Yet another fix for TTL/HL

Signed-off-by: Tom Eastep <teastep@shorewall.net>
Ensure that the .service files run the utility in ${SBINDIR}
2012-09-24 16:23:15 -07:00 · 2012-09-24 14:32:20 -07:00 · 2012-09-24 14:25:31 -07:00 · 2012-09-24 08:44:07 -07:00 · 2012-09-24 07:14:44 -07:00 · 2012-09-23 12:19:41 -07:00
138 changed files with 5512 additions and 992 deletions
--- a/Shorewall-core/configure
+++ b/Shorewall-core/configure
@@ -76,7 +76,7 @@ for p in $@; do
 		    pn=HOST
 		    ;;
 		SHAREDSTATEDIR)
-		    pn=VARDIR
+		    pn=VARLIB
 		    ;;
 		DATADIR)
 		    pn=SHAREDIR
@@ -161,6 +161,17 @@ if [ $# -gt 0 ]; then
    echo '#'           >> shorewallrc
 fi

+if [ -n "${options[VARLIB]}" ]; then
+    if [ -z "${options[VARDIR]}" ]; then
+	options[VARDIR]='${VARLIB}/${PRODUCT}'
+    fi
+elif [ -n "${options[VARDIR]}" ]; then
+    if [ -z "{$options[VARLIB]}" ]; then
+	options[VARLIB]=${options[VARDIR]}
+	options[VARDIR]='${VARLIB}/${PRODUCT}'
+    fi
+fi
+
 for on in \
    HOST \
    PREFIX \
@@ -180,6 +191,7 @@ for on in \
    SYSCONFDIR \
    SPARSE \
    ANNOTATED \
+    VARLIB \
    VARDIR
 do
    echo "$on=${options[${on}]}"
--- a/Shorewall-core/configure.pl
+++ b/Shorewall-core/configure.pl
@@ -38,7 +38,7 @@ my %params;
 my %options;

 my %aliases = ( VENDOR         => 'HOST',
-		SHAREDSTATEDIR => 'VARDIR',
+		SHAREDSTATEDIR => 'VARLIB',
 		DATADIR        => 'SHAREDIR' );

 for ( @ARGV ) {
@@ -123,6 +123,15 @@ printf $outfile "#\n# Created by Shorewall Core version %s configure.pl - %s %2d

 print  $outfile "# Input: @ARGV\n#\n" if @ARGV;

+if ( $options{VARLIB} ) {
+    unless ( $options{VARDIR} ) {
+	$options{VARDIR} = '${VARLIB}/${PRODUCT}';
+    }
+} elsif ( $options{VARDIR} ) {
+    $options{VARLIB} = $options{VARDIR};
+    $options{VARDIR} = '${VARLIB}/${PRODUCT}';
+}
+
 for ( qw/ HOST
 	  PREFIX
 	  SHAREDIR
@@ -141,6 +150,7 @@ for ( qw/ HOST
 	  SYSCONFDIR
 	  SPARSE
 	  ANNOTATED
+	  VARLIB
 	  VARDIR / ) {

    my $val = $options{$_} || '';
--- a/Shorewall-core/install.sh
+++ b/Shorewall-core/install.sh
@@ -164,7 +164,18 @@ else
    usage 1
 fi

-for var in SHAREDIR LIBEXECDIR PERLLIBDIR CONFDIR SBINDIR VARDIR; do
+update=0
+
+if [ -z "${VARLIB}" ]; then
+    VARLIB=${VARDIR}
+    VARDIR="${VARLIB}/${PRODUCT}"
+    update=1
+elif [ -z "${VARDIR}" ]; then
+    VARDIR="${VARLIB}/${PRODUCT}"
+    update=2
+fi
+
+for var in SHAREDIR LIBEXECDIR PERLLIBDIR CONFDIR SBINDIR VARLIB VARDIR; do
    require $var
 done

@@ -346,9 +357,25 @@ ln -sf lib.base ${DESTDIR}${SHAREDIR}/shorewall/functions
 echo "$VERSION" > ${DESTDIR}${SHAREDIR}/shorewall/coreversion
 chmod 644 ${DESTDIR}${SHAREDIR}/shorewall/coreversion

-[ $file != "${SHAREDIR}/shorewall/shorewallrc" ] && cp $file ${DESTDIR}${SHAREDIR}/shorewall/shorewallrc
+if [ -z "${DESTDIR}" ]; then
+    if [ $update -ne 0 ]; then
+	echo "Updating $file - original saved in $file.bak"

-[ -z "${DESTDIR}" ] && [ ! -f ~/.shorewallrc ] && cp ${SHAREDIR}/shorewall/shorewallrc ~/.shorewallrc
+	cp $file $file.bak
+
+	echo '#'                                             >> $file
+	echo "# Updated by Shorewall-core $VERSION -" `date` >> $file
+	echo '#'                                             >> $file
+
+	[ $update -eq 1 ] && sed -i 's/VARDIR/VARLIB/' $file
+
+	echo 'VARDIR=${VARLIB}/${PRODUCT}' >> $file
+    fi
+
+    [ ! -f ~/.shorewallrc ] && cp ${SHAREDIR}/shorewall/shorewallrc ~/.shorewallrc
+fi
+
+[ $file != "${DESTDIR}${SHAREDIR}/shorewall/shorewallrc" ] && cp $file ${DESTDIR}${SHAREDIR}/shorewall/shorewallrc

 if [ ${SHAREDIR} != /usr/share ]; then
    for f in lib.*; do
--- a/Shorewall-core/lib.base
+++ b/Shorewall-core/lib.base
@@ -42,7 +42,6 @@ if [ -z "$g_readrc" ]; then
    g_sharedir="$SHAREDIR"/$g_program
    g_sbindir="$SBINDIR"
    g_perllib="$PERLLIBDIR"
-    g_vardir="$VARDIR"
    g_confdir="$CONFDIR"/$g_program
    g_readrc=1
 fi
@@ -76,7 +75,12 @@ case $g_program in
 	;;
 esac

-VARDIR=${VARDIR}/${g_program}
+if [ -z "${VARLIB}" ]; then
+    VARLIB=${VARDIR}
+    VARDIR=${VARLIB}/$g_program
+elif [ -z "${VARDIR}" ]; then
+    VARDIR="${VARLIB}/${PRODUCT}"
+fi

 #
 # Conditionally produce message
--- a/Shorewall-core/lib.cli
+++ b/Shorewall-core/lib.cli
@@ -621,7 +621,7 @@ show_nfacct() {
 	NFACCT=
    else
 	NFACCT=$(mywhich nfacct)
-	[ -n "$NFACCT" ] || "No NF Accounting defined"
+	[ -n "$NFACCT" ] || echo "No NF Accounting defined (nfacct not found)"
    fi

    if [ -n "$NFACCT" ]; then
@@ -1216,6 +1216,8 @@ do_dump_command() {
 	brctl show
    fi

+    show_routing
+
    if [ $g_family -eq 4 ]; then
 	heading "Per-IP Counters"

@@ -1252,8 +1254,6 @@ do_dump_command() {
 	done
    fi

-    show_routing
-
    if [ $g_family -eq 4 ]; then
 	heading "ARP"
 	arp -na
@@ -2020,6 +2020,21 @@ determine_capabilities() {
    GEOIP_MATCH=
    RPFILTER_MATCH=
    NFACCT_MATCH=
+    AMANDA_HELPER=
+    FTP_HELPER=
+    FTP0_HELPER=
+    IRC_HELPER=
+    IRC0_HELPER=
+    NETBIOS_NS_HELPER=
+    H323_HELPER=
+    PPTP_HELPER=
+    SANE_HELPER=
+    SANE0_HELPER=
+    SIP_HELPER=
+    SIP0_HELPER=
+    SNMP_HELPER=
+    TFTP_HELPER=
+    TFTP0_HELPER=

    chain=fooX$$

@@ -2173,15 +2188,36 @@ determine_capabilities() {
 	qt $g_tool -t mangle -L FORWARD -n && MANGLE_FORWARD=Yes
    fi

-    qt $g_tool -t raw	    -L -n && RAW_TABLE=Yes
+    qt $g_tool -t raw	  -L -n && RAW_TABLE=Yes
    qt $g_tool -t rawpost -L -n && RAWPOST_TABLE=Yes

    if [ -n "$RAW_TABLE" ]; then
-	qt $g_tool -t raw -N $chain
-	qt $g_tool -t raw -A $chain -j CT --notrack && CT_TARGET=Yes
-	qt $g_tool -t raw -N $chain
 	qt $g_tool -t raw -F $chain
 	qt $g_tool -t raw -X $chain
+	qt $g_tool -t raw -N $chain
+	
+	if qt $g_tool -t raw -A $chain -j CT --notrack; then
+	    CT_TARGET=Yes;
+
+	    qt $g_tool -t raw -A $chain -p udp --dport 10080 -j CT --helper amanda     && AMANDA_HELPER=Yes
+	    qt $g_tool -t raw -A $chain -p tcp --dport 21    -j CT --helper ftp        && FTP_HELPER=Yes
+	    qt $g_tool -t raw -A $chain -p tcp --dport 21    -j CT --helper ftp-0      && FTP0_HELPER=Yes
+	    qt $g_tool -t raw -A $chain -p udp --dport 1719  -j CT --helper RAS        && H323_HELPER=Yes
+	    qt $g_tool -t raw -A $chain -p tcp --dport 6667  -j CT --helper irc        && IRC_HELPER=Yes
+	    qt $g_tool -t raw -A $chain -p tcp --dport 6667  -j CT --helper irc-0      && IRC0_HELPER=Yes
+	    qt $g_tool -t raw -A $chain -p udp --dport 137   -j CT --helper netbios-ns && NETBIOS_NS_HELPER=Yes
+	    qt $g_tool -t raw -A $chain -p tcp --dport 1729  -j CT --helper pptp       && PPTP_HELPER=Yes
+	    qt $g_tool -t raw -A $chain -p tcp --dport 6566  -j CT --helper sane       && SANE_HELPER=Yes
+	    qt $g_tool -t raw -A $chain -p tcp --dport 6566  -j CT --helper sane-0     && SANE0_HELPER=Yes
+	    qt $g_tool -t raw -A $chain -p udp --dport 5060  -j CT --helper sip        && SIP_HELPER=Yes
+	    qt $g_tool -t raw -A $chain -p udp --dport 5060  -j CT --helper sip-0      && SIP0_HELPER=Yes
+	    qt $g_tool -t raw -A $chain -p udp --dport 161   -j CT --helper snmp       && SNMP_HELPER=Yes
+	    qt $g_tool -t raw -A $chain -p udp --dport 69    -j CT --helper tftp       && TFTP_HELPER=Yes
+	    qt $g_tool -t raw -A $chain -p udp --dport 69    -j CT --helper tftp-0     && TFTP0_HELPER=Yes
+	fi
+
+	qt $g_tool -t raw -F $chain
+	qt $g_tool -t raw -X $chain	   
    fi

