Yet another fix for TTL/HL

Signed-off-by: Tom Eastep <teastep@shorewall.net>
Ensure that the .service files run the utility in ${SBINDIR}
2012-09-24 16:23:15 -07:00 · 2012-09-24 14:32:20 -07:00 · 2012-09-24 14:25:31 -07:00 · 2012-09-24 08:44:07 -07:00 · 2012-09-24 07:14:44 -07:00 · 2012-09-23 12:19:41 -07:00
168 changed files with 8511 additions and 2142 deletions
--- a/Shorewall-core/configure
+++ b/Shorewall-core/configure
@@ -76,7 +76,7 @@ for p in $@; do
 		    pn=HOST
 		    ;;
 		SHAREDSTATEDIR)
-		    pn=VARDIR
+		    pn=VARLIB
 		    ;;
 		DATADIR)
 		    pn=SHAREDIR
@@ -161,6 +161,17 @@ if [ $# -gt 0 ]; then
    echo '#'           >> shorewallrc
 fi

+if [ -n "${options[VARLIB]}" ]; then
+    if [ -z "${options[VARDIR]}" ]; then
+	options[VARDIR]='${VARLIB}/${PRODUCT}'
+    fi
+elif [ -n "${options[VARDIR]}" ]; then
+    if [ -z "{$options[VARLIB]}" ]; then
+	options[VARLIB]=${options[VARDIR]}
+	options[VARDIR]='${VARLIB}/${PRODUCT}'
+    fi
+fi
+
 for on in \
    HOST \
    PREFIX \
@@ -180,6 +191,7 @@ for on in \
    SYSCONFDIR \
    SPARSE \
    ANNOTATED \
+    VARLIB \
    VARDIR
 do
    echo "$on=${options[${on}]}"
--- a/Shorewall-core/configure.pl
+++ b/Shorewall-core/configure.pl
@@ -38,7 +38,7 @@ my %params;
 my %options;

 my %aliases = ( VENDOR         => 'HOST',
-		SHAREDSTATEDIR => 'VARDIR',
+		SHAREDSTATEDIR => 'VARLIB',
 		DATADIR        => 'SHAREDIR' );

 for ( @ARGV ) {
@@ -123,6 +123,15 @@ printf $outfile "#\n# Created by Shorewall Core version %s configure.pl - %s %2d

 print  $outfile "# Input: @ARGV\n#\n" if @ARGV;

+if ( $options{VARLIB} ) {
+    unless ( $options{VARDIR} ) {
+	$options{VARDIR} = '${VARLIB}/${PRODUCT}';
+    }
+} elsif ( $options{VARDIR} ) {
+    $options{VARLIB} = $options{VARDIR};
+    $options{VARDIR} = '${VARLIB}/${PRODUCT}';
+}
+
 for ( qw/ HOST
 	  PREFIX
 	  SHAREDIR
@@ -141,6 +150,7 @@ for ( qw/ HOST
 	  SYSCONFDIR
 	  SPARSE
 	  ANNOTATED
+	  VARLIB
 	  VARDIR / ) {

    my $val = $options{$_} || '';
--- a/Shorewall-core/install.sh
+++ b/Shorewall-core/install.sh
@@ -164,7 +164,18 @@ else
    usage 1
 fi

-for var in SHAREDIR LIBEXECDIR PERLLIBDIR CONFDIR SBINDIR VARDIR; do
+update=0
+
+if [ -z "${VARLIB}" ]; then
+    VARLIB=${VARDIR}
+    VARDIR="${VARLIB}/${PRODUCT}"
+    update=1
+elif [ -z "${VARDIR}" ]; then
+    VARDIR="${VARLIB}/${PRODUCT}"
+    update=2
+fi
+
+for var in SHAREDIR LIBEXECDIR PERLLIBDIR CONFDIR SBINDIR VARLIB VARDIR; do
    require $var
 done

@@ -346,9 +357,25 @@ ln -sf lib.base ${DESTDIR}${SHAREDIR}/shorewall/functions
 echo "$VERSION" > ${DESTDIR}${SHAREDIR}/shorewall/coreversion
 chmod 644 ${DESTDIR}${SHAREDIR}/shorewall/coreversion

-[ $file != "${SHAREDIR}/shorewall/shorewallrc" ] && cp $file ${DESTDIR}${SHAREDIR}/shorewall/shorewallrc
+if [ -z "${DESTDIR}" ]; then
+    if [ $update -ne 0 ]; then
+	echo "Updating $file - original saved in $file.bak"

-[ -z "${DESTDIR}" ] && [ ! -f ~/.shorewallrc ] && cp ${SHAREDIR}/shorewall/shorewallrc ~/.shorewallrc
+	cp $file $file.bak
+
+	echo '#'                                             >> $file
+	echo "# Updated by Shorewall-core $VERSION -" `date` >> $file
+	echo '#'                                             >> $file
+
+	[ $update -eq 1 ] && sed -i 's/VARDIR/VARLIB/' $file
+
+	echo 'VARDIR=${VARLIB}/${PRODUCT}' >> $file
+    fi
+
+    [ ! -f ~/.shorewallrc ] && cp ${SHAREDIR}/shorewall/shorewallrc ~/.shorewallrc
+fi
+
+[ $file != "${DESTDIR}${SHAREDIR}/shorewall/shorewallrc" ] && cp $file ${DESTDIR}${SHAREDIR}/shorewall/shorewallrc

 if [ ${SHAREDIR} != /usr/share ]; then
    for f in lib.*; do
--- a/Shorewall-core/lib.base
+++ b/Shorewall-core/lib.base
@@ -28,7 +28,7 @@
 #

 SHOREWALL_LIBVERSION=40502
-SHOREWALL_CAPVERSION=40504
+SHOREWALL_CAPVERSION=40507

 [ -n "${g_program:=shorewall}" ]

@@ -42,7 +42,6 @@ if [ -z "$g_readrc" ]; then
    g_sharedir="$SHAREDIR"/$g_program
    g_sbindir="$SBINDIR"
    g_perllib="$PERLLIBDIR"
-    g_vardir="$VARDIR"
    g_confdir="$CONFDIR"/$g_program
    g_readrc=1
 fi
@@ -76,7 +75,12 @@ case $g_program in
 	;;
 esac

-VARDIR=${VARDIR}/${g_program}
+if [ -z "${VARLIB}" ]; then
+    VARLIB=${VARDIR}
+    VARDIR=${VARLIB}/$g_program
+elif [ -z "${VARDIR}" ]; then
+    VARDIR="${VARLIB}/${PRODUCT}"
+fi

 #
 # Conditionally produce message
--- a/Shorewall-core/lib.cli
+++ b/Shorewall-core/lib.cli
@@ -615,6 +615,20 @@ show_connections_filter() {
    fi
 }

+show_nfacct() {
+    if [ -n "$NFACCT" -a ! -x "$NFACCT" ]; then
+	error_message "WARNING: NFACCT=$NFACCT does not exist or is not executable"
+	NFACCT=
+    else
+	NFACCT=$(mywhich nfacct)
+	[ -n "$NFACCT" ] || echo "No NF Accounting defined (nfacct not found)"
+    fi
+
+    if [ -n "$NFACCT" ]; then
+	$NFACCT list
+	echo
+    fi
+}
 #
 # Show Command Executor
 #
@@ -920,6 +934,12 @@ show_command() {
 	    echo
 	    [ -f ${VARDIR}/marks ] && cat ${VARDIR}/marks;
 	    ;;
+	nfacct)
+	    [ $# -gt 1 ] && usage 1
+	    echo "$g_product $SHOREWALL_VERSION NF Accounting at $g_hostname - $(date)"
+	    echo
+	    show_nfacct
+	    ;;
 	*)
 	    case "$g_program" in
 		*-lite)
@@ -1196,12 +1216,17 @@ do_dump_command() {
 	brctl show
    fi

+    show_routing
+
    if [ $g_family -eq 4 ]; then
 	heading "Per-IP Counters"

 	perip_accounting
    fi

+    heading "NF Accounting"
+    show_nfacct
+
    if qt mywhich setkey; then
 	heading "PFKEY SPD"
 	setkey -DP
@@ -1229,8 +1254,6 @@ do_dump_command() {
 	done
    fi

-    show_routing
-
    if [ $g_family -eq 4 ]; then
 	heading "ARP"
 	arp -na
@@ -1995,6 +2018,23 @@ determine_capabilities() {
    DSCP_MATCH=
    DSCP_TARGET=
    GEOIP_MATCH=
+    RPFILTER_MATCH=
+    NFACCT_MATCH=
+    AMANDA_HELPER=
+    FTP_HELPER=
+    FTP0_HELPER=
+    IRC_HELPER=
+    IRC0_HELPER=
+    NETBIOS_NS_HELPER=
+    H323_HELPER=
+    PPTP_HELPER=
+    SANE_HELPER=
+    SANE0_HELPER=
+    SIP_HELPER=
+    SIP0_HELPER=
+    SNMP_HELPER=
+    TFTP_HELPER=
+    TFTP0_HELPER=

    chain=fooX$$

@@ -2107,6 +2147,19 @@ determine_capabilities() {

    qt $g_tool -A $chain -j ACCEPT -m comment --comment "This is a comment" && COMMENTS=Yes

+    if [ -n "$NFACCT" -a ! -x "$NFACCT" ]; then
+	error_message "WARNING: NFACCT=$NFACCT does not exist or is not executable"
+	NFACCT=
+    else
+	NFACCT=$(mywhich nfacct)
+    fi
+
+    if [ -n "$NFACCT" ] && qt $NFACCT add $chain; then
+	qt $g_tool -A $chain -m nfacct --nfacct-name $chain && NFACCT_MATCH=Yes
+	qt $g_tool -D $chain -m nfacct --nfacct-name $chain
+	qt $NFACCT del $chain
+    fi
+
    if [ -n "$MANGLE_ENABLED" ]; then
 	qt $g_tool -t mangle -N $chain

@@ -2127,6 +2180,7 @@ determine_capabilities() {
 	qt $g_tool -t mangle -A $chain -j IMQ --todev 0 && IMQ_TARGET=Yes
 	qt $g_tool -t mangle -A $chain -m dscp --dscp 0 && DSCP_MATCH=Yes
 	qt $g_tool -t mangle -A $chain -j DSCP --set-dscp 0 && DSCP_TARGET=Yes
+	qt $g_tool -t mangle -A $chain -m rpfilter && RPFILTER_MATCH=Yes

 	qt $g_tool -t mangle -F $chain
 	qt $g_tool -t mangle -X $chain
@@ -2134,15 +2188,36 @@ determine_capabilities() {
 	qt $g_tool -t mangle -L FORWARD -n && MANGLE_FORWARD=Yes
    fi

-    qt $g_tool -t raw	    -L -n && RAW_TABLE=Yes
+    qt $g_tool -t raw	  -L -n && RAW_TABLE=Yes
    qt $g_tool -t rawpost -L -n && RAWPOST_TABLE=Yes

    if [ -n "$RAW_TABLE" ]; then
-	qt $g_tool -t raw -N $chain
-	qt $g_tool -t raw -A $chain -j CT --notrack && CT_TARGET=Yes
-	qt $g_tool -t raw -N $chain
 	qt $g_tool -t raw -F $chain
 	qt $g_tool -t raw -X $chain
+	qt $g_tool -t raw -N $chain
+	
+	if qt $g_tool -t raw -A $chain -j CT --notrack; then
+	    CT_TARGET=Yes;
+
+	    qt $g_tool -t raw -A $chain -p udp --dport 10080 -j CT --helper amanda     && AMANDA_HELPER=Yes
+	    qt $g_tool -t raw -A $chain -p tcp --dport 21    -j CT --helper ftp        && FTP_HELPER=Yes
+	    qt $g_tool -t raw -A $chain -p tcp --dport 21    -j CT --helper ftp-0      && FTP0_HELPER=Yes
+	    qt $g_tool -t raw -A $chain -p udp --dport 1719  -j CT --helper RAS        && H323_HELPER=Yes
+	    qt $g_tool -t raw -A $chain -p tcp --dport 6667  -j CT --helper irc        && IRC_HELPER=Yes
+	    qt $g_tool -t raw -A $chain -p tcp --dport 6667  -j CT --helper irc-0      && IRC0_HELPER=Yes
+	    qt $g_tool -t raw -A $chain -p udp --dport 137   -j CT --helper netbios-ns && NETBIOS_NS_HELPER=Yes
+	    qt $g_tool -t raw -A $chain -p tcp --dport 1729  -j CT --helper pptp       && PPTP_HELPER=Yes
+	    qt $g_tool -t raw -A $chain -p tcp --dport 6566  -j CT --helper sane       && SANE_HELPER=Yes
+	    qt $g_tool -t raw -A $chain -p tcp --dport 6566  -j CT --helper sane-0     && SANE0_HELPER=Yes
+	    qt $g_tool -t raw -A $chain -p udp --dport 5060  -j CT --helper sip        && SIP_HELPER=Yes
+	    qt $g_tool -t raw -A $chain -p udp --dport 5060  -j CT --helper sip-0      && SIP0_HELPER=Yes
+	    qt $g_tool -t raw -A $chain -p udp --dport 161   -j CT --helper snmp       && SNMP_HELPER=Yes
+	    qt $g_tool -t raw -A $chain -p udp --dport 69    -j CT --helper tftp       && TFTP_HELPER=Yes
+	    qt $g_tool -t raw -A $chain -p udp --dport 69    -j CT --helper tftp-0     && TFTP0_HELPER=Yes
+	fi
+
+	qt $g_tool -t raw -F $chain
+	qt $g_tool -t raw -X $chain	   
    fi

    if qt mywhich ipset; then
@@ -2160,10 +2235,10 @@ determine_capabilities() {

 	    if [ -n "$have_ipset" ]; then
 		if qt $g_tool -A $chain -m set --match-set $chain src -j ACCEPT; then
-		    qt $g_tool -D $chain -m set --match-set $chain src -j ACCEPT
+		    qt $g_tool -F $chain
 		    IPSET_MATCH=Yes
 		elif qt $g_tool -A $chain -m set --set $chain src -j ACCEPT; then
-		    qt $g_tool -D $chain -m set --set $chain src -j ACCEPT
+		    qt $g_tool -F $chain
 		    IPSET_MATCH=Yes
 		    OLD_IPSET_MATCH=Yes
 		fi
@@ -2172,10 +2247,10 @@ determine_capabilities() {
 	elif qt ipset -N $chain hash:ip family inet6; then
 	    IPSET_V5=Yes
 	    if qt $g_tool -A $chain -m set --match-set $chain src -j ACCEPT; then
-		qt $g_tool -D $chain -m set --match-set $chain src -j ACCEPT
+		qt $g_tool -F $chain
 		IPSET_MATCH=Yes
 	    elif qt $g_tool -A $chain -m set --set $chain src -j ACCEPT; then
-		qt $g_tool -D $chain -m set --set $chain src -j ACCEPT
+		qt $g_tool -F $chain
 		IPSET_MATCH=Yes
 		OLD_IPSET_MATCH=Yes
 	    fi
@@ -2193,7 +2268,28 @@ determine_capabilities() {
    fi
    qt $g_tool -A $chain -j NFQUEUE --queue-num 4 && NFQUEUE_TARGET=Yes
    qt $g_tool -A $chain -m realm --realm 4 && REALM_MATCH=Yes
-    qt $g_tool -A $chain -m helper --helper "ftp" && HELPER_MATCH=Yes
+
+    #
+    # -m helper doesn't verify the existence of the specified helper :-(
+    #
+    if qt $g_tool -A $chain -p tcp --dport 21 -m helper --helper ftp; then
+	HELPER_MATCH=Yes
+
+	if [ -z "$CT_TARGET" ]; then
+	    AMANDA_HELPER=Yes
+	    FTP_HELPER=Yes
+	    FTP_HELPER=Yes
+	    H323_HELPER=Yes
+	    IRC_HELPER=Yes
+	    NS_HELPER=Yes
+	    PPTP_HELPER=Yes
+	    SANE_HELPER=Yes
+	    SIP_HELPER=Yes
+	    SNMP_HELPER=Yes
+	    TFTP_HELPER=Yes
+	fi
+    fi
+
    qt $g_tool -A $chain -m connlimit --connlimit-above 8 -j DROP && CONNLIMIT_MATCH=Yes
    qt $g_tool -A $chain -m time --timestart 23:00 -j DROP && TIME_MATCH=Yes
    qt $g_tool -A $chain -g $chain1 && GOTO_TARGET=Yes
@@ -2319,6 +2415,23 @@ report_capabilities() {
 	report_capability "DSCP Match (DSCP_MATCH)" $DSCP_MATCH
 	report_capability "DSCP Target (DSCP_TARGET)" $DSCP_TARGET
 	report_capability "Geo IP match" $GEOIP_MATCH
+	report_capability "RPFilter match" $RPFILTER_MATCH
+	report_capability "NFAcct match" $NFACCT_MATCH
+	report_capability "Amanda Helper" $AMANDA_HELPER
+	report_capability "FTP Helper" $FTP_HELPER
+	report_capability "FTP-0 Helper" $FTP0_HELPER
+	report_capability "IRC Helper" $IRC_HELPER
+	report_capability "IRC-0 Helper" $IRC0_HELPER
+	report_capability "Netbios_ns Helper" $NETBIOS_NS_HELPER
+	report_capability "H323 Helper" $H323_HELPER
+	report_capability "PPTP Helper" $PPTP_HELPER
+	report_capability "SANE Helper" $SANE_HELPER
+	report_capability "SANE-0 Helper" $SANE0_HELPER
+	report_capability "SIP Helper" $SIP_HELPER
+	report_capability "SIP-0 Helper" $SIP0_HELPER
+	report_capability "SNMP Helper" $SNMP_HELPER
+	report_capability "TFTP Helper" $TFTP_HELPER
+	report_capability "TFTP-0 Helper" $TFTP0_HELPER

 	if [ $g_family -eq 4 ]; then
 	    report_capability "iptables -S (IPTABLES_S)" $IPTABLES_S
@@ -2328,6 +2441,9 @@ report_capabilities() {

 	report_capability "Basic Filter (BASIC_FILTER)" $BASIC_FILTER
 	report_capability "CT Target (CT_TARGET)" $CT_TARGET
+
+	echo "   Kernel Version (KERNELVERSION): $KERNELVERSION"
+	echo "   Capabilities Version (CAPVERSION): $CAPVERSION"
    fi

    [ -n "$PKTTYPE" ] || USEPKTTYPE=
@@ -2410,6 +2526,23 @@ report_capabilities1() {
    report_capability1 DSCP_MATCH
    report_capability1 DSCP_TARGET
    report_capability1 GEOIP_MATCH
+    report_capability1 RPFILTER_MATCH
+    report_capability1 NFACCT_MATCH
+    report_capability1 AMANDA_HELPER
+    report_capability1 FTP_HELPER
+    report_capability1 FTP0_HELPER
+    report_capability1 IRC_HELPER
+    report_capability1 IRC0_HELPER
+    report_capability1 NETBIOS_NS_HELPER
+    report_capability1 H323_HELPER
+    report_capability1 PPTP_HELPER
+    report_capability1 SANE_HELPER
+    report_capability1 SANE0_HELPER
+    report_capability1 SIP_HELPER
+    report_capability1 SIP0_HELPER
+    report_capability1 SNMP_HELPER
+    report_capability1 TFTP_HELPER
+    report_capability1 TFTP0_HELPER

    echo CAPVERSION=$SHOREWALL_CAPVERSION
    echo KERNELVERSION=$KERNELVERSION
@@ -2946,9 +3079,16 @@ usage() # $1 = exit status
    echo "   show connections"
    echo "   show filters"
    echo "   show ip"
+
+    if [ $g_family -eq 4 ]; then
+	echo "   show ipa"
+    fi
+
    echo "   show [ -m ] log [<regex>]"
-    echo "   show [ -x ] mangle|nat|raw|rawpost|routing"
+    echo "   show [ -x ] mangle|nat|raw|rawpost"
+    echo "   show nfacct"
    echo "   show policies"
+    echo "   show routing"
    echo "   show tc [ device ]"
    echo "   show vardir"
    echo "   show zones"
@@ -2999,7 +3139,7 @@ shorewall_cli() {
    g_shorewalldir=

    VERBOSE=
-    VERBOSITY=
+    VERBOSITY=1

    [ -n "$g_lite" ] || . ${g_basedir}/lib.cli-std

--- a/Shorewall-core/shorewallrc.apple
+++ b/Shorewall-core/shorewallrc.apple
@@ -17,4 +17,4 @@ ANNOTATED=                             #Unused on OS X
 SYSTEMD=                               #Unused on OS X
 SYSCONFDIR=                            #Unused on OS X
 SPARSE=Yes                             #Only install $PRODUCT/$PRODUCT.conf in $CONFDIR.
-VARDIR=/var/lib                        #Unused on OS X
+VARLIB=/var/lib                        #Unused on OS X
--- a/Shorewall-core/shorewallrc.archlinux
+++ b/Shorewall-core/shorewallrc.archlinux
@@ -17,4 +17,5 @@ ANNOTATED=                             #If non-zero, annotated configuration fil
 SYSCONFDIR=                            #Directory where SysV init parameter files are installed
 SYSTEMD=                               #Directory where .service files are installed (systems running systemd only)
 SPARSE=                                #If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR
-VARDIR=/var/lib                        #Directory where product variable data is stored.
+VARLIB=/var/lib                        #Directory where product variable data is stored.
+VARDIR=${VARLIB}/$PRODUCT              #Directory where product variable data is stored.
--- a/Shorewall-core/shorewallrc.cygwin
+++ b/Shorewall-core/shorewallrc.cygwin
@@ -17,4 +17,4 @@ ANNOTATED=                            #Unused on Cygwin
 SYSTEMD=                              #Unused on Cygwin
 SYSCONFDIR=                           #Unused on Cygwin
 SPARSE=Yes                            #Only install $PRODUCT/$PRODUCT.conf in $CONFDIR.
-VARDIR=/var/lib                       #Unused on Cygwin
+VARLIB=/var/lib                       #Unused on Cygwin
--- a/Shorewall-core/shorewallrc.debian
+++ b/Shorewall-core/shorewallrc.debian
@@ -18,4 +18,5 @@ SYSCONFFILE=default.debian              #Name of the distributed file to be inst
 SYSCONFDIR=/etc/default                 #Directory where SysV init parameter files are installed
 SYSTEMD=                                #Directory where .service files are installed (systems running systemd only)
 SPARSE=Yes                              #If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR
-VARDIR=/var/lib                         #Directory where product variable data is stored.
+VARLIB=/var/lib                         #Directory where product variable data is stored.
+VARDIR=${VARLIB}/$PRODUCT               #Directory where product variable data is stored.
--- a/Shorewall-core/shorewallrc.default
+++ b/Shorewall-core/shorewallrc.default
@@ -18,4 +18,5 @@ SYSTEMD=                                #Directory where .service files are inst
 SYSCONFFILE=                            #Name of the distributed file to be installed in $SYSCONFDIR
 SYSCONFDIR=                             #Directory where SysV init parameter files are installed
 SPARSE=                                 #If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR
-VARDIR=/var/lib                         #Directory where product variable data is stored.
+VARLIB=/var/lib                         #Directory where product variable data is stored.
+VARDIR=${VARLIB}/$PRODUCT               #Directory where product variable data is stored.
--- a/Shorewall-core/shorewallrc.redhat
+++ b/Shorewall-core/shorewallrc.redhat
@@ -18,4 +18,5 @@ SYSTEMD=/lib/systemd/system             #Directory where .service files are inst
 SYSCONFFILE=sysconfig                   #Name of the distributed file to be installed as $SYSCONFDIR/$PRODUCT
 SYSCONFDIR=/etc/sysconfig/              #Directory where SysV init parameter files are installed
 SPARSE=                                 #If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR
-VARDIR=/var/lib                         #Directory where product variable data is stored.
+VARLIB=/var/lib                         #Directory where product variable data is stored.
+VARDIR=${VARLIB}/$PRODUCT               #Directory where product variable data is stored.
--- a/Shorewall-core/shorewallrc.slackware
+++ b/Shorewall-core/shorewallrc.slackware
@@ -19,4 +19,5 @@ SYSTEMD=                                   #Name of the directory where .service
 SYSCONFFILE=                               #Name of the distributed file to be installed in $SYSCONFDIR
 SYSCONFDIR=                                #Name of the directory where SysV init parameter files are installed.
 ANNOTATED=                                 #If non-empty, install annotated configuration files
-VARDIR=/var/lib                            #Directory where product variable data is stored.
+VARLIB=/var/lib                            #Directory where product variable data is stored.
+VARDIR=${VARLIB}/$PRODUCT                  #Directory where product variable data is stored.
--- a/Shorewall-core/shorewallrc.suse
+++ b/Shorewall-core/shorewallrc.suse
@@ -12,10 +12,11 @@ SBINDIR=/sbin                                         #Directory where system ad
 MANDIR=${SHAREDIR}/man/                               #Directory where manpages are installed.
 INITDIR=/etc/init.d                                   #Directory where SysV init scripts are installed.
 INITFILE=$PRODUCT                                     #Name of the product's SysV init script
-INITSOURCE=init.sh                                    #Name of the distributed file to be installed as the SysV init script
+INITSOURCE=init.suse.sh                               #Name of the distributed file to be installed as the SysV init script
 ANNOTATED=                                            #If non-zero, annotated configuration files are installed
 SYSTEMD=                                              #Directory where .service files are installed (systems running systemd only)
 SYSCONFFILE=                                          #Name of the distributed file to be installed in $SYSCONFDIR
 SYSCONFDIR=/etc/sysconfig/                            #Directory where SysV init parameter files are installed
 SPARSE=                                               #If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR
-VARDIR=/var/lib                                       #Directory where persistent product data is stored.
+VARLIB=/var/lib                                       #Directory where persistent product data is stored.
+VARDIR=${VARLIB}/$PRODUCT                             #Directory where product variable data is stored.
--- a/Shorewall-init/ifupdown.sh
+++ b/Shorewall-init/ifupdown.sh
@@ -22,6 +22,21 @@
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #

+setstatedir() {
+    local statedir
+    if [ -f ${CONFDIR}/${PRODUCT}/vardir ]; then
+	statedir=$( . /${CONFDIR}/${PRODUCT}/vardir && echo $VARDIR )
+    fi
+
+    [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARDIR}/${PRODUCT}
+
+    if [ ! -x $STATEDIR/firewall ]; then
+	if [ $PRODUCT = shorewall -o $PRODUCT = shorewall6 ]; then
+	    ${SBINDIR}/$PRODUCT compile
+	fi
+    fi
+}
+
 Debian_SuSE_ppp() {
    NEWPRODUCTS=
    INTERFACE="$1"
@@ -187,8 +202,10 @@ fi
 [ -n "$LOGFILE" ] || LOGFILE=/dev/null

 for PRODUCT in $PRODUCTS; do
-    if [ -x $VARDIR/$PRODUCT/firewall ]; then
-	  ( ${VARDIR}/$PRODUCT/firewall -V0 $COMMAND $INTERFACE >> $LOGFILE 2>&1 ) || true
+    setstatedir
+
+    if [ -x $VARLIB/$PRODUCT/firewall ]; then
+	  ( ${VARLIB}/$PRODUCT/firewall -V0 $COMMAND $INTERFACE >> $LOGFILE 2>&1 ) || true
    fi
 done

--- a/Shorewall-init/init.debian.sh
+++ b/Shorewall-init/init.debian.sh
@@ -62,11 +62,29 @@ not_configured () {
 	exit 0
 }

+# set the STATEDIR variable
+setstatedir() {
+    local statedir
+    if [ -f ${CONFDIR}/${PRODUCT}/vardir ]; then
+	statedir=$( . /${CONFDIR}/${PRODUCT}/vardir && echo $VARDIR )
+    fi
+
+    [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARDIR}/${PRODUCT}
+
+    if [ ! -x $STATEDIR/firewall ]; then
+	if [ $PRODUCT = shorewall -o $PRODUCT = shorewall6 ]; then
+	    ${SBINDIR}/$PRODUCT compile
+	fi
+    fi
+}
+
 #
 # The installer may alter this
 #
 . /usr/share/shorewall/shorewallrc

+vardir=$VARDIR
+
 # check if shorewall-init is configured or not
 if [ -f "$SYSCONFDIR/shorewall-init" ]
 then
@@ -81,27 +99,27 @@ fi

 # Initialize the firewall
 shorewall_start () {
-  local product
-  local VARDIR
+  local PRODUCT
+  local STATEDIR

  echo -n "Initializing \"Shorewall-based firewalls\": "
-  for product in $PRODUCTS; do
-      VARDIR=/var/lib/$product
-      [ -f /etc/$product/vardir ] && . /etc/$product/vardir
-      if [ -x ${VARDIR}/firewall ]; then
+  for PRODUCT in $PRODUCTS; do
+      setstatedir
+
+      if [ ! -x ${VARDIR}/$PRODUCT/firewall ]; then
+	  if [ $PRODUCT = shorewall -o $PRODUCT = shorewall6 ]; then
+	      ${SBINDIR}/$PRODUCT compile
+	  fi
+      fi
+
+      if [ -x ${VARDIR}/$PRODUCT/firewall ]; then
 	  #
 	  # Run in a sub-shell to avoid name collisions
 	  #
 	  ( 
-	      . /usr/share/$product/lib.base
-	      #
-	      # Get mutex so the firewall state is stable
-	      #
-	      mutex_on
-	      if ! ${VARDIR}/firewall status > /dev/null 2>&1; then
-		  ${VARDIR}/firewall stop || echo_notdone
+	      if ! ${VARDIR}/$PRODUCT/firewall status > /dev/null 2>&1; then
+		  ${VARDIR}/$PRODUCT/firewall stop || echo_notdone
 	      fi
-	      mutex_off
 	  )
      fi
  done
@@ -113,19 +131,21 @@ shorewall_start () {

 # Clear the firewall
 shorewall_stop () {
-  local product
+  local PRODUCT
  local VARDIR

  echo -n "Clearing \"Shorewall-based firewalls\": "
-  for product in $PRODUCTS; do
-      VARDIR=/var/lib/$product
-      [ -f /etc/$product/vardir ] && . /etc/$product/vardir
-      if [ -x ${VARDIR}/firewall ]; then
-	  ( . /usr/share/$product/lib.base
-	    mutex_on
-	    ${VARDIR}/firewall clear || echo_notdone
-	    mutex_off
-	  )
+  for PRODUCT in $PRODUCTS; do
+      setstatedir
+
+      if [ ! -x ${VARDIR}/$PRODUCT/firewall ]; then
+	  if [ $PRODUCT = shorewall -o $PRODUCT = shorewall6 ]; then
+	      ${SBINDIR}/$PRODUCT compile
+	  fi
+      fi
+
+      if [ -x ${VARDIR}/$PRODUCT/firewall ]; then
+	  ${VARDIR}/$PRODUCT/firewall clear || echo_notdone
      fi
  done

--- a/Shorewall-init/init.fedora.sh
+++ b/Shorewall-init/init.fedora.sh
@@ -14,13 +14,8 @@
 #                    prior to bringing up the network.  
 ### END INIT INFO
 #determine where the files were installed
-if [ -f ~/.shorewallrc ]; then
-    . ~/.shorewallrc || exit 1
-else
-    SBINDIR=/sbin
-    SYSCONFDIR=/etc/default
-    VARDIR=/var/lib
-fi
+
+. /usr/share/shorewall/shorewallrc

 prog="shorewall-init"
 logger="logger -i -t $prog"
@@ -29,6 +24,8 @@ lockfile="/var/lock/subsys/shorewall-init"
 # Source function library.
 . /etc/rc.d/init.d/functions

+vardir=$VARDIR
+
 # Get startup options (override default)
 OPTIONS=

@@ -40,9 +37,25 @@ else
    exit 6
 fi

+# set the STATEDIR variable
+setstatedir() {
+    local statedir
+    if [ -f ${CONFDIR}/${PRODUCT}/vardir ]; then
+	statedir=$( . /${CONFDIR}/${PRODUCT}/vardir && echo $VARDIR )
+    fi
+
+    [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARDIR}/${PRODUCT}
+
+    if [ ! -x $STATEDIR/firewall ]; then
+	if [ $PRODUCT = shorewall -o $PRODUCT = shorewall6 ]; then
+	    ${SBINDIR}/$PRODUCT compile
+	fi
+    fi
+}
+
 # Initialize the firewall
 start () {
-    local product
+    local PRODUCT
    local vardir

    if [ -z "$PRODUCTS" ]; then
@@ -52,11 +65,19 @@ start () {
    fi

    echo -n "Initializing \"Shorewall-based firewalls\": "
-    for product in $PRODUCTS; do
-	if [ -x ${VARDIR}/$product/firewall ]; then
-	    ${VARDIR}/$product/firewall stop 2>&1 | $logger
+    for PRODUCT in $PRODUCTS; do
+	setstatedir
+
+	if [ ! -x ${VARDIR}/firewall ]; then
+	    if [ $PRODUCT = shorewall -o $PRODUCT = shorewall6 ]; then
+		${SBINDIR}/$PRODUCT compile
+	    fi
+	fi
+
+	if [ -x ${VARDIR}/$PRODUCT/firewall ]; then
+	    ${VARDIR}/$PRODUCT/firewall stop 2>&1 | $logger
 	    retval=${PIPESTATUS[0]}
-	    [ retval -ne 0 ] && break
+	    [ $retval -ne 0 ] && break
 	fi
    done

@@ -72,15 +93,23 @@ start () {

 # Clear the firewall
 stop () {
-    local product
+    local PRODUCT
    local vardir

    echo -n "Clearing \"Shorewall-based firewalls\": "
-    for product in $PRODUCTS; do
-	if [ -x ${VARDIR}/$product/firewall ]; then
-	    ${VARDIR}/$product/firewall clear 2>&1 | $logger
+    for PRODUCT in $PRODUCTS; do
+	setstatedir
+
+	if [ ! -x ${VARDIR}/firewall ]; then
+	    if [ $PRODUCT = shorewall -o $PRODUCT = shorewall6 ]; then
+		${SBINDIR}/$PRODUCT compile
+	    fi
+	fi
+
+	if [ -x ${VARDIR}/$PRODUCT/firewall ]; then
+	    ${VARDIR}/$PRODUCT/firewall clear 2>&1 | $logger
 	    retval=${PIPESTATUS[0]}
-	    [ retval -ne 0 ] && break
+	    [ $retval -ne 0 ] && break
 	fi
    done

@@ -107,19 +136,15 @@ case "$1" in
 	status_q || exit 0
 	$1
 	;;
-    restart|reload|force-reload)
+    restart|reload|force-reload|condrestart|try-restart)
 	echo "Not implemented"
 	exit 3
 	;;
-    condrestart|try-restart)
-	echo "Not implemented"
-	exit 3
-        ;;
    status)
 	status $prog
 	;;
  *)
-	echo "Usage: /etc/init.d/shorewall-init {start|stop}"
+	echo "Usage: /etc/init.d/shorewall-init {start|stop|status}"
 	exit 1
 esac

--- a/Shorewall-init/init.sh
+++ b/Shorewall-init/init.sh
@@ -58,16 +58,34 @@ fi
 #
 . /usr/share/shorewall/shorewallrc

+# Locate the current PRODUCT's statedir
+setstatedir() {
+    local statedir
+    if [ -f ${CONFDIR}/${PRODUCT}/vardir ]; then
+	statedir=$( . /${CONFDIR}/${PRODUCT}/vardir && echo $VARDIR )
+    fi
+
+    [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARDIR}/${PRODUCT}
+
+    if [ ! -x $STATEDIR/firewall ]; then
+	if [ $PRODUCT = shorewall -o $PRODUCT = shorewall6 ]; then
+	    ${SBINDIR}/$PRODUCT compile $STATEDIR/firewall
+	fi
+    fi
+}
+
 # Initialize the firewall
 shorewall_start () {
  local PRODUCT
-  local VARDIR
+  local STATEDIR

  echo -n "Initializing \"Shorewall-based firewalls\": "
  for PRODUCT in $PRODUCTS; do
-      if [ -x ${VARDIR}/firewall ]; then
+      setstatedir
+
+      if [ -x ${STATEDIR}/firewall ]; then
 	  if ! ${SBIN}/$PRODUCT status > /dev/null 2>&1; then
-	      ${VARDIR}/firewall stop || echo_notdone
+	      ${STATEDIR}/firewall stop || echo_notdone
 	  fi
      fi
  done
@@ -86,6 +104,14 @@ shorewall_stop () {

  echo -n "Clearing \"Shorewall-based firewalls\": "
  for PRODUCT in $PRODUCTS; do
+      setstatedir
+
+      if [ ! -x ${VARDIR}/firewall ]; then
+	  if [ $PRODUCT = shorewall -o $product = shorewall6 ]; then
+	      ${SBINDIR}/$PRODUCT compile
+	  fi
+      fi
+
      if [ -x ${VARDIR}/firewall ]; then
 	  ${VARDIR}/firewall clear || exit 1
      fi
--- a/Shorewall-init/init.suse.sh
+++ b/Shorewall-init/init.suse.sh
@@ -0,0 +1,135 @@
+#! /bin/bash
+#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V4.5
+#
+#     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
+#
+#     (c) 2010,2012 - Tom Eastep (teastep@shorewall.net)
+#
+#       On most distributions, this file should be called /etc/init.d/shorewall.
+#
+#       Complete documentation is available at http://shorewall.net
+#
+#       This program is free software; you can redistribute it and/or modify
+#       it under the terms of Version 2 of the GNU General Public License
+#       as published by the Free Software Foundation.
+#
+#       This program is distributed in the hope that it will be useful,
+#       but WITHOUT ANY WARRANTY; without even the implied warranty of
+#       MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+#       GNU General Public License for more details.
+#
+#       You should have received a copy of the GNU General Public License
+#       along with this program; if not, write to the Free Software
+#       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+#
+### BEGIN INIT INFO
+# Provides: shorewall-init
+# Required-Start: $local_fs
+# Required-Stop:  $local_fs
+# Default-Start:  2 3 5
+# Default-Stop:   0 1 6
+# Short-Description: Initialize the firewall at boot time
+# Description:       Place the firewall in a safe state at boot time
+#                    prior to bringing up the network.  
+### END INIT INFO
+
+if [ "$(id -u)" != "0" ]
+then
+  echo "You must be root to start, stop or restart \"Shorewall \"."
+  exit 1
+fi
+
+# check if shorewall-init is configured or not
+if [ -f "/etc/sysconfig/shorewall-init" ]
+then
+	. /etc/sysconfig/shorewall-init
+	if [ -z "$PRODUCTS" ]
+	then
+		exit 0
+	fi
+else
+	exit 0
+fi
+
+#
+# The installer may alter this
+#
+. /usr/share/shorewall/shorewallrc
+
+# set the STATEDIR variable
+setstatedir() {
+    local statedir
+    if [ -f ${CONFDIR}/${PRODUCT}/vardir ]; then
+	statedir=$( . /${CONFDIR}/${PRODUCT}/vardir && echo $VARDIR )
+    fi
+
+    [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARDIR}/${PRODUCT}
+
+    if [ ! -x $STATEDIR/firewall ]; then
+	if [ $PRODUCT = shorewall -o $PRODUCT = shorewall6 ]; then
+	    ${SBINDIR}/$PRODUCT compile
+	fi
+    fi
+}
+
+# Initialize the firewall
+shorewall_start () {
+  local PRODUCT
+  local STATEDIR
+
+  echo -n "Initializing \"Shorewall-based firewalls\": "
+  for PRODUCT in $PRODUCTS; do
+      setstatedir
+
+      if [ -x $STATEDIR/firewall ]; then
+	  if ! ${SBIN}/$PRODUCT status > /dev/null 2>&1; then
+	      $STATEDIR/$PRODUCT/firewall stop || echo_notdone
+	  fi
+      fi
+  done
+
+  if [ -n "$SAVE_IPSETS" -a -f "$SAVE_IPSETS" ]; then
+      ipset -R < "$SAVE_IPSETS"
+  fi
+
+  return 0
+}
+
+# Clear the firewall
+shorewall_stop () {
+  local PRODUCT
+  local STATEDIR
+
+  echo -n "Clearing \"Shorewall-based firewalls\": "
+  for PRODUCT in $PRODUCTS; do
+      setstatedir
+
+      if [ -x ${STATEDIR}/firewall ]; then
+	  ${STATEDIR}/firewall clear || exit 1
+      fi
+  done
+
+  if [ -n "$SAVE_IPSETS" ]; then
+      mkdir -p $(dirname "$SAVE_IPSETS")
+      if ipset -S > "${SAVE_IPSETS}.tmp"; then
+	  grep -qE -- '^(-N|create )' "${SAVE_IPSETS}.tmp" && mv -f "${SAVE_IPSETS}.tmp" "$SAVE_IPSETS"
+      fi
+  fi
+
+  return 0
+}
+
+case "$1" in
+  start)
+     shorewall_start
+     ;;
+  stop)
+     shorewall_stop
+     ;;
+  *)
+     echo "Usage: /etc/init.d/shorewall-init {start|stop}"
+     exit 1
+esac
+
+exit 0
--- a/Shorewall-init/install.sh
+++ b/Shorewall-init/install.sh
@@ -160,7 +160,14 @@ else
    usage 1
 fi

-for var in SHAREDIR LIBEXECDIR CONFDIR SBINDIR VARDIR; do
+if [ -z "${VARLIB}" ]; then
+    VARLIB=${VARDIR}
+    VARDIR=${VARLIB}/${PRODUCT}
+elif [ -z "${VARDIR}" ]; then
+    VARDIR=${VARLIB}/${PRODUCT}
+fi
+
+for var in SHAREDIR LIBEXECDIR CONFDIR SBINDIR VARLIB VARDIR; do
    require $var
 done

