Add some decimal->hex convertions in routing rules.

Signed-off-by: Tom Eastep <teastep@shorewall.net>
Deprecate the current TPROXY implementation.
2012-05-10 11:11:15 -07:00 · 2012-05-10 11:02:08 -07:00 · 2012-05-10 07:29:59 -07:00
115 changed files with 2244 additions and 5437 deletions
--- a/Shorewall-core/configure
+++ b/Shorewall-core/configure
@@ -81,6 +81,9 @@ for p in $@; do
 		DATADIR)
 		    pn=SHAREDIR
 		    ;;
+		SYSCONFDIR)
+		    pn=CONFDIR
+		    ;;
 	    esac

 	    params[${pn}]="${pv}"
@@ -129,7 +132,7 @@ if [ -z "$vendor" ]; then

    vendor=${params[HOST]}
 elif [ $vendor = linux ]; then
-    rcfile=shorewallrc.default;
+    rcfile=$shorewallrc.default;
 else
    rcfile=shorewallrc.$vendor
    if [ ! -f $rcfile ]; then
@@ -178,7 +181,6 @@ for on in \
    SYSTEMD \
    SYSCONFFILE \
    SYSCONFDIR \
-    SPARSE \
    ANNOTATED \
    VARDIR
 do
--- a/Shorewall-core/configure.pl
+++ b/Shorewall-core/configure.pl
@@ -39,7 +39,8 @@ my %options;

 my %aliases = ( VENDOR         => 'HOST',
 		SHAREDSTATEDIR => 'VARDIR',
-		DATADIR        => 'SHAREDIR' );
+		DATADIR        => 'SHAREDIR',
+		SYSCONFDIR     => 'CONFDIR' );

 for ( @ARGV ) {
    die "ERROR: Invalid option specification ( $_ )" unless /^(?:--)?(\w+)=(.*)$/;
@@ -139,7 +140,6 @@ for ( qw/ HOST
 	  SYSTEMD
 	  SYSCONFFILE
 	  SYSCONFDIR
-	  SPARSE
 	  ANNOTATED
 	  VARDIR / ) {

--- a/Shorewall-core/lib.base
+++ b/Shorewall-core/lib.base
@@ -28,7 +28,7 @@
 #

 SHOREWALL_LIBVERSION=40502
-SHOREWALL_CAPVERSION=40504
+SHOREWALL_CAPVERSION=40502

 [ -n "${g_program:=shorewall}" ]

@@ -130,6 +130,71 @@ combine_list()
    echo $o
 }

+#
+# Call this function to assert mutual exclusion with Shorewall. If you invoke the
+# /sbin/shorewall program while holding mutual exclusion, you should pass "nolock" as
+# the first argument. Example "shorewall nolock refresh"
+#
+# This function uses the lockfile utility from procmail if it exists.
+# Otherwise, it uses a somewhat race-prone algorithm to attempt to simulate the
+# behavior of lockfile.
+#
+mutex_on()
+{
+    local try
+    try=0
+    local lockf
+    lockf=${LOCKFILE:=${VARDIR}/lock}
+    local lockpid
+
+    MUTEX_TIMEOUT=${MUTEX_TIMEOUT:-60}
+
+    if [ $MUTEX_TIMEOUT -gt 0 ]; then
+
+	[ -d ${VARDIR} ] || mkdir -p ${VARDIR}
+
+	if [ -f $lockf ]; then
+	    lockpid=`cat ${lockf} 2> /dev/null`
+	    if [ -z "$lockpid" -o $lockpid = 0 ]; then
+		rm -f ${lockf}
+		error_message "WARNING: Stale lockfile ${lockf} removed"
+	    elif ! qt ps p ${lockpid}; then
+		rm -f ${lockf}
+		error_message "WARNING: Stale lockfile ${lockf} from pid ${lockpid} removed"
+	    fi
+	fi
+
+	if qt mywhich lockfile; then
+	    lockfile -${MUTEX_TIMEOUT} -r1 ${lockf}
+	    chmod u+w ${lockf}
+	    echo $$ > ${lockf}
+	    chmod u-w ${lockf}
+	else
+	    while [ -f ${lockf} -a ${try} -lt ${MUTEX_TIMEOUT} ] ; do
+		sleep 1
+		try=$((${try} + 1))
+	    done
+
+	    if  [ ${try} -lt ${MUTEX_TIMEOUT} ] ; then
+	        # Create the lockfile
+		echo $$ > ${lockf}
+	    else
+		echo "Giving up on lock file ${lockf}" >&2
+	    fi
+	fi
+    fi
+}
+
+#
+# Call this function to release mutual exclusion
+#
+mutex_off()
+{
+    rm -f ${LOCKFILE:=${VARDIR}/lock}
+}
+
+[ -z "$LEFTSHIFT" ] && . ${g_basedir}/lib.common
+
 #
 # Validate an IP address
 #
@@ -258,8 +323,6 @@ ip_range_explicit() {
    done
 }

-[ -z "$LEFTSHIFT" ] && . ${g_basedir}/lib.common
-
 #
 # Netmask to VLSM
 #
--- a/Shorewall-core/lib.cli
+++ b/Shorewall-core/lib.cli
@@ -1994,7 +1994,6 @@ determine_capabilities() {
    IMQ_TARGET=
    DSCP_MATCH=
    DSCP_TARGET=
-    GEOIP_MATCH=

    chain=fooX$$

@@ -2203,7 +2202,6 @@ determine_capabilities() {
    qt $g_tool -A $chain -j NFLOG && NFLOG_TARGET=Yes
    qt $g_tool -A $chain -j MARK --set-mark 5 && MARK_ANYWHERE=Yes
    qt $g_tool -A $chain -m statistic --mode nth --every 2 --packet 1 && STATISTIC_MATCH=Yes
-    qt $g_tool -A $chain -m geoip --src-cc US && GEOIP_MATCH=Yes

    if [ $g_family -eq 4 ]; then
 	qt $g_tool -A $chain -j ACCOUNT --addr 192.168.1.0/29 --tname $chain && ACCOUNT_TARGET=Yes
@@ -2318,7 +2316,6 @@ report_capabilities() {
 	report_capability "IMQ Target (IMQ_TARGET)" $IMQ_TARGET
 	report_capability "DSCP Match (DSCP_MATCH)" $DSCP_MATCH
 	report_capability "DSCP Target (DSCP_TARGET)" $DSCP_TARGET
-	report_capability "Geo IP match" $GEOIP_MATCH

 	if [ $g_family -eq 4 ]; then
 	    report_capability "iptables -S (IPTABLES_S)" $IPTABLES_S
@@ -2409,7 +2406,6 @@ report_capabilities1() {
    report_capability1 IMQ_TARGET
    report_capability1 DSCP_MATCH
    report_capability1 DSCP_TARGET
-    report_capability1 GEOIP_MATCH

    echo CAPVERSION=$SHOREWALL_CAPVERSION
    echo KERNELVERSION=$KERNELVERSION
--- a/Shorewall-core/lib.common
+++ b/Shorewall-core/lib.common
@@ -717,69 +717,3 @@ truncate() # $1 = length
 {
    cut -b -${1}
 }
-
-#
-# Call this function to assert mutual exclusion with Shorewall. If you invoke the
-# /sbin/shorewall program while holding mutual exclusion, you should pass "nolock" as
-# the first argument. Example "shorewall nolock refresh"
-#
-# This function uses the lockfile utility from procmail if it exists.
-# Otherwise, it uses a somewhat race-prone algorithm to attempt to simulate the
-# behavior of lockfile.
-#
-mutex_on()
-{
-    local try
-    try=0
-    local lockf
-    lockf=${LOCKFILE:=${VARDIR}/lock}
-    local lockpid
-
-    MUTEX_TIMEOUT=${MUTEX_TIMEOUT:-60}
-
-    if [ $MUTEX_TIMEOUT -gt 0 ]; then
-
-	[ -d ${VARDIR} ] || mkdir -p ${VARDIR}
-
-	if [ -f $lockf ]; then
-	    lockpid=`cat ${lockf} 2> /dev/null`
-	    if [ -z "$lockpid" -o $lockpid = 0 ]; then
-		rm -f ${lockf}
-		error_message "WARNING: Stale lockfile ${lockf} removed"
-	    elif [ $lockpid -eq $$ ]; then
-                return 0
-	    elif ! qt ps p ${lockpid}; then
-		rm -f ${lockf}
-		error_message "WARNING: Stale lockfile ${lockf} from pid ${lockpid} removed"
-	    fi
-	fi
-
-	if qt mywhich lockfile; then
-	    lockfile -${MUTEX_TIMEOUT} -r1 ${lockf}
-	    chmod u+w ${lockf}
-	    echo $$ > ${lockf}
-	    chmod u-w ${lockf}
-	else
-	    while [ -f ${lockf} -a ${try} -lt ${MUTEX_TIMEOUT} ] ; do
-		sleep 1
-		try=$((${try} + 1))
-	    done
-
-	    if  [ ${try} -lt ${MUTEX_TIMEOUT} ] ; then
-	        # Create the lockfile
-		echo $$ > ${lockf}
-	    else
-		echo "Giving up on lock file ${lockf}" >&2
-	    fi
-	fi
-    fi
-}
-
-#
-# Call this function to release mutual exclusion
-#
-mutex_off()
-{
-    rm -f ${LOCKFILE:=${VARDIR}/lock}
-}
-
--- a/Shorewall-init/ifupdown.sh
+++ b/Shorewall-init/ifupdown.sh
@@ -106,11 +106,15 @@ if [ -f /etc/debian_version ]; then
 	    else
 		exit 0
 	    fi
+
+	    case "$PHASE" in
+		pre-*)
+		    exit 0
+		    ;;
+	    esac
 	    ;;
    esac
 elif [ -f /etc/SuSE-release ]; then
-    PHASE=''
-
    case $0 in
 	/etc/ppp*)
 	    #
@@ -142,8 +146,6 @@ else
    #
    # Assume RedHat/Fedora/CentOS/Foobar/...
    #
-    PHASE=''
-
    case $0 in
 	/etc/ppp*)
 	    INTERFACE="$1"
@@ -184,12 +186,20 @@ else
    esac
 fi

-[ -n "$LOGFILE" ] || LOGFILE=/dev/null
-
 for PRODUCT in $PRODUCTS; do
+    #
+    # For backward compatibility, lib.base appends the product name to VARDIR
+    # Save it here and restore it below
+    #
+    save_vardir=${VARDIR}
    if [ -x $VARDIR/$PRODUCT/firewall ]; then
-	  ( ${VARDIR}/$PRODUCT/firewall -V0 $COMMAND $INTERFACE >> $LOGFILE 2>&1 ) || true
+	  ( . ${SHAREDIR}/shorewall/lib.base
+	    mutex_on
+	    ${VARDIR}/firewall -V0 $COMMAND $INTERFACE || echo_notdone
+	    mutex_off
+	  )
    fi
+    VARDIR=${save_vardir}
 done

 exit 0
--- a/Shorewall-init/install.sh
+++ b/Shorewall-init/install.sh
@@ -260,11 +260,6 @@ else
    first_install="Yes"
 fi

-if [ -n "$DESTDIR" ]; then
-    mkdir -p ${DESTDIR}${CONFDIR}/logrotate.d
-    chmod 755 ${DESTDIR}${CONFDIR}/logrotate.d
-fi
-
 #
 # Install the Firewall Script
 #
@@ -300,14 +295,6 @@ fi
 mkdir -p ${DESTDIR}/usr/share/shorewall-init
 chmod 755 ${DESTDIR}/usr/share/shorewall-init

-#
-# Install logrotate file
-#
-if [ -d ${DESTDIR}${CONFDIR}/logrotate.d ]; then
-    run_install $OWNERSHIP -m 0644 logrotate ${DESTDIR}${CONFDIR}/logrotate.d/$PRODUCT
-    echo "Logrotate file installed as ${DESTDIR}${CONFDIR}/logrotate.d/$PRODUCT"
-fi
-
 #
 # Create the version file
 #
@@ -325,7 +312,7 @@ fi
 if [ $HOST = debian ]; then
    if [ -n "${DESTDIR}" ]; then
 	mkdir -p ${DESTDIR}/etc/network/if-up.d/
-	mkdir -p ${DESTDIR}/etc/network/if-down.d/
+	mkdir -p ${DESTDIR}/etc/network/if-post-down.d/
    fi

    if [ ! -f ${DESTDIR}/etc/default/shorewall-init ]; then
@@ -360,7 +347,7 @@ fi

 cp ifupdown.sh ifupdown

-[ "${SHAREDIR}" = /usr/share ] || eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ifupdown
+d[ "${SHAREDIR}" = /usr/share ] || eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ifupdown

 mkdir -p ${DESTDIR}${LIBEXECDIR}/shorewall-init

@@ -373,7 +360,6 @@ fi
 case $HOST in
    debian)
 	install_file ifupdown ${DESTDIR}/etc/network/if-up.d/shorewall 0544
-	install_file ifupdown ${DESTDIR}/etc/network/if-down.d/shorewall 0544
 	install_file ifupdown ${DESTDIR}/etc/network/if-post-down.d/shorewall 0544
 	;;
    suse)
@@ -396,12 +382,12 @@ if [ -z "$DESTDIR" ]; then
    if [ -n "$first_install" ]; then
 	if [ $HOST = debian ]; then
 	    
-	    update-rc.d shorewall-init enable
+	    update-rc.d shorewall-init defaults

 	    echo "Shorewall Init will start automatically at boot"
 	else
 	    if [ -n "$SYSTEMD" ]; then
-		if systemctl enable shorewall-init.service; then
+		if systemctl enable shorewall-init; then
 		    echo "Shorewall Init will start automatically at boot"
 		fi
 	    elif [ -x ${SBINDIR}/insserv -o -x /usr${SBINDIR}/insserv ]; then
--- a/Shorewall-init/logrotate
+++ b/Shorewall-init/logrotate
@@ -1,5 +0,0 @@
-/var/log/shorewall-ifupdown.log {
-  missingok
-  notifempty
-  create 0600 root root
-}
--- a/Shorewall-init/sysconfig
+++ b/Shorewall-init/sysconfig
@@ -16,8 +16,3 @@ IFUPDOWN=0
 # during 'start' and will save them there during 'stop'.
 #
 SAVE_IPSETS=""
-#
-# Where Up/Down events get logged
-#
-LOGFILE=/var/log/shorewall-ifupdown.log
-
--- a/Shorewall-lite/install.sh
+++ b/Shorewall-lite/install.sh
@@ -403,7 +403,6 @@ echo "Common functions linked through ${DESTDIR}${SHAREDIR}/$PRODUCT/functions"
 #

 install_file shorecap ${DESTDIR}${LIBEXECDIR}/$PRODUCT/shorecap 0755
-[ $SHAREDIR = /usr/share ] || eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}/${LIBEXECDIR}/$PRODUCT/shorecap

 echo
 echo "Capability file builder installed in ${DESTDIR}${LIBEXECDIR}/$PRODUCT/shorecap"
@@ -499,7 +498,7 @@ if [ -z "$DESTDIR" -a -n "$first_install" -a -z "${cygwin}${mac}" ]; then
 	perl -p -w -i -e 's/^STARTUP_ENABLED=No/STARTUP_ENABLED=Yes/;s/^IP_FORWARDING=On/IP_FORWARDING=Keep/;s/^SUBSYSLOCK=.*/SUBSYSLOCK=/;' ${CONFDIR}/${PRODUCT}/${PRODUCT}.conf
 	update-rc.d $PRODUCT enable defaults
    elif [ -n "$SYSTEMD" ]; then
-	if systemctl enable ${PRODUCT}.service; then
+	if systemctl enable $PRODUCT; then
 	    echo "$Product will start automatically at boot"
 	fi
    elif mywhich insserv; then
--- a/Shorewall-lite/shorecap
+++ b/Shorewall-lite/shorecap
@@ -45,22 +45,17 @@
 #    used during firewall compilation, then the generated firewall program will likewise not
 #    require Shorewall to be installed.

-
+SHAREDIR=/usr/share/shorewall-lite
+VARDIR=/var/lib/shorewall-lite
+CONFDIR=/etc/shorewall-lite
 g_program=shorewall-lite
+g_product="Shorewall Lite"
+g_family=4
+g_base=shorewall
+g_basedir=/usr/share/shorewall-lite

-#
-# This is modified by the installer when ${SHAREDIR} != /usr/share
-#
-. /usr/share/shorewall/shorewallrc
-
-g_libexec="$LIBEXECDIR"
-g_sharedir="$SHAREDIR"/shorewall-lite
-g_sbindir="$SBINDIR"
-g_vardir="$VARDIR"
-g_confdir="$CONFDIR"/shorewall-lite
-g_readrc=1
-
-. ${SHAREDIR}/shorewall/lib.cli
+. /usr/share/shorewall-lite/lib.base
+. /usr/share/shorewall/lib.cli
 . /usr/share/shorewall-lite/configpath

 [ -n "$PATH" ] || PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
--- a/Shorewall/Macros/macro.MSSQL
+++ b/Shorewall/Macros/macro.MSSQL
@@ -1,11 +0,0 @@
-#
-# Shorewall version 4 - MSSQL Macro
-#
-# /usr/share/shorewall/macro.MSSQL
-#
-#	This macro handles MSSQL (Microsoft SQL Server)
-#
-###############################################################################
-#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
-#				PORT(S)	PORT(S)	LIMIT	GROUP
-PARAM	-	-	tcp	1433
--- a/Shorewall/Macros/macro.mDNS
+++ b/Shorewall/Macros/macro.mDNS
@@ -1,11 +1,9 @@
 #
-# Shorewall version 4 - Multicast DNS Macro -- this macro assumes that only
-#                       the DEST zone sends mDNS queries. If both zones send
-#                       queries, use the mDNSbi macro.
+# Shorewall version 4 - Multicast DNS Macro
 #
 # /usr/share/shorewall/macro.mDNS
 #
-#	This macro handles multicast DNS traffic
+#	This macro handles multicast DNS traffic.
 #
 ###############################################################################
 #ACTION	SOURCE	DEST			PROTO	DEST	SOURCE	RATE	USER/
--- a/Shorewall/Macros/macro.mDNSbi
+++ b/Shorewall/Macros/macro.mDNSbi
@@ -1,16 +0,0 @@
-#
-# Shorewall version 4 - Bi-directional Multicast DNS Macro.
-#
-# /usr/share/shorewall/macro.mDNSbi
-#
-#	This macro handles multicast DNS traffic
-#
-###############################################################################
-#ACTION	SOURCE	DEST			PROTO	DEST	SOURCE	RATE	USER/
-#						PORT(S)	PORT(S)	LIMIT	GROUP
-PARAM	-	224.0.0.251		udp	5353
-PARAM	-	-			udp	32768:	5353
-PARAM	-	224.0.0.251		2
-PARAM	DEST	SOURCE:224.0.0.251	udp	5353
-PARAM	DEST	SOURCE			udp	32768:	5353
-PARAM	DEST	SOURCE:224.0.0.251	2
--- a/Shorewall/Perl/Shorewall/Accounting.pm
+++ b/Shorewall/Perl/Shorewall/Accounting.pm
@@ -46,7 +46,6 @@ my $jumpchainref;
 my %accountingjumps;
 my $asection;
 my $defaultchain;
-my $ipsecdir;
 my $defaultrestriction;
 my $restriction;
 my $accounting_commands = { COMMENT => 0, SECTION => 2 };
@@ -93,7 +92,6 @@ sub initialize() {
    # These are the legacy values
    #
    $defaultchain       = 'accounting';
-    $ipsecdir           = '';
    $defaultrestriction = NO_RESTRICT;
    $sectionname        = '';
 }
@@ -113,25 +111,20 @@ sub process_section ($) {

    if ( $sectionname eq 'INPUT' ) {
 	$defaultchain = 'accountin';
-	$ipsecdir     = 'in';
 	$defaultrestriction = INPUT_RESTRICT;
    } elsif ( $sectionname eq 'OUTPUT' ) {
 	$defaultchain = 'accountout';
-	$ipsecdir     = 'out';
 	$defaultrestriction = OUTPUT_RESTRICT;
    } elsif ( $sectionname eq 'FORWARD' ) {
 	$defaultchain = 'accountfwd';
-	$ipsecdir     = '';
 	$defaultrestriction = NO_RESTRICT;
     } else {
 	 fatal_error "The $sectionname SECTION is not allowed when ACCOUNTING_TABLE=filter" unless $acctable eq 'mangle';
 	 if ( $sectionname eq 'PREROUTING' ) {
 	     $defaultchain = 'accountpre';
-	     $ipsecdir     = 'in';
 	     $defaultrestriction = PREROUTE_RESTRICT;
 	 } else {
 	     $defaultchain = 'accountpost';
-	     $ipsecdir     = 'out';
 	     $defaultrestriction = POSTROUTE_RESTRICT;
 	 }
     }
@@ -292,21 +285,7 @@ sub process_accounting_rule( ) {
    }

    my $chainref = $chain_table{$config{ACCOUNTING_TABLE}}{$chain};
-    my $dir = $ipsecdir;
-
-    if ( $asection && $ipsec ne '-' ) {
-	if ( $ipsecdir ) {
-	    fatal_error "Invalid IPSEC ($ipsec)" if $ipsec =~ /^(?:in|out)\b/;
-	} else {
-	    if ( $ipsec =~ s/^(?:(in|out)\b)// ) {
-		$dir = $1;
-	    } else {
-		fatal_error q(IPSEC rules in the $asection section require that the value begin with 'in' or 'out');
-	    }
-	}
-
-	$rule .= do_ipsec( $dir, $ipsec );
-    }
+    my $dir;

    if ( ! $chainref ) {
 	if ( reserved_chain_name( $chain ) ) {
@@ -318,32 +297,28 @@ sub process_accounting_rule( ) {
 	    $chainref = ensure_accounting_chain $chain, 0 , $restriction;
 	}

-	unless ( $asection ) {
-	    $dir = ipsec_chain_name( $chain );
+	$dir      = ipsec_chain_name( $chain );

-	    if ( $ipsec ne '-' ) {
-		if ( $dir ) {
-		    $rule .= do_ipsec( $dir, $ipsec );
-		    $chainref->{ipsec} = $dir;
-		} else {
-		    fatal_error "Adding an IPSEC rule to an unreferenced accounting chain is not allowed";
-		}
-	    } else {
-		warning_message "Adding rule to unreferenced accounting chain $chain" unless reserved_chain_name( $chain );
+	if ( $ipsec ne '-' ) {
+	    if ( $dir ) {
+		$rule .= do_ipsec( $dir, $ipsec );
 		$chainref->{ipsec} = $dir;
+	    } else {
+		fatal_error "Adding an IPSEC rule to an unreferenced accounting chain is not allowed";
 	    }
+	} else {
+	    warning_message "Adding rule to unreferenced accounting chain $chain" unless reserved_chain_name( $chain );
+	    $chainref->{ipsec} = $dir;
 	}
    } else {
 	fatal_error "$chain is not an accounting chain" unless $chainref->{accounting};

-	unless ( $asection ) {
-	    if ( $ipsec ne '-' ) {
-		$dir = $chainref->{ipsec};
-		fatal_error "Adding an IPSEC rule into a non-IPSEC chain is not allowed" unless $dir;
-		$rule .= do_ipsec( $dir , $ipsec );
-	    } elsif ( $asection ) {
-		$restriction |= $chainref->{restriction};
-	    }
+	if ( $ipsec ne '-' ) {
+	    $dir = $chainref->{ipsec};
+	    fatal_error "Adding an IPSEC rule into a non-IPSEC chain is not allowed" unless $dir;
+	    $rule .= do_ipsec( $dir , $ipsec );
+	} elsif ( $asection ) {
+	    $restriction |= $chainref->{restriction};
 	}
    }

@@ -391,6 +366,7 @@ sub process_accounting_rule( ) {
 	} else {
 	    $jumpchainref->{ipsec} = $chainref->{ipsec};
 	}
+
    }

    if ( $rule2 ) {
--- a/Shorewall/Perl/Shorewall/Chains.pm
+++ b/Shorewall/Perl/Shorewall/Chains.pm
--- a/Shorewall/Perl/Shorewall/Compiler.pm
+++ b/Shorewall/Perl/Shorewall/Compiler.pm
@@ -812,16 +812,16 @@ sub compiler {

 	optimize_level0;

-	if ( ( my $optimize = $config{OPTIMIZE} ) & 0x1E ) {
+	if ( $config{OPTIMIZE} & 0x1E ) {
 	    progress_message2 'Optimizing Ruleset...';
 	    #
 	    # Optimize Policy Chains
 	    #
-	    optimize_policy_chains if ( $optimize & OPTIMIZE_POLICY_MASK2n4 ) == OPTIMIZE_POLICY_MASK; # Level 2 but not 4
+	    optimize_policy_chains if $config{OPTIMIZE} & 2;
 	    #
 	    # More Optimization
 	    #
-	    optimize_ruleset if $config{OPTIMIZE} & OPTIMIZE_RULESET_MASK;
+	    optimize_ruleset if $config{OPTIMIZE} & 0x1C;
 	}

 	enable_script;
@@ -877,16 +877,16 @@ sub compiler {

 	    optimize_level0;

-	    if ( ( my $optimize = $config{OPTIMIZE} & OPTIMIZE_MASK ) ) {
+	    if ( $config{OPTIMIZE} & OPTIMIZE_MASK ) {
 		progress_message2 'Optimizing Ruleset...';
 		#
 		# Optimize Policy Chains
 		#
-		optimize_policy_chains if ( $optimize & OPTIMIZE_POLICY_MASK2n4 ) == OPTIMIZE_POLICY_MASK; # Level 2 but not 4
+		optimize_policy_chains if $config{OPTIMIZE} & OPTIMIZE_POLICY_MASK;
 		#
 		# Ruleset Optimization
 		#
-		optimize_ruleset if $optimize & OPTIMIZE_RULESET_MASK;
+		optimize_ruleset if $config{OPTIMIZE} & OPTIMIZE_RULESET_MASK;
 	    }

 	    enable_script if $debug;
--- a/Shorewall/Perl/Shorewall/Config.pm
+++ b/Shorewall/Perl/Shorewall/Config.pm
@@ -54,7 +54,6 @@ our @EXPORT = qw(
 		 progress_message3

 		 supplied
-		 split_list

 		 get_action_params
 		 get_action_chain
@@ -307,11 +306,6 @@ my  %capdesc = ( NAT_ENABLED     => 'NAT',
 		 IMQ_TARGET      => 'IMQ Target',
 		 DSCP_MATCH      => 'DSCP Match',
 		 DSCP_TARGET     => 'DSCP Target',
-		 GEOIP_MATCH     => 'GeoIP Match' ,
-		 #
-		 # Constants
-		 #
-		 LOG_OPTIONS     => 'Log Options',
 		 CAPVERSION      => 'Capability Version',
 		 KERNELVERSION   => 'Kernel Version',
 	       );
@@ -395,7 +389,6 @@ our $currentfilename;        # File NAME
 my  $currentlinenumber;      # Line number
 my  $perlscript;             # File Handle Reference to current temporary file being written by an in-line Perl script
 my  $perlscriptname;         # Name of that file.
-my  $embedded;               # True if we're in an embedded perl script
 my  @tempfiles;              # Files that need unlinking at END
 my  $first_entry;            # Message to output or function to call on first non-blank line of a file

@@ -451,12 +444,6 @@ my $omitting;
 my @ifstack;
 my $ifstack;
 #
-# Entries on the ifstack are a 4-tuple:
-#
-#    [0] - Keyword (IF, ELSEIF, ELSE or ENDIF)
-#    [1] - True if the outermost IF evaluated to false
-#    [2] - True if the the last unterminated IF evaluated to false
-#
 # From .shorewallrc
 #
 our %shorewallrc;
@@ -512,7 +499,7 @@ sub initialize( $;$ ) {
    $omitting       = 0;
    $ifstack        = 0;
    @ifstack        = ();
-    $embedded       = 0;
+
    #
    # Misc Globals
    #
@@ -525,8 +512,8 @@ sub initialize( $;$ ) {
 		    KLUDGEFREE => '',
 		    STATEMATCH => '-m state --state',
 		    UNTRACKED  => 0,
-		    VERSION    => "4.5.6",
-		    CAPVERSION => 40504 ,
+		    VERSION    => "4.4.22.1",
+		    CAPVERSION => 40502 ,
 		  );
    #
    # From shorewall.conf file
@@ -569,7 +556,6 @@ sub initialize( $;$ ) {
 	  RESTOREFILE => undef,
 	  IPSECFILE => undef,
 	  LOCKFILE => undef,
-	  GEOIPDIR => undef,
 	  #
 	  # Default Actions/Macros
 	  #
@@ -758,9 +744,7 @@ sub initialize( $;$ ) {
 	       IMQ_TARGET => undef,
 	       DSCP_MATCH => undef,
 	       DSCP_TARGET => undef,
-	       GEOIP_MATCH => undef,
 	       CAPVERSION => undef,
-	       LOG_OPTIONS => 1,
 	       KERNELVERSION => undef,
 	       );
    #
@@ -962,14 +946,8 @@ sub fatal_error	{
    }

    cleanup;
-
-    if ( $embedded ) {
-	confess "@_$currentlineinfo" if $confess;
-	die "@_$currentlineinfo\n";
-    }  else {
-	confess "   ERROR: @_$currentlineinfo" if $confess;
-	die "   ERROR: @_$currentlineinfo\n";
-    }
+    confess "   ERROR: @_$currentlineinfo" if $confess;
+    die "   ERROR: @_$currentlineinfo\n";
 }

 sub fatal_error1 {
@@ -1453,10 +1431,10 @@ sub find_file($)
    "$config_path[0]$filename";
 }

-sub split_list( $$;$ ) {
-    my ($list, $type, $origlist ) = @_;
+sub split_list( $$ ) {
+    my ($list, $type ) = @_;

-    fatal_error( "Invalid $type list (" . ( $origlist ? $origlist : $list ) . ')' ) if $list =~ /^,|,$|,,|!,|,!$/;
+    fatal_error "Invalid $type list ($list)" if $list =~ /^,|,$|,,|!,|,!$/;

    split /,/, $list;
 }
@@ -1657,128 +1635,62 @@ sub close_file() {
 }

 #
-# Process an ?IF, ?ELSIF, ?ELSE or ?END directive
+# Process an ?IF, ?ELSE or ?END directive
 #
 sub have_capability( $ );

-#
-# Report an error from process_conditional()
-#
-sub cond_error( $$$ ) {
-    $currentfilename   = $_[1];
-    $currentlinenumber = $_[2];
-    fatal_error $_[0];
-}
+sub process_conditional( $$$ ) {
+    my ( $omitting, $line, $linenumber ) = @_;

-#
-# Evaluate an expression in an ?IF or ?ELSIF directive
-#
-sub evaluate_expression( $$$ ) {
-    my ( $expression , $filename , $linenumber ) = @_;
-    my $val;
-    my $count = 0;
+    print "CD===> $currentline\n" if $debug;

-    #                         $1      $2   $3      -     $4
-    while ( $expression =~ m( ^(.*?) \$({)? (\w+) (?(2)}) (.*)$ )x ) {
-	my ( $first, $var, $rest ) = ( $1, $3, $4);
+    fatal_error "Invalid compiler directive ($line)" unless $line =~ /^\s*\?(IF\s+|ELSE|ENDIF)(.*)$/;

-	$val = ( exists $ENV{$var}     ? $ENV{$var}    :
-		 exists $params{$var}  ? $params{$var} :
-		 exists $config{$var}  ? $config{$var} :
-		 exists $capdesc{$var} ? have_capability( $var ) : 0 );
-	$val = 0 unless defined $val;
-	$val = "'$val'" unless $val =~ /^-?\d+$/;
-	$expression = join( '', $first, $val || 0, $rest );
-	cond_error( "Variable Expansion Loop" , $filename, $linenumber ) if ++$count > 100;
-    }
+    my ($keyword, $rest) = ( $1, $2 );

-    #                         $1      $2   $3      -     $4
-    while ( $expression =~ m( ^(.*?) __({)? (\w+) (?(2)}) (.*)$ )x ) {
-	my ( $first, $cap, $rest ) = ( $1, $3, $4);
-
-	if ( exists $capdesc{$cap} ) {
-	    $val = have_capability( $cap )
-	} elsif ( $cap =~ /^IPV([46])$/ ) {
-	    $val = ( $family == $1 );
-	} else {
-	    cond_error "Unknown capability ($cap)", $filename, $linenumber;
-	}
-
-	$expression = join( '', $first, $val || 0, $rest );
-    }
-
-    $expression =~ s/^\s*(.+)\s*$/$1/;
-
-    unless ( $expression =~ /^\d+$/ ) {
-	#
-	# Not a simple one-term expression -- compile it
-	#
-	$val = eval qq(package Shorewall::User;\nuse strict;\n# line $linenumber "$filename"\n$expression);
-
-	unless ( $val ) {
-	    cond_error( "Couldn't parse expression: $@" , $filename, $linenumber ) if $@;
-	    cond_error( "Undefined expression" , $filename, $linenumber ) unless defined $val;
-	}
-    }
-
-    $val;
-}
-
-#
-# Each entry in @ifstack consists of a 4-tupple
-#
-# [0] = The keyword (IF,ELSIF or ELSE)
-# [1] = True if we were already omitting at the last IF directive
-# [2] = True if we have included any block of the current IF...ELSEIF....ELSEIF... sequence.
-# [3] = The line number of the directive
-#
-sub process_conditional( $$$$ ) {
-    my ( $omitting, $line, $filename, $linenumber ) = @_;
-
-    print "CD===> $line\n" if $debug;
-
-    cond_error( "Invalid compiler directive ($line)" , $filename, $linenumber ) unless $line =~ /^\s*\?(IF\s+|ELSE|ELSIF\s+|ENDIF)(.*)$/;
-
-    my ($keyword, $expression) = ( $1, $2 );
-
-    if ( supplied $expression ) {
-	$expression =~ s/#.*//;
-	$expression =~ s/\s*$//;
+    if ( supplied $rest ) {
+	$rest =~ s/#.*//;
+	$rest =~ s/\s*$//;
    } else {
-	$expression = '';
+	$rest = '';
    }

