 +1823,7 @@ net     all  DROP   info</programlisting>then the chain name is 'net2all'
        role="bold">"</emphasis></term>
        <listitem>
-          <para/>
+          <para></para>
        </listitem>
      </varlistentry>
@@ -1879,6 +1993,33 @@ net     all  DROP   info</programlisting>then the chain name is 'net2all'
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><emphasis role="bold">RPFILTER_DISPOSITION=</emphasis>[<emphasis
        role="bold">DROP</emphasis>|<emphasis
        role="bold">REJECT</emphasis>|A_DROP|A_REJECT]</term>
        <listitem>
          <para>Added in Shorewall 4.5.7. Determines the disposition of
          packets entering from interfaces the <option>rpfilter</option>
          option (see <ulink
          url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5)).
          Packets disposed of by this option are those whose response packets
          would not be sent through the same interface receiving the
          packet.</para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><emphasis
        role="bold">RPFILTER_LOG_LEVEL=</emphasis><emphasis>log-level</emphasis></term>
        <listitem>
          <para>Added in shorewall 4.5.7. Determines the logging of packets
          disposed via the RPFILTER_DISPOSITION. The default value is
          <option>info</option>.</para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term><emphasis role="bold">SAVE_IPSETS=</emphasis>{<emphasis
        role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>}</term>
@@ -1900,7 +2041,7 @@ net     all  DROP   info</programlisting>then the chain name is 'net2all'
        <listitem>
          <para>Added in Shorewall 4.4.20. Determines the disposition of
-          packets matching the <option>filter</option> option (see <ulink
+          packets matching the <option>sfilter</option> option (see <ulink
          url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5)) and
          of <firstterm>hairpin</firstterm> packets on interfaces without the
          <option>routeback</option> option.<footnote>
@@ -1916,7 +2057,7 @@ net     all  DROP   info</programlisting>then the chain name is 'net2all'
        <listitem>
          <para>Added on Shorewall 4.4.20. Determines the logging of packets
-          matching the <option>filter</option> option (see <ulink
+          matching the <option>sfilter</option> option (see <ulink
          url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5)) and
          of <firstterm>hairpin</firstterm> packets on interfaces without the
          <option>routeback</option> option.<footnote>
--- a/Shorewall6-lite/shorecap
+++ b/Shorewall6-lite/shorecap
@@ -45,17 +45,22 @@
 #    used during firewall compilation, then the generated firewall program will likewise not
 #    require Shorewall to be installed.
-SHAREDIR=/usr/share/shorewall6-lite
+g_program=shorewall6-lite
 VARDIR=/var/lib/shorewall6-lite
 CONFDIR=/etc/shorewall6-lite
 g_product="Shorewall6 Lite"
 g_family=6
 g_base=shorewall6
 g_basedir=/usr/share/shorewall6-lite
-. /usr/share/shorewall6-lite/lib.base
+#
-. /usr/share/shorewall6/lib.cli
+# This is modified by the installer when ${SHAREDIR} != /usr/share
-. /usr/share/shorewall6-lite/configpath
+#
 . /usr/share/shorewall/shorewallrc