@@ -285,6 +292,7 @@ fi
 if [ -n "$SYSTEMD" ]; then
    mkdir -p ${DESTDIR}${SYSTEMD}
    run_install $OWNERSHIP -m 600 shorewall-init.service ${DESTDIR}${SYSTEMD}/shorewall-init.service
+    [ ${SBINDIR} != /sbin ] && eval sed -i \'s\|/sbin/\|${SBINDIR}/\|\ ${DESTDIR}${SYSTEMD}/shorewall-init.service
    echo "Service file installed as ${DESTDIR}${SYSTEMD}/shorewall-init.service"
    if [ -n "$DESTDIR" ]; then
 	mkdir -p ${DESTDIR}${SBINDIR}
@@ -297,8 +305,8 @@ fi
 #
 # Create /usr/share/shorewall-init if needed
 #
-mkdir -p ${DESTDIR}/usr/share/shorewall-init
-chmod 755 ${DESTDIR}/usr/share/shorewall-init
+mkdir -p ${DESTDIR}${SHAREDIR}/shorewall-init
+chmod 755 ${DESTDIR}${SHAREDIR}/shorewall-init

 #
 # Install logrotate file
@@ -311,14 +319,14 @@ fi
 #
 # Create the version file
 #
-echo "$VERSION" > ${DESTDIR}/usr/share/shorewall-init/version
-chmod 644 ${DESTDIR}/usr/share/shorewall-init/version
+echo "$VERSION" > ${DESTDIR}/${SHAREDIR}/shorewall-init/version
+chmod 644 ${DESTDIR}${SHAREDIR}/shorewall-init/version

 #
 # Remove and create the symbolic link to the init script
 #
 if [ -z "$DESTDIR" ]; then
-    rm -f /usr/share/shorewall-init/init
+    rm -f ${SHAREDIR}/shorewall-init/init
    ln -s ${INITDIR}/${INITFILE} ${SHAREDIR}/shorewall-init/init
 fi

@@ -401,7 +409,7 @@ if [ -z "$DESTDIR" ]; then
 	    echo "Shorewall Init will start automatically at boot"
 	else
 	    if [ -n "$SYSTEMD" ]; then
-		if systemctl enable shorewall-init; then
+		if systemctl enable shorewall-init.service; then
 		    echo "Shorewall Init will start automatically at boot"
 		fi
 	    elif [ -x ${SBINDIR}/insserv -o -x /usr${SBINDIR}/insserv ]; then
--- a/Shorewall-lite/init.fedora.sh
+++ b/Shorewall-lite/init.fedora.sh
--- a/Shorewall-lite/init.suse.sh
+++ b/Shorewall-lite/init.suse.sh
@@ -0,0 +1,92 @@
+#!/bin/sh
+#
+#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V4.5
+#
+#     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
+#
+#     (c) 1999,2000,2001,2002,2003,2004,2005,2006,2007,2012 - Tom Eastep (teastep@shorewall.net)
+#
+#	On most distributions, this file should be called /etc/init.d/shorewall.
+#
+#	Complete documentation is available at http://shorewall.net
+#
+#	This program is free software; you can redistribute it and/or modify
+#	it under the terms of Version 2 of the GNU General Public License
+#	as published by the Free Software Foundation.
+#
+#	This program is distributed in the hope that it will be useful,
+#	but WITHOUT ANY WARRANTY; without even the implied warranty of
+#	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+#	GNU General Public License for more details.
+#
+#	You should have received a copy of the GNU General Public License
+#	along with this program; if not, write to the Free Software
+#	Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+#	If an error occurs while starting or restarting the firewall, the
+#	firewall is automatically stopped.
+#
+#	Commands are:
+#
+#	   shorewall start			  Starts the firewall
+#	   shorewall restart			  Restarts the firewall
+#	   shorewall reload			  Reload the firewall
+#						  (same as restart)
+#	   shorewall stop			  Stops the firewall
+#	   shorewall status			  Displays firewall status
+#
+
+
+### BEGIN INIT INFO
+# Provides:	  shorewall-lite
+# Required-Start: $network $remote_fs
+# Required-Stop:  
+# Default-Start:  2 3 5
+# Default-Stop:	  0 1 6
+# Description:	  starts and stops the shorewall firewall
+# Short-Description: Packet filtering firewall
+### END INIT INFO
+
+################################################################################
+# Give Usage Information						       #
+################################################################################
+usage() {
+    echo "Usage: $0 start|stop|reload|restart|status"
+    exit 1
+}
+
+################################################################################
+# Get startup options (override default)
+################################################################################
+OPTIONS=
+
+#
+# The installer may alter this
+#
+. /usr/share/shorewall/shorewallrc
+
+if [ -f ${SYSCONFDIR}/shorewall-lite ]; then
+    . ${SYSCONFDIR}/shorewall-lite
+fi
+
+SHOREWALL_INIT_SCRIPT=1
+
+################################################################################
+# E X E C U T I O N    B E G I N S   H E R E				       #
+################################################################################
+command="$1"
+
+case "$command" in
+    start)
+	exec ${SBINDIR}/shorewall-lite $OPTIONS start $STARTOPTIONS
+	;;
+    restart|reload)
+	exec ${SBINDIR}/shorewall-lite $OPTIONS restart $RESTARTOPTIONS
+	;;
+    status|stop)
+	exec ${SBINDIR}/shorewall-lite $OPTIONS $command $@
+	;;
+    *)
+	usage
+	;;
+esac
--- a/Shorewall-lite/install.sh
+++ b/Shorewall-lite/install.sh
@@ -171,7 +171,14 @@ else
    usage 1
 fi

-for var in SHAREDIR LIBEXECDIRDIRDIR CONFDIR SBINDIR VARDIR; do
+if [ -z "${VARLIB}" ]; then
+    VARLIB=${VARDIR}
+    VARDIR=${VARLIB}/${PRODUCT}
+elif [ -z "${VARDIR}" ]; then
+    VARDIR=${VARLIB}/${PRODUCT}
+fi
+
+for var in SHAREDIR LIBEXECDIRDIRDIR CONFDIR SBINDIR VARLIB VARDIR; do
    require $var
 done

@@ -253,7 +260,10 @@ case "$HOST" in
    archlinux)
 	echo "Installing ArchLinux-specific configuration..."
 	;;
-    linux|suse)
+    suse)
+	echo "Installing Suse-specific configuration..."
+	;;
+    linux)
 	;;
    *)
 	echo "ERROR: Unknown HOST \"$HOST\"" >&2
@@ -303,8 +313,8 @@ if [ -z "$DESTDIR" -a -d ${CONFDIR}/$PRODUCT ]; then
 	mv -f ${CONFDIR}/$PRODUCT/shorewall.conf ${CONFDIR}/$PRODUCT/$PRODUCT.conf
 else
    rm -rf ${DESTDIR}${CONFDIR}/$PRODUCT
-    rm -rf ${DESTDIR}/usr/share/$PRODUCT
-    rm -rf ${DESTDIR}/var/lib/$PRODUCT
+    rm -rf ${DESTDIR}${SHAREDIR}/$PRODUCT
+    rm -rf ${DESTDIR}${VARDIR}
    [ "$LIBEXECDIR" = /usr/share ] || rm -rf ${DESTDIR}/usr/share/$PRODUCT/wait4ifup ${DESTDIR}/usr/share/$PRODUCT/shorecap
 fi

@@ -327,9 +337,9 @@ echo "$Product control program installed in ${DESTDIR}${SBINDIR}/$PRODUCT"
 # Create ${CONFDIR}/$PRODUCT, /usr/share/$PRODUCT and /var/lib/$PRODUCT if needed
 #
 mkdir -p ${DESTDIR}${CONFDIR}/$PRODUCT
-mkdir -p ${DESTDIR}/usr/share/$PRODUCT
+mkdir -p ${DESTDIR}${SHAREDIR}/$PRODUCT
 mkdir -p ${DESTDIR}${LIBEXECDIR}/$PRODUCT
-mkdir -p ${DESTDIR}/var/lib/$PRODUCT
+mkdir -p ${DESTDIR}${VARDIR}

 chmod 755 ${DESTDIR}${CONFDIR}/$PRODUCT
 chmod 755 ${DESTDIR}/usr/share/$PRODUCT
@@ -355,6 +365,7 @@ fi
 #
 if [ -n "$SYSTEMD" ]; then
    run_install $OWNERSHIP -m 600 $PRODUCT.service ${DESTDIR}/${SYSTEMD}/$PRODUCT.service
+    [ ${SBINDIR} != /sbin ] && eval sed -i \'s\|/sbin/\|${SBINDIR}/\|\' ${DESTDIR}${SYSTEMD}/$PRODUCT.service
    echo "Service file installed as ${DESTDIR}/lib/systemd/system/$PRODUCT.service"
 fi

@@ -499,7 +510,7 @@ if [ -z "$DESTDIR" -a -n "$first_install" -a -z "${cygwin}${mac}" ]; then
 	perl -p -w -i -e 's/^STARTUP_ENABLED=No/STARTUP_ENABLED=Yes/;s/^IP_FORWARDING=On/IP_FORWARDING=Keep/;s/^SUBSYSLOCK=.*/SUBSYSLOCK=/;' ${CONFDIR}/${PRODUCT}/${PRODUCT}.conf
 	update-rc.d $PRODUCT enable defaults
    elif [ -n "$SYSTEMD" ]; then
-	if systemctl enable $PRODUCT; then
+	if systemctl enable ${PRODUCT}.service; then
 	    echo "$Product will start automatically at boot"
 	fi
    elif mywhich insserv; then
--- a/Shorewall-lite/shorewall-lite
+++ b/Shorewall-lite/shorewall-lite
@@ -25,17 +25,17 @@
 #       For a list of supported commands, type 'shorewall help' or 'shorewall6 help'
 #
 ################################################################################################
-g_program=shorewall-lite
+PRODUCT=shorewall-lite

 #
 # This is modified by the installer when ${SHAREDIR} != /usr/share
 #
 . /usr/share/shorewall/shorewallrc

+g_program=$PRODUCT
 g_libexec="$LIBEXECDIR"
 g_sharedir="$SHAREDIR"/shorewall-lite
 g_sbindir="$SBINDIR"
-g_vardir="$VARDIR"
 g_confdir="$CONFDIR"/shorewall-lite
 g_readrc=1

--- a/Shorewall/Macros/macro.Amanda
+++ b/Shorewall/Macros/macro.Amanda
@@ -8,9 +8,16 @@
 #	files from those nodes.
 #
 ###############################################################################
+FORMAT 2
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
 #				PORT(S)	PORT(S)	LIMIT	GROUP
-PARAM	-	-	udp	10080
+
+?if ( __CT_TARGET && ! $AUTOHELPERS && __AMANDA_HELPER )
+ PARAM	-	-	udp	10080 ; helper=amanda
+?else
+ PARAM	-	-	udp	10080
+?endif
+
 PARAM	-	-	tcp	10080
 #
 # You may also need this rule.  With AMANDA 2.4.4 on Linux kernel 2.6,
--- a/Shorewall/Macros/macro.BLACKLIST
+++ b/Shorewall/Macros/macro.BLACKLIST
@@ -8,8 +8,8 @@
 ###############################################################################
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
 #				PORT(S)	PORT(S)	LIMIT	GROUP
-?IF $BLACKLIST_LOGLEVEL
+?if $BLACKLIST_LOGLEVEL
 blacklog
-?ELSE
+?else
 $BLACKLIST_DISPOSITION
-?ENDIF
+?endif
--- a/Shorewall/Macros/macro.FTP
+++ b/Shorewall/Macros/macro.FTP
@@ -6,6 +6,11 @@
 #	This macro handles FTP traffic.
 #
 ###############################################################################
+FORMAT 2
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
 #				PORT(S)	PORT(S)	LIMIT	GROUP
-PARAM	-	-	tcp	21
+?if ( __CT_TARGET && ! $AUTOHELPERS && __FTP_HELPER  )
+ PARAM	-	-	tcp	21 ; helper=ftp
+?else
+ PARAM	-	-	tcp	21
+?endif
--- a/Shorewall/Macros/macro.IRC
+++ b/Shorewall/Macros/macro.IRC
@@ -6,6 +6,12 @@
 #	This macro handles IRC traffic (Internet Relay Chat).
 #
 ###############################################################################
+FORMAT 2
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
 #				PORT(S)	PORT(S)	LIMIT	GROUP
-PARAM	-	-	tcp	6667
+
+?if ( __CT_TARGET && ! $AUTOHELPERS && __IRC_HELPER  )
+ PARAM	-	-	tcp	6667 ; helper=irc
+?else
+ PARAM	-	-	tcp	6667
+?endif
--- a/Shorewall/Macros/macro.PPtP
+++ b/Shorewall/Macros/macro.PPtP
@@ -6,8 +6,14 @@
 #	This macro handles PPTP traffic.
 #
 ###############################################################################
+FORMAT 2
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
 #				PORT(S)	PORT(S)	LIMIT	GROUP
 PARAM	-	-	47
 PARAM	DEST	SOURCE	47
-PARAM	-	-	tcp	1723
+
+?if ( __CT_TARGET && ! $AUTOHELPERS && __PPTP_HELPER )
+ PARAM	-	-	tcp	1723 ; helper=pptp
+?else
+ PARAM	-	-	tcp	1723
+?endif
--- a/Shorewall/Macros/macro.SANE
+++ b/Shorewall/Macros/macro.SANE
@@ -6,9 +6,16 @@
 #	This macro handles SANE network scanning.
 #
 ###############################################################################
+FORMAT 2
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
 #				PORT(S)	PORT(S)	LIMIT	GROUP
-PARAM	-	-	tcp	6566
+
+?if ( __CT_TARGET && ! $AUTOHELPERS && __SANE_HELPER )
+ PARAM	-	-	tcp	6566 ; helper=sane
+?else
+ PARAM	-	-	tcp	6566
+?endif
+
 #
 # Kernels 2.6.23+ has nf_conntrack_sane module which will handle
 # sane data connection.
--- a/Shorewall/Macros/macro.SIP
+++ b/Shorewall/Macros/macro.SIP
@@ -0,0 +1,17 @@
+#
+# Shorewall version 4 - SIP Macro
+#
+# /usr/share/shorewall/macro.SIP
+#
+#	This macro handles SIP traffic.
+#
+###############################################################################
+FORMAT 2
+#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
+#				PORT(S)	PORT(S)	LIMIT	GROUP
+
+?if ( __CT_TARGET && ! $AUTOHELPERS && __SIP_HELPER  )
+ PARAM	-	-	udp	5060 ; helper=sip
+?else
+ PARAM	-	-	udp	5060
+?endif
--- a/Shorewall/Macros/macro.SMB
+++ b/Shorewall/Macros/macro.SMB
@@ -10,9 +10,17 @@
 #	between hosts you fully trust.
 #
 ###############################################################################
+FORMAT 2
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
 #				PORT(S)	PORT(S)	LIMIT	GROUP
 PARAM	-	-	udp	135,445
-PARAM	-	-	udp	137:139
+
+?if ( __CT_TARGET && ! $AUTOHELPERS && __NETBIOS_NS_HELPER )
+ PARAM	-	-	udp	137 ; helper=netbios-ns
+ PARAM	-	-	udp	138:139
+?else
+ PARAM	-	-	udp	137:139
+?endif
+
 PARAM	-	-	udp	1024:	137
 PARAM	-	-	tcp	135,139,445
--- a/Shorewall/Macros/macro.SMBBI
+++ b/Shorewall/Macros/macro.SMBBI
@@ -10,13 +10,28 @@
 #	allow SMB traffic between hosts you fully trust.
 #
 ###############################################################################
+FORMAT 2
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
 #				PORT(S)	PORT(S)	LIMIT	GROUP
 PARAM	-	-	udp	135,445
-PARAM	-	-	udp	137:139
+
+?if ( __CT_TARGET && ! $AUTOHELPERS && __NETBIOS_NS_HELPER )
+ PARAM	-	-	udp	137 ; helper=netbios-ns
+ PARAM	-	-	udp	138:139
+?else
+ PARAM	-	-	udp	137:139
+?endif
+
 PARAM	-	-	udp	1024:	137
 PARAM	-	-	tcp	135,139,445
 PARAM	DEST	SOURCE	udp	135,445
-PARAM	DEST	SOURCE	udp	137:139
+
+?if ( __CT_TARGET && ! $AUTOHELPERS && __NETBIOS_NS_HELPER )
+ PARAM	DEST	SOURCE	udp	137 ; helper=netbios-ns
+ PARAM	DEST	SOURCE	udp	138:139
+?else
+ PARAM	DEST	SOURCE	udp	137:139
+?endif
+
 PARAM	DEST	SOURCE	udp	1024:	137
 PARAM	DEST	SOURCE	tcp	135,139,445
--- a/Shorewall/Macros/macro.SNMP
+++ b/Shorewall/Macros/macro.SNMP
@@ -3,10 +3,17 @@
 #
 # /usr/share/shorewall/macro.SNMP
 #
-#	This macro handles SNMP traffic (including traps).
+#	This macro handles SNMP traffic.
+#
+#       Note: To allow SNMP Traps, use the SNMPTrap macro
 #
 ###############################################################################
+FORMAT 2
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
 #				PORT(S)	PORT(S)	LIMIT	GROUP
-PARAM	-	-	udp	161:162
-PARAM	-	-	tcp	161
+
+?if ( __CT_TARGET && ! $AUTOHELPERS && __SNMP_HELPER )
+ PARAM	-	-  	udp     161 ; helper=snmp
+?else
+ PARAM	-	-	udp	161
+?endif
--- a/Shorewall/Macros/macro.SNMPTrap
+++ b/Shorewall/Macros/macro.SNMPTrap
@@ -0,0 +1,12 @@
+#
+# Shorewall version 4 - SNMP Trap Macro
+#
+# /usr/share/shorewall/macro.SNMP
+#
+#	This macro handles SNMP traps.
+#
+###############################################################################
+FORMAT 2
+#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
+#				PORT(S)	PORT(S)	LIMIT	GROUP
+PARAM	-	-	udp	162
--- a/Shorewall/Macros/macro.TFTP
+++ b/Shorewall/Macros/macro.TFTP
@@ -8,6 +8,12 @@
 #	Internet.
 #
 ###############################################################################
+FORMAT 2
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
 #				PORT(S)	PORT(S)	LIMIT	GROUP
-PARAM	-	-	udp	69
+
+?if ( __CT_TARGET && ! $AUTOHELPERS && __TFTP_HELPER )
+ PARAM	-	-	udp	69 ; helper=tftp
+?else
+ PARAM	-	-	udp	69
+?endif
--- a/Shorewall/Macros/macro.mDNS
+++ b/Shorewall/Macros/macro.mDNS
@@ -1,9 +1,11 @@
 #
-# Shorewall version 4 - Multicast DNS Macro
+# Shorewall version 4 - Multicast DNS Macro -- this macro assumes that only
+#                       the DEST zone sends mDNS queries. If both zones send
+#                       queries, use the mDNSbi macro.
 #
 # /usr/share/shorewall/macro.mDNS
 #
-#	This macro handles multicast DNS traffic.
+#	This macro handles multicast DNS traffic
 #
 ###############################################################################
 #ACTION	SOURCE	DEST			PROTO	DEST	SOURCE	RATE	USER/
--- a/Shorewall/Macros/macro.mDNSbi
+++ b/Shorewall/Macros/macro.mDNSbi
@@ -0,0 +1,16 @@
+#
+# Shorewall version 4 - Bi-directional Multicast DNS Macro.
+#
+# /usr/share/shorewall/macro.mDNSbi
+#
+#	This macro handles multicast DNS traffic
+#
+###############################################################################
+#ACTION	SOURCE	DEST			PROTO	DEST	SOURCE	RATE	USER/
+#						PORT(S)	PORT(S)	LIMIT	GROUP
+PARAM	-	224.0.0.251		udp	5353
+PARAM	-	-			udp	32768:	5353
+PARAM	-	224.0.0.251		2
+PARAM	DEST	SOURCE:224.0.0.251	udp	5353
+PARAM	DEST	SOURCE			udp	32768:	5353
+PARAM	DEST	SOURCE:224.0.0.251	2
--- a/Shorewall/Perl/Shorewall/Accounting.pm
+++ b/Shorewall/Perl/Shorewall/Accounting.pm
@@ -236,6 +236,11 @@ sub process_accounting_rule( ) {
 	    }
 	} elsif ( $action =~ /^NFLOG/ ) {
 	    $target = validate_level $action;
+	} elsif ( $action =~ /^NFACCT\((\w+)\)$/ ) {
+	    require_capability 'NFACCT_MATCH', 'The NFACCT action', 's';
+	    $nfobjects{$1} = 1;
+	    $target = '';
+	    $rule .= "-m nfacct --nfacct-name $1 ";
 	} else {
 	    ( $action, my $cmd ) = split /:/, $action;

--- a/Shorewall/Perl/Shorewall/Chains.pm
+++ b/Shorewall/Perl/Shorewall/Chains.pm
@@ -36,7 +36,7 @@ use Shorewall::IPAddrs;
 use strict;

 our @ISA = qw(Exporter);
-our @EXPORT = qw(
+our @EXPORT = ( qw(
 		    DONT_OPTIMIZE
 		    DONT_DELETE
 		    DONT_MOVE
@@ -79,14 +79,14 @@ our @EXPORT = qw(
 		    add_interface_options

 		    %chain_table
-		    %helpers
 		    %targets
 		    $raw_table
 		    $rawpost_table
 		    $nat_table
 		    $mangle_table
 		    $filter_table
-	       );
+		)
+	      );

 our %EXPORT_TAGS = (
 		    internal => [  qw( STANDARD
@@ -102,6 +102,7 @@ our %EXPORT_TAGS = (
 				       CHAIN
 				       SET
 				       AUDIT
+				       HELPER
 				       NO_RESTRICT
 				       PREROUTE_RESTRICT
 				       DESTIFACE_DISALLOW
@@ -225,6 +226,7 @@ our %EXPORT_TAGS = (
 				       handle_network_list
 				       expand_rule
 				       addnatjump
+				       mysplit
 				       set_chain_variables
 				       mark_firewall_not_started
 				       mark_firewall6_not_started
@@ -238,12 +240,14 @@ our %EXPORT_TAGS = (
 				       set_global_variables
 				       save_dynamic_chains
 				       load_ipsets
+				       create_nfobjects
 				       create_netfilter_load
 				       preview_netfilter_load
 				       create_chainlist_reload
 				       create_stop_load
 				       %targets
 				       %dscpmap
+				       %nfobjects
 				     ) ],
 		   );

@@ -301,18 +305,39 @@ our $VERSION = 'MODULEVERSION';
 #       Only 'referenced' chains get written to the iptables-restore input.
 #
 #       'loglevel', 'synparams', 'synchain', 'audit' and 'default' only apply to policy chains.
+###########################################################################################################################################
 #
+# For each ordered pair of zones, there may exist a 'canonical rules chain' in the filter table; the name if this chain is formed by
+# joining the names of the zones using the ZONE_SEPARATOR ('2' or '-'). This chain contains the rules that specifically deal with
+# connections from the first zone to the second. These chains will end with the policy rules when EXPAND_POLICIES=Yes and when there is an
+# explicit policy for the order pair. Otherwise, unless the applicable policy is CONTINUE, the chain will terminate with a jump to a
+# wildcard policy chain (all[2-]zone, zone[2-]all, or all[2-]all).
+#
+#
+# Except in the most trivial one-interface configurations, each zone has a "forward chain" which is branched to from the filter table
+# FORWARD chain. 
+#
+# For each network interface, there are up to 6 chains in the filter table:
+#
+# - Input, Output, Forward "Interface Chains"
+#      These are present when there is more than one zone associated with the interface. They are jumped to from the INPUT, OUTPUT and
+#      FORWARD chains respectively.
+# - Input Option, Output Option and Forward "Interface Option Chains"
+#      Used when blacklisting is involved for enforcing interface options that require Netfilter rules. When these chains are not used,
+#      any rules that they contained are moved to the corresponding interface chains.
+#
+
 our %chain_table;
 our $raw_table;
 our $rawpost_table;
 our $nat_table;
 our $mangle_table;
 our $filter_table;
-our %helpers;
 my  $comment;
 my  @comments;
 my  $export;
 my  %renamed;
+our %nfobjects;

 #
 # Target Types
@@ -330,6 +355,7 @@ use constant { STANDARD => 1,              #defined by Netfilter
 	       CHAIN    => 1024,           #Manual Chain
 	       SET      => 2048,           #SET
 	       AUDIT    => 4096,           #A_ACCEPT, etc
+	       HELPER   => 8192,           #CT:helper
 	   };
 #
 # Valid Targets -- value is a combination of one or more of the above
@@ -630,18 +656,8 @@ sub initialize( $$$ ) {

    %ipset_exists       = ();

-    %helpers = ( amanda          => TCP,
-		 ftp             => TCP,
-		 h323            => UDP,
-		 irc             => TCP,
-		 netbios_ns      => UDP,
-		 pptp            => TCP,
-		 sane            => TCP,
-		 sip             => UDP,
-		 snmp            => UDP,
-		 tftp            => UDP);
-
-    %isocodes = ();
+    %isocodes  = ();
+    %nfobjects = ();

    #
    # The chain table is initialized via a call to initialize_chain_table() after the configuration and capabilities have been determined.
@@ -936,8 +952,10 @@ sub compatible( $$ ) {
 	    }
 	}
    }
-
-    return 1;
+    #
+    # Don't combine chains where each specifies '-m policy'
+    #
+    return ! ( $ref1->{policy} && $ref2->{policy} );
 }

 #
@@ -1038,6 +1056,7 @@ sub push_rule( $$ ) {

    push @{$chainref->{rules}}, $ruleref;
    $chainref->{referenced} = 1;
+    $chainref->{optflags}  |= DONT_MOVE if ( $ruleref->{target} || '' ) eq 'RETURN';
    trace( $chainref, 'A', @{$chainref->{rules}}, "-A $chainref->{name} $_[1]" ) if $debug;

    $ruleref;
@@ -1229,6 +1248,7 @@ sub push_irule( $$$;@ ) {
    if ( $jump ) {
 	$ruleref->{jump}       = $jump;
 	$ruleref->{target}     = $target;
+	$chainref->{optflags} |= DONT_MOVE if $target eq 'RETURN';
 	$ruleref->{targetopts} = $targetopts if $targetopts;
    } else {
 	$ruleref->{target} = '';
@@ -1857,7 +1877,7 @@ sub dnat_chain( $ )
 #
 sub notrack_chain( $ )
 {
-    $_[0] . '_notrk';
+    $_[0] . '_ctrk';
 }

 #
@@ -2123,7 +2143,7 @@ sub reset_optflags( $$ ) {

    $chainref->{optflags} ^= $flags;

-    trace( $chainref, '!O', undef, '' ) if $debug;
+    trace( $chainref, "O${flags}", undef, '' ) if $debug;

    $chainref;
 }
@@ -2135,7 +2155,7 @@ sub set_optflags( $$ ) {

    $chainref->{optflags} |= $flags;

-    trace( $chainref, '!O', undef, '' ) if $debug;
+    trace( $chainref, "!O${flags}", undef, '' ) if $debug;

    $chainref;
 }
@@ -2466,7 +2486,8 @@ sub initialize_chain_table($) {
 		    'NFQUEUE!'        => STANDARD + NFQ,
 		    'ADD'             => STANDARD + SET,
 		    'DEL'             => STANDARD + SET,
-		    'WHITELIST'       => STANDARD
+		    'WHITELIST'       => STANDARD,
+		    'HELPER'          => STANDARD + HELPER + NATONLY, #Actually RAWONLY
 		   );

 	for my $chain ( qw(OUTPUT PREROUTING) ) {
@@ -2512,6 +2533,7 @@ sub initialize_chain_table($) {
 		    'NFQUEUE!'        => STANDARD + NFQ,
 		    'ADD'             => STANDARD + SET,
 		    'DEL'             => STANDARD + SET,
+		    'HELPER'          => STANDARD + HELPER + NATONLY, #Actually RAWONLY
 		   );

 	for my $chain ( qw(OUTPUT PREROUTING) ) {
@@ -2872,7 +2894,7 @@ sub optimize_level4( $$ ) {
 			#
 			# Not so easy -- the rule contains matches
 			#
-			if ( $chainref->{builtin} || ! $globals{KLUDGEFREE} ) {
+			if ( $chainref->{builtin} || ! $globals{KLUDGEFREE} || $firstrule->{policy} ) {
 			    #
 			    # This case requires a new rule merging algorithm. Ignore this chain for
 			    # now on.
@@ -2965,6 +2987,57 @@ sub optimize_level4( $$ ) {
 	}
    }

+    #
+    # Identify short chains with a single reference and replace the reference with the chain rules
+    #
+    my @chains  = grep ( $_->{referenced}   &&
+			 ! $_->{optflags}   &&
+			 @{$_->{rules}} < 4 &&
+			 keys %{$_->{references}} == 1 , values %$tableref );
+
+    if ( my $chains  = @chains ) {
+	$passes++;
+
+	progress_message "\n Table $table pass $passes, $chains short chains, level 4b...";
+
+	for my $chainref ( @chains ) {
+	    my $name = $chainref->{name};
+	    for my $sourceref ( map $tableref->{$_}, keys %{$chainref->{references}} ) {
+		my $name1 = $sourceref->{name};
+
+		if ( $chainref->{references}{$name1} == 1 ) {
+		    my $rulenum  = 0;
+		    my $rulesref = $sourceref->{rules};
+		    my $rules    = @{$chainref->{rules}};
+
+		    for ( @$rulesref ) {
+			if ( $_->{simple} && ( $_->{target} || '' ) eq $name ) {
+			    trace( $sourceref, 'D', $rulenum  + 1, $_ ) if $debug;
+			    splice @$rulesref, $rulenum, 1, @{$chainref->{rules}};
+			    while ( my $ruleref = shift @{$chainref->{rules}} ) {
+				trace ( $sourceref, 'I', $rulenum++, $ruleref ) if $debug;
+				my $target = $ruleref->{target};
+
+				if ( $target && ( my $targetref = $tableref->{$target} ) ) {
+				    #
+				    # The rule target is a chain
+				    #
+				    add_reference( $sourceref, $targetref );
+				    delete_reference( $chainref, $targetref );
+				}
+			    }
+
+			    delete $chainref->{references}{$name1};
+			    delete_chain $chainref;
+			    last;
+			}
+			$rulenum++;
+		    }
+		}
+	    }
+	}
+    }
+
    $passes;
 }

@@ -3268,6 +3341,62 @@ sub combine_dports {
    \@rules;
 }

+#
+# Delete duplicate rules from the passed chain.
+#
+#   The arguments are a reference to the chain followed by references to each 
+#   of its rules.
+#
+sub delete_duplicates {
+    my @rules;
+    my $chainref  = shift;
+    my $lastrule  = @_;
+    my $baseref   = pop;
+    my $ruleref;
+    my $duplicate = 0;
+
+    while ( @_ && ! $duplicate ) {
+	{
+	    my $ports1;
+	    my @keys1     = sort( keys( %$baseref ) );
+	    my $rulenum   = @_;
+	    my $duplicate = 0;
+
+	  RULE:
+
+	    while ( --$rulenum >= 0 ) {
+		$ruleref = $_[$rulenum];
+
+		my @keys2 = sort(keys( %$ruleref ) );
+
+		next unless @keys1 == @keys2 ;
+
+		my $keynum = 0;
+
+		for my $key ( @keys1 ) {
+		    next RULE unless $key eq $keys2[$keynum++];
+		    next RULE unless compare_values( $baseref->{$key}, $ruleref->{$key} );
+		}
+
+		$duplicate = 1;
+	    }
+
+	    if ( $duplicate ) {
+		trace( $chainref, 'D', $lastrule, $baseref ) if $debug;
+	    } else {
+		unshift @rules, $baseref;
+	    }
+
+	    $baseref = pop @_;
+	    $lastrule--;
+	}
+    }
+
+    unshift @rules, $baseref if $baseref;
+
+    \@rules;
+}
+
 sub optimize_level16( $$$ ) {
    my ( $table, $tableref , $passes ) = @_;
    my @chains   = ( grep $_->{referenced}, values %{$tableref} );
@@ -3276,11 +3405,23 @@ sub optimize_level16( $$$ ) {

    progress_message "\n Table $table pass $passes, $chains referenced user chains, level 16...";

+    if ( $table eq 'raw' ) {
+	#
+	# Helpers in rules have the potential for generating lots of duplicate iptables rules
+	# in the raw table. This step eliminates those duplicates
+	#
+	for my $chainref ( @chains ) {
+	    $chainref->{rules} = delete_duplicates( $chainref, @{$chainref->{rules}} );
+	}
+
+	$passes++;
+    }
+
    for my $chainref ( @chains ) {
 	$chainref->{rules} = combine_dports( $chainref, @{$chainref->{rules}} );
    }

-    $passes++;
+    ++$passes;
 }

 #
@@ -3469,7 +3610,7 @@ sub source_exclusion( $$ ) {

    my $table = reftype $target ? $target->{table} : 'filter';

-    my $chainref = new_chain( $table , newexclusionchain( $table ) );
+    my $chainref = dont_move new_chain( $table , newexclusionchain( $table ) );

    add_ijump( $chainref, j => 'RETURN', imatch_source_net( $_ ) ) for @$exclusions;
    add_ijump( $chainref, g => $target );
@@ -3491,7 +3632,7 @@ sub source_iexclusion( $$$$$;@ ) {
 	$source = $1;
 	@exclusion = mysplit( $2 );

-	my $chainref1 = new_chain( $table , newexclusionchain( $table ) );
+	my $chainref1 = dont_move new_chain( $table , newexclusionchain( $table ) );

 	add_ijump( $chainref1 , j => 'RETURN', imatch_source_net( $_ ) ) for @exclusion;

@@ -3520,7 +3661,7 @@ sub dest_exclusion( $$ ) {

    my $table = reftype $target ? $target->{table} : 'filter';

-    my $chainref = new_chain( $table , newexclusionchain( $table ) );
+    my $chainref = dont_move new_chain( $table , newexclusionchain( $table ) );

    add_ijump( $chainref, j => 'RETURN', imatch_dest_net( $_ ) ) for @$exclusions;
    add_ijump( $chainref, g => $target );
@@ -3542,7 +3683,7 @@ sub dest_iexclusion( $$$$$;@ ) {
 	$dest = $1;
 	@exclusion = mysplit( $2 );

-	my $chainref1 = new_chain( $table , newexclusionchain( $table ) );
+	my $chainref1 = dont_move new_chain( $table , newexclusionchain( $table ) );

 	add_ijump( $chainref1 , j => 'RETURN', imatch_dest_net( $_ ) ) for @exclusion;

@@ -4166,7 +4307,7 @@ sub resolve_id( $$ ) {
 	require_capability 'OWNER_NAME_MATCH', "Specifying a $type name", 's';
    } else {
 	my $num = $type eq 'user' ? getpwnam( $id ) : getgrnam( $id );
-	fatal_error "Unknown $type ($id)" unless supplied $num;
+	fatal_error "Unknown $type ($id)" unless supplied $num && $num  >= 0;
 	$id = $num;
    }

@@ -4185,45 +4326,38 @@ sub do_user( $ ) {

    require_capability 'OWNER_MATCH', 'A non-empty USER column', 's';

-    if ( $user =~ /^(!)?(.*)\+(.*)$/ ) {
-	$rule .= "! --cmd-owner $2 " if supplied $2;
-	$user = "!$1";
-    } elsif ( $user =~ /^(.*)\+(.*)$/ ) {
-	$rule .= "--cmd-owner $2 " if supplied $2;
-	$user = $1;
+    assert( $user =~ /^(!)?(.*?)(:(.+))?$/ );
+    my $invert = $1 ? '! ' : '';
+    my $group  = supplied $4 ? $4 : '';
+
+    if ( supplied $2 ) {
+	$user  = $2;
+	if ( $user =~ /^(\d+)(-(\d+))?$/ ) {
+	    if ( supplied $2 ) {
+		fatal_error "Invalid User Range ($user)" unless $3 >= $1;
+	    }
+	} else {
+	    $user  = resolve_id( $user, 'user' );
+	}
+
+	$rule .= "${invert}--uid-owner $user ";
    }

-    if ( $user =~ /^(!)?(.*):(.*)$/ ) {
-	my $invert = $1 ? '! ' : '';
-	my $group  = defined $3 ? $3 : '';
-
-	if ( supplied $2 ) {
-	    $user  = $2;
-	    $user  = resolve_id( $user, 'user' ) unless $user =~ /\d+$/;
-	    $rule .= "${invert}--uid-owner $user ";
+    if ( $group ne '' ) {
+	if ( $group =~ /^(\d+)(-(\d+))?$/ ) {
+	    if ( supplied $2 ) {
+		fatal_error "Invalid Group Range ($group)" unless $3 >= $1;
+	    }
+	} else {
+	    $group = resolve_id( $group, 'group' );
 	}

-	if ( $group ne '' ) {
-	    $group = resolve_id( $group, 'group' ) unless $group =~ /^\d+$/;
-	    $rule .= "${invert}--gid-owner $group ";
-	}
-    } elsif ( $user =~ /^(!)?(.*)$/ ) {
-	my $invert = $1 ? '! ' : '';
-	$user   = $2;
-
-	fatal_error "Invalid USER/GROUP (!)" if $user eq '';
-	$user = resolve_id ($user, 'user' ) unless $user =~ /\d+$/;
-	$rule .= "${invert}--uid-owner $user ";
-    } else {
-	$user  = resolve_id( $user, 'user' ) unless $user =~ /\d+$/;
-	$rule .= "--uid-owner $user ";
+	$rule .= "${invert}--gid-owner $group ";
    }

    $rule;
 }

-
-
 #
 # Create a "-m tos" match for the passed TOS
 #
@@ -4318,10 +4452,20 @@ sub validate_helper( $;$ ) {
 	#
 	#  Recognized helper
 	#
+	my $capability      = $helpers_map{$helper};
+	my $external_helper = lc $capability;
+	
+	$external_helper =~ s/_helper//;
+	$external_helper =~ s/_/-/;
+
+	fatal_error "The $external_helper helper is not enabled" unless $helpers_enabled{$external_helper};
+	
 	if ( supplied $proto ) {
+	    require_capability $helpers_map{$helper}, "Helper $helper", 's';
+
 	    my $protonum = -1;

-	    fatal_error "Unknown PROTO ($protonum)" unless defined ( $protonum = resolve_proto( $proto ) );
+	    fatal_error "Unknown PROTO ($proto)" unless defined ( $protonum = resolve_proto( $proto ) );

 	    unless ( $protonum == $helper_proto ) {
 		fatal_error "The $helper_base helper requires PROTO=" . (proto_name $helper_proto );
@@ -4342,7 +4486,7 @@ sub do_helper( $ ) {

    validate_helper( $helper );

-    qq(-m helper --helper "$helper" ) if defined wantarray;
+    qq(-m helper --helper "$helpers_aliases{$helper}" ) if defined wantarray;
 }


@@ -4786,7 +4930,7 @@ sub match_source_net( $;$\$ ) {
 	    return '! -s ' . record_runtime_address $1, $2;
 	}

-	validate_net $net, 1;
+	$net = validate_net $net, 1;
 	return "! -s $net ";
    }

@@ -4794,7 +4938,7 @@ sub match_source_net( $;$\$ ) {
 	return '-s ' . record_runtime_address $1, $2;
    }

-    validate_net $net, 1;
+    $net = validate_net $net, 1;
    $net eq ALLIP ? '' : "-s $net ";
 }

@@ -4859,7 +5003,7 @@ sub imatch_source_net( $;$\$ ) {
 	    return  ( s => '! ' . record_runtime_address( $1, $2, 1 ) );
 	}

-	validate_net $net, 1;
+	$net = validate_net $net, 1;
 	return ( s => "! $net " );
    }

@@ -4867,7 +5011,7 @@ sub imatch_source_net( $;$\$ ) {
 	return ( s =>  record_runtime_address( $1, $2, 1 ) );
    }

-    validate_net $net, 1;
+    $net = validate_net $net, 1;
    $net eq ALLIP ? () : ( s => $net );
 }

@@ -4928,7 +5072,7 @@ sub match_dest_net( $;$ ) {
 	    return '! -d ' . record_runtime_address $1, $2;
 	}

-	validate_net $net, 1;
+	$net = validate_net $net, 1;
 	return "! -d $net ";
    }

@@ -4936,7 +5080,7 @@ sub match_dest_net( $;$ ) {
 	return '-d ' . record_runtime_address $1, $2;
    }

-    validate_net $net, 1;
+    $net = validate_net $net, 1;
    $net eq ALLIP ? '' : "-d $net ";
 }

@@ -4995,7 +5139,7 @@ sub imatch_dest_net( $;$ ) {
 	    return ( d => '! ' . record_runtime_address( $1, $2, 1 ) );
 	}

-	validate_net $net, 1;
+	$net = validate_net $net, 1;
 	return ( d => "! $net " );
    }

@@ -5003,7 +5147,7 @@ sub imatch_dest_net( $;$ ) {
 	return ( d => record_runtime_address( $1, $2, 1 ) );
    }

-    validate_net $net, 1;
+    $net = validate_net $net, 1;
    $net eq ALLIP ? () : ( d =>  $net );
 }

@@ -5020,7 +5164,7 @@ sub match_orig_dest ( $ ) {
 	if ( $net =~ /^&(.+)/ ) {
 	    $net = record_runtime_address '&', $1;
 	} else {
-	    validate_net $net, 1;
+	    $net = validate_net $net, 1;
 	}

 	have_capability( 'OLD_CONNTRACK_MATCH' ) ? "-m conntrack --ctorigdst ! $net " : "-m conntrack ! --ctorigdst $net ";
@@ -5028,7 +5172,7 @@ sub match_orig_dest ( $ ) {
 	if ( $net =~ /^&(.+)/ ) {
 	    $net = record_runtime_address '&', $1;
 	} else {
-	    validate_net $net, 1;
+	    $net = validate_net $net, 1;
 	}