-    my ( $lastkeyword, $prioromit, $included, $lastlinenumber ) = @ifstack ? @{$ifstack[-1]} : ('', 0, 0, 0 );
+    my ( $lastkeyword, $prioromit, $lastomit, $lastlinenumber ) = @ifstack ? @{$ifstack[-1]} : ('', 0, 0, 0 );

    if ( $keyword =~ /^IF/ ) {
-	cond_error( "Missing IF expression" , $filename, $linenumber ) unless supplied $expression;
-	my $nextomitting = $omitting || ! evaluate_expression( $expression , $filename, $linenumber );
-	push @ifstack, [ 'IF', $omitting, ! $nextomitting, $linenumber ];
-	$omitting = $nextomitting;
-    } elsif ( $keyword =~ /^ELSIF/ ) {
-	cond_error( "?ELSIF has no matching ?IF" , $filename, $linenumber ) unless @ifstack > $ifstack && $lastkeyword =~ /IF/;
-	cond_error( "Missing IF expression" , $filename, $linenumber ) unless $expression;
-	if ( $omitting && ! $included ) {
-	    #
-	    # We can only change to including if we were previously omitting
-	    #
-	    $omitting = $prioromit || ! evaluate_expression( $expression , $filename, $linenumber );
-	    $included = ! $omitting;
+	fatal_error "Missing IF variable" unless $rest;
+	my $invert = $rest =~ s/^!\s*//;
+
+	fatal_error "Invalid IF variable ($rest)" unless ($rest =~ s/^\$// || $rest =~ /^__/ ) && $rest =~ /^\w+$/;
+
+	push @ifstack, [ 'IF', $lastomit, $omitting, $linenumber ];
+
+	if ( $rest eq '__IPV6' ) {
+	    $omitting = $family == F_IPV4;
+	} elsif ( $rest eq '__IPV4' ) {
+	    $omitting = $family == F_IPV6;
 	} else {
-	    #
-	    # We have already included -- so we don't want to include this part
-	    #
-	    $omitting = 1;
+	    my $cap = $rest;
+
+	    $cap =~ s/^__//;
+
+	    $omitting = ! ( exists $ENV{$rest}    ? $ENV{$rest}    :
+			    exists $params{$rest} ? $params{$rest} :
+			    exists $config{$rest} ? $config{$rest} :
+			    exists $capdesc{$cap} ? have_capability( $cap ) : 0 );
 	}
-	$ifstack[-1] = [ 'ELSIF', $prioromit, $included, $lastlinenumber ];
+
+	$omitting = ! $omitting if $invert;
+
+	$omitting ||= $lastomit; #?IF cannot transition from omitting -> not omitting
    } elsif ( $keyword eq 'ELSE' ) {
-	cond_error( "Invalid ?ELSE" , $filename, $linenumber ) unless $expression eq '';
-	cond_error( "?ELSE has no matching ?IF" , $filename, $linenumber ) unless @ifstack > $ifstack && $lastkeyword =~ /IF/;
-	$omitting = $included || ! $omitting unless $prioromit;
-	$ifstack[-1] = [ 'ELSE', $prioromit, 1, $lastlinenumber ];
+	fatal_error "Invalid ?ELSE" unless $rest eq '';
+	fatal_error "?ELSE has no matching ?IF" unless @ifstack > $ifstack && $lastkeyword eq 'IF';
+	$omitting = ! $omitting unless $lastomit;
+	$ifstack[-1] = [ 'ELSE', $prioromit, $omitting, $lastlinenumber ];
    } else {
-	cond_error( "Invalid ?ENDIF" , $filename, $linenumber ) unless $expression eq '';
-	cond_error( q(Unexpected "?ENDIF" without matching ?IF or ?ELSE) , $filename, $linenumber ) if @ifstack <= $ifstack;
+	fatal_error "Invalid ?ENDIF" unless $rest eq '';
+	fatal_error q(Unexpected "?ENDIF" without matching ?IF or ?ELSE) if @ifstack <= $ifstack;
 	$omitting = $prioromit;
 	pop @ifstack;
    }
@@ -1808,7 +1720,7 @@ sub copy( $ ) {
 	    $lineno++;

 	    if ( /^\s*\?/ ) {
-		$omitting = process_conditional( $omitting, $_, $file, $lineno );
+		$omitting = process_conditional( $omitting, $_, $lineno );
 		next;
 	    }

@@ -1861,7 +1773,7 @@ sub copy1( $ ) {
 		chomp;

 		if ( /^\s*\?/ ) {
-		    $omitting = process_conditional( $omitting, $_, $currentfilename, $currentlinenumber );
+		    $omitting = process_conditional( $omitting, $_, $currentlinenumber );
 		    next;
 		}

@@ -1992,7 +1904,7 @@ EOF
 		chomp;

 		if ( /^\s*\?/ ) {
-		    $omitting = process_conditional( $omitting, $_, $file, $lineno );
+		    $omitting = process_conditional( $omitting, $_, $lineno );
 		    next;
 		}

@@ -2128,7 +2040,7 @@ sub embedded_shell( $ ) {
 	my $last = 0;

 	while ( read_a_line( PLAIN_READ ) ) {
-	    last if $last = $currentline =~ s/^\s*\??END(\s+SHELL)?\s*(?:;\s*)?$//;
+	    last if $last = $currentline =~ s/^\s*END(\s+SHELL)?\s*;?//;
 	    $command .= "$currentline\n";
 	}

@@ -2162,18 +2074,14 @@ sub embedded_perl( $ ) {
 	my $last = 0;

 	while ( read_a_line( PLAIN_READ ) ) {
-	    last if $last = $currentline =~ s/^\s*\??END(\s+PERL)?\s*(?:;\s*)?//;
+	    last if $last = $currentline =~ s/^\s*END(\s+PERL)?\s*;?//;
 	    $command .= "$currentline\n";
 	}

 	fatal_error ( "Missing END PERL" ) unless $last;
 	fatal_error ( "Invalid END PERL directive" ) unless $currentline =~ /^\s*$/;
-    } else {
-	$currentline = '';
    }

-    $embedded++;
-
    unless (my $return = eval $command ) {
 	#
 	# Perl found the script offensive or the script itself died
@@ -2191,8 +2099,6 @@ sub embedded_perl( $ ) {
 	fatal_error "Perl Script Returned False";
    }

-    $embedded--;
-
    if ( $perlscript ) {
 	fatal_error "INCLUDEs nested too deeply" if @includestack >= 4;

@@ -2343,21 +2249,10 @@ sub read_a_line($) {
 	$currentlinenumber = 0;

 	while ( <$currentfile> ) {
-	    chomp;
-	    #
-	    # Handle conditionals
-	    #
-	    if ( /^\s*\?(?:IF|ELSE|ELSIF|ENDIF)/ ) {
-		$omitting = process_conditional( $omitting, $_, $currentfilename, $. );
-		next;
-	    }
-
-	    if ( $omitting ) {
-		print "OMIT=> $_\n" if $debug;
-		next;
-	    }

 	    $currentlinenumber = $. unless $currentlinenumber;
+
+	    chomp;
 	    #
 	    # Suppress leading whitespace in certain continuation lines
 	    #
@@ -2372,16 +2267,31 @@ sub read_a_line($) {
 	    #
 	    chop $currentline, next if ($currentline .= $_) =~ /\\$/;
 	    #
+	    # Handle conditionals
+	    #
+	    if ( $currentline =~ /^\s*\?(?:IF|ELSE|ENDIF)/ ) {
+		$omitting = process_conditional( $omitting, $currentline, $currentlinenumber );
+		$currentline='';
+		next;
+	    }
+
+	    if ( $omitting ) {
+		print "OMIT=> $currentline\n" if $debug;
+		$currentline='';
+		$currentlinenumber = 0;
+		next;
+	    }
+	    #
 	    # Must check for shell/perl before doing variable expansion
 	    #
 	    if ( $options & EMBEDDED_ENABLED ) {
-		if ( $currentline =~ s/^\s*\??(BEGIN\s+)SHELL\s*;?// || $currentline =~ s/^\s*\??SHELL\s*// ) {
+		if ( $currentline =~ s/^\s*(BEGIN\s+)?SHELL\s*;?// ) {
 		    handle_first_entry if $first_entry;
 		    embedded_shell( $1 );
 		    next;
 		}

-		if ( $currentline =~ s/^\s*\??(BEGIN\s+)PERL\s*;?// || $currentline =~ s/^\s*\??PERL\s*// ) {
+		if ( $currentline =~ s/^\s*(BEGIN\s+)?PERL\s*\;?// ) {
 		    handle_first_entry if $first_entry;
 		    embedded_perl( $1 );
 		    next;
@@ -2530,22 +2440,6 @@ sub level_error( $ ) {
    fatal_error "Invalid log level ($_[0])";
 }

-my %logoptions = ( tcp_sequence         => '--log-tcp-sequence',
-		   ip_options           => '--log-ip-options',
-		   tcp_options          => '--log-tcp-options',
-		   uid                  => '--log-uid',
-		   macdecode            => '--log-macdecode',
-		   #
-		   # Because a level can pass through validate_level() more than once,
-		   # the full option names are also included here.
-		   #
-		   '--log-tcp-sequence' => '--log-tcp-sequence',
-		   '--log-ip-options'   => '--log-ip-options',
-		   '--log-tcp-options'  => '--log-tcp-options',
-		   '--log-uid'          => '--log-uid',
-		   '--log-macdecode'    => '--log-macdecode',
-		 );
-
 sub validate_level( $ ) {
    my $rawlevel = $_[0];
    my $level    = uc $rawlevel;
@@ -2556,44 +2450,17 @@ sub validate_level( $ ) {
 	my $qualifier;

 	unless ( $value =~ /^[0-7]$/ ) {
-	    } if ( $value =~ /^([0-7])(.*)$/ ) {
-		$value = $1;
-		$qualifier = $2;
-	    } elsif ( $value =~ /^([A-Za-z0-7]+)(.*)$/ ) {
-	        level_error( $level) unless defined( $value = $validlevels{$1} );
-		$qualifier = $2;
+	    level_error( $level ) unless $level =~ /^([A-Za-z0-7]+)(.*)$/ && defined( $value = $validlevels{$1} );
+	    $qualifier = $2;
 	}

 	if ( $value =~ /^[0-7]$/ ) {
 	    #
 	    # Syslog Level
 	    #
-	    if ( supplied $qualifier ) {
-		my $options = '';
-		my %options;
-
-		level_error ( $rawlevel ) unless $qualifier =~ /^\((.*)\)$/;
-
-		for ( split_list lc $1, "log options" ) {
-		    my $option = $logoptions{$_};
-		    fatal_error "Unknown LOG option ($_)" unless $option;
-
-		    unless ( $options{$option} ) {
-			if ( $options ) {
-			    $options = join( ',', $options, $option );
-			} else {
-			    $options = $option;
-			}
-
-			$options{$option} = 1;
-		    }
-		}
-
-		$value .= "($options)" if $options;
-	    }
+	    level_error( $rawlevel ) if supplied $qualifier;

 	    require_capability ( 'LOG_TARGET' , "Log level $level", 's' );
-
 	    return $value;
 	}

@@ -3208,10 +3075,6 @@ sub Dscp_Target() {
    have_capability 'MANGLE_ENABLED' && qt1( "$iptables -t mangle -A $sillyname -j DSCP --set-dscp 0" );
 }

-sub GeoIP_Match() {
-    qt1( "$iptables -A $sillyname -m geoip --src-cc US" );
-}
-
 our %detect_capability =
    ( ACCOUNT_TARGET =>\&Account_Target,
      AUDIT_TARGET => \&Audit_Target,
@@ -3231,7 +3094,6 @@ our %detect_capability =
      EXMARK => \&Exmark,
      FLOW_FILTER => \&Flow_Filter,
      FWMARK_RT_MASK => \&Fwmark_Rt_Mask,
-      GEOIP_MATCH => \&GeoIP_Match,
      GOTO_TARGET => \&Goto_Target,
      HASHLIMIT_MATCH => \&Hashlimit_Match,
      HEADER_MATCH => \&Header_Match,
@@ -3409,7 +3271,7 @@ sub determine_capabilities() {
 	$capabilities{IMQ_TARGET}      = detect_capability( 'IMQ_TARGET' );
 	$capabilities{DSCP_MATCH}      = detect_capability( 'DSCP_MATCH' );
 	$capabilities{DSCP_TARGET}     = detect_capability( 'DSCP_TARGET' );
-	$capabilities{GEOIP_MATCH}     = detect_capability( 'GEOIP_MATCH' );
+

 	qt1( "$iptables -F $sillyname" );
 	qt1( "$iptables -X $sillyname" );
@@ -3523,10 +3385,10 @@ sub update_config_file( $ ) {
    #
    # Establish default values for the mark layout items
    #
-    $config{TC_BITS}         = ( $wide ? 14 : 8 )             unless defined $config{TC_BITS};
-    $config{MASK_BITS}       = ( $wide ? 16 : 8 )             unless defined $config{MASK_BITS};
-    $config{PROVIDER_OFFSET} = ( $high ? $wide ? 16 : 8 : 0 ) unless defined $config{PROVIDER_OFFSET};
-    $config{PROVIDER_BITS}   = 8                              unless defined $config{PROVIDER_BITS};
+    $config{TC_BITS}         = ( $wide ? 14 : 8 )             unless supplied $config{TC_BITS};
+    $config{MASK_BITS}       = ( $wide ? 16 : 8 )             unless supplied $config{MASK_BITS};
+    $config{PROVIDER_OFFSET} = ( $high ? $wide ? 16 : 8 : 0 ) unless supplied $config{PROVIDER_OFFSET};
+    $config{PROVIDER_BITS}   = 8                              unless supplied $config{PROVIDER_BITS};

    my $fn;

@@ -4014,13 +3876,6 @@ sub get_configuration( $$$ ) {

    $globals{STATEMATCH} = '-m conntrack --ctstate' if have_capability 'CONNTRACK_MATCH';

-    #
-    # The following is not documented as it is not likely useful to the user base in general 
-    # Going forward, it allows me to create a configuration that will work on multiple
-    # Shorewall versions.        TME
-    #
-    $config{VERSION} = sprintf "%d%02d%02d", $1, $2, $3 if $globals{VERSION} =~ /^(\d+)\.(\d+)\.(\d+)/;
-
    if ( my $rate = $config{LOGLIMIT} ) {
 	my $limit;

@@ -4239,10 +4094,9 @@ sub get_configuration( $$$ ) {
 	$globals{ZONE_OFFSET}     = $config{PROVIDER_BITS};
    }

-    fatal_error 'Invalid Packet Mark layout' if $config{ZONE_BITS} + $globals{ZONE_OFFSET} > 30;
+    fatal_error 'Invalid Packet Mark layout' if $config{ZONE_BITS} + $globals{ZONE_OFFSET} > 31;

    $globals{EXCLUSION_MASK} = 1 << ( $globals{ZONE_OFFSET} + $config{ZONE_BITS} );
-    $globals{TPROXY_MARK}    = $globals{EXCLUSION_MASK} << 1;
    $globals{PROVIDER_MIN}   = 1 << $config{PROVIDER_OFFSET};

    $globals{TC_MAX}         = make_mask( $config{TC_BITS} );
@@ -4256,10 +4110,10 @@ sub get_configuration( $$$ ) {
    }

    if ( ( my $userbits = $config{PROVIDER_OFFSET} - $config{TC_BITS} ) > 0 ) {
+
 	$globals{USER_MASK} = make_mask( $userbits ) << $config{TC_BITS};
-	$globals{USER_BITS} = $userbits;
    } else {
-	$globals{USER_MASK} = $globals{USER_BITS} = 0;
+	$globals{USER_MASK} = 0;
    }

    if ( supplied ( $val = $config{ZONE2ZONE} ) ) {
@@ -4677,7 +4531,7 @@ sub dump_mark_layout() {
 	     $globals{TC_MASK} );

    dumpout( "User",
-	     $globals{USER_BITS},
+	     $globals{USER_MASK},
 	     $globals{TC_MAX} + 1,
 	     $globals{USER_MASK},
 	     $globals{USER_MASK} );
@@ -4699,12 +4553,6 @@ sub dump_mark_layout() {
 	     $globals{EXCLUSION_MASK},
 	     $globals{EXCLUSION_MASK},
 	     $globals{EXCLUSION_MASK} );
-
-    dumpout( "TProxy",
-	     1,
-	     $globals{TPROXY_MARK},
-	     $globals{TPROXY_MARK},
-	     $globals{TPROXY_MARK} );
 }

 END {
--- a/Shorewall/Perl/Shorewall/Misc.pm
+++ b/Shorewall/Perl/Shorewall/Misc.pm
--- a/Shorewall/Perl/Shorewall/Nat.pm
+++ b/Shorewall/Perl/Shorewall/Nat.pm
@@ -35,11 +35,7 @@ use strict;

 our @ISA = qw(Exporter);
 our @EXPORT = qw( setup_masq setup_nat setup_netmap add_addresses );
-our %EXPORT_TAGS = ( rules => [ qw ( handle_nat_rule handle_nonat_rule ) ] );
 our @EXPORT_OK = ();
-
-Exporter::export_ok_tags('rules');
-
 our $VERSION = 'MODULEVERSION';

 my @addresses_to_add;
@@ -58,8 +54,8 @@ sub initialize() {
 #
 sub process_one_masq( )
 {
-    my ($interfacelist, $networks, $addresses, $proto, $ports, $ipsec, $mark, $user, $condition, $origdest ) =
-	split_line1 'masq file', { interface => 0, source => 1, address => 2, proto => 3, port => 4, ipsec => 5, mark => 6, user => 7, switch => 8, origdest => 9 };
+    my ($interfacelist, $networks, $addresses, $proto, $ports, $ipsec, $mark, $user, $condition ) =
+	split_line1 'masq file', { interface => 0, source => 1, address => 2, proto => 3, port => 4, ipsec => 5, mark => 6, user => 7, switch => 8 };

    if ( $interfacelist eq 'COMMENT' ) {
 	process_comment;
@@ -237,7 +233,7 @@ sub process_one_masq( )
 		     $baserule . $rule ,
 		     $networks ,
 		     $destnets ,
-		     $origdest ,
+		     '' ,
 		     $target ,
 		     '' ,
 		     '' ,
@@ -518,227 +514,6 @@ sub setup_netmap() {

 }

-#
-# Called from process_rule1 to add a rule to the NAT table
-#
-sub handle_nat_rule( $$$$$$$$$$$$ ) {
-    my ( $dest,           # <server>[:port]
-	 $proto,          # Protocol
-	 $ports,          # Destination port list
-	 $origdest,       # Original Destination
-	 $action_target,  # If the target is an action, the name of the log action chain to jump to
-	 $action,         # The Action
-	 $sourceref,      # Reference to the Source Zone's table entry in the Zones module
-	 $action_chain,   # Name of the action chain if the rule is in an action
-	 $rule,           # Matches 
-	 $source,         # Source Address
-	 $loglevel,       # [<level>[:<tag>]]
-	 $log_action,     # Action name to include in the log message
-       ) = @_;
-
-    my ( $server, $serverport , $origdstports ) = ( '', '', '' );
-    my $randomize = $dest =~ s/:random$// ? ' --random' : '';
-
-    #
-    # Isolate server port
-    #
-    if ( $dest =~ /^(.*)(?::(.+))$/ ) {
-	#
-	# Server IP and Port
-	#
-	$server = $1;      # May be empty
-	$serverport = $2;  # Not Empty due to RE
-
-	$origdstports = validate_port( $proto, $ports )	if $ports && $ports ne '-' && port_count( $ports ) == 1;
-
-	if ( $serverport =~ /^(\d+)-(\d+)$/ ) {
-	    #
-	    # Server Port Range
-	    #
-	    fatal_error "Invalid port range ($serverport)" unless $1 < $2;
-	    my @ports = ( $1, $2 );
-	    $_ = validate_port( proto_name( $proto ), $_) for ( @ports );
-	    ( $ports = $serverport ) =~ tr/-/:/;
-	} else {
-	    $serverport = $ports = validate_port( proto_name( $proto ), $serverport );
-	}
-    } elsif ( $dest ne ':' ) {
-	#
-	# Simple server IP address (may be empty or "-")
-	#
-	$server = $dest;
-    }
-    #
-    # Generate the target
-    #
-    my $target = '';
-
-    if ( $action eq 'REDIRECT' ) {
-	fatal_error "A server IP address ($server) may not be specified in a REDIRECT rule" if $server;
-	$target  = 'REDIRECT';
-	$target .= " --to-port $serverport" if $serverport;
-	if ( $origdest eq '' || $origdest eq '-' ) {
-	    $origdest = ALLIP;
-	} elsif ( $origdest eq 'detect' ) {
-	    fatal_error 'ORIGINAL DEST "detect" is invalid in an action' if $action_chain;
-
-	    if ( $config{DETECT_DNAT_IPADDRS} ) {
-		my $interfacesref = $sourceref->{interfaces};
-		my @interfaces = keys %$interfacesref;
-		$origdest = @interfaces ? "detect:@interfaces" : ALLIP;
-	    } else {
-		$origdest = ALLIP;
-	    }
-	}
-    } elsif ( $action_target ) {
-	fatal_error "A server port ($serverport) is not allowed in $action rule" if $serverport;
-	$target = $action_target;
-    } else {
-	if ( $server eq '' ) {
-	    fatal_error "A server and/or port must be specified in the DEST column in $action rules" unless $serverport;
-	} elsif ( $server =~ /^(.+)-(.+)$/ ) {
-	    validate_range( $1, $2 );
-	} else {
-	    unless ( $server eq ALLIP ) {
-		my @servers = validate_address $server, 1;
-		$server = join ',', @servers;
-	    }
-	}
-
-	if ( $action eq 'DNAT' ) {
-	    $target = $action;
-	    if ( $server ) {
-		$serverport = ":$serverport" if $serverport;
-		for my $serv ( split /,/, $server ) {
-		    $target .= " --to-destination ${serv}${serverport}";
-		}
-	    } else {
-		$target .= " --to-destination :$serverport";
-	    }
-	}
-
-	unless ( $origdest && $origdest ne '-' && $origdest ne 'detect' ) {
-	    if ( ! $action_chain && $config{DETECT_DNAT_IPADDRS} ) {
-		my $interfacesref = $sourceref->{interfaces};
-		my @interfaces = keys %$interfacesref;
-		$origdest = @interfaces ? "detect:@interfaces" : ALLIP;
-	    } else {
-		$origdest = ALLIP;
-	    }
-	}
-    }
-
-    $target .= $randomize;
-    #
-    # And generate the nat table rule(s)
-    #
-    my $firewallsource = $sourceref && ( $sourceref->{type} & ( FIREWALL | VSERVER ) );
-
-    expand_rule ( ensure_chain ('nat' ,
-				( $action_chain   ? $action_chain :
-				  $firewallsource ? 'OUTPUT' :
-				  dnat_chain $sourceref->{name} ) ) ,
-		  $firewallsource ? OUTPUT_RESTRICT : PREROUTE_RESTRICT ,
-		  $rule ,
-		  $source ,
-		  $origdest ,
-		  '' ,
-		  $target ,
-		  $loglevel ,
-		  $log_action ,
-		  $serverport ? do_proto( $proto, '', '' ) : '',
-		);
-
-    ( $ports, $origdstports, $server );
-}
-
-#
-# Called from process_rule1() to handle the nat table part of the NONAT and ACCEPT+ actions
-#
-sub handle_nonat_rule( $$$$$$$$$$ ) {
-    my ( $action, $source, $dest, $origdest, $sourceref, $inaction, $chain, $loglevel, $log_action, $rule ) = @_;
-
-    my $sourcezone = $sourceref->{name};
-    #
-    # NONAT or ACCEPT+ may not specify a destination interface
-    #
-    fatal_error "Invalid DEST ($dest) in $action rule" if $dest =~ /:/;
-
-    $origdest = '' unless $origdest and $origdest ne '-';
-
-    if ( $origdest eq 'detect' ) {
-	my $interfacesref = $sourceref->{interfaces};
-	my $interfaces = [ ( keys %$interfacesref ) ];
-	$origdest = $interfaces ? "detect:@$interfaces" : ALLIP;
-    }
-
-    my $tgt = 'RETURN';
-
-    my $nonat_chain;
-
-    my $chn;
-
-    if ( $inaction ) {
-	$nonat_chain = ensure_chain( 'nat', $chain );
-    } elsif ( $sourceref->{type} == FIREWALL ) {
-	$nonat_chain = $nat_table->{OUTPUT};
-    } else {
-	$nonat_chain = ensure_chain( 'nat', dnat_chain( $sourcezone ) );
-
-	my @interfaces = keys %{zone_interfaces $sourcezone};
-
-	for ( @interfaces ) {
-	    my $ichain = input_chain $_;
-
-	    if ( $nat_table->{$ichain} ) {
-		#
-		# Static NAT is defined on this interface
-		#
-		$chn = new_chain( 'nat', newnonatchain ) unless $chn;
-		add_ijump $chn, j => $nat_table->{$ichain}, @interfaces > 1 ? imatch_source_dev( $_ )  : ();
-	    }
-	}
-
-	if ( $chn ) {
-	    #
-	    # Call expand_rule() to correctly handle logging. Because
-	    # the 'logname' argument is passed, expand_rule() will
-	    # not create a separate logging chain but will rather emit
-	    # any logging rule in-line.
-	    #
-	    expand_rule( $chn,
-			 PREROUTE_RESTRICT,
-			 '', # Rule
-			 '', # Source
-			 '', # Dest
-			 '', # Original dest
-			 'ACCEPT',
-			 $loglevel,
-			 $log_action,
-			 '',
-			 dnat_chain( $sourcezone  ) );
-	    $loglevel = '';
-	    $tgt = $chn->{name};
-	} else {
-	    $tgt = 'ACCEPT';
-	}
-    }
-
-    set_optflags( $nonat_chain, DONT_MOVE | DONT_OPTIMIZE ) if $tgt eq 'RETURN';
-
-    expand_rule( $nonat_chain ,
-		 PREROUTE_RESTRICT ,
-		 $rule ,
-		 $source ,
-		 $dest ,
-		 $origdest ,
-		 $tgt,
-		 $loglevel ,
-		 $log_action ,
-		 '',
-	       );
-}
-
 sub add_addresses () {
    if ( @addresses_to_add ) {
 	my @addrs = @addresses_to_add;
--- a/Shorewall/Perl/Shorewall/Providers.pm
+++ b/Shorewall/Perl/Shorewall/Providers.pm
@@ -39,9 +39,7 @@ our @EXPORT = qw( process_providers
 		  @routemarked_interfaces
 		  handle_stickiness
 		  handle_optional_interfaces
-		  compile_updown
 		  setup_load_distribution
-		  have_providers
 	       );
 our @EXPORT_OK = qw( initialize lookup_provider );
 our $VERSION = '4.4_24';
@@ -62,11 +60,9 @@ my  @load_interfaces;

 my $balancing;
 my $fallback;
-my $metrics;
 my $first_default_route;
 my $first_fallback_route;
 my $maxload;
-my $tproxies;

 my %providers;

@@ -99,11 +95,9 @@ sub initialize( $ ) {
    @load_interfaces        = ();
    $balancing              = 0;
    $fallback               = 0;
-    $metrics                = 0;
    $first_default_route    = 1;
    $first_fallback_route   = 1;
    $maxload                = 0;
-    $tproxies               = 0;

    %providers  = ( local   => { number => LOCAL_TABLE   , mark => 0 , optional => 0 ,routes => [], rules => [] } ,
 		    main    => { number => MAIN_TABLE    , mark => 0 , optional => 0 ,routes => [], rules => [] } ,
@@ -402,8 +396,8 @@ sub process_a_provider() {
 	$gateway = '';
    }

-    my ( $loose, $track,                   $balance , $default, $default_balance,                $optional,                           $mtu, $tproxy , $local, $load ) =
-	(0,      $config{TRACK_PROVIDERS}, 0 ,        0,        $config{USE_DEFAULT_RT} ? 1 : 0, interface_is_optional( $interface ), ''  , 0       , 0,      0 );
+    my ( $loose, $track,                   $balance , $default, $default_balance,                $optional,                           $mtu, $local , $load ) =
+	(0,      $config{TRACK_PROVIDERS}, 0 ,        0,        $config{USE_DEFAULT_RT} ? 1 : 0, interface_is_optional( $interface ), ''  , 0      , 0 );

    unless ( $options eq '-' ) {
 	for my $option ( split_list $options, 'option' ) {
@@ -441,14 +435,9 @@ sub process_a_provider() {
 		$default = -1;
 		$default_balance = 0;
 	    } elsif ( $option eq 'local' ) {
-		warning_message q(The 'local' provider option is deprecated in favor of 'tproxy');
-		$local = $tproxy = 1;
-		$track  = 0           if $config{TRACK_PROVIDERS};
-		$default_balance = 0  if $config{USE_DEFAULT_RT};
-	    } elsif ( $option eq 'tproxy' ) {
-		$tproxy = 1;
-		$track  = 0           if $config{TRACK_PROVIDERS};
-		$default_balance = 0  if $config{USE_DEFAULT_RT};
+		$local = 1;
+		$track = 0           if $config{TRACK_PROVIDERS};
+		$default_balance = 0 if $config{USE_DEFAULT_RT};
 	    } elsif ( $option =~ /^load=(0?\.\d{1,8})/ ) {
 		$load = $1;
 		require_capability 'STATISTIC_MATCH', "load=$load", 's';
@@ -467,16 +456,10 @@ sub process_a_provider() {
    }

    if ( $local ) {
-	fatal_error "GATEWAY not valid with 'local' provider"  unless $gatewaycase eq 'none';
-	fatal_error "'track' not valid with 'local'"           if $track;
-	fatal_error "DUPLICATE not valid with 'local'"         if $duplicate ne '-';
-    } elsif ( $tproxy ) {
-	fatal_error "Only one 'tproxy' provider is allowed"    if $tproxies++;
-	fatal_error "GATEWAY not valid with 'tproxy' provider" unless $gatewaycase eq 'none';
-	fatal_error "'track' not valid with 'tproxy'"          if $track;
-	fatal_error "DUPLICATE not valid with 'tproxy'"        if $duplicate ne '-';
-	fatal_error "MARK not allowed with 'tproxy'"           if $mark ne '-';
-	$mark = $globals{TPROXY_MARK};
+	fatal_error "GATEWAY not valid with 'local' provider" unless $gatewaycase eq 'none';
+	fatal_error "'track' not valid with 'local'"          if $track;
+	fatal_error "DUPLICATE not valid with 'local'"        if $duplicate ne '-';
+	fatal_error "MARK required with 'local'"              unless $mark;
    }

    my $val = 0;
@@ -488,29 +471,24 @@ sub process_a_provider() {

 	require_capability( 'MANGLE_ENABLED' , 'Provider marks' , '' );

-	if ( $tproxy && ! $local ) {
-	    $val = $globals{TPROXY_MARK};
-	    $pref = 1;
-	} else {
-	    $val = numeric_value $mark;
+	$val = numeric_value $mark;

-	    fatal_error "Invalid Mark Value ($mark)" unless defined $val && $val;
+	fatal_error "Invalid Mark Value ($mark)" unless defined $val && $val;

-	    verify_mark $mark;
+	verify_mark $mark;

-	    fatal_error "Invalid Mark Value ($mark)" unless ( $val & $globals{PROVIDER_MASK} ) == $val;
+	fatal_error "Invalid Mark Value ($mark)" unless ( $val & $globals{PROVIDER_MASK} ) == $val;

-	    fatal_error "Provider MARK may not be specified when PROVIDER_BITS=0" unless $config{PROVIDER_BITS};
+	fatal_error "Provider MARK may not be specified when PROVIDER_BITS=0" unless $config{PROVIDER_BITS};

-	    for my $providerref ( values %providers  ) {
-		fatal_error "Duplicate mark value ($mark)" if numeric_value( $providerref->{mark} ) == $val;
-	    }
-
-	    $lastmark = $val;
-	    
-	    $pref = 10000 + $number - 1;
+	for my $providerref ( values %providers  ) {
+	    fatal_error "Duplicate mark value ($mark)" if numeric_value( $providerref->{mark} ) == $val;
 	}

+	$pref = 10000 + $number - 1;
+
+	$lastmark = $val;
+
    }

    unless ( $loose ) {
@@ -549,7 +527,6 @@ sub process_a_provider() {
 			   duplicate   => $duplicate ,
 			   address     => $address ,
 			   local       => $local ,
-			   tproxy      => $tproxy ,
 			   load        => $load ,
 			   rules       => [] ,
 			   routes      => [] ,
@@ -602,7 +579,6 @@ sub add_a_provider( $$ ) {
    my $duplicate   = $providerref->{duplicate};
    my $address     = $providerref->{address};
    my $local       = $providerref->{local};
-    my $tproxy      = $providerref->{tproxy};
    my $load        = $providerref->{load};

    my $dev         = chain_base $physical;
@@ -624,7 +600,7 @@ sub add_a_provider( $$ ) {
 	$provider_interfaces{$interface} = $table;

 	if ( $gatewaycase eq 'none' ) {
-	    if ( $tproxy ) {
+	    if ( $local ) {
 		emit 'run_ip route add local ' . ALLIP . " dev $physical table $number";
 	    } else {
 		emit "run_ip route add default dev $physical table $number";
@@ -657,7 +633,7 @@ CEOF

    if ( $mark ne '-' ) {
 	my $hexmark = in_hex( $mark );
-	my $mask = have_capability 'FWMARK_RT_MASK' ? '/' . in_hex( $globals{ $tproxy && ! $local ? 'TPROXY_MARK' : 'PROVIDER_MASK' } ) : '';
+	my $mask = have_capability 'FWMARK_RT_MASK' ? '/' . in_hex $globals{PROVIDER_MASK} : '';

 	emit ( "qt \$IP -$family rule del fwmark ${hexmark}${mask}" ) if $config{DELETE_THEN_ADD};