    if qt mywhich ipset; then
@@ -2199,10 +2235,10 @@ determine_capabilities() {

 	    if [ -n "$have_ipset" ]; then
 		if qt $g_tool -A $chain -m set --match-set $chain src -j ACCEPT; then
-		    qt $g_tool -D $chain -m set --match-set $chain src -j ACCEPT
+		    qt $g_tool -F $chain
 		    IPSET_MATCH=Yes
 		elif qt $g_tool -A $chain -m set --set $chain src -j ACCEPT; then
-		    qt $g_tool -D $chain -m set --set $chain src -j ACCEPT
+		    qt $g_tool -F $chain
 		    IPSET_MATCH=Yes
 		    OLD_IPSET_MATCH=Yes
 		fi
@@ -2211,10 +2247,10 @@ determine_capabilities() {
 	elif qt ipset -N $chain hash:ip family inet6; then
 	    IPSET_V5=Yes
 	    if qt $g_tool -A $chain -m set --match-set $chain src -j ACCEPT; then
-		qt $g_tool -D $chain -m set --match-set $chain src -j ACCEPT
+		qt $g_tool -F $chain
 		IPSET_MATCH=Yes
 	    elif qt $g_tool -A $chain -m set --set $chain src -j ACCEPT; then
-		qt $g_tool -D $chain -m set --set $chain src -j ACCEPT
+		qt $g_tool -F $chain
 		IPSET_MATCH=Yes
 		OLD_IPSET_MATCH=Yes
 	    fi
@@ -2232,7 +2268,28 @@ determine_capabilities() {
    fi
    qt $g_tool -A $chain -j NFQUEUE --queue-num 4 && NFQUEUE_TARGET=Yes
    qt $g_tool -A $chain -m realm --realm 4 && REALM_MATCH=Yes
-    qt $g_tool -A $chain -m helper --helper "ftp" && HELPER_MATCH=Yes
+
+    #
+    # -m helper doesn't verify the existence of the specified helper :-(
+    #
+    if qt $g_tool -A $chain -p tcp --dport 21 -m helper --helper ftp; then
+	HELPER_MATCH=Yes
+
+	if [ -z "$CT_TARGET" ]; then
+	    AMANDA_HELPER=Yes
+	    FTP_HELPER=Yes
+	    FTP_HELPER=Yes
+	    H323_HELPER=Yes
+	    IRC_HELPER=Yes
+	    NS_HELPER=Yes
+	    PPTP_HELPER=Yes
+	    SANE_HELPER=Yes
+	    SIP_HELPER=Yes
+	    SNMP_HELPER=Yes
+	    TFTP_HELPER=Yes
+	fi
+    fi
+
    qt $g_tool -A $chain -m connlimit --connlimit-above 8 -j DROP && CONNLIMIT_MATCH=Yes
    qt $g_tool -A $chain -m time --timestart 23:00 -j DROP && TIME_MATCH=Yes
    qt $g_tool -A $chain -g $chain1 && GOTO_TARGET=Yes
@@ -2360,6 +2417,21 @@ report_capabilities() {
 	report_capability "Geo IP match" $GEOIP_MATCH
 	report_capability "RPFilter match" $RPFILTER_MATCH
 	report_capability "NFAcct match" $NFACCT_MATCH
+	report_capability "Amanda Helper" $AMANDA_HELPER
+	report_capability "FTP Helper" $FTP_HELPER
+	report_capability "FTP-0 Helper" $FTP0_HELPER
+	report_capability "IRC Helper" $IRC_HELPER
+	report_capability "IRC-0 Helper" $IRC0_HELPER
+	report_capability "Netbios_ns Helper" $NETBIOS_NS_HELPER
+	report_capability "H323 Helper" $H323_HELPER
+	report_capability "PPTP Helper" $PPTP_HELPER
+	report_capability "SANE Helper" $SANE_HELPER
+	report_capability "SANE-0 Helper" $SANE0_HELPER
+	report_capability "SIP Helper" $SIP_HELPER
+	report_capability "SIP-0 Helper" $SIP0_HELPER
+	report_capability "SNMP Helper" $SNMP_HELPER
+	report_capability "TFTP Helper" $TFTP_HELPER
+	report_capability "TFTP-0 Helper" $TFTP0_HELPER

 	if [ $g_family -eq 4 ]; then
 	    report_capability "iptables -S (IPTABLES_S)" $IPTABLES_S
@@ -2369,6 +2441,9 @@ report_capabilities() {

 	report_capability "Basic Filter (BASIC_FILTER)" $BASIC_FILTER
 	report_capability "CT Target (CT_TARGET)" $CT_TARGET
+
+	echo "   Kernel Version (KERNELVERSION): $KERNELVERSION"
+	echo "   Capabilities Version (CAPVERSION): $CAPVERSION"
    fi

    [ -n "$PKTTYPE" ] || USEPKTTYPE=
@@ -2453,6 +2528,21 @@ report_capabilities1() {
    report_capability1 GEOIP_MATCH
    report_capability1 RPFILTER_MATCH
    report_capability1 NFACCT_MATCH
+    report_capability1 AMANDA_HELPER
+    report_capability1 FTP_HELPER
+    report_capability1 FTP0_HELPER
+    report_capability1 IRC_HELPER
+    report_capability1 IRC0_HELPER
+    report_capability1 NETBIOS_NS_HELPER
+    report_capability1 H323_HELPER
+    report_capability1 PPTP_HELPER
+    report_capability1 SANE_HELPER
+    report_capability1 SANE0_HELPER
+    report_capability1 SIP_HELPER
+    report_capability1 SIP0_HELPER
+    report_capability1 SNMP_HELPER
+    report_capability1 TFTP_HELPER
+    report_capability1 TFTP0_HELPER

    echo CAPVERSION=$SHOREWALL_CAPVERSION
    echo KERNELVERSION=$KERNELVERSION
@@ -2989,9 +3079,16 @@ usage() # $1 = exit status
    echo "   show connections"
    echo "   show filters"
    echo "   show ip"
+
+    if [ $g_family -eq 4 ]; then
+	echo "   show ipa"
+    fi
+
    echo "   show [ -m ] log [<regex>]"
-    echo "   show [ -x ] mangle|nat|raw|rawpost|routing"
+    echo "   show [ -x ] mangle|nat|raw|rawpost"
+    echo "   show nfacct"
    echo "   show policies"
+    echo "   show routing"
    echo "   show tc [ device ]"
    echo "   show vardir"
    echo "   show zones"
@@ -3042,7 +3139,7 @@ shorewall_cli() {
    g_shorewalldir=