 	$net eq ALLIP ? '' : "-m conntrack --ctorigdst $net ";
@@ -5390,6 +5534,7 @@ sub set_chain_variables() {
    } else {
 	emit 'IPSET=ipset';
    }
+
 }

 #
@@ -5758,7 +5903,11 @@ sub isolate_source_interface( $ ) {
 	} else {
 	    $iiface = $source;
 	}
-    } elsif  ( $source =~ /^(.+?):<(.+)>\s*$/ || $source =~ /^(.+?):\[(.+)\]\s*$/ || $source =~ /^(.+?):(!?\+.+)$/ ) {
+    } elsif  ( $source =~ /^(.+?):<(.+)>\s*$/   ||
+	       $source =~ /^(.+?):\[(.+)\]\s*$/ ||
+	       $source =~ /^(.+?):(!?\+.+)$/    ||
+	       $source =~ /^(.+?):(\[.+\]\/(?:\d+))\s*$/
+	     ) {
 	$iiface = $1;
 	$inets  = $2;
    } elsif ( $source =~ /:/ ) {
@@ -5863,7 +6012,11 @@ sub isolate_dest_interface( $$$$ ) {
 	} else {
 	    $diface = $dest;
 	}
-    } elsif ( $dest =~ /^(.+?):<(.+)>\s*$/ || $dest =~ /^(.+?):\[(.+)\]\s*$/ || $dest =~ /^(.+?):(!?\+.+)$/ ) {
+    } elsif ( $dest =~ /^(.+?):<(.+)>\s*$/   || 
+	      $dest =~ /^(.+?):\[(.+)\]\s*$/ ||
+	      $dest =~ /^(.+?):(!?\+.+)$/    ||
+	      $dest =~ /^(.+?):(\[.+\]\/(?:\d+))\s*$/
+	    ) {
 	$diface = $1;
 	$dnets  = $2;
    } elsif ( $dest =~ /:/ ) {
@@ -6057,7 +6210,7 @@ sub handle_exclusion( $$$$$$$$$$$$$$$$$$ ) {
 	#
 	my $echain = newexclusionchain( $table );

-	my $echainref = new_chain $table, $echain;
+	my $echainref = dont_move new_chain $table, $echain;
 	#
 	# Use the current rule and send all possible matches to the exclusion chain
 	#
@@ -6856,6 +7009,32 @@ sub load_ipsets() {
    }
 }

+#
+# Create nfacct objects if needed
+#
+sub create_nfobjects() {
+    
+    my @objects = ( keys %nfobjects );
+
+    if ( @objects ) {
+	if ( $config{NFACCT} ) {
+	    emit( qq(NFACCT="$config{NFACCT}") ,
+		  '[ -x "$NFACCT" ] || startup_error "NFACCT=$NFACCT does not exist or is not executable"'
+		);
+	} else {
+	    emit( 'NFACCT=$(mywhich nfacct)' ,
+		  '[ -n "$NFACCT" ] || startup_error "No nfacct utility found"',
+		  ''
+		);
+	}
+    }
+
+    for ( keys %nfobjects ) {
+	emit( qq(if ! qt \$NFACCT get $_; then),
+	      qq(    \$NFACCT add $_),
+	      qq(fi\n) );
+    }
+}
 #
 #
 # Generate the netfilter input
--- a/Shorewall/Perl/Shorewall/Compiler.pm
+++ b/Shorewall/Perl/Shorewall/Compiler.pm
@@ -34,7 +34,6 @@ use Shorewall::Accounting;
 use Shorewall::Rules;
 use Shorewall::Proc;
 use Shorewall::Proxyarp;
-use Shorewall::IPAddrs;
 use Shorewall::Raw;
 use Shorewall::Misc;

@@ -54,8 +53,8 @@ my $family;
 #
 # Initilize the package-globals in the other modules
 #
-sub initialize_package_globals( $$ ) {
-    Shorewall::Config::initialize($family, $_[1]);
+sub initialize_package_globals( $$$ ) {
+    Shorewall::Config::initialize($family, $_[1], $_[2]);
    Shorewall::Chains::initialize ($family, 1, $export );
    Shorewall::Zones::initialize ($family, $_[0]);
    Shorewall::Nat::initialize;
@@ -158,7 +157,7 @@ sub generate_script_2() {

    push_indent;

-    if ( $shorewallrc{TEMPDIR} ) {
+    if ( $shorewallrc1{TEMPDIR} ) {
 	emit( '',
 	      qq(TMPDIR="$shorewallrc{TEMPDIR}") ,
 	      q(export TMPDIR) );
@@ -168,14 +167,14 @@ sub generate_script_2() {
 	emit( 'g_family=4' );

 	if ( $export ) {
-	    emit ( qq(g_confdir=$shorewallrc{CONFDIR}/shorewall-lite),
+	    emit ( qq(g_confdir=$shorewallrc1{CONFDIR}/shorewall-lite),
 		   'g_product="Shorewall Lite"',
 		   'g_program=shorewall-lite',
 		   'g_basedir=/usr/share/shorewall-lite',
-		   qq(CONFIG_PATH="$shorewallrc{CONFDIR}/shorewall-lite:$shorewallrc{SHAREDIR}/shorewall-lite") ,
+		   qq(CONFIG_PATH="$shorewallrc1{CONFDIR}/shorewall-lite:$shorewallrc1{SHAREDIR}/shorewall-lite") ,
 		 );
 	} else {
-	    emit ( qq(g_confdir=$shorewallrc{CONFDIR}/shorewall),
+	    emit ( qq(g_confdir=$shorewallrc1{CONFDIR}/shorewall),
 		   'g_product=Shorewall',
 		   'g_program=shorewall',
 		   'g_basedir=/usr/share/shorewall',
@@ -186,14 +185,14 @@ sub generate_script_2() {
 	emit( 'g_family=6' );

 	if ( $export ) {
-	    emit ( qq(g_confdir=$shorewallrc{CONFDIR}/shorewall6-lite),
+	    emit ( qq(g_confdir=$shorewallrc1{CONFDIR}/shorewall6-lite),
 		   'g_product="Shorewall6 Lite"',
 		   'g_program=shorewall6-lite',
 		   'g_basedir=/usr/share/shorewall6',
-		   qq(CONFIG_PATH="$shorewallrc{CONFDIR}/shorewall6-lite:$shorewallrc{SHAREDIR}/shorewall6-lite") ,
+		   qq(CONFIG_PATH="$shorewallrc1{CONFDIR}/shorewall6-lite:$shorewallrc{SHAREDIR}/shorewall6-lite") ,
 		 );
 	} else {
-	    emit ( qq(g_confdir=$shorewallrc{CONFDIR}/shorewall6),
+	    emit ( qq(g_confdir=$shorewallrc1{CONFDIR}/shorewall6),
 		   'g_product=Shorewall6',
 		   'g_program=shorewall6',
 		   'g_basedir=/usr/share/shorewall',
@@ -202,21 +201,8 @@ sub generate_script_2() {
 	}
    }

-    emit( '[ -f ${g_confdir}/vardir ] && . ${g_confdir}/vardir' );
-
-    if ( $family == F_IPV4 ) {
-	if ( $export ) {
-	    emit ( '[ -n "${VARDIR:=' . $shorewallrc{VARDIR} . '/shorewall-lite}" ]' );
-	} else {
-	    emit ( '[ -n "${VARDIR:=' . $shorewallrc{VARDIR} . '/shorewall}" ]' );
-	}
-    } else {
-	if ( $export ) {
-	    emit ( '[ -n "${VARDIR:=' . $shorewallrc{VARDIR} . '/shorewall6-lite}" ]' );
-	} else {
-	    emit ( '[ -n "${VARDIR:=' . $shorewallrc{VARDIR} . '/shorewall6}" ]' );
-	}
-    }
+    emit (   '[ -f ${g_confdir}/vardir ] && . ${g_confdir}/vardir' );
+    emit ( qq([ -n "\${VARDIR:=$shorewallrc1{VARDIR}}" ]) );

    emit 'TEMPFILE=';

@@ -368,6 +354,7 @@ sub generate_script_3($) {
    emit '';

    load_ipsets;
+    create_nfobjects;

    if ( $family == F_IPV4 ) {
 	emit ( 'if [ "$COMMAND" = refresh ]; then' ,
@@ -545,8 +532,8 @@ EOF
 #
 sub compiler {

-    my ( $scriptfilename, $directory, $verbosity, $timestamp , $debug, $chains , $log , $log_verbosity, $preview, $confess , $update , $annotate , $convert, $config_path, $shorewallrc ) =
-       ( '',              '',         -1,          '',          0,      '',       '',   -1,             0,        0,         0,        0,        , 0       , ''          , '');
+    my ( $scriptfilename, $directory, $verbosity, $timestamp , $debug, $chains , $log , $log_verbosity, $preview, $confess , $update , $annotate , $convert, $config_path, $shorewallrc                      , $shorewallrc1 ) =
+       ( '',              '',         -1,          '',          0,      '',       '',   -1,             0,        0,         0,        0,        , 0       , ''          , '/usr/share/shorewall/shorewallrc', '' );

    $export = 0;
    $test   = 0;
@@ -585,6 +572,7 @@ sub compiler {
 		  annotate      => { store => \$annotate,      validate=> \&validate_boolean    } ,
 		  config_path   => { store => \$config_path } ,
 		  shorewallrc   => { store => \$shorewallrc } ,
+		  shorewallrc1  => { store => \$shorewallrc1 } ,
 		);
    #
    #                               P A R A M E T E R    P R O C E S S I N G
@@ -602,7 +590,7 @@ sub compiler {
    #
    # Now that we know the address family (IPv4/IPv6), we can initialize the other modules' globals
    #
-    initialize_package_globals( $update, $shorewallrc );
+    initialize_package_globals( $update, $shorewallrc, $shorewallrc1 );

    set_config_path( $config_path ) if $config_path;

@@ -665,11 +653,6 @@ sub compiler {
    #                           (Produces no output to the compiled script)
    #
    process_policies;
-    #
-    #                                       N O T R A C K
-    #                           (Produces no output to the compiled script)
-    #
-    setup_notrack;

    enable_script;

@@ -709,6 +692,14 @@ sub compiler {
    #
    setup_proxy_arp;

+    emit( "#\n# Disable automatic helper association on kernel 3.5.0 and later\n#" ,
+	  'if [ -f /proc/sys/net/netfilter/nf_conntrack_helper ]; then' ,
+	  '    progress_message "Disabling Kernel Automatic Helper Association"',
+	  "    echo 0 > /proc/sys/net/netfilter/nf_conntrack_helper",
+	  'fi',
+	  ''
+	);
+
    if ( $scriptfilename || $debug ) {
 	emit 'return 0';
 	pop_indent;
@@ -788,6 +779,10 @@ sub compiler {
    #
    process_rules( $convert );
    #
+    # Process the conntrack file
+    #
+    setup_conntrack;
+    #
    # Add Tunnel rules.
    #
    setup_tunnels;
@@ -911,6 +906,7 @@ sub compiler {
 	    # call that function during normal 'check', we must validate routestopped here.
 	    #
 	    process_routestopped;
+	    process_stoppedrules;
 	}

 	if ( $family == F_IPV4 ) {
--- a/Shorewall/Perl/Shorewall/Config.pm
+++ b/Shorewall/Perl/Shorewall/Config.pm
@@ -62,6 +62,7 @@ our @EXPORT = qw(

 		 have_capability
 		 require_capability
+		 kernel_version
                );

 our @EXPORT_OK = qw( $shorewall_dir initialize shorewall);
@@ -143,12 +144,25 @@ our %EXPORT_TAGS = ( internal => [ qw( create_temp_script
 				       %globals
 				       %config_files
 				       %shorewallrc
+				       %shorewallrc1

-				       @auditoptions
-
+				       %helpers
+				       %helpers_map
+				       %helpers_enabled
+				       %helpers_aliases
+				       
 		                       F_IPV4
 		                       F_IPV6

+				       TCP
+				       UDP
+				       UDPLITE
+				       ICMP
+				       DCCP
+				       IPv6_ICMP
+				       SCTP
+				       GRE
+
 				       MIN_VERBOSITY
 				       MAX_VERBOSITY

@@ -160,7 +174,18 @@ our %EXPORT_TAGS = ( internal => [ qw( create_temp_script
 				       CONFIG_CONTINUATION
 				       DO_INCLUDE
 				       NORMAL_READ
-				     ) ] );
+				     ) , ] ,
+		   protocols => [ qw (
+				       TCP
+				       UDP
+				       UDPLITE
+				       ICMP
+				       DCCP
+				       IPv6_ICMP
+				       SCTP
+				       GRE
+				    ) , ],
+		   );

 Exporter::export_ok_tags('internal');

@@ -227,6 +252,10 @@ our %globals;
 #
 our %config;
 #
+# Entries in shorewall.conf that have been renamed
+#
+my %renamed = ( AUTO_COMMENT => 'AUTOCOMMENT' );
+#
 # Config options and global settings that are to be copied to output script
 #
 my @propagateconfig = qw/ DISABLE_IPV6 MODULESDIR MODULE_SUFFIX LOAD_HELPERS_ONLY SUBSYSLOCK LOG_VERBOSITY/;
@@ -308,6 +337,24 @@ my  %capdesc = ( NAT_ENABLED     => 'NAT',
 		 DSCP_MATCH      => 'DSCP Match',
 		 DSCP_TARGET     => 'DSCP Target',
 		 GEOIP_MATCH     => 'GeoIP Match' ,
+		 RPFILTER_MATCH  => 'RPFilter Match',
+		 NFACCT_MATCH    => 'NFAcct Match',
+		 AMANDA_HELPER   => 'Amanda Helper',
+		 FTP_HELPER      => 'FTP Helper',
+		 FTP0_HELPER     => 'FTP-0 Helper',
+		 H323_HELPER     => 'H323 Helpers',
+		 IRC_HELPER      => 'IRC Helper',
+		 IRC0_HELPER     => 'IRC-0 Helper',
+		 NETBIOS_NS_HELPER =>
+                                    'Netbios-ns Helper',
+		 PPTP_HELPER     => 'PPTP Helper',
+		 SANE_HELPER     => 'SANE Helper',
+		 SANE0_HELPER    => 'SANE-0 Helper',
+		 SIP_HELPER      => 'SIP Helper',
+		 SIP0_HELPER     => 'SIP-0 Helper',
+		 SNMP_HELPER     => 'SNMP Helper',
+		 TFTP_HELPER     => 'TFTP Helper',
+		 TFTP0_HELPER     => 'TFTP-0 Helper',
 		 #
 		 # Constants
 		 #
@@ -316,10 +363,43 @@ my  %capdesc = ( NAT_ENABLED     => 'NAT',
 		 KERNELVERSION   => 'Kernel Version',
 	       );

+use constant {
+	       ICMP                => 1,
+	       TCP                 => 6,
+	       UDP                 => 17,
+	       DCCP                => 33,
+	       GRE                 => 47,
+	       IPv6_ICMP           => 58,
+	       SCTP                => 132,
+	       UDPLITE             => 136,
+	     };
+
+our %helpers = ( amanda          => UDP,
+		 ftp             => TCP,
+		 irc             => TCP,
+		 'netbios-ns'    => UDP,
+		 pptp            => TCP,
+		 'Q.931'         => TCP,
+		 RAS             => UDP,
+		 sane            => TCP,
+		 sip             => UDP,
+		 snmp            => UDP,
+		 tftp            => UDP,
+	       );
+
+our %helpers_map;
+
+our %helpers_names;
+
+our %helpers_aliases;
+
+our %helpers_enabled;
+
 our %config_files = ( #accounting      => 1,
 		      actions          => 1,
 		      blacklist        => 1,
 		      clear            => 1,
+		      conntrack        => 1,
 		      ecn              => 1,
 		      findgw           => 1,
 		      hosts            => 1,
@@ -343,6 +423,7 @@ our %config_files = ( #accounting      => 1,
 		      route_rules      => 1,
 		      routes           => 1,
 		      routestopped     => 1,
+		      rtrules          => 1,
 		      rules            => 1,
 		      scfilter         => 1,
 		      secmarks         => 1,
@@ -350,6 +431,7 @@ our %config_files = ( #accounting      => 1,
 		      started          => 1,
 		      stop             => 1,
 		      stopped          => 1,
+		      stoppedrules     => 1,
 		      tcclasses        => 1,
 		      tcclear          => 1,
 		      tcdevices        => 1,
@@ -451,9 +533,15 @@ my $omitting;
 my @ifstack;
 my $ifstack;
 #
+# Entries on the ifstack are a 4-tuple:
+#
+#    [0] - Keyword (IF, ELSEIF, ELSE or ENDIF)
+#    [1] - True if the outermost IF evaluated to false
+#    [2] - True if the the last unterminated IF evaluated to false
+#
 # From .shorewallrc
 #
-our %shorewallrc;
+our ( %shorewallrc, %shorewallrc1 );
 #
 # read_a_line options
 #
@@ -469,7 +557,7 @@ use constant { PLAIN_READ          => 0,     # No read_a_line options
               NORMAL_READ         => -1     # All options
 	   };

-sub process_shorewallrc($);
+sub process_shorewallrc($$);
 #
 # Rather than initializing globals in an INIT block or during declaration,
 # we initialize them in a function. This is done for two reasons:
@@ -480,8 +568,8 @@ sub process_shorewallrc($);
 #   2. The compiler can run multiple times in the same process so it has to be
 #      able to re-initialize its dependent modules' state.
 #
-sub initialize( $;$ ) {
-    ( $family, my $shorewallrc ) = @_;
+sub initialize( $;$$) {
+    ( $family, my ( $shorewallrc, $shorewallrc1 ) ) = @_;

    if ( $family == F_IPV4 ) {
 	( $product, $Product, $toolname, $toolNAME ) = qw( shorewall  Shorewall iptables  IPTABLES );
@@ -518,9 +606,8 @@ sub initialize( $;$ ) {
 		    EXPORT     => 0,
 		    KLUDGEFREE => '',
 		    STATEMATCH => '-m state --state',
-		    UNTRACKED  => 0,
-		    VERSION    => "4.4.22.1",
-		    CAPVERSION => 40504 ,
+		    VERSION    => "4.5.8-Beta2",
+		    CAPVERSION => 40507 ,
 		  );
    #
    # From shorewall.conf file
@@ -548,6 +635,7 @@ sub initialize( $;$ ) {
 	  LOG_VERBOSITY => undef,
 	  STARTUP_LOG => undef,
 	  SFILTER_LOG_LEVEL => undef,
+	  RPFILTER_LOG_LEVEL => undef,
 	  #
 	  # Location of Files
 	  #
@@ -564,6 +652,7 @@ sub initialize( $;$ ) {
 	  IPSECFILE => undef,
 	  LOCKFILE => undef,
 	  GEOIPDIR => undef,
+	  NFACCT => undef,
 	  #
 	  # Default Actions/Macros
 	  #
@@ -618,7 +707,7 @@ sub initialize( $;$ ) {
 	  DELETE_THEN_ADD => undef,
 	  MULTICAST => undef,
 	  DONT_LOAD => '',
-	  AUTO_COMMENT => undef ,
+	  AUTOCOMMENT => undef ,
 	  MANGLE_ENABLED => undef ,
 	  RFC1918_STRICT => undef ,
 	  NULL_ROUTE_RFC1918 => undef ,
@@ -640,6 +729,8 @@ sub initialize( $;$ ) {
 	  EXPORTMODULES => undef,
 	  LEGACY_FASTSTART => undef,
 	  USE_PHYSICAL_NAMES => undef,
+	  HELPERS => undef,
+	  AUTOHELPERS => undef,
 	  #
 	  # Packet Disposition
 	  #
@@ -648,6 +739,7 @@ sub initialize( $;$ ) {
 	  BLACKLIST_DISPOSITION => undef,
 	  SMURF_DISPOSITION => undef,
 	  SFILTER_DISPOSITION => undef,
+	  RPFILTER_DISPOSITION => undef,
 	  RELATED_DISPOSITION => undef,
 	  #
 	  # Mark Geometry
@@ -753,6 +845,24 @@ sub initialize( $;$ ) {
 	       DSCP_MATCH => undef,
 	       DSCP_TARGET => undef,
 	       GEOIP_MATCH => undef,
+	       RPFILTER_MATCH => undef,
+	       NFACCT_MATCH => undef,
+	       AMANDA_HELPER => undef,
+	       FTP_HELPER => undef,
+	       FTP0_HELPER => undef,
+	       H323_HELPER => undef,
+	       IRC_HELPER => undef,
+	       IRC0_HELPER => undef,
+	       NETBIOS_NS_HELPER => undef,
+	       PPTP_HELPER => undef,
+	       SANE_HELPER => undef,
+	       SANE0_HELPER => undef,
+	       SIP_HELPER => undef,
+	       SIP0_HELPER => undef,
+	       SNMP_HELPER => undef,
+	       TFTP_HELPER => undef,
+	       TFTP0_HELPER => undef,
+
 	       CAPVERSION => undef,
 	       LOG_OPTIONS => 1,
 	       KERNELVERSION => undef,
@@ -787,12 +897,77 @@ sub initialize( $;$ ) {

    @actparms = ();

+    %helpers_enabled = (
+			amanda       => 1,
+			ftp          => 1,
+			'ftp-0'      => 1,
+			h323         => 1,
+			irc          => 1,
+			'irc-0'      => 1,
+			'netbios-ns' => 1,
+			pptp         => 1,
+			sane         => 1,
+			'sane-0'     => 1,
+			sip          => 1,
+			'sip-0'      => 1,
+			snmp         => 1,
+			tftp         => 1,
+			'tftp-0'     => 1,
+		       );
+
+    %helpers_map = ( amanda          => 'AMANDA_HELPER',
+		     ftp             => 'FTP_HELPER',
+		     irc             => 'IRC_HELPER',
+		     'netbios-ns'    => 'NETBIOS_NS_HELPER',
+		     pptp            => 'PPTP_HELPER',
+		     'Q.931'         => 'H323_HELPER',
+		     RAS             => 'H323_HELPER',
+		     sane            => 'SANE_HELPER',
+		     sip             => 'SIP_HELPER',
+		     snmp            => 'SNMP_HELPER',
+		     tftp            => 'TFTP_HELPER',
+		   );
+
+    %helpers_aliases = ( amanda       => 'amanda',
+			 ftp          => 'ftp',
+			 irc          => 'irc',
+			 'netbios-ns' => 'netbios-ns',
+			 pptp         => 'pptp',
+			 'Q.931'      => 'Q.931',
+			 RAS          => 'RAS',
+			 sane         => 'sane',
+			 sip          => 'sip',
+			 snmp         => 'snmp',
+			 tftp         => 'tftp',
+		       );
+
    %shorewallrc = (
 		    SHAREDIR => '/usr/share/',
 		    CONFDIR  => '/etc/',
 		    );
+    #
+    # If we are compiling for export, process the shorewallrc from the remote system
+    #
+    if ( $shorewallrc1 ) {
+	process_shorewallrc( $shorewallrc1,
+			     $family == F_IPV4 ? 'shorewall-lite' : 'shorewall6-lite'
+			   );

-    process_shorewallrc( $shorewallrc ) if $shorewallrc;
+	%shorewallrc1 = %shorewallrc;
+
+	%shorewallrc = (
+			SHAREDIR => '/usr/share/',
+			CONFDIR  => '/etc/',
+		       );
+    }
+    #
+    # Process the global shorewallrc file
+    #
+    #   Note: The build file executes this function passing only the protocol family
+    #
+    process_shorewallrc( $shorewallrc,
+			 $family == F_IPV4 ? 'shorewall' : 'shorewall6'
+		       ) if defined $shorewallrc;

    $globals{SHAREDIRPL} = "$shorewallrc{SHAREDIR}/shorewall/";

@@ -808,6 +983,8 @@ sub initialize( $;$ ) {
 	$globals{PRODUCT}       = 'shorewall6';
 	$config{IP6TABLES}      = undef;
    }
+
+    %shorewallrc1 = %shorewallrc unless $shorewallrc1;
 }

 my @abbr = qw( Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec );
@@ -929,6 +1106,12 @@ sub cleanup() {
 	qt1( "$iptables -X $sillyname1" );
 	qt1( "$iptables -t mangle -F $sillyname" );
 	qt1( "$iptables -t mangle -X $sillyname" );
+	qt1( "$iptables -t nat -F $sillyname" );
+	qt1( "$iptables -t nat -X $sillyname" );
+	qt1( "$iptables -t raw -F $sillyname" );
+	qt1( "$iptables -t raw -X $sillyname" );
+	qt1( "$iptables -t rawpost -F $sillyname" );
+	qt1( "$iptables -t rawpost -X $sillyname" );
 	$sillyname = '';
    }
 }
@@ -1056,7 +1239,7 @@ sub in_hex2( $ ) {
 }

 sub in_hex3( $ ) {
-    sprintf '0x%03x', $_[0];
+    sprintf '%03x', $_[0];
 }

 sub in_hex4( $ ) {
@@ -1651,70 +1834,134 @@ sub close_file() {
 }

 #
-# Process an ?IF, ?ELSE or ?END directive
+# Process an ?IF, ?ELSIF, ?ELSE or ?END directive
 #
 sub have_capability( $ );

 #
-# Report an error from process_conditional() -- the first argument is the linenumber
+# Report an error from process_conditional()
 #
-sub cond_error( $$ ) {
-    $currentlinenumber = $_[0];
-    fatal_error $_[1];
+sub cond_error( $$$ ) {
+    $currentfilename   = $_[1];
+    $currentlinenumber = $_[2];
+    fatal_error $_[0];
 }

-sub process_conditional( $$$ ) {
-    my ( $omitting, $line, $linenumber ) = @_;
+#
+# Evaluate an expression in an ?IF or ?ELSIF directive
+#
+sub evaluate_expression( $$$ ) {
+    my ( $expression , $filename , $linenumber ) = @_;
+    my $val;
+    my $count = 0;
+
+    #                         $1      $2   $3      -     $4
+    while ( $expression =~ m( ^(.*?) \$({)? (\w+) (?(2)}) (.*)$ )x ) {
+	my ( $first, $var, $rest ) = ( $1, $3, $4);
+
+	$val = ( exists $ENV{$var}     ? $ENV{$var}    :
+		 exists $params{$var}  ? $params{$var} :
+		 exists $config{$var}  ? $config{$var} :
+		 exists $renamed{$var} ? $config{$renamed{$var}} :
+		 exists $capdesc{$var} ? have_capability( $var ) : 0 );
+	$val = 0 unless defined $val;
+	$val = "'$val'" unless $val =~ /^-?\d+$/;
+	$expression = join( '', $first, $val || 0, $rest );
+	cond_error( "Variable Expansion Loop" , $filename, $linenumber ) if ++$count > 100;
+    }
+
+    #                         $1      $2   $3      -     $4
+    while ( $expression =~ m( ^(.*?) __({)? (\w+) (?(2)}) (.*)$ )x ) {
+	my ( $first, $cap, $rest ) = ( $1, $3, $4);
+
+	if ( exists $capdesc{$cap} ) {
+	    $val = have_capability( $cap );
+	    if ( defined $val ) {
+		$val = "'$val'" unless $val =~ /^-?\d+$/;
+	    } else {
+		$val = 0;
+	    }
+	} elsif ( $cap =~ /^IPV([46])$/ ) {
+	    $val = ( $family == $1 );
+	} else {
+	    cond_error "Unknown capability ($cap)", $filename, $linenumber;
+	}
+
+	$expression = join( '', $first, $val || 0, $rest );
+    }
+
+    $expression =~ s/^\s*(.+)\s*$/$1/;
+
+    unless ( $expression =~ /^\d+$/ ) {
+	#
+	# Not a simple one-term expression -- compile it
+	#
+	$val = eval qq(package Shorewall::User;\nuse strict;\n# line $linenumber "$filename"\n$expression);
+
+	unless ( $val ) {
+	    cond_error( "Couldn't parse expression: $@" , $filename, $linenumber ) if $@;
+	    cond_error( "Undefined expression" , $filename, $linenumber ) unless defined $val;
+	}
+    }
+
+    $val;
+}
+
+#
+# Each entry in @ifstack consists of a 4-tupple
+#
+# [0] = The keyword (IF,ELSIF or ELSE)
+# [1] = True if we were already omitting at the last IF directive
+# [2] = True if we have included any block of the current IF...ELSEIF....ELSEIF... sequence.
+# [3] = The line number of the directive
+#
+sub process_conditional( $$$$ ) {
+    my ( $omitting, $line, $filename, $linenumber ) = @_;

    print "CD===> $line\n" if $debug;

-    cond_error $linenumber, "Invalid compiler directive ($line)" unless $line =~ /^\s*\?(IF\s+|ELSE|ENDIF)(.*)$/;
+    cond_error( "Invalid compiler directive ($line)" , $filename, $linenumber ) unless $line =~ /^\s*\?(IF\s+|ELSE|ELSIF\s+|ENDIF)(.*)$/i;

-    my ($keyword, $rest) = ( $1, $2 );
+    my ($keyword, $expression) = ( uc $1, $2 );

-    if ( supplied $rest ) {
-	$rest =~ s/#.*//;
-	$rest =~ s/\s*$//;
+    if ( supplied $expression ) {
+	$expression =~ s/#.*//;
+	$expression =~ s/\s*$//;
    } else {
-	$rest = '';
+	$expression = '';
    }

-    my ( $lastkeyword, $prioromit, $lastomit, $lastlinenumber ) = @ifstack ? @{$ifstack[-1]} : ('', 0, 0, 0 );
+    my ( $lastkeyword, $prioromit, $included, $lastlinenumber ) = @ifstack ? @{$ifstack[-1]} : ('', 0, 0, 0 );

    if ( $keyword =~ /^IF/ ) {
-	cond_error $linenumber, "Missing IF variable" unless $rest;
-	my $invert = $rest =~ s/^!\s*//;
-
-	cond_error $linenumber, "Invalid IF variable ($rest)" unless ($rest =~ s/^\$// || $rest =~ /^__/ ) && $rest =~ /^\w+$/;
-
-	push @ifstack, [ 'IF', $omitting, $omitting, $linenumber ];
-
-	if ( $rest eq '__IPV6' ) {
-	    $omitting = $family == F_IPV4;
-	} elsif ( $rest eq '__IPV4' ) {
-	    $omitting = $family == F_IPV6;
+	cond_error( "Missing IF expression" , $filename, $linenumber ) unless supplied $expression;
+	my $nextomitting = $omitting || ! evaluate_expression( $expression , $filename, $linenumber );
+	push @ifstack, [ 'IF', $omitting, ! $nextomitting, $linenumber ];
+	$omitting = $nextomitting;
+    } elsif ( $keyword =~ /^ELSIF/ ) {
+	cond_error( "?ELSIF has no matching ?IF" , $filename, $linenumber ) unless @ifstack > $ifstack && $lastkeyword =~ /IF/;
+	cond_error( "Missing IF expression" , $filename, $linenumber ) unless $expression;
+	if ( $omitting && ! $included ) {
+	    #
+	    # We can only change to including if we were previously omitting
+	    #
+	    $omitting = $prioromit || ! evaluate_expression( $expression , $filename, $linenumber );
+	    $included = ! $omitting;
 	} else {
-	    my $cap = $rest;
-
-	    $cap =~ s/^__//;
-
-	    $omitting = ! ( exists $ENV{$rest}    ? $ENV{$rest}    :
-			    exists $params{$rest} ? $params{$rest} :
-			    exists $config{$rest} ? $config{$rest} :
-			    exists $capdesc{$cap} ? have_capability( $cap ) : 0 );
+	    #
+	    # We have already included -- so we don't want to include this part
+	    #
+	    $omitting = 1;
 	}
-
-	$omitting = ! $omitting if $invert;
-
-	$omitting ||= $lastomit; #?IF cannot transition from omitting -> not omitting
+	$ifstack[-1] = [ 'ELSIF', $prioromit, $included, $lastlinenumber ];
    } elsif ( $keyword eq 'ELSE' ) {
-	cond_error $linenumber, "Invalid ?ELSE" unless $rest eq '';
-	cond_error $linenumber, "?ELSE has no matching ?IF" unless @ifstack > $ifstack && $lastkeyword eq 'IF';
-	$omitting = ! $omitting unless $lastomit;
-	$ifstack[-1] = [ 'ELSE', $prioromit, $omitting, $lastlinenumber ];
+	cond_error( "Invalid ?ELSE" , $filename, $linenumber ) unless $expression eq '';
+	cond_error( "?ELSE has no matching ?IF" , $filename, $linenumber ) unless @ifstack > $ifstack && $lastkeyword =~ /IF/;
+	$omitting = $included || ! $omitting unless $prioromit;
+	$ifstack[-1] = [ 'ELSE', $prioromit, 1, $lastlinenumber ];
    } else {
-	cond_error $linenumber, "Invalid ?ENDIF" unless $rest eq '';
-	cond_error $linenumber, q(Unexpected "?ENDIF" without matching ?IF or ?ELSE) if @ifstack <= $ifstack;
+	cond_error( "Invalid ?ENDIF" , $filename, $linenumber ) unless $expression eq '';
+	cond_error( q(Unexpected "?ENDIF" without matching ?IF or ?ELSE) , $filename, $linenumber ) if @ifstack <= $ifstack;
 	$omitting = $prioromit;
 	pop @ifstack;
    }
@@ -1744,7 +1991,7 @@ sub copy( $ ) {
 	    $lineno++;

 	    if ( /^\s*\?/ ) {
-		$omitting = process_conditional( $omitting, $_, $lineno );
+		$omitting = process_conditional( $omitting, $_, $file, $lineno );
 		next;
 	    }

@@ -1797,7 +2044,7 @@ sub copy1( $ ) {
 		chomp;

 		if ( /^\s*\?/ ) {
-		    $omitting = process_conditional( $omitting, $_, $currentlinenumber );
+		    $omitting = process_conditional( $omitting, $_, $currentfilename, $currentlinenumber );
 		    next;
 		}

@@ -1928,7 +2175,7 @@ EOF
 		chomp;

 		if ( /^\s*\?/ ) {
-		    $omitting = process_conditional( $omitting, $_, $lineno );
+		    $omitting = process_conditional( $omitting, $_, $file, $lineno );
 		    next;
 		}

@@ -2283,8 +2530,8 @@ sub read_a_line($) {
 	    #
 	    # Handle conditionals
 	    #
-	    if ( /^\s*\?(?:IF|ELSE|ENDIF)/ ) {
-		$omitting = process_conditional( $omitting, $_, $. );
+	    if ( /^\s*\?(?:IF|ELSE|ELSIF|ENDIF)/i ) {
+		$omitting = process_conditional( $omitting, $_, $currentfilename, $. );
 		next;
 	    }

@@ -2379,10 +2626,10 @@ sub read_a_line($) {
    }
 }

-sub process_shorewallrc( $ ) {
-    my $shorewallrc = shift;
+sub process_shorewallrc( $$ ) {
+    my ( $shorewallrc , $product ) = @_;

-    $shorewallrc{PRODUCT} = $family == F_IPV4 ? 'shorewall' : 'shorewall6';
+    $shorewallrc{PRODUCT} = $product;

    if ( open_file $shorewallrc ) {
 	while ( read_a_line( STRIP_COMMENTS | SUPPRESS_WHITESPACE | CHECK_GUNK ) ) {
@@ -2398,6 +2645,15 @@ sub process_shorewallrc( $ ) {
    } else {
 	fatal_error "Failed to open $shorewallrc: $!";
    }
+
+    if ( supplied $shorewallrc{VARDIR} ) {
+	if ( ! supplied $shorewallrc{VARLIB} ) {
+	    $shorewallrc{VARLIB} =  $shorewallrc{VARDIR};
+	    $shorewallrc{VARDIR} = "$shorewallrc{VARLIB}/$product";
+	}
+    } elsif ( supplied $shorewallrc{VARLIB} ) {
+	$shorewallrc{VARDIR} = "$shorewallrc{VARLIB}/$product" unless supplied $shorewallrc{VARDIR};
+    }
 }

 #
@@ -2969,7 +3225,7 @@ sub Old_IPSet_Match() {

 	if ( qt( "$ipset -N $sillyname iphash" ) ) {
 	    if ( qt1( "$iptables -A $sillyname -m set --set $sillyname src -j ACCEPT" ) ) {
-		qt1( "$iptables -D $sillyname -m set --set $sillyname src -j ACCEPT" );
+		qt1( "$iptables -F $sillyname" );
 		$result = $capabilities{IPSET_MATCH} = 1;
 	    }

@@ -2992,7 +3248,7 @@ sub IPSet_Match() {

 	if ( qt( "$ipset -N $sillyname iphash" ) || qt( "$ipset -N $sillyname hash:ip family $fam") ) {
 	    if ( qt1( "$iptables -A $sillyname -m set --match-set $sillyname src -j ACCEPT" ) ) {
-		qt1( "$iptables -D $sillyname -m set --match-set $sillyname src -j ACCEPT" );
+		qt1( "$iptables -F $sillyname" );
 		$result = ! ( $capabilities{OLD_IPSET_MATCH} = 0 );
 	    } else {
 		$result = have_capability 'OLD_IPSET_MATCH';
@@ -3044,7 +3300,79 @@ sub Realm_Match() {
 }

 sub Helper_Match() {
-    qt1( "$iptables -A $sillyname -m helper --helper \"ftp\"" );
+    qt1( "$iptables -A $sillyname -p tcp --dport 21 -m helper --helper ftp" );
+}
+
+sub have_helper( $$$ ) {
+    my ( $helper, $proto, $port ) = @_;
+
+    if ( $helpers_enabled{$helper} ) {
+	if ( have_capability 'CT_TARGET' ) {
+	    qt1( "$iptables -t raw -A $sillyname -p $proto --dport $port -j CT --helper $helper" );
+	} else {
+	    have_capability 'HELPER_MATCH';
+	}
+    }
+}
+
+sub Amanda_Helper() {
+    have_helper( 'amanda', 'udp', 10080 );
+}
+
+sub FTP0_Helper() {
+    have_helper( 'ftp-0', 'tcp', 21 ) and $helpers_aliases{ftp} = 'ftp-0';
+}
+
+sub FTP_Helper() {
+    have_helper( 'ftp', 'tcp', 21 ) || FTP0_Helper;
+}
+
+sub H323_Helpers() {
+    have_helper( 'RAS', 'udp', 1719 );
+}
+
+sub IRC0_Helper() {
+    have_helper( 'irc-0', 'tcp', 6667 ) and $helpers_aliases{irc} = 'irc-0';
+}
+
+sub IRC_Helper() {
+    have_helper( 'irc', 'tcp', 6667 ) || IRC0_Helper;
+}
+
+sub Netbios_ns_Helper() {
+    have_helper( 'netbios-ns', 'udp', 137 );
+}
+
+sub PPTP_Helper() {
+    have_helper( 'pptp', 'tcp', 1729 );
+}
+
+sub SANE0_Helper() {
+    have_helper( 'sane-0', 'tcp', 6566 ) and $helpers_aliases{sane} = 'sane-0';
+}
+
+sub SANE_Helper() {
+    have_helper( 'sane', 'tcp', 6566 ) || SANE0_Helper;
+}
+
+sub SIP0_Helper() {
+    have_helper( 'sip-0', 'udp', 5060 ) and $helpers_aliases{sip} = 'sip-0';
+}
+
+sub SIP_Helper() {
+    have_helper( 'sip', 'udp', 5060 ) || SIP0_Helper;
+}
+
+sub SNMP_Helper() {
+    have_helper( 'snmp', 'udp', 161 );
+}
+
+sub TFTP0_Helper() {
+    have_helper( 'tftp-0', 'udp', 69 ) and $helpers_aliases{tftp} = 'tftp-0';
+}
+
+sub TFTP_Helper() {
+    have_helper( 'tftp', 'udp', 69 ) || TFTP0_Helper;
 }

 sub Connlimit_Match() {
@@ -3121,8 +3449,6 @@ sub Ct_Target() {
    if ( have_capability 'RAW_TABLE' ) {
 	qt1( "$iptables -t raw -N $sillyname" );
 	$ct_target = qt1( "$iptables -t raw -A $sillyname -j CT --notrack" );
-	qt1( "$iptables -t raw -F $sillyname" );
-	qt1( "$iptables -t raw -X $sillyname" );
    }

    $ct_target;
@@ -3132,6 +3458,7 @@ sub Statistic_Match() {
    qt1( "$iptables -A $sillyname -m statistic --mode nth --every 2 --packet 1" );
 }

+
 sub Imq_Target() {
    have_capability 'MANGLE_ENABLED' && qt1( "$iptables -t mangle -A $sillyname -j IMQ --todev 0" );
 }
@@ -3144,12 +3471,29 @@ sub Dscp_Target() {
    have_capability 'MANGLE_ENABLED' && qt1( "$iptables -t mangle -A $sillyname -j DSCP --set-dscp 0" );
 }