@@ -702,20 +678,19 @@ CEOF
 	emit '';
 	if ( $gateway ) {
 	    if ( $family == F_IPV4 ) {
-		emit qq(run_ip route replace $gateway/32 dev $physical table ) . DEFAULT_TABLE;
+		emit qq(run_ip route replace $gateway dev $physical table ) . DEFAULT_TABLE;
 		emit qq(run_ip route replace default via $gateway src $address dev $physical table ) . DEFAULT_TABLE . qq( metric $number);
 	    } else {
 		emit qq(qt \$IP -6 route del default via $gateway src $address dev $physical table ) . DEFAULT_TABLE . qq( metric $number);
 		emit qq(run_ip route add default via $gateway src $address dev $physical table ) . DEFAULT_TABLE . qq( metric $number);
 	    }
 	    emit qq(echo "qt \$IP -$family route del default via $gateway table ) . DEFAULT_TABLE . qq(" >> \${VARDIR}/undo_${table}_routing);
-	    emit qq(echo "qt \$IP -4  route del $gateway/32 dev $physical table ) . DEFAULT_TABLE . qq(" >> \${VARDIR}/undo_${table}_routing) if $family == F_IPV4;
 	} else {
 	    emit qq(run_ip route add default table ) . DEFAULT_TABLE . qq( dev $physical metric $number);
 	    emit qq(echo "qt \$IP -$family route del default dev $physical table ) . DEFAULT_TABLE . qq(" >> \${VARDIR}/undo_${table}_routing);
 	}

-	$metrics = 1;
+	$fallback = 1;
    }

    emit( qq(\n) ,
@@ -723,7 +698,7 @@ CEOF
 	  qq(    qt \$IP -6 rule add from all table ) . DEFAULT_TABLE . qq( prio 32767\n) ,
 	  qq(fi) ) if $family == F_IPV6;

-    unless ( $tproxy ) {
+    unless ( $local ) {
 	emit '';

 	if ( $loose ) {
@@ -787,7 +762,7 @@ CEOF
 		if ( $gateway ) {
 		    emit qq(add_gateway "via $gateway dev $physical $realm" ) . $tbl;
 		} else {
-		    emit qq(add_gateway "dev $physical $realm" ) . $tbl;
+		    emit qq(add_gateway "nexthop dev $physical $realm" ) . $tbl;
 		}
 	    }
 	    	} else {
@@ -889,8 +864,7 @@ CEOF
 		  "qt \$TC qdisc del dev $physical ingress\n" ) if $tcdevices->{$interface};
 	}

-	emit( "echo 1 > \${VARDIR}/${physical}.status",
-	      "progress_message2 \"   Provider $table ($number) stopped\"" );
+	emit( "progress_message2 \"   Provider $table ($number) stopped\"" );

 	pop_indent;

@@ -1053,8 +1027,8 @@ sub setup_null_routing() {
    emit "> \${VARDIR}/undo_rfc1918_routing\n";
    for ( rfc1918_networks ) {
 	emit( qq(if ! \$IP -4 route ls | grep -q '^$_.* dev '; then),
-	      qq(    run_ip route replace blackhole $_),
-	      qq(    echo "qt \$IP -4 route del blackhole $_" >> \${VARDIR}/undo_rfc1918_routing),
+	      qq(    run_ip route replace unreachable $_),
+	      qq(    echo "qt \$IP -4 route del unreachable $_" >> \${VARDIR}/undo_rfc1918_routing),
 	      qq(fi\n) );
    }
 }
@@ -1143,10 +1117,6 @@ sub finish_providers() {
 	       '# We don\'t have any \'balance\' providers so we restore any default route that we\'ve saved',
 	       '#',
 	       "restore_default_route $config{USE_DEFAULT_RT}" ,
-	       '#',
-	       '# And delete any routes in the \'balance\' table',
-	       '#',
-	       "qt \$IP -$family route del default table " . BALANCE_TABLE,
 	       '' );
    }

@@ -1160,17 +1130,10 @@ sub finish_providers() {
 	}

 	emit( "    progress_message \"Fallback route '\$(echo \$FALLBACK_ROUTE | sed 's/\$\\s*//')' Added\"",
-	      'else',
-	      '    #',
-	      '    # We don\'t have any \'fallback\' providers so we delete any default routes in the default table',
-	      '    #',
-	      '    delete_default_routes ' . DEFAULT_TABLE,
 	      'fi',
 	      '' );
    } elsif ( $config{USE_DEFAULT_RT} ) {
-	emit( 'delete_default_routes ' . DEFAULT_TABLE,
-	      ''
-	    );
+	emit "qt \$IP -$family route del default table " . DEFAULT_TABLE;
    }

    unless ( $config{KEEP_RT_TABLES} ) {
@@ -1208,8 +1171,6 @@ sub process_providers( $ ) {
    }

    if ( $providers ) {
-	fatal_error q(Either all 'fallback' providers must specify a weight or non of them can specify a weight) if $fallback && $metrics;
-
 	my $fn = open_file( 'route_rules' );

 	if ( $fn ){
@@ -1281,7 +1242,6 @@ EOF
            startup_error "$g_interface is not an optional provider or provider interface"
            ;;
    esac
-
 }

 #
@@ -1322,10 +1282,6 @@ EOF

 }

-sub have_providers() {
-    return our $providers;
-}
-
 sub setup_providers() {
    our $providers;

@@ -1371,228 +1327,6 @@ sub setup_providers() {

 }

-#
-# Emit the updown() function
-#
-sub compile_updown() {
-    emit( '',
-	  '#',
-	  '# Handle the "up" and "down" commands',
-	  '#',
-	  'updown() # $1 = interface',
-	  '{',
-	);
-
-    push_indent;
-
-    emit( 'local state',
-	  'state=cleared',
-	  ''
-	);
-
-    emit 'progress_message3 "$g_product $COMMAND triggered by $1"';
-    emit '';
-
-    if ( $family == F_IPV4 ) {
-	emit 'if shorewall_is_started; then';
-    } else {
-	emit 'if shorewall6_is_started; then';
-    }
-
-    emit( '    state=started',
-	  'elif [ -f ${VARDIR}/state ]; then',
-	  '    case "$(cat ${VARDIR}/state)" in',
-	  '        Stopped*)',
-	  '            state=stopped',
-	  '            ;;',
-	  '        Cleared*)',
-	  '            ;;',
-	  '        *)',
-	  '            state=unknown',
-	  '            ;;',
-	  '    esac',
-	  'else',
-	  '    state=unknown',
-	  'fi',
-	  ''
-	);
-
-    emit( 'case $1 in' );
-
-    push_indent;
-
-    my $ignore   = find_interfaces_by_option 'ignore', 1;
-    my $required = find_interfaces_by_option 'required';
-    my $optional = find_interfaces_by_option 'optional';
-
-    if ( @$ignore ) {
-	my $interfaces = join '|', map get_physical( $_ ), @$ignore;
-
-	$interfaces =~ s/\+/*/g;
-
-	emit( "$interfaces)",
-	      '    progress_message3 "$COMMAND on interface $1 ignored"',
-	      '    exit 0',
-	      '    ;;'
-	    );
-    }
-
-    my @nonshared = ( grep $providers{$_}->{optional},
-		      sort( { $providers{$a}->{number} <=> $providers{$b}->{number} } values %provider_interfaces ) );
-
-    if ( @nonshared ) {
-	my $interfaces = join( '|', map $providers{$_}->{physical}, @nonshared );
-
-	emit "$interfaces)";
-
-	push_indent;
-
-	emit( q(if [ "$state" = started ]; then) ,
-	      q(    if [ "$COMMAND" = up ]; then) , 
-	      q(        progress_message3 "Attempting enable on interface $1") ,
-	      q(        COMMAND=enable) ,
-	      q(        detect_configuration),        
-	      q(        enable_provider $1),
-	      q(    elif [ "$PHASE" != post-down ]; then # pre-down or not Debian) ,
-	      q(        progress_message3 "Attempting disable on interface $1") ,
-	      q(        COMMAND=disable) ,
-	      q(        detect_configuration),        
-	      q(        disable_provider $1) ,
-	      q(    fi) ,
-	      q(elif [ "$COMMAND" = up ]; then) ,
-	      q(    echo 0 > ${VARDIR}/${1}.status) ,
-	      q(    COMMAND=start),
-	      q(    progress_message3 "$g_product attempting start") ,
-	      q(    detect_configuration),
-	      q(    define_firewall),
-	      q(else),
-	      q(    progress_message3 "$COMMAND on interface $1 ignored") ,
-	      q(fi) ,
-	      q(;;) );
-
-	pop_indent;
-    }
-
-    if ( @$required ) {
-	my $interfaces = join '|', map get_physical( $_ ), @$required;
-
-	my $wildcard = ( $interfaces =~ s/\+/*/g );
-
-	emit( "$interfaces)",
-	      '    if [ "$COMMAND" = up ]; then' );
-
-	if ( $wildcard ) {
-	    emit( '        if [ "$state" = started ]; then',
-		  '            COMMAND=restart',
-		  '        else',
-		  '            COMMAND=start',
-		  '        fi' );
-	} else {
-	    emit( '        COMMAND=start' );
-	}
-
-	emit( '        progress_message3 "$g_product attempting $COMMAND"',
-	      '        detect_configuration',
-	      '        define_firewall',
-	      '    elif [ "$PHASE" != pre-down ]; then # Not Debian pre-down phase'
-	    );
-
-	push_indent;
-
-	if ( $wildcard ) {
-
-	    emit( '    if [ "$state" = started ]; then',
-		  '        progress_message3 "$g_product attempting restart"',
-		  '        COMMAND=restart',
-		  '        detect_configuration',
-		  '        define_firewall',
-		  '    fi' );
-
-	} else {
-	    emit( '    COMMAND=stop',
-		  '    progress_message3 "$g_product attempting stop"',
-		  '    detect_configuration',
-		  '    stop_firewall' );
-	}
-
-	pop_indent;
-
-	emit( '    fi',
-	      '    ;;'
-	    );
-    }
-
-    if ( @$optional ) {
-	my @interfaces = map( get_physical( $_ ), grep( ! $provider_interfaces{$_} , @$optional ) );
-	my $interfaces = join '|', @interfaces;
-
-	if ( $interfaces ) {
-	    if ( $interfaces =~ s/\+/*/g || @interfaces > 1 ) {
-		emit( "$interfaces)",
-		      '    if [ "$COMMAND" = up ]; then',
-		      '        echo 0 > ${VARDIR}/${1}.state',
-		      '    else',
-		      '        echo 1 > ${VARDIR}/${1}.state',
-		      '    fi' );
-	    } else {
-		emit( "$interfaces)",
-		      '    if [ "$COMMAND" = up ]; then',
-		      "        echo 0 > \${VARDIR}/$interfaces.state",
-		      '    else',
-		      "        echo 1 > \${VARDIR}/$interfaces.state",
-		      '    fi' );
-	    }
-
-	    emit( '',
-		  '    if [ "$state" = started ]; then',
-		  '        COMMAND=restart',
-		  '        progress_message3 "$g_product attempting restart"',
-		  '        detect_configuration',
-		  '        define_firewall',
-		  '    elif [ "$state" = stopped ]; then',
-		  '        COMMAND=start',
-		  '        progress_message3 "$g_product attempting start"',
-		  '        detect_configuration',
-		  '        define_firewall',
-		  '    else',
-		  '        progress_message3 "$COMMAND on interface $1 ignored"',
-		  '    fi',
-		  '    ;;',
-		);
-	}
-    }
-
-    if ( my @plain_interfaces = all_plain_interfaces ) {			
-	my $interfaces = join ( '|', @plain_interfaces );
-
-	$interfaces =~ s/\+/*/g;
-	
-	emit( "$interfaces)",
-	      '    case $state in',
-	      '        started)',
-	      '            COMMAND=restart',
-	      '            progress_message3 "$g_product attempting restart"',
-	      '            detect_configuration',
-	      '            define_firewall',
-	      '            ;;',
-	      '        *)',
-	      '            progress_message3 "$COMMAND on interface $1 ignored"',
-	      '            ;;',
-	      '    esac',
-	    );
-    }
-
-    pop_indent;
-
-    emit( 'esac' );
-
-    pop_indent;
-
-    emit( '}',
-	  '',
-	);
-}
-
 sub lookup_provider( $ ) {
    my $provider    = $_[0];
    my $providerref = $providers{ $provider };
--- a/Shorewall/Perl/Shorewall/Rules.pm
+++ b/Shorewall/Perl/Shorewall/Rules.pm
@@ -33,7 +33,6 @@ use Shorewall::Config qw(:DEFAULT :internal);
 use Shorewall::Zones;
 use Shorewall::Chains qw(:DEFAULT :internal);
 use Shorewall::IPAddrs;
-use Shorewall::Nat qw(:rules);
 use Scalar::Util 'reftype';

 use strict;
@@ -1667,7 +1666,7 @@ sub verify_audit($;$$) {
 # Similarly, if a new action tuple is encountered, this function is called recursively for each rule in the action
 # body. In this latter case, a reference to the tuple's chain is passed in the first ($chainref) argument.
 #
-sub process_rule1 ( $$$$$$$$$$$$$$$$$ ) {
+sub process_rule1 ( $$$$$$$$$$$$$$$$ $) {
    my ( $chainref,   #reference to Action Chain if we are being called from process_action(); undef otherwise
 	 $target,
 	 $current_param,
@@ -1686,10 +1685,10 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$$ ) {
 	 $condition,
 	 $wildcard ) = @_;

-    my ( $action, $loglevel)    = split_action $target;
+    my ( $action, $loglevel) = split_action $target;
    my ( $basictarget, $param ) = get_target_param $action;
    my $rule = '';
-    my $optimize = $wildcard ? ( $basictarget =~ /!$/ ? 0 : $config{OPTIMIZE} & 5 ) : 0;
+    my $optimize = $wildcard ? ( $basictarget =~ /!$/ ? 0 : $config{OPTIMIZE} & 1 ) : 0;
    my $inaction = '';
    my $normalized_target;
    my $normalized_action;
@@ -1758,7 +1757,7 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$$ ) {
    #
    # We can now dispense with the postfix character
    #
-    fatal_error "The +, - and ! modifiers are not allowed in the blrules file" if $action =~ s/[-+!]$// && $blacklist;
+    fatal_error "The +, - and ! modifiers are not allowed in the blrules file" if $action =~ s/[\+\-!]$// && $blacklist;
    #
    # Handle actions
    #
@@ -1806,33 +1805,32 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$$ ) {

 	$bt =~ s/[-+!]$//;

-	my %functions =
-	    ( ACCEPT => sub() { $action = 'RETURN' if $blacklist; } ,
-	      
-	      REDIRECT => sub () {
-		  my $z = $actiontype & NATONLY ? '' : firewall_zone;
-		  if ( $dest eq '-' ) {
-		      $dest = $inaction ? '' : join( '', $z, '::' , $ports =~ /[:,]/ ? '' : $ports );
-		  } elsif ( $inaction ) {
-		      $dest = ":$dest";
-		  } else {
-		      $dest = join( '', $z, '::', $dest ) unless $dest =~ /^[^\d].*:/;
-		  }
-	      } ,
+	my %functions = ( ACCEPT => sub() { $action = 'RETURN' if $blacklist; } ,

-	      REJECT => sub { $action = 'reject'; } ,
+			  REDIRECT => sub () {
+			      my $z = $actiontype & NATONLY ? '' : firewall_zone;
+			      if ( $dest eq '-' ) {
+				  $dest = $inaction ? '' : join( '', $z, '::' , $ports =~ /[:,]/ ? '' : $ports );
+			      } elsif ( $inaction ) {
+				  $dest = ":$dest";
+			      } else {
+				  $dest = join( '', $z, '::', $dest ) unless $dest =~ /^[^\d].*:/;
+			      }
+			  } ,

-	      CONTINUE => sub { $action = 'RETURN'; } ,
+			  REJECT => sub { $action = 'reject'; } ,

-	      WHITELIST => sub {
-		  fatal_error "'WHITELIST' may only be used in the blrules file" unless $blacklist;
-		  $action = 'RETURN';
-	      } ,
+			  CONTINUE => sub { $action = 'RETURN'; } ,

-	      COUNT => sub { $action = ''; } ,
+			  WHITELIST => sub {
+			      fatal_error "'WHITELIST' may only be used in the blrules file" unless $blacklist;
+			      $action = 'RETURN';
+			  } ,

-	      LOG => sub { fatal_error 'LOG requires a log level' unless supplied $loglevel; } ,
-	    );
+			  COUNT => sub { $action = ''; } ,
+
+			  LOG => sub { fatal_error 'LOG requires a log level' unless supplied $loglevel; } ,
+		     );

 	my $function = $functions{ $bt };

@@ -1922,7 +1920,7 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$$ ) {
    #
    # Take care of chain
    #
-    my $chain;
+    my ( $chain, $policy );

    if ( $inaction ) {
        #
@@ -1945,8 +1943,8 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$$ ) {
 	    #
 	    # Ensure that the chain exists but don't mark it as referenced until after optimization is checked
 	    #
-	    $chainref  = ensure_chain 'filter', $chain;
-	    my $policy = $chainref->{policy};
+	    $chainref = ensure_chain 'filter', $chain;
+	    $policy   = $chainref->{policy};

 	    if ( $policy eq 'NONE' ) {
 		return 0 if $wildcard;
@@ -1955,10 +1953,10 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$$ ) {
 	    #
 	    # Handle Optimization
 	    #
-	    if ( $optimize == 1 && $section eq 'NEW' ) {
+	    if ( $optimize > 0 && $section eq 'NEW' ) {
 		my $loglevel = $filter_table->{$chainref->{policychain}}{loglevel};
 		if ( $loglevel ne '' ) {
-		    return 0 if $target eq "${policy}:${loglevel}";
+		    return 0 if $target eq "${policy}:$loglevel}";
 		} else {
 		    return 0 if $basictarget eq $policy;
 		}
@@ -2021,8 +2019,8 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$$ ) {
 	if ( $config{FASTACCEPT} ) {
 	    fatal_error "Entries in the $section SECTION of the rules file not permitted with FASTACCEPT=Yes" unless
 		$section eq 'BLACKLIST' ||
-		    ( $section eq 'RELATED' && ( $config{RELATED_DISPOSITION} ne 'ACCEPT' || $config{RELATED_LOG_LEVEL} ) )
-		}
+		( $section eq 'RELATED' && ( $config{RELATED_DISPOSITION} ne 'ACCEPT' || $config{RELATED_LOG_LEVEL} ) )
+	}

 	fatal_error "$basictarget rules are not allowed in the $section SECTION" if $actiontype & ( NATRULE | NONAT );
 	$rule .= "$globals{STATEMATCH} $section " unless $section eq 'ALL' || $blacklist;
@@ -2032,29 +2030,132 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$$ ) {
    # Generate NAT rule(s), if any
    #
    if ( $actiontype & NATRULE ) {
+	my ( $server, $serverport );
+	my $randomize = $dest =~ s/:random$// ? ' --random' : '';
+
 	require_capability( 'NAT_ENABLED' , "$basictarget rules", '' );
 	#
-	# Add the appropriate rule to the nat table
+	# Isolate server port
 	#
-	( $ports,
-	  $origdstports,
-	  $dest ) = handle_nat_rule( $dest,
-				     $proto,
-				     $ports,
-				     $origdest,
-				     ( $actiontype & ACTION ) ? $usedactions{$normalized_target}->{name} : '',
-				     $action,
-				     $sourceref,
-				     $inaction ? $chain : '',
-				     $rule,
-				     $source,
-				     ( $actiontype & ACTION ) ? '' : $loglevel,
-				     $log_action
-				   );		 
+	if ( $dest =~ /^(.*)(:(.+))$/ ) {
+	    #
+	    # Server IP and Port
+	    #
+	    $server = $1;      # May be empty
+	    $serverport = $3;  # Not Empty due to RE
+	    $origdstports = $ports;
+
+	    if ( $origdstports && $origdstports ne '-' && port_count( $origdstports ) == 1 ) {
+		$origdstports = validate_port( $proto, $origdstports );
+	    } else {
+		$origdstports = '';
+	    }
+
+	    if ( $serverport =~ /^(\d+)-(\d+)$/ ) {
+		#
+		# Server Port Range
+		#
+		fatal_error "Invalid port range ($serverport)" unless $1 < $2;
+		my @ports = ( $1, $2 );
+		$_ = validate_port( proto_name( $proto ), $_) for ( @ports );
+		( $ports = $serverport ) =~ tr/-/:/;
+	    } else {
+		$serverport = $ports = validate_port( proto_name( $proto ), $serverport );
+	    }
+	} elsif ( $dest eq ':' ) {
+	    #
+	    # Rule with no server IP or port ( zone:: )
+	    #
+	    $server = $serverport = '';
+	} else {
+	    #
+	    # Simple server IP address (may be empty or "-")
+	    #
+	    $server = $dest;
+	    $serverport = '';
+	}
+
+	#
+	# Generate the target
+	#
+	my $target = '';
+
+	if ( $actiontype  & REDIRECT ) {
+	    fatal_error "A server IP address ($server) may not be specified in a REDIRECT rule" if $server;
+	    $target  = 'REDIRECT';
+	    $target .= " --to-port $serverport" if $serverport;
+	    if ( $origdest eq '' || $origdest eq '-' ) {
+		$origdest = ALLIP;
+	    } elsif ( $origdest eq 'detect' ) {
+		fatal_error 'ORIGINAL DEST "detect" is invalid in an action' if $inaction;
+
+		if ( $config{DETECT_DNAT_IPADDRS} && $sourcezone ne firewall_zone ) {
+		    my $interfacesref = $sourceref->{interfaces};
+		    my @interfaces = keys %$interfacesref;
+		    $origdest = @interfaces ? "detect:@interfaces" : ALLIP;
+ 		} else {
+		    $origdest = ALLIP;
+		}
+	    }
+	} elsif ( $actiontype & ACTION ) {
+	    fatal_error "A server port ($serverport) is not allowed in $action rule" if $serverport;
+	    $target = $usedactions{$normalized_target}->{name};
+	    $loglevel = '';
+	} else {
+	    if ( $server eq '' ) {
+		fatal_error "A server and/or port must be specified in the DEST column in $action rules" unless $serverport;
+	    } elsif ( $server =~ /^(.+)-(.+)$/ ) {
+		validate_range( $1, $2 );
+	    } else {
+		unless ( ( $actiontype & ACTION ) && $server eq ALLIP ) {
+		    my @servers = validate_address $server, 1;
+		    $server = join ',', @servers;
+		}
+	    }
+
+	    if ( $action eq 'DNAT' ) {
+		$target = 'DNAT';
+		if ( $server ) {
+		    $serverport = ":$serverport" if $serverport;
+		    for my $serv ( split /,/, $server ) {
+			$target .= " --to-destination ${serv}${serverport}";
+		    }
+		} else {
+		    $target .= " --to-destination :$serverport";
+		}
+	    }
+
+	    unless ( $origdest && $origdest ne '-' && $origdest ne 'detect' ) {
+		if ( ! $inaction && $config{DETECT_DNAT_IPADDRS} && $sourcezone ne firewall_zone ) {
+		    my $interfacesref = $sourceref->{interfaces};
+		    my @interfaces = keys %$interfacesref;
+		    $origdest = @interfaces ? "detect:@interfaces" : ALLIP;
+		} else {
+		    $origdest = ALLIP;
+		}
+	    }
+	}
+
+	$target .= $randomize;
+
+	#
+	# And generate the nat table rule(s)
+	#
+	expand_rule ( ensure_chain ('nat' , $inaction ? $chain : $sourceref->{type} == FIREWALL ? 'OUTPUT' : dnat_chain $sourcezone ),
+		      PREROUTE_RESTRICT ,
+		      $rule ,
+		      $source ,
+		      $origdest ,
+		      '' ,
+		      $target ,
+		      $loglevel ,
+		      $log_action ,
+		      $serverport ? do_proto( $proto, '', '' ) : '',
+		    );
 	#
 	# After NAT:
 	#   - the destination port will be the server port ($ports) -- we did that above
-	#   - the destination IP will be the server IP   ($dest)  -- also done above
+	#   - the destination IP   will be the server IP   ($dest)
 	#   - there will be no log level (we log NAT rules in the nat table rather than in the filter table).
 	#   - the target will be ACCEPT.
 	#
@@ -2067,24 +2168,89 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$$ ) {
 			  do_condition( $condition )
 			);
 	    $loglevel = '';
+	    $dest     = $server;
 	    $action   = 'ACCEPT';
 	    $origdest = ALLIP if  $origdest =~ /[+]/;
 	}
    } elsif ( $actiontype & NONAT ) {
 	#
-	# NONAT or ACCEPT+
+	# NONAT or ACCEPT+ -- May not specify a destination interface
 	#
-	handle_nonat_rule( $action,
-			   $source,
-			   $dest,
-			   $origdest,
-			   $sourceref,
-			   $inaction,
-			   $chain,
-			   $loglevel,
-			   $log_action,
-			   $rule
-			 );
+	fatal_error "Invalid DEST ($dest) in $action rule" if $dest =~ /:/;
+
+	$origdest = '' unless $origdest and $origdest ne '-';
+
+	if ( $origdest eq 'detect' ) {
+	    my $interfacesref = $sourceref->{interfaces};
+	    my $interfaces = [ ( keys %$interfacesref ) ];
+	    $origdest = $interfaces ? "detect:@$interfaces" : ALLIP;
+	}
+
+	my $tgt = 'RETURN';
+
+	my $nonat_chain;
+
+	my $chn;
+
+	if ( $inaction ) {
+	    $nonat_chain = ensure_chain( 'nat', $chain );
+	} elsif ( $sourceref->{type} == FIREWALL ) {
+	    $nonat_chain = $nat_table->{OUTPUT};
+	} else {
+	    $nonat_chain = ensure_chain( 'nat', dnat_chain( $sourcezone ) );
+
+	    my @interfaces = keys %{zone_interfaces $sourcezone};
+
+	    for ( @interfaces ) {
+		my $ichain = input_chain $_;
+
+		if ( $nat_table->{$ichain} ) {
+		    #
+		    # Static NAT is defined on this interface
+		    #
+		    $chn = new_chain( 'nat', newnonatchain ) unless $chn;
+		    add_ijump $chn, j => $nat_table->{$ichain}, @interfaces > 1 ? imatch_source_dev( $_ )  : ();
+		}
+	    }
+
+	    if ( $chn ) {
+		#
+		# Call expand_rule() to correctly handle logging. Because
+		# the 'logname' argument is passed, expand_rule() will
+		# not create a separate logging chain but will rather emit
+		# any logging rule in-line.
+		#
+		expand_rule( $chn,
+			     PREROUTE_RESTRICT,
+			     '', # Rule
+			     '', # Source
+			     '', # Dest
+			     '', # Original dest
+			     'ACCEPT',
+			     $loglevel,
+			     $log_action,
+			     '',
+			     dnat_chain( $sourcezone  ) );
+		$loglevel = '';
+		$tgt = $chn->{name};
+	    } else {
+		$tgt = 'ACCEPT';
+	    }
+	}
+
+	set_optflags( $nonat_chain, DONT_MOVE | DONT_OPTIMIZE ) if $tgt eq 'RETURN';
+
+	expand_rule( $nonat_chain ,
+		     PREROUTE_RESTRICT ,
+		     $rule ,
+		     $source ,
+		     $dest ,
+		     $origdest ,
+		     $tgt,
+		     $loglevel ,
+		     $log_action ,
+		     '',
+		   );
    }

    #
--- a/Shorewall/Perl/Shorewall/Tc.pm
+++ b/Shorewall/Perl/Shorewall/Tc.pm
@@ -163,17 +163,13 @@ my  @tcclasses;
 my  %tcclasses;

 my  %restrictions = ( tcpre      => PREROUTE_RESTRICT ,
-		      PREROUTING => PREROUTE_RESTRICT ,
 		      tcpost     => POSTROUTE_RESTRICT ,
 		      tcfor      => NO_RESTRICT ,
 		      tcin       => INPUT_RESTRICT ,
-		      tcout      => OUTPUT_RESTRICT ,
-		    );
+		      tcout      => OUTPUT_RESTRICT );

 my $family;

-my $divertref; # DIVERT chain
-
 #
 # Rather than initializing globals in an INIT block or during declaration,
 # we initialize them in a function. This is done for two reasons:
@@ -185,34 +181,31 @@ my $divertref; # DIVERT chain
 #      able to re-initialize its dependent modules' state.
 #
 sub initialize( $ ) {
-    $family    = shift;
-    %classids  = ();
+    $family   = shift;
+    %classids = ();
    @tcdevices = ();
    %tcdevices = ();
    @tcclasses = ();
    %tcclasses = ();
    @devnums   = ();
-    $devnum    = 0;
-    $sticky    = 0;
-    $ipp2p     = 0;
-    $divertref = 0;
+    $devnum = 0;
+    $sticky = 0;
+    $ipp2p  = 0;
 }

 sub process_tc_rule( ) {
    my ( $originalmark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability , $dscp );
    if ( $family == F_IPV4 ) {
 	( $originalmark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $probability, $dscp ) =
-	    split_line1 'tcrules file', { mark => 0, action => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5, user => 6, test => 7, length => 8, tos => 9, connbytes => 10, helper => 11, probability => 12 , dscp => 13 }, { COMMENT => 0, FORMAT => 2 } , 14;
+	    split_line1 'tcrules file', { mark => 0, action => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5, user => 6, test => 7, length => 8, tos => 9, connbytes => 10, helper => 11, probability => 12 , dscp => 13 }, undef , 14;
 	$headers = '-';
    } else {
 	( $originalmark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability, $dscp ) =
-	    split_line1 'tcrules file', { mark => 0, action => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5, user => 6, test => 7, length => 8, tos => 9, connbytes => 10, helper => 11, headers => 12, probability => 13 , dscp => 14 },  { COMMENT => 0, FORMAT => 2 }, 15;
+	    split_line1 'tcrules file', { mark => 0, action => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5, user => 6, test => 7, length => 8, tos => 9, connbytes => 10, helper => 11, headers => 12, probability => 13 , dscp => 14 }, undef, 15;
    }

    our @tccmd;

-    our $format;
-
    fatal_error 'MARK must be specified' if $originalmark eq '-';

    if ( $originalmark eq 'COMMENT' ) {
@@ -220,15 +213,6 @@ sub process_tc_rule( ) {
 	return;
    }

-    if ( $originalmark eq 'FORMAT' ) {
-	if ( $source =~ /^([12])$/ ) {
-	    $format = $1;
-	    return;
-	}
-
-	fatal_error "Invalid FORMAT ($source)";
-    }
-
    my ( $mark, $designator, $remainder ) = split( /:/, $originalmark, 3 );

    fatal_error "Invalid MARK ($originalmark)" unless supplied $mark;
@@ -258,7 +242,6 @@ sub process_tc_rule( ) {
    my $restriction = 0;
    my $cmd;
    my $rest;
-    my $matches = '';

    my %processtcc = ( sticky => sub() {
 			                  if ( $chain eq 'tcout' ) {
@@ -311,56 +294,22 @@ sub process_tc_rule( ) {

 					  $target = "IPMARK --addr $srcdst --and-mask $mask1 --or-mask $mask2 --shift $shift";
 				      },
-		       DIVERT => sub() {
-			                  fatal_error "Invalid MARK ($originalmark)"               unless $format == 2;
-			                  fatal_error "Invalid DIVERT specification( $cmd/$rest )" if $rest;
-
-					  $chain = 'PREROUTING';
-
-					  $mark = in_hex( $globals{TPROXY_MARK} ) . '/' . in_hex( $globals{TPROXY_MARK} );
-
-					  unless ( $divertref ) {
-					      $divertref = new_chain( 'mangle', 'divert' );
-					      add_ijump( $divertref , j => 'MARK', targetopts => "--set-mark $mark"  );
-					      add_ijump( $divertref , j => 'ACCEPT' );
-					  }
-
-					  $target = 'divert';
-
-					  $matches = '! --tcp-flags FIN,SYN,RST,ACK SYN  -m socket --transparent ';
-				      },					      
 		       TPROXY => sub() {
 			                  require_capability( 'TPROXY_TARGET', 'Use of TPROXY', 's');

 			                  fatal_error "Invalid TPROXY specification( $cmd/$rest )" if $rest;

-					  $chain = 'PREROUTING';
+					  $chain = 'tcpre';

 					  $cmd =~ /TPROXY\((.+?)\)$/;

 					  my $params = $1;
-					  my ( $port, $ip, $bad );

-					  if ( $format == 1 ) {
-					      fatal_error "Invalid TPROXY specification( $cmd )" unless defined $params;
+					  fatal_error "Invalid TPROXY specification( $cmd )" unless defined $params;

-					      ( $mark, $port, $ip, $bad ) = split_list $params, 'Parameter';
+					  ( $mark, my $port, my $ip, my $bad ) = split ',', $params;