    VERBOSE=
-    VERBOSITY=
+    VERBOSITY=1

    [ -n "$g_lite" ] || . ${g_basedir}/lib.cli-std

--- a/Shorewall-core/shorewallrc.apple
+++ b/Shorewall-core/shorewallrc.apple
@@ -17,4 +17,4 @@ ANNOTATED=                             #Unused on OS X
 SYSTEMD=                               #Unused on OS X
 SYSCONFDIR=                            #Unused on OS X
 SPARSE=Yes                             #Only install $PRODUCT/$PRODUCT.conf in $CONFDIR.
-VARDIR=/var/lib                        #Unused on OS X
+VARLIB=/var/lib                        #Unused on OS X
--- a/Shorewall-core/shorewallrc.archlinux
+++ b/Shorewall-core/shorewallrc.archlinux
@@ -17,4 +17,5 @@ ANNOTATED=                             #If non-zero, annotated configuration fil
 SYSCONFDIR=                            #Directory where SysV init parameter files are installed
 SYSTEMD=                               #Directory where .service files are installed (systems running systemd only)
 SPARSE=                                #If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR
-VARDIR=/var/lib                        #Directory where product variable data is stored.
+VARLIB=/var/lib                        #Directory where product variable data is stored.
+VARDIR=${VARLIB}/$PRODUCT              #Directory where product variable data is stored.
--- a/Shorewall-core/shorewallrc.cygwin
+++ b/Shorewall-core/shorewallrc.cygwin
@@ -17,4 +17,4 @@ ANNOTATED=                            #Unused on Cygwin
 SYSTEMD=                              #Unused on Cygwin
 SYSCONFDIR=                           #Unused on Cygwin
 SPARSE=Yes                            #Only install $PRODUCT/$PRODUCT.conf in $CONFDIR.
-VARDIR=/var/lib                       #Unused on Cygwin
+VARLIB=/var/lib                       #Unused on Cygwin
--- a/Shorewall-core/shorewallrc.debian
+++ b/Shorewall-core/shorewallrc.debian
@@ -18,4 +18,5 @@ SYSCONFFILE=default.debian              #Name of the distributed file to be inst
 SYSCONFDIR=/etc/default                 #Directory where SysV init parameter files are installed
 SYSTEMD=                                #Directory where .service files are installed (systems running systemd only)
 SPARSE=Yes                              #If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR
-VARDIR=/var/lib                         #Directory where product variable data is stored.
+VARLIB=/var/lib                         #Directory where product variable data is stored.
+VARDIR=${VARLIB}/$PRODUCT               #Directory where product variable data is stored.
--- a/Shorewall-core/shorewallrc.default
+++ b/Shorewall-core/shorewallrc.default
@@ -18,4 +18,5 @@ SYSTEMD=                                #Directory where .service files are inst
 SYSCONFFILE=                            #Name of the distributed file to be installed in $SYSCONFDIR
 SYSCONFDIR=                             #Directory where SysV init parameter files are installed
 SPARSE=                                 #If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR
-VARDIR=/var/lib                         #Directory where product variable data is stored.
+VARLIB=/var/lib                         #Directory where product variable data is stored.
+VARDIR=${VARLIB}/$PRODUCT               #Directory where product variable data is stored.
--- a/Shorewall-core/shorewallrc.redhat
+++ b/Shorewall-core/shorewallrc.redhat
@@ -18,4 +18,5 @@ SYSTEMD=/lib/systemd/system             #Directory where .service files are inst
 SYSCONFFILE=sysconfig                   #Name of the distributed file to be installed as $SYSCONFDIR/$PRODUCT
 SYSCONFDIR=/etc/sysconfig/              #Directory where SysV init parameter files are installed
 SPARSE=                                 #If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR
-VARDIR=/var/lib                         #Directory where product variable data is stored.
+VARLIB=/var/lib                         #Directory where product variable data is stored.
+VARDIR=${VARLIB}/$PRODUCT               #Directory where product variable data is stored.
--- a/Shorewall-core/shorewallrc.slackware
+++ b/Shorewall-core/shorewallrc.slackware
@@ -19,4 +19,5 @@ SYSTEMD=                                   #Name of the directory where .service
 SYSCONFFILE=                               #Name of the distributed file to be installed in $SYSCONFDIR
 SYSCONFDIR=                                #Name of the directory where SysV init parameter files are installed.
 ANNOTATED=                                 #If non-empty, install annotated configuration files
-VARDIR=/var/lib                            #Directory where product variable data is stored.
+VARLIB=/var/lib                            #Directory where product variable data is stored.
+VARDIR=${VARLIB}/$PRODUCT                  #Directory where product variable data is stored.
--- a/Shorewall-core/shorewallrc.suse
+++ b/Shorewall-core/shorewallrc.suse
@@ -12,10 +12,11 @@ SBINDIR=/sbin                                         #Directory where system ad
 MANDIR=${SHAREDIR}/man/                               #Directory where manpages are installed.
 INITDIR=/etc/init.d                                   #Directory where SysV init scripts are installed.
 INITFILE=$PRODUCT                                     #Name of the product's SysV init script
-INITSOURCE=init.sh                                    #Name of the distributed file to be installed as the SysV init script
+INITSOURCE=init.suse.sh                               #Name of the distributed file to be installed as the SysV init script
 ANNOTATED=                                            #If non-zero, annotated configuration files are installed
 SYSTEMD=                                              #Directory where .service files are installed (systems running systemd only)
 SYSCONFFILE=                                          #Name of the distributed file to be installed in $SYSCONFDIR
 SYSCONFDIR=/etc/sysconfig/                            #Directory where SysV init parameter files are installed
 SPARSE=                                               #If non-empty, only install $PRODUCT/$PRODUCT.conf in $CONFDIR
-VARDIR=/var/lib                                       #Directory where persistent product data is stored.
+VARLIB=/var/lib                                       #Directory where persistent product data is stored.
+VARDIR=${VARLIB}/$PRODUCT                             #Directory where product variable data is stored.
--- a/Shorewall-init/ifupdown.sh
+++ b/Shorewall-init/ifupdown.sh
@@ -22,6 +22,21 @@
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #

+setstatedir() {
+    local statedir
+    if [ -f ${CONFDIR}/${PRODUCT}/vardir ]; then
+	statedir=$( . /${CONFDIR}/${PRODUCT}/vardir && echo $VARDIR )
+    fi
+
+    [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARDIR}/${PRODUCT}
+
+    if [ ! -x $STATEDIR/firewall ]; then
+	if [ $PRODUCT = shorewall -o $PRODUCT = shorewall6 ]; then
+	    ${SBINDIR}/$PRODUCT compile
+	fi
+    fi
+}
+
 Debian_SuSE_ppp() {
    NEWPRODUCTS=
    INTERFACE="$1"
@@ -187,8 +202,10 @@ fi
 [ -n "$LOGFILE" ] || LOGFILE=/dev/null

 for PRODUCT in $PRODUCTS; do
-    if [ -x $VARDIR/$PRODUCT/firewall ]; then
-	  ( ${VARDIR}/$PRODUCT/firewall -V0 $COMMAND $INTERFACE >> $LOGFILE 2>&1 ) || true
+    setstatedir
+
+    if [ -x $VARLIB/$PRODUCT/firewall ]; then
+	  ( ${VARLIB}/$PRODUCT/firewall -V0 $COMMAND $INTERFACE >> $LOGFILE 2>&1 ) || true
    fi
 done

--- a/Shorewall-init/init.debian.sh
+++ b/Shorewall-init/init.debian.sh
@@ -62,11 +62,29 @@ not_configured () {
 	exit 0
 }

+# set the STATEDIR variable
+setstatedir() {
+    local statedir
+    if [ -f ${CONFDIR}/${PRODUCT}/vardir ]; then
+	statedir=$( . /${CONFDIR}/${PRODUCT}/vardir && echo $VARDIR )
+    fi
+
+    [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARDIR}/${PRODUCT}
+
+    if [ ! -x $STATEDIR/firewall ]; then
+	if [ $PRODUCT = shorewall -o $PRODUCT = shorewall6 ]; then
+	    ${SBINDIR}/$PRODUCT compile
+	fi
+    fi
+}
+
 #
 # The installer may alter this
 #
 . /usr/share/shorewall/shorewallrc

+vardir=$VARDIR
+
 # check if shorewall-init is configured or not
 if [ -f "$SYSCONFDIR/shorewall-init" ]
 then
@@ -81,27 +99,27 @@ fi

 # Initialize the firewall
 shorewall_start () {
-  local product
-  local VARDIR
+  local PRODUCT
+  local STATEDIR

  echo -n "Initializing \"Shorewall-based firewalls\": "
-  for product in $PRODUCTS; do
-      VARDIR=/var/lib/$product
-      [ -f /etc/$product/vardir ] && . /etc/$product/vardir
-      if [ -x ${VARDIR}/firewall ]; then
+  for PRODUCT in $PRODUCTS; do
+      setstatedir
+
+      if [ ! -x ${VARDIR}/$PRODUCT/firewall ]; then
+	  if [ $PRODUCT = shorewall -o $PRODUCT = shorewall6 ]; then
+	      ${SBINDIR}/$PRODUCT compile
+	  fi
+      fi
+
+      if [ -x ${VARDIR}/$PRODUCT/firewall ]; then
 	  #
 	  # Run in a sub-shell to avoid name collisions
 	  #
 	  ( 
-	      . /usr/share/$product/lib.base
-	      #
-	      # Get mutex so the firewall state is stable
-	      #
-	      mutex_on
-	      if ! ${VARDIR}/firewall status > /dev/null 2>&1; then
-		  ${VARDIR}/firewall stop || echo_notdone
+	      if ! ${VARDIR}/$PRODUCT/firewall status > /dev/null 2>&1; then
+		  ${VARDIR}/$PRODUCT/firewall stop || echo_notdone
 	      fi
-	      mutex_off
 	  )
      fi
  done
@@ -113,19 +131,21 @@ shorewall_start () {

 # Clear the firewall
 shorewall_stop () {
-  local product
+  local PRODUCT
  local VARDIR

  echo -n "Clearing \"Shorewall-based firewalls\": "
-  for product in $PRODUCTS; do
-      VARDIR=/var/lib/$product
-      [ -f /etc/$product/vardir ] && . /etc/$product/vardir
-      if [ -x ${VARDIR}/firewall ]; then
-	  ( . /usr/share/$product/lib.base
-	    mutex_on
-	    ${VARDIR}/firewall clear || echo_notdone
-	    mutex_off
-	  )
+  for PRODUCT in $PRODUCTS; do
+      setstatedir
+
+      if [ ! -x ${VARDIR}/$PRODUCT/firewall ]; then
+	  if [ $PRODUCT = shorewall -o $PRODUCT = shorewall6 ]; then
+	      ${SBINDIR}/$PRODUCT compile
+	  fi
+      fi
+
+      if [ -x ${VARDIR}/$PRODUCT/firewall ]; then
+	  ${VARDIR}/$PRODUCT/firewall clear || echo_notdone
      fi
  done

--- a/Shorewall-init/init.fedora.sh
+++ b/Shorewall-init/init.fedora.sh
@@ -14,13 +14,8 @@
 #                    prior to bringing up the network.  
 ### END INIT INFO
 #determine where the files were installed
-if [ -f ~/.shorewallrc ]; then
-    . ~/.shorewallrc || exit 1
-else
-    SBINDIR=/sbin
-    SYSCONFDIR=/etc/default
-    VARDIR=/var/lib
-fi
+
+. /usr/share/shorewall/shorewallrc

 prog="shorewall-init"
 logger="logger -i -t $prog"
@@ -29,6 +24,8 @@ lockfile="/var/lock/subsys/shorewall-init"
 # Source function library.
 . /etc/rc.d/init.d/functions