+sub RPFilter_Match() {
+    have_capability 'MANGLE_ENABLED' && qt1( "$iptables -t mangle -A $sillyname -m rpfilter" );
+}
+
+sub NFAcct_Match() {
+    my $result;
+
+    if ( qt1( "nfacct add $sillyname" ) ) {
+	$result = qt1( "$iptables -A $sillyname -m nfacct --nfacct-name $sillyname" );
+	qt( "$iptables -D $sillyname -m nfacct --nfacct-name $sillyname" );
+	qt( "nfacct del $sillyname" );
+    }
+
+    $result;
+}
+
 sub GeoIP_Match() {
    qt1( "$iptables -A $sillyname -m geoip --src-cc US" );
 }

 our %detect_capability =
    ( ACCOUNT_TARGET =>\&Account_Target,
+      AMANDA_HELPER => \&Amanda_Helper,
      AUDIT_TARGET => \&Audit_Target,
      ADDRTYPE => \&Addrtype,
      BASIC_FILTER => \&Basic_Filter,
@@ -3166,9 +3510,12 @@ our %detect_capability =
      ENHANCED_REJECT => \&Enhanced_Reject,
      EXMARK => \&Exmark,
      FLOW_FILTER => \&Flow_Filter,
+      FTP_HELPER => \&FTP_Helper,
+      FTP0_HELPER => \&FTP0_Helper,
      FWMARK_RT_MASK => \&Fwmark_Rt_Mask,
      GEOIP_MATCH => \&GeoIP_Match,
      GOTO_TARGET => \&Goto_Target,
+      H323_HELPER => \&H323_Helpers,
      HASHLIMIT_MATCH => \&Hashlimit_Match,
      HEADER_MATCH => \&Header_Match,
      HELPER_MATCH => \&Helper_Match,
@@ -3177,6 +3524,8 @@ our %detect_capability =
      IPP2P_MATCH => \&Ipp2p_Match,
      IPRANGE_MATCH => \&IPRange_Match,
      IPSET_MATCH => \&IPSet_Match,
+      IRC_HELPER => \&IRC_Helper,
+      IRC0_HELPER => \&IRC0_Helper,
      OLD_IPSET_MATCH => \&Old_IPSet_Match,
      IPSET_V5 => \&IPSET_V5,
      IPTABLES_S => \&Iptables_S,
@@ -3192,7 +3541,9 @@ our %detect_capability =
      MARK_ANYWHERE => \&Mark_Anywhere,
      MULTIPORT => \&Multiport,
      NAT_ENABLED => \&Nat_Enabled,
+      NETBIOS_NS_HELPER => \&Netbios_ns_Helper,
      NEW_CONNTRACK_MATCH => \&New_Conntrack_Match,
+      NFACCT_MATCH => \&NFAcct_Match,
      NFQUEUE_TARGET => \&Nfqueue_Target,
      OLD_CONNTRACK_MATCH => \&Old_Conntrack_Match,
      OLD_HL_MATCH => \&Old_Hashlimit_Match,
@@ -3203,12 +3554,21 @@ our %detect_capability =
      PHYSDEV_BRIDGE => \&Physdev_Bridge,
      PHYSDEV_MATCH => \&Physdev_Match,
      POLICY_MATCH => \&Policy_Match,
+      PPTP_HELPER => \&PPTP_Helper,
      RAW_TABLE => \&Raw_Table,
      RAWPOST_TABLE => \&Rawpost_Table,
      REALM_MATCH => \&Realm_Match,
      RECENT_MATCH => \&Recent_Match,
+      RPFILTER_MATCH => \&RPFilter_Match,
+      SANE_HELPER => \&SANE_Helper,
+      SANE0_HELPER => \&SANE0_Helper,
+      SIP_HELPER => \&SIP_Helper,
+      SIP0_HELPER => \&SIP0_Helper,
+      SNMP_HELPER => \&SNMP_Helper,
      STATISTIC_MATCH => \&Statistic_Match,
      TCPMSS_MATCH => \&Tcpmss_Match,
+      TFTP_HELPER => \&TFTP_Helper,
+      TFTP0_HELPER => \&TFTP0_Helper,
      TIME_MATCH => \&Time_Match,
      TPROXY_TARGET => \&Tproxy_Target,
      USEPKTTYPE => \&Usepkttype,
@@ -3313,7 +3673,6 @@ sub determine_capabilities() {
 	$capabilities{CLASSIFY_TARGET} = detect_capability( 'CLASSIFY_TARGET' );
 	$capabilities{IPMARK_TARGET}   = detect_capability( 'IPMARK_TARGET' );
 	$capabilities{TPROXY_TARGET}   = detect_capability( 'TPROXY_TARGET' );
-
 	$capabilities{MANGLE_FORWARD}  = detect_capability( 'MANGLE_FORWARD' );
 	$capabilities{RAW_TABLE}       = detect_capability( 'RAW_TABLE' );
 	$capabilities{RAWPOST_TABLE}   = detect_capability( 'RAWPOST_TABLE' );
@@ -3323,7 +3682,6 @@ sub determine_capabilities() {
 	$capabilities{TCPMSS_MATCH}    = detect_capability( 'TCPMSS_MATCH' );
 	$capabilities{NFQUEUE_TARGET}  = detect_capability( 'NFQUEUE_TARGET' );
 	$capabilities{REALM_MATCH}     = detect_capability( 'REALM_MATCH' );
-	$capabilities{HELPER_MATCH}    = detect_capability( 'HELPER_MATCH' );
 	$capabilities{CONNLIMIT_MATCH} = detect_capability( 'CONNLIMIT_MATCH' );
 	$capabilities{TIME_MATCH}      = detect_capability( 'TIME_MATCH' );
 	$capabilities{GOTO_TARGET}     = detect_capability( 'GOTO_TARGET' );
@@ -3346,6 +3704,14 @@ sub determine_capabilities() {
 	$capabilities{DSCP_MATCH}      = detect_capability( 'DSCP_MATCH' );
 	$capabilities{DSCP_TARGET}     = detect_capability( 'DSCP_TARGET' );
 	$capabilities{GEOIP_MATCH}     = detect_capability( 'GEOIP_MATCH' );
+	$capabilities{RPFILTER_MATCH}  = detect_capability( 'RPFILTER_MATCH' );
+	$capabilities{NFACCT_MATCH}    = detect_capability( 'NFACCT_MATCH' );
+	
+	if ( have_capability 'CT_TARGET' ) {
+	    $capabilities{$_} = detect_capability $_ for ( values( %helpers_map ) );
+	} else {
+	    $capabilities{HELPER_MATCH} = detect_capability 'HELPER_MATCH';
+	}

 	qt1( "$iptables -F $sillyname" );
 	qt1( "$iptables -X $sillyname" );
@@ -3362,6 +3728,11 @@ sub determine_capabilities() {
 	    qt1( "$iptables -t nat -X $sillyname" );
 	}

+	if ( $capabilities{RAW_ENABLED} ) {
+	    qt1( "$iptables -t raw -F $sillyname" );
+	    qt1( "$iptables -t raw -X $sillyname" );
+	}
+
 	$sillyname = $sillyname1 = undef;
    }
 }
@@ -3375,6 +3746,13 @@ sub require_capability( $$$ ) {
    fatal_error "$description require${singular} $capdesc{$capability} in your kernel and iptables" unless have_capability $capability;
 }

+#
+# Return Kernel Version
+#
+sub kernel_version() {
+    $capabilities{KERNELVERSION}
+}
+
 #
 # Set default config path
 #
@@ -3593,7 +3971,14 @@ sub process_shorewall_conf( $$ ) {
 		if ( $currentline =~ /^\s*([a-zA-Z]\w*)=(.*?)\s*$/ ) {
 		    my ($var, $val) = ($1, $2);

-		    warning_message "Unknown configuration option ($var) ignored", next unless exists $config{$var};
+		    unless ( exists $config{$var} ) {
+			if ( exists $renamed{$var} ) {
+			    $var = $renamed{$var};
+			} else {
+			    warning_message "Unknown configuration option ($var) ignored";
+			    next ;
+			}
+		    }

 		    $config{$var} = ( $val =~ /\"([^\"]*)\"$/ ? $1 : $val );

@@ -3637,7 +4022,9 @@ sub read_capabilities() {
 		next;
 	    }

-	    $capabilities{$var} = $val =~ /^\"([^\"]*)\"$/ ? $1 : $val;
+	    $val = $val =~ /^\"([^\"]*)\"$/ ? $1 : $val;
+	    
+	    $capabilities{$var} = $var =~ /VERSION$/ ? $val :  $val ne '';
 	} else {
 	    fatal_error "Unrecognized capabilities entry";
 	}
@@ -3660,6 +4047,7 @@ sub read_capabilities() {
    }

    $globals{KLUDGEFREE} = $capabilities{KLUDGEFREE};
+
 }

 #
@@ -3948,8 +4336,23 @@ sub get_configuration( $$$ ) {

    get_capabilities( $export );

+    report_capabilities unless $config{LOAD_HELPERS_ONLY};
+
+    $helpers_aliases{ftp}  = 'ftp-0',  $capabilities{FTP_HELPER}  = 1 if $capabilities{FTP0_HELPER};
+    $helpers_aliases{irc}  = 'irc-0',  $capabilities{IRC_HELPER}  = 1 if $capabilities{IRC0_HELPER};
+    $helpers_aliases{sane} = 'sane-0', $capabilities{SANE_HELPER} = 1 if $capabilities{SANE0_HELPER};
+    $helpers_aliases{sip}  = 'sip-0',  $capabilities{SIP_HELPER}  = 1 if $capabilities{SIP0_HELPER};
+    $helpers_aliases{tftp} = 'tftp-0', $capabilities{TFTP_HELPER} = 1 if $capabilities{TFTP0_HELPER};
+
    $globals{STATEMATCH} = '-m conntrack --ctstate' if have_capability 'CONNTRACK_MATCH';

+    #
+    # The following is not documented as it is not likely useful to the user base in general 
+    # Going forward, it allows me to create a configuration that will work on multiple
+    # Shorewall versions.        TME
+    #
+    $config{VERSION} = sprintf "%d%02d%02d", $1, $2, $3 if $globals{VERSION} =~ /^(\d+)\.(\d+)\.(\d+)/;
+
    if ( my $rate = $config{LOGLIMIT} ) {
 	my $limit;

@@ -4148,6 +4551,30 @@ sub get_configuration( $$$ ) {
    default_yes_no 'LEGACY_FASTSTART'           , 'Yes';
    default_yes_no 'USE_PHYSICAL_NAMES'         , '';
    default_yes_no 'IPSET_WARNINGS'             , 'Yes';
+    default_yes_no 'AUTOHELPERS'                , 'Yes';
+
+    if ( supplied $config{HELPERS} ) {
+	my %helpers_temp = %helpers_enabled;
+
+	$helpers_temp{$_} = 0 for keys %helpers_temp;
+
+	for ( split_list $config{HELPERS} , 'helper' ) {
+	    my $name = $_;
+	    if ( exists $helpers_enabled{$name} ) {
+		s/-/_/;
+		require_capability( uc( $_ ) . '_HELPER' , "The $name helper", 's' );
+		$helpers_temp{$name} = 1;
+	    } else {
+		fatal_error "Unknown Helper ($_)";
+	    }
+	}
+	
+	%helpers_enabled = %helpers_temp;
+
+	while ( my ( $helper, $enabled ) = each %helpers_enabled ) {
+	    $capabilities{uc($helper) . '_HELPER'} = 0 unless $enabled; 
+	}
+    }

    require_capability 'MARK' , 'FORWARD_CLEAR_MARK=Yes', 's', if $config{FORWARD_CLEAR_MARK};

@@ -4185,10 +4612,10 @@ sub get_configuration( $$$ ) {
    }

    if ( ( my $userbits = $config{PROVIDER_OFFSET} - $config{TC_BITS} ) > 0 ) {
-
 	$globals{USER_MASK} = make_mask( $userbits ) << $config{TC_BITS};
+	$globals{USER_BITS} = $userbits;
    } else {
-	$globals{USER_MASK} = 0;
+	$globals{USER_MASK} = $globals{USER_BITS} = 0;
    }

    if ( supplied ( $val = $config{ZONE2ZONE} ) ) {
@@ -4233,6 +4660,15 @@ sub get_configuration( $$$ ) {
 	$config{SFILTER_DISPOSITION} = 'DROP';
    }

+    default_log_level 'RPFILTER_LOG_LEVEL', 'info';
+
+    if ( $val = $config{RPFILTER_DISPOSITION} ) {
+	fatal_error "Invalid RPFILTER_DISPOSITION setting ($val)" unless $val =~ /^(A_)?(DROP|REJECT)$/;
+	require_capability 'AUDIT_TARGET' , "RPFILTER_DISPOSITION=$val", 's' if $1;
+    } else {
+	$config{RPFILTER_DISPOSITION} = 'DROP';
+    }
+
    if ( $val = $config{MACLIST_DISPOSITION} ) {
 	if ( $val =~ /^(?:A_)?DROP$/ ) {
 	    $globals{MACLIST_TARGET} = $val;
@@ -4384,8 +4820,6 @@ sub get_configuration( $$$ ) {
 	$config{LOCKFILE} = '';
    }

-    report_capabilities unless $config{LOAD_HELPERS_ONLY};
-
    require_capability( 'MULTIPORT'       , "Shorewall $globals{VERSION}" , 's' );
    require_capability( 'RECENT_MATCH'    , 'MACLIST_TTL' , 's' )           if $config{MACLIST_TTL};
    require_capability( 'XCONNMARK'       , 'HIGH_ROUTE_MARKS=Yes' , 's' )  if $config{PROVIDER_OFFSET} > 0;
@@ -4606,7 +5040,7 @@ sub dump_mark_layout() {
 	     $globals{TC_MASK} );

    dumpout( "User",
-	     $globals{USER_MASK},
+	     $globals{USER_BITS},
 	     $globals{TC_MAX} + 1,
 	     $globals{USER_MASK},
 	     $globals{USER_MASK} );
@@ -4628,6 +5062,12 @@ sub dump_mark_layout() {
 	     $globals{EXCLUSION_MASK},
 	     $globals{EXCLUSION_MASK},
 	     $globals{EXCLUSION_MASK} );
+
+    dumpout( "TProxy",
+	     1,
+	     $globals{TPROXY_MARK},
+	     $globals{TPROXY_MARK},
+	     $globals{TPROXY_MARK} );
 }

 END {
--- a/Shorewall/Perl/Shorewall/IPAddrs.pm
+++ b/Shorewall/Perl/Shorewall/IPAddrs.pm
@@ -26,13 +26,13 @@
 #
 package Shorewall::IPAddrs;
 require Exporter;
-use Shorewall::Config qw( :DEFAULT split_list require_capability in_hex8 numeric_value F_IPV4 F_IPV6 );
+use Shorewall::Config qw( :DEFAULT split_list require_capability in_hex8 numeric_value F_IPV4 F_IPV6 :protocols );
 use Socket;

 use strict;

 our @ISA = qw(Exporter);
-our @EXPORT = qw( ALLIPv4
+our @EXPORT = ( qw( ALLIPv4
                  ALLIPv6
 		  NILIPv4
 		  NILIPv6
@@ -48,14 +48,6 @@ our @EXPORT = qw( ALLIPv4
 		  ALLIP
 		  NILIP
 		  ALL
-		  TCP
-		  UDP
-		  UDPLITE
-		  ICMP
-		  DCCP
-		  IPv6_ICMP
-		  SCTP
-		  GRE

 		  validate_address
 		  validate_net
@@ -80,7 +72,7 @@ our @EXPORT = qw( ALLIPv4
 		  validate_port_list
 		  validate_icmp
 		  validate_icmp6
-		 );
+		 ) );
 our @EXPORT_OK = qw( );
 our $VERSION = 'MODULEVERSION';

@@ -115,14 +107,7 @@ use constant { ALLIPv4             => '0.0.0.0/0' ,
 	       IPv6_LINK_ALLRTRS   => 'ff01::2' ,
 	       IPv6_SITE_ALLNODES  => 'ff02::1' ,
 	       IPv6_SITE_ALLRTRS   => 'ff02::2' ,
-	       ICMP                => 1,
-	       TCP                 => 6,
-	       UDP                 => 17,
-	       DCCP                => 33,
-	       GRE                 => 47,
-	       IPv6_ICMP           => 58,
-	       SCTP                => 132,
-	       UDPLITE             => 136 };
+	   };

 my @rfc1918_networks = ( "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16" );

@@ -193,7 +178,7 @@ sub encodeaddr( $ ) {
    $result;
 }

-sub validate_4net( $$ ) {
+sub validate_4net( $$; $ ) {
    my ($net, $vlsm, $rest) = split( '/', $_[0], 3 );
    my $allow_name = $_[1];

@@ -222,11 +207,13 @@ sub validate_4net( $$ ) {
    }

    if ( defined wantarray ) {
-	assert ( ! $allow_name );
 	if ( wantarray ) {
+	    assert( ! $allow_name );
 	    ( decodeaddr( $net ) , $vlsm );
+	} elsif ( valid_4address $net ) {
+	    $vlsm == 32 ? $net : "$net/$vlsm";
 	} else {
-	    "$net/$vlsm";
+	    $net;
 	}
    }
 }
@@ -621,9 +608,9 @@ sub validate_6address( $$ ) {
    defined wantarray ? wantarray ? @addrs : $addrs[0] : undef;
 }

-sub validate_6net( $$ ) {
+sub validate_6net( $$;$ ) {
    my ($net, $vlsm, $rest) = split( '/', $_[0], 3 );
-    my $allow_name = $_[1];
+    my $allow_name = $_[0];

    if ( $net =~ /\+(\[?)/ ) {
 	if ( $1 ) {
@@ -635,22 +622,28 @@ sub validate_6net( $$ ) {
 	}
    }

+    fatal_error "Invalid Network address ($_[0])" unless supplied $net;
+
+    $net = $1 if $net =~ /^\[(.*)\]$/;
+
    if ( defined $vlsm ) {
        fatal_error "Invalid VLSM ($vlsm)"              unless $vlsm =~ /^\d+$/ && $vlsm <= 128;
 	fatal_error "Invalid Network address ($_[0])"   if defined $rest;
 	fatal_error "Invalid IPv6 address ($net)"       unless valid_6address $net;
    } else {
-	fatal_error "Invalid Network address ($_[0])" if $_[0] =~ '/' || ! defined $net;
+	fatal_error "Invalid Network address ($_[0])" if $_[0] =~ '/';
 	validate_6address $net, $allow_name;
 	$vlsm = 128;
    }

    if ( defined wantarray ) {
-	assert ( ! $allow_name );
 	if ( wantarray ) {
+	    assert( ! $allow_name );
 	    ( $net , $vlsm );
+	} elsif ( valid_6address ( $net ) ) {
+	    $vlsm == 32 ? $net : "$net/$vlsm";
 	} else {
-	    "$net/$vlsm";
+	    $net;
 	}
    }
 }
--- a/Shorewall/Perl/Shorewall/Misc.pm
+++ b/Shorewall/Perl/Shorewall/Misc.pm
--- a/Shorewall/Perl/Shorewall/Nat.pm
+++ b/Shorewall/Perl/Shorewall/Nat.pm
@@ -58,8 +58,8 @@ sub initialize() {
 #
 sub process_one_masq( )
 {
-    my ($interfacelist, $networks, $addresses, $proto, $ports, $ipsec, $mark, $user, $condition ) =
-	split_line1 'masq file', { interface => 0, source => 1, address => 2, proto => 3, port => 4, ipsec => 5, mark => 6, user => 7, switch => 8 };
+    my ($interfacelist, $networks, $addresses, $proto, $ports, $ipsec, $mark, $user, $condition, $origdest ) =
+	split_line1 'masq file', { interface => 0, source => 1, address => 2, proto => 3, port => 4, ipsec => 5, mark => 6, user => 7, switch => 8, origdest => 9 };

    if ( $interfacelist eq 'COMMENT' ) {
 	process_comment;
@@ -237,7 +237,7 @@ sub process_one_masq( )
 		     $baserule . $rule ,
 		     $networks ,
 		     $destnets ,
-		     '' ,
+		     $origdest ,
 		     $target ,
 		     '' ,
 		     '' ,
@@ -431,8 +431,8 @@ sub setup_netmap() {
 		    my @rulein;
 		    my @ruleout;

-		    validate_net $net1, 0;
-		    validate_net $net2, 0;
+		    $net1 = validate_net $net1, 0;
+		    $net2 = validate_net $net2, 0;

 		    unless ( $interfaceref->{root} ) {
 			@rulein  = imatch_source_dev( $interface );
@@ -466,7 +466,7 @@ sub setup_netmap() {

 		    require_capability 'RAWPOST_TABLE', 'Stateless NAT Entries', '';

-		    validate_net $net2, 0;
+		    $net2 = validate_net $net2, 0;

 		    unless ( $interfaceref->{root} ) {
 			@match = imatch_dest_dev(  $interface );
@@ -632,12 +632,13 @@ sub handle_nat_rule( $$$$$$$$$$$$ ) {
    #
    # And generate the nat table rule(s)
    #
+    my $firewallsource = $sourceref && ( $sourceref->{type} & ( FIREWALL | VSERVER ) );
+
    expand_rule ( ensure_chain ('nat' ,
-				( $action_chain ?
-				  $action_chain :
-				  ( $sourceref->{type} == FIREWALL ? 'OUTPUT' : 
-				    dnat_chain $sourceref->{name} ) ) ),
-		  PREROUTE_RESTRICT ,
+				( $action_chain   ? $action_chain :
+				  $firewallsource ? 'OUTPUT' :
+				  dnat_chain $sourceref->{name} ) ) ,
+		  $firewallsource ? OUTPUT_RESTRICT : PREROUTE_RESTRICT ,
 		  $rule ,
 		  $source ,
 		  $origdest ,
--- a/Shorewall/Perl/Shorewall/Providers.pm
+++ b/Shorewall/Perl/Shorewall/Providers.pm
@@ -41,6 +41,7 @@ our @EXPORT = qw( process_providers
 		  handle_optional_interfaces
 		  compile_updown
 		  setup_load_distribution
+		  have_providers
 	       );
 our @EXPORT_OK = qw( initialize lookup_provider );
 our $VERSION = '4.4_24';
@@ -61,9 +62,11 @@ my  @load_interfaces;

 my $balancing;
 my $fallback;
+my $metrics;
 my $first_default_route;
 my $first_fallback_route;
 my $maxload;
+my $tproxies;

 my %providers;

@@ -96,9 +99,11 @@ sub initialize( $ ) {
    @load_interfaces        = ();
    $balancing              = 0;
    $fallback               = 0;
+    $metrics                = 0;
    $first_default_route    = 1;
    $first_fallback_route   = 1;
    $maxload                = 0;
+    $tproxies               = 0;

    %providers  = ( local   => { number => LOCAL_TABLE   , mark => 0 , optional => 0 ,routes => [], rules => [] } ,
 		    main    => { number => MAIN_TABLE    , mark => 0 , optional => 0 ,routes => [], rules => [] } ,
@@ -116,7 +121,7 @@ sub setup_route_marking() {

    require_capability( $_ , q(The provider 'track' option) , 's' ) for qw/CONNMARK_MATCH CONNMARK/;

-    add_ijump $mangle_table->{$_} , j => 'CONNMARK', targetopts => "--restore-mark --mask $mask", connmark => "! --mark 0/$mask" for qw/PREROUTING OUTPUT/;
+    add_ijump $mangle_table->{$_} , j => 'CONNMARK', targetopts => "--restore-mark --mask $mask" for qw/PREROUTING OUTPUT/;

    my $chainref  = new_chain 'mangle', 'routemark';

@@ -462,10 +467,11 @@ sub process_a_provider() {
    }

    if ( $local ) {
-	fatal_error "GATEWAY not valid with 'local' provider" unless $gatewaycase eq 'none';
-	fatal_error "'track' not valid with 'local'"          if $track;
-	fatal_error "DUPLICATE not valid with 'local'"        if $duplicate ne '-';
+	fatal_error "GATEWAY not valid with 'local' provider"  unless $gatewaycase eq 'none';
+	fatal_error "'track' not valid with 'local'"           if $track;
+	fatal_error "DUPLICATE not valid with 'local'"         if $duplicate ne '-';
    } elsif ( $tproxy ) {
+	fatal_error "Only one 'tproxy' provider is allowed"    if $tproxies++;
 	fatal_error "GATEWAY not valid with 'tproxy' provider" unless $gatewaycase eq 'none';
 	fatal_error "'track' not valid with 'tproxy'"          if $track;
 	fatal_error "DUPLICATE not valid with 'tproxy'"        if $duplicate ne '-';
@@ -708,6 +714,8 @@ CEOF
 	    emit qq(run_ip route add default table ) . DEFAULT_TABLE . qq( dev $physical metric $number);
 	    emit qq(echo "qt \$IP -$family route del default dev $physical table ) . DEFAULT_TABLE . qq(" >> \${VARDIR}/undo_${table}_routing);
 	}
+
+	$metrics = 1;
    }

    emit( qq(\n) ,
@@ -930,7 +938,7 @@ sub add_an_rtrule( ) {
    if ( $dest eq '-' ) {
 	$dest = 'to ' . ALLIP;
    } else {
-	validate_net( $dest, 0 );
+	$dest = validate_net( $dest, 0 );
 	$dest = "to $dest";
    }

@@ -942,22 +950,22 @@ sub add_an_rtrule( ) {
 	if ( $source =~ /:/ ) {
 	    ( my $interface, $source , my $remainder ) = split( /:/, $source, 3 );
 	    fatal_error "Invalid SOURCE" if defined $remainder;
-	    validate_net ( $source, 0 );
+	    $source = validate_net ( $source, 0 );
 	    $interface = physical_name $interface;
 	    $source = "iif $interface from $source";
 	} elsif ( $source =~ /\..*\..*/ ) {
-	    validate_net ( $source, 0 );
+	    $source = validate_net ( $source, 0 );
 	    $source = "from $source";
 	} else {
 	    $source = 'iif ' . physical_name $source;
 	}
-    } elsif ( $source =~  /^(.+?):<(.+)>\s*$/ ||  $source =~  /^(.+?):\[(.+)\]\s*$/ ) {
+    } elsif ( $source =~  /^(.+?):<(.+)>\s*$/ ||  $source =~  /^(.+?):\[(.+)\]\s*$/ || $source =~ /^(.+?):(\[.+?\](?:\/\d+))$/ ) {
 	my ($interface, $source ) = ($1, $2);
-	validate_net ($source, 0);
+	$source = validate_net ($source, 0);
 	$interface = physical_name $interface;
 	$source = "iif $interface from $source";
    } elsif (  $source =~ /:.*:/ || $source =~ /\..*\..*/ ) {
-	validate_net ( $source, 0 );
+	$source = validate_net ( $source, 0 );
 	$source = "from $source";
    } else {
 	$source = 'iif ' . physical_name $source;
@@ -1012,7 +1020,7 @@ sub add_a_route( ) {
    }

    fatal_error 'DEST must be specified' if $dest eq '-';
-    validate_net ( $dest, 1 );
+    $dest = validate_net ( $dest, 1 );

    validate_address ( $gateway, 1 ) if $gateway ne '-';

@@ -1200,11 +1208,13 @@ sub process_providers( $ ) {
    }

    if ( $providers ) {
+	fatal_error q(Either all 'fallback' providers must specify a weight or non of them can specify a weight) if $fallback && $metrics;
+
 	my $fn = open_file( 'route_rules' );

 	if ( $fn ){
 	    if ( -f ( my $fn1 = find_file 'rtrules' ) ) {
-		warning_message "Both $fn and $fn1 exists: $fn1 will be ignored";
+		warning_message "Both $fn and $fn1 exist: $fn1 will be ignored";
 	    }
 	} else {
 	    $fn = open_file( 'rtrules' );
@@ -1312,6 +1322,10 @@ EOF

 }

+sub have_providers() {
+    return our $providers;
+}
+
 sub setup_providers() {
    our $providers;

--- a/Shorewall/Perl/Shorewall/Raw.pm
+++ b/Shorewall/Perl/Shorewall/Raw.pm
@@ -20,7 +20,7 @@
 #       along with this program; if not, write to the Free Software
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
-#   This module contains the code that handles the /etc/shorewall/notrack file.
+#   This module contains the code that handles the /etc/shorewall/conntrack file.
 #
 package Shorewall::Raw;
 require Exporter;
@@ -32,8 +32,8 @@ use Shorewall::Chains qw(:DEFAULT :internal);
 use strict;

 our @ISA = qw(Exporter);
-our @EXPORT = qw( setup_notrack );
-our @EXPORT_OK = qw( );
+our @EXPORT = qw( setup_conntrack );
+our @EXPORT_OK = qw( handle_helper_rule );
 our $VERSION = 'MODULEVERSION';

 my %valid_ctevent = ( new => 1, related => 1, destroy => 1, reply => 1, assured => 1, protoinfo => 1, helper => 1, mark => 1, natseqinfo => 1, secmark => 1 );
@@ -41,54 +41,89 @@ my %valid_ctevent = ( new => 1, related => 1, destroy => 1, reply => 1, assured
 #
 # Notrack
 #
-sub process_notrack_rule( $$$$$$$ ) {
+sub process_conntrack_rule( $$$$$$$$$ ) {

-    my ($action, $source, $dest, $proto, $ports, $sports, $user ) = @_;
+    my ($chainref, $zoneref, $action, $source, $dest, $proto, $ports, $sports, $user ) = @_;
+
+    require_capability 'RAW_TABLE', 'conntrack rules', '';

    $proto  = ''    if $proto  eq 'any';
    $ports  = ''    if $ports  eq 'any' || $ports  eq 'all';
    $sports = ''    if $sports eq 'any' || $sports eq 'all';

-    ( my $zone, $source) = split /:/, $source, 2;
-    my $zoneref  = find_zone $zone;
-    my $chainref = ensure_raw_chain( notrack_chain $zone );
-    my $restriction = $zoneref->{type} == FIREWALL || $zoneref->{type} == VSERVER ? OUTPUT_RESTRICT : PREROUTE_RESTRICT;
+    my $zone;
+    my $restriction = PREROUTE_RESTRICT;

-    fatal_error 'USER/GROUP is not allowed unless the SOURCE zone is $FW or a Vserver zone' if $user ne '-' && $restriction != OUTPUT_RESTRICT;
-    require_capability 'RAW_TABLE', 'Notrack rules', '';
+    unless ( $chainref ) {
+	#
+	# Entry in the conntrack file
+	#
+	if ( $zoneref ) {
+	    $zone = $zoneref->{name};
+	} else {
+	    ($zone, $source) = split /:/, $source, 2;
+	    $zoneref = find_zone ( $zone );
+	}
+
+	$chainref = ensure_raw_chain( notrack_chain $zone );
+	$restriction = OUTPUT_RESTRICT if $zoneref->{type} == FIREWALL || $zoneref->{type} == VSERVER;
+	fatal_error 'USER/GROUP is not allowed unless the SOURCE zone is $FW or a Vserver zone' if $user ne '-' && $restriction != OUTPUT_RESTRICT;
+    }

    my $target = $action;
    my $exception_rule = '';
    my $rule = do_proto( $proto, $ports, $sports ) . do_user ( $user );

-    unless ( $action eq 'NOTRACK' ) {
+    if ( $action eq 'NOTRACK' ) {
+	#
+	# A patch that deimplements the NOTRACK target has been posted on the
+	# Netfilter development list
+	#
+	$action = 'CT --notrack' if have_capability 'CT_TARGET';
+    } else {
 	(  $target, my ( $option, $args, $junk ) ) = split ':', $action, 4;

 	fatal_error "Invalid notrack ACTION ( $action )" if $junk || $target ne 'CT';

-	require_capability 'CT_TARGET', 'CT entries in the notrack file', '';
+	require_capability 'CT_TARGET', 'CT entries in the conntrack file', '';

 	if ( $option eq 'notrack' ) {
-	    fatal_error "Invalid notrack ACTION ( $action )" if supplied $args;
+	    fatal_error "Invalid conntrack ACTION ( $action )" if supplied $args;
 	    $action = 'CT --notrack';
 	} else {
 	    fatal_error "Invalid or missing CT option and arguments" unless supplied $option && supplied $args;

 	    if ( $option eq 'helper' ) {
-		fatal_error "Invalid helper' ($args)" if $args =~ /,/;
-		validate_helper( $args, $proto );
-		$action = "CT --helper $args";
-		$exception_rule = do_proto( $proto, '-', '-' );
-	    } elsif ( $option eq 'ctevents' ) {
-		for ( split ',', $args ) {
-		    fatal_error "Invalid 'ctevents' event ($_)" unless $valid_ctevent{$_};
+		my $modifiers = '';
+
+		if ( $args =~ /^([-\w.]+)\((.+)\)$/ ) {
+		    $args      = $1;
+		    $modifiers = $2;
 		}

-		$action = "CT --ctevents $args";
-	    } elsif ( $option eq 'expevent' ) {
-		fatal_error "Invalid expevent argument ($args)" unless $args eq 'new';
-	    } elsif ( $option eq 'zone' ) {
-		fatal_error "Invalid zone id ($args)" unless $args =~ /^\d+$/;
+		fatal_error "Invalid helper' ($args)" if $args =~ /,/;
+		validate_helper( $args, $proto );
+		$action = "CT --helper $helpers_aliases{$args}";
+		$exception_rule = do_proto( $proto, '-', '-' );
+
+		for my $mod ( split_list1( $modifiers, 'ctevents' ) ) {
+		    fatal_error "Invalid helper option ($mod)" unless $mod =~ /^(\w+)=(.+)$/;
+		    $mod    = $1;
+		    my $val = $2;
+		    
+		    if ( $mod eq 'ctevents' ) {
+			for ( split_list( $val, 'ctevents' ) ) {
+			    fatal_error "Invalid 'ctevents' event ($_)" unless $valid_ctevent{$_};
+			}
+
+			$action .= " --ctevents $val";
+		    } elsif ( $mod eq 'expevents' ) {
+			fatal_error "Invalid expevent argument ($val)" unless $val eq 'new';
+			$action .= ' --expevents new';
+		    } else {
+			fatal_error "Invalid helper option ($mod)";
+		    }
+		}
 	    } else {
 		fatal_error "Invalid CT option ($option)";
 	    }
@@ -106,9 +141,60 @@ sub process_notrack_rule( $$$$$$$ ) {
 		 $target ,
 		 $exception_rule );

-    progress_message "  Notrack rule \"$currentline\" $done";
+    progress_message "  Conntrack rule \"$currentline\" $done";
+}

-    $globals{UNTRACKED} = 1;
+sub handle_helper_rule( $$$$$$$$$$$ ) {
+    my ( $helper, $source, $dest, $proto, $ports, $sports, $sourceref, $action_target, $actionchain, $user, $rule ) = @_;
+
+    if ( $helper ne '-' ) {
+	fatal_error "A HELPER is not allowed with this ACTION" if $action_target;
+	#
+	# This means that an ACCEPT or NAT rule with a helper is being processed
+	#
+	process_conntrack_rule( $actionchain ? ensure_raw_chain( $actionchain ) : undef ,
+				$sourceref ,
+				"CT:helper:$helper",
+				$source ,
+				$dest ,
+				$proto ,
+				$ports ,
+				$sports ,
+				$user );
+    } else {
+	assert( $action_target );
+	#
+	# The target is an action
+	#
+	if ( $actionchain ) {
+	    #
+	    # And the source is another action chain
+	    #
+	    expand_rule( ensure_raw_chain( $actionchain ) ,
+			 PREROUTE_RESTRICT ,
+			 $rule ,
+			 $source ,
+			 $dest ,
+			 '' ,
+			 $action_target ,
+			 '',
+			 'CT' ,
+			 '' );
+	} else {
+	    expand_rule( ensure_raw_chain( notrack_chain( $sourceref->{name} ) ) ,
+			 ( $sourceref->{type} == FIREWALL || $sourceref->{type} == VSERVER ?
+			   OUTPUT_RESTRICT :
+			   PREROUTE_RESTRICT ) ,
+			 $rule ,
+			 $source ,
+			 $dest ,
+			 '' ,
+			 $action_target ,
+			 '' ,
+			 'CT' ,
+			 '' );
+	}
+    }
 }

 sub process_format( $ ) {
@@ -119,51 +205,72 @@ sub process_format( $ ) {
    $format;
 }

-sub setup_notrack() {
+sub setup_conntrack() {

-    my $format = 1;
-    my $action = 'NOTRACK';
+    for my $name ( qw/notrack conntrack/ ) {

-    if ( my $fn = open_file 'notrack' ) {
+	my $fn = open_file( $name );

-	first_entry "$doing $fn...";
+	if ( $fn ) {

-	my $nonEmpty = 0;
+	    my $format = 1;

-	while ( read_a_line( NORMAL_READ ) ) {
-	    my ( $source, $dest, $proto, $ports, $sports, $user );
+	    my $action = 'NOTRACK';

-	    if ( $format == 1 ) {
-		( $source, $dest, $proto, $ports, $sports, $user ) = split_line1 'Notrack File', { source => 0, dest => 1, proto => 2, dport => 3, sport => 4, user => 5 };
+	    my $empty = 1;

-		if ( $source eq 'FORMAT' ) {
-		    $format = process_format( $dest );
-		    next;
-		}
+	    first_entry( "$doing $fn..." );

-		if ( $source eq 'COMMENT' ) {
-		    process_comment;
-		    next;
-		}
-	    } else {
-		( $action, $source, $dest, $proto, $ports, $sports, $user ) = split_line1 'Notrack File', { action => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5, user => 6 }, { COMMENT => 0, FORMAT => 2 };
+	    while ( read_a_line( NORMAL_READ ) ) {
+		my ( $source, $dest, $proto, $ports, $sports, $user );

-		if ( $action eq 'FORMAT' ) {
-		    $format = process_format( $source );
-		    $action = 'NOTRACK';
-		    next;
+		if ( $format == 1 ) {
+		    ( $source, $dest, $proto, $ports, $sports, $user ) = split_line1 'Conntrack File', { source => 0, dest => 1, proto => 2, dport => 3, sport => 4, user => 5 };
+
+		    if ( $source eq 'FORMAT' ) {
+			$format = process_format( $dest );
+			next;
+		    }
+		} else {
+		    ( $action, $source, $dest, $proto, $ports, $sports, $user ) = split_line1 'Conntrack File', { action => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5, user => 6 }, { COMMENT => 0, FORMAT => 2 };
+
+		    if ( $action eq 'FORMAT' ) {
+			$format = process_format( $source );
+			$action = 'NOTRACK';
+			next;
+		    }
 		}

 		if ( $action eq 'COMMENT' ) {
 		    process_comment;
 		    next;
 		}
+
+		$empty = 0;
+
+		if ( $source eq 'all' ) {
+		    for my $zone (all_zones) {
+			process_conntrack_rule( undef, undef, $action, $zone, $dest, $proto, $ports, $sports, $user );
+		    }
+		} else {
+		    process_conntrack_rule( undef, undef, $action, $source, $dest, $proto, $ports, $sports, $user );
+		}
 	    }

-	    process_notrack_rule $action, $source, $dest, $proto, $ports, $sports, $user;
-	}
+	    clear_comment;

-	clear_comment;
+	    if ( $name eq 'notrack') {
+		if ( $empty ) {
+		    if ( unlink( $fn ) ) {
+			warning_message "Empty notrack file ($fn) removed";
+		    } else {
+			warning_message "Unable to remove empty notrack file ($fn): $!";
+		    }
+		} else {
+		    warning_message "Non-empty notrack file ($fn); please move its contents to the conntrack file";
+		}
+	    }
+	}
    }
 }

--- a/Shorewall/Perl/Shorewall/Rules.pm
+++ b/Shorewall/Perl/Shorewall/Rules.pm
@@ -34,6 +34,7 @@ use Shorewall::Zones;
 use Shorewall::Chains qw(:DEFAULT :internal);
 use Shorewall::IPAddrs;
 use Shorewall::Nat qw(:rules);
+use Shorewall::Raw qw( handle_helper_rule );
 use Scalar::Util 'reftype';

 use strict;
@@ -91,7 +92,9 @@ my %rulecolumns = ( action    =>   0,
 		    connlimit =>  10,
 		    time      =>  11,
 		    headers   =>  12,
-		    switch    =>  13 );
+		    switch    =>  13,
+		    helper    =>  14,
+		  );

 use constant { MAX_MACRO_NEST_LEVEL => 5 };

@@ -915,7 +918,7 @@ sub new_action( $$ ) {

    fatal_error "Invalid action name($action)" if reserved_name( $action );

-    $actions{$action} = { actchain => ''  };
+    $actions{$action} = { actchain => '' };

    $targets{$action} = $type;
 }
@@ -1424,7 +1427,7 @@ sub process_actions() {

 }

-sub process_rule1 ( $$$$$$$$$$$$$$$$$ );
+sub process_rule1 ( $$$$$$$$$$$$$$$$$$ );

 #
 # Populate an action invocation chain. As new action tuples are encountered,
@@ -1457,14 +1460,14 @@ sub process_action( $) {

 	while ( read_a_line( NORMAL_READ ) ) {

-	    my ($target, $source, $dest, $proto, $ports, $sports, $origdest, $rate, $user, $mark, $connlimit, $time, $headers, $condition );
+	    my ($target, $source, $dest, $proto, $ports, $sports, $origdest, $rate, $user, $mark, $connlimit, $time, $headers, $condition, $helper );

 	    if ( $format == 1 ) {
 		($target, $source, $dest, $proto, $ports, $sports, $rate, $user, $mark ) =
 		    split_line1 'action file', { target => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5, rate => 6, user => 7, mark => 8 }, $rule_commands;
-		$origdest = $connlimit = $time = $headers = $condition = '-';
+		$origdest = $connlimit = $time = $headers = $condition = $helper = '-';
 	    } else {
-		($target, $source, $dest, $proto, $ports, $sports, $origdest, $rate, $user, $mark, $connlimit, $time, $headers, $condition )
+		($target, $source, $dest, $proto, $ports, $sports, $origdest, $rate, $user, $mark, $connlimit, $time, $headers, $condition, $helper )
 		    = split_line1 'action file', \%rulecolumns, $action_commands;
 	    }

@@ -1502,6 +1505,7 @@ sub process_action( $) {
 			   $time,
 			   $headers,
 			   $condition,
+			   $helper,
 			   0 );
 	}

@@ -1531,8 +1535,8 @@ sub use_policy_action( $ ) {
 #
 # Expand a macro rule from the rules file
 #
-sub process_macro ( $$$$$$$$$$$$$$$$$$ ) {
-    my ($macro, $chainref, $target, $param, $source, $dest, $proto, $ports, $sports, $origdest, $rate, $user, $mark, $connlimit, $time, $headers, $condition, $wildcard ) = @_;
+sub process_macro ( $$$$$$$$$$$$$$$$$$$) {
+    my ($macro, $chainref, $target, $param, $source, $dest, $proto, $ports, $sports, $origdest, $rate, $user, $mark, $connlimit, $time, $headers, $condition, $helper, $wildcard ) = @_;

    my $nocomment = no_comment;