 g_libexec="$LIBEXECDIR"
 g_sharedir="$SHAREDIR"/shorewall6-lite
 g_sbindir="$SBINDIR"
 g_vardir="$VARDIR"
 g_confdir="$CONFDIR"/shorewall6-lite
 g_readrc=1
 . ${SHAREDIR}/shorewall/lib.cli
 . ${SHAREDIR}/shorewall-lite/configpath
 [ -n "$PATH" ] || PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
--- a/Shorewall6/Samples6/Universal/interfaces
+++ b/Shorewall6/Samples6/Universal/interfaces
@@ -11,5 +11,5 @@ FORMAT 2
 ###############################################################################
 #ZONE	INTERFACE	OPTIONS
 -	lo		ignore
-net	all		dhcp,physical=+,routeback
+net	all		dhcp,physical=+,routeback,sourceroute=0
--- a/Shorewall6/Samples6/Universal/rules
+++ b/Shorewall6/Samples6/Universal/rules
@@ -6,13 +6,14 @@
 # The manpage is also online at
 # http://www.shorewall.net/manpages/shorewall-rules.html
 #
-###########################################################################################################################################################################
+######################################################################################################################################################################################
-#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME       HEADERS   SWITCH
+#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME       HEADERS   SWITCH     HELPER
 #							PORT	PORT(S)		DEST		LIMIT		GROUP
 #SECTION ALL
 #SECTION ESTABLISHED
 #SECTION RELATED
 SECTION NEW
 Invalid(DROP)	net		$FW		tcp
 SSH(ACCEPT)	net		$FW
 Ping(ACCEPT)	net		$FW
--- a/Shorewall6/Samples6/Universal/shorewall6.conf
+++ b/Shorewall6/Samples6/Universal/shorewall6.conf
@@ -40,6 +40,8 @@ MACLIST_LOG_LEVEL=info
 RELATED_LOG_LEVEL=
 RPFILTER_LOG_LEVEL=info
 SFILTER_LOG_LEVEL=info
 SMURF_LOG_LEVEL=info
@@ -66,6 +68,8 @@ LOCKFILE=
 MODULESDIR=
 NFACCT=
 PERL=/usr/bin/perl
 PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
@@ -105,7 +109,9 @@ ACCOUNTING_TABLE=filter
 ADMINISABSENTMINDED=Yes
-AUTO_COMMENT=Yes
+AUTOCOMMENT=Yes
 AUTOHELPERS=Yes
 AUTOMAKE=No
@@ -131,6 +137,8 @@ FASTACCEPT=Yes
 FORWARD_CLEAR_MARK=
 HELPERS=
 IMPLICIT_CONTINUE=No
 IPSET_WARNINGS=Yes
@@ -155,7 +163,7 @@ MODULE_SUFFIX=ko
 MUTEX_TIMEOUT=60
-OPTIMIZE=15
+OPTIMIZE=31
 OPTIMIZE_ACCOUNTING=No
@@ -187,6 +195,8 @@ RELATED_DISPOSITION=ACCEPT
 SFILTER_DISPOSITION=DROP
 RPFILTER_DISPOSITION=DROP
 SMURF_DISPOSITION=DROP
 TCP_FLAGS_DISPOSITION=DROP
--- a/Shorewall6/Samples6/one-interface/rules
+++ b/Shorewall6/Samples6/one-interface/rules
@@ -10,14 +10,18 @@
 # See the file README.txt for further details.
 #------------------------------------------------------------------------------------------------------------
 # For information on entries in this file, type "man shorewall6-rules"
-###########################################################################################################################################################################
+######################################################################################################################################################################################
-#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME       HEADERS   SWITCH
+#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME       HEADERS   SWITCH     HELPER