-					      fatal_error "Invalid TPROXY specification( $cmd )" if defined $bad;
-
-					      warning_message "TPROXY is deprecated in a format-1 tcrules file";
-					  } else {
-					      if ( $params ) {
-						  ( $port, $ip, $bad ) = split_list $params, 'Parameter';
-
-						  fatal_error "Invalid TPROXY specification( $cmd )" if defined $bad;
-					      
-					      } else {
-						  fatal_error "Invalid TPROXY specification ($cmd)" unless $cmd eq 'TPROXY' || $cmd eq 'TPROXY()';
-					      }
-
-					      $mark = in_hex( $globals{TPROXY_MARK} ) . '/' . in_hex( $globals{TPROXY_MARK} );
-					  }
+					  fatal_error "Invalid TPROXY specification( $cmd )" if defined $bad;

 					  if ( $port ) {
 					      $port = validate_port( 'tcp', $port );
@@ -581,7 +530,7 @@ sub process_tc_rule( ) {

    if ( ( my $result = expand_rule( ensure_chain( 'mangle' , $chain ) ,
 				     $restrictions{$chain} | $restriction,
-				     do_proto( $proto, $ports, $sports) . $matches .
+				     do_proto( $proto, $ports, $sports) .
 				     do_user( $user ) .
 				     do_test( $testval, $globals{TC_MASK} ) .
 				     do_length( $length ) .
@@ -590,7 +539,7 @@ sub process_tc_rule( ) {
 				     do_helper( $helper ) .
 				     do_headers( $headers ) .
 				     do_probability( $probability ) .
-				     do_dscp( $dscp ) ,
+				     do_dscp( $dscp ),
 				     $source ,
 				     $dest ,
 				     '' ,
@@ -853,8 +802,6 @@ sub process_simple_device() {
    progress_message "  Simple tcdevice \"$currentline\" $done.";
 }

-my %validlinklayer = ( ethernet => 1, atm => 1, adsl => 1 );
-
 sub validate_tc_device( ) {
    my ( $device, $inband, $outband , $options , $redirected ) = split_line 'tcdevices', { interface => 0, in_bandwidth => 1, out_bandwidth => 2, options => 3, redirect => 4 };

@@ -889,8 +836,7 @@ sub validate_tc_device( ) {
    fatal_error "Duplicate INTERFACE ($device)"    if $tcdevices{$device};
    fatal_error "Invalid INTERFACE name ($device)" if $device =~ /[:+]/;

-    my ( $classify, $pfifo, $flow, $qdisc, $linklayer, $overhead, $mtu, $mpu, $tsize ) = 
-	(0,         0,      '',    'htb',  '',         0,         0,    0,    0);
+    my ( $classify, $pfifo, $flow, $qdisc )  = (0, 0, '', 'htb' );

    if ( $options ne '-' ) {
 	for my $option ( split_list1 $options, 'option' ) {
@@ -906,25 +852,6 @@ sub validate_tc_device( ) {
 		$qdisc = 'hfsc';
 	    } elsif ( $option eq 'htb' ) {
 		$qdisc = 'htb';
-	    } elsif ( $option =~ /^linklayer=([a-z]+)$/ ) {
-		$linklayer = $1;
-		fatal_error "Invalid linklayer ($linklayer)" unless $validlinklayer{ $linklayer };
-	    } elsif ( $option =~ /^overhead=(.+)$/ ) {
-		$overhead = numeric_value( $1 );
-		fatal_error "Invalid overhead ($1)" unless defined $overhead;
-		fatal_error q('overhead' requires 'linklayer') unless $linklayer; 
-	    } elsif ( $option =~ /^mtu=(.+)$/ ) {
-		$mtu = numeric_value( $1 );
-		fatal_error "Invalid mtu ($1)" unless defined $mtu;
-		fatal_error q('mtu' requires 'linklayer') unless $linklayer; 
-	    } elsif ( $option =~ /^mpu=(.+)$/ ) {
-		$mpu = numeric_value( $1 );
-		fatal_error "Invalid mpu ($1)" unless defined $mpu;
-		fatal_error q('mpu' requires 'linklayer') unless $linklayer;
-	    } elsif ( $option =~ /^tsize=(.+)$/ ) {
-		$tsize = numeric_value( $1 );
-		fatal_error "Invalid tsize ($1)" unless defined $tsize;
-		fatal_error q('tsize' requires 'linklayer') unless $linklayer; 
 	    } else {
 		fatal_error "Unknown device option ($option)";
 	    }
@@ -963,12 +890,7 @@ sub validate_tc_device( ) {
 			    guarantee     => 0,
 			    name          => $device,
 			    physical      => physical_name $device,
-			    filters       => [],
-			    linklayer     => $linklayer,
-			    overhead      => $overhead,
-			    mtu           => $mtu,
-			    mpu           => $mpu,
-			    tsize         => $tsize,
+			    filters       => []
 			  } ,

    push @tcdevices, $device;
@@ -1002,7 +924,7 @@ sub convert_delay( $ ) {
    my $delay = shift;

    return 0 unless $delay;
-    return $1 if $delay =~ /^(\d+(\.\d+)?)(ms)?$/;
+    return $1 if $delay =~ /^(\d+)(ms)?$/;
    fatal_error "Invalid Delay ($delay)";
 }

@@ -1031,18 +953,6 @@ sub dev_by_number( $ ) {
    ( $dev , $devref );
 }

-use constant { RED_INTEGER => 1, RED_FLOAT => 2, RED_NONE => 3 };
-
-my %validredoptions = ( min         => RED_INTEGER,
-			max         => RED_INTEGER,
-			limit       => RED_INTEGER,
-			burst       => RED_INTEGER,
-			avpkt       => RED_INTEGER,
-			bandwidth   => RED_INTEGER,
-			probability => RED_FLOAT,
-			ecn         => RED_NONE,
-		      );
-
 sub validate_tc_class( ) {
    my ( $devclass, $mark, $rate, $ceil, $prio, $options ) =
 	split_line 'tcclasses file', { interface => 0, mark => 1, rate => 2, ceil => 3, prio => 4, options => 5 };
@@ -1052,7 +962,6 @@ sub validate_tc_class( ) {
    my $occurs = 1;
    my $parentclass = 1;
    my $parentref;
-    my $lsceil = 0;

    fatal_error 'INTERFACE must be specified' if $devclass eq '-';
    fatal_error 'CEIL must be specified'      if $ceil eq '-';
@@ -1099,18 +1008,22 @@ sub validate_tc_class( ) {
    my $markval = 0;

    if ( $mark ne '-' ) {
-	fatal_error "MARK may not be specified when TC_BITS=0" unless $config{TC_BITS};
-
-	$markval = numeric_value( $mark );
-	fatal_error "Invalid MARK ($markval)" unless defined $markval;
-
-	fatal_error "Invalid Mark ($mark)" unless $markval <= $globals{TC_MAX};
-
-	if ( $classnumber ) {
-	    fatal_error "Duplicate Class NUMBER ($classnumber)" if $tcref->{$classnumber};
+	if ( $devref->{classify} ) {
+	    warning_message "INTERFACE $device has the 'classify' option - MARK value ($mark) ignored";
 	} else {
-	    $classnumber = $config{TC_BITS} >= 14 ? $devref->{nextclass}++ : hex_value( $devnum . $markval );
-	    fatal_error "Duplicate MARK ($mark)" if $tcref->{$classnumber};
+	    fatal_error "MARK may not be specified when TC_BITS=0" unless $config{TC_BITS};
+
+	    $markval = numeric_value( $mark );
+	    fatal_error "Invalid MARK ($markval)" unless defined $markval;
+
+	    fatal_error "Invalid Mark ($mark)" unless $markval <= $globals{TC_MAX};
+
+	    if ( $classnumber ) {
+		fatal_error "Duplicate Class NUMBER ($classnumber)" if $tcref->{$classnumber};
+	    } else {
+		$classnumber = $config{TC_BITS} >= 14 ? $devref->{nextclass}++ : hex_value( $devnum . $markval );
+		fatal_error "Duplicate MARK ($mark)" if $tcref->{$classnumber};
+	    }
 	}
    } else {
 	fatal_error "Duplicate Class NUMBER ($classnumber)" if $tcref->{$classnumber};
@@ -1125,9 +1038,7 @@ sub validate_tc_class( ) {
 	my $parentnum = in_hexp $parentclass;
 	fatal_error "Unknown Parent class ($parentnum)" unless $parentref && $parentref->{occurs} == 1;
 	fatal_error "The class ($parentnum) specifies UMAX and/or DMAX; it cannot serve as a parent" if $parentref->{dmax};
-	fatal_error "The class ($parentnum) specifies 'flow'; it cannot serve as a parent"           if $parentref->{flow};
-	fatal_error "The class ($parentnum) specifies 'red'; it cannot serve as a parent "           if $parentref->{red};
-	fatal_error "The class ($parentnum) has an 'ls' curve; it cannot serve as a parent "         if $parentref->{lsceil};
+	fatal_error "The class ($parentnum) specifies flow; it cannot serve as a parent"             if $parentref->{flow};
 	fatal_error "The default class ($parentnum) may not have sub-classes"                        if ( $devref->{default} || 0 ) == $parentclass;
 	$parentref->{leaf} = 0;
 	$ratemax  = $parentref->{rate};
@@ -1138,27 +1049,16 @@ sub validate_tc_class( ) {

    my ( $umax, $dmax ) = ( '', '' );

-    if ( $ceil =~ /^(.+):(.+)/ ) {
-	fatal_error "An LS rate may only be specified for HFSC classes" unless $devref->{qdisc} eq 'hfsc';
-	$lsceil = $1;
-	$ceil   = $2;
-    }
-
    if ( $devref->{qdisc} eq 'hfsc' ) {
-	if ( $rate eq '-' ) {
-	    fatal_error 'A RATE must be supplied' unless $lsceil;
-	    $rate = 0;
-	} else {
-	    ( my $trate , $dmax, $umax , my $rest ) = split ':', $rate , 4;
+	( my $trate , $dmax, $umax , my $rest ) = split ':', $rate , 4;

-	    fatal_error "Invalid RATE ($rate)" if defined $rest;
+	fatal_error "Invalid RATE ($rate)" if defined $rest;

-	    $rate = convert_rate ( $ratemax, $trate, 'RATE', $ratename );
-	    $dmax = convert_delay( $dmax );
-	    $umax = convert_size( $umax );
-	    fatal_error "DMAX must be specified when UMAX is specified" if $umax && ! $dmax;
-	    $parentclass ||= 1;
-	}
+	$rate = convert_rate ( $ratemax, $trate, 'RATE', $ratename );
+	$dmax = convert_delay( $dmax );
+	$umax = convert_size( $umax );
+	fatal_error "DMAX must be specified when UMAX is specified" if $umax && ! $dmax;
+	$parentclass ||= 1;
    } else {
 	$rate = convert_rate ( $ratemax, $rate, 'RATE' , $ratename );
    }
@@ -1175,8 +1075,7 @@ sub validate_tc_class( ) {
 			       rate      => $rate ,
 			       umax      => $umax ,
 			       dmax      => $dmax ,
-			       ceiling   => $ceil   = ( supplied $ceil   ? convert_rate( $ceilmax, $ceil,   'CEIL'  , $ceilname ) : 0 ),
-			       lsceil    => $lsceil = ( $lsceil          ? convert_rate( $ceilmax, $lsceil, 'LSCEIL', $ceilname ) : 0 ),
+			       ceiling   => convert_rate( $ceilmax, $ceil, 'CEIL' , $ceilname ) ,
 			       priority  => $prio eq '-' ? 1 : $prio ,
 			       mark      => $markval ,
 			       flow      => '' ,
@@ -1190,9 +1089,7 @@ sub validate_tc_class( ) {

    $tcref = $tcref->{$classnumber};

-    fatal_error "RATE ($rate) exceeds CEIL ($ceil)" if $rate && $ceil && $rate > $ceil;
-
-    my ( $red, %redopts ) = ( 0, ( avpkt => 1000 ) );
+    fatal_error "RATE ($tcref->{rate}) exceeds CEIL ($tcref->{ceiling})" if $tcref->{rate} > $tcref->{ceiling};

    unless ( $options eq '-' ) {
 	for my $option ( split_list1 "\L$options", 'option' ) {
@@ -1217,11 +1114,9 @@ sub validate_tc_class( ) {
 		push @{$tcref->{tos}}, $option;
 	    } elsif ( $option =~ /^flow=(.*)$/ ) {
 		fatal_error "The 'flow' option is not allowed with 'pfifo'" if $tcref->{pfifo};
-		fatal_error "The 'flow' option is not allowed with 'red'"   if $tcref->{red};
 		$tcref->{flow} = process_flow $1;
 	    } elsif ( $option eq 'pfifo' ) {
-		fatal_error "The 'pfifo' option is not allowed with 'flow='" if $tcref->{flow};
-		fatal_error "The 'pfifo' option is not allowed with 'red='"  if $tcref->{red};
+		fatal_error "The 'pfifo'' option is not allowed with 'flow='" if $tcref->{flow};
 		$tcref->{pfifo} = 1;
 	    } elsif ( $option =~ /^occurs=(\d+)$/ ) {
 		my $val = $1;
@@ -1242,57 +1137,6 @@ sub validate_tc_class( ) {
 		warning_message "limit ignored with pfifo queuing" if $tcref->{pfifo};
 		fatal_error "Invalid limit ($1)" if $1 < 3 || $1 > 128;
 		$tcref->{limit} = $1;
-	    } elsif ( $option =~ s/^red=// ) {
-		fatal_error "The 'red=' option is not allowed with 'flow='" if $tcref->{flow};
-		fatal_error "The 'red=' option is not allowed with 'pfifo'" if $tcref->{pfifo};
-		$tcref->{red} = 1;
-		my $opttype;
-
-		for my $redopt ( split_list( $option , q('red' option list) ) ) {
-		    #
-		    #                            $2  ----------------------
-		    #              $1  ------       | $3 -------           |
-		    #                 |      |      |   |       |          |
-		    if ( $redopt =~ /^([a-z]+) (?:= (   ([01]?\.)?(\d{1,8})) )?$/x ) {
-			fatal_error "Invalid RED option ($1)" unless $opttype = $validredoptions{$1};
-			if ( $2 ) {
-			    #
-			    # '=<value>' supplied
-			    #
-			    fatal_error "The $1 option does not take a value" if $opttype == RED_NONE;
-			    if ( $3 ) {
-				#
-				# fractional value
-				#
-				fatal_error "The $1 option requires an integer value"  if $opttype == RED_INTEGER;
-				fatal_error "The value of $1 must be <= 1" if $2 > 1;
-			    } else {
-				#
-				# Integer value
-				#
-				fatal_error "The $1 option requires a value 0 <= value <= 1" if $opttype == RED_FLOAT;
-			    }
-			} else {
-			    #
-			    # No value supplied
-			    #
-			    fatal_error "The $1 option requires a value" unless $opttype == RED_NONE;
-			}
-
-			$redopts{$1} = $2;
-		    } else {
-			fatal_error "Invalid RED option specification ($redopt)";
-		    }
-		}
-
-		for ( qw/ limit min max avpkt burst probability / ) {
-		    fatal_error "The $_ 'red' option is required" unless $redopts{$_};
-		}
-
-		fatal_error "The 'max' red option must be at least 2 * 'min'"   unless $redopts{max}   >= 2 * $redopts{min};
-		fatal_error "The 'limit' red option must be at least 2 * 'max'" unless $redopts{limit} >= 2 * $redopts{min};
-		$redopts{ecn} = 1 if exists $redopts{ecn};
-		$tcref->{redopts} = \%redopts;
 	    } else {
 		fatal_error "Unknown option ($option)";
 	    }
@@ -1324,8 +1168,6 @@ sub validate_tc_class( ) {
 					       occurs   => 0,
 					       parent   => $parentclass,
 					       limit    => $tcref->{limit},
-					       red      => $tcref->{red},
-					       redopts  => $tcref->{redopts},
 					     };
 	push @tcclasses, "$device:$classnumber";
    };
@@ -1657,6 +1499,7 @@ sub process_tc_priority() {
 					   $interface eq '-' &&
 					   $helper    eq '-' );

+
    my $val = numeric_value $band;

    fatal_error "Invalid PRIORITY ($band)" unless $val && $val <= 3;
@@ -1741,14 +1584,8 @@ sub process_tcpri() {
 			  mark => '--mark 0/'   . in_hex( $globals{TC_MASK} )
 			);

-	    insert_irule( $mangle_table->{tcpost} ,
-			  j => 'RETURN', 
-			  1 ,
-			  mark => '! --mark 0/' . in_hex( $globals{TC_MASK} ) ,
-			);
-
 	    add_ijump( $mangle_table->{tcpost} ,
-		       j    => 'CONNMARK --save-mark --mask '    . in_hex( $globals{TC_MASK} ),
+		       j    => 'CONNMARK --save-mark --ctmask '    . in_hex( $globals{TC_MASK} ),
 		       mark => '! --mark 0/' . in_hex( $globals{TC_MASK} )
 		     );
 	}
@@ -1817,22 +1654,11 @@ sub process_traffic_shaping() {
 		   "${dev}_mtu1=\$(get_device_mtu1 $device)"
 		 );

-	    my $stab;
-
-	    if ( $devref->{linklayer} ) {
-		$stab =  "stab linklayer $devref->{linklayer} overhead $devref->{overhead} ";
-		$stab .= "mtu $devref->{mtu} "     if $devref->{mtu};
-		$stab .= "mpu $devref->{mpu} "     if $devref->{mpu};
-		$stab .= "tsize $devref->{tsize} " if $devref->{tsize};
-	    } else {
-		$stab = '';
-	    }
-
 	    if ( $devref->{qdisc} eq 'htb' ) {
-		emit ( "run_tc qdisc add dev $device ${stab}root handle $devnum: htb default $defmark r2q $r2q" ,
+		emit ( "run_tc qdisc add dev $device root handle $devnum: htb default $defmark r2q $r2q" ,
 		       "run_tc class add dev $device parent $devnum: classid $devnum:1 htb rate $devref->{out_bandwidth} \$${dev}_mtu1" );
 	    } else {
-		emit ( "run_tc qdisc add dev $device ${stab}root handle $devnum: hfsc default $defmark" ,
+		emit ( "run_tc qdisc add dev $device root handle $devnum: hfsc default $defmark" ,
 		       "run_tc class add dev $device parent $devnum: classid $devnum:1 hfsc sc rate $devref->{out_bandwidth} ul rate $devref->{out_bandwidth}" );
 	    }

@@ -1856,9 +1682,8 @@ sub process_traffic_shaping() {
 	    handle_in_bandwidth( $device, $devref->{in_bandwidth} );

 	    for my $rdev ( @{$devref->{redirected}} ) {
-		my $phyrdev = get_physical( $rdev );
-		emit ( "run_tc qdisc add dev $phyrdev handle ffff: ingress" );
-		emit( "run_tc filter add dev $phyrdev parent ffff: protocol all u32 match u32 0 0 action mirred egress redirect dev $device > /dev/null" );
+		emit ( "run_tc qdisc add dev $rdev handle ffff: ingress" );
+		emit( "run_tc filter add dev $rdev parent ffff: protocol all u32 match u32 0 0 action mirred egress redirect dev $device > /dev/null" );
 	    }

 	    for my $class ( @tcclasses ) {
@@ -1879,12 +1704,10 @@ sub process_traffic_shaping() {
 		my $mark     = $tcref->{mark};
 		my $devicenumber  = in_hexp $devref->{number};
 		my $classid  = join( ':', $devicenumber, $classnum);
-		my $rawrate  = $tcref->{rate};
-		my $rate     = "${rawrate}kbit";
-		my $lsceil   = $tcref->{lsceil};
+		my $rate     = "$tcref->{rate}kbit";
 		my $quantum  = calculate_quantum $rate, calculate_r2q( $devref->{out_bandwidth} );

-		$classids{$classid}=$devname;
+		$classids{$classid}=$device;

 		my $priority = $tcref->{priority} << 8;
 		my $parent   = in_hexp $tcref->{parent};
@@ -1895,50 +1718,23 @@ sub process_traffic_shaping() {
 		    emit ( "run_tc class add dev $device parent $devicenumber:$parent classid $classid htb rate $rate ceil $tcref->{ceiling}kbit prio $tcref->{priority} \$${dev}_mtu1 quantum \$quantum" );
 		} else {
 		    my $dmax = $tcref->{dmax};
-		    my $rule = "run_tc class add dev $device parent $devicenumber:$parent classid $classid hfsc";

 		    if ( $dmax ) {
 			my $umax = $tcref->{umax} ? "$tcref->{umax}b" : "\${${dev}_mtu}b";
-			$rule .= " sc umax $umax dmax ${dmax}ms";
-			$rule .= " rate $rate" if $rawrate;
+			emit ( "run_tc class add dev $device parent $devicenumber:$parent classid $classid hfsc sc umax $umax dmax ${dmax}ms rate $rate ul rate $tcref->{ceiling}kbit" );
 		    } else {
-			$rule .= " sc rate $rate" if $rawrate;
+			emit ( "run_tc class add dev $device parent $devicenumber:$parent classid $classid hfsc sc rate $rate ul rate $tcref->{ceiling}kbit" );
 		    }
-
-		    $rule .= " ls rate ${lsceil}kbit" if $lsceil;
-		    $rule .= " ul rate $tcref->{ceiling}kbit" if $tcref->{ceiling};
-
-		    emit $rule;
 		}

-		if ( $tcref->{leaf} ) {
-		    if ( $tcref->{red} ) {
-			1 while $devnums[++$sfq];
-			$sfqinhex = in_hexp( $sfq);
+		if ( $tcref->{leaf} && ! $tcref->{pfifo} ) {
+		    1 while $devnums[++$sfq];

-			my ( $options, $redopts ) = ( '', $tcref->{redopts} );
-
-			while ( my ( $option, $type ) = each %validredoptions ) {
-			    if ( my $value = $redopts->{$option} ) {
-				if ( $type == RED_NONE ) {
-				    $options = join( ' ', $options, $option ) if $value;
-				} else {
-				    $options = join( ' ', $options, $option, $value );
-				}
-			    }
-			}
-
-			emit( "run_tc qdisc add dev $device parent $classid handle $sfqinhex: red${options}" );
-
-		    } elsif ( $tcref->{leaf} && ! $tcref->{pfifo} ) {
-			1 while $devnums[++$sfq];
-
-			$sfqinhex = in_hexp( $sfq);
-			if ( $devref->{qdisc} eq 'htb' ) {
-			    emit( "run_tc qdisc add dev $device parent $classid handle $sfqinhex: sfq quantum \$quantum limit $tcref->{limit} perturb 10" );
-			} else {
-			    emit( "run_tc qdisc add dev $device parent $classid handle $sfqinhex: sfq limit $tcref->{limit} perturb 10" );
-			}
+		    $sfqinhex = in_hexp( $sfq);
+		    if ( $devref->{qdisc} eq 'htb' ) {
+			emit( "run_tc qdisc add dev $device parent $classid handle $sfqinhex: sfq quantum \$quantum limit $tcref->{limit} perturb 10" );
+		    } else {
+			emit( "run_tc qdisc add dev $device parent $classid handle $sfqinhex: sfq limit $tcref->{limit} perturb 10" );
 		    }
 		}
 		#
@@ -2002,14 +1798,14 @@ sub process_traffic_shaping() {
 		my $devicenumber  = in_hexp $devref->{number};
 		my $classid  = join( ':', $devicenumber, $classnum);

-		$classids{$classid}=$devname;
+		$classids{$classid}=$device;
 	    }
 	}
    }
 }

 #
-# Validate the TC configuration storing basic information in %tcdevices and %tcclasses (complex TC only)
+# Validate the TC configuration storing basic information in %tcdevices and %tcdevices
 #
 sub process_tc() {
    if ( $config{TC_ENABLED} eq 'Internal' || $config{TC_ENABLED} eq 'Shared' ) {
@@ -2157,10 +1953,10 @@ sub setup_tc() {
 	append_file $globals{TC_SCRIPT};
    } else {
 	process_tcpri if $config{TC_ENABLED} eq 'Simple';
-	setup_traffic_shaping if @tcdevices && $config{TC_ENABLED} ne 'Shared';
+	setup_traffic_shaping unless $config{TC_ENABLED} eq 'Shared';
    }

-    if ( $config{MANGLE_ENABLED} ) {
+    if ( $config{TC_ENABLED} ) {
 	our  @tccmd = ( { match     => sub ( $ ) { $_[0] eq 'SAVE' } ,
 			  target    => 'CONNMARK --save-mark --mask' ,
 			  mark      => $config{TC_EXPERT} ? HIGHMARK : SMALLMARK,
@@ -2206,11 +2002,6 @@ sub setup_tc() {
 			  mark      => HIGHMARK,
 			  mask      => '',
 			  connmark  => '' },
-			{ match     => sub( $ ) { $_[0] =~ /^DIVERT/ },
-			  target    => 'DIVERT',
-			  mark      => HIGHMARK,
-			  mask      => '',
-			  connmark  => '' },
 			{ match     => sub( $ ) { $_[0] =~ /^TTL/ },
 			  target    => 'TTL',
 			  mark      => NOMARK,
@@ -2245,16 +2036,15 @@ sub setup_tc() {

 	if ( my $fn = open_file 'tcrules' ) {

-	    our $format = 1;
-
 	    first_entry "$doing $fn...";

 	    process_tc_rule while read_a_line( NORMAL_READ );

 	    clear_comment;
-
 	}
+    }

+    if ( $config{MANGLE_ENABLED} ) {
 	if ( my $fn = open_file 'secmarks' ) {

 	    first_entry "$doing $fn...";
--- a/Shorewall/Perl/Shorewall/Tunnels.pm
+++ b/Shorewall/Perl/Shorewall/Tunnels.pm
@@ -2,6 +2,7 @@
 # Shorewall 4.4 -- /usr/share/shorewall/Shorewall/Tunnels.pm
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
+#
 #     (c) 2007,2008,2009,2010,2011 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
@@ -125,9 +126,9 @@ sub setup_tunnels() {
    sub setup_pptp_server {
 	my ($inchainref, $outchainref, $kind, $source, $dest ) = @_;

-	add_tunnel_rule $inchainref,  p => 47, @$source;
-	add_tunnel_rule $outchainref, p => 47, @$dest;
-	add_tunnel_rule $inchainref,  p => 'tcp --dport 1723', @$source
+	add_tunnel_rule $inchainref,  p => 47, @$dest;
+	add_tunnel_rule $outchainref, p => 47, @$source;
+	add_tunnel_rule $inchainref,  p => 'tcp --dport 1723', @$dest
 	}

    sub setup_one_openvpn {
@@ -291,7 +292,7 @@ sub setup_tunnels() {

 	while ( read_a_line( NORMAL_READ ) ) {

-	    my ( $kind, $zone, $gateway, $gatewayzones ) = split_line1 'tunnels file', { type => 0, zone => 1, gateway => 2, gateways => 2, gateway_zone => 3 , gateway_zones => 3 }, undef, 4;
+	    my ( $kind, $zone, $gateway, $gatewayzones ) = split_line1 'tunnels file', { type => 0, zone => 1, gateway => 2, gateways => 2, gateway_zone => 3 }, undef, 4;

 	    fatal_error 'TYPE must be specified' if $kind eq '-';

--- a/Shorewall/Perl/Shorewall/Zones.pm
+++ b/Shorewall/Perl/Shorewall/Zones.pm
@@ -41,8 +41,6 @@ our @EXPORT = qw( NOTHING
 		  IP
 		  BPORT
 		  IPSEC
-		  NO_UPDOWN
-		  NO_SFILTER

 		  determine_zones
 		  zone_report
@@ -64,7 +62,6 @@ our @EXPORT = qw( NOTHING
 		  validate_interfaces_file
 		  all_interfaces
 		  all_real_interfaces
-		  all_plain_interfaces
 		  all_bridges
 		  interface_number
 		  find_interface
@@ -75,7 +72,6 @@ our @EXPORT = qw( NOTHING
 		  port_to_bridge
 		  source_port_to_bridge
 		  interface_is_optional
-		  interface_is_required
 		  find_interfaces_by_option
 		  find_interfaces_by_option1
 		  get_interface_option
@@ -84,6 +80,7 @@ our @EXPORT = qw( NOTHING
 		  set_interface_provider
 		  interface_zones
 		  verify_required_interfaces
+		  compile_updown
 		  validate_hosts_file
 		  find_hosts_by_option
 		  find_zone_hosts_by_option
@@ -176,7 +173,6 @@ my  %reservedName = ( all => 1,
 #                                     number      => <ordinal position in the interfaces file>
 #                                     physical    => <physical interface name>
 #                                     base        => <shell variable base representing this interface>
-#                                     provider    => <Provider Name, if interface is associated with a provider>
 #                                     zones       => { zone1 => 1, ... }
 #                                   }
 #                 }
@@ -223,14 +219,11 @@ use constant { SIMPLE_IF_OPTION   => 1,
 	       IF_OPTION_WILDOK   => 64
 	   };

-use constant { NO_UPDOWN   => 1, 
-	       NO_SFILTER  => 2 };
-
 my %validinterfaceoptions;

 my %defaultinterfaceoptions = ( routefilter => 1 , wait => 60 );

-my %maxoptionvalue = ( routefilter => 2, mss => 100000 , wait => 120 , ignore => NO_UPDOWN );
+my %maxoptionvalue = ( routefilter => 2, mss => 100000 , wait => 120 );

 my %validhostoptions;

@@ -288,7 +281,6 @@ sub initialize( $$ ) {
 				  bridge      => SIMPLE_IF_OPTION,
 				  detectnets  => OBSOLETE_IF_OPTION,
 				  dhcp        => SIMPLE_IF_OPTION,
-				  ignore      => NUMERIC_IF_OPTION + IF_OPTION_WILDOK,
 				  maclist     => SIMPLE_IF_OPTION + IF_OPTION_HOST,
 				  logmartians => BINARY_IF_OPTION,
 				  nets        => IPLIST_IF_OPTION + IF_OPTION_ZONEONLY + IF_OPTION_VSERVER,
@@ -324,7 +316,6 @@ sub initialize( $$ ) {
 	%validinterfaceoptions = (  blacklist   => SIMPLE_IF_OPTION + IF_OPTION_HOST,
 				    bridge      => SIMPLE_IF_OPTION,
 				    dhcp        => SIMPLE_IF_OPTION,
-				    ignore      => NUMERIC_IF_OPTION + IF_OPTION_WILDOK,
 				    maclist     => SIMPLE_IF_OPTION + IF_OPTION_HOST,
 				    nets        => IPLIST_IF_OPTION + IF_OPTION_ZONEONLY + IF_OPTION_VSERVER,
 				    nosmurfs    => SIMPLE_IF_OPTION + IF_OPTION_HOST,
@@ -492,8 +483,7 @@ sub process_zone( \$ ) {

    my $complex = 0;

-    my $zoneref = $zones{$zone} = { name       => $zone,
-				    type       => $type,
+    my $zoneref = $zones{$zone} = { type       => $type,
 				    parents    => \@parents,
 				    bridge     => '',
 				    options    => { in_out  => parse_zone_option_list( $options , $type, $complex , IN_OUT ) ,
@@ -575,7 +565,6 @@ sub determine_zones()
 		for ( @{$zones{$zone}{children}} ) {
 		    next ZONE unless $ordered{$_};
 		}
-
 		$ordered{$zone} = 1;
 		push @zones, $zone;
 		redo PUSHED;
@@ -583,7 +572,7 @@ sub determine_zones()
 	}
    }

-    assert( @zones == @z );
+    assert( scalar @zones == scalar @z );

 }

@@ -1040,7 +1029,7 @@ sub process_interface( $$ ) {

    if ( $options eq 'ignore' ) {
 	fatal_error "Ignored interfaces may not be associated with a zone" if $zone;
-	$options{ignore} = NO_UPDOWN | NO_SFILTER;
+	$options{ignore} = 1;
 	$options = '-';
    }

@@ -1160,16 +1149,7 @@ sub process_interface( $$ ) {
 	    }
 	}

-	fatal_error "Invalid combination of interface options"
-	    if ( ( $options{required} && $options{optional} ) ||
-		 ( $options{required} && $options{ignore}   ) ||
-		 ( $options{optional} && $options{ignore}   ) );
-
-	if ( supplied( my $ignore = $options{ignore} ) ) {
-	    fatal_error "Invalid value ignore=0" if ! $ignore;
-	} else {
-	    $options{ignore} = 0;
-	}
+	fatal_error "Invalid combination of interface options" if $options{required} && $options{optional};

 	if ( $netsref eq 'dynamic' ) {
 	    my $ipset = $family == F_IPV4 ? "${zone}_" . chain_base $physical : "6_${zone}_" . chain_base $physical;
@@ -1191,10 +1171,6 @@ sub process_interface( $$ ) {
 	# No options specified -- auto-detect bridge
 	#
 	$hostoptionsref->{routeback} = $options{routeback} = is_a_bridge( $physical ) unless $export;
-	#
-	# And give the 'ignore' option a defined value
-	#
-	$options{ignore} ||= 0;
    }

    $physical{$physical} = $interfaces{$interface} = { name       => $interface ,
@@ -1440,65 +1416,11 @@ sub interface_is_optional($) {
    $optionsref && $optionsref->{optional};
 }