@@ -1550,13 +1554,13 @@ sub process_macro ( $$$$$$$$$$$$$$$$$$ ) {

    while ( read_a_line( NORMAL_READ ) ) {

-	my ( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $morigdest, $mrate, $muser, $mmark, $mconnlimit, $mtime, $mheaders, $mcondition );
+	my ( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $morigdest, $mrate, $muser, $mmark, $mconnlimit, $mtime, $mheaders, $mcondition, $mhelper);

 	if ( $format == 1 ) {
 	    ( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $mrate, $muser ) = split_line1 'macro file', \%rulecolumns, $rule_commands;
-	    ( $morigdest, $mmark, $mconnlimit, $mtime, $mheaders, $mcondition ) = qw/- - - - - -/;
+	    ( $morigdest, $mmark, $mconnlimit, $mtime, $mheaders, $mcondition, $mhelper ) = qw/- - - - - - -/;
 	} else {
-	    ( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $morigdest, $mrate, $muser, $mmark, $mconnlimit, $mtime, $mheaders, $mcondition ) = split_line1 'macro file', \%rulecolumns, $rule_commands;
+	    ( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $morigdest, $mrate, $muser, $mmark, $mconnlimit, $mtime, $mheaders, $mcondition, $mhelper ) = split_line1 'macro file', \%rulecolumns, $rule_commands;
 	}

 	fatal_error 'TARGET must be specified' if $mtarget eq '-';
@@ -1590,7 +1594,7 @@ sub process_macro ( $$$$$$$$$$$$$$$$$$ ) {

 	my $actiontype = $targets{$action} || find_macro( $action );

-	fatal_error "Invalid Action ($mtarget) in macro" unless $actiontype & ( ACTION +  STANDARD + NATRULE + MACRO + CHAIN );
+	fatal_error( "Invalid Action ($mtarget) in macro", $actiontype ) unless $actiontype & ( ACTION + STANDARD + NATRULE + MACRO + CHAIN );

 	if ( $msource ) {
 	    if ( $msource eq '-' ) {
@@ -1635,6 +1639,7 @@ sub process_macro ( $$$$$$$$$$$$$$$$$$ ) {
 				    merge_macro_column( $mtime,      $time ),
 				    merge_macro_column( $mheaders,   $headers ),
 				    merge_macro_column( $mcondition, $condition ),
+				    merge_macro_column( $mhelper,    $helper ),
 				    $wildcard
 				   );

@@ -1667,7 +1672,7 @@ sub verify_audit($;$$) {
 # Similarly, if a new action tuple is encountered, this function is called recursively for each rule in the action
 # body. In this latter case, a reference to the tuple's chain is passed in the first ($chainref) argument.
 #
-sub process_rule1 ( $$$$$$$$$$$$$$$$$ ) {
+sub process_rule1 ( $$$$$$$$$$$$$$$$$$ ) {
    my ( $chainref,   #reference to Action Chain if we are being called from process_action(); undef otherwise
 	 $target,
 	 $current_param,
@@ -1684,6 +1689,7 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$$ ) {
 	 $time,
 	 $headers,
 	 $condition,
+	 $helper,
 	 $wildcard ) = @_;

    my ( $action, $loglevel)    = split_action $target;
@@ -1735,6 +1741,7 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$$ ) {
 				       $time,
 				       $headers,
 				       $condition,
+				       $helper,
 				       $wildcard );

 	$macro_nest_level--;
@@ -1776,12 +1783,13 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$$ ) {
 	    #
 	    process_action( $ref );
 	    #
-	    # Processing the action may determine that the action or one of it's dependents does NAT, so:
+	    # Processing the action may determine that the action or one of it's dependents does NAT or HELPER, so:
 	    #
 	    #    - Refresh $actiontype
-	    #    - Create the associate nat table chain if appropriate.
+	    #    - Create the associated nat and/or table chain if appropriate.
 	    #
 	    ensure_chain( 'nat', $ref->{name} ) if ( $actiontype = $targets{$basictarget} ) & NATRULE;
+	    ensure_chain( 'raw', $ref->{name} ) if ( $actiontype & HELPER );
 	}

 	$action = $basictarget; # Remove params, if any, from $action.
@@ -1796,6 +1804,10 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$$ ) {
 	$targets{$inaction} |= NATRULE if $inaction;
 	fatal_error "NAT rules are only allowed in the NEW section" unless $section eq 'NEW';
    }
+
+    if ( $actiontype & HELPER ) {
+	fatal_error "HELPER rules are only allowed in the NEW section" unless $section eq 'NEW';
+    }
    #
    # Take care of irregular syntax and targets
    #
@@ -1806,37 +1818,51 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$$ ) {

 	$bt =~ s/[-+!]$//;

-	my %functions = ( ACCEPT => sub() { $action = 'RETURN' if $blacklist; } ,
+	my %functions =
+	    ( ACCEPT => sub() { 
+		  if ( $blacklist ) {
+		      $action = 'RETURN';
+		  } elsif ( $helper ne '-' ) {
+		      $actiontype |= HELPER if $section eq 'NEW';
+		  }
+	      } ,
+	      
+	      REDIRECT => sub () {
+		  my $z = $actiontype & NATONLY ? '' : firewall_zone;
+		  if ( $dest eq '-' ) {
+		      $dest = $inaction ? '' : join( '', $z, '::' , $ports =~ /[:,]/ ? '' : $ports );
+		  } elsif ( $inaction ) {
+		      $dest = ":$dest";
+		  } else {
+		      $dest = join( '', $z, '::', $dest ) unless $dest =~ /^[^\d].*:/;
+		  }
+	      } ,

-			  REDIRECT => sub () {
-			      my $z = $actiontype & NATONLY ? '' : firewall_zone;
-			      if ( $dest eq '-' ) {
-				  $dest = $inaction ? '' : join( '', $z, '::' , $ports =~ /[:,]/ ? '' : $ports );
-			      } elsif ( $inaction ) {
-				  $dest = ":$dest";
-			      } else {
-				  $dest = join( '', $z, '::', $dest ) unless $dest =~ /^[^\d].*:/;
-			      }
-			  } ,
+	      REJECT => sub { $action = 'reject'; } ,

-			  REJECT => sub { $action = 'reject'; } ,
+	      CONTINUE => sub { $action = 'RETURN'; } ,

-			  CONTINUE => sub { $action = 'RETURN'; } ,
+	      WHITELIST => sub {
+		  fatal_error "'WHITELIST' may only be used in the blrules file" unless $blacklist;
+		  $action = 'RETURN';
+	      } ,

-			  WHITELIST => sub {
-			      fatal_error "'WHITELIST' may only be used in the blrules file" unless $blacklist;
-			      $action = 'RETURN';
-			  } ,
+	      COUNT => sub { $action = ''; } ,

-			  COUNT => sub { $action = ''; } ,
+	      LOG => sub { fatal_error 'LOG requires a log level' unless supplied $loglevel; } ,

-			  LOG => sub { fatal_error 'LOG requires a log level' unless supplied $loglevel; } ,
-		     );
+	      HELPER => sub { 
+		  fatal_error "HELPER requires require that the helper be specified in the HELPER column" if $helper eq '-';
+		  fatal_error "HELPER rules may only appear in the NEW section" unless $section eq 'NEW';
+		  $action = ''; } ,
+	    );

 	my $function = $functions{ $bt };

 	if ( $function ) {
 	    $function->();
+	} elsif ( $actiontype & NATRULE && $helper ne '-' ) {
+	    $actiontype |= HELPER;
 	} elsif ( $actiontype & SET ) {
 	    my %xlate = ( ADD => 'add-set' , DEL => 'del-set' );

@@ -2003,6 +2029,18 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$$ ) {
 		      do_headers( $headers ) ,
 		      do_condition( $condition ) ,
 		    );
+    } elsif ( $section eq 'RELATED' ) {
+	$rule = join( '',
+		      do_proto($proto, $ports, $sports),
+		      do_ratelimit( $ratelimit, $basictarget ) ,
+		      do_user( $user ) ,
+		      do_test( $mark , $globals{TC_MASK} ) ,
+		      do_connlimit( $connlimit ),
+		      do_time( $time ) ,
+		      do_headers( $headers ) ,
+		      do_condition( $condition ) ,
+		      do_helper( $helper ) ,
+		    );
    } else {
 	$rule = join( '',
 		      do_proto($proto, $ports, $sports),
@@ -2020,14 +2058,32 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$$ ) {
 	if ( $config{FASTACCEPT} ) {
 	    fatal_error "Entries in the $section SECTION of the rules file not permitted with FASTACCEPT=Yes" unless
 		$section eq 'BLACKLIST' ||
-		( $section eq 'RELATED' && ( $config{RELATED_DISPOSITION} ne 'ACCEPT' || $config{RELATED_LOG_LEVEL} ) )
-	}
+		    ( $section eq 'RELATED' && ( $config{RELATED_DISPOSITION} ne 'ACCEPT' || $config{RELATED_LOG_LEVEL} ) )
+		}

 	fatal_error "$basictarget rules are not allowed in the $section SECTION" if $actiontype & ( NATRULE | NONAT );
 	$rule .= "$globals{STATEMATCH} $section " unless $section eq 'ALL' || $blacklist;
    }
-
    #
+    # Generate CT rules(s), if any
+    #
+    if ( $actiontype & HELPER ) {
+	handle_helper_rule( $helper,
+			    $source,
+			    $origdest ? $origdest : $dest,
+			    $proto,
+			    $ports,
+			    $sports,
+			    $sourceref,
+			    ( $actiontype & ACTION ) ? $usedactions{$normalized_target}->{name} : '',
+			    $inaction ? $chain : '' ,
+			    $user ,
+			    $rule ,
+			  );
+
+	$targets{$inaction} |= HELPER if $inaction; 
+    }
+
    # Generate NAT rule(s), if any
    #
    if ( $actiontype & NATRULE ) {
@@ -2048,8 +2104,9 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$$ ) {
 				     $rule,
 				     $source,
 				     ( $actiontype & ACTION ) ? '' : $loglevel,
-				     $log_action
-				   );		 
+				     $log_action,
+				   );
+
 	#
 	# After NAT:
 	#   - the destination port will be the server port ($ports) -- we did that above
@@ -2068,6 +2125,7 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$$ ) {
 	    $loglevel = '';
 	    $action   = 'ACCEPT';
 	    $origdest = ALLIP if  $origdest =~ /[+]/;
+	    $helper   = '-';
 	}
    } elsif ( $actiontype & NONAT ) {
 	#
@@ -2223,7 +2281,7 @@ sub build_zone_list( $$$\$\$ ) {
 # Process a Record in the rules file
 #
 sub process_rule ( ) {
-    my ( $target, $source, $dest, $protos, $ports, $sports, $origdest, $ratelimit, $user, $mark, $connlimit, $time, $headers, $condition )
+    my ( $target, $source, $dest, $protos, $ports, $sports, $origdest, $ratelimit, $users, $mark, $connlimit, $time, $headers, $condition, $helper )
 	= split_line1 'rules file', \%rulecolumns, $rule_commands;

    fatal_error 'ACTION must be specified' if $target eq '-';
@@ -2249,6 +2307,7 @@ sub process_rule ( ) {
    my @source    = build_zone_list ( $fw, $source, 'SOURCE', $intrazone, $wild );
    my @dest      = build_zone_list ( $fw, $dest,   'DEST'  , $intrazone, $wild );
    my @protos    = split_list1 $protos, 'Protocol';
+    my @users     = split_list1 $users, 'USER/GROUP';
    my $generated = 0;

    fatal_error "Invalid or missing ACTION ($target)" unless defined $action;
@@ -2264,23 +2323,26 @@ sub process_rule ( ) {
 	    $destzone = $action =~ /^REDIRECT/ ? $fw : '' unless defined_zone $destzone;
 	    if ( ! $wild || $intrazone || ( $sourcezone ne $destzone ) ) {
 		for my $proto ( @protos ) {
-		    $generated |= process_rule1( undef,
-						 $target,
-						 '',
-						 $source,
-						 $dest,
-						 $proto,
-						 $ports,
-						 $sports,
-						 $origdest,
-						 $ratelimit,
-						 $user,
-						 $mark,
-						 $connlimit,
-						 $time,
-						 $headers,
-						 $condition,
-						 $wild );
+		    for my $user ( @users ) {
+			$generated |= process_rule1( undef,
+						     $target,
+						     '',
+						     $source,
+						     $dest,
+						     $proto,
+						     $ports,
+						     $sports,
+						     $origdest,
+						     $ratelimit,
+						     $user,
+						     $mark,
+						     $connlimit,
+						     $time,
+						     $headers,
+						     $condition,
+						     $helper,
+						     $wild );
+		    }
 		}
 	    }
 	}
@@ -2304,48 +2366,49 @@ sub classic_blacklist() {
    my $fw       = firewall_zone;
    my @zones    = off_firewall_zones;
    my @vservers = vserver_zones;
-    my @state = $config{BLACKLISTNEWONLY} ? $globals{UNTRACKED} ? state_imatch 'NEW,INVALID,UNTRACKED' : state_imatch 'NEW,INVALID' : ();
+    my @state = $config{BLACKLISTNEWONLY} ? have_capability( 'RAW_TABLE' ) ? state_imatch 'NEW,INVALID,UNTRACKED' : state_imatch 'NEW,INVALID' : ();
    my $result;

    for my $zone ( @zones ) {
 	my $zoneref = find_zone( $zone );
 	my $simple  =  @zones <= 2 && ! $zoneref->{complex};

-	if ( $zoneref->{options}{in}{blacklist} ) {
-	    my $blackref = $filter_table->{blacklst};
-	    add_ijump ensure_rules_chain( rules_chain( $zone, $_ ) ) , j => $blackref , @state for firewall_zone, @vservers;
+	if ( my $blackref = $filter_table->{blacklst} ) {
+	    if ( $zoneref->{options}{in}{blacklist} ) {
+		add_ijump ensure_rules_chain( rules_chain( $zone, $_ ) ) , j => $blackref , @state for firewall_zone, @vservers;

-	    if ( $simple ) {
-		#
-		# We won't create a zone forwarding chain for this zone so we must add blacklisting jumps to the rules chains
-		#
-		for my $zone1 ( @zones ) {
-		    my $ruleschain    = rules_chain( $zone, $zone1 );
+		if ( $simple ) {
+		    #
+		    # We won't create a zone forwarding chain for this zone so we must add blacklisting jumps to the rules chains
+		    #
+		    for my $zone1 ( @zones ) {
+			my $ruleschain    = rules_chain( $zone, $zone1 );
+			my $ruleschainref = $filter_table->{$ruleschain};
+
+			if ( $zone ne $zone1 || intrazone_allowed( $zone, $zoneref ) ) {
+			    add_ijump( ensure_rules_chain( $ruleschain ), j => $blackref, @state );
+			}
+		    }
+		}
+
+		$result = 1;
+	    }
+
+	    if ( $zoneref->{options}{out}{blacklist} ) {
+		$blackref = $filter_table->{blackout};
+		add_ijump ensure_rules_chain( rules_chain( firewall_zone, $zone ) ) , j => $blackref , @state;
+
+		for my $zone1 ( @zones, @vservers ) {
+		    my $ruleschain    = rules_chain( $zone1, $zone );
 		    my $ruleschainref = $filter_table->{$ruleschain};

-		    if ( $zone ne $zone1 || intrazone_allowed( $zone, $zoneref ) ) {
+		    if ( ( $zone ne $zone1 || intrazone_allowed( $zone, $zoneref ) ) ) {
 			add_ijump( ensure_rules_chain( $ruleschain ), j => $blackref, @state );
 		    }
 		}
+
+		$result = 1;
 	    }
-
-	    $result = 1;
-	}
-
-	if ( $zoneref->{options}{out}{blacklist} ) {
-	    my $blackref = $filter_table->{blackout};
-	    add_ijump ensure_rules_chain( rules_chain( firewall_zone, $zone ) ) , j => $blackref , @state;
-
-	    for my $zone1 ( @zones, @vservers ) {
-		my $ruleschain    = rules_chain( $zone1, $zone );
-		my $ruleschainref = $filter_table->{$ruleschain};
-
-		if ( ( $zone ne $zone1 || intrazone_allowed( $zone, $zoneref ) ) ) {
-		    add_ijump( ensure_rules_chain( $ruleschain ), j => $blackref, @state );
-		}
-	    }
-
-	    $result = 1;
 	}

 	unless ( $simple ) {
@@ -2354,7 +2417,7 @@ sub classic_blacklist() {
 	    #
 	    my $frwd_ref = new_standard_chain zone_forward_chain( $zone );

-	    add_ijump( $frwd_ref , j => $filter_table->{blacklst}, @state ) if $zoneref->{options}{in}{blacklist};
+	    add_ijump( $frwd_ref , j => $filter_table->{blacklst}, @state ) if $filter_table->{blacklst} && $zoneref->{options}{in}{blacklist};
 	}
    }

@@ -2401,6 +2464,8 @@ sub process_rules( $ ) {
 		   );

 	process_rule while read_a_line( NORMAL_READ );
+
+	clear_comment;
    }

    $section = '';
--- a/Shorewall/Perl/Shorewall/Tc.pm
+++ b/Shorewall/Perl/Shorewall/Tc.pm
@@ -372,7 +372,11 @@ sub process_tc_rule( ) {

 					  if ( supplied $ip ) {
 					      if ( $family == F_IPV6 ) {
-						  $ip = $1 if $ip =~ /^\[(.+)\]$/ || $ip =~ /^<(.+)>$/;
+						  if ( $ip =~ /^\[(.+)\]$/ || $ip =~ /^<(.+)>$/ ) {
+						      $ip = $1;
+						  } elsif ( $ip =~ /^\[(.+)\]\/(\d+)$/ ) {
+						      $ip = join( $1, $2 );
+						  }
 					      }

 					      validate_address $ip, 1;
@@ -384,15 +388,21 @@ sub process_tc_rule( ) {
 		       TTL => sub() {
 			                  fatal_error "TTL is not supported in IPv6 - use HL instead" if $family == F_IPV6;
 					  fatal_error "Invalid TTL specification( $cmd/$rest )" if $rest;
-					  fatal_error "Chain designator $designator not allowed with TTL" if $designator && ! ( $designator eq 'F' );
-
 					  $chain = 'tcfor';

-					  $cmd =~ /^TTL\(([-+]?\d+)\)$/;
+					  if ( $designator ) {
+					      if ( $designator eq 'P' ) {
+						  $chain = 'tcpre';
+					      } else {
+						  fatal_error "Chain designator $designator not allowed with TTL" if $designator ne 'F';
+					      }
+					  }
+
+					  $cmd =~ /^TTL\(([-+]?(\d+))\)$/;

 					  my $param =  $1;

-					  fatal_error "Invalid TTL specification( $cmd )" unless $param && ( $param = abs $param ) < 256;
+					  fatal_error "Invalid TTL specification( $cmd )" unless supplied( $1 ) && ( $1 eq $2 || $2 != 0 ) && ( $param = abs $param ) < 256;

 					  if ( $1 =~ /^\+/ ) {
 					      $target .= " --ttl-inc $param";
@@ -405,15 +415,22 @@ sub process_tc_rule( ) {
 		       HL => sub() {
 			                  fatal_error "HL is not supported in IPv4 - use TTL instead" if $family == F_IPV4;
 					  fatal_error "Invalid HL specification( $cmd/$rest )" if $rest;
-					  fatal_error "Chain designator $designator not allowed with HL" if $designator && ! ( $designator eq 'F' );
-
 					  $chain = 'tcfor';

-					  $cmd =~ /^HL\(([-+]?\d+)\)$/;
+
+					  if ( $designator ) {
+					      if ( $designator eq 'P' ) {
+						  $chain = 'tcpre';
+					      } else {
+						  fatal_error "Chain designator $designator not allowed with HL" if $designator ne 'F';
+					      }
+					  }
+
+					  $cmd =~ /^HL\(([-+]?(\d+))\)$/;

 					  my $param =  $1;

-					  fatal_error "Invalid HL specification( $cmd )" unless $param && ( $param = abs $param ) < 256;
+					  fatal_error "Invalid HL specification( $cmd )" unless supplied( $1 ) && ( $1 eq $2 || $2 != 0 ) && ( $param = abs $param ) < 256;

 					  if ( $1 =~ /^\+/ ) {
 					      $target .= " --hl-inc $param";
@@ -820,8 +837,9 @@ sub process_simple_device() {
    }

    for ( my $i = 1; $i <= 3; $i++ ) {
+	my $prio = 16 | $i;
 	emit "run_tc qdisc add dev $physical parent $number:$i handle ${number}${i}: sfq quantum 1875 limit 127 perturb 10";
-	emit "run_tc filter add dev $physical protocol all prio 2 parent $number: handle $i fw classid $number:$i";
+	emit "run_tc filter add dev $physical protocol all prio $prio parent $number: handle $i fw classid $number:$i";
 	emit "run_tc filter add dev $physical protocol all prio 1 parent ${number}$i: handle ${number}${i} flow hash keys $type divisor 1024" if $type ne '-' && have_capability 'FLOW_FILTER';
 	emit '';
    }
@@ -853,6 +871,8 @@ sub process_simple_device() {
    progress_message "  Simple tcdevice \"$currentline\" $done.";
 }

+my %validlinklayer = ( ethernet => 1, atm => 1, adsl => 1 );
+
 sub validate_tc_device( ) {
    my ( $device, $inband, $outband , $options , $redirected ) = split_line 'tcdevices', { interface => 0, in_bandwidth => 1, out_bandwidth => 2, options => 3, redirect => 4 };

@@ -887,7 +907,8 @@ sub validate_tc_device( ) {
    fatal_error "Duplicate INTERFACE ($device)"    if $tcdevices{$device};
    fatal_error "Invalid INTERFACE name ($device)" if $device =~ /[:+]/;

-    my ( $classify, $pfifo, $flow, $qdisc )  = (0, 0, '', 'htb' );
+    my ( $classify, $pfifo, $flow, $qdisc, $linklayer, $overhead, $mtu, $mpu, $tsize ) = 
+	(0,         0,      '',    'htb',  '',         0,         0,    0,    0);

    if ( $options ne '-' ) {
 	for my $option ( split_list1 $options, 'option' ) {
@@ -903,6 +924,25 @@ sub validate_tc_device( ) {
 		$qdisc = 'hfsc';
 	    } elsif ( $option eq 'htb' ) {
 		$qdisc = 'htb';
+	    } elsif ( $option =~ /^linklayer=([a-z]+)$/ ) {
+		$linklayer = $1;
+		fatal_error "Invalid linklayer ($linklayer)" unless $validlinklayer{ $linklayer };
+	    } elsif ( $option =~ /^overhead=(.+)$/ ) {
+		$overhead = numeric_value( $1 );
+		fatal_error "Invalid overhead ($1)" unless defined $overhead;
+		fatal_error q('overhead' requires 'linklayer') unless $linklayer; 
+	    } elsif ( $option =~ /^mtu=(.+)$/ ) {
+		$mtu = numeric_value( $1 );
+		fatal_error "Invalid mtu ($1)" unless defined $mtu;
+		fatal_error q('mtu' requires 'linklayer') unless $linklayer; 
+	    } elsif ( $option =~ /^mpu=(.+)$/ ) {
+		$mpu = numeric_value( $1 );
+		fatal_error "Invalid mpu ($1)" unless defined $mpu;
+		fatal_error q('mpu' requires 'linklayer') unless $linklayer;
+	    } elsif ( $option =~ /^tsize=(.+)$/ ) {
+		$tsize = numeric_value( $1 );
+		fatal_error "Invalid tsize ($1)" unless defined $tsize;
+		fatal_error q('tsize' requires 'linklayer') unless $linklayer; 
 	    } else {
 		fatal_error "Unknown device option ($option)";
 	    }
@@ -941,7 +981,13 @@ sub validate_tc_device( ) {
 			    guarantee     => 0,
 			    name          => $device,
 			    physical      => physical_name $device,
-			    filters       => []
+			    filters       => [],
+			    linklayer     => $linklayer,
+			    overhead      => $overhead,
+			    mtu           => $mtu,
+			    mpu           => $mpu,
+			    tsize         => $tsize,
+			    filterpri     => 0,
 			  } ,

    push @tcdevices, $device;
@@ -975,7 +1021,7 @@ sub convert_delay( $ ) {
    my $delay = shift;

    return 0 unless $delay;
-    return $1 if $delay =~ /^(\d+)(ms)?$/;
+    return $1 if $delay =~ /^(\d+(\.\d+)?)(ms)?$/;
    fatal_error "Invalid Delay ($delay)";
 }

@@ -1004,6 +1050,28 @@ sub dev_by_number( $ ) {
    ( $dev , $devref );
 }

+use constant { RED_INTEGER => 1, RED_FLOAT => 2, RED_NONE => 3 };
+
+my %validredoptions = ( min         => RED_INTEGER,
+			max         => RED_INTEGER,
+			limit       => RED_INTEGER,
+			burst       => RED_INTEGER,
+			avpkt       => RED_INTEGER,
+			bandwidth   => RED_INTEGER,
+			probability => RED_FLOAT,
+			ecn         => RED_NONE,
+		      );
+
+sub validate_filter_priority( $$ ) {
+    my ( $priority, $kind ) = @_;
+
+    my $pri = numeric_value( $priority );
+
+    fatal_error "Invalid $kind priority ($priority)" unless defined $pri && $pri > 0 && $pri <= 65535;
+
+    $pri;
+}
+
 sub validate_tc_class( ) {
    my ( $devclass, $mark, $rate, $ceil, $prio, $options ) =
 	split_line 'tcclasses file', { interface => 0, mark => 1, rate => 2, ceil => 3, prio => 4, options => 5 };
@@ -1013,6 +1081,7 @@ sub validate_tc_class( ) {
    my $occurs = 1;
    my $parentclass = 1;
    my $parentref;
+    my $lsceil = 0;

    fatal_error 'INTERFACE must be specified' if $devclass eq '-';
    fatal_error 'CEIL must be specified'      if $ceil eq '-';
@@ -1056,25 +1125,36 @@ sub validate_tc_class( ) {

    my $tcref = $tcclasses{$device};

-    my $markval = 0;
+    if ( $devref->{qdisc} eq 'htb' ) {
+	fatal_error "Invalid PRIO ($prio)" unless defined numeric_value $prio;
+    }
+
+    my $markval  = 0;
+    my $markprio;

    if ( $mark ne '-' ) {
-	if ( $devref->{classify} ) {
-	    warning_message "INTERFACE $device has the 'classify' option - MARK value ($mark) ignored";
+	fatal_error "MARK may not be specified when TC_BITS=0" unless $config{TC_BITS};
+
+	( $mark, my $priority ) = split/:/, $mark, 2;
+
+	if ( supplied $priority ) {
+	    $markprio = validate_filter_priority( $priority, 'mark' );
 	} else {
-	    fatal_error "MARK may not be specified when TC_BITS=0" unless $config{TC_BITS};
+	    fatal_error "Missing mark priority" if $prio eq '-';
+	    $markprio =  ( $prio << 8 ) | 20;
+	    progress_message2 "   Priority of the $device packet mark $mark filter is $markprio";
+	}

-	    $markval = numeric_value( $mark );
-	    fatal_error "Invalid MARK ($markval)" unless defined $markval;
+	$markval = numeric_value( $mark );
+	fatal_error "Invalid MARK ($markval)" unless defined $markval;

-	    fatal_error "Invalid Mark ($mark)" unless $markval <= $globals{TC_MAX};
+	fatal_error "Invalid Mark ($mark)" unless $markval <= $globals{TC_MAX};

-	    if ( $classnumber ) {
-		fatal_error "Duplicate Class NUMBER ($classnumber)" if $tcref->{$classnumber};
-	    } else {
-		$classnumber = $config{TC_BITS} >= 14 ? $devref->{nextclass}++ : hex_value( $devnum . $markval );
-		fatal_error "Duplicate MARK ($mark)" if $tcref->{$classnumber};
-	    }
+	if ( $classnumber ) {
+	    fatal_error "Duplicate Class NUMBER ($classnumber)" if $tcref->{$classnumber};
+	} else {
+	    $classnumber = $config{TC_BITS} >= 14 ? $devref->{nextclass}++ : hex_value( $devnum . $markval );
+	    fatal_error "Duplicate MARK ($mark)" if $tcref->{$classnumber};
 	}
    } else {
 	fatal_error "Duplicate Class NUMBER ($classnumber)" if $tcref->{$classnumber};
@@ -1089,7 +1169,9 @@ sub validate_tc_class( ) {
 	my $parentnum = in_hexp $parentclass;
 	fatal_error "Unknown Parent class ($parentnum)" unless $parentref && $parentref->{occurs} == 1;
 	fatal_error "The class ($parentnum) specifies UMAX and/or DMAX; it cannot serve as a parent" if $parentref->{dmax};
-	fatal_error "The class ($parentnum) specifies flow; it cannot serve as a parent"             if $parentref->{flow};
+	fatal_error "The class ($parentnum) specifies 'flow'; it cannot serve as a parent"           if $parentref->{flow};
+	fatal_error "The class ($parentnum) specifies 'red'; it cannot serve as a parent "           if $parentref->{red};
+	fatal_error "The class ($parentnum) has an 'ls' curve; it cannot serve as a parent "         if $parentref->{lsceil};
 	fatal_error "The default class ($parentnum) may not have sub-classes"                        if ( $devref->{default} || 0 ) == $parentclass;
 	$parentref->{leaf} = 0;
 	$ratemax  = $parentref->{rate};
@@ -1100,16 +1182,27 @@ sub validate_tc_class( ) {

    my ( $umax, $dmax ) = ( '', '' );

+    if ( $ceil =~ /^(.+):(.+)/ ) {
+	fatal_error "An LS rate may only be specified for HFSC classes" unless $devref->{qdisc} eq 'hfsc';
+	$lsceil = $1;
+	$ceil   = $2;
+    }
+
    if ( $devref->{qdisc} eq 'hfsc' ) {
-	( my $trate , $dmax, $umax , my $rest ) = split ':', $rate , 4;
+	if ( $rate eq '-' ) {
+	    fatal_error 'A RATE must be supplied' unless $lsceil;
+	    $rate = 0;
+	} else {
+	    ( my $trate , $dmax, $umax , my $rest ) = split ':', $rate , 4;

-	fatal_error "Invalid RATE ($rate)" if defined $rest;
+	    fatal_error "Invalid RATE ($rate)" if defined $rest;

-	$rate = convert_rate ( $ratemax, $trate, 'RATE', $ratename );
-	$dmax = convert_delay( $dmax );
-	$umax = convert_size( $umax );
-	fatal_error "DMAX must be specified when UMAX is specified" if $umax && ! $dmax;
-	$parentclass ||= 1;
+	    $rate = convert_rate ( $ratemax, $trate, 'RATE', $ratename );
+	    $dmax = convert_delay( $dmax );
+	    $umax = convert_size( $umax );
+	    fatal_error "DMAX must be specified when UMAX is specified" if $umax && ! $dmax;
+	    $parentclass ||= 1;
+	}
    } else {
 	$rate = convert_rate ( $ratemax, $rate, 'RATE' , $ratename );
    }
@@ -1120,15 +1213,15 @@ sub validate_tc_class( ) {
 	warning_message "Total RATE of classes ($devref->{guarantee}kbits) exceeds OUT-BANDWIDTH (${full}kbits)" if ( $devref->{guarantee} += $rate ) > $full;
    }

-    fatal_error "Invalid PRIO ($prio)" unless defined numeric_value $prio;
-
    $tcref->{$classnumber} = { tos       => [] ,
 			       rate      => $rate ,
 			       umax      => $umax ,
 			       dmax      => $dmax ,
-			       ceiling   => convert_rate( $ceilmax, $ceil, 'CEIL' , $ceilname ) ,
-			       priority  => $prio eq '-' ? 1 : $prio ,
+			       ceiling   => $ceil   = ( supplied $ceil   ? convert_rate( $ceilmax, $ceil,   'CEIL'  , $ceilname ) : 0 ),
+			       lsceil    => $lsceil = ( $lsceil          ? convert_rate( $ceilmax, $lsceil, 'LSCEIL', $ceilname ) : 0 ),
+			       priority  => $prio ,
 			       mark      => $markval ,
+			       markprio  => $markprio ,
 			       flow      => '' ,
 			       pfifo     => 0,
 			       occurs    => 1,
@@ -1140,34 +1233,60 @@ sub validate_tc_class( ) {

    $tcref = $tcref->{$classnumber};

-    fatal_error "RATE ($tcref->{rate}) exceeds CEIL ($tcref->{ceiling})" if $tcref->{rate} > $tcref->{ceiling};
+    fatal_error "RATE ($rate) exceeds CEIL ($ceil)" if $rate && $ceil && $rate > $ceil;
+
+    my ( $red, %redopts ) = ( 0, ( avpkt => 1000 ) );

    unless ( $options eq '-' ) {
 	for my $option ( split_list1 "\L$options", 'option' ) {
-	    my $optval = $tosoptions{$option};
+	    my $priority;
+	    my $optval;

-	    $option = "tos=$optval" if $optval;
+	    ( $option, my $pri ) =  split /:/, $option, 2;
+
+	    if ( $option =~ /^tos=(.+)/ || ( $optval = $tosoptions{$option} ) ) {
+
+		if ( supplied $pri ) {
+		    $priority = validate_filter_priority( $pri, 'mark' );
+		} else {
+		    fatal_error "Missing TOS priority" if $prio eq '-';
+		    $priority = ( $prio << 8 ) | 15;
+		    progress_message2 "   Priority of the $device $option filter is $priority";
+		}
+
+		$option = "tos=$optval" if $optval;
+	    } elsif ( supplied $pri ) {
+		$option = join ':', $option, $pri;
+	    }

 	    if ( $option eq 'default' ) {
 		fatal_error "Only one default class may be specified for device $device" if $devref->{default};
 		fatal_error "The $option option is not valid with 'occurs" if $tcref->{occurs} > 1;
 		$devref->{default} = $classnumber;
-	    } elsif ( $option eq 'tcp-ack' ) {
+	    } elsif ( $option =~ /tcp-ack(:(\d+|0x[0-0a-fA-F]))?$/ ) {
 		fatal_error "The $option option is not valid with 'occurs" if $tcref->{occurs} > 1;
-		$tcref->{tcp_ack} = 1;
+		if ( $1 ) {
+		    $tcref->{tcp_ack} = validate_filter_priority( $2, 'tcp-ack' );
+		} else {
+		    fatal_error "Missing tcp-ack priority" if $prio eq '-';
+		    my $ackpri = $tcref->{tcp_ack} =  ( $prio << 8 ) | 10;
+		    progress_message2 "   Priority of the $device tcp-ack filter is $ackpri";
+		}
 	    } elsif ( $option =~ /^tos=0x[0-9a-f]{2}$/ ) {
 		fatal_error "The $option option is not valid with 'occurs" if $tcref->{occurs} > 1;
 		( undef, $option ) = split /=/, $option;
-		push @{$tcref->{tos}}, "$option/0xff";
+		push @{$tcref->{tos}}, "$option/0xff:$priority";
 	    } elsif ( $option =~ /^tos=0x[0-9a-f]{2}\/0x[0-9a-f]{2}$/ ) {
 		fatal_error "The $option option is not valid with 'occurs" if $tcref->{occurs} > 1;
 		( undef, $option ) = split /=/, $option;
-		push @{$tcref->{tos}}, $option;
+		push @{$tcref->{tos}}, "$option:$priority";
 	    } elsif ( $option =~ /^flow=(.*)$/ ) {
 		fatal_error "The 'flow' option is not allowed with 'pfifo'" if $tcref->{pfifo};
+		fatal_error "The 'flow' option is not allowed with 'red'"   if $tcref->{red};
 		$tcref->{flow} = process_flow $1;
 	    } elsif ( $option eq 'pfifo' ) {
-		fatal_error "The 'pfifo'' option is not allowed with 'flow='" if $tcref->{flow};
+		fatal_error "The 'pfifo' option is not allowed with 'flow='" if $tcref->{flow};
+		fatal_error "The 'pfifo' option is not allowed with 'red='"  if $tcref->{red};
 		$tcref->{pfifo} = 1;
 	    } elsif ( $option =~ /^occurs=(\d+)$/ ) {
 		my $val = $1;
@@ -1188,6 +1307,57 @@ sub validate_tc_class( ) {
 		warning_message "limit ignored with pfifo queuing" if $tcref->{pfifo};
 		fatal_error "Invalid limit ($1)" if $1 < 3 || $1 > 128;
 		$tcref->{limit} = $1;
+	    } elsif ( $option =~ s/^red=// ) {
+		fatal_error "The 'red=' option is not allowed with 'flow='" if $tcref->{flow};
+		fatal_error "The 'red=' option is not allowed with 'pfifo'" if $tcref->{pfifo};
+		$tcref->{red} = 1;
+		my $opttype;
+
+		for my $redopt ( split_list( $option , q('red' option list) ) ) {
+		    #
+		    #                            $2  ----------------------
+		    #              $1  ------       | $3 -------           |
+		    #                 |      |      |   |       |          |
+		    if ( $redopt =~ /^([a-z]+) (?:= (   ([01]?\.)?(\d{1,8})) )?$/x ) {
+			fatal_error "Invalid RED option ($1)" unless $opttype = $validredoptions{$1};
+			if ( $2 ) {
+			    #
+			    # '=<value>' supplied
+			    #
+			    fatal_error "The $1 option does not take a value" if $opttype == RED_NONE;
+			    if ( $3 ) {
+				#
+				# fractional value
+				#
+				fatal_error "The $1 option requires an integer value"  if $opttype == RED_INTEGER;
+				fatal_error "The value of $1 must be <= 1" if $2 > 1;
+			    } else {
+				#
+				# Integer value
+				#
+				fatal_error "The $1 option requires a value 0 <= value <= 1" if $opttype == RED_FLOAT;
+			    }
+			} else {
+			    #
+			    # No value supplied
+			    #
+			    fatal_error "The $1 option requires a value" unless $opttype == RED_NONE;
+			}
+
+			$redopts{$1} = $2;
+		    } else {
+			fatal_error "Invalid RED option specification ($redopt)";
+		    }
+		}
+
+		for ( qw/ limit min max avpkt burst probability / ) {
+		    fatal_error "The $_ 'red' option is required" unless $redopts{$_};
+		}
+
+		fatal_error "The 'max' red option must be at least 2 * 'min'"   unless $redopts{max}   >= 2 * $redopts{min};
+		fatal_error "The 'limit' red option must be at least 2 * 'max'" unless $redopts{limit} >= 2 * $redopts{min};
+		$redopts{ecn} = 1 if exists $redopts{ecn};
+		$tcref->{redopts} = \%redopts;
 	    } else {
 		fatal_error "Unknown option ($option)";
 	    }
@@ -1214,11 +1384,14 @@ sub validate_tc_class( ) {
 					       ceiling  => $tcref->{ceiling} ,
 					       priority => $tcref->{priority} ,
 					       mark     => 0 ,
+					       markprio => $markprio ,
 					       flow     => $tcref->{flow} ,
 					       pfifo    => $tcref->{pfifo},
 					       occurs   => 0,
 					       parent   => $parentclass,
 					       limit    => $tcref->{limit},
+					       red      => $tcref->{red},
+					       redopts  => $tcref->{redopts},
 					     };
 	push @tcclasses, "$device:$classnumber";
    };
@@ -1233,7 +1406,7 @@ my %validlengths = ( 32 => '0xffe0', 64 => '0xffc0', 128 => '0xff80', 256 => '0x
 #
 sub process_tc_filter() {

-    my ( $devclass, $source, $dest , $proto, $portlist , $sportlist, $tos, $length ) = split_line 'tcfilters file', { class => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5, tos => 6, length => 7 };
+    my ( $devclass, $source, $dest , $proto, $portlist , $sportlist, $tos, $length, $priority ) = split_line 'tcfilters file', { class => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5, tos => 6, length => 7 , priority => 8 };

    fatal_error 'CLASS must be specified' if $devclass eq '-';

@@ -1243,7 +1416,7 @@ sub process_tc_filter() {

    fatal_error "Invalid INTERFACE:CLASS ($devclass)" if defined $rest || ! ($device && $class );

-    my ( $ip, $ip32, $prio , $lo ) = $family == F_IPV4 ? ('ip', 'ip', 10, 2 ) : ('ipv6', 'ip6', 11 , 4 );
+    my ( $ip, $ip32, $lo ) = $family == F_IPV4 ? ('ip', 'ip', 2 ) : ('ipv6', 'ip6', 4 );

    my $devref;

@@ -1253,6 +1426,18 @@ sub process_tc_filter() {
 	( $device , $devref ) = dev_by_number( $device );
    }

+    my ( $prio, $filterpri ) = ( undef, $devref->{filterpri} );
+
+    if ( $priority eq '-' ) {
+	$prio = ++$filterpri;
+	fatal_error "Filter priority overflow" if $prio > 65535;
+    } else {
+	$prio = validate_filter_priority( $priority, 'filter' );
+	$filterpri = $prio if $prio > $filterpri;
+    }
+
+    $devref->{filterpri} = $filterpri;
+
    my $devnum = in_hexp $devref->{number};

    my $tcref = $tcclasses{$device};
@@ -1550,7 +1735,6 @@ sub process_tc_priority() {
 					   $interface eq '-' &&
 					   $helper    eq '-' );