+vardir=$VARDIR
+
 # Get startup options (override default)
 OPTIONS=

@@ -40,9 +37,25 @@ else
    exit 6
 fi

+# set the STATEDIR variable
+setstatedir() {
+    local statedir
+    if [ -f ${CONFDIR}/${PRODUCT}/vardir ]; then
+	statedir=$( . /${CONFDIR}/${PRODUCT}/vardir && echo $VARDIR )
+    fi
+
+    [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARDIR}/${PRODUCT}
+
+    if [ ! -x $STATEDIR/firewall ]; then
+	if [ $PRODUCT = shorewall -o $PRODUCT = shorewall6 ]; then
+	    ${SBINDIR}/$PRODUCT compile
+	fi
+    fi
+}
+
 # Initialize the firewall
 start () {
-    local product
+    local PRODUCT
    local vardir

    if [ -z "$PRODUCTS" ]; then
@@ -52,11 +65,19 @@ start () {
    fi

    echo -n "Initializing \"Shorewall-based firewalls\": "
-    for product in $PRODUCTS; do
-	if [ -x ${VARDIR}/$product/firewall ]; then
-	    ${VARDIR}/$product/firewall stop 2>&1 | $logger
+    for PRODUCT in $PRODUCTS; do
+	setstatedir
+
+	if [ ! -x ${VARDIR}/firewall ]; then
+	    if [ $PRODUCT = shorewall -o $PRODUCT = shorewall6 ]; then
+		${SBINDIR}/$PRODUCT compile
+	    fi
+	fi
+
+	if [ -x ${VARDIR}/$PRODUCT/firewall ]; then
+	    ${VARDIR}/$PRODUCT/firewall stop 2>&1 | $logger
 	    retval=${PIPESTATUS[0]}
-	    [ retval -ne 0 ] && break
+	    [ $retval -ne 0 ] && break
 	fi
    done

@@ -72,15 +93,23 @@ start () {

 # Clear the firewall
 stop () {
-    local product
+    local PRODUCT
    local vardir

    echo -n "Clearing \"Shorewall-based firewalls\": "
-    for product in $PRODUCTS; do
-	if [ -x ${VARDIR}/$product/firewall ]; then
-	    ${VARDIR}/$product/firewall clear 2>&1 | $logger
+    for PRODUCT in $PRODUCTS; do
+	setstatedir
+
+	if [ ! -x ${VARDIR}/firewall ]; then
+	    if [ $PRODUCT = shorewall -o $PRODUCT = shorewall6 ]; then
+		${SBINDIR}/$PRODUCT compile
+	    fi
+	fi
+
+	if [ -x ${VARDIR}/$PRODUCT/firewall ]; then
+	    ${VARDIR}/$PRODUCT/firewall clear 2>&1 | $logger
 	    retval=${PIPESTATUS[0]}
-	    [ retval -ne 0 ] && break
+	    [ $retval -ne 0 ] && break
 	fi
    done

@@ -107,19 +136,15 @@ case "$1" in
 	status_q || exit 0
 	$1
 	;;
-    restart|reload|force-reload)
+    restart|reload|force-reload|condrestart|try-restart)
 	echo "Not implemented"
 	exit 3
 	;;
-    condrestart|try-restart)
-	echo "Not implemented"
-	exit 3
-        ;;
    status)
 	status $prog
 	;;
  *)
-	echo "Usage: /etc/init.d/shorewall-init {start|stop}"
+	echo "Usage: /etc/init.d/shorewall-init {start|stop|status}"
 	exit 1
 esac

--- a/Shorewall-init/init.sh
+++ b/Shorewall-init/init.sh
@@ -58,16 +58,34 @@ fi
 #
 . /usr/share/shorewall/shorewallrc

+# Locate the current PRODUCT's statedir
+setstatedir() {
+    local statedir
+    if [ -f ${CONFDIR}/${PRODUCT}/vardir ]; then
+	statedir=$( . /${CONFDIR}/${PRODUCT}/vardir && echo $VARDIR )
+    fi
+
+    [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARDIR}/${PRODUCT}
+
+    if [ ! -x $STATEDIR/firewall ]; then
+	if [ $PRODUCT = shorewall -o $PRODUCT = shorewall6 ]; then
+	    ${SBINDIR}/$PRODUCT compile $STATEDIR/firewall
+	fi
+    fi
+}
+
 # Initialize the firewall
 shorewall_start () {
  local PRODUCT
-  local VARDIR
+  local STATEDIR

  echo -n "Initializing \"Shorewall-based firewalls\": "
  for PRODUCT in $PRODUCTS; do
-      if [ -x ${VARDIR}/firewall ]; then
+      setstatedir
+
+      if [ -x ${STATEDIR}/firewall ]; then
 	  if ! ${SBIN}/$PRODUCT status > /dev/null 2>&1; then
-	      ${VARDIR}/firewall stop || echo_notdone
+	      ${STATEDIR}/firewall stop || echo_notdone
 	  fi
      fi
  done
@@ -86,6 +104,14 @@ shorewall_stop () {

  echo -n "Clearing \"Shorewall-based firewalls\": "
  for PRODUCT in $PRODUCTS; do
+      setstatedir
+
+      if [ ! -x ${VARDIR}/firewall ]; then
+	  if [ $PRODUCT = shorewall -o $product = shorewall6 ]; then
+	      ${SBINDIR}/$PRODUCT compile
+	  fi
+      fi
+
      if [ -x ${VARDIR}/firewall ]; then
 	  ${VARDIR}/firewall clear || exit 1
      fi
--- a/Shorewall-init/init.suse.sh
+++ b/Shorewall-init/init.suse.sh
@@ -0,0 +1,135 @@
+#! /bin/bash
+#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V4.5
+#
+#     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
+#
+#     (c) 2010,2012 - Tom Eastep (teastep@shorewall.net)
+#
+#       On most distributions, this file should be called /etc/init.d/shorewall.
+#
+#       Complete documentation is available at http://shorewall.net
+#
+#       This program is free software; you can redistribute it and/or modify
+#       it under the terms of Version 2 of the GNU General Public License
+#       as published by the Free Software Foundation.
+#
+#       This program is distributed in the hope that it will be useful,
+#       but WITHOUT ANY WARRANTY; without even the implied warranty of
+#       MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+#       GNU General Public License for more details.
+#
+#       You should have received a copy of the GNU General Public License
+#       along with this program; if not, write to the Free Software
+#       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+#
+### BEGIN INIT INFO
+# Provides: shorewall-init
+# Required-Start: $local_fs
+# Required-Stop:  $local_fs
+# Default-Start:  2 3 5
+# Default-Stop:   0 1 6
+# Short-Description: Initialize the firewall at boot time
+# Description:       Place the firewall in a safe state at boot time
+#                    prior to bringing up the network.  
+### END INIT INFO
+
+if [ "$(id -u)" != "0" ]
+then
+  echo "You must be root to start, stop or restart \"Shorewall \"."
+  exit 1
+fi
+
+# check if shorewall-init is configured or not
+if [ -f "/etc/sysconfig/shorewall-init" ]
+then
+	. /etc/sysconfig/shorewall-init
+	if [ -z "$PRODUCTS" ]
+	then
+		exit 0
+	fi
+else
+	exit 0
+fi
+
+#
+# The installer may alter this
+#
+. /usr/share/shorewall/shorewallrc
+
+# set the STATEDIR variable
+setstatedir() {
+    local statedir
+    if [ -f ${CONFDIR}/${PRODUCT}/vardir ]; then
+	statedir=$( . /${CONFDIR}/${PRODUCT}/vardir && echo $VARDIR )
+    fi
+
+    [ -n "$statedir" ] && STATEDIR=${statedir} || STATEDIR=${VARDIR}/${PRODUCT}
+
+    if [ ! -x $STATEDIR/firewall ]; then
+	if [ $PRODUCT = shorewall -o $PRODUCT = shorewall6 ]; then
+	    ${SBINDIR}/$PRODUCT compile
+	fi
+    fi
+}
+
+# Initialize the firewall
+shorewall_start () {
+  local PRODUCT
+  local STATEDIR
+
+  echo -n "Initializing \"Shorewall-based firewalls\": "
+  for PRODUCT in $PRODUCTS; do
+      setstatedir
+
+      if [ -x $STATEDIR/firewall ]; then
+	  if ! ${SBIN}/$PRODUCT status > /dev/null 2>&1; then
+	      $STATEDIR/$PRODUCT/firewall stop || echo_notdone
+	  fi
+      fi
+  done
+
+  if [ -n "$SAVE_IPSETS" -a -f "$SAVE_IPSETS" ]; then
+      ipset -R < "$SAVE_IPSETS"
+  fi
+
+  return 0
+}
+
+# Clear the firewall
+shorewall_stop () {
+  local PRODUCT
+  local STATEDIR
+
+  echo -n "Clearing \"Shorewall-based firewalls\": "
+  for PRODUCT in $PRODUCTS; do
+      setstatedir
+
+      if [ -x ${STATEDIR}/firewall ]; then
+	  ${STATEDIR}/firewall clear || exit 1
+      fi
+  done
+
+  if [ -n "$SAVE_IPSETS" ]; then
+      mkdir -p $(dirname "$SAVE_IPSETS")
+      if ipset -S > "${SAVE_IPSETS}.tmp"; then
+	  grep -qE -- '^(-N|create )' "${SAVE_IPSETS}.tmp" && mv -f "${SAVE_IPSETS}.tmp" "$SAVE_IPSETS"
+      fi
+  fi
+
+  return 0
+}
+
+case "$1" in
+  start)
+     shorewall_start
+     ;;
+  stop)
+     shorewall_stop
+     ;;
+  *)
+     echo "Usage: /etc/init.d/shorewall-init {start|stop}"
+     exit 1
+esac
+
+exit 0
--- a/Shorewall-init/install.sh
+++ b/Shorewall-init/install.sh
@@ -160,7 +160,14 @@ else
    usage 1
 fi