-#
-# Return the 'required' setting of the passed interface
-#
-sub interface_is_required($) {
-    my $optionsref = $interfaces{$_[0]}{options};
-    $optionsref && $optionsref->{required};
-}
-
-#
-# Return true if the interface is 'plain'
-#
-sub interface_is_plain($) {
-    my $interfaceref = $interfaces{$_[0]};
-    my $optionsref   = $interfaceref->{options};
-
-    $interfaceref->{bridge} eq $interfaceref->{name} && ! ( $optionsref && ( $optionsref->{required} || $optionsref->{optional} || $optionsref->{ignore} ) )
-}
-
-#
-# Return a minimal list of physical interfaces that are neither ignored, optional, required nor a bridge port.
-#
-sub all_plain_interfaces() {
-    my @plain1 = map get_physical($_), grep $_ ne '%vserver%' && interface_is_plain( $_ ), @interfaces;
-    my @plain2;
-    my @wild1;
-    my @wild2;
-   
-    for ( @plain1 ) {
-	if ( /\+$/ ) {
-	    return ( '+' ) if $_ eq '+';
-	    push @wild1, $_;
-	    chop;
-	    push @wild2, $_;
-	} else {
-	    push @plain2, $_;
-	}
-    }
-
-    return @plain2 unless @wild1;
-
-    @plain1 = ();
-
-NAME:
-    for my $name ( @plain2) {
-	for ( @wild2 ) {
-	    next NAME if substr( $name, 0, length( $_ ) ) eq $_;
-	}
-
-	push @plain1, $name;
-    }
-
-    ( @plain1, @wild1 );
-}
-
 #
 # Returns reference to array of interfaces with the passed option
 #
-sub find_interfaces_by_option( $;$ ) {
-    my ( $option , $nonzero ) = @_;
+sub find_interfaces_by_option( $ ) {
+    my $option = $_[0];
    my @ints = ();

    for my $interface ( @interfaces ) {
@@ -1507,11 +1429,7 @@ sub find_interfaces_by_option( $;$ ) {
 	next unless $interfaceref->{root};

 	my $optionsref = $interfaceref->{options};
-	if ( $nonzero ) {
-	    if ( $optionsref && $optionsref->{$option} ) {
-		push @ints , $interface
-	    }
-	} elsif ( $optionsref && defined $optionsref->{$option} ) {
+	if ( $optionsref && defined $optionsref->{$option} ) {
 	    push @ints , $interface
 	}
    }
@@ -1622,16 +1540,16 @@ sub verify_required_interfaces( $ ) {
 		my $physical = get_physical $interface;

 		if ( $physical =~ /\+$/ ) {
+		    my $base = uc chain_base $physical;
+
 		    $physical =~ s/\+$/*/;

-		    emit( "waittime=$wait",
-			  '',
-			  'for interface in $(find_all_interfaces); do',
+		    emit( 'for interface in $(find_all_interfaces); do',
 			  '    case $interface in',
 			  "        $physical)",
+			  "            waittime=$wait",
 			  '            while [ $waittime -gt 0 ]; do',
 			  '                interface_is_usable $interface && break',
-			  '                sleep 1',
 			  '                waittime=$(($waittime - 1))',
 			  '            done',
 			  '            ;;',
@@ -1644,8 +1562,8 @@ sub verify_required_interfaces( $ ) {
 		    emit qq(    waittime=$wait);
 		    emit  '';
 		    emit  q(    while [ $waittime -gt 0 ]; do);
-		    emit  q(        sleep 1);
 		    emit qq(        interface_is_usable $physical && break);
+		    emit  q(        sleep 1);
 		    emit   '        waittime=$(($waittime - 1))';
 		    emit  q(    done);
 		    emit  q(fi);
@@ -1716,12 +1634,181 @@ sub verify_required_interfaces( $ ) {
    $returnvalue;
 }

+#
+# Emit the updown() function
+#
+sub compile_updown() {
+    emit( '',
+	  '#',
+	  '# Handle the "up" and "down" commands',
+	  '#',
+	  'updown() # $1 = interface',
+	  '{',
+	);
+
+    push_indent;
+
+    emit( 'local state',
+	  'state=cleared',
+	  '' );
+
+    emit 'progress_message3 "$g_product $COMMAND triggered by $1"';
+    emit '';
+
+    if ( $family == F_IPV4 ) {
+	emit 'if shorewall_is_started; then';
+    } else {
+	emit 'if shorewall6_is_started; then';
+    }
+
+    emit( '    state=started',
+	  'elif [ -f ${VARDIR}/state ]; then',
+	  '    case "$(cat ${VARDIR}/state)" in',
+	  '        Stopped*)',
+	  '            state=stopped',
+	  '            ;;',
+	  '        Cleared*)',
+	  '            ;;',
+	  '        *)',
+	  '            state=unknown',
+	  '            ;;',
+	  '    esac',
+	  'else',
+	  '    state=unknown',
+	  'fi',
+	  ''
+	);
+
+    emit( 'case $1 in' );
+
+    push_indent;
+
+    my $ignore   = find_interfaces_by_option 'ignore';
+    my $required = find_interfaces_by_option 'required';
+    my $optional = find_interfaces_by_option 'optional';
+
+    if ( @$ignore ) {
+	my $interfaces = join '|', map $interfaces{$_}->{physical}, @$ignore;
+
+	$interfaces =~ s/\+/*/g;
+
+	emit( "$interfaces)",
+	      '    progress_message3 "$COMMAND on interface $1 ignored"',
+	      '    exit 0',
+	      '    ;;'
+	    );
+    }
+
+    if ( @$required ) {
+	my $interfaces = join '|', map $interfaces{$_}->{physical}, @$required;
+
+	my $wildcard = ( $interfaces =~ s/\+/*/g );
+
+	emit( "$interfaces)",
+	      '    if [ "$COMMAND" = up ]; then' );
+
+	if ( $wildcard ) {
+	    emit( '        if [ "$state" = started ]; then',
+		  '            COMMAND=restart',
+		  '        else',
+		  '            COMMAND=start',
+		  '        fi' );
+	} else {
+	    emit( '        COMMAND=start' );
+	}
+
+	emit( '        progress_message3 "$g_product attempting $COMMAND"',
+	      '        detect_configuration',
+	      '        define_firewall' );
+
+	if ( $wildcard ) {
+	    emit( '    elif [ "$state" = started ]; then',
+		  '        progress_message3 "$g_product attempting restart"',
+		  '        COMMAND=restart',
+		  '        detect_configuration',
+		  '        define_firewall' );
+	} else {
+	    emit( '    else',
+		  '        COMMAND=stop',
+		  '        progress_message3 "$g_product attempting stop"',
+		  '        detect_configuration',
+		  '        stop_firewall' );
+	}
+
+	emit( '    fi',
+	      '    ;;'
+	    );
+    }
+
+    if ( @$optional ) {
+	my @interfaces = map $interfaces{$_}->{physical}, @$optional;
+	my $interfaces = join '|', @interfaces;
+
+	if ( $interfaces =~ s/\+/*/g || @interfaces > 1 ) {
+	    emit( "$interfaces)",
+		  '    if [ "$COMMAND" = up ]; then',
+		  '        echo 0 > ${VARDIR}/${1}.state',
+		  '    else',
+		  '        echo 1 > ${VARDIR}/${1}.state',
+		  '    fi' );
+	} else {
+	    emit( "$interfaces)",
+		  '    if [ "$COMMAND" = up ]; then',
+		  "        echo 0 > \${VARDIR}/$interfaces.state",
+		  '    else',
+		  "        echo 1 > \${VARDIR}/$interfaces.state",
+		  '    fi' );
+	}
+
+	emit( '',
+	      '    if [ "$state" = started ]; then',
+	      '        COMMAND=restart',
+	      '        progress_message3 "$g_product attempting restart"',
+	      '        detect_configuration',
+	      '        define_firewall',
+	      '    elif [ "$state" = stopped ]; then',
+	      '        COMMAND=start',
+	      '        progress_message3 "$g_product attempting start"',
+	      '        detect_configuration',
+	      '        define_firewall',
+	      '    else',
+	      '        progress_message3 "$COMMAND on interface $1 ignored"',
+	      '    fi',
+	      '    ;;',
+	    );
+    }
+
+    emit( "*)",
+	  '    case $state in',
+	  '        started)',
+	  '            COMMAND=restart',
+	  '            progress_message3 "$g_product attempting restart"',
+	  '            detect_configuration',
+	  '            define_firewall',
+	  '            ;;',
+	  '        *)',
+	  '            progress_message3 "$COMMAND on interface $1 ignored"',
+	  '            ;;',
+	  '    esac',
+	);
+
+    pop_indent;
+
+    emit( 'esac' );
+
+    pop_indent;
+
+    emit( '}',
+	  '',
+	);
+}
+
 #
 # Process a record in the hosts file
 #
 sub process_host( ) {
    my $ipsec = 0;
-    my ($zone, $hosts, $options ) = split_line1 'hosts file', { zone => 0, host => 1, hosts => 1, options => 2 }, {}, 3;
+    my ($zone, $hosts, $options ) = split_line 'hosts file', { zone => 0, hosts => 1, options => 2 };

    fatal_error 'ZONE must be specified'  if $zone eq '-';
    fatal_error 'HOSTS must be specified' if $hosts eq '-';
--- a/Shorewall/Perl/prog.footer
+++ b/Shorewall/Perl/prog.footer
@@ -348,9 +348,7 @@ case "$COMMAND" in
 	[ $# -eq 1 ] && exit 0
 	shift
 	[ $# -ne 1 ] && usage 2
-	mutex_on
-	( updown $1 )
-	mutex_off
+	updown $1
 	status=0
 	;;
    enable)
--- a/Shorewall/Samples/Universal/rules
+++ b/Shorewall/Samples/Universal/rules
@@ -13,6 +13,6 @@
 #SECTION ESTABLISHED
 #SECTION RELATED
 SECTION NEW
-Invalid(DROP)	net		$FW		tcp
+
 SSH(ACCEPT)	net		$FW
 Ping(ACCEPT)	net		$FW
--- a/Shorewall/Samples/Universal/shorewall.conf
+++ b/Shorewall/Samples/Universal/shorewall.conf
@@ -55,8 +55,6 @@ TCP_FLAGS_LOG_LEVEL=info

 CONFIG_PATH=${CONFDIR}/shorewall:${SHAREDIR}/shorewall

-GEOIPDIR=/usr/share/xt_geoip/LE
-
 IPTABLES=

 IP=
@@ -170,7 +168,7 @@ MUTEX_TIMEOUT=60

 NULL_ROUTE_RFC1918=No

-OPTIMIZE=31
+OPTIMIZE=15

 OPTIMIZE_ACCOUNTING=No

--- a/Shorewall/Samples/one-interface/interfaces
+++ b/Shorewall/Samples/one-interface/interfaces
@@ -14,4 +14,4 @@
 FORMAT 2
 ###############################################################################
 #ZONE	INTERFACE	OPTIONS
-net     eth0            dhcp,tcpflags,logmartians,nosmurfs,sourceroute=0
+net     eth0            dhcp,tcpflags,logmartians,nosmurfs
--- a/Shorewall/Samples/one-interface/rules
+++ b/Shorewall/Samples/one-interface/rules
@@ -18,10 +18,6 @@
 #SECTION RELATED
 SECTION NEW

-# Drop packets in the INVALID state
-
-Invalid(DROP)  net    	        $FW		tcp
-
 # Drop Ping from the "bad" net zone.. and prevent your log from being flooded..

 Ping(DROP)	net		$FW
--- a/Shorewall/Samples/one-interface/shorewall.conf
+++ b/Shorewall/Samples/one-interface/shorewall.conf
@@ -66,8 +66,6 @@ TCP_FLAGS_LOG_LEVEL=info

 CONFIG_PATH=${CONFDIR}/shorewall:${SHAREDIR}/shorewall

-GEOIPDIR=/usr/share/xt_geoip/LE
-
 IPTABLES=

 IP=
@@ -181,7 +179,7 @@ MUTEX_TIMEOUT=60

 NULL_ROUTE_RFC1918=No

-OPTIMIZE=31
+OPTIMIZE=1

 OPTIMIZE_ACCOUNTING=No

--- a/Shorewall/Samples/three-interfaces/interfaces
+++ b/Shorewall/Samples/three-interfaces/interfaces
@@ -14,6 +14,6 @@
 FORMAT 2
 ###############################################################################
 #ZONE	INTERFACE	OPTIONS
-net     eth0            tcpflags,dhcp,nosmurfs,routefilter,logmartians,sourceroute=0
+net     eth0            tcpflags,dhcp,nosmurfs,routefilter,logmartians
 loc     eth1            tcpflags,nosmurfs,routefilter,logmartians
 dmz     eth2            tcpflags,nosmurfs,routefilter,logmartians
--- a/Shorewall/Samples/three-interfaces/masq
+++ b/Shorewall/Samples/three-interfaces/masq
@@ -10,9 +10,8 @@
 # See the file README.txt for further details.
 #------------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall-masq"
-################################################################################################################
-#INTERFACE:DEST		SOURCE		ADDRESS		PROTO	PORT(S)	IPSEC	MARK	USER/	SWITCH	ORIGINAL
-#											GROUP		DEST
+##############################################################################
+#INTERFACE		SOURCE		ADDRESS		PROTO	PORT(S)	IPSEC	MARK
 eth0			10.0.0.0/8,\
 			169.254.0.0/16,\
 			172.16.0.0/12,\
--- a/Shorewall/Samples/three-interfaces/rules
+++ b/Shorewall/Samples/three-interfaces/rules
@@ -20,7 +20,7 @@ SECTION NEW

 #       Don't allow connection pickup from the net
 #
-Invalid(DROP)	net		all		tcp
+Invalid(DROP)	net		all
 #
 #	Accept DNS connections from the firewall to the Internet
 #
--- a/Shorewall/Samples/three-interfaces/shorewall.conf
+++ b/Shorewall/Samples/three-interfaces/shorewall.conf
@@ -64,8 +64,6 @@ TCP_FLAGS_LOG_LEVEL=info

 CONFIG_PATH=${CONFDIR}/shorewall:${SHAREDIR}/shorewall

-GEOIPDIR=/usr/share/xt_geoip/LE
-
 IPTABLES=

 IP=
@@ -179,7 +177,7 @@ MUTEX_TIMEOUT=60

 NULL_ROUTE_RFC1918=No

-OPTIMIZE=31
+OPTIMIZE=1

 OPTIMIZE_ACCOUNTING=No

--- a/Shorewall/Samples/two-interfaces/interfaces
+++ b/Shorewall/Samples/two-interfaces/interfaces
@@ -14,5 +14,5 @@
 FORMAT 2
 ###############################################################################
 #ZONE	INTERFACE	OPTIONS
-net     eth0            dhcp,tcpflags,nosmurfs,routefilter,logmartians,sourceroute=0
+net     eth0            dhcp,tcpflags,nosmurfs,routefilter,logmartians
 loc     eth1            tcpflags,nosmurfs,routefilter,logmartians
--- a/Shorewall/Samples/two-interfaces/masq
+++ b/Shorewall/Samples/two-interfaces/masq
@@ -10,9 +10,8 @@
 # See the file README.txt for further details.
 #------------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall-masq"
-################################################################################################################
-#INTERFACE:DEST		SOURCE		ADDRESS		PROTO	PORT(S)	IPSEC	MARK	USER/	SWITCH	ORIGINAL
-#											GROUP		DEST
+###############################################################################
+#INTERFACE		SOURCE		ADDRESS		PROTO	PORT(S)	IPSEC	MARK
 eth0			10.0.0.0/8,\
 			169.254.0.0/16,\
 			172.16.0.0/12,\
--- a/Shorewall/Samples/two-interfaces/rules
+++ b/Shorewall/Samples/two-interfaces/rules
@@ -20,7 +20,7 @@ SECTION NEW

 #       Don't allow connection pickup from the net
 #
-Invalid(DROP)	net		all		tcp
+Invalid(DROP)	net		all
 #
 #	Accept DNS connections from the firewall to the network
 #
--- a/Shorewall/Samples/two-interfaces/shorewall.conf
+++ b/Shorewall/Samples/two-interfaces/shorewall.conf
@@ -67,8 +67,6 @@ TCP_FLAGS_LOG_LEVEL=info

 CONFIG_PATH=${CONFDIR}/shorewall:${SHAREDIR}/shorewall

-GEOIPDIR=/usr/share/xt_geoip/LE
-
 IPTABLES=

 IP=
@@ -182,7 +180,7 @@ MUTEX_TIMEOUT=60

 NULL_ROUTE_RFC1918=No

-OPTIMIZE=31
+OPTIMIZE=1

 OPTIMIZE_ACCOUNTING=No

--- a/Shorewall/action.Broadcast
+++ b/Shorewall/action.Broadcast
@@ -31,7 +31,7 @@ FORMAT 2

 DEFAULTS DROP,-

-?BEGIN PERL;
+BEGIN PERL;

 use Shorewall::IPAddrs;
 use Shorewall::Config;
@@ -70,4 +70,4 @@ add_jump $chainref, $target, 0, '-d 224.0.0.0/4 ';

 1;

-?END PERL;
+END PERL;
--- a/Shorewall/action.Drop
+++ b/Shorewall/action.Drop
@@ -36,7 +36,7 @@ FORMAT 2
 # The following magic provides different defaults for $2 thru $5, when $1 is
 # 'audit'.
 #
-?BEGIN PERL;
+BEGIN PERL;
 use Shorewall::Config;

 my ( $p1, $p2, $p3 , $p4, $p5 ) = get_action_params( 5 );
@@ -54,7 +54,7 @@ if ( defined $p1 ) {

 1;

-?END PERL;
+END PERL;

 DEFAULTS -,REJECT,DROP,ACCEPT,DROP

--- a/Shorewall/action.DropSmurfs
+++ b/Shorewall/action.DropSmurfs
@@ -13,7 +13,7 @@ FORMAT 2

 DEFAULTS -

-?BEGIN PERL;
+BEGIN PERL;
 use strict;
 use Shorewall::Config qw(:DEFAULT F_IPV4 F_IPV6);
 use Shorewall::Chains;
@@ -77,7 +77,7 @@ if ( $family == F_IPV4 ) {
    add_ijump( $chainref, g => $target, s => IPv6_MULTICAST );
 }

-?END PERL;
+END PERL;



--- a/Shorewall/action.Invalid
+++ b/Shorewall/action.Invalid
@@ -31,7 +31,7 @@ FORMAT 2

 DEFAULTS DROP,-

-?BEGIN PERL;
+BEGIN PERL;

 use Shorewall::IPAddrs;
 use Shorewall::Config;
@@ -53,4 +53,4 @@ allow_optimize( $chainref );

 1;

-?END PERL;
+END PERL;
--- a/Shorewall/action.NotSyn
+++ b/Shorewall/action.NotSyn
@@ -31,7 +31,7 @@ FORMAT 2

 DEFAULTS DROP,-

-?BEGIN PERL;
+BEGIN PERL;

 use Shorewall::IPAddrs;
 use Shorewall::Config;
@@ -53,4 +53,4 @@ allow_optimize( $chainref );

 1;

-?END PERL;
+END PERL;
--- a/Shorewall/action.RST
+++ b/Shorewall/action.RST
@@ -5,7 +5,7 @@
 #
 #     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
 #
-#     (c) 2012 - Tom Eastep (teastep@shorewall.net)
+#     (c) 2011 - Tom Eastep (teastep@shorewall.net)
 #
 #       Complete documentation is available at http://shorewall.net
 #
@@ -31,15 +31,16 @@ FORMAT 2

 DEFAULTS DROP,-

-?BEGIN PERL;
+BEGIN PERL;

+use Shorewall::IPAddrs;
 use Shorewall::Config;
 use Shorewall::Chains;

 my ( $action, $audit ) = get_action_params( 2 );

 fatal_error "Invalid parameter ($audit) to action NotSyn"   if supplied $audit && $audit ne 'audit';
-fatal_error "Invalid parameter ($action) to action NotSyn"  unless $action =~ /^(?:ACCEPT|DROP)$/;
+fatal_error "Invalid parameter ($action) to action NotSyn"  unless $action =~ /^(?:ACCEPT|DROP|REJECT)$/;

 my $chainref         = get_action_chain;
 my ( $level, $tag )  = get_action_logging;
@@ -52,4 +53,4 @@ allow_optimize( $chainref );

 1;

-?END PERL;
+END PERL;
--- a/Shorewall/action.Reject
+++ b/Shorewall/action.Reject
@@ -32,7 +32,7 @@ FORMAT 2
 # The following magic provides different defaults for $2 thru $5, when $1 is
 # 'audit'.
 #
-?BEGIN PERL;
+BEGIN PERL;
 use Shorewall::Config;

 my ( $p1, $p2, $p3 , $p4, $p5 ) = get_action_params( 5 );
@@ -50,7 +50,7 @@ if ( defined $p1 ) {

 1;

-?END PERL;
+END PERL;

 DEFAULTS -,REJECT,REJECT,ACCEPT,DROP

--- a/Shorewall/action.TCPFlags
+++ b/Shorewall/action.TCPFlags
@@ -13,11 +13,12 @@ FORMAT 2

 DEFAULTS DROP,-

-?BEGIN PERL;
+BEGIN PERL;
 use strict;
 use Shorewall::Config qw(:DEFAULT F_IPV4 F_IPV6);
 use Shorewall::Chains;

+
 my ( $disposition, $audit ) = get_action_params( 2 );

 my $chainref        = get_action_chain;
@@ -54,7 +55,7 @@ add_ijump $chainref , g => $disposition, p => 'tcp --tcp-flags SYN,RST SYN,RST';
 add_ijump $chainref , g => $disposition, p => 'tcp --tcp-flags SYN,FIN SYN,FIN';
 add_ijump $chainref , g => $disposition, p => 'tcp --syn --sport 0';

-?END PERL;
+END PERL;



--- a/Shorewall/configfiles/masq
+++ b/Shorewall/configfiles/masq
@@ -6,6 +6,6 @@
 # The manpage is also online at
 # http://www.shorewall.net/manpages/shorewall-masq.html
 #
-################################################################################################################
-#INTERFACE:DEST		SOURCE		ADDRESS		PROTO	PORT(S)	IPSEC	MARK	USER/	SWITCH	ORIGINAL
-#											GROUP		DEST
+######################################################################################################
+#INTERFACE:DEST		SOURCE		ADDRESS		PROTO	PORT(S)	IPSEC	MARK	USER/	SWITCH
+#											GROUP
--- a/Shorewall/configfiles/shorewall.conf
+++ b/Shorewall/configfiles/shorewall.conf
@@ -55,8 +55,6 @@ TCP_FLAGS_LOG_LEVEL=info

 CONFIG_PATH="${CONFDIR}/shorewall:${SHAREDIR}/shorewall"

-GEOIPDIR=/usr/share/xt_geoip/LE
-
 IPTABLES=

 IP=
--- a/Shorewall/configfiles/tcrules
+++ b/Shorewall/configfiles/tcrules
@@ -10,8 +10,6 @@
 # See http://shorewall.net/PacketMarking.html for a detailed description of
 # the Netfilter/Shorewall packet marking mechanism.
 ##########################################################################################################################################
-FORMAT 2
-##########################################################################################################################################
 #ACTION	SOURCE		DEST		PROTO	DEST	SOURCE	USER	TEST	LENGTH	TOS   CONNBYTES		HELPER    PROBABILITY DSCP
 #						PORT(S)	PORT(S)

--- a/Shorewall/configfiles/tunnels
+++ b/Shorewall/configfiles/tunnels
@@ -7,5 +7,5 @@
 # http://www.shorewall.net/manpages/shorewall-tunnels.html
 #
 ###############################################################################
-#TYPE			ZONE	GATEWAY(S)			GATEWAY
-#								ZONE(S)
+#TYPE			ZONE	GATEWAYS			GATEWAY
+#								ZONES
--- a/Shorewall/install.sh
+++ b/Shorewall/install.sh
@@ -22,7 +22,7 @@
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #

-VERSION=4.5.5       #The Build script inserts the actual version
+VERSION=xxx       #The Build script inserts the actual version

 #
 # Change to the directory containing this script
@@ -244,6 +244,27 @@ esac

 OWNERSHIP="-o $OWNER -g $GROUP"

+#
+# Determine where to install the firewall script
+#
+
+if [ $PRODUCT = shorewall -a "$BUILD" = "$HOST" ]; then
+    #
+    # Fix up 'use Digest::' if SHA is installed
+    #
+    if perl -e 'use Digest::SHA;' 2> /dev/null ; then
+	sed -i 's/Digest::SHA1/Digest::SHA/' Perl/Shorewall/Chains.pm
+    fi
+    #
+    # Verify that Perl is installed
+    #
+    if ! perl -c Perl/compiler.pl; then
+	echo "ERROR: $Product $VERSION requires Perl which either is not installed or is not able to compile the Shorewall Perl code" >&2
+	echo "       Try perl -c $PWD/Perl/compiler.pl" >&2
+	exit 1
+    fi
+fi
+
 case "$HOST" in
    cygwin)
 	echo "Installing Cygwin-specific configuration..."
@@ -274,51 +295,6 @@ case "$HOST" in
 	;;
 esac

-if [ $PRODUCT = shorewall ]; then
-    if [ -n "$DIGEST" ]; then
-	#
-	# The user specified which digest to use
-	#
-	if [ "$DIGEST" != SHA ]; then
-	    if [ "$BUILD" = "$HOST" ] && ! eval perl -e \'use Digest::$DIGEST\;\' 2> /dev/null ; then
-		echo "ERROR: Perl compilation with Digest::$DIGEST failed" >&2
-		exit 1;
-	    fi
-
-	    eval sed -i \'s/Digest::SHA/Digest::$DIGEST/\' Perl/Shorewall/Chains.pm
-	fi
-    elif [ "$BUILD" = "$HOST" ]; then
-        #
-        # Fix up 'use Digest::' if SHA1 is installed
-        #
-	DIGEST=SHA
-	if ! perl -e 'use Digest::SHA;' 2> /dev/null ; then
-	    if perl -e 'use Digest::SHA1;' 2> /dev/null ; then
-		sed -i 's/Digest::SHA/Digest::SHA1/' Perl/Shorewall/Chains.pm
-		DIGEST=SHA1
-	    else
-		echo "ERROR: Shorewall $VERSION requires either Digest::SHA or Digest::SHA1" >&2
-		exit 1
-	    fi
-	fi
-    fi
-
-    if [ "$BUILD" = "$HOST" ]; then
-        #
-        # Verify that Perl and all required modules are installed
-        #
-	echo "Compiling the Shorewall Perl Modules with Digest::$DIGEST"
-
-	if ! perl -c Perl/compiler.pl; then
-	    echo "ERROR: $Product $VERSION requires Perl which either is not installed or is not able to compile the Shorewall Perl code" >&2
-	    echo "       Try perl -c $PWD/Perl/compiler.pl" >&2
-	    exit 1
-	fi
-    else
-	echo "Using Digest::$DIGEST"
-    fi
-fi
-
 if [ $BUILD != cygwin ]; then
    if [ `id -u` != 0 ] ; then
 	echo "Not setting file owner/group permissions, not running as root."
@@ -1009,9 +985,9 @@ cd ..
 #
 # Install the libraries
 #
-for f in lib.* Perl/lib.*; do
+for f in lib.* ; do
    if [ -f $f ]; then
-	install_file $f ${DESTDIR}${SHAREDIR}/$PRODUCT/$(basename $f) 0644
+	install_file $f ${DESTDIR}${SHAREDIR}/$PRODUCT/$f 0644
 	echo "Library ${f#*.} file installed as ${DESTDIR}${SHAREDIR}/$PRODUCT/$f"
    fi
 done
@@ -1131,7 +1107,7 @@ if [ -z "$DESTDIR" -a -n "$first_install" -a -z "${cygwin}${mac}" ]; then
 	perl -p -w -i -e 's/^STARTUP_ENABLED=No/STARTUP_ENABLED=Yes/;s/^IP_FORWARDING=On/IP_FORWARDING=Keep/;s/^SUBSYSLOCK=.*/SUBSYSLOCK=/;' ${CONFDIR}/$PRODUCT/$PRODUCT.conf
 	update-rc.d $PRODUCT enable
    elif [ -n "$SYSTEMD" ]; then
-	if systemctl enable ${PRODUCT}.service; then
+	if systemctl enable $PRODUCT; then
 	    echo "$Product will start automatically at boot"
 	fi
    elif mywhich insserv; then
--- a/Shorewall/lib.cli-std
+++ b/Shorewall/lib.cli-std
@@ -181,7 +181,7 @@ get_config() {
 	if [ "$2" = Yes ]; then
 	    case $STARTUP_ENABLED in
 		No|no|NO)
-		    echo "   ERROR: $g_product startup is disabled. To enable startup, set STARTUP_ENABLED=Yes in ${g_confdir}/${g_program}.conf" >&2
+		    echo "   ERROR: $g_product startup is disabled. To enable startup, set STARTUP_ENABLED=Yes in ${CONFDIR}/${g_program}.conf" >&2
 		    exit 2
 		    ;;
 		Yes|yes|YES)
@@ -1571,7 +1571,7 @@ usage() # $1 = exit status
    echo "   allow <address> ..."
    echo "   check [ -e ] [ -r ] [ -p ] [ -r ] [ -T ] [ <directory> ]"
    echo "   clear"
-    echo "   compile [ -e ] [ -p ] [ -t ] [ -d ] [ -T ] [ <directory name> ] [ <path name> ]"
+    echo "   compile [ -e ] [ -d ] [ <directory name> ] [ <path name> ]"
    echo "   delete <interface>[:<host-list>] ... <zone>"
    echo "   disable <interface>"
    echo "   drop <address> ..."
--- a/Shorewall/Perl/lib.core
+++ b/Shorewall/Perl/lib.core
@@ -171,6 +171,28 @@ interface_is_up() {
    [ -n "$($IP -$g_family link list dev $1 2> /dev/null | grep -e '[<,]UP[,>]')" ]
 }

+#
+# Determine if interface is usable from a Netfilter perspective
+#
+interface_is_usable() # $1 = interface
+{
+    [ "$1" = lo ] && return 0
+    interface_is_up $1 && [ "$(find_first_interface_address_if_any $1)" != :: ] && run_isusable_exit $1
+}
+
+#
+# Find interface addresses--returns the set of addresses assigned to the passed
+# device
+#
+find_interface_addresses() # $1 = interface
+{
+    if [ $g_family -eq 4 ]; then
+	$IP -f inet addr show $1 2> /dev/null | grep inet\  | sed 's/\s*inet //;s/\/.*//;s/ peer.*//'
+    else
+	$IP -f inet6 addr show $1 2> /dev/null | grep 'inet6 2' | sed 's/\s*inet6 //;s/\/.*//;s/ peer.*//'
+    fi
+}
+
 #
 #  echo the list of networks routed out of a given interface
 #
@@ -182,6 +204,7 @@ get_routed_networks() # $1 = interface name, $2-n = Fatal error message

    [ $g_family -eq 4 ] && mask=32 || mask=128

+
    $IP -$g_family route show dev $1 2> /dev/null |
 	while read address rest; do
 	    case "$address" in
@@ -339,16 +362,6 @@ replace_default_route() # $1 = USE_DEFAULT_RT
    fi
 }

-#
-# Delete default routes with metric 0 from the passed routing table
-#
-delete_default_routes() # $1 = table number
-{
-    $IP -$g_family route ls table $1 | fgrep default | fgrep -v metric | while read route; do
-	qt $IP -$g_family route del $route
-    done
-} 
-
 restore_default_route() # $1 = USE_DEFAULT_RT
 {
    local result
@@ -630,37 +643,9 @@ EOF
 #################################################################################
 #                        IPv4-specific Functions
 #################################################################################
-#
-# Determine if interface is usable from a Netfilter perspective
-#
-interface_is_usable() # $1 = interface
-{
-    local status;
-    status=0
-
-    if [ "$1" != lo ]; then
-	if interface_is_up $1 && [ "$(find_first_interface_address_if_any $1)" != 0.0.0.0 ]; then
-	    [ "$COMMAND" = enable ] || run_isusable_exit $1
-	    status=$?
-	else
-	    status=1
-	fi
-    fi
-
-    return $status
-}
-
-#
-# Find interface addresses--returns the set of addresses assigned to the passed device
-#
-find_interface_addresses() # $1 = interface
-{
-    $IP -f inet addr show $1 2> /dev/null | grep inet\  | sed 's/\s*inet //;s/\/.*//;s/ peer.*//'
-}
-
-#
 # Find the value 'weight' in the passed arguments then echo the next value
 #
+
 find_weight() {
    while [ $# -gt 1 ]; do
 	[ "x$1" = xweight ] && echo $2 && return
@@ -1031,34 +1016,6 @@ get_all_bcasts()
 #################################################################################
 #                        IPv6-specific Functions
 #################################################################################
-#
-# Determine if interface is usable from a Netfilter perspective
-#
-interface_is_usable() # $1 = interface
-{
-    local status;
-    status=0
-
-    if [ "$1" != lo ]; then
-	if interface_is_up $1 && [ "$(find_first_interface_address_if_any $1)" != :: ]; then
-	    [ "$COMMAND" = enable ] || run_isusable_exit $1
-	    status=$?
-	else
-	    status=1
-	fi
-    fi
-
-    return $status
-}
-
-#
-# Find interface addresses--returns the set of addresses assigned to the passed device
-#
-find_interface_addresses() # $1 = interface
-{
-    $IP -f inet6 addr show $1 2> /dev/null | grep 'inet6 2' | sed 's/\s*inet6 //;s/\/.*//;s/ peer.*//'
-}
-
 #
 # Get all interface addresses with VLSMs
 #
--- a/Shorewall/manpages/shorewall-accounting.xml
+++ b/Shorewall/manpages/shorewall-accounting.xml
@@ -539,8 +539,7 @@

      <varlistentry>
        <term><emphasis role="bold">IPSEC - <emphasis>option-list</emphasis>
-        (Optional - Added in Shorewall 4.4.13 but broken until 4.5.4.1
-        )</emphasis></term>
+        (Optional - Added in Shorewall 4.4.13 )</emphasis></term>

        <listitem>
          <para>The option-list consists of a comma-separated list of options
@@ -654,51 +653,28 @@
                match the rule.</para>
              </listitem>
            </varlistentry>
-
-            <varlistentry>
-              <term><emphasis role="bold">in</emphasis></term>
-
-              <listitem>
-                <para>May only be used in the FORWARD section and must be the
-                first or the only item the list. Indicates that matching
-                packets have been decrypted in input.</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><emphasis role="bold">out</emphasis></term>
-
-              <listitem>
-                <para>May only be used in the FORWARD section and must be the
-                first or the only item in the list. Indicates that matching
-                packets will be encrypted on output.</para>
-              </listitem>
-            </varlistentry>
          </variablelist>

-          <para>If this column is non-empty and sections are not used,
-          then:</para>
+          <para>If this column is non-empty, then:</para>