-
    my $val = numeric_value $band;

    fatal_error "Invalid PRIORITY ($band)" unless $val && $val <= 3;
@@ -1642,7 +1826,7 @@ sub process_tcpri() {
 			);

 	    add_ijump( $mangle_table->{tcpost} ,
-		       j    => 'CONNMARK --save-mark --ctmask '    . in_hex( $globals{TC_MASK} ),
+		       j    => 'CONNMARK --save-mark --mask '    . in_hex( $globals{TC_MASK} ),
 		       mark => '! --mark 0/' . in_hex( $globals{TC_MASK} )
 		     );
 	}
@@ -1711,11 +1895,22 @@ sub process_traffic_shaping() {
 		   "${dev}_mtu1=\$(get_device_mtu1 $device)"
 		 );

+	    my $stab;
+
+	    if ( $devref->{linklayer} ) {
+		$stab =  "stab linklayer $devref->{linklayer} overhead $devref->{overhead} ";
+		$stab .= "mtu $devref->{mtu} "     if $devref->{mtu};
+		$stab .= "mpu $devref->{mpu} "     if $devref->{mpu};
+		$stab .= "tsize $devref->{tsize} " if $devref->{tsize};
+	    } else {
+		$stab = '';
+	    }
+
 	    if ( $devref->{qdisc} eq 'htb' ) {
-		emit ( "run_tc qdisc add dev $device root handle $devnum: htb default $defmark r2q $r2q" ,
+		emit ( "run_tc qdisc add dev $device ${stab}root handle $devnum: htb default $defmark r2q $r2q" ,
 		       "run_tc class add dev $device parent $devnum: classid $devnum:1 htb rate $devref->{out_bandwidth} \$${dev}_mtu1" );
 	    } else {
-		emit ( "run_tc qdisc add dev $device root handle $devnum: hfsc default $defmark" ,
+		emit ( "run_tc qdisc add dev $device ${stab}root handle $devnum: hfsc default $defmark" ,
 		       "run_tc class add dev $device parent $devnum: classid $devnum:1 hfsc sc rate $devref->{out_bandwidth} ul rate $devref->{out_bandwidth}" );
 	    }

@@ -1762,12 +1957,13 @@ sub process_traffic_shaping() {
 		my $mark     = $tcref->{mark};
 		my $devicenumber  = in_hexp $devref->{number};
 		my $classid  = join( ':', $devicenumber, $classnum);
-		my $rate     = "$tcref->{rate}kbit";
+		my $rawrate  = $tcref->{rate};
+		my $rate     = "${rawrate}kbit";
+		my $lsceil   = $tcref->{lsceil};
 		my $quantum  = calculate_quantum $rate, calculate_r2q( $devref->{out_bandwidth} );

-		$classids{$classid}=$device;
+		$classids{$classid}=$devname;

-		my $priority = $tcref->{priority} << 8;
 		my $parent   = in_hexp $tcref->{parent};

 		emit ( "[ \$${dev}_mtu -gt $quantum ] && quantum=\$${dev}_mtu || quantum=$quantum" );
@@ -1776,45 +1972,73 @@ sub process_traffic_shaping() {
 		    emit ( "run_tc class add dev $device parent $devicenumber:$parent classid $classid htb rate $rate ceil $tcref->{ceiling}kbit prio $tcref->{priority} \$${dev}_mtu1 quantum \$quantum" );
 		} else {
 		    my $dmax = $tcref->{dmax};
+		    my $rule = "run_tc class add dev $device parent $devicenumber:$parent classid $classid hfsc";

 		    if ( $dmax ) {
 			my $umax = $tcref->{umax} ? "$tcref->{umax}b" : "\${${dev}_mtu}b";
-			emit ( "run_tc class add dev $device parent $devicenumber:$parent classid $classid hfsc sc umax $umax dmax ${dmax}ms rate $rate ul rate $tcref->{ceiling}kbit" );
+			$rule .= " sc umax $umax dmax ${dmax}ms";
+			$rule .= " rate $rate" if $rawrate;
 		    } else {
-			emit ( "run_tc class add dev $device parent $devicenumber:$parent classid $classid hfsc sc rate $rate ul rate $tcref->{ceiling}kbit" );
+			$rule .= " sc rate $rate" if $rawrate;
 		    }
+
+		    $rule .= " ls rate ${lsceil}kbit" if $lsceil;
+		    $rule .= " ul rate $tcref->{ceiling}kbit" if $tcref->{ceiling};
+
+		    emit $rule;
 		}

-		if ( $tcref->{leaf} && ! $tcref->{pfifo} ) {
-		    1 while $devnums[++$sfq];
+		if ( $tcref->{leaf} ) {
+		    if ( $tcref->{red} ) {
+			1 while $devnums[++$sfq];
+			$sfqinhex = in_hexp( $sfq);

-		    $sfqinhex = in_hexp( $sfq);
-		    if ( $devref->{qdisc} eq 'htb' ) {
-			emit( "run_tc qdisc add dev $device parent $classid handle $sfqinhex: sfq quantum \$quantum limit $tcref->{limit} perturb 10" );
-		    } else {
-			emit( "run_tc qdisc add dev $device parent $classid handle $sfqinhex: sfq limit $tcref->{limit} perturb 10" );
+			my ( $options, $redopts ) = ( '', $tcref->{redopts} );
+
+			while ( my ( $option, $type ) = each %validredoptions ) {
+			    if ( my $value = $redopts->{$option} ) {
+				if ( $type == RED_NONE ) {
+				    $options = join( ' ', $options, $option ) if $value;
+				} else {
+				    $options = join( ' ', $options, $option, $value );
+				}
+			    }
+			}
+
+			emit( "run_tc qdisc add dev $device parent $classid handle $sfqinhex: red${options}" );
+
+		    } elsif ( $tcref->{leaf} && ! $tcref->{pfifo} ) {
+			1 while $devnums[++$sfq];
+
+			$sfqinhex = in_hexp( $sfq);
+			if ( $devref->{qdisc} eq 'htb' ) {
+			    emit( "run_tc qdisc add dev $device parent $classid handle $sfqinhex: sfq quantum \$quantum limit $tcref->{limit} perturb 10" );
+			} else {
+			    emit( "run_tc qdisc add dev $device parent $classid handle $sfqinhex: sfq limit $tcref->{limit} perturb 10" );
+			}
 		    }
 		}
 		#
 		# add filters
 		#
 		unless ( $mark eq '-' ) {
-		    emit "run_tc filter add dev $device protocol all parent $devicenumber:0 prio " . ( $priority | 20 ) . " handle $mark fw classid $classid" if $tcref->{occurs} == 1;
+		    emit "run_tc filter add dev $device protocol all parent $devicenumber:0 prio $tcref->{markprio} handle $mark fw classid $classid" if $tcref->{occurs} == 1;
 		}

 		emit "run_tc filter add dev $device protocol all prio 1 parent $sfqinhex: handle $classnum flow hash keys $tcref->{flow} divisor 1024" if $tcref->{flow};
 		#
 		# options
 		#
-		emit( "run_tc filter add dev $device parent $devicenumber:0 protocol ip prio " . ( $priority | 10 ) . ' u32' .
+		emit( "run_tc filter add dev $device parent $devicenumber:0 protocol ip prio $tcref->{tcp_ack} u32" .
 		      "\\\n    match ip protocol 6 0xff" .
 		      "\\\n    match u8 0x05 0x0f at 0" .
 		      "\\\n    match u16 0x0000 0xffc0 at 2" .
 		      "\\\n    match u8 0x10 0xff at 33 flowid $classid" ) if $tcref->{tcp_ack};

 		for my $tospair ( @{$tcref->{tos}} ) {
+		    ( $tospair, my $priority ) = split /:/, $tospair;
 		    my ( $tos, $mask ) = split q(/), $tospair;
-		    emit "run_tc filter add dev $device parent $devicenumber:0 protocol ip prio " . ( $priority | 10 ) . " u32 match ip tos $tos $mask flowid $classid";
+		    emit "run_tc filter add dev $device parent $devicenumber:0 protocol ip prio $priority u32 match ip tos $tos $mask flowid $classid";
 		}

 		save_progress_message_short qq("   TC Class $classid defined.");
@@ -1856,14 +2080,14 @@ sub process_traffic_shaping() {
 		my $devicenumber  = in_hexp $devref->{number};
 		my $classid  = join( ':', $devicenumber, $classnum);

-		$classids{$classid}=$device;
+		$classids{$classid}=$devname;
 	    }
 	}
    }
 }

 #
-# Validate the TC configuration storing basic information in %tcdevices and %tcdevices
+# Validate the TC configuration storing basic information in %tcdevices and %tcclasses (complex TC only)
 #
 sub process_tc() {
    if ( $config{TC_ENABLED} eq 'Internal' || $config{TC_ENABLED} eq 'Shared' ) {
@@ -2011,10 +2235,10 @@ sub setup_tc() {
 	append_file $globals{TC_SCRIPT};
    } else {
 	process_tcpri if $config{TC_ENABLED} eq 'Simple';
-	setup_traffic_shaping unless $config{TC_ENABLED} eq 'Shared';
+	setup_traffic_shaping if @tcdevices && $config{TC_ENABLED} ne 'Shared';
    }

-    if ( $config{TC_ENABLED} ) {
+    if ( $config{MANGLE_ENABLED} ) {
 	our  @tccmd = ( { match     => sub ( $ ) { $_[0] eq 'SAVE' } ,
 			  target    => 'CONNMARK --save-mark --mask' ,
 			  mark      => $config{TC_EXPERT} ? HIGHMARK : SMALLMARK,
@@ -2108,9 +2332,7 @@ sub setup_tc() {
 	    clear_comment;

 	}
-    }

-    if ( $config{MANGLE_ENABLED} ) {
 	if ( my $fn = open_file 'secmarks' ) {

 	    first_entry "$doing $fn...";
--- a/Shorewall/Perl/Shorewall/Tunnels.pm
+++ b/Shorewall/Perl/Shorewall/Tunnels.pm
@@ -61,7 +61,7 @@ sub setup_tunnels() {
 	    }
 	}

-	my @options = $globals{UNTRACKED} ? state_imatch 'NEW,UNTRACKED' : state_imatch 'NEW';
+	my @options = have_capability( 'RAW_TABLE' ) ? state_imatch 'NEW,UNTRACKED' : state_imatch 'NEW';

 	add_tunnel_rule $inchainref,  p => 50, @$source;
 	add_tunnel_rule $outchainref, p => 50, @$dest;
--- a/Shorewall/Perl/Shorewall/Zones.pm
+++ b/Shorewall/Perl/Shorewall/Zones.pm
@@ -31,66 +31,69 @@ use Shorewall::IPAddrs;
 use strict;

 our @ISA = qw(Exporter);
-our @EXPORT = qw( NOTHING
-		  NUMERIC
-		  NETWORK
-		  IPSECPROTO
-		  IPSECMODE
-		  FIREWALL
-		  VSERVER
-		  IP
-		  BPORT
-		  IPSEC
-		  NO_UPDOWN
-		  NO_SFILTER
+our @EXPORT = ( qw( NOTHING
+		    NUMERIC
+		    NETWORK
+		    IPSECPROTO
+		    IPSECMODE
+		    FIREWALL
+		    VSERVER
+		    IP
+		    BPORT
+		    IPSEC
+		    GROUP
+		    NO_UPDOWN
+		    NO_SFILTER

-		  determine_zones
-		  zone_report
-		  dump_zone_contents
-		  find_zone
-		  firewall_zone
-		  defined_zone
-		  zone_type
-		  zone_interfaces
-		  zone_mark
-		  all_zones
-		  all_parent_zones
-		  complex_zones
-		  vserver_zones
-		  off_firewall_zones
-		  non_firewall_zones
-		  single_interface
-		  chain_base
-		  validate_interfaces_file
-		  all_interfaces
-		  all_real_interfaces
-		  all_plain_interfaces
-		  all_bridges
-		  interface_number
-		  find_interface
-		  known_interface
-		  get_physical
-		  physical_name
-		  have_bridges
-		  port_to_bridge
-		  source_port_to_bridge
-		  interface_is_optional
-		  interface_is_required
-		  find_interfaces_by_option
-		  find_interfaces_by_option1
-		  get_interface_option
-		  interface_has_option
-		  set_interface_option
-		  set_interface_provider
-		  interface_zones
-		  verify_required_interfaces
-		  validate_hosts_file
-		  find_hosts_by_option
-		  find_zone_hosts_by_option
-		  find_zones_by_option
-		  all_ipsets
-		  have_ipsec
-		 );
+		    determine_zones
+		    zone_report
+		    dump_zone_contents
+		    find_zone
+		    firewall_zone
+		    defined_zone
+		    zone_type
+		    zone_interfaces
+		    zone_mark
+		    all_zones
+		    all_parent_zones
+		    complex_zones
+		    vserver_zones
+		    on_firewall_zones
+		    off_firewall_zones
+		    non_firewall_zones
+		    single_interface
+		    chain_base
+		    validate_interfaces_file
+		    all_interfaces
+		    all_real_interfaces
+		    all_plain_interfaces
+		    all_bridges
+		    interface_number
+		    find_interface
+		    known_interface
+		    get_physical
+		    physical_name
+		    have_bridges
+		    port_to_bridge
+		    source_port_to_bridge
+		    interface_is_optional
+		    interface_is_required
+		    find_interfaces_by_option
+		    find_interfaces_by_option1
+		    get_interface_option
+		    interface_has_option
+		    set_interface_option
+		    set_interface_provider
+		    interface_zones
+		    verify_required_interfaces
+		    validate_hosts_file
+		    find_hosts_by_option
+		    find_zone_hosts_by_option
+		    find_zones_by_option
+		    all_ipsets
+		    have_ipsec
+		 ),
+	      );

 our @EXPORT_OK = qw( initialize );
 our $VERSION = 'MODULEVERSION';
@@ -117,7 +120,8 @@ use constant { IN_OUT     => 1,
 #
 #     @zones contains the ordered list of zones with sub-zones appearing before their parents.
 #
-#     %zones{<zone1> => {type =>       <zone type>       FIREWALL, IP, IPSEC, BPORT;
+#     %zones{<zone1> => {name =>       <name>,
+#                        type =>       <zone type>       FIREWALL, IP, IPSEC, BPORT;
 #                        complex =>    0|1
 #                        super   =>    0|1
 #                        options =>    { in_out  => < policy match string >
@@ -299,6 +303,7 @@ sub initialize( $$ ) {
 				  required    => SIMPLE_IF_OPTION,
 				  routeback   => SIMPLE_IF_OPTION + IF_OPTION_ZONEONLY + IF_OPTION_HOST + IF_OPTION_VSERVER,
 				  routefilter => NUMERIC_IF_OPTION ,
+				  rpfilter    => SIMPLE_IF_OPTION,
 				  sfilter     => IPLIST_IF_OPTION,
 				  sourceroute => BINARY_IF_OPTION,
 				  tcpflags    => SIMPLE_IF_OPTION + IF_OPTION_HOST,
@@ -332,6 +337,7 @@ sub initialize( $$ ) {
 				    proxyndp    => BINARY_IF_OPTION,
 				    required    => SIMPLE_IF_OPTION,
 				    routeback   => SIMPLE_IF_OPTION + IF_OPTION_ZONEONLY + IF_OPTION_HOST + IF_OPTION_VSERVER,
+				    rpfilter    => SIMPLE_IF_OPTION,
 				    sfilter     => IPLIST_IF_OPTION,
 				    sourceroute => BINARY_IF_OPTION,
 				    tcpflags    => SIMPLE_IF_OPTION + IF_OPTION_HOST,
@@ -529,6 +535,7 @@ sub process_zone( \$ ) {
    }

    if ( $zoneref->{options}{in_out}{blacklist} ) {
+	warning_message q(The 'blacklist' option is deprecated);
 	for ( qw/in out/ ) {
 	    unless ( $zoneref->{options}{$_}{blacklist} ) {
 		$zoneref->{options}{$_}{blacklist} = 1;
@@ -536,6 +543,10 @@ sub process_zone( \$ ) {
 		warning_message( "Redundant 'blacklist' in " . uc( $_ ) . '_OPTIONS' );
 	    }
 	}
+    } else {
+	for ( qw/in out/ ) {
+	    warning_message q(The 'blacklist' option is deprecated), last if  $zoneref->{options}{$_}{blacklist};
+	}
    }

    return $zone;
@@ -836,6 +847,10 @@ sub all_zones() {
    @zones;
 }

+sub on_firewall_zones() {
+   grep ( ( $zones{$_}{type} & ( FIREWALL | VSERVER ) )  ,  @zones );
+}
+
 sub off_firewall_zones() {
   grep ( ! ( $zones{$_}{type} & ( FIREWALL | VSERVER ) )  ,  @zones );
 }
@@ -1138,7 +1153,7 @@ sub process_interface( $$ ) {
 		    $hostoptions{broadcast} = 1;
 		} elsif ( $option eq 'sfilter' ) {
 		    $filterref = [ split_list $value, 'address' ];
-		    validate_net( $_, 1) for @{$filterref}
+		    $_ = validate_net( $_, 1) for @{$filterref}
 		} else {
 		    assert(0);
 		}
@@ -1160,11 +1175,18 @@ sub process_interface( $$ ) {
 	    }
 	}

-	fatal_error "Invalid combination of interface options"
+	fatal_error q(The 'required', 'optional' and 'ignore' options are mutually exclusive)
 	    if ( ( $options{required} && $options{optional} ) ||
 		 ( $options{required} && $options{ignore}   ) ||
 		 ( $options{optional} && $options{ignore}   ) );

+	if ( $options{rpfilter} ) {
+	    require_capability( 'RPFILTER_MATCH', q(The 'rpfilter' option), 's' ) ;
+	    fatal_error q(The 'routefilter', 'sfilter' and 'rpfilter' options are mutually exclusive) if $options{routefilter} || @$filterref;
+	} else {
+	    fatal_error q(The 'routefilter', 'sfilter' and 'rpfilter' options are mutually exclusive) if $options{routefilter} && @$filterref;
+	}
+
 	if ( supplied( my $ignore = $options{ignore} ) ) {
 	    fatal_error "Invalid value ignore=0" if ! $ignore;
 	} else {
@@ -1622,16 +1644,16 @@ sub verify_required_interfaces( $ ) {
 		my $physical = get_physical $interface;

 		if ( $physical =~ /\+$/ ) {
-		    my $base = uc chain_base $physical;
-
 		    $physical =~ s/\+$/*/;

-		    emit( 'for interface in $(find_all_interfaces); do',
+		    emit( "waittime=$wait",
+			  '',
+			  'for interface in $(find_all_interfaces); do',
 			  '    case $interface in',
 			  "        $physical)",
-			  "            waittime=$wait",
 			  '            while [ $waittime -gt 0 ]; do',
 			  '                interface_is_usable $interface && break',
+			  '                sleep 1',
 			  '                waittime=$(($waittime - 1))',
 			  '            done',
 			  '            ;;',
@@ -1644,8 +1666,8 @@ sub verify_required_interfaces( $ ) {
 		    emit qq(    waittime=$wait);
 		    emit  '';
 		    emit  q(    while [ $waittime -gt 0 ]; do);
-		    emit qq(        interface_is_usable $physical && break);
 		    emit  q(        sleep 1);
+		    emit qq(        interface_is_usable $physical && break);
 		    emit   '        waittime=$(($waittime - 1))';
 		    emit  q(    done);
 		    emit  q(fi);
@@ -1784,6 +1806,7 @@ sub process_host( ) {
 	    } elsif ( $option eq 'norfc1918' ) {
 		warning_message "The 'norfc1918' host option is no longer supported"
 	    } elsif ( $option eq 'blacklist' ) {
+		warning_message "The 'blacklist' option is deprecated";
 		$zoneref->{options}{in}{blacklist} = 1;
 	    } elsif ( $option =~ /^mss=(\d+)$/ ) {
 		fatal_error "Invalid mss ($1)" unless $1 >= 500;
--- a/Shorewall/Perl/compiler.pl
+++ b/Shorewall/Perl/compiler.pl
@@ -37,7 +37,8 @@
 #         --log_verbosity=<number>    # Log Verbosity range -1 to 2
 #         --family=<number>           # IP family; 4 = IPv4 (default), 6 = IPv6
 #         --preview                   # Preview the ruleset.
-#         --shorewallrc=<path>        # Path to shorewallrc file.
+#         --shorewallrc=<path>        # Path to global shorewallrc file.
+#         --shorewallrc1=<path>       # Path to export shorewallrc file.
 #         --config_path=<path-list>   # Search path for config files
 #
 use strict;
@@ -67,6 +68,7 @@ sub usage( $ ) {
    [ --update ]
    [ --convert ]
    [ --shorewallrc=<pathname> ]
+    [ --shorewallrc1=<pathname> ]
    [ --config_path=<path-list> ]
 ';

@@ -94,6 +96,7 @@ my $update        = 0;
 my $convert       = 0;
 my $config_path   = '';
 my $shorewallrc   = '';
+my $shorewallrc1  = '';

 Getopt::Long::Configure ('bundling');

@@ -126,6 +129,7 @@ my $result = GetOptions('h'               => \$help,
 			'convert'         => \$convert,
 			'config_path=s'   => \$config_path,
 			'shorewallrc=s'   => \$shorewallrc,
+			'shorewallrc1=s'  => \$shorewallrc1,
 		       );

 usage(1) unless $result && @ARGV < 2;
@@ -148,5 +152,6 @@ compiler( script          => $ARGV[0] || '',
 	  convert         => $convert,
 	  annotate        => $annotate,
 	  config_path     => $config_path,
-	  shorewallrc     => $shorewallrc
+	  shorewallrc     => $shorewallrc,
+	  shorewallrc1    => $shorewallrc1,
 	);
--- a/Shorewall/Perl/getparams
+++ b/Shorewall/Perl/getparams
@@ -25,12 +25,12 @@
 #
 #      $1 = Path name of params file
 #      $2 = $CONFIG_PATH
-#      $3 = Address family (4 o4 6)
+#      $3 = Address family (4 or 6)
 #
 if [ "$3" = 6 ]; then
-    g_program=shorewall6
+    PRODUCT=shorewall6
 else
-    g_program=shorewall
+    PRODUCT=shorewall
 fi

 #
@@ -38,11 +38,12 @@ fi
 #
 . /usr/share/shorewall/shorewallrc

+g_program=$PRODUCT
 g_libexec="$LIBEXECDIR"
-g_sharedir="$SHAREDIR"/shorewall
+g_sharedir="$SHAREDIR/shorewall"
 g_sbindir="$SBINDIR"
 g_perllib="$PERLLIBDIR"
-g_confdir="$CONFDIR"/shorewall
+g_confdir="$CONFDIR/$PRODUCT"
 g_readrc=1

 . $g_sharedir/lib.cli
--- a/Shorewall/Perl/lib.core
+++ b/Shorewall/Perl/lib.core
@@ -344,7 +344,7 @@ replace_default_route() # $1 = USE_DEFAULT_RT
 #
 delete_default_routes() # $1 = table number
 {
-    $IP -$g_family -o route ls table $1 | fgrep default | fgrep -v metric | while read route; do
+    $IP -$g_family route ls table $1 | fgrep default | fgrep -v metric | while read route; do
 	qt $IP -$g_family route del $route
    done
 } 
@@ -916,7 +916,12 @@ add_gateway() # $1 = Delta $2 = Table Number
 	delta=$1

 	if ! echo $route | fgrep -q ' nexthop '; then
-	    route=`echo $route | sed 's/via/nexthop via/'`
+	    if echo $route | fgrep -q via; then
+		route=`echo $route | sed 's/via/nexthop via/'`
+	    else
+		route="nexthop $route"
+	    fi
+
 	    dev=$(find_device $route)
 	    if [ -f ${VARDIR}/${dev}_weight ]; then
 		weight=`cat ${VARDIR}/${dev}_weight`
--- a/Shorewall/Samples/Universal/rules
+++ b/Shorewall/Samples/Universal/rules
@@ -6,13 +6,13 @@
 # The manpage is also online at
 # http://www.shorewall.net/manpages/shorewall-rules.html
 #
-###################################################################################################################################################################################
-#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME         HEADERS         SWITCH
+##############################################################################################################################################################################################
+#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME         HEADERS         SWITCH     HELPER
 #							PORT	PORT(S)		DEST		LIMIT		GROUP
 #SECTION ALL
 #SECTION ESTABLISHED
 #SECTION RELATED
 SECTION NEW
-
+Invalid(DROP)	net		$FW		tcp
 SSH(ACCEPT)	net		$FW
 Ping(ACCEPT)	net		$FW
--- a/Shorewall/Samples/Universal/shorewall.conf
+++ b/Shorewall/Samples/Universal/shorewall.conf
@@ -41,6 +41,8 @@ MACLIST_LOG_LEVEL=info

 RELATED_LOG_LEVEL=

+RPFILTER_LOG_LEVEL=info
+
 SFILTER_LOG_LEVEL=info

 SMURF_LOG_LEVEL=info
@@ -67,6 +69,8 @@ LOCKFILE=

 MODULESDIR=

+NFACCT=
+
 PERL=/usr/bin/perl

 PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
@@ -110,7 +114,9 @@ ADD_SNAT_ALIASES=No

 ADMINISABSENTMINDED=Yes

-AUTO_COMMENT=Yes
+AUTOCOMMENT=Yes
+
+AUTOHELPERS=Yes

 AUTOMAKE=No

@@ -140,6 +146,8 @@ FASTACCEPT=Yes

 FORWARD_CLEAR_MARK=

+HELPERS=
+
 IMPLICIT_CONTINUE=No

 IPSET_WARNINGS=Yes
@@ -170,7 +178,7 @@ MUTEX_TIMEOUT=60

 NULL_ROUTE_RFC1918=No

-OPTIMIZE=15
+OPTIMIZE=31

 OPTIMIZE_ACCOUNTING=No

@@ -208,6 +216,8 @@ MACLIST_DISPOSITION=REJECT

 RELATED_DISPOSITION=ACCEPT

+RPFILTER_DISPOSITION=DROP
+
 SMURF_DISPOSITION=DROP

 SFILTER_DISPOSITION=DROP
--- a/Shorewall/Samples/one-interface/rules
+++ b/Shorewall/Samples/one-interface/rules
@@ -10,14 +10,18 @@
 # See the file README.txt for further details.
 #------------------------------------------------------------------------------------------------------------
 # For information on entries in this file, type "man shorewall-rules"
-######################################################################################################################################################################################
-#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME         HEADERS         SWITCH
+##############################################################################################################################################################################################
+#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME         HEADERS         SWITCH     HELPER
 #							PORT	PORT(S)		DEST		LIMIT		GROUP
 #SECTION ALL
 #SECTION ESTABLISHED
 #SECTION RELATED
 SECTION NEW

+# Drop packets in the INVALID state
+
+Invalid(DROP)  net    	        $FW		tcp
+
 # Drop Ping from the "bad" net zone.. and prevent your log from being flooded..

 Ping(DROP)	net		$FW
--- a/Shorewall/Samples/one-interface/shorewall.conf
+++ b/Shorewall/Samples/one-interface/shorewall.conf
@@ -52,6 +52,8 @@ MACLIST_LOG_LEVEL=info

 RELATED_LOG_LEVEL=

+RPFILTER_LOG_LEVEL=info
+
 SFILTER_LOG_LEVEL=info

 SMURF_LOG_LEVEL=info
@@ -78,6 +80,8 @@ LOCKFILE=

 MODULESDIR=

+NFACCT=
+
 PERL=/usr/bin/perl

 PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
@@ -121,7 +125,9 @@ ADD_SNAT_ALIASES=No

 ADMINISABSENTMINDED=Yes

-AUTO_COMMENT=Yes
+AUTOCOMMENT=Yes
+
+AUTOHELPERS=Yes

 AUTOMAKE=No

@@ -151,6 +157,8 @@ FASTACCEPT=No

 FORWARD_CLEAR_MARK=

+HELPERS=
+
 IMPLICIT_CONTINUE=No

 IPSET_WARNINGS=Yes
@@ -181,7 +189,7 @@ MUTEX_TIMEOUT=60

 NULL_ROUTE_RFC1918=No

-OPTIMIZE=1
+OPTIMIZE=31

 OPTIMIZE_ACCOUNTING=No

@@ -219,6 +227,8 @@ MACLIST_DISPOSITION=REJECT

 RELATED_DISPOSITION=ACCEPT

+RPFILTER_DISPOSITION=DROP
+
 SMURF_DISPOSITION=DROP

 SFILTER_DISPOSITION=DROP
--- a/Shorewall/Samples/three-interfaces/masq
+++ b/Shorewall/Samples/three-interfaces/masq
@@ -10,8 +10,9 @@
 # See the file README.txt for further details.
 #------------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall-masq"
-##############################################################################
-#INTERFACE		SOURCE		ADDRESS		PROTO	PORT(S)	IPSEC	MARK
+################################################################################################################
+#INTERFACE:DEST		SOURCE		ADDRESS		PROTO	PORT(S)	IPSEC	MARK	USER/	SWITCH	ORIGINAL
+#											GROUP		DEST
 eth0			10.0.0.0/8,\
 			169.254.0.0/16,\
 			172.16.0.0/12,\
--- a/Shorewall/Samples/three-interfaces/rules
+++ b/Shorewall/Samples/three-interfaces/rules
@@ -10,8 +10,8 @@
 # See the file README.txt for further details.
 #------------------------------------------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall-rules"
-######################################################################################################################################################################################
-#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME         HEADERS         SWITCH
+##############################################################################################################################################################################################
+#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME         HEADERS         SWITCH     HELPER
 #							PORT	PORT(S)		DEST		LIMIT		GROUP
 #SECTION ALL
 #SECTION ESTABLISHED
@@ -20,7 +20,7 @@ SECTION NEW

 #       Don't allow connection pickup from the net
 #
-Invalid(DROP)	net		all
+Invalid(DROP)	net		all		tcp
 #
 #	Accept DNS connections from the firewall to the Internet
 #
--- a/Shorewall/Samples/three-interfaces/shorewall.conf
+++ b/Shorewall/Samples/three-interfaces/shorewall.conf
@@ -50,6 +50,8 @@ MACLIST_LOG_LEVEL=info

 RELATED_LOG_LEVEL=

+RPFILTER_LOG_LEVEL=info
+
 SFILTER_LOG_LEVEL=info

 SMURF_LOG_LEVEL=info
@@ -76,6 +78,8 @@ LOCKFILE=

 MODULESDIR=

+NFACCT=
+
 PERL=/usr/bin/perl

 PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
@@ -119,7 +123,9 @@ ADD_SNAT_ALIASES=No

 ADMINISABSENTMINDED=Yes

-AUTO_COMMENT=Yes
+AUTOCOMMENT=Yes
+
+AUTOHELPERS=Yes

 AUTOMAKE=No

@@ -149,6 +155,8 @@ FASTACCEPT=No

 FORWARD_CLEAR_MARK=

+HELPERS=
+
 IMPLICIT_CONTINUE=No

 IPSET_WARNINGS=Yes
@@ -179,7 +187,7 @@ MUTEX_TIMEOUT=60

 NULL_ROUTE_RFC1918=No

-OPTIMIZE=1
+OPTIMIZE=31

 OPTIMIZE_ACCOUNTING=No

@@ -217,6 +225,8 @@ MACLIST_DISPOSITION=REJECT

 RELATED_DISPOSITION=ACCEPT

+RPFILTER_DISPOSITION=DROP
+
 SMURF_DISPOSITION=DROP

 SFILTER_DISPOSITION=DROP
--- a/Shorewall/Samples/three-interfaces/stoppedrules
+++ b/Shorewall/Samples/three-interfaces/stoppedrules
@@ -1,6 +1,6 @@
 #
-# Shorewall6 version 4.0 - Sample Routestopped File for two-interface configuration.
-# Copyright (C) 2006,2008 by the Shorewall Team
+# Shorewall version 4.5 - Sample Stoppedrules File for three-interface configuration.
+# Copyright (C) 2012 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public
@@ -9,11 +9,12 @@
 #
 # See the file README.txt for further details.
 #------------------------------------------------------------------------------
-# For information about entries in this file, type "man shorewall6-routestopped"
-#
-# See http://shorewall.net/starting_and_stopping_shorewall.htm for additional
-# information.
-#
-##############################################################################
-#INTERFACE	HOST(S)                  OPTIONS
-eth1		-
+# For information about entries in this file, type "man shorewall-stoppedrules"
+###############################################################################
+#ACTION		SOURCE		DEST		PROTO	DEST		SOURCE
+#							PORT(S)		PORT(S)
+ACCEPT		eth1		-
+ACCEPT		-		eth1
+ACCEPT		eth2		-
+ACCEPT		-		eth2
+
--- a/Shorewall/Samples/two-interfaces/masq
+++ b/Shorewall/Samples/two-interfaces/masq
@@ -10,8 +10,9 @@
 # See the file README.txt for further details.
 #------------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall-masq"
-###############################################################################
-#INTERFACE		SOURCE		ADDRESS		PROTO	PORT(S)	IPSEC	MARK
+################################################################################################################
+#INTERFACE:DEST		SOURCE		ADDRESS		PROTO	PORT(S)	IPSEC	MARK	USER/	SWITCH	ORIGINAL
+#											GROUP		DEST
 eth0			10.0.0.0/8,\
 			169.254.0.0/16,\
 			172.16.0.0/12,\
--- a/Shorewall/Samples/two-interfaces/rules
+++ b/Shorewall/Samples/two-interfaces/rules
@@ -10,8 +10,8 @@
 # See the file README.txt for further details.
 #------------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall-rules"
-######################################################################################################################################################################################
-#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME         HEADERS         SWITCH
+##############################################################################################################################################################################################
+#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME         HEADERS         SWITCH     HELPER
 #							PORT	PORT(S)		DEST		LIMIT		GROUP
 #SECTION ALL
 #SECTION ESTABLISHED
@@ -20,7 +20,7 @@ SECTION NEW

 #       Don't allow connection pickup from the net
 #
-Invalid(DROP)	net		all
+Invalid(DROP)	net		all		tcp
 #
 #	Accept DNS connections from the firewall to the network
 #
--- a/Shorewall/Samples/two-interfaces/shorewall.conf
+++ b/Shorewall/Samples/two-interfaces/shorewall.conf
@@ -53,6 +53,8 @@ MACLIST_LOG_LEVEL=info

 RELATED_LOG_LEVEL=

+RPFILTER_LOG_LEVEL=info
+
 SFILTER_LOG_LEVEL=info

 SMURF_LOG_LEVEL=info
@@ -79,6 +81,8 @@ LOCKFILE=

 MODULESDIR=

+NFACCT=
+
 PERL=/usr/bin/perl

 PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
@@ -122,7 +126,9 @@ ADD_SNAT_ALIASES=No

 ADMINISABSENTMINDED=Yes

-AUTO_COMMENT=Yes
+AUTOCOMMENT=Yes
+
+AUTOHELPERS=Yes

 AUTOMAKE=No

@@ -152,6 +158,8 @@ FASTACCEPT=No

 FORWARD_CLEAR_MARK=

+HELPERS=
+
 IMPLICIT_CONTINUE=No

 IPSET_WARNINGS=Yes
@@ -182,7 +190,7 @@ MUTEX_TIMEOUT=60

 NULL_ROUTE_RFC1918=No

-OPTIMIZE=1
+OPTIMIZE=31

 OPTIMIZE_ACCOUNTING=No

@@ -220,6 +228,8 @@ MACLIST_DISPOSITION=REJECT

 RELATED_DISPOSITION=ACCEPT

+RPFILTER_DISPOSITION=DROP
+
 SMURF_DISPOSITION=DROP

 SFILTER_DISPOSITION=DROP
--- a/Shorewall/Samples/two-interfaces/stoppedrules
+++ b/Shorewall/Samples/two-interfaces/stoppedrules
@@ -1,6 +1,6 @@
 #
-# Shorewall version 4.0 - Sample Routestopped File for two-interface configuration.
-# Copyright (C) 2006 by the Shorewall Team
+# Shorewall version 4.5 - Sample Stoppedrules File for two-interface configuration.
+# Copyright (C) 2012 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public
@@ -9,7 +9,9 @@
 #
 # See the file README.txt for further details.
 #------------------------------------------------------------------------------
-# For information about entries in this file, type "man shorewall-routestopped"
-##############################################################################
-#INTERFACE	HOST(S)                  OPTIONS
-eth1		-
+# For information about entries in this file, type "man shorewall-stoppedrules"
+###############################################################################
+#ACTION		SOURCE		DEST		PROTO	DEST		SOURCE
+#							PORT(S)		PORT(S)
+ACCEPT		eth1		-
+ACCEPT		-		eth1
--- a/Shorewall/configfiles/blacklist
+++ b/Shorewall/configfiles/blacklist
@@ -1,11 +0,0 @@
-#
-# Shorewall version 4 - Blacklist File
-#
-# For information about entries in this file, type "man shorewall-blacklist"
-#
-# Please see http://shorewall.net/blacklisting_support.htm for additional
-# information.
-#
-###############################################################################
-#ADDRESS/SUBNET		PROTOCOL	PORT	OPTIONS
-
--- a/Shorewall/configfiles/conntrack
+++ b/Shorewall/configfiles/conntrack
@@ -0,0 +1,53 @@
+#
+# Shorewall version 4 - conntrack File
+#
+# For information about entries in this file, type "man shorewall-conntrack"
+#
+#############################################################################################
+FORMAT 2
+#ACTION			SOURCE		DESTINATION	PROTO	DEST		SOURCE	USER/
+#								PORT(S)		PORT(S)	GROUP
+?if $AUTOHELPERS && __CT_TARGET
+
+?if __AMANDA_HELPER
+CT:helper:amanda	all		-		udp	10080
+?endif
+
+?if __FTP_HELPER
+CT:helper:ftp		all		-		tcp	21
+?endif
+
+?if __H323_HELPER
+CT:helper:RAS		all		-		udp	1719
+CT:helper:Q.931		all		-		tcp	1720
+?endif
+
+?if __IRC_HELPER
+CT:helper:irc		all		-		tcp	6667
+?endif
+
+?if __NETBIOS_NS_HELPER
+CT:helper:netbios-ns	all		-		udp	137
+?endif
+
+?if __PPTP_HELPER
+CT:helper:pptp		all		-		tcp	1723
+?endif
+
+?if __SANE_HELPER
+CT:helper:sane		all		-		tcp	6566
+?endif
+
+?if __SIP_HELPER
+CT:helper:sip		all		-		udp	5060
+?endif
+
+?if __SNMP_HELPER
+CT:helper:snmp		all		-		udp	161
+?endif
+
+?if __TFTP_HELPER
+CT:helper:tftp		all		-		udp	69
+?endif
+
+?endif
--- a/Shorewall/configfiles/masq
+++ b/Shorewall/configfiles/masq
@@ -6,6 +6,6 @@
 # The manpage is also online at
 # http://www.shorewall.net/manpages/shorewall-masq.html
 #
-######################################################################################################
-#INTERFACE:DEST		SOURCE		ADDRESS		PROTO	PORT(S)	IPSEC	MARK	USER/	SWITCH
-#											GROUP
+################################################################################################################
+#INTERFACE:DEST		SOURCE		ADDRESS		PROTO	PORT(S)	IPSEC	MARK	USER/	SWITCH	ORIGINAL
+#											GROUP		DEST
--- a/Shorewall/configfiles/notrack
+++ b/Shorewall/configfiles/notrack
@@ -1,9 +0,0 @@
-#
-# Shorewall version 4 - Notrack File
-#
-# For information about entries in this file, type "man shorewall-notrack"
-#
-#####################################################################################
-FORMAT 2
-#ACTION		SOURCE		DESTINATION	PROTO	DEST		SOURCE	USER/
-#							PORT(S)		PORT(S)	GROUP
--- a/Shorewall/configfiles/routestopped
+++ b/Shorewall/configfiles/routestopped
@@ -1,6 +1,8 @@
 #
 # Shorewall version 4 - Routestopped File
 #
+# This file is deprecated in favor of the stoppedrules file
+#
 # For information about entries in this file, type "man shorewall-routestopped"
 #
 # The manpage is also online at
--- a/Shorewall/configfiles/rules
+++ b/Shorewall/configfiles/rules
@@ -6,8 +6,8 @@
 # The manpage is also online at
 # http://www.shorewall.net/manpages/shorewall-rules.html
 #
-######################################################################################################################################################################################
-#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME         HEADERS         SWITCH
+#################################################################################################################################################################################################
+#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME         HEADERS         SWITCH        HELPER
 #							PORT	PORT(S)		DEST		LIMIT		GROUP
 #SECTION ALL
 #SECTION ESTABLISHED
--- a/Shorewall/configfiles/shorewall.conf
+++ b/Shorewall/configfiles/shorewall.conf
@@ -41,6 +41,8 @@ MACLIST_LOG_LEVEL=info

 RELATED_LOG_LEVEL=

+RPFILTER_LOG_LEVEL=info
+
 SFILTER_LOG_LEVEL=info

 SMURF_LOG_LEVEL=info
@@ -67,6 +69,8 @@ LOCKFILE=

 MODULESDIR=

+NFACCT=
+
 PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin"