-for var in SHAREDIR LIBEXECDIR CONFDIR SBINDIR VARDIR; do
+if [ -z "${VARLIB}" ]; then
+    VARLIB=${VARDIR}
+    VARDIR=${VARLIB}/${PRODUCT}
+elif [ -z "${VARDIR}" ]; then
+    VARDIR=${VARLIB}/${PRODUCT}
+fi
+
+for var in SHAREDIR LIBEXECDIR CONFDIR SBINDIR VARLIB VARDIR; do
    require $var
 done

@@ -285,6 +292,7 @@ fi
 if [ -n "$SYSTEMD" ]; then
    mkdir -p ${DESTDIR}${SYSTEMD}
    run_install $OWNERSHIP -m 600 shorewall-init.service ${DESTDIR}${SYSTEMD}/shorewall-init.service
+    [ ${SBINDIR} != /sbin ] && eval sed -i \'s\|/sbin/\|${SBINDIR}/\|\ ${DESTDIR}${SYSTEMD}/shorewall-init.service
    echo "Service file installed as ${DESTDIR}${SYSTEMD}/shorewall-init.service"
    if [ -n "$DESTDIR" ]; then
 	mkdir -p ${DESTDIR}${SBINDIR}
@@ -297,8 +305,8 @@ fi
 #
 # Create /usr/share/shorewall-init if needed
 #
-mkdir -p ${DESTDIR}/usr/share/shorewall-init
-chmod 755 ${DESTDIR}/usr/share/shorewall-init
+mkdir -p ${DESTDIR}${SHAREDIR}/shorewall-init
+chmod 755 ${DESTDIR}${SHAREDIR}/shorewall-init

 #
 # Install logrotate file
@@ -311,14 +319,14 @@ fi
 #
 # Create the version file
 #
-echo "$VERSION" > ${DESTDIR}/usr/share/shorewall-init/version
-chmod 644 ${DESTDIR}/usr/share/shorewall-init/version
+echo "$VERSION" > ${DESTDIR}/${SHAREDIR}/shorewall-init/version
+chmod 644 ${DESTDIR}${SHAREDIR}/shorewall-init/version

 #
 # Remove and create the symbolic link to the init script
 #
 if [ -z "$DESTDIR" ]; then
-    rm -f /usr/share/shorewall-init/init
+    rm -f ${SHAREDIR}/shorewall-init/init
    ln -s ${INITDIR}/${INITFILE} ${SHAREDIR}/shorewall-init/init
 fi

--- a/Shorewall-lite/init.fedora.sh
+++ b/Shorewall-lite/init.fedora.sh
--- a/Shorewall-lite/init.suse.sh
+++ b/Shorewall-lite/init.suse.sh
@@ -0,0 +1,92 @@
+#!/bin/sh
+#
+#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V4.5
+#
+#     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
+#
+#     (c) 1999,2000,2001,2002,2003,2004,2005,2006,2007,2012 - Tom Eastep (teastep@shorewall.net)
+#
+#	On most distributions, this file should be called /etc/init.d/shorewall.
+#
+#	Complete documentation is available at http://shorewall.net
+#
+#	This program is free software; you can redistribute it and/or modify
+#	it under the terms of Version 2 of the GNU General Public License
+#	as published by the Free Software Foundation.
+#
+#	This program is distributed in the hope that it will be useful,
+#	but WITHOUT ANY WARRANTY; without even the implied warranty of
+#	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+#	GNU General Public License for more details.
+#
+#	You should have received a copy of the GNU General Public License
+#	along with this program; if not, write to the Free Software
+#	Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+#	If an error occurs while starting or restarting the firewall, the
+#	firewall is automatically stopped.
+#
+#	Commands are:
+#
+#	   shorewall start			  Starts the firewall
+#	   shorewall restart			  Restarts the firewall
+#	   shorewall reload			  Reload the firewall
+#						  (same as restart)
+#	   shorewall stop			  Stops the firewall
+#	   shorewall status			  Displays firewall status
+#
+
+
+### BEGIN INIT INFO
+# Provides:	  shorewall-lite
+# Required-Start: $network $remote_fs
+# Required-Stop:  
+# Default-Start:  2 3 5
+# Default-Stop:	  0 1 6
+# Description:	  starts and stops the shorewall firewall
+# Short-Description: Packet filtering firewall
+### END INIT INFO
+
+################################################################################
+# Give Usage Information						       #
+################################################################################
+usage() {
+    echo "Usage: $0 start|stop|reload|restart|status"
+    exit 1
+}
+
+################################################################################
+# Get startup options (override default)
+################################################################################
+OPTIONS=
+
+#
+# The installer may alter this
+#
+. /usr/share/shorewall/shorewallrc
+
+if [ -f ${SYSCONFDIR}/shorewall-lite ]; then
+    . ${SYSCONFDIR}/shorewall-lite
+fi
+
+SHOREWALL_INIT_SCRIPT=1
+
+################################################################################
+# E X E C U T I O N    B E G I N S   H E R E				       #
+################################################################################
+command="$1"
+
+case "$command" in
+    start)
+	exec ${SBINDIR}/shorewall-lite $OPTIONS start $STARTOPTIONS
+	;;
+    restart|reload)
+	exec ${SBINDIR}/shorewall-lite $OPTIONS restart $RESTARTOPTIONS
+	;;
+    status|stop)
+	exec ${SBINDIR}/shorewall-lite $OPTIONS $command $@
+	;;
+    *)
+	usage
+	;;
+esac
--- a/Shorewall-lite/install.sh
+++ b/Shorewall-lite/install.sh
@@ -171,7 +171,14 @@ else
    usage 1
 fi

-for var in SHAREDIR LIBEXECDIRDIRDIR CONFDIR SBINDIR VARDIR; do
+if [ -z "${VARLIB}" ]; then
+    VARLIB=${VARDIR}
+    VARDIR=${VARLIB}/${PRODUCT}
+elif [ -z "${VARDIR}" ]; then
+    VARDIR=${VARLIB}/${PRODUCT}
+fi
+
+for var in SHAREDIR LIBEXECDIRDIRDIR CONFDIR SBINDIR VARLIB VARDIR; do
    require $var
 done

@@ -253,7 +260,10 @@ case "$HOST" in
    archlinux)
 	echo "Installing ArchLinux-specific configuration..."
 	;;
-    linux|suse)
+    suse)
+	echo "Installing Suse-specific configuration..."
+	;;
+    linux)
 	;;
    *)
 	echo "ERROR: Unknown HOST \"$HOST\"" >&2
@@ -303,8 +313,8 @@ if [ -z "$DESTDIR" -a -d ${CONFDIR}/$PRODUCT ]; then
 	mv -f ${CONFDIR}/$PRODUCT/shorewall.conf ${CONFDIR}/$PRODUCT/$PRODUCT.conf
 else
    rm -rf ${DESTDIR}${CONFDIR}/$PRODUCT
-    rm -rf ${DESTDIR}/usr/share/$PRODUCT
-    rm -rf ${DESTDIR}/var/lib/$PRODUCT
+    rm -rf ${DESTDIR}${SHAREDIR}/$PRODUCT
+    rm -rf ${DESTDIR}${VARDIR}
    [ "$LIBEXECDIR" = /usr/share ] || rm -rf ${DESTDIR}/usr/share/$PRODUCT/wait4ifup ${DESTDIR}/usr/share/$PRODUCT/shorecap
 fi

@@ -327,9 +337,9 @@ echo "$Product control program installed in ${DESTDIR}${SBINDIR}/$PRODUCT"
 # Create ${CONFDIR}/$PRODUCT, /usr/share/$PRODUCT and /var/lib/$PRODUCT if needed
 #
 mkdir -p ${DESTDIR}${CONFDIR}/$PRODUCT
-mkdir -p ${DESTDIR}/usr/share/$PRODUCT
+mkdir -p ${DESTDIR}${SHAREDIR}/$PRODUCT
 mkdir -p ${DESTDIR}${LIBEXECDIR}/$PRODUCT
-mkdir -p ${DESTDIR}/var/lib/$PRODUCT
+mkdir -p ${DESTDIR}${VARDIR}

 chmod 755 ${DESTDIR}${CONFDIR}/$PRODUCT
 chmod 755 ${DESTDIR}/usr/share/$PRODUCT
@@ -355,6 +365,7 @@ fi
 #
 if [ -n "$SYSTEMD" ]; then
    run_install $OWNERSHIP -m 600 $PRODUCT.service ${DESTDIR}/${SYSTEMD}/$PRODUCT.service
+    [ ${SBINDIR} != /sbin ] && eval sed -i \'s\|/sbin/\|${SBINDIR}/\|\' ${DESTDIR}${SYSTEMD}/$PRODUCT.service
    echo "Service file installed as ${DESTDIR}/lib/systemd/system/$PRODUCT.service"
 fi

--- a/Shorewall-lite/shorewall-lite
+++ b/Shorewall-lite/shorewall-lite
@@ -25,17 +25,17 @@
 #       For a list of supported commands, type 'shorewall help' or 'shorewall6 help'
 #
 ################################################################################################
-g_program=shorewall-lite
+PRODUCT=shorewall-lite

 #
 # This is modified by the installer when ${SHAREDIR} != /usr/share
 #
 . /usr/share/shorewall/shorewallrc

+g_program=$PRODUCT
 g_libexec="$LIBEXECDIR"
 g_sharedir="$SHAREDIR"/shorewall-lite
 g_sbindir="$SBINDIR"
-g_vardir="$VARDIR"
 g_confdir="$CONFDIR"/shorewall-lite
 g_readrc=1