          <itemizedlist>
            <listitem>
-              <para>A chain NAME appearing in the ACTION column must be a
+              <para>A chain NAME may appearing in the ACTION column must be a
              chain branched either directly or indirectly from the <emphasis
-              role="bold">accipsecin</emphasis> or <emphasis
-              role="bold">accipsecout</emphasis> chain.</para>
+              role="bold">accountin</emphasis> or <emphasis
+              role="bold">accountout</emphasis> chain.</para>
            </listitem>

            <listitem>
              <para>The CHAIN column must contain either <emphasis
-              role="bold">accipsecin</emphasis> or <emphasis
-              role="bold">accipsecout</emphasis> or a chain branched either
+              role="bold">accountin</emphasis> or <emphasis
+              role="bold">accountout</emphasis> or a chain branched either
              directly or indirectly from those chains.</para>
            </listitem>
-
-            <listitem>
-              <para>These rules will NOT appear in the <emphasis
-              role="bold">accounting</emphasis> chain.</para>
-            </listitem>
          </itemizedlist>
+
+          <para>These rules will NOT appear in the <emphasis
+          role="bold">accounting</emphasis> chain.</para>
        </listitem>
      </varlistentry>
    </variablelist>
--- a/Shorewall/manpages/shorewall-interfaces.xml
+++ b/Shorewall/manpages/shorewall-interfaces.xml
@@ -343,22 +343,13 @@ loc     eth2            -</programlisting>
            </varlistentry>

            <varlistentry>
-              <term><emphasis role="bold">ignore[=1]</emphasis></term>
+              <term><emphasis role="bold">ignore</emphasis></term>

              <listitem>
                <para>When specified, causes the generated script to ignore
                up/down events from Shorewall-init for this device.
                Additionally, the option exempts the interface from hairpin
-                filtering. When '=1' is omitted, the ZONE column must contain
-                '-' and <option>ignore</option> must be the only
-                OPTION.</para>
-
-                <para>Beginning with Shorewall 4.5.5, may be specified as
-                '<option>ignore=1</option>' which only causes the generated
-                script to ignore up/down events from Shorewall-init; hairpin
-                filtering is still applied. In this case, the above
-                restrictions on the ZONE and OPTIONS columns are
-                lifted.</para>
+                filtering.</para>
              </listitem>
            </varlistentry>

--- a/Shorewall/manpages/shorewall-masq.xml
+++ b/Shorewall/manpages/shorewall-masq.xml
@@ -509,22 +509,6 @@
          restart</command>.</para>
        </listitem>
      </varlistentry>
-
-      <varlistentry>
-        <term><emphasis role="bold">ORIGINAL DEST</emphasis> (origdest) -
-        [<emphasis
-        role="bold">-</emphasis>|<emphasis>address</emphasis>[,<emphasis>address</emphasis>]...[<emphasis>exclusion</emphasis>]|<emphasis>exclusion</emphasis>]</term>
-
-        <listitem>
-          <para>(Optional) Added in Shorewall 4.5.6. This column may be
-          included and may contain one or more addresses (host or network)
-          separated by commas. Address ranges are not allowed. When this
-          column is supplied, rules are generated that require that the
-          original destination address matches one of the listed addresses. It
-          is useful for specifying that SNAT should occur only for connections
-          that were acted on by a DNAT when they entered the firewall.</para>
-        </listitem>
-      </varlistentry>
    </variablelist>
  </refsect1>

--- a/Shorewall/manpages/shorewall-providers.xml
+++ b/Shorewall/manpages/shorewall-providers.xml
@@ -270,20 +270,6 @@
                <filename>shorewall.conf</filename>.</para>
              </listitem>
            </varlistentry>
-
-            <varlistentry>
-              <term><emphasis role="bold">tproxy</emphasis></term>
-
-              <listitem>
-                <para>Added in Shorewall 4.5.4. Used for supporting the TPROXY
-                action in shorewall-tcrules(5). See <ulink
-                url="http://www.shorewall.net/Shorewall_Squid_Usage.html">http://www.shorewall.net/Shorewall_Squid_Usage.html</ulink>.
-                When specified, the MARK, DUPLICATE and GATEWAY columns should
-                be empty, INTERFACE should be set to 'lo' and
-                <option>tproxy</option> should be the only OPTION. Only one
-                <option>tproxy</option> provider is allowed.</para>
-              </listitem>
-            </varlistentry>
          </variablelist>
        </listitem>
      </varlistentry>
--- a/Shorewall/manpages/shorewall-rules.xml
+++ b/Shorewall/manpages/shorewall-rules.xml
@@ -563,7 +563,7 @@
        role="bold">-</emphasis>]}<emphasis
        role="bold">[:</emphasis><emphasis>interface</emphasis>][<emphasis
        role="bold">:</emphasis>{<emphasis>address-or-range</emphasis>[,<emphasis>address-or-range</emphasis>]...[<emphasis>exclusion</emphasis>]|<emphasis>exclusion</emphasis>|<emphasis
-        role="bold">+</emphasis><emphasis>ipset</emphasis>|<replaceable>^countrycode-list</replaceable>}</term>
+        role="bold">+</emphasis><emphasis>ipset</emphasis>}</term>

        <listitem>
          <para>Source hosts to which the rule applies. May be a
@@ -639,18 +639,6 @@
          url="shorewall-interfaces.html">shorewall-interfaces</ulink>
          (5).</para>

-          <para>Beginning with Shorewall 4.5.4, A
-          <replaceable>countrycode-list</replaceable> may be specified. A
-          countrycode-list is a comma-separated list of up to 15 two-character
-          ISO-3661 country codes enclosed in square brackets ('[...]') and
-          preceded by a caret ('^'). When a single country code is given, the
-          square brackets may be omitted. A list of country codes supported by
-          Shorewall may be found at <ulink
-          url="http://www.shorewall.net/ISO-3661.html">http://www.shorewall.net/ISO-3661.html</ulink>.
-          Specifying a <replaceable>countrycode-list</replaceable> requires
-          <firstterm>GeoIP Match</firstterm> support in your iptables and
-          Kernel.</para>
-
          <para>You may exclude certain hosts from the set already defined
          through use of an <emphasis>exclusion</emphasis> (see <ulink
          url="shorewall-exclusion.html">shorewall-exclusion</ulink>(5)).</para>
@@ -738,7 +726,7 @@
        role="bold">+</emphasis>][<emphasis
        role="bold">-</emphasis>]}<emphasis
        role="bold">[:{</emphasis><emphasis>interface</emphasis>|<emphasis>address-or-range</emphasis>[,<emphasis>address-or-range</emphasis>]...[<emphasis>exclusion</emphasis>]|<emphasis>exclusion</emphasis>|<emphasis
-        role="bold">+</emphasis><emphasis>ipset</emphasis>|<emphasis>^countrycode-list</emphasis>}][<option>:</option><replaceable>port</replaceable>[:<emphasis
+        role="bold">+</emphasis><emphasis>ipset</emphasis>}][<option>:</option><replaceable>port</replaceable>[:<emphasis
        role="bold">random</emphasis>]]</term>

        <listitem>
@@ -756,18 +744,6 @@
          "+" to indicate that the rule is to apply to intra-zone traffic as
          well as inter-zone traffic.</para>

-          <para>Beginning with Shorewall 4.5.4, A
-          <replaceable>countrycode-list</replaceable> may be specified. A
-          countrycode-list is a comma-separated list of up to 15 two-character
-          ISO-3661 country codes enclosed in square brackets ('[...]') and
-          preceded by a caret ('^'). When a single country code is given, the
-          square brackets may be omitted. A list of country codes supported by
-          Shorewall may be found at <ulink
-          url="http://www.shorewall.net/ISO-3661.html">http://www.shorewall.net/ISO-3661.html</ulink>.
-          Specifying a <replaceable>countrycode-list</replaceable> requires
-          <firstterm>GeoIP Match</firstterm> support in your iptables and
-          Kernel.</para>
-
          <para>When <emphasis role="bold">none</emphasis> is used either in
          the <emphasis role="bold">SOURCE</emphasis> or <emphasis
          role="bold">DEST</emphasis> column, the rule is ignored.</para>
@@ -1084,7 +1060,8 @@
      <varlistentry>
        <term><emphasis role="bold">USER/GROUP</emphasis> (user) - [<emphasis
        role="bold">!</emphasis>][<emphasis>user-name-or-number</emphasis>][<emphasis
-        role="bold">:</emphasis><emphasis>group-name-or-number</emphasis>]</term>
+        role="bold">:</emphasis><emphasis>group-name-or-number</emphasis>][<emphasis
+        role="bold">+</emphasis><emphasis>program-name</emphasis>]</term>

        <listitem>
          <para>This optional column may only be non-empty if the SOURCE is
@@ -1125,11 +1102,15 @@
            </varlistentry>

            <varlistentry>
-              <term>2001-2099</term>
+              <term>+upnpd</term>

              <listitem>
-                <para>UIDs 2001 through 2099 (Shorewall 4.5.6 and
-                later)</para>
+                <para>program named upnpd</para>
+
+                <important>
+                  <para>The ability to specify a program name was removed from
+                  Netfilter in kernel version 2.6.14.</para>
+                </important>
              </listitem>
            </varlistentry>
          </variablelist>
@@ -1524,7 +1505,7 @@
          SSH connection to the ipset S:</para>

          <programlisting>        #ACTION                       SOURCE           DEST           PROTO       DEST
-        #                                                                         PORT(S)
+        #                                                             PORT(S)
        ADD(+S:dst,src,dst)           net              fw             tcp         22</programlisting>
        </listitem>
      </varlistentry>
@@ -1554,19 +1535,6 @@
        DNAT        net             dmz:$BACKUP tcp         80           -         -          -         -         -       -             -        -          primary_down</programlisting>
        </listitem>
      </varlistentry>
-
-      <varlistentry>
-        <term>Example 13:</term>
-
-        <listitem>
-          <para>Drop all email from the <emphasis>Anonymous Proxy</emphasis>
-          and <emphasis>Satellite Provider</emphasis> address ranges:</para>
-
-          <programlisting>        #ACTION                       SOURCE           DEST           PROTO       DEST
-        #                                                                         PORT(S)
-        DROP                          net:^A1,A2       fw             tcp         22</programlisting>
-        </listitem>
-      </varlistentry>
    </variablelist>
  </refsect1>

@@ -1583,10 +1551,7 @@
    url="http://www.shorewall.net/ipsets.html">http://www.shorewall.net/ipsets.html</ulink></para>

    <para><ulink
-    url="http://shorewall.net/configuration_file_basics.htm#Pairs">http://www.shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
-
-    <para><ulink
-    url="http://www.shorewall.net/shorewall_logging.html">http://www.shorewall.net/shorewall_logging.html</ulink></para>
+    url="http://shorewall.net/configuration_file_basics.htm#Pairs">http://shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>

    <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
    shorewall-blacklist(5), shorweall-blrules(5), shorewall-hosts(5),
--- a/Shorewall/manpages/shorewall-tcclasses.xml
+++ b/Shorewall/manpages/shorewall-tcclasses.xml
@@ -11,7 +11,7 @@
  <refnamediv>
    <refname>tcclasses</refname>

-    <refpurpose>Shorewall file to define HTB and HFSC classes</refpurpose>
+    <refpurpose>Shorewall file to define HTB classes</refpurpose>
  </refnamediv>

  <refsynopsisdiv>
@@ -166,8 +166,8 @@
          marking the traffic you want to fit in the classes defined in here.
          Must be specified as '-' if the <emphasis
          role="bold">classify</emphasis> option is given for the interface in
-          <ulink url="shorewall-tcdevices.html">shorewall-tcdevices</ulink>(5)
-          and you are running Shorewall 4.5.5 or earlier.</para>
+          <ulink
+          url="shorewall-tcdevices.html">shorewall-tcdevices</ulink>(5)</para>

          <para>You can use the same marks for different interfaces.</para>
        </listitem>
@@ -175,7 +175,7 @@

      <varlistentry>
        <term><emphasis role="bold">RATE</emphasis> -
-        {-|<emphasis>rate</emphasis>[:<emphasis>dmax</emphasis>[:<emphasis>umax</emphasis>]]}</term>
+        <emphasis>rate</emphasis>[:<emphasis>dmax</emphasis>[:<emphasis>umax</emphasis>]]</term>

        <listitem>
          <para>The minimum bandwidth this class should get, when the traffic
@@ -185,12 +185,11 @@
          class exceed the CEIL of the parent class, things don't work
          well.</para>

-          <para>When using the HFSC queuing discipline, this column specify
-          the real-time (RT) service curve. leaf classes may specify
-          <replaceable>dmax</replaceable>, the maximum delay in milliseconds
-          that the first queued packet for this class should experience. May
-          be expressed as an integer, optionally followed by 'ms' with no
-          intervening white space (e.g., 10ms).</para>
+          <para>When using the HFSC queuing discipline, leaf classes may
+          specify <replaceable>dmax</replaceable>, the maximum delay in
+          milliseconds that the first queued packet for this class should
+          experience. May be expressed as an integer, optionally followed by
+          'ms' with no intervening white space (e.g., 10ms).</para>

          <para>HFSC leaf classes may also specify
          <replaceable>umax</replaceable>, the largest packet expected in this
@@ -199,18 +198,12 @@
          followed by 'b' with no intervening white space (e.g., 800b).
          <replaceable>umax</replaceable> may only be given if
          <replaceable>dmax</replaceable> is also given.</para>
-
-          <para>Beginning with Shorewall 4.5.6, HFSC classes may omit this
-          column (e.g, '-' in the column), provided that an
-          <replaceable>lsrate</replaceable> is specified (see CEIL below).
-          These rates are used to arbitrate between classes of the same
-          priority.</para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term><emphasis role="bold">CEIL</emphasis> -
-        [<emphasis>lsrate</emphasis>:]<emphasis>rate</emphasis></term>
+        <emphasis>rate</emphasis></term>

        <listitem>
          <para>The maximum bandwidth this class is allowed to use when the
@@ -221,9 +214,6 @@
          here for setting the maximum bandwidth to the RATE of the parent
          class, or the OUT-BANDWIDTH of the device if there is no parent
          class.</para>
-
-          <para>Beginning with Shorewall 4.5.6, you can also specify an
-          <replaceable>lsrate</replaceable> (link sharing rate).</para>
        </listitem>
      </varlistentry>

@@ -263,7 +253,7 @@
                <para>This is the default class for that interface where all
                traffic should go, that is not classified otherwise.</para>

-                <para/>
+                <para></para>

                <note>
                  <para>You must define <emphasis
@@ -320,7 +310,7 @@
                limited to 64 bytes because we want only packets WITHOUT
                payload to match.</para>

-                <para/>
+                <para></para>

                <note>
                  <para>This option is only valid for ONE class per
@@ -440,121 +430,6 @@
                assumed.</para>
              </listitem>
            </varlistentry>
-
-            <varlistentry>
-              <term>red=(<replaceable>redoption</replaceable>=<replaceable>value</replaceable>,
-              ...)</term>
-
-              <listitem>
-                <para>Added in Shorewall 4.5.6. When specified on a leaf
-                class, causes the class to use the RED (Random Early
-                Detection) queuing discipline rather than SFQ. See tc-red (8)
-                for additional information.</para>
-
-                <para>Allowable redoptions are:</para>
-
-                <variablelist>
-                  <varlistentry>
-                    <term>min <replaceable>min</replaceable></term>
-
-                    <listitem>
-                      <para>Average queue size at which marking becomes a
-                      possibility.</para>
-                    </listitem>
-                  </varlistentry>
-
-                  <varlistentry>
-                    <term>max <replaceable>max</replaceable></term>
-
-                    <listitem>
-                      <para>At this average queue size, the marking
-                      probability is maximal. Must be at least twice
-                      <replaceable>min</replaceable> to prevent synchronous
-                      retransmits, higher for low
-                      <replaceable>min</replaceable>.</para>
-                    </listitem>
-                  </varlistentry>
-
-                  <varlistentry>
-                    <term>probability
-                    <replaceable>probability</replaceable></term>
-
-                    <listitem>
-                      <para>Maximum probability for marking, specified as a
-                      floating point number from 0.0 to 1.0. Suggested values
-                      are 0.01 or 0.02 (1 or 2%, respectively).</para>
-                    </listitem>
-                  </varlistentry>
-
-                  <varlistentry>
-                    <term>limit <replaceable>limit</replaceable></term>
-
-                    <listitem>
-                      <para>Hard limit on the real (not average) queue size in
-                      bytes. Further packets are dropped. Should be set higher
-                      than
-                      <replaceable>max</replaceable>+<replaceable>burst</replaceable>.
-                      It is advised to set this a few times higher than
-                      <replaceable>max</replaceable>. Shorewall requires that
-                      <replaceable>limit</replaceable> be at least twice
-                      <replaceable>min</replaceable>.</para>
-                    </listitem>
-                  </varlistentry>
-
-                  <varlistentry>
-                    <term>burst <replaceable>burst</replaceable></term>
-
-                    <listitem>
-                      <para>Used for determining how fast the average queue
-                      size is influenced by the real queue size. Larger values
-                      make the calculation more sluggish, allowing longer
-                      bursts of traffic before marking starts. Real life
-                      experiments support the following guide‐line:
-                      (<replaceable>min</replaceable>+<replaceable>min</replaceable>+<replaceable>max</replaceable>)/(3*<replaceable>avpkt</replaceable>).</para>
-                    </listitem>
-                  </varlistentry>
-
-                  <varlistentry>
-                    <term>avpkt <replaceable>avpkt</replaceable></term>
-
-                    <listitem>
-                      <para>Optional. Specified in bytes. Used with burst to
-                      determine the time constant for average queue size
-                      calculations. 1000 is a good value and is the Shorewall
-                      default.</para>
-                    </listitem>
-                  </varlistentry>
-
-                  <varlistentry>
-                    <term>bandwidth
-                    <replaceable>bandwidth</replaceable></term>
-
-                    <listitem>
-                      <para>Optional. This rate is used for calculating the
-                      average queue size after some idle time. Should be set
-                      to the bandwidth of your interface. Does not mean that
-                      RED will shape for you!</para>
-                    </listitem>
-                  </varlistentry>
-
-                  <varlistentry>
-                    <term>ecn</term>
-
-                    <listitem>
-                      <para>RED can either 'mark' or 'drop'. Explicit
-                      Congestion Notification allows RED to notify remote
-                      hosts that their rate exceeds the amount of bandwidth
-                      available. Non-ECN capable hosts can only be notified by
-                      dropping a packet. If this parameter is specified,
-                      packets which indicate that their hosts honor ECN will
-                      only be marked and not dropped, unless the queue size
-                      hits <replaceable>limit</replaceable> bytes. Needs a tc
-                      binary with RED support compiled in. Recommended.</para>
-                    </listitem>
-                  </varlistentry>
-                </variablelist>
-              </listitem>
-            </varlistentry>
          </variablelist>
        </listitem>
      </varlistentry>
@@ -628,10 +503,6 @@
    <para><ulink
    url="http://shorewall.net/configuration_file_basics.htm#Pairs">http://shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>

-    <para>tc-hfsc(7)</para>
-
-    <para>tc-red(8)</para>
-
    <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
    shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5),
    shorewall-ipsets(5), shorewall-maclist(5), shorewall-masq(5),
--- a/Shorewall/manpages/shorewall-tcdevices.xml
+++ b/Shorewall/manpages/shorewall-tcdevices.xml
@@ -179,17 +179,7 @@
      <varlistentry>
        <term><emphasis role="bold">OPTIONS</emphasis> - {<emphasis
        role="bold">-</emphasis>|<emphasis
-        role="bold">{classify</emphasis>|<emphasis
-        role="bold">hfsc</emphasis>|<emphasis
-        role="bold">linklayer</emphasis>={<emphasis
-        role="bold">ethernet</emphasis>|<emphasis
-        role="bold">atm</emphasis>|<emphasis
-        role="bold">adsl</emphasis>}|<emphasis
-        role="bold">tsize</emphasis>=<replaceable>tsize</replaceable>|<emphasis
-        role="bold">mtu</emphasis>=<replaceable>mtu</replaceable>|<emphasis
-        role="bold">mpu</emphasis>=<replaceable>mpu</replaceable>|<emphasis
-        role="bold">overhead</emphasis>=<replaceable>overhead</replaceable>}
-        ,...}</term>
+        role="bold">{classify</emphasis>|hfsc} ,...}</term>

        <listitem>
          <para><option>classify</option> ― When specified, Shorewall will not
@@ -200,34 +190,7 @@
          <para><option>hfsc</option> - Shorewall normally uses the
          <firstterm>Hierarchical Token Bucket</firstterm> queuing discipline.
          When <option>hfsc</option> is specified, the <firstterm>Hierarchical
-          Fair Service Curves</firstterm> discipline is used instead (see
-          tc-hfsc (7)).</para>
-
-          <para><emphasis role="bold">linklayer</emphasis> - Added in
-          Shorewall 4.5.6. Type of link (ethernet, atm, adsl). When specified,
-          causes scheduler packet size manipulation as described in tc-stab
-          (8). When this option is given, the following options may also be
-          given after it:</para>
-
-          <blockquote>
-            <para><emphasis
-            role="bold">mtu</emphasis>=<replaceable>mtu</replaceable> - The
-            device MTU; default 2048 (will be rounded up to a power of
-            two)</para>
-
-            <para><emphasis
-            role="bold">mpu</emphasis>=<replaceable>mpubytes</replaceable> -
-            Minimum packet size used in calculations. Smaller packets will be
-            rounded up to this size</para>
-
-            <para><emphasis
-            role="bold">tsize</emphasis>=<replaceable>tablesize</replaceable>
-            - Size table entries; default is 512</para>
-
-            <para><emphasis
-            role="bold">overhead</emphasis>=<replaceable>overheadbytes</replaceable>
-            - Number of overhead bytes per packet.</para>
-          </blockquote>
+          Fair Service Curves</firstterm> discipline is used instead.</para>
        </listitem>
      </varlistentry>

@@ -277,8 +240,6 @@
  <refsect1>
    <title>See ALSO</title>

-    <para>tc-hfsc (7)</para>
-
    <para><ulink
    url="http://shorewall.net/traffic_shaping.htm">http://shorewall.net/traffic_shaping.htm</ulink></para>

--- a/Shorewall/manpages/shorewall-tcfilters.xml
+++ b/Shorewall/manpages/shorewall-tcfilters.xml
@@ -35,7 +35,7 @@
        <term>IPV4</term>

        <listitem>
-          <para>Following entries apply to IPv4.</para>
+          <para>Following entriess apply to IPv4.</para>
        </listitem>
      </varlistentry>

--- a/Shorewall/manpages/shorewall-tcrules.xml
+++ b/Shorewall/manpages/shorewall-tcrules.xml
@@ -38,34 +38,6 @@
      url="http://shorewall.net/MultiISP.html">http://shorewall.net/MultiISP.html</ulink>.</para>
    </important>

-    <para>Beginning with Shorewall 4.5.4, the tcrules file supports two
-    different formats:</para>
-
-    <variablelist>
-      <varlistentry>
-        <term>FORMAT 1 (default - deprecated)</term>
-
-        <listitem>
-          <para>The older limited-function version of TPROXY is
-          supported.</para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>FORMAT 2</term>
-
-        <listitem>
-          <para>The newer version of TPROXY is supported.</para>
-        </listitem>
-      </varlistentry>
-    </variablelist>
-
-    <para>The format is specified by a line as follows:</para>
-
-    <blockquote>
-      <para><emphasis role="bold">FORMAT {1|2}</emphasis></para>
-    </blockquote>
-
    <para>The columns in the file are as follows (where the column name is
    followed by a different name in parentheses, the different name is used in
    the alternate specification syntax).</para>
@@ -435,81 +407,6 @@ SAME              $FW            0.0.0.0/0    tcp        80,443</programlisting>
              classes will have a value &gt; 256.</para>
            </listitem>

-            <listitem>
-              <para><emphasis role="bold">DIVERT</emphasis></para>
-
-              <para>Added in Shorewall 4.5.4 and only available when FORMAT is
-              2. Two DIVERT rule should preceed the TPROXY rule and should
-              select DEST PORT tcp 80 and SOURCE PORT tcp 80 respectively
-              (assuming that tcp port 80 is being proxied). DIVERT avoids
-              sending packets to the TPROXY target once a socket connection to
-              Squid3 has been established by TPROXY. DIVERT marks the packet
-              with a unique mark and exempts it from any rules that
-              follow.</para>
-            </listitem>
-
-            <listitem>
-              <para><emphasis
-              role="bold">TPROXY</emphasis>(<replaceable>mark</replaceable>[,[<replaceable>port</replaceable>][,[<replaceable>address</replaceable>]]])
-              -- FORMAT 1</para>
-
-              <para>Transparently redirects a packet without altering the IP
-              header. Requires a local provider to be defined in <ulink
-              url="shorewall-providers.html">shorewall-providers</ulink>(5).</para>
-
-              <para>There are three parameters to TPROXY - only the first
-              (mark) is required:</para>
-
-              <itemizedlist>
-                <listitem>
-                  <para><replaceable>mark</replaceable> - the MARK value
-                  corresponding to the local provider in <ulink
-                  url="shorewall-providers.html">shorewall-providers</ulink>(5).</para>
-                </listitem>
-
-                <listitem>
-                  <para><replaceable>port</replaceable> - the port on which
-                  the proxy server is listening. If omitted, the original
-                  destination port.</para>
-                </listitem>
-
-                <listitem>
-                  <para><replaceable>address</replaceable> - a local (to the
-                  firewall) IP address on which the proxy server is listening.
-                  If omitted, the IP address of the interface on which the
-                  request arrives.</para>
-                </listitem>
-              </itemizedlist>
-            </listitem>
-
-            <listitem>
-              <para><emphasis
-              role="bold">TPROXY</emphasis>([<replaceable>port</replaceable>][,<replaceable>address</replaceable>])
-              -- FORMAT 2</para>
-
-              <para>Transparently redirects a packet without altering the IP
-              header. Requires a tproxy provider to be defined in <ulink
-              url="shorewall-providers.html">shorewall-providers</ulink>(5).</para>
-
-              <para>There are three parameters to TPROXY - neither is
-              required:</para>
-
-              <itemizedlist>
-                <listitem>
-                  <para><replaceable>port</replaceable> - the port on which
-                  the proxy server is listening. If omitted, the original
-                  destination port.</para>
-                </listitem>
-
-                <listitem>
-                  <para><replaceable>address</replaceable> - a local (to the
-                  firewall) IP address on which the proxy server is listening.
-                  If omitted, the IP address of the interface on which the
-                  request arrives.</para>
-                </listitem>
-              </itemizedlist>
-            </listitem>
-
            <listitem>
              <para><emphasis role="bold">TTL</emphasis>([<emphasis
              role="bold">-</emphasis>|<emphasis
--- a/Shorewall/manpages/shorewall-tunnels.xml
+++ b/Shorewall/manpages/shorewall-tunnels.xml
@@ -125,9 +125,9 @@
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">GATEWAY</emphasis>(S) (gateway or
-        gateways) - <emphasis>address-or-range</emphasis> <emphasis
-        role="bold">[ , ... ]</emphasis></term>
+        <term><emphasis role="bold">GATEWAY</emphasis>S -
+        <emphasis>address-or-range</emphasis> <emphasis role="bold">[ , ...
+        ]</emphasis></term>

        <listitem>
          <para>The IP address of the remote tunnel gateway. If the remote
@@ -144,8 +144,8 @@
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">GATEWAY ZONES</emphasis> (gateway_zone or
-        gateway_zones) - [<emphasis>zone</emphasis>[<emphasis
+        <term><emphasis role="bold">GATEWAY ZONES</emphasis> (gateway_zone) -
+        [<emphasis>zone</emphasis>[<emphasis
        role="bold">,</emphasis><emphasis>zone</emphasis>]...]</term>

        <listitem>
--- a/Shorewall/manpages/shorewall.conf.xml
+++ b/Shorewall/manpages/shorewall.conf.xml
@@ -669,21 +669,6 @@ net     all  DROP   info</programlisting>then the chain name is 'net2all'
        </listitem>
      </varlistentry>

-      <varlistentry>
-        <term><emphasis
-        role="bold">GEOIPDIR</emphasis>=[<emphasis>pathname</emphasis>]</term>
-
-        <listitem>
-          <para>Added in Shorewall 4.5.4. Specifies the pathname of the
-          directory containing the <firstterm>GeoIP Match</firstterm>
-          database. See <ulink
-          url="http://www.shorewall.net/ISOCODES.html">http://www.shorewall.net/ISOCODES.html</ulink>.
-          If not specified, the default value is
-          <filename>/usr/share/xt_geoip/LE</filename> which is the default
-          location of the little-endian database.</para>
-        </listitem>
-      </varlistentry>
-
      <varlistentry>
        <term><emphasis role="bold">HIGH_ROUTE_MARKS=</emphasis>{<emphasis
        role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>}</term>
@@ -1553,23 +1538,6 @@ net     all  DROP   info</programlisting>then the chain name is 'net2all'
                  chain are appended to it.</para>
                </listitem>
              </itemizedlist>
-
-              <para>An additional optimization was added in Shorewall 4.5.4.
-              If the last rule in a chain is an unqualified jump to a simple
-              target, then all immediately preceding rules with the same
-              simple target are omitted.</para>
-
-              <para>For example, consider this chain:</para>
-
-              <programlisting>	-A fw-net -p udp --dport 67:68 -j ACCEPT
-	-A fw-net -p udp --sport 1194 -j ACCEPT
-	-A fw-net -p 41 -j ACCEPT
-	-A fw-net -j ACCEPT
-</programlisting>
-
-              <para>Since all of the rules are jumps to the simple target
-              ACCEPT, this chain is totally optimized away and jumps to the
-              chain are replace with jumps to ACCEPT.</para>
            </listitem>

            <listitem>
--- a/Shorewall/modules
+++ b/Shorewall/modules
@@ -16,24 +16,24 @@
 #
 # Essential Modules
 #
-INCLUDE modules.essential
+?INCLUDE modules.essential
 #
 # Other xtables modules
 #
-INCLUDE modules.xtables
+?INCLUDE modules.xtables
 #
 # Helpers
 #
-INCLUDE helpers
+?INCLUDE helpers
 #
 # Ipset
 #
-INCLUDE modules.ipset
+?INCLUDE modules.ipset
 #
 # Traffic Shaping
 #
-INCLUDE modules.tc
+?INCLUDE modules.tc
 #
 # Extensions
 #
-INCLUDE modules.extensions
+?INCLUDE modules.extensions
--- a/Shorewall6-lite/shorecap
+++ b/Shorewall6-lite/shorecap
@@ -45,22 +45,17 @@
 #    used during firewall compilation, then the generated firewall program will likewise not
 #    require Shorewall to be installed.

-g_program=shorewall6-lite
+SHAREDIR=/usr/share/shorewall6-lite
+VARDIR=/var/lib/shorewall6-lite
+CONFDIR=/etc/shorewall6-lite
+g_product="Shorewall6 Lite"
+g_family=6
+g_base=shorewall6
+g_basedir=/usr/share/shorewall6-lite

-#
-# This is modified by the installer when ${SHAREDIR} != /usr/share
-#
-. /usr/share/shorewall/shorewallrc
-
-g_libexec="$LIBEXECDIR"
-g_sharedir="$SHAREDIR"/shorewall6-lite
-g_sbindir="$SBINDIR"
-g_vardir="$VARDIR"
-g_confdir="$CONFDIR"/shorewall6-lite
-g_readrc=1
-
-. ${SHAREDIR}/shorewall/lib.cli
-. ${SHAREDIR}/shorewall-lite/configpath
+. /usr/share/shorewall6-lite/lib.base
+. /usr/share/shorewall6/lib.cli
+. /usr/share/shorewall6-lite/configpath

 [ -n "$PATH" ] || PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin

--- a/Shorewall6/Samples6/Universal/interfaces
+++ b/Shorewall6/Samples6/Universal/interfaces
@@ -11,5 +11,5 @@ FORMAT 2
 ###############################################################################
 #ZONE	INTERFACE	OPTIONS
 -	lo		ignore
-net	all		dhcp,physical=+,routeback,sourceroute=0
+net	all		dhcp,physical=+,routeback

--- a/Shorewall6/Samples6/Universal/rules
+++ b/Shorewall6/Samples6/Universal/rules
@@ -14,6 +14,5 @@
 #SECTION RELATED
 SECTION NEW

-Invalid(DROP)	net		$FW		tcp
 SSH(ACCEPT)	net		$FW
 Ping(ACCEPT)	net		$FW
--- a/Shorewall6/Samples6/Universal/shorewall6.conf
+++ b/Shorewall6/Samples6/Universal/shorewall6.conf
@@ -54,8 +54,6 @@ TCP_FLAGS_LOG_LEVEL=info

 CONFIG_PATH=${CONFDIR}/shorewall6:${SHAREDIR}/shorewall6:${SHAREDIR}/shorewall

-GEOIPDIR=/usr/share/xt_geoip/LE
-
 IP6TABLES=

 IP=
@@ -155,7 +153,7 @@ MODULE_SUFFIX=ko

 MUTEX_TIMEOUT=60

-OPTIMIZE=31
+OPTIMIZE=15

 OPTIMIZE_ACCOUNTING=No

--- a/Shorewall6/Samples6/one-interface/rules
+++ b/Shorewall6/Samples6/one-interface/rules
@@ -18,10 +18,6 @@
 #SECTION RELATED
 SECTION NEW

-# Drop packets in the INVALID state
-
-Invalid(DROP)  net    	        $FW		tcp
-
 # Drop Ping from the "bad" net zone.. and prevent your log from being flooded..