 #							PORT	PORT(S)		DEST		LIMIT		GROUP
 #SECTION ALL
 #SECTION ESTABLISHED
 #SECTION RELATED
 SECTION NEW
 # Drop packets in the INVALID state
 Invalid(DROP)  net    	        $FW		tcp
 # Drop Ping from the "bad" net zone.. and prevent your log from being flooded..
 Ping(DROP)	net		$FW
--- a/Shorewall6/Samples6/one-interface/shorewall6.conf
+++ b/Shorewall6/Samples6/one-interface/shorewall6.conf
@@ -40,6 +40,8 @@ MACLIST_LOG_LEVEL=info
 RELATED_LOG_LEVEL=
 RPFILTER_LOG_LEVEL=info
 SFILTER_LOG_LEVEL=info
 SMURF_LOG_LEVEL=info
@@ -66,6 +68,8 @@ LOCKFILE=
 MODULESDIR=
 NFACCT=
 PERL=/usr/bin/perl
 PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
@@ -105,7 +109,9 @@ ACCOUNTING_TABLE=filter
 ADMINISABSENTMINDED=Yes
-AUTO_COMMENT=Yes
+AUTOCOMMENT=Yes
 AUTOHELPERS=Yes
 AUTOMAKE=No
@@ -131,6 +137,8 @@ FASTACCEPT=No
 FORWARD_CLEAR_MARK=
 HELPERS=
 IMPLICIT_CONTINUE=No
 IPSET_WARNINGS=Yes
@@ -155,7 +163,7 @@ MODULE_SUFFIX=ko
 MUTEX_TIMEOUT=60
-OPTIMIZE=1
+OPTIMIZE=31
 OPTIMIZE_ACCOUNTING=No
@@ -187,6 +195,8 @@ RELATED_DISPOSITION=ACCEPT
 SFILTER_DISPOSITION=DROP
 RPFILTER_DISPOSITION=DROP
 SMURF_DISPOSITION=DROP
 TCP_FLAGS_DISPOSITION=DROP
--- a/Shorewall6/Samples6/three-interfaces/interfaces
+++ b/Shorewall6/Samples6/three-interfaces/interfaces
@@ -14,6 +14,6 @@
 FORMAT 2
 ###############################################################################
 #ZONE	INTERFACE	OPTIONS
-net     eth0            tcpflags,forward=1
+net     eth0            tcpflags,forward=1,sourceroute=0
 loc     eth1            tcpflags,forward=1
 dmz     eth2            tcpflags,forward=1
--- a/Shorewall6/Samples6/three-interfaces/rules
+++ b/Shorewall6/Samples6/three-interfaces/rules
@@ -10,8 +10,8 @@
 # See the file README.txt for further details.
 #------------------------------------------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall6-rules"
-###########################################################################################################################################################################
+######################################################################################################################################################################################
-#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME       HEADERS   SWITCH
+#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME       HEADERS   SWITCH     HELPER