--- a/Shorewall/Macros/macro.Amanda
+++ b/Shorewall/Macros/macro.Amanda
@@ -8,9 +8,16 @@
 #	files from those nodes.
 #
 ###############################################################################
+FORMAT 2
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
 #				PORT(S)	PORT(S)	LIMIT	GROUP
-PARAM	-	-	udp	10080
+
+?if ( __CT_TARGET && ! $AUTOHELPERS && __AMANDA_HELPER )
+ PARAM	-	-	udp	10080 ; helper=amanda
+?else
+ PARAM	-	-	udp	10080
+?endif
+
 PARAM	-	-	tcp	10080
 #
 # You may also need this rule.  With AMANDA 2.4.4 on Linux kernel 2.6,
--- a/Shorewall/Macros/macro.BLACKLIST
+++ b/Shorewall/Macros/macro.BLACKLIST
@@ -8,8 +8,8 @@
 ###############################################################################
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
 #				PORT(S)	PORT(S)	LIMIT	GROUP
-?IF $BLACKLIST_LOGLEVEL
+?if $BLACKLIST_LOGLEVEL
 blacklog
-?ELSE
+?else
 $BLACKLIST_DISPOSITION
-?ENDIF
+?endif
--- a/Shorewall/Macros/macro.FTP
+++ b/Shorewall/Macros/macro.FTP
@@ -6,6 +6,11 @@
 #	This macro handles FTP traffic.
 #
 ###############################################################################
+FORMAT 2
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
 #				PORT(S)	PORT(S)	LIMIT	GROUP
-PARAM	-	-	tcp	21
+?if ( __CT_TARGET && ! $AUTOHELPERS && __FTP_HELPER  )
+ PARAM	-	-	tcp	21 ; helper=ftp
+?else
+ PARAM	-	-	tcp	21
+?endif
--- a/Shorewall/Macros/macro.IRC
+++ b/Shorewall/Macros/macro.IRC
@@ -6,6 +6,12 @@
 #	This macro handles IRC traffic (Internet Relay Chat).
 #
 ###############################################################################
+FORMAT 2
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
 #				PORT(S)	PORT(S)	LIMIT	GROUP
-PARAM	-	-	tcp	6667
+
+?if ( __CT_TARGET && ! $AUTOHELPERS && __IRC_HELPER  )
+ PARAM	-	-	tcp	6667 ; helper=irc
+?else
+ PARAM	-	-	tcp	6667
+?endif
--- a/Shorewall/Macros/macro.PPtP
+++ b/Shorewall/Macros/macro.PPtP
@@ -6,8 +6,14 @@
 #	This macro handles PPTP traffic.
 #
 ###############################################################################
+FORMAT 2
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
 #				PORT(S)	PORT(S)	LIMIT	GROUP
 PARAM	-	-	47
 PARAM	DEST	SOURCE	47
-PARAM	-	-	tcp	1723
+
+?if ( __CT_TARGET && ! $AUTOHELPERS && __PPTP_HELPER )
+ PARAM	-	-	tcp	1723 ; helper=pptp
+?else
+ PARAM	-	-	tcp	1723
+?endif
--- a/Shorewall/Macros/macro.SANE
+++ b/Shorewall/Macros/macro.SANE
@@ -6,9 +6,16 @@
 #	This macro handles SANE network scanning.
 #
 ###############################################################################
+FORMAT 2
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
 #				PORT(S)	PORT(S)	LIMIT	GROUP
-PARAM	-	-	tcp	6566
+
+?if ( __CT_TARGET && ! $AUTOHELPERS && __SANE_HELPER )
+ PARAM	-	-	tcp	6566 ; helper=sane
+?else
+ PARAM	-	-	tcp	6566
+?endif
+
 #
 # Kernels 2.6.23+ has nf_conntrack_sane module which will handle
 # sane data connection.
--- a/Shorewall/Macros/macro.SIP
+++ b/Shorewall/Macros/macro.SIP
@@ -0,0 +1,17 @@
+#
+# Shorewall version 4 - SIP Macro
+#
+# /usr/share/shorewall/macro.SIP
+#
+#	This macro handles SIP traffic.
+#
+###############################################################################
+FORMAT 2
+#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
+#				PORT(S)	PORT(S)	LIMIT	GROUP
+
+?if ( __CT_TARGET && ! $AUTOHELPERS && __SIP_HELPER  )
+ PARAM	-	-	udp	5060 ; helper=sip
+?else
+ PARAM	-	-	udp	5060
+?endif
--- a/Shorewall/Macros/macro.SMB
+++ b/Shorewall/Macros/macro.SMB
@@ -10,9 +10,17 @@
 #	between hosts you fully trust.
 #
 ###############################################################################
+FORMAT 2
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
 #				PORT(S)	PORT(S)	LIMIT	GROUP
 PARAM	-	-	udp	135,445
-PARAM	-	-	udp	137:139
+
+?if ( __CT_TARGET && ! $AUTOHELPERS && __NETBIOS_NS_HELPER )
+ PARAM	-	-	udp	137 ; helper=netbios-ns
+ PARAM	-	-	udp	138:139
+?else
+ PARAM	-	-	udp	137:139
+?endif
+
 PARAM	-	-	udp	1024:	137
 PARAM	-	-	tcp	135,139,445
--- a/Shorewall/Macros/macro.SMBBI
+++ b/Shorewall/Macros/macro.SMBBI
@@ -10,13 +10,28 @@
 #	allow SMB traffic between hosts you fully trust.
 #
 ###############################################################################
+FORMAT 2
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
 #				PORT(S)	PORT(S)	LIMIT	GROUP
 PARAM	-	-	udp	135,445
-PARAM	-	-	udp	137:139
+
+?if ( __CT_TARGET && ! $AUTOHELPERS && __NETBIOS_NS_HELPER )
+ PARAM	-	-	udp	137 ; helper=netbios-ns
+ PARAM	-	-	udp	138:139
+?else
+ PARAM	-	-	udp	137:139
+?endif
+
 PARAM	-	-	udp	1024:	137
 PARAM	-	-	tcp	135,139,445
 PARAM	DEST	SOURCE	udp	135,445
-PARAM	DEST	SOURCE	udp	137:139
+
+?if ( __CT_TARGET && ! $AUTOHELPERS && __NETBIOS_NS_HELPER )
+ PARAM	DEST	SOURCE	udp	137 ; helper=netbios-ns
+ PARAM	DEST	SOURCE	udp	138:139
+?else
+ PARAM	DEST	SOURCE	udp	137:139
+?endif
+
 PARAM	DEST	SOURCE	udp	1024:	137
 PARAM	DEST	SOURCE	tcp	135,139,445
--- a/Shorewall/Macros/macro.SNMP
+++ b/Shorewall/Macros/macro.SNMP
@@ -3,10 +3,17 @@
 #
 # /usr/share/shorewall/macro.SNMP
 #
-#	This macro handles SNMP traffic (including traps).
+#	This macro handles SNMP traffic.
+#
+#       Note: To allow SNMP Traps, use the SNMPTrap macro
 #
 ###############################################################################
+FORMAT 2
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
 #				PORT(S)	PORT(S)	LIMIT	GROUP
-PARAM	-	-	udp	161:162
-PARAM	-	-	tcp	161
+
+?if ( __CT_TARGET && ! $AUTOHELPERS && __SNMP_HELPER )
+ PARAM	-	-  	udp     161 ; helper=snmp
+?else
+ PARAM	-	-	udp	161
+?endif
--- a/Shorewall/Macros/macro.SNMPTrap
+++ b/Shorewall/Macros/macro.SNMPTrap
@@ -0,0 +1,12 @@
+#
+# Shorewall version 4 - SNMP Trap Macro
+#
+# /usr/share/shorewall/macro.SNMP
+#
+#	This macro handles SNMP traps.
+#
+###############################################################################
+FORMAT 2
+#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
+#				PORT(S)	PORT(S)	LIMIT	GROUP
+PARAM	-	-	udp	162
--- a/Shorewall/Macros/macro.TFTP
+++ b/Shorewall/Macros/macro.TFTP
@@ -8,6 +8,12 @@
 #	Internet.
 #
 ###############################################################################
+FORMAT 2
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
 #				PORT(S)	PORT(S)	LIMIT	GROUP
-PARAM	-	-	udp	69
+
+?if ( __CT_TARGET && ! $AUTOHELPERS && __TFTP_HELPER )
+ PARAM	-	-	udp	69 ; helper=tftp
+?else
+ PARAM	-	-	udp	69
+?endif
--- a/Shorewall/Perl/Shorewall/Chains.pm
+++ b/Shorewall/Perl/Shorewall/Chains.pm
@@ -36,7 +36,7 @@ use Shorewall::IPAddrs;
 use strict;

 our @ISA = qw(Exporter);
-our @EXPORT = qw(
+our @EXPORT = ( qw(
 		    DONT_OPTIMIZE
 		    DONT_DELETE
 		    DONT_MOVE
@@ -79,14 +79,14 @@ our @EXPORT = qw(
 		    add_interface_options

 		    %chain_table
-		    %helpers
 		    %targets
 		    $raw_table
 		    $rawpost_table
 		    $nat_table
 		    $mangle_table
 		    $filter_table
-		);
+		)
+	      );

 our %EXPORT_TAGS = (
 		    internal => [  qw( STANDARD
@@ -102,6 +102,7 @@ our %EXPORT_TAGS = (
 				       CHAIN
 				       SET
 				       AUDIT
+				       HELPER
 				       NO_RESTRICT
 				       PREROUTE_RESTRICT
 				       DESTIFACE_DISALLOW
@@ -225,6 +226,7 @@ our %EXPORT_TAGS = (
 				       handle_network_list
 				       expand_rule
 				       addnatjump
+				       mysplit
 				       set_chain_variables
 				       mark_firewall_not_started
 				       mark_firewall6_not_started
@@ -331,7 +333,6 @@ our $rawpost_table;
 our $nat_table;
 our $mangle_table;
 our $filter_table;
-our %helpers;
 my  $comment;
 my  @comments;
 my  $export;
@@ -354,6 +355,7 @@ use constant { STANDARD => 1,              #defined by Netfilter
 	       CHAIN    => 1024,           #Manual Chain
 	       SET      => 2048,           #SET
 	       AUDIT    => 4096,           #A_ACCEPT, etc
+	       HELPER   => 8192,           #CT:helper
 	   };
 #
 # Valid Targets -- value is a combination of one or more of the above
@@ -654,17 +656,6 @@ sub initialize( $$$ ) {