 Ping(DROP)	net		$FW
--- a/Shorewall6/Samples6/one-interface/shorewall6.conf
+++ b/Shorewall6/Samples6/one-interface/shorewall6.conf
@@ -54,8 +54,6 @@ TCP_FLAGS_LOG_LEVEL=info

 CONFIG_PATH=${CONFDIR}/shorewall6:${SHAREDIR}/shorewall6:${SHAREDIR}/shorewall

-GEOIPDIR=/usr/share/xt_geoip/LE
-
 IP6TABLES=

 IP=
@@ -155,7 +153,7 @@ MODULE_SUFFIX=ko

 MUTEX_TIMEOUT=60

-OPTIMIZE=31
+OPTIMIZE=1

 OPTIMIZE_ACCOUNTING=No

--- a/Shorewall6/Samples6/three-interfaces/interfaces
+++ b/Shorewall6/Samples6/three-interfaces/interfaces
@@ -14,6 +14,6 @@
 FORMAT 2
 ###############################################################################
 #ZONE	INTERFACE	OPTIONS
-net     eth0            tcpflags,forward=1,sourceroute=0
+net     eth0            tcpflags,forward=1
 loc     eth1            tcpflags,forward=1
 dmz     eth2            tcpflags,forward=1
--- a/Shorewall6/Samples6/three-interfaces/rules
+++ b/Shorewall6/Samples6/three-interfaces/rules
@@ -20,7 +20,7 @@ SECTION NEW

 #       Don't allow connection pickup from the net
 #
-Invalid(DROP)	net		all		tcp
+Invalid(DROP)	net		all
 #
 #	Accept DNS connections from the firewall to the Internet
 #
--- a/Shorewall6/Samples6/three-interfaces/shorewall6.conf
+++ b/Shorewall6/Samples6/three-interfaces/shorewall6.conf
@@ -54,8 +54,6 @@ TCP_FLAGS_LOG_LEVEL=info

 CONFIG_PATH=${CONFDIR}/shorewall6:${SHAREDIR}/shorewall6:${SHAREDIR}/shorewall

-GEOIPDIR=/usr/share/xt_geoip/LE
-
 IP6TABLES=

 IP=
@@ -155,7 +153,7 @@ MODULE_SUFFIX=ko

 MUTEX_TIMEOUT=60

-OPTIMIZE=31
+OPTIMIZE=1

 OPTIMIZE_ACCOUNTING=No

--- a/Shorewall6/Samples6/two-interfaces/interfaces
+++ b/Shorewall6/Samples6/two-interfaces/interfaces
@@ -14,5 +14,5 @@
 FORMAT 2
 ###############################################################################
 #ZONE	INTERFACE	OPTIONS
-net     eth0            tcpflags,forward=1,sourceroute=0
+net     eth0            tcpflags,forward=1
 loc     eth1            tcpflags,forward=1
--- a/Shorewall6/Samples6/two-interfaces/rules
+++ b/Shorewall6/Samples6/two-interfaces/rules
@@ -20,7 +20,7 @@ SECTION NEW

 #       Don't allow connection pickup from the net
 #
-Invalid(DROP)	net		all		tcp
+Invalid(DROP)	net		all
 #
 #	Accept DNS connections from the firewall to the network
 #
--- a/Shorewall6/Samples6/two-interfaces/shorewall6.conf
+++ b/Shorewall6/Samples6/two-interfaces/shorewall6.conf
@@ -54,8 +54,6 @@ TCP_FLAGS_LOG_LEVEL=info

 CONFIG_PATH=${CONFDIR}/shorewall6:${SHAREDIR}/shorewall6:${SHAREDIR}/shorewall

-GEOIPDIR=/usr/share/xt_geoip/LE
-
 IP6TABLES=

 IP=
@@ -155,7 +153,7 @@ MODULE_SUFFIX=ko

 MUTEX_TIMEOUT=60

-OPTIMIZE=31
+OPTIMIZE=1

 OPTIMIZE_ACCOUNTING=No

--- a/Shorewall6/action.Broadcast
+++ b/Shorewall6/action.Broadcast
@@ -31,7 +31,7 @@ FORMAT 2

 DEFAULTS DROP,-

-?BEGIN PERL;
+BEGIN PERL;

 use Shorewall::IPAddrs;
 use Shorewall::Config;
@@ -68,4 +68,4 @@ add_jump $chainref, $target, 0, join( ' ', '-d', IPv6_MULTICAST . ' ' );

 1;

-?END PERL;
+END PERL;
--- a/Shorewall6/action.Drop
+++ b/Shorewall6/action.Drop
@@ -36,7 +36,7 @@ FORMAT 2
 # The following magic provides different defaults for $2 thru $5, when $1 is
 # 'audit'.
 #
-?BEGIN PERL;
+BEGIN PERL;
 use Shorewall::Config;

 my ( $p1, $p2, $p3 , $p4, $p5 ) = get_action_params( 5 );
@@ -54,7 +54,7 @@ if ( defined $p1 ) {

 1;

-?END PERL;
+END PERL;

 DEFAULTS -,REJECT,DROP,ACCEPT,DROP

--- a/Shorewall6/action.Reject
+++ b/Shorewall6/action.Reject
@@ -32,7 +32,7 @@ FORMAT 2
 # The following magic provides different defaults for $2 thru $5, when $1 is
 # 'audit'.
 #
-?BEGIN PERL;
+BEGIN PERL;
 use Shorewall::Config;

 my ( $p1, $p2, $p3 , $p4, $p5 ) = get_action_params( 5 );
@@ -50,7 +50,7 @@ if ( defined $p1 ) {

 1;

-?END PERL;
+END PERL;

 DEFAULTS -,REJECT,REJECT,ACCEPT,DROP

--- a/Shorewall6/configfiles/shorewall6.conf
+++ b/Shorewall6/configfiles/shorewall6.conf
@@ -54,8 +54,6 @@ TCP_FLAGS_LOG_LEVEL=info

 CONFIG_PATH="${CONFDIR}/shorewall6:/usr/share/shorewall6:${SHAREDIR}/shorewall"

-GEOIPDIR=/usr/share/xt_geoip/LE
-
 IP6TABLES=

 IP=
--- a/Shorewall6/configfiles/tcrules
+++ b/Shorewall6/configfiles/tcrules
@@ -10,7 +10,5 @@
 # See http://shorewall.net/PacketMarking.html for a detailed description of
 # the Netfilter/Shorewall packet marking mechanism.
 ###################################################################################################################################################
-FORMAT 2
-###################################################################################################################################################
 #ACTION	SOURCE		DEST		PROTO	DEST	SOURCE	USER	TEST	LENGTH	TOS   CONNBYTES		HELPER	HEADERS    PROBABILITY DSCP
 #						PORT(S)	PORT(S)
--- a/Shorewall6/configfiles/tunnels
+++ b/Shorewall6/configfiles/tunnels
@@ -7,5 +7,5 @@
 # http://www.shorewall.net/manpages6/shorewall6-tunnels.html
 #
 ###############################################################################
-#TYPE			ZONE	GATEWAY(S)			GATEWAY
-#								ZONE(S)
+#TYPE			ZONE	GATEWAYS			GATEWAY
+#								ZONES
--- a/Shorewall6/manpages/shorewall6-accounting.xml
+++ b/Shorewall6/manpages/shorewall6-accounting.xml
@@ -480,15 +480,13 @@

      <varlistentry>
        <term><emphasis role="bold">IPSEC - <emphasis>option-list</emphasis>
-        (Optional - Added in Shorewall 4.4.13 but broken until 4.5.4.1
-        )</emphasis></term>
+        (Optional - Added in Shorewall 4.4.13 )</emphasis></term>

        <listitem>
          <para>The option-list consists of a comma-separated list of options
          from the following list. Only packets that will be encrypted or have
          been de-crypted via an SA that matches these options will have their
-          source address changed. May only be specified when sections are
-          used.</para>
+          source address changed.</para>

          <variablelist>
            <varlistentry>
@@ -596,51 +594,28 @@
                match the rule.</para>
              </listitem>
            </varlistentry>
-
-            <varlistentry>
-              <term><emphasis role="bold">in</emphasis></term>
-
-              <listitem>
-                <para>May only be used in the FORWARD section and must be the
-                first or the only item the list. Indicates that matching
-                packets have been decrypted in input.</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><emphasis role="bold">out</emphasis></term>
-
-              <listitem>
-                <para>May only be used in the FORWARD section and must be the
-                first or the only item in the list. Indicates that matching
-                packets will be encrypted on output.</para>
-              </listitem>
-            </varlistentry>
          </variablelist>

-          <para>If this column is non-empty and sections are not used,
-          then:</para>
+          <para>If this column is non-empty, then:</para>

          <itemizedlist>
            <listitem>
-              <para>A chain NAME appearing in the ACTION column must be a
+              <para>A chain NAME may appearing in the ACTION column must be a
              chain branched either directly or indirectly from the <emphasis
-              role="bold">accipsecin</emphasis> or <emphasis
-              role="bold">accipsecout</emphasis> chain.</para>
+              role="bold">accountin</emphasis> or <emphasis
+              role="bold">accountout</emphasis> chain.</para>
            </listitem>

            <listitem>
              <para>The CHAIN column must contain either <emphasis
-              role="bold">accipsecin</emphasis> or <emphasis
-              role="bold">accipsecout</emphasis> or a chain branched either
+              role="bold">accountin</emphasis> or <emphasis
+              role="bold">accountout</emphasis> or a chain branched either
              directly or indirectly from those chains.</para>
            </listitem>
-
-            <listitem>
-              <para>These rules will NOT appear in the <emphasis
-              role="bold">accounting</emphasis> chain.</para>
-            </listitem>
          </itemizedlist>
+
+          <para>These rules will NOT appear in the <emphasis
+          role="bold">accounting</emphasis> chain.</para>
        </listitem>
      </varlistentry>

--- a/Shorewall6/manpages/shorewall6-interfaces.xml
+++ b/Shorewall6/manpages/shorewall6-interfaces.xml
@@ -244,22 +244,13 @@ loc     eth2            -</programlisting>
            </varlistentry>

            <varlistentry>
-              <term><emphasis role="bold">ignore[=1]</emphasis></term>
+              <term><emphasis role="bold">ignore</emphasis></term>

              <listitem>
                <para>When specified, causes the generated script to ignore
                up/down events from Shorewall-init for this device.
                Additionally, the option exempts the interface from hairpin
-                filtering. When '=1' is omitted, the ZONE column must contain
-                '-' and <option>ignore</option> must be the only
-                OPTION.</para>
-
-                <para>Beginning with Shorewall 4.5.5, may be specified as
-                '<option>ignore=1</option>' which only causes the generated
-                script to ignore up/down events from Shorewall-init; hairpin
-                filtering is still applied. In this case, the above
-                restrictions on the ZONE and OPTIONS columns are
-                lifted.</para>
+                filtering.</para>
              </listitem>
            </varlistentry>

--- a/Shorewall6/manpages/shorewall6-providers.xml
+++ b/Shorewall6/manpages/shorewall6-providers.xml
@@ -245,20 +245,6 @@
                column is assumed.</para>
              </listitem>
            </varlistentry>
-
-            <varlistentry>
-              <term><emphasis role="bold">tproxy</emphasis></term>
-
-              <listitem>
-                <para>Added in Shorewall 4.5.4. Used for supporting the TPROXY
-                action in shorewall-tcrules(5). See <ulink
-                url="http://www.shorewall.net/Shorewall_Squid_Usage.html">http://www.shorewall.net/Shorewall_Squid_Usage.html</ulink>.
-                When specified, the MARK, DUPLICATE and GATEWAY columns should
-                be empty, INTERFACE should be set to 'lo' and
-                <option>tproxy</option> should be the only OPTION. Only one
-                <option>tproxy</option> provider is allowed.</para>
-              </listitem>
-            </varlistentry>
          </variablelist>
        </listitem>
      </varlistentry>
--- a/Shorewall6/manpages/shorewall6-rules.xml
+++ b/Shorewall6/manpages/shorewall6-rules.xml
@@ -422,7 +422,7 @@
        role="bold">-</emphasis>]}<emphasis
        role="bold">[:</emphasis><emphasis>interface</emphasis>][<emphasis
        role="bold">:<option>&lt;</option></emphasis>{<emphasis>address-or-range</emphasis>[,<emphasis>address-or-range</emphasis>]...[<emphasis>exclusion</emphasis>]<option>&gt;</option>|<emphasis>exclusion</emphasis>|<emphasis
-        role="bold">+</emphasis><emphasis>ipset</emphasis>|<replaceable>^countrycode-list</replaceable>}</term>
+        role="bold">+</emphasis><emphasis>ipset</emphasis>}</term>

        <listitem>
          <para>Source hosts to which the rule applies. May be a zone declared
@@ -490,18 +490,6 @@
          url="shorewall-interfaces.html">shorewall6-interfaces</ulink>
          (5).</para>

-          <para>Beginning with Shorewall 4.5.4, A
-          <replaceable>countrycode-list</replaceable> may be specified. A
-          countrycode-list is a comma-separated list of up to 15 two-character
-          ISO-3661 country codes enclosed in square brackets ('[...]') and
-          preceded by a caret ('^'). When a single country code is given, the
-          square brackets may be omitted. A list of country codes supported by
-          Shorewall may be found at <ulink
-          url="http://www.shorewall.net/ISO-3661.html">http://www.shorewall.net/ISO-3661.html</ulink>.
-          Specifying a <replaceable>countrycode-list</replaceable> requires
-          <firstterm>GeoIP Match</firstterm> support in your ip6tables and
-          Kernel.</para>
-
          <para>When an <replaceable>interface</replaceable> is not specified,
          you may omit the angled brackets ('&lt;' and '&gt;') around the
          address(es) or you may supply them to improve readability.</para>
@@ -598,7 +586,7 @@
        role="bold">-</emphasis>]}<emphasis
        role="bold">[:</emphasis><emphasis>interface</emphasis>][<emphasis
        role="bold">:<option>&lt;</option></emphasis>{<emphasis>address-or-range</emphasis>[,<emphasis>address-or-range</emphasis>]...[<emphasis>exclusion</emphasis>]<option>&gt;</option>|<emphasis>exclusion</emphasis>|<emphasis
-        role="bold">+</emphasis><emphasis>ipset</emphasis>|^<emphasis>countrycode-list</emphasis>}</emphasis></term>
+        role="bold">+</emphasis><emphasis>ipset</emphasis>}</emphasis></term>

        <listitem>
          <para>Location of Server. May be a zone declared in <ulink
@@ -624,18 +612,6 @@
          url="shorewall-interfaces.html">shorewall6-interfaces</ulink>
          (5).</para>

-          <para>Beginning with Shorewall 4.5.4, A
-          <replaceable>countrycode-list</replaceable> may be specified. A
-          countrycode-list is a comma-separated list of up to 15 two-character
-          ISO-3661 country codes enclosed in square brackets ('[...]') and
-          preceded by a caret ('^'). When a single country code is given, the
-          square brackets may be omitted. A list of country codes supported by
-          Shorewall may be found at <ulink
-          url="http://www.shorewall.net/ISO-3661.html">http://www.shorewall.net/ISO-3661.html</ulink>.
-          Specifying a <replaceable>countrycode-list</replaceable> requires
-          <firstterm>GeoIP Match</firstterm> support in your ip6tables and
-          Kernel.</para>
-
          <para>When <emphasis role="bold">none</emphasis> is used either in
          the <emphasis role="bold">SOURCE</emphasis> or <emphasis
          role="bold">DEST</emphasis> column, the rule is ignored.</para>
@@ -837,8 +813,8 @@

      <varlistentry>
        <term><emphasis role="bold">USER/GROUP</emphasis> (user) - [<emphasis
-        role="bold">!</emphasis>][<emphasis>user-name-or-number-or-range</emphasis>][<emphasis
-        role="bold">:</emphasis><emphasis>group-name-or-number-or-range</emphasis>]</term>
+        role="bold">!</emphasis>][<emphasis>user-name-or-number</emphasis>][<emphasis
+        role="bold">:</emphasis><emphasis>group-name-or-number</emphasis>]</term>

        <listitem>
          <para>This optional column may only be non-empty if the SOURCE is
@@ -877,15 +853,6 @@
                group</para>
              </listitem>
            </varlistentry>
-
-            <varlistentry>
-              <term>2001-2099</term>
-
-              <listitem>
-                <para>UIDs 2001 through 2099 (Shorewall 4.5.6 and
-                later)</para>
-              </listitem>
-            </varlistentry>
          </variablelist>
        </listitem>
      </varlistentry>
@@ -1248,19 +1215,6 @@
        DNAT        net             dmz:$BACKUP tcp         80           -         -          -         -         -       -             -        -          primary_down</programlisting>
        </listitem>
      </varlistentry>
-
-      <varlistentry>
-        <term>Example 7:</term>
-
-        <listitem>
-          <para>Drop all email from IP addresses in the country whose ISO-3661
-          country code is ZZ.</para>
-
-          <programlisting>        #ACTION                       SOURCE           DEST           PROTO       DEST
-        #                                                                         PORT(S)
-        DROP                          net:^ZZ          fw             tcp         22</programlisting>
-        </listitem>
-      </varlistentry>
    </variablelist>
  </refsect1>

@@ -1273,9 +1227,6 @@
  <refsect1>
    <title>See ALSO</title>

-    <para><ulink
-    url="http://www.shorewall.net/shorewall_logging.html">http://www.shorewall.net/shorewall_logging.html</ulink></para>
-
    <para><ulink
    url="http://shorewall.net/configuration_file_basics.htm#Pairs">http://shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>

--- a/Shorewall6/manpages/shorewall6-tcclasses.xml
+++ b/Shorewall6/manpages/shorewall6-tcclasses.xml
@@ -11,7 +11,7 @@
  <refnamediv>
    <refname>tcclasses</refname>

-    <refpurpose>Shorewall6 file to define HTB and HFSC classes</refpurpose>
+    <refpurpose>Shorewall6 file to define HTB classes</refpurpose>
  </refnamediv>

  <refsynopsisdiv>
@@ -163,8 +163,7 @@
          Must be specified as '-' if the <emphasis
          role="bold">classify</emphasis> option is given for the interface in
          <ulink
-          url="shorewall6-tcdevices.html">shorewall6-tcdevices</ulink>(5) and
-          you are running Shorewall 4.5 5 or earlier.</para>
+          url="shorewall6-tcdevices.html">shorewall6-tcdevices</ulink>(5)</para>

          <para>You can use the same marks for different interfaces.</para>
        </listitem>
@@ -172,7 +171,7 @@

      <varlistentry>
        <term><emphasis role="bold">RATE</emphasis> -
-        {-|<emphasis>rate</emphasis>[:<emphasis>dmax</emphasis>[:<emphasis>umax</emphasis>]]}</term>
+        <emphasis>rate</emphasis>[:<emphasis>dmax</emphasis>[:<emphasis>umax</emphasis>]]</term>

        <listitem>
          <para>The minimum bandwidth this class should get, when the traffic
@@ -182,12 +181,11 @@
          class exceed the CEIL of the parent class, things don't work
          well.</para>

-          <para>When using the HFSC queuing discipline, this column specify
-          the real-time (RT) service curve. leaf classes may specify
-          <replaceable>dmax</replaceable>, the maximum delay in milliseconds
-          that the first queued packet for this class should experience. May
-          be expressed as an integer, optionally followed by 'ms' with no
-          intervening white space (e.g., 10ms).</para>
+          <para>When using the HFSC queuing discipline, leaf classes may
+          specify <replaceable>dmax</replaceable>, the maximum delay in
+          milliseconds that the first queued packet for this class should
+          experience. May be expressed as an integer, optionally followed by
+          'ms' with no intervening white space (e.g., 10ms).</para>

          <para>HFSC leaf classes may also specify
          <replaceable>umax</replaceable>, the largest packet expected in this
@@ -196,18 +194,12 @@
          followed by 'b' with no intervening white space (e.g., 800b).
          <replaceable>umax</replaceable> may only be given if
          <replaceable>dmax</replaceable> is also given.</para>
-
-          <para>Beginning with Shorewall 4.5.6, HFSC classes may omit this
-          column (e.g, '-' in the column), provided that an
-          <replaceable>lsrate</replaceable> is specified (see CEIL below).
-          These rates are used to arbitrate between classes of the same
-          priority.</para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term><emphasis role="bold">CEIL</emphasis> -
-        [<emphasis>lsrate</emphasis>:]<emphasis>rate</emphasis></term>
+        <emphasis>rate</emphasis></term>

        <listitem>
          <para>The maximum bandwidth this class is allowed to use when the
@@ -218,9 +210,6 @@
          here for setting the maximum bandwidth to the RATE of the parent
          class, or the OUT-BANDWIDTH of the device if there is no parent
          class.</para>
-
-          <para>Beginning with Shorewall 4.5.6, you can also specify an
-          <replaceable>lsrate</replaceable> (link sharing rate).</para>
        </listitem>
      </varlistentry>

@@ -315,7 +304,7 @@
                limited to 64 bytes because we want only packets WITHOUT
                payload to match.</para>

-                <para/>
+                <para></para>

                <note>
                  <para>This option is only valid for ONE class per
@@ -392,121 +381,6 @@
                assumed.</para>
              </listitem>
            </varlistentry>
-
-            <varlistentry>
-              <term>red=(<replaceable>redoption</replaceable>=<replaceable>value</replaceable>,
-              ...)</term>
-
-              <listitem>
-                <para>Added in Shorewall 4.5.6. When specified on a leaf
-                class, causes the class to use the RED (Random Early
-                Detection) queuing discipline rather than SFQ. See tc-red (8)
-                for additional information.</para>
-
-                <para>Allowable redoptions are:</para>
-
-                <variablelist>
-                  <varlistentry>
-                    <term>min <replaceable>min</replaceable></term>
-
-                    <listitem>
-                      <para>Average queue size at which marking becomes a
-                      possibility.</para>
-                    </listitem>
-                  </varlistentry>
-
-                  <varlistentry>
-                    <term>max <replaceable>max</replaceable></term>
-
-                    <listitem>
-                      <para>At this average queue size, the marking
-                      probability is maximal. Must be at least twice
-                      <replaceable>min</replaceable> to prevent synchronous
-                      retransmits, higher for low
-                      <replaceable>min</replaceable>.</para>
-                    </listitem>
-                  </varlistentry>
-
-                  <varlistentry>
-                    <term>probability
-                    <replaceable>probability</replaceable></term>
-
-                    <listitem>
-                      <para>Maximum probability for marking, specified as a
-                      floating point number from 0.0 to 1.0. Suggested values
-                      are 0.01 or 0.02 (1 or 2%, respectively).</para>
-                    </listitem>
-                  </varlistentry>
-
-                  <varlistentry>
-                    <term>limit <replaceable>limit</replaceable></term>
-
-                    <listitem>
-                      <para>Hard limit on the real (not average) queue size in
-                      bytes. Further packets are dropped. Should be set higher
-                      than
-                      <replaceable>max</replaceable>+<replaceable>burst</replaceable>.
-                      It is advised to set this a few times higher than
-                      <replaceable>max</replaceable>. Shorewall requires that
-                      <replaceable>limit</replaceable> be at least twice
-                      <replaceable>min</replaceable>.</para>
-                    </listitem>
-                  </varlistentry>
-
-                  <varlistentry>
-                    <term>burst <replaceable>burst</replaceable></term>
-
-                    <listitem>
-                      <para>Used for determining how fast the average queue
-                      size is influenced by the real queue size. Larger values
-                      make the calculation more sluggish, allowing longer
-                      bursts of traffic before marking starts. Real life
-                      experiments support the following guide‐line:
-                      (<replaceable>min</replaceable>+<replaceable>min</replaceable>+<replaceable>max</replaceable>)/(3*<replaceable>avpkt</replaceable>).</para>
-                    </listitem>
-                  </varlistentry>
-
-                  <varlistentry>
-                    <term>avpkt <replaceable>avpkt</replaceable></term>
-
-                    <listitem>
-                      <para>Optional. Specified in bytes. Used with burst to
-                      determine the time constant for average queue size
-                      calculations. 1000 is a good value and is the Shorewall
-                      default.</para>
-                    </listitem>
-                  </varlistentry>
-
-                  <varlistentry>
-                    <term>bandwidth
-                    <replaceable>bandwidth</replaceable></term>
-
-                    <listitem>
-                      <para>Optional. This rate is used for calculating the
-                      average queue size after some idle time. Should be set
-                      to the bandwidth of your interface. Does not mean that
-                      RED will shape for you!</para>
-                    </listitem>
-                  </varlistentry>
-
-                  <varlistentry>
-                    <term>ecn</term>
-
-                    <listitem>
-                      <para>RED can either 'mark' or 'drop'. Explicit
-                      Congestion Notification allows RED to notify remote
-                      hosts that their rate exceeds the amount of bandwidth
-                      available. Non-ECN capable hosts can only be notified by
-                      dropping a packet. If this parameter is specified,
-                      packets which indicate that their hosts honor ECN will
-                      only be marked and not dropped, unless the queue size
-                      hits <replaceable>limit</replaceable> bytes. Needs a tc
-                      binary with RED support compiled in. Recommended.</para>
-                    </listitem>
-                  </varlistentry>
-                </variablelist>
-              </listitem>
-            </varlistentry>
          </variablelist>
        </listitem>
      </varlistentry>
@@ -574,10 +448,6 @@
  <refsect1>
    <title>See ALSO</title>

-    <para>tc-hfsc(7)</para>
-
-    <para>tc-red(8)</para>
-
    <para><ulink
    url="http://shorewall.net/traffic_shaping.htm">http://shorewall.net/traffic_shaping.htm</ulink></para>

--- a/Shorewall6/manpages/shorewall6-tcdevices.xml
+++ b/Shorewall6/manpages/shorewall6-tcdevices.xml
@@ -180,17 +180,7 @@
      <varlistentry>
        <term><emphasis role="bold">OPTIONS</emphasis> - {<emphasis
        role="bold">-</emphasis>|<emphasis
-        role="bold">{classify</emphasis>|<emphasis
-        role="bold">hfsc</emphasis>|<emphasis
-        role="bold">linklayer</emphasis>={<emphasis
-        role="bold">ethernet</emphasis>|<emphasis
-        role="bold">atm</emphasis>|<emphasis
-        role="bold">adsl</emphasis>}|<emphasis
-        role="bold">tsize</emphasis>=<replaceable>tsize</replaceable>|<emphasis
-        role="bold">mtu</emphasis>=<replaceable>mtu</replaceable>|<emphasis
-        role="bold">mpu</emphasis>=<replaceable>mpu</replaceable>|<emphasis
-        role="bold">overhead</emphasis>=<replaceable>overhead</replaceable>}
-        ,...}</term>
+        role="bold">{classify</emphasis>|hfsc} ,...}</term>

        <listitem>
          <para><option>classify</option> ― When specified, Shorewall will not
@@ -201,34 +191,7 @@
          <para><option>hfsc</option> - Shorewall normally uses the
          <firstterm>Hierarchical Token Bucket</firstterm> queuing discipline.
          When <option>hfsc</option> is specified, the <firstterm>Hierarchical
-          Fair Service Curves</firstterm> discipline is used instead(see
-          tc-hfsc (7)).</para>
-
-          <para><emphasis role="bold">linklayer</emphasis> - Added in
-          Shorewall 4.5.6. Type of link (ethernet, atm, adsl). When specified,
-          causes scheduler packet size manipulation as described in tc-stab
-          (8). When this option is given, the following options may also be
-          given after it:</para>
-
-          <blockquote>
-            <para><emphasis
-            role="bold">mtu</emphasis>=<replaceable>mtu</replaceable> - The
-            device MTU; default 2048 (will be rounded up to a power of
-            two)</para>
-
-            <para><emphasis
-            role="bold">mpu</emphasis>=<replaceable>mpubytes</replaceable> -
-            Minimum packet size used in calculations. Smaller packets will be
-            rounded up to this size</para>
-
-            <para><emphasis
-            role="bold">tsize</emphasis>=<replaceable>tablesize</replaceable>
-            - Size table entries; default is 512</para>
-
-            <para><emphasis
-            role="bold">overhead</emphasis>=<replaceable>overheadbytes</replaceable>
-            - Number of overhead bytes per packet.</para>
-          </blockquote>
+          Fair Service Curves</firstterm> discipline is used instead.</para>
        </listitem>
      </varlistentry>

@@ -279,8 +242,6 @@
  <refsect1>
    <title>See ALSO</title>

-    <para>tc-hfsc (7)</para>
-
    <para><ulink
    url="http://shorewall.net/traffic_shaping.htm">http://shorewall.net/traffic_shaping.htm</ulink></para>

--- a/Shorewall6/manpages/shorewall6-tcfilters.xml
+++ b/Shorewall6/manpages/shorewall6-tcfilters.xml
@@ -35,7 +35,7 @@
        <term>IPV4</term>

        <listitem>
-          <para>Following entries apply to IPv4.</para>
+          <para>Following entriess apply to IPv4.</para>
        </listitem>
      </varlistentry>

@@ -235,6 +235,6 @@
    <para><ulink
    url="http://shorewall.net/PacketMarking.html">http://shorewall.net/PacketMarking.html</ulink></para>

-    <para/>
+    <para></para>
  </refsect1>
 </refentry>
--- a/Shorewall6/manpages/shorewall6-tcrules.xml
+++ b/Shorewall6/manpages/shorewall6-tcrules.xml
@@ -38,34 +38,6 @@
      url="http://shorewall.net/MultiISP.html">http://shorewall.net/MultiISP.html</ulink>.</para>
    </important>

-    <para>Beginning with Shorewall 4.5.4, the tcrules file supports two
-    different formats:</para>
-
-    <variablelist>
-      <varlistentry>
-        <term>FORMAT 1 (default - deprecated)</term>
-
-        <listitem>
-          <para>The older limited-function version of TPROXY is
-          supported.</para>
-        </listitem>
-      </varlistentry>
-
-      <varlistentry>
-        <term>FORMAT 2</term>
-
-        <listitem>
-          <para>The newer version of TPROXY is supported.</para>
-        </listitem>
-      </varlistentry>
-    </variablelist>
-
-    <para>The format is specified by a line as follows:</para>
-
-    <blockquote>
-      <para><emphasis role="bold">FORMAT {1|2}</emphasis></para>
-    </blockquote>
-
    <para>The columns in the file are as follows (where the column name is
    followed by a different name in parentheses, the different name is used in
    the alternate specification syntax).</para>
@@ -332,80 +304,6 @@ SAME              $FW            0.0.0.0/0    tcp        80,443</programlisting>
              simply include COMMENT on a line by itself.</para>
            </listitem>

-            <listitem>
-              <para><emphasis role="bold">DIVERT</emphasis></para>
-
-              <para>Added in Shorewall 4.5.3. Two DIVERT rule should preceed
-              the TPROXY rule and should select DEST PORT tcp 80 and SOURCE
-              PORT tcp 80 respectively (assuming that tcp port 80 is being
-              proxied). DIVERT avoids sending packets to the TPROXY target
-              once a socket connection to Squid3 has been established by
-              TPROXY. DIVERT marks the packet with a unique mark and exempts
-              it from any rules that follow.</para>
-            </listitem>
-
-            <listitem>
-              <para><emphasis
-              role="bold">TPROXY</emphasis>(<replaceable>mark</replaceable>[,[<replaceable>port</replaceable>][,[<replaceable>address</replaceable>]]])
-              -- FORMAT 1</para>
-
-              <para>Transparently redirects a packet without altering the IP
-              header. Requires a local provider to be defined in <ulink
-              url="shorewall6-providers.html">shorewall6-providers</ulink>(5).</para>
-
-              <para>There are three parameters to TPROXY - only the first
-              (mark) is required:</para>
-
-              <itemizedlist>
-                <listitem>
-                  <para><replaceable>mark</replaceable> - the MARK value
-                  corresponding to the local provider in <ulink
-                  url="shorewall6-providers.html">shorewall6-providers</ulink>(5).</para>
-                </listitem>
-
-                <listitem>
-                  <para><replaceable>port</replaceable> - the port on which
-                  the proxy server is listening. If omitted, the original
-                  destination port.</para>
-                </listitem>
-
-                <listitem>
-                  <para><replaceable>address</replaceable> - a local (to the
-                  firewall) IP address on which the proxy server is listening.
-                  If omitted, the IP address of the interface on which the
-                  request arrives.</para>
-                </listitem>
-              </itemizedlist>
-            </listitem>
-
-            <listitem>
-              <para><emphasis
-              role="bold">TPROXY</emphasis>([<replaceable>port</replaceable>][,[<replaceable>address</replaceable>]]])
-              -- FORMAT 2</para>
-
-              <para>Transparently redirects a packet without altering the IP
-              header. Requires a local provider to be defined in <ulink
-              url="shorewall6-providers.html">shorewall6-providers</ulink>(5).</para>
-
-              <para>There are three parameters to TPROXY - only the first
-              (mark) is required:</para>
-
-              <itemizedlist>
-                <listitem>
-                  <para><replaceable>port</replaceable> - the port on which
-                  the proxy server is listening. If omitted, the original
-                  destination port.</para>
-                </listitem>
-
-                <listitem>
-                  <para><replaceable>address</replaceable> - a local (to the
-                  firewall) IP address on which the proxy server is listening.
-                  If omitted, the IP address of the interface on which the
-                  request arrives.</para>
-                </listitem>
-              </itemizedlist>
-            </listitem>
-
            <listitem>
              <para><emphasis role="bold">HL</emphasis>([<emphasis
              role="bold">-</emphasis>|<emphasis
--- a/Shorewall6/manpages/shorewall6-tunnels.xml
+++ b/Shorewall6/manpages/shorewall6-tunnels.xml
@@ -120,9 +120,9 @@
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">GATEWAY</emphasis>(S) (gateway or
-        gateways) - <emphasis>address-or-range</emphasis> <emphasis
-        role="bold">[ , ... ]</emphasis></term>
+        <term><emphasis role="bold">GATEWAY</emphasis>S -
+        <emphasis>address-or-range</emphasis> <emphasis role="bold">[ , ...
+        ]</emphasis></term>

        <listitem>
          <para>The IP address of the remote tunnel gateway. If the remote
@@ -139,8 +139,8 @@
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">GATEWAY ZONE(S)</emphasis> (gateway_zone
-        or gateway_zones) - [<emphasis>zone</emphasis>[<emphasis
+        <term><emphasis role="bold">GATEWAY ZONES</emphasis> (gateway_zone) -
+        [<emphasis>zone</emphasis>[<emphasis
        role="bold">,</emphasis><emphasis>zone</emphasis>]...]</term>