 #							PORT	PORT(S)		DEST		LIMIT		GROUP
 #SECTION ALL
 #SECTION ESTABLISHED
@@ -20,7 +20,7 @@ SECTION NEW
 #       Don't allow connection pickup from the net
 #
-Invalid(DROP)	net		all
+Invalid(DROP)	net		all		tcp
 #
 #	Accept DNS connections from the firewall to the Internet
 #
--- a/Shorewall6/Samples6/three-interfaces/shorewall6.conf
+++ b/Shorewall6/Samples6/three-interfaces/shorewall6.conf
@@ -40,6 +40,8 @@ MACLIST_LOG_LEVEL=info
 RELATED_LOG_LEVEL=
 RPFILTER_LOG_LEVEL=info
 SFILTER_LOG_LEVEL=info
 SMURF_LOG_LEVEL=info
@@ -66,6 +68,8 @@ LOCKFILE=
 MODULESDIR=
 NFACCT=
 PERL=/usr/bin/perl
 PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
@@ -105,7 +109,9 @@ ACCOUNTING_TABLE=filter
 ADMINISABSENTMINDED=Yes
-AUTO_COMMENT=Yes
+AUTOCOMMENT=Yes
 AUTOHELPERS=Yes
 AUTOMAKE=No
@@ -131,6 +137,8 @@ FASTACCEPT=No
 FORWARD_CLEAR_MARK=
 HELPERS=
 IMPLICIT_CONTINUE=No
 IPSET_WARNINGS=Yes
@@ -155,7 +163,7 @@ MODULE_SUFFIX=ko
 MUTEX_TIMEOUT=60
-OPTIMIZE=1
+OPTIMIZE=31
 OPTIMIZE_ACCOUNTING=No
@@ -187,6 +195,8 @@ RELATED_DISPOSITION=ACCEPT
 SFILTER_DISPOSITION=DROP
 RPFILTER_DISPOSITION=DROP
 SMURF_DISPOSITION=DROP
 TCP_FLAGS_DISPOSITION=DROP
--- a/Shorewall6/Samples6/two-interfaces/interfaces
+++ b/Shorewall6/Samples6/two-interfaces/interfaces
@@ -14,5 +14,5 @@
 FORMAT 2
 ###############################################################################
 #ZONE	INTERFACE	OPTIONS
-net     eth0            tcpflags,forward=1
+net     eth0            tcpflags,forward=1,sourceroute=0
 loc     eth1            tcpflags,forward=1
--- a/Shorewall6/Samples6/two-interfaces/rules
+++ b/Shorewall6/Samples6/two-interfaces/rules
@@ -10,8 +10,8 @@
 # See the file README.txt for further details.
 #------------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall6-rules"
-###########################################################################################################################################################################
+######################################################################################################################################################################################
-#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME       HEADERS   SWITCH
+#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME       HEADERS   SWITCH     HELPER
 #							PORT	PORT(S)		DEST		LIMIT		GROUP
 #SECTION ALL
 #SECTION ESTABLISHED
@@ -20,7 +20,7 @@ SECTION NEW
 #       Don't allow connection pickup from the net
 #
-Invalid(DROP)	net		all
+Invalid(DROP)	net		all		tcp
 #
 #	Accept DNS connections from the firewall to the network
 #
--- a/Shorewall6/Samples6/two-interfaces/shorewall6.conf
+++ b/Shorewall6/Samples6/two-interfaces/shorewall6.conf
@@ -40,6 +40,8 @@ MACLIST_LOG_LEVEL=info
 RELATED_LOG_LEVEL=
 RPFILTER_LOG_LEVEL=info
 SFILTER_LOG_LEVEL=info
 SMURF_LOG_LEVEL=info
@@ -66,6 +68,8 @@ LOCKFILE=
 MODULESDIR=
 NFACCT=
 PERL=/usr/bin/perl
 PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
@@ -105,7 +109,9 @@ ACCOUNTING_TABLE=filter
 ADMINISABSENTMINDED=Yes
-AUTO_COMMENT=Yes
+AUTOCOMMENT=Yes
 AUTOHELPERS=Yes
 AUTOMAKE=No
@@ -131,6 +137,8 @@ FASTACCEPT=No
 FORWARD_CLEAR_MARK=
 HELPERS=
 IMPLICIT_CONTINUE=No
 IPSET_WARNINGS=Yes
@@ -155,7 +163,7 @@ MODULE_SUFFIX=ko
 MUTEX_TIMEOUT=60
-OPTIMIZE=1
+OPTIMIZE=31
 OPTIMIZE_ACCOUNTING=No
@@ -187,6 +195,8 @@ RELATED_DISPOSITION=ACCEPT
 SFILTER_DISPOSITION=DROP
 RPFILTER_DISPOSITION=DROP
 SMURF_DISPOSITION=DROP
 TCP_FLAGS_DISPOSITION=DROP
--- a/Shorewall6/action.Broadcast
+++ b/Shorewall6/action.Broadcast
@@ -31,7 +31,7 @@ FORMAT 2
 DEFAULTS DROP,-
-BEGIN PERL;
+?BEGIN PERL;
 use Shorewall::IPAddrs;
 use Shorewall::Config;
@@ -68,4 +68,4 @@ add_jump $chainref, $target, 0, join( ' ', '-d', IPv6_MULTICAST . ' ' );
 1;
-END PERL;
+?END PERL;