    %ipset_exists       = ();

-    %helpers = ( amanda          => TCP,
-		 ftp             => TCP,
-		 h323            => UDP,
-		 irc             => TCP,
-		 netbios_ns      => UDP,
-		 pptp            => TCP,
-		 sane            => TCP,
-		 sip             => UDP,
-		 snmp            => UDP,
-		 tftp            => UDP);
-
    %isocodes  = ();
    %nfobjects = ();

@@ -961,8 +952,10 @@ sub compatible( $$ ) {
 	    }
 	}
    }
-
-    return 1;
+    #
+    # Don't combine chains where each specifies '-m policy'
+    #
+    return ! ( $ref1->{policy} && $ref2->{policy} );
 }

 #
@@ -1884,7 +1877,7 @@ sub dnat_chain( $ )
 #
 sub notrack_chain( $ )
 {
-    $_[0] . '_notrk';
+    $_[0] . '_ctrk';
 }

 #
@@ -2493,7 +2486,8 @@ sub initialize_chain_table($) {
 		    'NFQUEUE!'        => STANDARD + NFQ,
 		    'ADD'             => STANDARD + SET,
 		    'DEL'             => STANDARD + SET,
-		    'WHITELIST'       => STANDARD
+		    'WHITELIST'       => STANDARD,
+		    'HELPER'          => STANDARD + HELPER + NATONLY, #Actually RAWONLY
 		   );

 	for my $chain ( qw(OUTPUT PREROUTING) ) {
@@ -2539,6 +2533,7 @@ sub initialize_chain_table($) {
 		    'NFQUEUE!'        => STANDARD + NFQ,
 		    'ADD'             => STANDARD + SET,
 		    'DEL'             => STANDARD + SET,
+		    'HELPER'          => STANDARD + HELPER + NATONLY, #Actually RAWONLY
 		   );

 	for my $chain ( qw(OUTPUT PREROUTING) ) {
@@ -2899,7 +2894,7 @@ sub optimize_level4( $$ ) {
 			#
 			# Not so easy -- the rule contains matches
 			#
-			if ( $chainref->{builtin} || ! $globals{KLUDGEFREE} ) {
+			if ( $chainref->{builtin} || ! $globals{KLUDGEFREE} || $firstrule->{policy} ) {
 			    #
 			    # This case requires a new rule merging algorithm. Ignore this chain for
 			    # now on.
@@ -2992,6 +2987,57 @@ sub optimize_level4( $$ ) {
 	}
    }

+    #
+    # Identify short chains with a single reference and replace the reference with the chain rules
+    #
+    my @chains  = grep ( $_->{referenced}   &&
+			 ! $_->{optflags}   &&
+			 @{$_->{rules}} < 4 &&
+			 keys %{$_->{references}} == 1 , values %$tableref );
+
+    if ( my $chains  = @chains ) {
+	$passes++;
+
+	progress_message "\n Table $table pass $passes, $chains short chains, level 4b...";
+
+	for my $chainref ( @chains ) {
+	    my $name = $chainref->{name};
+	    for my $sourceref ( map $tableref->{$_}, keys %{$chainref->{references}} ) {
+		my $name1 = $sourceref->{name};
+
+		if ( $chainref->{references}{$name1} == 1 ) {
+		    my $rulenum  = 0;
+		    my $rulesref = $sourceref->{rules};
+		    my $rules    = @{$chainref->{rules}};
+
+		    for ( @$rulesref ) {
+			if ( $_->{simple} && ( $_->{target} || '' ) eq $name ) {
+			    trace( $sourceref, 'D', $rulenum  + 1, $_ ) if $debug;
+			    splice @$rulesref, $rulenum, 1, @{$chainref->{rules}};
+			    while ( my $ruleref = shift @{$chainref->{rules}} ) {
+				trace ( $sourceref, 'I', $rulenum++, $ruleref ) if $debug;
+				my $target = $ruleref->{target};
+
+				if ( $target && ( my $targetref = $tableref->{$target} ) ) {
+				    #
+				    # The rule target is a chain
+				    #
+				    add_reference( $sourceref, $targetref );
+				    delete_reference( $chainref, $targetref );
+				}
+			    }
+
+			    delete $chainref->{references}{$name1};
+			    delete_chain $chainref;
+			    last;
+			}
+			$rulenum++;
+		    }
+		}
+	    }
+	}
+    }
+
    $passes;
 }

@@ -3295,6 +3341,62 @@ sub combine_dports {
    \@rules;
 }

+#
+# Delete duplicate rules from the passed chain.
+#
+#   The arguments are a reference to the chain followed by references to each 
+#   of its rules.
+#
+sub delete_duplicates {
+    my @rules;
+    my $chainref  = shift;
+    my $lastrule  = @_;
+    my $baseref   = pop;
+    my $ruleref;
+    my $duplicate = 0;
+
+    while ( @_ && ! $duplicate ) {
+	{
+	    my $ports1;
+	    my @keys1     = sort( keys( %$baseref ) );
+	    my $rulenum   = @_;
+	    my $duplicate = 0;
+
+	  RULE:
+
+	    while ( --$rulenum >= 0 ) {
+		$ruleref = $_[$rulenum];
+
+		my @keys2 = sort(keys( %$ruleref ) );
+
+		next unless @keys1 == @keys2 ;
+
+		my $keynum = 0;
+
+		for my $key ( @keys1 ) {
+		    next RULE unless $key eq $keys2[$keynum++];
+		    next RULE unless compare_values( $baseref->{$key}, $ruleref->{$key} );
+		}
+
+		$duplicate = 1;
+	    }
+
+	    if ( $duplicate ) {
+		trace( $chainref, 'D', $lastrule, $baseref ) if $debug;
+	    } else {
+		unshift @rules, $baseref;
+	    }
+
+	    $baseref = pop @_;
+	    $lastrule--;
+	}
+    }
+
+    unshift @rules, $baseref if $baseref;
+
+    \@rules;
+}
+
 sub optimize_level16( $$$ ) {
    my ( $table, $tableref , $passes ) = @_;
    my @chains   = ( grep $_->{referenced}, values %{$tableref} );
@@ -3303,11 +3405,23 @@ sub optimize_level16( $$$ ) {

    progress_message "\n Table $table pass $passes, $chains referenced user chains, level 16...";

+    if ( $table eq 'raw' ) {
+	#
+	# Helpers in rules have the potential for generating lots of duplicate iptables rules
+	# in the raw table. This step eliminates those duplicates
+	#
+	for my $chainref ( @chains ) {
+	    $chainref->{rules} = delete_duplicates( $chainref, @{$chainref->{rules}} );
+	}
+
+	$passes++;
+    }
+
    for my $chainref ( @chains ) {
 	$chainref->{rules} = combine_dports( $chainref, @{$chainref->{rules}} );
    }

-    $passes++;
+    ++$passes;
 }

 #
@@ -3496,7 +3610,7 @@ sub source_exclusion( $$ ) {

    my $table = reftype $target ? $target->{table} : 'filter';

-    my $chainref = new_chain( $table , newexclusionchain( $table ) );
+    my $chainref = dont_move new_chain( $table , newexclusionchain( $table ) );

    add_ijump( $chainref, j => 'RETURN', imatch_source_net( $_ ) ) for @$exclusions;
    add_ijump( $chainref, g => $target );
@@ -3518,7 +3632,7 @@ sub source_iexclusion( $$$$$;@ ) {
 	$source = $1;
 	@exclusion = mysplit( $2 );

-	my $chainref1 = new_chain( $table , newexclusionchain( $table ) );
+	my $chainref1 = dont_move new_chain( $table , newexclusionchain( $table ) );

 	add_ijump( $chainref1 , j => 'RETURN', imatch_source_net( $_ ) ) for @exclusion;

@@ -3547,7 +3661,7 @@ sub dest_exclusion( $$ ) {

    my $table = reftype $target ? $target->{table} : 'filter';

-    my $chainref = new_chain( $table , newexclusionchain( $table ) );
+    my $chainref = dont_move new_chain( $table , newexclusionchain( $table ) );

    add_ijump( $chainref, j => 'RETURN', imatch_dest_net( $_ ) ) for @$exclusions;
    add_ijump( $chainref, g => $target );
@@ -3569,7 +3683,7 @@ sub dest_iexclusion( $$$$$;@ ) {
 	$dest = $1;
 	@exclusion = mysplit( $2 );

-	my $chainref1 = new_chain( $table , newexclusionchain( $table ) );
+	my $chainref1 = dont_move new_chain( $table , newexclusionchain( $table ) );

 	add_ijump( $chainref1 , j => 'RETURN', imatch_dest_net( $_ ) ) for @exclusion;

@@ -4212,7 +4326,7 @@ sub do_user( $ ) {

    require_capability 'OWNER_MATCH', 'A non-empty USER column', 's';

-    assert ( $user =~ /^(!)?(.*?)(:(.*))?$/ );
+    assert( $user =~ /^(!)?(.*?)(:(.+))?$/ );
    my $invert = $1 ? '! ' : '';
    my $group  = supplied $4 ? $4 : '';