 PERL=/usr/bin/perl
@@ -110,7 +114,9 @@ ADD_SNAT_ALIASES=No

 ADMINISABSENTMINDED=Yes

-AUTO_COMMENT=Yes
+AUTOCOMMENT=Yes
+
+AUTOHELPERS=Yes

 AUTOMAKE=No

@@ -140,6 +146,8 @@ FASTACCEPT=No

 FORWARD_CLEAR_MARK=

+HELPERS=
+
 IMPLICIT_CONTINUE=No

 IPSET_WARNINGS=Yes
@@ -208,6 +216,8 @@ MACLIST_DISPOSITION=REJECT

 RELATED_DISPOSITION=ACCEPT

+RPFILTER_DISPOSITION=DROP
+
 SMURF_DISPOSITION=DROP

 SFILTER_DISPOSITION=DROP
--- a/Shorewall/configfiles/stoppedrules
+++ b/Shorewall/configfiles/stoppedrules
@@ -0,0 +1,14 @@
+#
+# Shorewall version 4 - Stopped Rules File
+#
+# For information about entries in this file, type "man shorewall-stoppedrules"
+#
+# The manpage is also online at
+# http://www.shorewall.net/manpages/shorewall-stoppedrules.html
+#
+# See http://shorewall.net/starting_and_stopping_shorewall.htm for additional
+# information.
+#
+###############################################################################
+#ACTION		SOURCE			DEST		PROTO	DEST	SOURCE
+#								PORT(S)	PORT(S)
--- a/Shorewall/configfiles/tcfilters
+++ b/Shorewall/configfiles/tcfilters
@@ -5,6 +5,6 @@
 #
 # See http://shorewall.net/traffic_shaping.htm for additional information.
 #
-##############################################################################################
-#INTERFACE:	SOURCE		DEST		PROTO	DEST	SOURCE   TOS		LENGTH
+########################################################################################################
+#INTERFACE:	SOURCE		DEST		PROTO	DEST	SOURCE   TOS		LENGTH	PRIORITY
 #CLASS							PORT(S)	PORT(S)
--- a/Shorewall/init.fedora.sh
+++ b/Shorewall/init.fedora.sh
--- a/Shorewall/init.suse.sh
+++ b/Shorewall/init.suse.sh
@@ -0,0 +1,93 @@
+#!/bin/sh
+#
+#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V4.2
+#
+#     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
+#
+#     (c) 1999,2000,2001,2002,2003,2004,2005 - Tom Eastep (teastep@shorewall.net)
+#
+#	On most distributions, this file should be called /etc/init.d/shorewall.
+#
+#	Complete documentation is available at http://shorewall.net
+#
+#	This program is free software; you can redistribute it and/or modify
+#	it under the terms of Version 2 of the GNU General Public License
+#	as published by the Free Software Foundation.
+#
+#	This program is distributed in the hope that it will be useful,
+#	but WITHOUT ANY WARRANTY; without even the implied warranty of
+#	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+#	GNU General Public License for more details.
+#
+#	You should have received a copy of the GNU General Public License
+#	along with this program; if not, write to the Free Software
+#	Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+#	If an error occurs while starting or restarting the firewall, the
+#	firewall is automatically stopped.
+#
+#	Commands are:
+#
+#	   shorewall start			  Starts the firewall
+#	   shorewall restart			  Restarts the firewall
+#	   shorewall reload			  Reload the firewall
+#						  (same as restart)
+#	   shorewall stop			  Stops the firewall
+#	   shorewall status			  Displays firewall status
+#
+
+### BEGIN INIT INFO
+# Provides:          shorewall
+# Required-Start:    $network $remote_fs
+# Required-Stop:     $network $remote_fs
+# Default-Start:     2 3 5
+# Default-Stop:      0 6
+# Short-Description: Configure the firewall at boot time
+# Description:       Configure the firewall according to the rules specified in
+#                    /etc/shorewall
+### END INIT INFO
+
+################################################################################
+# Give Usage Information						       #
+################################################################################
+usage() {
+    echo "Usage: $0 start|stop|reload|restart|status" >&2
+    exit 1
+}
+
+################################################################################
+# Get startup options (override default)
+################################################################################
+OPTIONS="-v0"
+
+#
+# The installer may alter this
+#
+. /usr/share/shorewall/shorewallrc
+
+if [ -f ${SYSCONFDIR}/shorewall ]; then
+    . ${SYSCONFDIR}/shorewall
+fi
+
+export SHOREWALL_INIT_SCRIPT=1
+
+################################################################################
+# E X E C U T I O N    B E G I N S   H E R E				       #
+################################################################################
+command="$1"
+shift
+
+case "$command" in
+    start)
+	exec $SBINDIR/shorewall $OPTIONS start $STARTOPTIONS
+	;;
+    restart|reload)
+	exec $SBINDIR/shorewall $OPTIONS restart $RESTARTOPTIONS
+	;;
+    status|stop)
+	exec $SBINDIR/shorewall $OPTIONS $command
+	;;
+    *)
+	usage
+	;;
+esac
--- a/Shorewall/install.sh
+++ b/Shorewall/install.sh
@@ -193,7 +193,14 @@ else
    usage 1
 fi

-for var in SHAREDIR LIBEXECDIR PERLLIBDIR CONFDIR SBINDIR VARDIR; do
+if [ -z "${VARLIB}" ]; then
+    VARLIB=${VARDIR}
+    VARDIR=${VARLIB}/${PRODUCT}
+elif [ -z "${VARDIR}" ]; then
+    VARDIR=${VARLIB}/${PRODUCT}
+fi
+
+for var in SHAREDIR LIBEXECDIR PERLLIBDIR CONFDIR SBINDIR VARLIB VARDIR; do
    require $var
 done

@@ -371,7 +378,7 @@ mkdir -p ${DESTDIR}/${CONFDIR}/$PRODUCT
 mkdir -p ${DESTDIR}${LIBEXECDIR}/$PRODUCT
 mkdir -p ${DESTDIR}${PERLLIBDIR}/Shorewall
 mkdir -p ${DESTDIR}${SHAREDIR}/$PRODUCT/configfiles
-mkdir -p ${DESTDIR}/var/lib/$PRODUCT
+mkdir -p ${DESTDIR}${VARDIR}

 chmod 755 ${DESTDIR}${CONFDIR}/$PRODUCT
 chmod 755 ${DESTDIR}${SHAREDIR}/$PRODUCT
@@ -388,6 +395,7 @@ fi
 if [ -n "$SYSTEMD" ]; then
    mkdir -p ${DESTDIR}${SYSTEMD}
    run_install $OWNERSHIP -m 600 $PRODUCT.service ${DESTDIR}${SYSTEMD}/$PRODUCT.service
+    [ ${SBINDIR} != /sbin ] && eval sed -i \'s\|/sbin/\|${SBINDIR}/\|\' ${DESTDIR}${SYSTEMD}/$PRODUCT.service
    echo "Service file installed as ${DESTDIR}${SYSTEMD}/$PRODUCT.service"
 fi

@@ -601,14 +609,14 @@ else
    fi
 fi
 #
-# Install the Stopped Routing file
+# Install the Stopped Rules file
 #
-run_install $OWNERSHIP -m 0644 routestopped           ${DESTDIR}${SHAREDIR}/$PRODUCT/configfiles/
-run_install $OWNERSHIP -m 0644 routestopped.annotated ${DESTDIR}${SHAREDIR}/$PRODUCT/configfiles/
+run_install $OWNERSHIP -m 0644 stoppedrules           ${DESTDIR}${SHAREDIR}/$PRODUCT/configfiles/
+run_install $OWNERSHIP -m 0644 stoppedrules.annotated ${DESTDIR}${SHAREDIR}/$PRODUCT/configfiles/

-if [ -z "$SPARSE" -a ! -f ${DESTDIR}${CONFDIR}/$PRODUCT/routestopped ]; then
-    run_install $OWNERSHIP -m 0600 routestopped${suffix} ${DESTDIR}${CONFDIR}/$PRODUCT/routestopped
-    echo "Stopped Routing file installed as ${DESTDIR}${CONFDIR}/$PRODUCT/routestopped"
+if [ -z "$SPARSE" -a ! -f ${DESTDIR}${CONFDIR}/$PRODUCT/stoppedrules ]; then
+    run_install $OWNERSHIP -m 0600 stoppedrules${suffix} ${DESTDIR}${CONFDIR}/$PRODUCT/stoppedrules
+    echo "Stopped Rules file installed as ${DESTDIR}${CONFDIR}/$PRODUCT/stoppedrules"
 fi
 #
 # Install the Mac List file
@@ -634,14 +642,14 @@ if [ -f masq ]; then
    fi
 fi
 #
-# Install the Notrack file
+# Install the Conntrack file
 #
-run_install $OWNERSHIP -m 0644 notrack           ${DESTDIR}${SHAREDIR}/$PRODUCT/configfiles
-run_install $OWNERSHIP -m 0644 notrack.annotated ${DESTDIR}${SHAREDIR}/$PRODUCT/configfiles
+run_install $OWNERSHIP -m 0644 conntrack           ${DESTDIR}${SHAREDIR}/$PRODUCT/configfiles
+run_install $OWNERSHIP -m 0644 conntrack.annotated ${DESTDIR}${SHAREDIR}/$PRODUCT/configfiles

-if [ -z "$SPARSE" -a ! -f ${DESTDIR}${CONFDIR}/$PRODUCT/notrack ]; then
-    run_install $OWNERSHIP -m 0600 notrack${suffix} ${DESTDIR}${CONFDIR}/$PRODUCT/notrack
-    echo "Notrack file installed as ${DESTDIR}${CONFDIR}/$PRODUCT/notrack"
+if [ ! -f ${DESTDIR}${CONFDIR}/$PRODUCT/conntrack ]; then
+    run_install $OWNERSHIP -m 0600 conntrack${suffix} ${DESTDIR}${CONFDIR}/$PRODUCT/conntrack
+    echo "Conntrack file installed as ${DESTDIR}${CONFDIR}/$PRODUCT/conntrack"
 fi

 #
@@ -698,10 +706,6 @@ if [ -z "$SPARSE" -a ! -f ${DESTDIR}${CONFDIR}/$PRODUCT/tunnels ]; then
    echo "Tunnels file installed as ${DESTDIR}${CONFDIR}/$PRODUCT/tunnels"
 fi

-if [ -z "$SPARSE" -a ! -f ${DESTDIR}${CONFDIR}/$PRODUCT/blacklist ]; then
-    run_install $OWNERSHIP -m 0600 blacklist${suffix} ${DESTDIR}${CONFDIR}/$PRODUCT/blacklist
-    echo "Blacklist file installed as ${DESTDIR}${CONFDIR}/$PRODUCT/blacklist"
-fi
 #
 # Install the blacklist rules file
 #
@@ -974,12 +978,6 @@ fi

 cd ..

-#
-# Install the Standard Actions file
-#
-install_file actions.std ${DESTDIR}${SHAREDIR}/$PRODUCT/actions.std 0644
-echo "Standard actions file installed as ${DESTDIR}${SHAREDIR}d/$PRODUCT/actions.std"
-
 #
 # Install the  Makefiles
 #
@@ -1131,7 +1129,7 @@ if [ -z "$DESTDIR" -a -n "$first_install" -a -z "${cygwin}${mac}" ]; then
 	perl -p -w -i -e 's/^STARTUP_ENABLED=No/STARTUP_ENABLED=Yes/;s/^IP_FORWARDING=On/IP_FORWARDING=Keep/;s/^SUBSYSLOCK=.*/SUBSYSLOCK=/;' ${CONFDIR}/$PRODUCT/$PRODUCT.conf
 	update-rc.d $PRODUCT enable
    elif [ -n "$SYSTEMD" ]; then
-	if systemctl enable $PRODUCT; then
+	if systemctl enable ${PRODUCT}.service; then
 	    echo "$Product will start automatically at boot"
 	fi
    elif mywhich insserv; then
--- a/Shorewall/lib.cli-std
+++ b/Shorewall/lib.cli-std
@@ -34,8 +34,6 @@ get_config() {

    ensure_config_path

-
-
    if [ "$1" = Yes ]; then
 	params=$(find_file params)

@@ -181,7 +179,7 @@ get_config() {
 	if [ "$2" = Yes ]; then
 	    case $STARTUP_ENABLED in
 		No|no|NO)
-		    echo "   ERROR: $g_product startup is disabled. To enable startup, set STARTUP_ENABLED=Yes in ${CONFDIR}/${g_program}.conf" >&2
+		    echo "   ERROR: $g_product startup is disabled. To enable startup, set STARTUP_ENABLED=Yes in ${g_confdir}/${g_program}.conf" >&2
 		    exit 2
 		    ;;
 		Yes|yes|YES)
@@ -363,6 +361,7 @@ uptodate() {
 compiler() {
    local pc
    local shorewallrc
+    local shorewallrc1

    pc=$g_libexec/shorewall/compiler.pl

@@ -378,7 +377,7 @@ compiler() {
    #
    # Get the config from $g_shorewalldir
    #
-    [ -n "$g_shorewalldir" -a "$g_shorewalldir" != ${g_confdir} ] && get_config
+    get_config Yes

    case $COMMAND in
 	*start|try|refresh)
@@ -399,14 +398,15 @@ compiler() {
    [ "$1" = nolock ] && shift;
    shift

+    shorewallrc=${g_basedir}/shorewallrc
+    
    if [ -n "$g_export" ]; then
-	shorewallrc=$(find_file shorewallrc)
-	[ -f "$shorewallrc" ] || fatal_error "Compiling for export requires a shorewallrc file"
-    else
-	shorewallrc="${g_basedir}/shorewallrc"
+	shorewallrc1=$(find_file shorewallrc)
+	[ -f "$shorewallrc1" ] || fatal_error "Compiling for export requires a shorewallrc file"
    fi

    options="--verbose=$VERBOSITY --family=$g_family --config_path=$CONFIG_PATH --shorewallrc=${shorewallrc}"
+    [ -n "$shorewallrc1" ] && options="$options --shorewallrc1=${shorewallrc1}"
    [ -n "$STARTUP_LOG" ] && options="$options --log=$STARTUP_LOG"
    [ -n "$LOG_VERBOSITY" ] && options="$options --log_verbosity=$LOG_VERBOSITY";
    [ -n "$g_export" ] && options="$options --export"
@@ -439,6 +439,21 @@ compiler() {
    fi
 }

+#
+# Run the postcompile user exit
+#
+run_postcompile() { # $1 is the compiled script
+    local script
+
+    script=$(find_file postcompile)
+
+    if [ -f $script ]; then
+	. $script $1
+    else
+	return 0
+    fi
+}
+
 #
 # Start Command Executor
 #
@@ -459,6 +474,7 @@ start_command() {
 	    progress_message3 "Compiling..."

 	    if compiler $g_debugging $nolock compile ${VARDIR}/.start; then
+		run_postcompile ${VARDIR}/.start
 		[ -n "$nolock" ] || mutex_on
 		run_it ${VARDIR}/.start $g_debugging start
 		rc=$?
@@ -603,6 +619,7 @@ compile_command() {
 		    case $option in
 			e*)
 			    g_export=Yes
+			    g_shorewalldir='.'
 			    option=${option#e}
 			    ;;
 			p*)
@@ -641,14 +658,14 @@ compile_command() {

    case $# in
 	0)
-	    file=${VARDIR}/firewall
+	    [ -n "$g_export" ] && file=firewall || file=${VARDIR}/firewall
 	    ;;
 	1)
 	    file=$1
 	    [ -d $file ] && echo "   ERROR: $file is a directory" >&2 && exit 2;
 	    ;;
 	2)
-	    [ -n "$g_shorewalldir" ] && usage 2
+	    [ -n "$g_shorewalldir" -a -z "$g_export" ] && usage 2

 	    if [ ! -d $1 ]; then
 		if [ -e $1 ]; then
@@ -668,7 +685,7 @@ compile_command() {

    [ "x$file" = x- ] || progress_message3 "Compiling..."

-    compiler $g_debugging compile $file
+    compiler $g_debugging compile $file && run_postcompile $file
 }

 #
@@ -692,6 +709,7 @@ check_command() {
 			    ;;
 			e*)
 			    g_export=Yes
+			    g_shorewalldir='.'
 			    option=${option#e}
 			    ;;
 			p*)
@@ -731,7 +749,7 @@ check_command() {
 	0)
 	    ;;
 	1)
-	    [ -n "$g_shorewalldir" ] && usage 2
+	    [ -n "$g_shorewalldir" -a -z "$g_export" ] && usage 2

 	    if [ ! -d $1 ]; then
 		if [ -e $1 ]; then
@@ -934,6 +952,7 @@ restart_command() {
 	progress_message3 "Compiling..."

 	if compiler $g_debugging $nolock compile ${VARDIR}/.restart; then
+	    run_postcompile ${VARDIR}/.restart
 	    [ -n "$nolock" ] || mutex_on
 	    run_it ${VARDIR}/.restart $g_debugging restart
 	    rc=$?
@@ -1025,6 +1044,7 @@ refresh_command() {
    progress_message3 "Compiling..."

    if compiler $g_debugging $nolock compile ${VARDIR}/.refresh; then
+	run_postcompile ${VARDIR}/.refresh
 	[ -n "$nolock" ] || mutex_on
 	run_it ${VARDIR}/.refresh $g_debugging refresh
 	rc=$?
@@ -1139,6 +1159,8 @@ safe_commands() {
 	exit $status
    fi

+    run_postcompile ${VARDIR}/.$command
+
    case $command in
 	start)
 	    RESTOREFILE=NONE
@@ -1270,6 +1292,8 @@ try_command() {
 	exit $status
    fi

+    run_postcompile ${VARDIR}/.restart
+
    case $command in
 	start)
 	    RESTOREFILE=NONE
@@ -1628,7 +1652,9 @@ usage() # $1 = exit status
    echo "   show macros"
    echo "   show marks"
    echo "   show [ -x ] mangle|nat|raw|rawpost|routing"
+    echo "   show nfacct"
    echo "   show policies"
+    echo "   show routing"
    echo "   show tc [ device ]"
    echo "   show vardir"
    echo "   show zones"
@@ -1646,7 +1672,6 @@ compiler_command() {

    case $COMMAND in
 	compile)
-	    get_config Yes
 	    shift
 	    compile_command $@
 	    ;;
@@ -1656,7 +1681,6 @@ compiler_command() {
 	    refresh_command $@
 	    ;;
 	check)
-	    get_config Yes
 	    shift
 	    check_command $@
 	    ;;
--- a/Shorewall/manpages/shorewall-accounting.xml
+++ b/Shorewall/manpages/shorewall-accounting.xml
@@ -294,8 +294,25 @@
            </varlistentry>

            <varlistentry>
-              <term>NFLOG[(nflog-parameters)] - Added in
-              Shorewall-4.4.20.</term>
+              <term><emphasis
+              role="bold">NFACCT</emphasis>(<replaceable>object</replaceable>)</term>
+
+              <listitem>
+                <para>Added in Shorewall 4.5.7. Provides a form of accounting
+                that survives <command>shorewall stop/shorewall</command>
+                start and <command>shorewall restart</command>. Requires the
+                NFaccnt Match capability in your kernel and iptables.
+                <replaceable>object</replaceable> names an nfacct object (see
+                man nfaccnt(8)). Multiple rules can specify the same
+                <replaceable>object</replaceable>; all packets that match any
+                of the rules increment the packet and bytes count of the
+                object.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis role="bold">NFLOG</emphasis>[(nflog-parameters)]
+              - Added in Shorewall-4.4.20.</term>

              <listitem>
                <para>Causes each matching packet to be sent via the currently
@@ -306,7 +323,7 @@
            </varlistentry>

            <varlistentry>
-              <term>COMMENT</term>
+              <term><emphasis role="bold">COMMENT</emphasis></term>

              <listitem>
                <para>The remainder of the line is treated as a comment which
--- a/Shorewall/manpages/shorewall-blacklist.xml
+++ b/Shorewall/manpages/shorewall-blacklist.xml
@@ -23,8 +23,10 @@
  <refsect1>
    <title>Description</title>

-    <para>The blacklist file is used to perform static blacklisting. You can
-    blacklist by source address (IP or MAC), or by application.</para>
+    <para>The blacklist file is used to perform static blacklisting by source
+    address (IP or MAC), or by application. The use of this file is deprecated
+    and beginning with Shorewall 4.5.7, the file is no longer
+    installed.</para>

    <para>The columns in the file are as follows (where the column name is
    followed by a different name in parentheses, the different name is used in
--- a/Shorewall/manpages/shorewall-conntrack.xml
+++ b/Shorewall/manpages/shorewall-conntrack.xml
@@ -3,33 +3,34 @@
 "http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
 <refentry>
  <refmeta>
-    <refentrytitle>shorewall6-notrack</refentrytitle>
+    <refentrytitle>shorewall6-conntrack</refentrytitle>

    <manvolnum>5</manvolnum>
  </refmeta>

  <refnamediv>
-    <refname>notrack</refname>
+    <refname>conntrack</refname>

-    <refpurpose>shorewall notrack file</refpurpose>
+    <refpurpose>shorewall conntrack file</refpurpose>
  </refnamediv>

  <refsynopsisdiv>
    <cmdsynopsis>
-      <command>/etc/shorewall/notrack</command>
+      <command>/etc/shorewall/conntrack</command>
    </cmdsynopsis>
  </refsynopsisdiv>

  <refsect1>
    <title>Description</title>

-    <para>The original intent of the notrack file was to exempt certain
-    traffic from Netfilter connection tracking. Traffic matching entries in
-    this file were not to be tracked.</para>
+    <para>The original intent of the <emphasis role="bold">notrack</emphasis>
+    file was to exempt certain traffic from Netfilter connection tracking.
+    Traffic matching entries in the file were not to be tracked.</para>

    <para>The role of the file was expanded in Shorewall 4.4.27 to include all
-    rules tht can be added in the Netfilter <emphasis
-    role="bold">raw</emphasis> table.</para>
+    rules that can be added in the Netfilter <emphasis
+    role="bold">raw</emphasis> table. In 4.5.7, the file's name was changed to
+    <emphasis role="bold">conntrack</emphasis>.</para>

    <para>The file supports two different column layouts: FORMAT 1 and FORMAT
    2, FORMAT 1 being the default. The two differ in that FORMAT 2 has an
@@ -45,6 +46,13 @@
    <para>where <replaceable>format</replaceable> is either <emphasis
    role="bold">1</emphasis> or <emphasis role="bold">2</emphasis>.</para>

+    <para>Comments may be attached to Netfilter rules generated from entries
+    in this file through the use of COMMENT lines. These lines begin with the
+    word COMMENT; the remainder of the line is treated as a comment which is
+    attached to subsequent rules until another COMMENT line is found or until
+    the end of the file is reached. To stop adding comments to rules, use a
+    line with only the word COMMENT.</para>
+
    <para>The columns in the file are as follows (where the column name is
    followed by a different name in parentheses, the different name is used in
    the alternate specification syntax).</para>
@@ -53,63 +61,157 @@
      <varlistentry>
        <term><emphasis role="bold">ACTION</emphasis> - {<emphasis
        role="bold">NOTRACK</emphasis>|<emphasis
-        role="bold">CT</emphasis>:<replaceable>option</replaceable>[:<replaceable>arg,...</replaceable>]}</term>
+        role="bold">CT</emphasis>:<emphasis
+        role="bold">helper</emphasis>:<replaceable>name</replaceable>[(<replaceable>arg</replaceable>=<replaceable>val</replaceable>[,...])|<emphasis
+        role="bold">CT:notrack</emphasis>}</term>

        <listitem>
          <para>This column is only present when FORMAT = 2. Values other than
          NOTRACK require <firstterm>CT Target </firstterm>support in your
          iptables and kernel.</para>

-          <para>Possible values for <replaceable>option</replaceable> and
-          <replaceable>arg</replaceable>s are:</para>
-
          <itemizedlist>
            <listitem>
-              <para><option>notrack</option> (no
-              <replaceable>arg</replaceable>)</para>
+              <para><option>NOTRACK</option> or
+              <option>CT:notrack</option></para>

-              <para>Disables connection tracking for this packet, the same as
-              if NOTRACK has been specified in this column.</para>
+              <para>Disables connection tracking for this packet.</para>
            </listitem>

            <listitem>
              <para><option>helper</option>:<replaceable>name</replaceable></para>

-              <para>Use the helper identified by the name to this connection.
-              This is more flexible than loading the conntrack helper with
-              preset ports.</para>
-            </listitem>
+              <para>Attach the helper identified by the
+              <replaceable>name</replaceable> to this connection. This is more
+              flexible than loading the conntrack helper with preset
+              ports.</para>

-            <listitem>
-              <para><option>ctevents</option>:<replaceable>event</replaceable>,...</para>
+              <para>At this writing, the available helpers are:</para>

-              <para>Only generate the specified conntrack events for this
-              connection. Possible event types are: <emphasis
-              role="bold">new</emphasis>, <emphasis
-              role="bold">related</emphasis>, <emphasis
-              role="bold">destroy</emphasis>, <emphasis
-              role="bold">reply</emphasis>, <emphasis
-              role="bold">assured</emphasis>, <emphasis
-              role="bold">protoinfo</emphasis>, <emphasis
-              role="bold">helper</emphasis>, <emphasis
-              role="bold">mark</emphasis> (this is connection mark, not packet
-              mark), <emphasis role="bold">natseqinfo</emphasis>, and
-              <emphasis role="bold">secmark</emphasis>.</para>
-            </listitem>
+              <variablelist>
+                <varlistentry>
+                  <term>amanda</term>

-            <listitem>
-              <para><option>expevents</option><option>:new</option></para>
+                  <listitem>
+                    <para>Requires that the amanda netfilter helper is
+                    present.</para>
+                  </listitem>
+                </varlistentry>

-              <para>Only generate a new expectation events for this
-              connection.</para>
-            </listitem>
+                <varlistentry>
+                  <term>ftp</term>

-            <listitem>
-              <para><option>zone</option>:<replaceable>id</replaceable></para>
+                  <listitem>
+                    <para>Requires that the FTP netfilter helper is
+                    present.</para>
+                  </listitem>
+                </varlistentry>

-              <para>Assign this packet to zone <replaceable>id</replaceable>
-              and only have lookups done in that zone. By default, packets
-              have zone 0.</para>
+                <varlistentry>
+                  <term>irc</term>
+
+                  <listitem>
+                    <para>Requires that the IRC netfilter helper is
+                    present.</para>
+                  </listitem>
+                </varlistentry>
+
+                <varlistentry>
+                  <term>netbios-ns</term>
+
+                  <listitem>
+                    <para>Requires that the netbios_ns (sic) helper is
+                    present.</para>
+                  </listitem>
+                </varlistentry>
+
+                <varlistentry>
+                  <term>RAS and Q.931</term>
+
+                  <listitem>
+                    <para>These require that the H323 netfilter helper is
+                    present.</para>
+                  </listitem>
+                </varlistentry>
+
+                <varlistentry>
+                  <term>pptp</term>
+
+                  <listitem>
+                    <para>Requires that the pptp netfilter helper is
+                    present.</para>
+                  </listitem>
+                </varlistentry>
+
+                <varlistentry>
+                  <term>sane</term>
+
+                  <listitem>
+                    <para>Requires that the SANE netfilter helper is
+                    present.</para>
+                  </listitem>
+                </varlistentry>
+
+                <varlistentry>
+                  <term>sip</term>
+
+                  <listitem>
+                    <para>Requires that the SIP netfilter helper is
+                    present.</para>
+                  </listitem>
+                </varlistentry>
+
+                <varlistentry>
+                  <term>snmp</term>
+
+                  <listitem>
+                    <para>Requires that the SNMP netfilter helper is
+                    present.</para>
+                  </listitem>
+                </varlistentry>
+
+                <varlistentry>
+                  <term>tftp</term>
+
+                  <listitem>
+                    <para>Requires that the TFTP netfilter helper is
+                    present.</para>
+                  </listitem>
+                </varlistentry>
+              </variablelist>
+
+              <para>May be followed by an option list of
+              <replaceable>arg</replaceable>=<replaceable>val</replaceable>
+              pairs in parentheses:</para>
+
+              <itemizedlist>
+                <listitem>
+                  <para><option>ctevents</option>=<replaceable>event</replaceable>[,...]</para>
+
+                  <para>Only generate the specified conntrack events for this
+                  connection. Possible event types are: <emphasis
+                  role="bold">new</emphasis>, <emphasis
+                  role="bold">related</emphasis>, <emphasis
+                  role="bold">destroy</emphasis>, <emphasis
+                  role="bold">reply</emphasis>, <emphasis
+                  role="bold">assured</emphasis>, <emphasis
+                  role="bold">protoinfo</emphasis>, <emphasis
+                  role="bold">helper</emphasis>, <emphasis
+                  role="bold">mark</emphasis> (this is connection mark, not
+                  packet mark), <emphasis role="bold">natseqinfo</emphasis>,
+                  and <emphasis role="bold">secmark</emphasis>. If more than
+                  one <emphasis>event</emphasis> is listed, the
+                  <replaceable>event</replaceable> list must be enclosed in
+                  parentheses (e.g., ctevents=(new,related)).</para>
+                </listitem>
+
+                <listitem>
+                  <para><option>expevents</option><option>=new</option></para>
+
+                  <para>Only generate a <emphasis role="bold">new</emphasis>
+                  expectation events for this connection.</para>
+                </listitem>
+              </itemizedlist>
            </listitem>
          </itemizedlist>

@@ -130,13 +232,9 @@
          url="shorewall-exclusion.html">shorewall-exclusion</ulink>
          (5)).</para>

-          <para>Comments may be attached to Netfilter rules generated from
-          entries in this file through the use of COMMENT lines. These lines
-          begin with the word COMMENT; the remainder of the line is treated as
-          a comment which is attached to subsequent rules until another
-          COMMENT line is found or until the end of the file is reached. To
-          stop adding comments to rules, use a line with only the word
-          COMMENT.</para>
+          <para>Beginning with Shorewall 4.5.7, <option>all</option> can be
+          used as the <replaceable>zone</replaceable> name to mean
+          <firstterm>all zones</firstterm>.</para>
        </listitem>
      </varlistentry>

@@ -225,6 +323,14 @@
    </variablelist>
  </refsect1>

+  <refsect1>
+    <title>EXAMPLE</title>
+
+    <programlisting>#ACTION                       SOURCE            DEST               PROTO            DEST              SOURCE              USER/GROUP
+#                                                                                   PORT(S)           PORT(S)
+CT:helper:ftp(expevents=new)  fw                -                  tcp              21              </programlisting>
+  </refsect1>
+
  <refsect1>
    <title>FILES</title>

--- a/Shorewall/manpages/shorewall-interfaces.xml
+++ b/Shorewall/manpages/shorewall-interfaces.xml
@@ -202,7 +202,7 @@ loc     eth2            -</programlisting>
                changed; the value assigned to the setting will be the value
                specified (if any) or 1 if no value is given.</para>

-                <para/>
+                <para></para>

                <note>
                  <para>This option does not work with a wild-card
@@ -236,7 +236,7 @@ loc     eth2            -</programlisting>

                <para>8 - do not reply for all local addresses</para>

-                <para/>
+                <para></para>

                <note>
                  <para>This option does not work with a wild-card
@@ -244,7 +244,7 @@ loc     eth2            -</programlisting>
                  the INTERFACE column.</para>
                </note>

-                <para/>
+                <para></para>

                <warning>
                  <para>Do not specify <emphasis
@@ -394,7 +394,7 @@ loc     eth2            -</programlisting>
        1
        teastep@lists:~$ </programlisting>

-                <para/>
+                <para></para>

                <note>
                  <para>This option does not work with a wild-card
@@ -636,6 +636,20 @@ loc     eth2            -</programlisting>
              </listitem>
            </varlistentry>

+            <varlistentry>
+              <term>rpfilter</term>
+
+              <listitem>
+                <para>Added in Shorewall 4.5.7. This is an anti-spoofing
+                measure that requires the 'RPFilter Match' capability in your
+                iptables and kernel. It provides a more efficient alternative
+                to the <option>sfilter</option> option below. It performs a
+                function similar to <option>routefilter</option> (see above)
+                but works with Multi-ISP configurations that do now use
+                balanced routes.</para>
+              </listitem>
+            </varlistentry>
+
            <varlistentry>
              <term>sfilter=(<emphasis>net</emphasis>[,...])</term>

@@ -668,7 +682,7 @@ loc     eth2            -</programlisting>
                changed; the value assigned to the setting will be the value
                specified (if any) or 1 if no value is given.</para>

-                <para/>
+                <para></para>

                <note>
                  <para>This option does not work with a wild-card
--- a/Shorewall/manpages/shorewall-masq.xml
+++ b/Shorewall/manpages/shorewall-masq.xml
@@ -509,6 +509,22 @@
          restart</command>.</para>
        </listitem>
      </varlistentry>
+
+      <varlistentry>
+        <term><emphasis role="bold">ORIGINAL DEST</emphasis> (origdest) -
+        [<emphasis
+        role="bold">-</emphasis>|<emphasis>address</emphasis>[,<emphasis>address</emphasis>]...[<emphasis>exclusion</emphasis>]|<emphasis>exclusion</emphasis>]</term>
+
+        <listitem>
+          <para>(Optional) Added in Shorewall 4.5.6. This column may be
+          included and may contain one or more addresses (host or network)
+          separated by commas. Address ranges are not allowed. When this
+          column is supplied, rules are generated that require that the
+          original destination address matches one of the listed addresses. It
+          is useful for specifying that SNAT should occur only for connections
+          that were acted on by a DNAT when they entered the firewall.</para>
+        </listitem>
+      </varlistentry>
    </variablelist>
  </refsect1>

--- a/Shorewall/manpages/shorewall-providers.xml
+++ b/Shorewall/manpages/shorewall-providers.xml
@@ -280,7 +280,8 @@
                url="http://www.shorewall.net/Shorewall_Squid_Usage.html">http://www.shorewall.net/Shorewall_Squid_Usage.html</ulink>.
                When specified, the MARK, DUPLICATE and GATEWAY columns should
                be empty, INTERFACE should be set to 'lo' and
-                <option>tproxy</option> should be the only OPTION.</para>
+                <option>tproxy</option> should be the only OPTION. Only one
+                <option>tproxy</option> provider is allowed.</para>
              </listitem>
            </varlistentry>
          </variablelist>
--- a/Shorewall/manpages/shorewall-routestopped.xml
+++ b/Shorewall/manpages/shorewall-routestopped.xml
@@ -24,6 +24,10 @@
  <refsect1>
    <title>Description</title>

+    <para>This file is deprecated in favor of the <ulink
+    url="shorewall-stoppedrules.html">shorewall-stoppedrules</ulink>(5)
+    file.</para>
+
    <para>This file is used to define the hosts that are accessible when the
    firewall is stopped or is being stopped.</para>

--- a/Shorewall/manpages/shorewall-rules.xml
+++ b/Shorewall/manpages/shorewall-rules.xml
@@ -503,6 +503,19 @@
                rule, it is passed on to the next rule.</para>
              </listitem>
            </varlistentry>
+
+            <varlistentry>
+              <term>HELPER</term>
+
+              <listitem>
+                <para>Added in Shorewall 4.5.7. This action requires that the
+                HELPER column contains the name of the Netfilter helper to be
+                associated with connections matching this connection. May only
+                be specified in the NEW section and is useful for being able
+                to specify a helper when the applicable policy is ACCEPT. No
+                destination zone should be specified in HELPER rules.</para>
+              </listitem>
+            </varlistentry>
          </variablelist>

          <para>The <replaceable>target</replaceable> may optionally be
@@ -1084,8 +1097,7 @@
      <varlistentry>
        <term><emphasis role="bold">USER/GROUP</emphasis> (user) - [<emphasis
        role="bold">!</emphasis>][<emphasis>user-name-or-number</emphasis>][<emphasis
-        role="bold">:</emphasis><emphasis>group-name-or-number</emphasis>][<emphasis
-        role="bold">+</emphasis><emphasis>program-name</emphasis>]</term>
+        role="bold">:</emphasis><emphasis>group-name-or-number</emphasis>][,...]</term>

        <listitem>
          <para>This optional column may only be non-empty if the SOURCE is
@@ -1096,6 +1108,9 @@
          <emphasis>user</emphasis> and/or <emphasis>group</emphasis>
          specified (or is NOT running under that id if "!" is given).</para>

+          <para>Beginning with Shorewall 4.5.8, multiple user or group
+          names/ids separated by commas may be specified.</para>
+
          <para>Examples:</para>

          <variablelist>
@@ -1126,15 +1141,11 @@
            </varlistentry>

            <varlistentry>
-              <term>+upnpd</term>
+              <term>2001-2099</term>

              <listitem>
-                <para>program named upnpd</para>
-
-                <important>
-                  <para>The ability to specify a program name was removed from
-                  Netfilter in kernel version 2.6.14.</para>
-                </important>
+                <para>UIDs 2001 through 2099 (Shorewall 4.5.6 and
+                later)</para>
              </listitem>
            </varlistentry>
          </variablelist>
@@ -1356,6 +1367,54 @@
          restart</command>.</para>
        </listitem>
      </varlistentry>
+
+      <varlistentry>
+        <term><emphasis role="bold">HELPER</emphasis> - [helper]</term>
+
+        <listitem>
+          <para>Added in Shorewall 4.5.7.</para>
+
+          <para>In the NEW section, causes the named conntrack
+          <replaceable>helper</replaceable> to be associated with this
+          connection; the contents of this column are ignored unless ACTION is
+          ACCEPT*, DNAT* or REDIRECT*.</para>
+
+          <para>In the RELATED section, will only match if the related
+          connection has the named <replaceable>helper</replaceable>
+          associated with it.</para>
+
+          <para>The <replaceable>helper</replaceable> may be one of:</para>
+
+          <simplelist>
+            <member><option>amanda</option></member>
+
+            <member><option>ftp</option></member>
+
+            <member><option>irc</option></member>
+
+            <member><option>netbios-ns</option></member>
+
+            <member><option>pptp</option></member>
+
+            <member><option>Q.931</option></member>
+
+            <member><option>RAS</option></member>
+
+            <member><option>sane</option></member>
+
+            <member><option>sip</option></member>
+
+            <member><option>snmp</option></member>
+
+            <member><option>tftp</option></member>
+          </simplelist>
+
+          <para>If the HELPERS option is specified in <ulink
+          url="shorewall.conf.html">shorewall.conf</ulink>(5), then any module
+          specified in this column must be listed in the HELPERS
+          setting.</para>
+        </listitem>
+      </varlistentry>
    </variablelist>
  </refsect1>

@@ -1569,7 +1628,7 @@

          <programlisting>        #ACTION                       SOURCE           DEST           PROTO       DEST
        #                                                                         PORT(S)
-        DROP                          net:^A1,A2       fw             tcp         22</programlisting>
+        DROP                          net:^A1,A2       fw             tcp         25</programlisting>
        </listitem>
      </varlistentry>
    </variablelist>
--- a/Shorewall/manpages/shorewall-stoppedrules.xml
+++ b/Shorewall/manpages/shorewall-stoppedrules.xml
@@ -0,0 +1,162 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
+"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
+<refentry>
+  <refmeta>
+    <refentrytitle>shorewall-stoppedrules</refentrytitle>
+
+    <manvolnum>5</manvolnum>
+  </refmeta>
+
+  <refnamediv>
+    <refname>stoppedrules</refname>
+
+    <refpurpose>The Shorewall file that governs what traffic flows through the
+    firewall while it is in the 'stopped' state.</refpurpose>
+  </refnamediv>
+
+  <refsynopsisdiv>
+    <cmdsynopsis>
+      <command>/etc/shorewall/stoppedrules</command>
+    </cmdsynopsis>
+  </refsynopsisdiv>
+
+  <refsect1>
+    <title>Description</title>
+
+    <para>This file is used to define the hosts that are accessible when the
+    firewall is stopped or is being stopped.</para>
+
+    <warning>
+      <para>Changes to this file do not take effect until after the next
+      <command>shorewall start</command>, <command>shorewall
+      restart</command>, or <option>shorewall compile</option> command.</para>
+    </warning>
+
+    <para>The columns in the file are as follows (where the column name is
+    followed by a different name in parentheses, the different name is used in
+    the alternate specification syntax).</para>
+
+    <variablelist>
+      <varlistentry>
+        <term><emphasis role="bold">ACTION</emphasis> -
+        <option>ACCEPT|NOTRACK</option></term>
+
+        <listitem>
+          <para>Determines the disposition of the packet.
+          <option>ACCEPT</option> means that the packet will be accepted.
+          <option>NOTRACK</option> indicates that no conntrack entry should be
+          created for the packet. <option>NOTRACK</option> does not imply
+          <option>ACCEPT</option>.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><emphasis role="bold">SOURCE</emphasis> - [<emphasis
+        role="bold">-</emphasis>|[$FW|<replaceable>interface</replaceable>]|[{$FW|interface}[<emphasis>:address</emphasis>[,<emphasis>address</emphasis>]...]]|[<emphasis>address</emphasis>[,<emphasis>address</emphasis>]...]</term>
+
+        <listitem>
+          <para><option>$FW</option> matches packets originating on the
+          firewall itself, while <replaceable>interface</replaceable>
+          specifies packets arriving on the named interface.</para>
+
+          <para>This column may also include a comma-separated list of
+          IP/subnet addresses. If your kernel and iptables include iprange
+          match support, IP address ranges are also allowed. Ipsets and
+          exclusion are also supported. When <option>$FW</option> or interface
+          are specified, the list must be preceeded by a colon (":").</para>
+
+          <para>If left empty or supplied as "-", 0.0.0.0/0 is assumed.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><emphasis role="bold">DEST</emphasis> - [<emphasis
+        role="bold">-</emphasis>|[$FW|<replaceable>interface</replaceable>]|[{$FW|interface}[<emphasis>:address</emphasis>[,<emphasis>address</emphasis>]...]]|[<emphasis>address</emphasis>[,<emphasis>address</emphasis>]...]</term>
+
+        <listitem>
+          <para><option>$FW</option> matches packets addressed the firewall
+          itself, while <replaceable>interface</replaceable> specifies packets
+          arriving on the named interface. Neither may be specified if the
+          target is <option>NOTRACK</option>.</para>
+
+          <para>This column may also include a comma-separated list of
+          IP/subnet addresses. If your kernel and iptables include iprange
+          match support, IP address ranges are also allowed. Ipsets and
+          exclusion are also supported. When <option>$FW</option> or interface
+          are specified, the list must be preceeded by a colon (":").</para>
+
+          <para>If left empty or supplied as "-", 0.0.0.0/0 is assumed.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>PROTO (Optional) ‒
+        <replaceable>protocol-name-or-number</replaceable></term>
+
+        <listitem>
+          <para>Protocol.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>DEST PORT(S) (dport) ‒
+        <replaceable>service-name/port-number-list</replaceable></term>
+
+        <listitem>
+          <para>Optional. A comma-separated list of port numbers and/or
+          service names from <filename>/etc/services</filename>. May also
+          include port ranges of the form
+          <replaceable>low-port</replaceable>:<replaceable>high-port</replaceable>
+          if your kernel and iptables include port range support.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>SOURCE PORT(S) (sport) ‒
+        <replaceable>service-name/port-number-list</replaceable></term>
+
+        <listitem>
+          <para>Optional. A comma-separated list of port numbers and/or
+          service names from <filename>/etc/services</filename>. May also
+          include port ranges of the form
+          <replaceable>low-port</replaceable>:<replaceable>high-port</replaceable>
+          if your kernel and iptables include port range support.</para>
+        </listitem>
+      </varlistentry>
+    </variablelist>
+
+    <note>
+      <para>The <emphasis role="bold">source</emphasis> and <emphasis
+      role="bold">dest</emphasis> options work best when used in conjunction
+      with ADMINISABSENTMINDED=Yes in <ulink
+      url="shorewall.conf.html">shorewall.conf</ulink>(5).</para>
+    </note>
+  </refsect1>
+
+  <refsect1>
+    <title>FILES</title>
+
+    <para>/etc/shorewall/stoppedrules</para>
+  </refsect1>
+
+  <refsect1>
+    <title>See ALSO</title>
+
+    <para><ulink
+    url="http://shorewall.net/starting_and_stopping_shorewall.htm">http://shorewall.net/starting_and_stopping_shorewall.htm</ulink></para>
+
+    <para><ulink
+    url="http://shorewall.net/configuration_file_basics.htm#Pairs">http://shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
+
+    <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
+    shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5),
+    shorewall-ipsets(5), shorewall-maclist(5), shorewall-masq(5),
+    shorewall-nat(5), shorewall-netmap(5), shorewall-params(5),
+    shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5),
+    shorewall-rtrules(5), shorewall-rules(5), shorewall.conf(5),
+    shorewall-secmarks(5), shorewall-tcclasses(5), shorewall-tcdevices(5),
+    shorewall-tcrules(5), shorewall-tos(5), shorewall-tunnels(5),
+    shorewall-zones(5)</para>
+  </refsect1>
+</refentry>
--- a/Shorewall/manpages/shorewall-tcclasses.xml
+++ b/Shorewall/manpages/shorewall-tcclasses.xml
@@ -11,7 +11,7 @@
  <refnamediv>
    <refname>tcclasses</refname>