--- a/Shorewall6/action.Drop
+++ b/Shorewall6/action.Drop
@@ -36,7 +36,7 @@ FORMAT 2
 # The following magic provides different defaults for $2 thru $5, when $1 is
 # 'audit'.
 #
-BEGIN PERL;
+?BEGIN PERL;
 use Shorewall::Config;
 my ( $p1, $p2, $p3 , $p4, $p5 ) = get_action_params( 5 );
@@ -54,7 +54,7 @@ if ( defined $p1 ) {
 1;
-END PERL;
+?END PERL;
 DEFAULTS -,REJECT,DROP,ACCEPT,DROP
--- a/Shorewall6/action.Reject
+++ b/Shorewall6/action.Reject
@@ -32,7 +32,7 @@ FORMAT 2
 # The following magic provides different defaults for $2 thru $5, when $1 is
 # 'audit'.
 #
-BEGIN PERL;
+?BEGIN PERL;
 use Shorewall::Config;
 my ( $p1, $p2, $p3 , $p4, $p5 ) = get_action_params( 5 );
@@ -50,7 +50,7 @@ if ( defined $p1 ) {
 1;
-END PERL;
+?END PERL;
 DEFAULTS -,REJECT,REJECT,ACCEPT,DROP
--- a/Shorewall6/configfiles/blacklist
+++ b/Shorewall6/configfiles/blacklist
@@ -1,10 +0,0 @@
 #
 # Shorewall6 version 4 - Blacklist File
 #
 # For information about entries in this file, type "man shorewall6-blacklist"
 #
 # Please see http://shorewall.net/blacklisting_support.htm for additional
 # information.
 #
 ###############################################################################
 #ADDRESS/SUBNET		PROTOCOL	PORT	OPTIONS
--- a/Shorewall6/configfiles/conntrack
+++ b/Shorewall6/configfiles/conntrack
@@ -0,0 +1,53 @@
 #
 # Shorewall version 4 - conntrack File
 #
 # For information about entries in this file, type "man shorewal6-conntrack"
 #
 #############################################################################################
 FORMAT 2
 #ACTION			SOURCE		DESTINATION	PROTO	DEST		SOURCE	USER/
 #								PORT(S)		PORT(S)	GROUP
 ?if __CT_TARGET
 ?if __AMANDA_HELPER
 CT:helper:amanda	all		-		udp	10080
 ?endif
 ?if __FTP_HELPER
 CT:helper:ftp		all		-		tcp	21
 ?endif
 ?if __H323_HELPER
 CT:helper:RAS		all		-		udp	1719
 CT:helper:Q.931		all		-		tcp	1720
 ?endif
 ?if __IRC_HELPER
 CT:helper:irc		all		-		tcp	6667
 ?endif
 ?if __NETBIOS_NS_HELPER
 CT:helper:netbios-ns	all		-		udp	137
 ?endif
 ?if __PPTP_HELPER
 CT:helper:pptp		all		-		tcp	1729
 ?endif
 ?if __SANE_HELPER
 CT:helper:sane		all		-		tcp	6566
 ?endif
 ?if __SIP_HELPER
 CT:helper:sip		all		-		udp	5060
 ?endif
 ?if __SNMP_HELPER
 CT:helper:snmp		all		-		udp	161
 ?endif
 ?if __TFTP_HELPER
 CT:helper:tftp		all		-		udp	69
 ?endif
 ?endif
--- a/Shorewall6/configfiles/notrack
+++ b/Shorewall6/configfiles/notrack
@@ -1,9 +0,0 @@
 #
 # Shorewall version 4 - Notrack File
 #
 # For information about entries in this file, type "man shorewall-notrack"
 #
 #####################################################################################
 FORMAT 2
 #ACTION		SOURCE		DESTINATION	PROTO	DEST		SOURCE	USER/
 #							PORT(S)		PORT(S)	GROUP
--- a/Shorewall6/configfiles/rules
+++ b/Shorewall6/configfiles/rules
@@ -6,8 +6,8 @@
 # The manpage is also online at
 # http://www.shorewall.net/manpages6/shorewall6-rules.html
 #
-###########################################################################################################################################################################
+#####################################################################################################################################################################################
-#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME       HEADERS   SWITCH
+#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME       HEADERS   SWITCH    HELPER
 #							PORT	PORT(S)		DEST		LIMIT		GROUP
 #SECTION ALL
 #SECTION ESTABLISHED
--- a/Show More
+++ b/Show More