        <listitem>
--- a/Shorewall6/manpages/shorewall6.conf.xml
+++ b/Shorewall6/manpages/shorewall6.conf.xml
@@ -578,21 +578,6 @@ net     all  DROP   info</programlisting>then the chain name is 'net2all'
        </listitem>
      </varlistentry>

-      <varlistentry>
-        <term><emphasis
-        role="bold">GEOIPDIR</emphasis>=[<emphasis>pathname</emphasis>]</term>
-
-        <listitem>
-          <para>Added in Shorewall 4.5.4. Specifies the pathname of the
-          directory containing the <firstterm>GeoIP Match</firstterm>
-          database. See <ulink
-          url="http://www.shorewall.net/ISOCODES.html">http://www.shorewall.net/ISOCODES.html</ulink>.
-          If not specified, the default value is
-          <filename>/usr/share/xt_geoip/LE</filename> which is the default
-          location of the little-endian database.</para>
-        </listitem>
-      </varlistentry>
-
      <varlistentry>
        <term><emphasis role="bold">HIGH_ROUTE_MARKS=</emphasis>{<emphasis
        role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>}</term>
@@ -1351,23 +1336,6 @@ net     all  DROP   info</programlisting>then the chain name is 'net2all'
                  chain are appended to it.</para>
                </listitem>
              </itemizedlist>
-
-              <para>An additional optimization was added in Shorewall 4.5.4.
-              If the last rule in a chain is an unqualified jump to a simple
-              target, then all immediately preceding rules with the same
-              simple target are omitted.</para>
-
-              <para>For example, consider this chain:</para>
-
-              <programlisting>	-A fw-net -p udp --dport 67:68 -j ACCEPT
-	-A fw-net -p udp --sport 1194 -j ACCEPT
-	-A fw-net -p 41 -j ACCEPT
-	-A fw-net -j ACCEPT
-</programlisting>
-
-              <para>Since all of the rules are jumps to the simple target
-              ACCEPT, this chain is totally optimized away and jumps to the
-              chain are replace with jumps to ACCEPT.</para>
            </listitem>

            <listitem>
--- a/Shorewall6/modules
+++ b/Shorewall6/modules
@@ -16,24 +16,24 @@
 #
 # Essential Modules
 #
-INCLUDE modules.essential
+?INCLUDE modules.essential
 #
 # Other xtables modules
 #
-INCLUDE modules.xtables
+?INCLUDE modules.xtables
 #
 # Helpers
 #
-INCLUDE helpers
+?INCLUDE helpers
 #
 # Ipset
 #
-INCLUDE modules.ipset
+?INCLUDE modules.ipset
 #
 # Traffic Shaping
 #
-INCLUDE modules.tc
+?INCLUDE modules.tc
 #
 # Extensions
 #
-INCLUDE modules.extensions
+?INCLUDE modules.extensions
--- a/docs/CompiledPrograms.xml
+++ b/docs/CompiledPrograms.xml
@@ -135,8 +135,7 @@

          <itemizedlist>
            <listitem>
-              <para>Remove /etc/shorewall (/etc/shorewal6) from the setting of
-              CONFIG_PATH</para>
+              <para>CONFIG_PATH=/usr/share/shorewall</para>
            </listitem>

            <listitem>
--- a/docs/Documentation_Index.xml
+++ b/docs/Documentation_Index.xml
@@ -37,40 +37,15 @@
  <section id="Frequent">
    <title>Frequently Used Articles</title>

-    <informaltable frame="none" orient="land">
-      <tgroup cols="1">
-        <tbody>
-          <row>
-            <entry><ulink url="FAQ.htm">FAQs</ulink></entry>
-          </row>
+    <simplelist>
+      <member><ulink url="FAQ.htm">FAQs</ulink> (<ulink
+      url="FAQ_fr.html">Français</ulink>)</member>

-          <row>
-            <entry><ulink url="Manpages.html">IPv4 Manpages</ulink></entry>
-          </row>
+      <member><ulink url="GettingStarted.html">Beginner
+      Documentation</ulink></member>

-          <row>
-            <entry><ulink url="Manpages6.html">IPv6 Manpages</ulink></entry>
-          </row>
-
-          <row>
-            <entry><ulink url="GettingStarted.html">Beginner
-            Documentation</ulink></entry>
-          </row>
-
-          <row>
-            <entry><ulink
-            url="troubleshoot.htm">Troubleshooting</ulink></entry>
-          </row>
-        </tbody>
-      </tgroup>
-    </informaltable>
-  </section>
-
-  <section>
-    <title>Documentation for Earlier Versions</title>
-
-    <para><ulink url="4.2/Documentation_Index.html">Shorewall 4.0/4.2
-    Documentation</ulink></para>
+      <member><ulink url="troubleshoot.htm">Troubleshooting</ulink></member>
+    </simplelist>
  </section>

  <section id="Index">
@@ -142,8 +117,7 @@
            <entry><ulink url="Audit.html">AUDIT Target
            support</ulink></entry>

-            <entry>Manpages (<ulink url="Manpages.html">IPv4</ulink>) (<ulink
-            url="Manpages6.html">IPv6</ulink>)</entry>
+            <entry><ulink url="Manpages.html">Man Pages</ulink></entry>

            <entry><ulink url="Shorewall_Squid_Usage.html">Squid with
            Shorewall</ulink></entry>
@@ -387,21 +361,11 @@
            <entry/>
          </row>

-          <row>
-            <entry><ulink url="ISO-3661.html">ISO 3661 Country
-            Codes</ulink></entry>
-
-            <entry><ulink url="samba.htm">Samba</ulink></entry>
-
-            <entry/>
-          </row>
-
          <row>
            <entry><ulink url="Shorewall_and_Kazaa.html">Kazaa
            Filtering</ulink></entry>

-            <entry><ulink url="Shorewall-init.html">Shorewall
-            Init</ulink></entry>
+            <entry><ulink url="samba.htm">Samba</ulink></entry>

            <entry/>
          </row>
@@ -410,8 +374,8 @@
            <entry><ulink url="kernel.htm">Kernel
            Configuration</ulink></entry>

-            <entry><ulink url="Shorewall-Lite.html">Shorewall
-            Lite</ulink></entry>
+            <entry><ulink url="Shorewall-init.html">Shorewall
+            Init</ulink></entry>

            <entry/>
          </row>
@@ -420,7 +384,8 @@
            <entry><ulink url="KVM.html">KVM (Kernel-mode Virtual
            Machine)</ulink></entry>

-            <entry/>
+            <entry><ulink url="Shorewall-Lite.html">Shorewall
+            Lite</ulink></entry>

            <entry/>
          </row>
--- a/docs/FAQ.xml
+++ b/docs/FAQ.xml
@@ -2150,17 +2150,6 @@ gateway:~# </programlisting>
      and configured the <emphasis>shorewall-init</emphasis> package and a
      required interface has gone down.</para>
    </section>
-
-    <section id="faq99">
-      <title>(FAQ 99) My /var/lib/shorewall-init.log shows that Shorewall is
-      running at boot but after boot 'iptables -L' shows an empty
-      configuration</title>
-
-      <para><emphasis role="bold">Answer</emphasis>: This is caused by your
-      failure to disable your distributions default iptables configuration
-      tool when you installed Shorewall. Look for a service called 'iptables'
-      that is being started after Shorewall and disable it.</para>
-    </section>
  </section>

  <section id="MultiISP">
@@ -2232,8 +2221,6 @@ We have an error talking to the kernel
      you may be able to resolve the problem by loading the <emphasis
      role="bold">act_police</emphasis> kernel module. Other kernel modules
      that you will need include:<simplelist>
-          <member>cls_basic</member>
-
          <member>cls_fw</member>

          <member>cls_u32</member>
--- a/docs/ISO-3661.xml
+++ b/docs/ISO-3661.xml
@@ -1,544 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
-"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
-<article>
-  <!--$Id$-->
-
-  <articleinfo>
-    <title>ISO 3661 Country Codes recognized by Shorewall</title>
-
-    <authorgroup>
-      <author>
-        <firstname>Tom</firstname>
-
-        <surname>Eastep</surname>
-      </author>
-    </authorgroup>
-
-    <pubdate><?dbtimestamp format="Y/m/d"?></pubdate>
-
-    <copyright>
-      <year>2012</year>
-
-      <holder>Thomas M. Eastep</holder>
-    </copyright>
-
-    <legalnotice>
-      <para>Permission is granted to copy, distribute and/or modify this
-      document under the terms of the GNU Free Documentation License, Version
-      1.2 or any later version published by the Free Software Foundation; with
-      no Invariant Sections, with no Front-Cover, and with no Back-Cover
-      Texts. A copy of the license is included in the section entitled
-      <quote><ulink url="GnuCopyright.htm">GNU Free Documentation
-      License</ulink></quote>.</para>
-    </legalnotice>
-  </articleinfo>
-
-  <section>
-    <title>Introduction</title>
-
-    <para>Beginning with Shorewall 4.5.4, Shorewall allows matching packet
-    SOURCE and/or DEST IP addresses by their corresponding country. That is
-    done by specifying a comma-separated list of up to 15 ISO-3661 2-character
-    Country Codes enclosed in square brackets ('[...]') and prefixed by a
-    caret ('^'). When a single country code is given, the square brackets can
-    be omitted.</para>
-
-    <para>Example - Drop email from the Anonymous Proxy and Satellite Provider
-    networks.</para>
-
-    <para><filename>/etc/shorewall/rules</filename>:</para>
-
-    <programlisting>    #ACTION   	   SOURCE	 	DEST	PROTO	DEST
-    #		   					PORT(S)
-    DROP:info	   net:^[A1,A2]		dmz	tcp	25
-</programlisting>
-
-    <para>Using this feature requires the <firstterm>GeoIP Match</firstterm>
-    capability in your iptables and kernel. As of this writing, that
-    capability requires installing <ulink
-    url="http://xtables-addons.sourceforge.net/">xtables-addons</ulink> 1.33
-    or later and <ulink
-    url="http://xtables-addons.sourceforge.net/geoip.php">creating a
-    country-code database</ulink>.</para>
-
-    <para>The Shorewall compiler uses the geoip country-code database to
-    determine the valid set of two-character alphanumeric country codes. The
-    location of that database is currently hard-coded in xtables-addons as
-    <filename>/usr/share/xt_geoip/</filename>. Within that directory are two
-    sub-directories:</para>
-
-    <itemizedlist>
-      <listitem>
-        <para>LE -- contains the little-endian database</para>
-      </listitem>
-
-      <listitem>
-        <para>BE -- contains the big-endian database</para>
-      </listitem>
-    </itemizedlist>
-
-    <para>To accomodate both big-endian and little-endian machines as well as
-    any future ability to install the database at another location, Shorewall
-    supports a GEOIPDIR option in <ulink
-    url="manpages/shorewall.conf.html">shorewall.conf</ulink> (5) and <ulink
-    url="manpages6/shorewall6.conf.html">shorewall6.conf</ulink> (5). The
-    default value of that option is
-    <filename>/usr/share/xt_geoip/LE</filename>.</para>
-
-    <para>The country codes at the time of this writing are shown in the
-    following two sections.</para>
-  </section>
-
-  <section>
-    <title>IPv4</title>
-
-    <programlisting>     A1 =&gt; "Anonymous Proxy" ,
-     A2 =&gt; "Satellite Provider" ,
-     AD =&gt; "Andorra" ,
-     AE =&gt; "United Arab Emirates" ,
-     AF =&gt; "Afghanistan" ,
-     AG =&gt; "Antigua and Barbuda" ,
-     AI =&gt; "Anguilla" ,
-     AL =&gt; "Albania" ,
-     AM =&gt; "Armenia" ,
-     AN =&gt; "Netherlands Antilles" ,
-     AO =&gt; "Angola" ,
-     AP =&gt; "Asia/Pacific Region" ,
-     AQ =&gt; "Antarctica" ,
-     AR =&gt; "Argentina" ,
-     AS =&gt; "American Samoa" ,
-     AT =&gt; "Austria" ,
-     AU =&gt; "Australia" ,
-     AW =&gt; "Aruba" ,
-     AX =&gt; "Aland Islands" ,
-     AZ =&gt; "Azerbaijan" ,
-     BA =&gt; "Bosnia and Herzegovina" ,
-     BB =&gt; "Barbados" ,
-     BD =&gt; "Bangladesh" ,
-     BE =&gt; "Belgium" ,
-     BF =&gt; "Burkina Faso" ,
-     BG =&gt; "Bulgaria" ,
-     BH =&gt; "Bahrain" ,
-     BI =&gt; "Burundi" ,
-     BJ =&gt; "Benin" ,
-     BM =&gt; "Bermuda" ,
-     BN =&gt; "Brunei Darussalam" ,
-     BO =&gt; "Bolivia" ,
-     BR =&gt; "Brazil" ,
-     BS =&gt; "Bahamas" ,
-     BT =&gt; "Bhutan" ,
-     BV =&gt; "Bouvet Island" ,
-     BW =&gt; "Botswana" ,
-     BY =&gt; "Belarus" ,
-     BZ =&gt; "Belize" ,
-     CA =&gt; "Canada" ,
-     CC =&gt; "Cocos (Keeling) Islands" ,
-     CD =&gt; "Congo, The Democratic Republic of the" ,
-     CF =&gt; "Central African Republic" ,
-     CG =&gt; "Congo" ,
-     CH =&gt; "Switzerland" ,
-     CI =&gt; "Cote D'Ivoire" ,
-     CK =&gt; "Cook Islands" ,
-     CL =&gt; "Chile" ,
-     CM =&gt; "Cameroon" ,
-     CN =&gt; "China" ,
-     CO =&gt; "Colombia" ,
-     CR =&gt; "Costa Rica" ,
-     CU =&gt; "Cuba" ,
-     CV =&gt; "Cape Verde" ,
-     CX =&gt; "Christmas Island" ,
-     CY =&gt; "Cyprus" ,
-     CZ =&gt; "Czech Republic" ,
-     DE =&gt; "Germany" ,
-     DJ =&gt; "Djibouti" ,
-     DK =&gt; "Denmark" ,
-     DM =&gt; "Dominica" ,
-     DO =&gt; "Dominican Republic" ,
-     DZ =&gt; "Algeria" ,
-     EC =&gt; "Ecuador" ,
-     EE =&gt; "Estonia" ,
-     EG =&gt; "Egypt" ,
-     EH =&gt; "Western Sahara" ,
-     ER =&gt; "Eritrea" ,
-     ES =&gt; "Spain" ,
-     ET =&gt; "Ethiopia" ,
-     EU =&gt; "Europe" ,
-     FI =&gt; "Finland" ,
-     FJ =&gt; "Fiji" ,
-     FK =&gt; "Falkland Islands (Malvinas)" ,
-     FM =&gt; "Micronesia, Federated States of" ,
-     FO =&gt; "Faroe Islands" ,
-     FR =&gt; "France" ,
-     GA =&gt; "Gabon" ,
-     GB =&gt; "United Kingdom" ,
-     GD =&gt; "Grenada" ,
-     GE =&gt; "Georgia" ,
-     GF =&gt; "French Guiana" ,
-     GG =&gt; "Guernsey" ,
-     GH =&gt; "Ghana" ,
-     GI =&gt; "Gibraltar" ,
-     GL =&gt; "Greenland" ,
-     GM =&gt; "Gambia" ,
-     GN =&gt; "Guinea" ,
-     GP =&gt; "Guadeloupe" ,
-     GQ =&gt; "Equatorial Guinea" ,
-     GR =&gt; "Greece" ,
-     GS =&gt; "South Georgia and the South Sandwich Islands" ,
-     GT =&gt; "Guatemala" ,
-     GU =&gt; "Guam" ,
-     GW =&gt; "Guinea-Bissau" ,
-     GY =&gt; "Guyana" ,
-     HK =&gt; "Hong Kong" ,
-     HN =&gt; "Honduras" ,
-     HR =&gt; "Croatia" ,
-     HT =&gt; "Haiti" ,
-     HU =&gt; "Hungary" ,
-     ID =&gt; "Indonesia" ,
-     IE =&gt; "Ireland" ,
-     IL =&gt; "Israel" ,
-     IM =&gt; "Isle of Man" ,
-     IN =&gt; "India" ,
-     IO =&gt; "British Indian Ocean Territory" ,
-     IQ =&gt; "Iraq" ,
-     IR =&gt; "Iran, Islamic Republic of" ,
-     IS =&gt; "Iceland" ,
-     IT =&gt; "Italy" ,
-     JE =&gt; "Jersey" ,
-     JM =&gt; "Jamaica" ,
-     JO =&gt; "Jordan" ,
-     JP =&gt; "Japan" ,
-     KE =&gt; "Kenya" ,
-     KG =&gt; "Kyrgyzstan" ,
-     KH =&gt; "Cambodia" ,
-     KI =&gt; "Kiribati" ,
-     KM =&gt; "Comoros" ,
-     KN =&gt; "Saint Kitts and Nevis" ,
-     KP =&gt; "Korea, Democratic People's Republic of" ,
-     KR =&gt; "Korea, Republic of" ,
-     KW =&gt; "Kuwait" ,
-     KY =&gt; "Cayman Islands" ,
-     KZ =&gt; "Kazakhstan" ,
-     LA =&gt; "Lao People's Democratic Republic" ,
-     LB =&gt; "Lebanon" ,
-     LC =&gt; "Saint Lucia" ,
-     LI =&gt; "Liechtenstein" ,
-     LK =&gt; "Sri Lanka" ,
-     LR =&gt; "Liberia" ,
-     LS =&gt; "Lesotho" ,
-     LT =&gt; "Lithuania" ,
-     LU =&gt; "Luxembourg" ,
-     LV =&gt; "Latvia" ,
-     LY =&gt; "Libyan Arab Jamahiriya" ,
-     MA =&gt; "Morocco" ,
-     MC =&gt; "Monaco" ,
-     MD =&gt; "Moldova, Republic of" ,
-     ME =&gt; "Montenegro" ,
-     MG =&gt; "Madagascar" ,
-     MH =&gt; "Marshall Islands" ,
-     MK =&gt; "Macedonia" ,
-     ML =&gt; "Mali" ,
-     MM =&gt; "Myanmar" ,
-     MN =&gt; "Mongolia" ,
-     MO =&gt; "Macau" ,
-     MP =&gt; "Northern Mariana Islands" ,
-     MQ =&gt; "Martinique" ,
-     MR =&gt; "Mauritania" ,
-     MS =&gt; "Montserrat" ,
-     MT =&gt; "Malta" ,
-     MU =&gt; "Mauritius" ,
-     MV =&gt; "Maldives" ,
-     MW =&gt; "Malawi" ,
-     MX =&gt; "Mexico" ,
-     MY =&gt; "Malaysia" ,
-     MZ =&gt; "Mozambique" ,
-     NA =&gt; "Namibia" ,
-     NC =&gt; "New Caledonia" ,
-     NE =&gt; "Niger" ,
-     NF =&gt; "Norfolk Island" ,
-     NG =&gt; "Nigeria" ,
-     NI =&gt; "Nicaragua" ,
-     NL =&gt; "Netherlands" ,
-     NO =&gt; "Norway" ,
-     NP =&gt; "Nepal" ,
-     NR =&gt; "Nauru" ,
-     NU =&gt; "Niue" ,
-     NZ =&gt; "New Zealand" ,
-     OM =&gt; "Oman" ,
-     PA =&gt; "Panama" ,
-     PE =&gt; "Peru" ,
-     PF =&gt; "French Polynesia" ,
-     PG =&gt; "Papua New Guinea" ,
-     PH =&gt; "Philippines" ,
-     PK =&gt; "Pakistan" ,
-     PL =&gt; "Poland" ,
-     PM =&gt; "Saint Pierre and Miquelon" ,
-     PR =&gt; "Puerto Rico" ,
-     PS =&gt; "Palestinian Territory, Occupied" ,
-     PT =&gt; "Portugal" ,
-     PW =&gt; "Palau" ,
-     PY =&gt; "Paraguay" ,
-     QA =&gt; "Qatar" ,
-     RE =&gt; "Reunion" ,
-     RO =&gt; "Romania" ,
-     RS =&gt; "Serbia" ,
-     RU =&gt; "Russian Federation" ,
-     RW =&gt; "Rwanda" ,
-     SA =&gt; "Saudi Arabia" ,
-     SB =&gt; "Solomon Islands" ,
-     SC =&gt; "Seychelles" ,
-     SD =&gt; "Sudan" ,
-     SE =&gt; "Sweden" ,
-     SG =&gt; "Singapore" ,
-     SH =&gt; "Saint Helena" ,
-     SI =&gt; "Slovenia" ,
-     SJ =&gt; "Svalbard and Jan Mayen" ,
-     SK =&gt; "Slovakia" ,
-     SL =&gt; "Sierra Leone" ,
-     SM =&gt; "San Marino" ,
-     SN =&gt; "Senegal" ,
-     SO =&gt; "Somalia" ,
-     SR =&gt; "Suriname" ,
-     ST =&gt; "Sao Tome and Principe" ,
-     SV =&gt; "El Salvador" ,
-     SY =&gt; "Syrian Arab Republic" ,
-     SZ =&gt; "Swaziland" ,
-     TC =&gt; "Turks and Caicos Islands" ,
-     TD =&gt; "Chad" ,
-     TF =&gt; "French Southern Territories" ,
-     TG =&gt; "Togo" ,
-     TH =&gt; "Thailand" ,
-     TJ =&gt; "Tajikistan" ,
-     TK =&gt; "Tokelau" ,
-     TL =&gt; "Timor-Leste" ,
-     TM =&gt; "Turkmenistan" ,
-     TN =&gt; "Tunisia" ,
-     TO =&gt; "Tonga" ,
-     TR =&gt; "Turkey" ,
-     TT =&gt; "Trinidad and Tobago" ,
-     TV =&gt; "Tuvalu" ,
-     TW =&gt; "Taiwan" ,
-     TZ =&gt; "Tanzania, United Republic of" ,
-     UA =&gt; "Ukraine" ,
-     UG =&gt; "Uganda" ,
-     UM =&gt; "United States Minor Outlying Islands" ,
-     US =&gt; "United States" ,
-     UY =&gt; "Uruguay" ,
-     UZ =&gt; "Uzbekistan" ,
-     VA =&gt; "Holy See (Vatican City State)" ,
-     VC =&gt; "Saint Vincent and the Grenadines" ,
-     VE =&gt; "Venezuela" ,
-     VG =&gt; "Virgin Islands, British" ,
-     VI =&gt; "Virgin Islands, U.S." ,
-     VN =&gt; "Vietnam" ,
-     VU =&gt; "Vanuatu" ,
-     WF =&gt; "Wallis and Futuna" ,
-     WS =&gt; "Samoa" ,
-     YE =&gt; "Yemen" ,
-     YT =&gt; "Mayotte" ,
-     ZA =&gt; "South Africa" ,
-     ZM =&gt; "Zambia" ,
-     ZW =&gt; "Zimbabwe" ,
-</programlisting>
-  </section>
-
-  <section>
-    <title>IPv6</title>
-
-    <programlisting>     AD =&gt;  "Andorra" ,
-     AE =&gt;  "United Arab Emirates" ,
-     AF =&gt;  "Afghanistan" ,
-     AL =&gt;  "Albania" ,
-     AM =&gt;  "Armenia" ,
-     AO =&gt;  "Angola" ,
-     AP =&gt;  "Asia/Pacific Region" ,
-     AR =&gt;  "Argentina" ,
-     AS =&gt;  "American Samoa" ,
-     AT =&gt;  "Austria" ,
-     AU =&gt;  "Australia" ,
-     AW =&gt;  "Aruba" ,
-     AZ =&gt;  "Azerbaijan" ,
-     BA =&gt;  "Bosnia and Herzegovina" ,
-     BD =&gt;  "Bangladesh" ,
-     BE =&gt;  "Belgium" ,
-     BF =&gt;  "Burkina Faso" ,
-     BG =&gt;  "Bulgaria" ,
-     BH =&gt;  "Bahrain" ,
-     BI =&gt;  "Burundi" ,
-     BJ =&gt;  "Benin" ,
-     BM =&gt;  "Bermuda" ,
-     BN =&gt;  "Brunei Darussalam" ,
-     BO =&gt;  "Bolivia" ,
-     BR =&gt;  "Brazil" ,
-     BS =&gt;  "Bahamas" ,
-     BT =&gt;  "Bhutan" ,
-     BW =&gt;  "Botswana" ,
-     BY =&gt;  "Belarus" ,
-     BZ =&gt;  "Belize" ,
-     CA =&gt;  "Canada" ,
-     CD =&gt;  "Congo, The Democratic Republic of the" ,
-     CH =&gt;  "Switzerland" ,
-     CI =&gt;  "Cote D'Ivoire" ,
-     CK =&gt;  "Cook Islands" ,
-     CL =&gt;  "Chile" ,
-     CM =&gt;  "Cameroon" ,
-     CN =&gt;  "China" ,
-     CO =&gt;  "Colombia" ,
-     CR =&gt;  "Costa Rica" ,
-     CU =&gt;  "Cuba" ,
-     CW =&gt;  "" ,
-     CY =&gt;  "Cyprus" ,
-     CZ =&gt;  "Czech Republic" ,
-     DE =&gt;  "Germany" ,
-     DJ =&gt;  "Djibouti" ,
-     DK =&gt;  "Denmark" ,
-     DO =&gt;  "Dominican Republic" ,
-     DZ =&gt;  "Algeria" ,
-     EC =&gt;  "Ecuador" ,
-     EE =&gt;  "Estonia" ,
-     EG =&gt;  "Egypt" ,
-     ES =&gt;  "Spain" ,
-     EU =&gt;  "Europe" ,
-     FI =&gt;  "Finland" ,
-     FJ =&gt;  "Fiji" ,
-     FM =&gt;  "Micronesia, Federated States of" ,
-     FO =&gt;  "Faroe Islands" ,
-     FR =&gt;  "France" ,
-     GB =&gt;  "United Kingdom" ,
-     GD =&gt;  "Grenada" ,
-     GE =&gt;  "Georgia" ,
-     GG =&gt;  "Guernsey" ,
-     GH =&gt;  "Ghana" ,
-     GI =&gt;  "Gibraltar" ,
-     GL =&gt;  "Greenland" ,
-     GM =&gt;  "Gambia" ,
-     GP =&gt;  "Guadeloupe" ,
-     GR =&gt;  "Greece" ,
-     GT =&gt;  "Guatemala" ,
-     GU =&gt;  "Guam" ,
-     GY =&gt;  "Guyana" ,
-     HK =&gt;  "Hong Kong" ,
-     HN =&gt;  "Honduras" ,
-     HR =&gt;  "Croatia" ,
-     HT =&gt;  "Haiti" ,
-     HU =&gt;  "Hungary" ,
-     ID =&gt;  "Indonesia" ,
-     IE =&gt;  "Ireland" ,
-     IL =&gt;  "Israel" ,
-     IM =&gt;  "Isle of Man" ,
-     IN =&gt;  "India" ,
-     IQ =&gt;  "Iraq" ,
-     IR =&gt;  "Iran, Islamic Republic of" ,
-     IS =&gt;  "Iceland" ,
-     IT =&gt;  "Italy" ,
-     JE =&gt;  "Jersey" ,
-     JM =&gt;  "Jamaica" ,
-     JO =&gt;  "Jordan" ,
-     JP =&gt;  "Japan" ,
-     KE =&gt;  "Kenya" ,
-     KG =&gt;  "Kyrgyzstan" ,
-     KH =&gt;  "Cambodia" ,
-     KN =&gt;  "Saint Kitts and Nevis" ,
-     KR =&gt;  "Korea, Republic of" ,
-     KW =&gt;  "Kuwait" ,
-     KY =&gt;  "Cayman Islands" ,
-     KZ =&gt;  "Kazakhstan" ,
-     LA =&gt;  "Lao People's Democratic Republic" ,
-     LB =&gt;  "Lebanon" ,
-     LI =&gt;  "Liechtenstein" ,
-     LK =&gt;  "Sri Lanka" ,
-     LS =&gt;  "Lesotho" ,
-     LT =&gt;  "Lithuania" ,
-     LU =&gt;  "Luxembourg" ,
-     LV =&gt;  "Latvia" ,
-     LY =&gt;  "Libyan Arab Jamahiriya" ,
-     MA =&gt;  "Morocco" ,
-     MC =&gt;  "Monaco" ,
-     MD =&gt;  "Moldova, Republic of" ,
-     ME =&gt;  "Montenegro" ,
-     MG =&gt;  "Madagascar" ,
-     MH =&gt;  "Marshall Islands" ,
-     MK =&gt;  "Macedonia" ,
-     ML =&gt;  "Mali" ,
-     MM =&gt;  "Myanmar" ,
-     MN =&gt;  "Mongolia" ,
-     MO =&gt;  "Macau" ,
-     MT =&gt;  "Malta" ,
-     MU =&gt;  "Mauritius" ,
-     MV =&gt;  "Maldives" ,
-     MW =&gt;  "Malawi" ,
-     MX =&gt;  "Mexico" ,
-     MY =&gt;  "Malaysia" ,
-     MZ =&gt;  "Mozambique" ,
-     NA =&gt;  "Namibia" ,
-     NC =&gt;  "New Caledonia" ,
-     NF =&gt;  "Norfolk Island" ,
-     NG =&gt;  "Nigeria" ,
-     NI =&gt;  "Nicaragua" ,
-     NL =&gt;  "Netherlands" ,
-     NO =&gt;  "Norway" ,
-     NP =&gt;  "Nepal" ,
-     NR =&gt;  "Nauru" ,
-     NU =&gt;  "Niue" ,
-     NZ =&gt;  "New Zealand" ,
-     OM =&gt;  "Oman" ,
-     PA =&gt;  "Panama" ,
-     PE =&gt;  "Peru" ,
-     PF =&gt;  "French Polynesia" ,
-     PG =&gt;  "Papua New Guinea" ,
-     PH =&gt;  "Philippines" ,
-     PK =&gt;  "Pakistan" ,
-     PL =&gt;  "Poland" ,
-     PR =&gt;  "Puerto Rico" ,
-     PS =&gt;  "Palestinian Territory" ,
-     PT =&gt;  "Portugal" ,
-     PW =&gt;  "Palau" ,
-     PY =&gt;  "Paraguay" ,
-     QA =&gt;  "Qatar" ,
-     RO =&gt;  "Romania" ,
-     RS =&gt;  "Serbia" ,
-     RU =&gt;  "Russian Federation" ,
-     RW =&gt;  "Rwanda" ,
-     SA =&gt;  "Saudi Arabia" ,
-     SB =&gt;  "Solomon Islands" ,
-     SC =&gt;  "Seychelles" ,
-     SD =&gt;  "Sudan" ,
-     SE =&gt;  "Sweden" ,
-     SG =&gt;  "Singapore" ,
-     SI =&gt;  "Slovenia" ,
-     SK =&gt;  "Slovakia" ,
-     SL =&gt;  "Sierra Leone" ,
-     SM =&gt;  "San Marino" ,
-     SN =&gt;  "Senegal" ,
-     SO =&gt;  "Somalia" ,
-     ST =&gt;  "Sao Tome and Principe" ,
-     SV =&gt;  "El Salvador" ,
-     SY =&gt;  "Syrian Arab Republic" ,
-     SZ =&gt;  "Swaziland" ,
-     TH =&gt;  "Thailand" ,
-     TK =&gt;  "Tokelau" ,
-     TN =&gt;  "Tunisia" ,
-     TO =&gt;  "Tonga" ,
-     TR =&gt;  "Turkey" ,
-     TT =&gt;  "Trinidad and Tobago" ,
-     TV =&gt;  "Tuvalu" ,
-     TW =&gt;  "Taiwan" ,
-     TZ =&gt;  "Tanzania, United Republic of" ,
-     UA =&gt;  "Ukraine" ,
-     UG =&gt;  "Uganda" ,
-     US =&gt;  "United States" ,
-     UY =&gt;  "Uruguay" ,
-     UZ =&gt;  "Uzbekistan" ,
-     VA =&gt;  "Holy See (Vatican City State)" ,
-     VE =&gt;  "Venezuela" ,
-     VI =&gt;  "Virgin Islands, U.S." ,
-     VN =&gt;  "Vietnam" ,
-     VU =&gt;  "Vanuatu" ,
-     WS =&gt;  "Samoa" ,
-     YE =&gt;  "Yemen" ,
-     ZA =&gt;  "South Africa" ,
-     ZM =&gt;  "Zambia" ,
-     ZW =&gt;  "Zimbabwe" ,
-</programlisting>
-  </section>
-</article>
--- a/docs/Install.xml
+++ b/docs/Install.xml
@@ -564,6 +564,14 @@
              role="bold">sharedir</emphasis>.</para>
            </listitem>
          </varlistentry>
+
+          <varlistentry>
+            <term>sysconfdir</term>
+
+            <listitem>
+              <para>Alias for <emphasis role="bold">confdir</emphasis>.</para>
+            </listitem>
+          </varlistentry>
        </variablelist>

        <para>Note that %configure may dsgenerate option/value pairs that are
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
Tom Eastep	746a363d41	Add some decimal->hex convertions in routing rules. Signed-off-by: Tom Eastep <teastep@shorewall.net>	2012-05-10 11:11:15 -07:00
Tom Eastep	6e5b07c804	Deprecate the current TPROXY implementation. Signed-off-by: Tom Eastep <teastep@shorewall.net>	2012-05-10 11:02:08 -07:00
Tom Eastep	865078f925	Allow Shorewall::Config::in_hex() to accept an argument already expressed in hex. Signed-off-by: Tom Eastep <teastep@shorewall.net>	2012-05-10 07:29:59 -07:00