-    <refpurpose>Shorewall file to define HTB classes</refpurpose>
+    <refpurpose>Shorewall file to define HTB and HFSC classes</refpurpose>
  </refnamediv>

  <refsynopsisdiv>
@@ -166,8 +166,8 @@
          marking the traffic you want to fit in the classes defined in here.
          Must be specified as '-' if the <emphasis
          role="bold">classify</emphasis> option is given for the interface in
-          <ulink
-          url="shorewall-tcdevices.html">shorewall-tcdevices</ulink>(5)</para>
+          <ulink url="shorewall-tcdevices.html">shorewall-tcdevices</ulink>(5)
+          and you are running Shorewall 4.5.5 or earlier.</para>

          <para>You can use the same marks for different interfaces.</para>
        </listitem>
@@ -175,7 +175,7 @@

      <varlistentry>
        <term><emphasis role="bold">RATE</emphasis> -
-        <emphasis>rate</emphasis>[:<emphasis>dmax</emphasis>[:<emphasis>umax</emphasis>]]</term>
+        {-|<emphasis>rate</emphasis>[:<emphasis>dmax</emphasis>[:<emphasis>umax</emphasis>]]}</term>

        <listitem>
          <para>The minimum bandwidth this class should get, when the traffic
@@ -185,11 +185,12 @@
          class exceed the CEIL of the parent class, things don't work
          well.</para>

-          <para>When using the HFSC queuing discipline, leaf classes may
-          specify <replaceable>dmax</replaceable>, the maximum delay in
-          milliseconds that the first queued packet for this class should
-          experience. May be expressed as an integer, optionally followed by
-          'ms' with no intervening white space (e.g., 10ms).</para>
+          <para>When using the HFSC queuing discipline, this column specify
+          the real-time (RT) service curve. leaf classes may specify
+          <replaceable>dmax</replaceable>, the maximum delay in milliseconds
+          that the first queued packet for this class should experience. May
+          be expressed as an integer, optionally followed by 'ms' with no
+          intervening white space (e.g., 10ms).</para>

          <para>HFSC leaf classes may also specify
          <replaceable>umax</replaceable>, the largest packet expected in this
@@ -198,12 +199,18 @@
          followed by 'b' with no intervening white space (e.g., 800b).
          <replaceable>umax</replaceable> may only be given if
          <replaceable>dmax</replaceable> is also given.</para>
+
+          <para>Beginning with Shorewall 4.5.6, HFSC classes may omit this
+          column (e.g, '-' in the column), provided that an
+          <replaceable>lsrate</replaceable> is specified (see CEIL below).
+          These rates are used to arbitrate between classes of the same
+          priority.</para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term><emphasis role="bold">CEIL</emphasis> -
-        <emphasis>rate</emphasis></term>
+        [<emphasis>lsrate</emphasis>:]<emphasis>rate</emphasis></term>

        <listitem>
          <para>The maximum bandwidth this class is allowed to use when the
@@ -214,6 +221,9 @@
          here for setting the maximum bandwidth to the RATE of the parent
          class, or the OUT-BANDWIDTH of the device if there is no parent
          class.</para>
+
+          <para>Beginning with Shorewall 4.5.6, you can also specify an
+          <replaceable>lsrate</replaceable> (link sharing rate).</para>
        </listitem>
      </varlistentry>

@@ -222,17 +232,47 @@
        <emphasis>priority</emphasis></term>

        <listitem>
-          <para>The <emphasis>priority</emphasis> in which classes will be
-          serviced by the packet shaping scheduler and also the priority in
-          which bandwidth in excess of the rate will be given to each
-          class.</para>
+          <para>For HTB:</para>

-          <para>Higher priority classes will experience less delay since they
-          are serviced first. Priority values are serviced in ascending order
-          (e.g. 0 is higher priority than 1).</para>
+          <blockquote>
+            <para>The <emphasis>priority</emphasis> in which classes will be
+            serviced by the packet shaping scheduler and also the priority in
+            which bandwidth in excess of the rate will be given to each
+            class.</para>

-          <para>Classes may be set to the same priority, in which case they
-          will be serviced as equals.</para>
+            <para>Higher priority classes will experience less delay since
+            they are serviced first. Priority values are serviced in ascending
+            order (e.g. 0 is higher priority than 1).</para>
+
+            <para>Classes may be set to the same priority, in which case they
+            will be serviced as equals.</para>
+          </blockquote>
+
+          <para>For both HTB and HFSC, the <emphasis>priority</emphasis> is
+          used to calculate the priority of following Shorewall-generated
+          classification filters that refer to the class:</para>
+
+          <itemizedlist>
+            <listitem>
+              <para>Packet MARK</para>
+            </listitem>
+
+            <listitem>
+              <para><emphasis role="bold">tcp-ack</emphasis> and the <emphasis
+              role="bold">tos</emphasis> options (see below)</para>
+            </listitem>
+          </itemizedlist>
+
+          <para> The rules for classes with lower numeric priorities will
+          appear before those with higher numeric priorities. </para>
+
+          <para>Beginning with Shorewall 4.5.8, the PRIORITY may be omitted
+          from an HFSC class if you do not use the MARK column or the
+          <emphasis role="bold">tcp-ack</emphasis> or <emphasis
+          role="bold">tos</emphasis> options. If you use any of those features
+          and omit the PRIORITY, then you must specify a
+          <replaceable>priority</replaceable> along with the MARK or
+          option.</para>
        </listitem>
      </varlistentry>

@@ -253,7 +293,7 @@
                <para>This is the default class for that interface where all
                traffic should go, that is not classified otherwise.</para>

-                <para></para>
+                <para/>

                <note>
                  <para>You must define <emphasis
@@ -265,7 +305,7 @@

            <varlistentry>
              <term><emphasis
-              role="bold">tos=0x</emphasis><emphasis>value</emphasis>[/0x<emphasis>mask</emphasis>]
+              role="bold">tos=0x</emphasis><emphasis>value</emphasis>[/0x<emphasis>mask</emphasis>][:<replaceable>priority</replaceable>]
              (mask defaults to 0xff)</term>

              <listitem>
@@ -273,12 +313,20 @@
                <emphasis>value</emphasis>/<emphasis>mask</emphasis>
                combination of the IP packet's TOS/Precedence/DiffSrv octet
                (aka the TOS byte).</para>
+
+                <para>Beginning with Shorewall 4.5.8, the
+                <replaceable>value/mask</replaceable> may be followed by a
+                colon (":") and a <replaceable>priority</replaceable>. This
+                priority determines the order in which filter rules are
+                processed during packet classification. If not specified, the
+                value (<replaceable>class priority</replaceable> &lt;&lt; 8) |
+                10) is used.</para>
              </listitem>
            </varlistentry>

            <varlistentry>
              <term><emphasis
-              role="bold">tos-</emphasis><emphasis>tosname</emphasis></term>
+              role="bold">tos-</emphasis><emphasis>tosname</emphasis>[:<replaceable>priority</replaceable>]</term>

              <listitem>
                <para>Aliases for the following TOS octet value and mask
@@ -286,6 +334,14 @@
                deprecated in favor of diffserve classes, but programs like
                ssh, rlogin, and ftp still use them.</para>

+                <para>Beginning with Shorewall 4.5.8, the
+                <replaceable>tos-name</replaceable> may be followed by a colon
+                (":") and a <replaceable>priority</replaceable>. This priority
+                determines the order in which filter rules are processed
+                during packet classification. If not specified, the value
+                (<replaceable>class priority</replaceable> &lt;&lt; 8) | 10)
+                is used.</para>
+
                <programlisting>        <emphasis role="bold">tos-minimize-delay</emphasis>       0x10/0x10
        <emphasis role="bold">tos-maximize-throughput</emphasis>  0x08/0x08
        <emphasis role="bold">tos-maximize-reliability</emphasis> 0x04/0x04
@@ -300,7 +356,8 @@
            </varlistentry>

            <varlistentry>
-              <term><emphasis role="bold">tcp-ack</emphasis></term>
+              <term><emphasis
+              role="bold">tcp-ack[:<replaceable>priority</replaceable>]</emphasis></term>

              <listitem>
                <para>If defined, causes a tc filter to be created that puts
@@ -310,7 +367,13 @@
                limited to 64 bytes because we want only packets WITHOUT
                payload to match.</para>

-                <para></para>
+                <para>Beginning with Shorewall 4.5.8, the <emphasis
+                role="bold">tcp-ack</emphasis> may be followed by a colon
+                (":") and a <replaceable>priority</replaceable>. This priority
+                determines the order in which filter rules are processed
+                during packet classification. If not specified, the value
+                (<replaceable>class priority</replaceable> &lt;&lt; 8) | 20)
+                is used.</para>

                <note>
                  <para>This option is only valid for ONE class per
@@ -430,6 +493,121 @@
                assumed.</para>
              </listitem>
            </varlistentry>
+
+            <varlistentry>
+              <term>red=(<replaceable>redoption</replaceable>=<replaceable>value</replaceable>,
+              ...)</term>
+
+              <listitem>
+                <para>Added in Shorewall 4.5.6. When specified on a leaf
+                class, causes the class to use the RED (Random Early
+                Detection) queuing discipline rather than SFQ. See tc-red (8)
+                for additional information.</para>
+
+                <para>Allowable redoptions are:</para>
+
+                <variablelist>
+                  <varlistentry>
+                    <term>min <replaceable>min</replaceable></term>
+
+                    <listitem>
+                      <para>Average queue size at which marking becomes a
+                      possibility.</para>
+                    </listitem>
+                  </varlistentry>
+
+                  <varlistentry>
+                    <term>max <replaceable>max</replaceable></term>
+
+                    <listitem>
+                      <para>At this average queue size, the marking
+                      probability is maximal. Must be at least twice
+                      <replaceable>min</replaceable> to prevent synchronous
+                      retransmits, higher for low
+                      <replaceable>min</replaceable>.</para>
+                    </listitem>
+                  </varlistentry>
+
+                  <varlistentry>
+                    <term>probability
+                    <replaceable>probability</replaceable></term>
+
+                    <listitem>
+                      <para>Maximum probability for marking, specified as a
+                      floating point number from 0.0 to 1.0. Suggested values
+                      are 0.01 or 0.02 (1 or 2%, respectively).</para>
+                    </listitem>
+                  </varlistentry>
+
+                  <varlistentry>
+                    <term>limit <replaceable>limit</replaceable></term>
+
+                    <listitem>
+                      <para>Hard limit on the real (not average) queue size in
+                      bytes. Further packets are dropped. Should be set higher
+                      than
+                      <replaceable>max</replaceable>+<replaceable>burst</replaceable>.
+                      It is advised to set this a few times higher than
+                      <replaceable>max</replaceable>. Shorewall requires that
+                      <replaceable>limit</replaceable> be at least twice
+                      <replaceable>min</replaceable>.</para>
+                    </listitem>
+                  </varlistentry>
+
+                  <varlistentry>
+                    <term>burst <replaceable>burst</replaceable></term>
+
+                    <listitem>
+                      <para>Used for determining how fast the average queue
+                      size is influenced by the real queue size. Larger values
+                      make the calculation more sluggish, allowing longer
+                      bursts of traffic before marking starts. Real life
+                      experiments support the following guide‐line:
+                      (<replaceable>min</replaceable>+<replaceable>min</replaceable>+<replaceable>max</replaceable>)/(3*<replaceable>avpkt</replaceable>).</para>
+                    </listitem>
+                  </varlistentry>
+
+                  <varlistentry>
+                    <term>avpkt <replaceable>avpkt</replaceable></term>
+
+                    <listitem>
+                      <para>Optional. Specified in bytes. Used with burst to
+                      determine the time constant for average queue size
+                      calculations. 1000 is a good value and is the Shorewall
+                      default.</para>
+                    </listitem>
+                  </varlistentry>
+
+                  <varlistentry>
+                    <term>bandwidth
+                    <replaceable>bandwidth</replaceable></term>
+
+                    <listitem>
+                      <para>Optional. This rate is used for calculating the
+                      average queue size after some idle time. Should be set
+                      to the bandwidth of your interface. Does not mean that
+                      RED will shape for you!</para>
+                    </listitem>
+                  </varlistentry>
+
+                  <varlistentry>
+                    <term>ecn</term>
+
+                    <listitem>
+                      <para>RED can either 'mark' or 'drop'. Explicit
+                      Congestion Notification allows RED to notify remote
+                      hosts that their rate exceeds the amount of bandwidth
+                      available. Non-ECN capable hosts can only be notified by
+                      dropping a packet. If this parameter is specified,
+                      packets which indicate that their hosts honor ECN will
+                      only be marked and not dropped, unless the queue size
+                      hits <replaceable>limit</replaceable> bytes. Needs a tc
+                      binary with RED support compiled in. Recommended.</para>
+                    </listitem>
+                  </varlistentry>
+                </variablelist>
+              </listitem>
+            </varlistentry>
          </variablelist>
        </listitem>
      </varlistentry>
@@ -503,6 +681,10 @@
    <para><ulink
    url="http://shorewall.net/configuration_file_basics.htm#Pairs">http://shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>

+    <para>tc-hfsc(7)</para>
+
+    <para>tc-red(8)</para>
+
    <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
    shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5),
    shorewall-ipsets(5), shorewall-maclist(5), shorewall-masq(5),
--- a/Shorewall/manpages/shorewall-tcdevices.xml
+++ b/Shorewall/manpages/shorewall-tcdevices.xml
@@ -179,7 +179,17 @@
      <varlistentry>
        <term><emphasis role="bold">OPTIONS</emphasis> - {<emphasis
        role="bold">-</emphasis>|<emphasis
-        role="bold">{classify</emphasis>|hfsc} ,...}</term>
+        role="bold">{classify</emphasis>|<emphasis
+        role="bold">htb|hfsc</emphasis>|<emphasis
+        role="bold">linklayer</emphasis>={<emphasis
+        role="bold">ethernet</emphasis>|<emphasis
+        role="bold">atm</emphasis>|<emphasis
+        role="bold">adsl</emphasis>}|<emphasis
+        role="bold">tsize</emphasis>=<replaceable>tsize</replaceable>|<emphasis
+        role="bold">mtu</emphasis>=<replaceable>mtu</replaceable>|<emphasis
+        role="bold">mpu</emphasis>=<replaceable>mpu</replaceable>|<emphasis
+        role="bold">overhead</emphasis>=<replaceable>overhead</replaceable>}
+        ,...}</term>

        <listitem>
          <para><option>classify</option> ― When specified, Shorewall will not
@@ -187,10 +197,40 @@
          marks. You must do all classification using CLASSIFY rules in <ulink
          url="shorewall-tcrules.html">shorewall-tcrules</ulink>(5).</para>

+          <para><option>htb</option> - Use the <firstterm>Hierarchical Token
+          Bucket</firstterm> queuing discipline. This is the default.</para>
+
          <para><option>hfsc</option> - Shorewall normally uses the
-          <firstterm>Hierarchical Token Bucket</firstterm> queuing discipline.
-          When <option>hfsc</option> is specified, the <firstterm>Hierarchical
-          Fair Service Curves</firstterm> discipline is used instead.</para>
+          Hierarchical Token Bucket queuing discipline. When
+          <option>hfsc</option> is specified, the <firstterm>Hierarchical Fair
+          Service Curves</firstterm> discipline is used instead (see tc-hfsc
+          (7)).</para>
+
+          <para><emphasis role="bold">linklayer</emphasis> - Added in
+          Shorewall 4.5.6. Type of link (ethernet, atm, adsl). When specified,
+          causes scheduler packet size manipulation as described in tc-stab
+          (8). When this option is given, the following options may also be
+          given after it:</para>
+
+          <blockquote>
+            <para><emphasis
+            role="bold">mtu</emphasis>=<replaceable>mtu</replaceable> - The
+            device MTU; default 2048 (will be rounded up to a power of
+            two)</para>
+
+            <para><emphasis
+            role="bold">mpu</emphasis>=<replaceable>mpubytes</replaceable> -
+            Minimum packet size used in calculations. Smaller packets will be
+            rounded up to this size</para>
+
+            <para><emphasis
+            role="bold">tsize</emphasis>=<replaceable>tablesize</replaceable>
+            - Size table entries; default is 512</para>
+
+            <para><emphasis
+            role="bold">overhead</emphasis>=<replaceable>overheadbytes</replaceable>
+            - Number of overhead bytes per packet.</para>
+          </blockquote>
        </listitem>
      </varlistentry>

@@ -240,6 +280,8 @@
  <refsect1>
    <title>See ALSO</title>

+    <para>tc-hfsc (7)</para>
+
    <para><ulink
    url="http://shorewall.net/traffic_shaping.htm">http://shorewall.net/traffic_shaping.htm</ulink></para>

--- a/Shorewall/manpages/shorewall-tcfilters.xml
+++ b/Shorewall/manpages/shorewall-tcfilters.xml
@@ -189,6 +189,73 @@
          <replaceable>number</replaceable> will match the rule.</para>
        </listitem>
      </varlistentry>
+
+      <varlistentry>
+        <term><emphasis role="bold">PRIORITY</emphasis> - [<emphasis
+        role="bold">-</emphasis>|<emphasis>priority</emphasis>]</term>
+
+        <listitem>
+          <para>Added in Shorewall 4.5.8. Specifies the rule
+          <replaceable>priority</replaceable>. The
+          <replaceable>priority</replaceable> value must be &gt; 0 and &lt;=
+          65535.</para>
+
+          <para>When a <replaceable>priority</replaceable> is not
+          given:</para>
+
+          <itemizedlist>
+            <listitem>
+              <para>For Shorewall versions prior to 4.5.8 - all filters have
+              priority 10.</para>
+            </listitem>
+
+            <listitem>
+              <para>For Shorewall 4.5.8 and later - for each device, the
+              compiler maintains a <firstterm>high-water priority</firstterm>
+              with an initial value of 0. When a filter has no
+              <replaceable>priority</replaceable>, the high-water priority is
+              incremented by 1 and assigned to the filter. When a
+              <replaceable>priority</replaceable> greater than the high-water
+              priority is entered in this column, the high-water priority is
+              set to the specified <replaceable>priority</replaceable>. An
+              attempt to assign a priority value greater than 65535
+              (explicitly or implicitly) raises an error.</para>
+            </listitem>
+          </itemizedlist>
+
+          <para>The default priority values used by other Shorewall-generated
+          filters are as follows:</para>
+
+          <itemizedlist>
+            <listitem>
+              <para>Classify by packet mark - ( <replaceable>class
+              priority</replaceable> &lt;&lt; 8 ) | 20.</para>
+            </listitem>
+
+            <listitem>
+              <para>Ingress policing - 10</para>
+            </listitem>
+
+            <listitem>
+              <para>Simple TC ACK packets - 1</para>
+            </listitem>
+
+            <listitem>
+              <para>Complex TC ACK packets - ( <replaceable>class
+              priority</replaceable> &lt;&lt; 8 ) | 10.</para>
+            </listitem>
+
+            <listitem>
+              <para>Classify by TOS - ( <replaceable>class
+              priority</replaceable> &lt;&lt; 8 ) | 15.</para>
+            </listitem>
+
+            <listitem>
+              <para>Class with 'occurs' - 65535</para>
+            </listitem>
+          </itemizedlist>
+        </listitem>
+      </varlistentry>
    </variablelist>
  </refsect1>

@@ -218,6 +285,23 @@
       1:10      ::/0      ::/0         icmp6   echo-reply</programlisting>
        </listitem>
      </varlistentry>
+
+      <varlistentry>
+        <term>Example 2:</term>
+
+        <listitem>
+          <para>Add two filters with priority 10 (Shorewall 4.5.8 or
+          later).</para>
+
+          <programlisting>       #CLASS    SOURCE    DEST         PROTO   DEST            PRIORITY
+       #                                        PORT
+
+       IPV4
+
+       1:10      0.0.0.0/0 0.0.0.0/0    icmp    echo-request    10
+       1:10      0.0.0.0/0 0.0.0.0/0    icmp    echo-reply      10</programlisting>
+        </listitem>
+      </varlistentry>
    </variablelist>
  </refsect1>

--- a/Shorewall/manpages/shorewall-tcrules.xml
+++ b/Shorewall/manpages/shorewall-tcrules.xml
@@ -515,11 +515,17 @@ SAME              $FW            0.0.0.0/0    tcp        80,443</programlisting>
              role="bold">-</emphasis>|<emphasis
              role="bold">+</emphasis>]<replaceable>number</replaceable>)</para>

-              <para>Added in Shorewall 4.4.24. May be option followed by
+              <para>Added in Shorewall 4.4.24.</para>
+
+              <para>Prior to Shorewall 4.5.7.2, may be optionally followed by
              <emphasis role="bold">:F</emphasis> but the resulting rule is
-              always added to the FORWARD chain. If <emphasis
-              role="bold">+</emphasis> is included, packets matching the rule
-              will have their TTL incremented by
+              always added to the FORWARD chain. Beginning with Shorewall
+              4.5.7.s, it may be optionally followed by <emphasis
+              role="bold">:P</emphasis>, in which case the rule is added to
+              the PREROUTING chain.</para>
+
+              <para>If <emphasis role="bold">+</emphasis> is included, packets
+              matching the rule will have their TTL incremented by
              <replaceable>number</replaceable>. Similarly, if <emphasis
              role="bold">-</emphasis> is included, matching packets have
              their TTL decremented by <replaceable>number</replaceable>. If
@@ -573,6 +579,9 @@ SAME              $FW            0.0.0.0/0    tcp        80,443</programlisting>
    AF43 =&gt; 0x26
    EF   =&gt; 0x2e</programlisting>

+              <para>To indicate more than one class, add their hex values
+              together and specify the result.</para>
+
              <para>May be optionally followed by ':' and a capital letter
              designating the chain where classification is to occur.</para>

@@ -611,6 +620,9 @@ Maximize-Reliability =&gt; 0x04,
 Minimize-Cost        =&gt; 0x02,
 Normal-Service       =&gt; 0x00</programlisting>

+              <para>To indicate more than one class, add their hex values
+              together and specify the result.</para>
+
              <para>When <replaceable>tos</replaceable> is given as a number,
              it may be optionally followed by '/' and a
              <replaceable>mask</replaceable>. When no
@@ -1002,10 +1014,7 @@ Normal-Service       =&gt; 0x00</programlisting>
          <para>Names a Netfiler protocol <firstterm>helper</firstterm> module
          such as <option>ftp</option>, <option>sip</option>,
          <option>amanda</option>, etc. A packet will match if it was accepted
-          by the named helper module. You can also append "-" and a port
-          number to the helper module name (e.g., <emphasis
-          role="bold">ftp-21</emphasis>) to specify the port number that the
-          original connection was made on.</para>
+          by the named helper module.</para>

          <para>Example: Mark all FTP data connections with mark
          4:<programlisting>#ACTION   SOURCE    DEST      PROTO   PORT(S)    SOURCE  USER TEST LENGTH TOS CONNBYTES HELPER
--- a/Shorewall/manpages/shorewall-tos.xml
+++ b/Shorewall/manpages/shorewall-tos.xml
@@ -96,13 +96,16 @@
        <emphasis>tos</emphasis></term>

        <listitem>
-          <para>Must be one of the following;</para>
+          <para>Must may one of the following;</para>

          <programlisting>        <emphasis role="bold">tos-minimize-delay</emphasis> (16)
        <emphasis role="bold">tos-maximize-throughput</emphasis> (8)
        <emphasis role="bold">tos-maximize-reliability</emphasis> (4)
        <emphasis role="bold">tos-minimize-cost</emphasis> (2)
        <emphasis role="bold">tos-normal-service</emphasis> (0)</programlisting>
+
+          <para>To specify more than one flag, add their values together and
+          specify the numeric result.</para>
        </listitem>
      </varlistentry>

--- a/Shorewall/manpages/shorewall.conf.xml
+++ b/Shorewall/manpages/shorewall.conf.xml
@@ -96,7 +96,7 @@
        role="bold">none</emphasis>}</term>

        <listitem>
-          <para/>
+          <para></para>
        </listitem>
      </varlistentry>

@@ -106,7 +106,7 @@
        role="bold">none</emphasis>}</term>

        <listitem>
-          <para/>
+          <para></para>
        </listitem>
      </varlistentry>

@@ -116,7 +116,7 @@
        role="bold">none</emphasis>}</term>

        <listitem>
-          <para/>
+          <para></para>
        </listitem>
      </varlistentry>

@@ -126,7 +126,7 @@
        role="bold">none</emphasis>}</term>

        <listitem>
-          <para/>
+          <para></para>
        </listitem>
      </varlistentry>

@@ -283,14 +283,14 @@
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">AUTO_COMMENT=</emphasis>[<emphasis
+        <term><emphasis role="bold">AUTOCOMMENT=</emphasis>[<emphasis
        role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>

        <listitem>
-          <para>If set, if there is not a current comment when a macro is
-          invoked, the behavior is as if the first line of the macro file was
-          "COMMENT &lt;macro name&gt;". The AUTO_COMMENT option has a default
-          value of 'Yes'.</para>
+          <para>Formerly named AUTO_COMMENT. If set, if there is not a current
+          comment when a macro is invoked, the behavior is as if the first
+          line of the macro file was "COMMENT &lt;macro name&gt;". The
+          AUTO_COMMENT option has a default value of 'Yes'.</para>

          <para>The setting of the AUTOMAKE option is ignored if the
          <command>start</command> or <command>restart</command> command
@@ -299,6 +299,49 @@
        </listitem>
      </varlistentry>

+      <varlistentry>
+        <term><emphasis role="bold">AUTOHELPERS=</emphasis>[<emphasis
+        role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>
+
+        <listitem>
+          <para>Added in Shorewall 4.5.7. When set to <option>Yes</option>
+          (the default), the generated ruleset will automatically associate
+          helpers with applications that require them (FTP, IRC, etc.). When
+          configuring your firewall on systems running kernel 3.5 or later, it
+          is recommended that you:</para>
+
+          <orderedlist>
+            <listitem>
+              <para>Set AUTOHELPERS=No.</para>
+            </listitem>
+
+            <listitem>
+              <para>Either:</para>
+
+              <orderedlist numeration="loweralpha">
+                <listitem>
+                  <para>Modify <ulink
+                  url="shorewall-conntrack.html">shorewall-conntrack</ulink>
+                  (5) to only apply helpers where they are required; or</para>
+                </listitem>
+
+                <listitem>
+                  <para>Specify the appropriate helper in the HELPER column in
+                  <ulink url="shorewall-rules.html">shorewall-rules</ulink>
+                  (5).</para>
+
+                  <note>
+                    <para>The macros for those applications requiring a helper
+                    automatically specify the appropriate HELPER where
+                    required.</para>
+                  </note>
+                </listitem>
+              </orderedlist>
+            </listitem>
+          </orderedlist>
+        </listitem>
+      </varlistentry>
+
      <varlistentry>
        <term><emphasis role="bold">AUTOMAKE=</emphasis>[<emphasis
        role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>
@@ -482,7 +525,7 @@
          </itemizedlist>

          <blockquote>
-            <para/>
+            <para></para>

            <para>If CONFIG_PATH is not given or if it is set to the empty
            value then the contents of /usr/share/shorewall/configpath are
@@ -677,13 +720,73 @@ net     all  DROP   info</programlisting>then the chain name is 'net2all'
          <para>Added in Shorewall 4.5.4. Specifies the pathname of the
          directory containing the <firstterm>GeoIP Match</firstterm>
          database. See <ulink
-          url="http://www.shorewall.net/ISOCODES.html">http://www.shorewall.net/ISOCODES.html</ulink>.
+          url="http://www.shorewall.net/ISO-3661.html">http://www.shorewall.net/ISO-3661.html</ulink>.
          If not specified, the default value is
          <filename>/usr/share/xt_geoip/LE</filename> which is the default
          location of the little-endian database.</para>
        </listitem>
      </varlistentry>

+      <varlistentry>
+        <term><emphasis
+        role="bold">HELPERS</emphasis>=[<emphasis>helper</emphasis>[,<replaceable>helper</replaceable>...]]</term>
+
+        <listitem>
+          <para>Added in Shorewall 4.5.7. This option lists the Netfilter
+          application helps that are to be enabled. If not specified, the
+          default is to enable all helpers.</para>
+
+          <para>Possible values for <replaceable>helper</replaceable>
+          are:</para>
+
+          <itemizedlist>
+            <listitem>
+              <para>amanda</para>
+            </listitem>
+
+            <listitem>
+              <para>ftp</para>
+            </listitem>
+
+            <listitem>
+              <para>h323</para>
+            </listitem>
+
+            <listitem>
+              <para>irc</para>
+            </listitem>
+
+            <listitem>
+              <para>netbios-ns</para>
+            </listitem>
+
+            <listitem>
+              <para>pptp</para>
+            </listitem>
+
+            <listitem>
+              <para>sane</para>
+            </listitem>
+
+            <listitem>
+              <para>sip</para>
+            </listitem>
+
+            <listitem>
+              <para>snmp</para>
+            </listitem>
+
+            <listitem>
+              <para>tftp</para>
+            </listitem>
+          </itemizedlist>
+
+          <para>When HELPERS is specified on a system running Kernel 3.5.0 or
+          later, automatic association of helpers to connections is
+          disabled.</para>
+        </listitem>
+      </varlistentry>
+
      <varlistentry>
        <term><emphasis role="bold">HIGH_ROUTE_MARKS=</emphasis>{<emphasis
        role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>}</term>
@@ -829,7 +932,7 @@ net     all  DROP   info</programlisting>then the chain name is 'net2all'
            </varlistentry>
          </variablelist>

-          <para/>
+          <para></para>

          <blockquote>
            <para>If this variable is not set or is given an empty value
@@ -1039,7 +1142,7 @@ net     all  DROP   info</programlisting>then the chain name is 'net2all'
            </listitem>
          </itemizedlist>

-          <para/>
+          <para></para>

          <blockquote>
            <para>For example, using the default LOGFORMAT, the log prefix for
@@ -1056,7 +1159,7 @@ net     all  DROP   info</programlisting>then the chain name is 'net2all'
              control your firewall after you enable this option.</para>
            </important>

-            <para/>
+            <para></para>

            <caution>
              <para>Do not use this option if the resulting log messages will
@@ -1437,6 +1540,17 @@ net     all  DROP   info</programlisting>then the chain name is 'net2all'
        </listitem>
      </varlistentry>

+      <varlistentry>
+        <term><emphasis
+        role="bold">NFACCT=</emphasis>[<emphasis>pathname</emphasis>]</term>
+
+        <listitem>
+          <para>Added in Shorewall 4.5.7. Specifies the pathname of the nfacct
+          utiliity. If not specified, Shorewall will use the PATH settting to
+          find the program.</para>
+        </listitem>
+      </varlistentry>
+
      <varlistentry>
        <term><emphasis role="bold">NULL_ROUTE_RFC1918=</emphasis>[<emphasis
        role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>
@@ -1709,7 +1823,7 @@ net     all  DROP   info</programlisting>then the chain name is 'net2all'
        role="bold">"</emphasis></term>

        <listitem>
-          <para/>
+          <para></para>
        </listitem>
      </varlistentry>

@@ -1879,6 +1993,33 @@ net     all  DROP   info</programlisting>then the chain name is 'net2all'
        </listitem>
      </varlistentry>

+      <varlistentry>
+        <term><emphasis role="bold">RPFILTER_DISPOSITION=</emphasis>[<emphasis
+        role="bold">DROP</emphasis>|<emphasis
+        role="bold">REJECT</emphasis>|A_DROP|A_REJECT]</term>
+
+        <listitem>
+          <para>Added in Shorewall 4.5.7. Determines the disposition of
+          packets entering from interfaces the <option>rpfilter</option>
+          option (see <ulink
+          url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5)).
+          Packets disposed of by this option are those whose response packets
+          would not be sent through the same interface receiving the
+          packet.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><emphasis
+        role="bold">RPFILTER_LOG_LEVEL=</emphasis><emphasis>log-level</emphasis></term>
+
+        <listitem>
+          <para>Added in shorewall 4.5.7. Determines the logging of packets
+          disposed via the RPFILTER_DISPOSITION. The default value is
+          <option>info</option>.</para>
+        </listitem>
+      </varlistentry>
+
      <varlistentry>
        <term><emphasis role="bold">SAVE_IPSETS=</emphasis>{<emphasis
        role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>}</term>
@@ -1900,7 +2041,7 @@ net     all  DROP   info</programlisting>then the chain name is 'net2all'

        <listitem>
          <para>Added in Shorewall 4.4.20. Determines the disposition of
-          packets matching the <option>filter</option> option (see <ulink
+          packets matching the <option>sfilter</option> option (see <ulink
          url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5)) and
          of <firstterm>hairpin</firstterm> packets on interfaces without the
          <option>routeback</option> option.<footnote>
@@ -1916,7 +2057,7 @@ net     all  DROP   info</programlisting>then the chain name is 'net2all'

        <listitem>
          <para>Added on Shorewall 4.4.20. Determines the logging of packets
-          matching the <option>filter</option> option (see <ulink
+          matching the <option>sfilter</option> option (see <ulink
          url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5)) and
          of <firstterm>hairpin</firstterm> packets on interfaces without the
          <option>routeback</option> option.<footnote>
--- a/Shorewall/manpages/shorewall.xml
+++ b/Shorewall/manpages/shorewall.xml
@@ -1623,9 +1623,11 @@
          temporary saved configuration
          (<filename>/var/lib/shorewall/.try</filename>). Next, if Shorewall
          is currently started then a <emphasis role="bold">restart</emphasis>
-          command is issued; otherwise, a <emphasis
-          role="bold">start</emphasis> command is performed. if an error
-          occurs during the compliation phase of the <emphasis
+          command is issued using the specified configuration
+          <replaceable>directory</replaceable>; otherwise, a <emphasis
+          role="bold">start</emphasis> command is performed using the
+          specified configuration <replaceable>directory</replaceable>. if an
+          error occurs during the compliation phase of the <emphasis
          role="bold">restart</emphasis> or <emphasis
          role="bold">start</emphasis>, the command terminates without
          changing the Shorewall state. If an error occurs during the
--- a/Shorewall/modules.essential
+++ b/Shorewall/modules.essential
@@ -25,6 +25,7 @@ loadmodule ip_conntrack
 loadmodule nf_conntrack
 loadmodule nf_conntrack_ipv4
 loadmodule iptable_nat
+loadmodule iptable_raw
 loadmodule xt_state
 loadmodule xt_tcpudp
 loadmodule ipt_LOG
--- a/Shorewall/shorewall
+++ b/Shorewall/shorewall
@@ -25,18 +25,18 @@
 #       For a list of supported commands, type 'shorewall help' or 'shorewall6 help'
 #
 ################################################################################################
-g_program=shorewall
+PRODUCT=shorewall

 #
 # This is modified by the installer when ${SHAREDIR} != /usr/share
 #
 . /usr/share/shorewall/shorewallrc

+g_program=$PRODUCT
 g_libexec="$LIBEXECDIR"
 g_sharedir="$SHAREDIR"/shorewall
 g_sbindir="$SBINDIR"
 g_perllib="$PERLLIBDIR"
-g_vardir="$VARDIR"
 g_confdir="$CONFDIR"/shorewall
 g_readrc=1

--- a/Shorewall6-lite/init.fedora.sh
+++ b/Shorewall6-lite/init.fedora.sh
--- a/Shorewall6-lite/init.suse.sh
+++ b/Shorewall6-lite/init.suse.sh
@@ -0,0 +1,87 @@
+#!/bin/sh
+#
+#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V4.5
+#
+#     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
+#
+#     (c) 1999,2000,2001,2002,2003,2004,2005,2006,2007,2012 - Tom Eastep (teastep@shorewall.net)
+#
+#	On most distributions, this file should be called /etc/init.d/shorewall.
+#
+#	Complete documentation is available at http://shorewall.net
+#
+#	This program is free software; you can redistribute it and/or modify
+#	it under the terms of Version 2 of the GNU General Public License
+#	as published by the Free Software Foundation.
+#
+#	This program is distributed in the hope that it will be useful,
+#	but WITHOUT ANY WARRANTY; without even the implied warranty of
+#	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+#	GNU General Public License for more details.
+#
+#	You should have received a copy of the GNU General Public License
+#	along with this program; if not, write to the Free Software
+#	Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+#	If an error occurs while starting or restarting the firewall, the
+#	firewall is automatically stopped.
+#
+#	Commands are:
+#
+#	   shorewall6-lite start			  Starts the firewall
+#	   shorewall6-lite restart			  Restarts the firewall
+#	   shorewall6-lite reload			  Reload the firewall
+#						          (same as restart)
+#	   shorewall6-lite stop 			  Stops the firewall
+#	   shorewall6-lite status			  Displays firewall status
+#
+
+### BEGIN INIT INFO
+# Provides:	  shorewall6-lite
+# Required-Start: $local_fs $remote_fs $syslog $network
+# Required-Stop:  $network $remote_fs
+# Default-Start:  2 3 5
+# Default-Stop:	  0 1 6
+# Description:	  starts and stops the shorewall firewall
+# Short-Description: Packet filtering firewall
+### END INIT INFO
+
+################################################################################
+# Give Usage Information						       #
+################################################################################
+usage() {
+    echo "Usage: $0 start|stop|reload|restart|status"
+    exit 1
+}
+
+################################################################################
+# Get startup options (override default)
+################################################################################
+OPTIONS=
+
+#
+# The installer may alter this
+#
+. /usr/share/shorewall/shorewallrc
+
+export SHOREWALL_INIT_SCRIPT=1
+
+################################################################################
+# E X E C U T I O N    B E G I N S   H E R E				       #
+################################################################################
+command="$1"
+
+case "$command" in
+    start)
+	exec ${SBINDIR}/shorewall6-lite $OPTIONS start $STARTOPTIONS
+	;;
+    restart|reload)
+	exec ${SBINDIR}/shorewall6-lite $OPTIONS restart $RESTARTOPTIONS
+	;;
+    status|stop)
+	exec ${SBINDIR}/shorewall6-lite $OPTIONS $command $@
+	;;
+    *)
+	usage
+	;;
+esac
--- a/Shorewall6-lite/shorewall6-lite
+++ b/Shorewall6-lite/shorewall6-lite
@@ -25,17 +25,17 @@
 #       For a list of supported commands, type 'shorewall help' or 'shorewall6 help'
 #
 ################################################################################################
-g_program=shorewall6-lite
+PRODUCT=shorewall6-lite

 #
 # This is modified by the installer when ${SHAREDIR} != /usr/share
 #
 . /usr/share/shorewall/shorewallrc

+g_program=$PRODUCT
 g_libexec="$LIBEXECDIR"
 g_sharedir="$SHAREDIR"/shorewall6-lite
 g_sbindir="$SBINDIR"
-g_vardir="$VARDIR"
 g_confdir="$CONFDIR"/shorewall6-lite
 g_readrc=1

--- a/Shorewall6/Samples6/Universal/rules
+++ b/Shorewall6/Samples6/Universal/rules
@@ -6,13 +6,14 @@
 # The manpage is also online at
 # http://www.shorewall.net/manpages/shorewall-rules.html
 #
-###########################################################################################################################################################################
-#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME       HEADERS   SWITCH
+######################################################################################################################################################################################
+#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME       HEADERS   SWITCH     HELPER
 #							PORT	PORT(S)		DEST		LIMIT		GROUP
 #SECTION ALL
 #SECTION ESTABLISHED
 #SECTION RELATED
 SECTION NEW

+Invalid(DROP)	net		$FW		tcp
 SSH(ACCEPT)	net		$FW
 Ping(ACCEPT)	net		$FW
--- a/Show More
+++ b/Show More