@@ -4338,10 +4452,20 @@ sub validate_helper( $;$ ) {
 	#
 	#  Recognized helper
 	#
+	my $capability      = $helpers_map{$helper};
+	my $external_helper = lc $capability;
+	
+	$external_helper =~ s/_helper//;
+	$external_helper =~ s/_/-/;
+
+	fatal_error "The $external_helper helper is not enabled" unless $helpers_enabled{$external_helper};
+	
 	if ( supplied $proto ) {
+	    require_capability $helpers_map{$helper}, "Helper $helper", 's';
+
 	    my $protonum = -1;

-	    fatal_error "Unknown PROTO ($protonum)" unless defined ( $protonum = resolve_proto( $proto ) );
+	    fatal_error "Unknown PROTO ($proto)" unless defined ( $protonum = resolve_proto( $proto ) );

 	    unless ( $protonum == $helper_proto ) {
 		fatal_error "The $helper_base helper requires PROTO=" . (proto_name $helper_proto );
@@ -4362,7 +4486,7 @@ sub do_helper( $ ) {

    validate_helper( $helper );

-    qq(-m helper --helper "$helper" ) if defined wantarray;
+    qq(-m helper --helper "$helpers_aliases{$helper}" ) if defined wantarray;
 }


@@ -4806,7 +4930,7 @@ sub match_source_net( $;$\$ ) {
 	    return '! -s ' . record_runtime_address $1, $2;
 	}

-	validate_net $net, 1;
+	$net = validate_net $net, 1;
 	return "! -s $net ";
    }

@@ -4814,7 +4938,7 @@ sub match_source_net( $;$\$ ) {
 	return '-s ' . record_runtime_address $1, $2;
    }

-    validate_net $net, 1;
+    $net = validate_net $net, 1;
    $net eq ALLIP ? '' : "-s $net ";
 }

@@ -4879,7 +5003,7 @@ sub imatch_source_net( $;$\$ ) {
 	    return  ( s => '! ' . record_runtime_address( $1, $2, 1 ) );
 	}

-	validate_net $net, 1;
+	$net = validate_net $net, 1;
 	return ( s => "! $net " );
    }

@@ -4887,7 +5011,7 @@ sub imatch_source_net( $;$\$ ) {
 	return ( s =>  record_runtime_address( $1, $2, 1 ) );
    }

-    validate_net $net, 1;
+    $net = validate_net $net, 1;
    $net eq ALLIP ? () : ( s => $net );
 }

@@ -4948,7 +5072,7 @@ sub match_dest_net( $;$ ) {
 	    return '! -d ' . record_runtime_address $1, $2;
 	}

-	validate_net $net, 1;
+	$net = validate_net $net, 1;
 	return "! -d $net ";
    }

@@ -4956,7 +5080,7 @@ sub match_dest_net( $;$ ) {
 	return '-d ' . record_runtime_address $1, $2;
    }

-    validate_net $net, 1;
+    $net = validate_net $net, 1;
    $net eq ALLIP ? '' : "-d $net ";
 }

@@ -5015,7 +5139,7 @@ sub imatch_dest_net( $;$ ) {
 	    return ( d => '! ' . record_runtime_address( $1, $2, 1 ) );
 	}

-	validate_net $net, 1;
+	$net = validate_net $net, 1;
 	return ( d => "! $net " );
    }

@@ -5023,7 +5147,7 @@ sub imatch_dest_net( $;$ ) {
 	return ( d => record_runtime_address( $1, $2, 1 ) );
    }

-    validate_net $net, 1;
+    $net = validate_net $net, 1;
    $net eq ALLIP ? () : ( d =>  $net );
 }

@@ -5040,7 +5164,7 @@ sub match_orig_dest ( $ ) {
 	if ( $net =~ /^&(.+)/ ) {
 	    $net = record_runtime_address '&', $1;
 	} else {
-	    validate_net $net, 1;
+	    $net = validate_net $net, 1;
 	}

 	have_capability( 'OLD_CONNTRACK_MATCH' ) ? "-m conntrack --ctorigdst ! $net " : "-m conntrack ! --ctorigdst $net ";
@@ -5048,7 +5172,7 @@ sub match_orig_dest ( $ ) {
 	if ( $net =~ /^&(.+)/ ) {
 	    $net = record_runtime_address '&', $1;
 	} else {
-	    validate_net $net, 1;
+	    $net = validate_net $net, 1;
 	}

 	$net eq ALLIP ? '' : "-m conntrack --ctorigdst $net ";
@@ -5779,7 +5903,11 @@ sub isolate_source_interface( $ ) {
 	} else {
 	    $iiface = $source;
 	}
-    } elsif  ( $source =~ /^(.+?):<(.+)>\s*$/ || $source =~ /^(.+?):\[(.+)\]\s*$/ || $source =~ /^(.+?):(!?\+.+)$/ ) {
+    } elsif  ( $source =~ /^(.+?):<(.+)>\s*$/   ||
+	       $source =~ /^(.+?):\[(.+)\]\s*$/ ||
+	       $source =~ /^(.+?):(!?\+.+)$/    ||
+	       $source =~ /^(.+?):(\[.+\]\/(?:\d+))\s*$/
+	     ) {
 	$iiface = $1;
 	$inets  = $2;
    } elsif ( $source =~ /:/ ) {
@@ -5884,7 +6012,11 @@ sub isolate_dest_interface( $$$$ ) {
 	} else {
 	    $diface = $dest;
 	}
-    } elsif ( $dest =~ /^(.+?):<(.+)>\s*$/ || $dest =~ /^(.+?):\[(.+)\]\s*$/ || $dest =~ /^(.+?):(!?\+.+)$/ ) {
+    } elsif ( $dest =~ /^(.+?):<(.+)>\s*$/   || 
+	      $dest =~ /^(.+?):\[(.+)\]\s*$/ ||
+	      $dest =~ /^(.+?):(!?\+.+)$/    ||
+	      $dest =~ /^(.+?):(\[.+\]\/(?:\d+))\s*$/
+	    ) {
 	$diface = $1;
 	$dnets  = $2;
    } elsif ( $dest =~ /:/ ) {
--- a/Shorewall/Perl/Shorewall/Compiler.pm
+++ b/Shorewall/Perl/Shorewall/Compiler.pm
@@ -34,7 +34,6 @@ use Shorewall::Accounting;
 use Shorewall::Rules;
 use Shorewall::Proc;
 use Shorewall::Proxyarp;
-use Shorewall::IPAddrs;
 use Shorewall::Raw;
 use Shorewall::Misc;

@@ -54,8 +53,8 @@ my $family;
 #
 # Initilize the package-globals in the other modules
 #
-sub initialize_package_globals( $$ ) {
-    Shorewall::Config::initialize($family, $_[1]);
+sub initialize_package_globals( $$$ ) {
+    Shorewall::Config::initialize($family, $_[1], $_[2]);
    Shorewall::Chains::initialize ($family, 1, $export );
    Shorewall::Zones::initialize ($family, $_[0]);
    Shorewall::Nat::initialize;
@@ -158,7 +157,7 @@ sub generate_script_2() {

    push_indent;

-    if ( $shorewallrc{TEMPDIR} ) {
+    if ( $shorewallrc1{TEMPDIR} ) {
 	emit( '',
 	      qq(TMPDIR="$shorewallrc{TEMPDIR}") ,
 	      q(export TMPDIR) );
@@ -168,14 +167,14 @@ sub generate_script_2() {
 	emit( 'g_family=4' );

 	if ( $export ) {
-	    emit ( qq(g_confdir=$shorewallrc{CONFDIR}/shorewall-lite),
+	    emit ( qq(g_confdir=$shorewallrc1{CONFDIR}/shorewall-lite),
 		   'g_product="Shorewall Lite"',
 		   'g_program=shorewall-lite',
 		   'g_basedir=/usr/share/shorewall-lite',
-		   qq(CONFIG_PATH="$shorewallrc{CONFDIR}/shorewall-lite:$shorewallrc{SHAREDIR}/shorewall-lite") ,
+		   qq(CONFIG_PATH="$shorewallrc1{CONFDIR}/shorewall-lite:$shorewallrc1{SHAREDIR}/shorewall-lite") ,
 		 );
 	} else {
-	    emit ( qq(g_confdir=$shorewallrc{CONFDIR}/shorewall),
+	    emit ( qq(g_confdir=$shorewallrc1{CONFDIR}/shorewall),
 		   'g_product=Shorewall',
 		   'g_program=shorewall',
 		   'g_basedir=/usr/share/shorewall',
@@ -186,14 +185,14 @@ sub generate_script_2() {
 	emit( 'g_family=6' );

 	if ( $export ) {
-	    emit ( qq(g_confdir=$shorewallrc{CONFDIR}/shorewall6-lite),
+	    emit ( qq(g_confdir=$shorewallrc1{CONFDIR}/shorewall6-lite),
 		   'g_product="Shorewall6 Lite"',
 		   'g_program=shorewall6-lite',
 		   'g_basedir=/usr/share/shorewall6',
-		   qq(CONFIG_PATH="$shorewallrc{CONFDIR}/shorewall6-lite:$shorewallrc{SHAREDIR}/shorewall6-lite") ,
+		   qq(CONFIG_PATH="$shorewallrc1{CONFDIR}/shorewall6-lite:$shorewallrc{SHAREDIR}/shorewall6-lite") ,
 		 );
 	} else {
-	    emit ( qq(g_confdir=$shorewallrc{CONFDIR}/shorewall6),
+	    emit ( qq(g_confdir=$shorewallrc1{CONFDIR}/shorewall6),
 		   'g_product=Shorewall6',
 		   'g_program=shorewall6',
 		   'g_basedir=/usr/share/shorewall',
@@ -202,21 +201,8 @@ sub generate_script_2() {
 	}
    }

-    emit( '[ -f ${g_confdir}/vardir ] && . ${g_confdir}/vardir' );
-
-    if ( $family == F_IPV4 ) {
-	if ( $export ) {
-	    emit ( '[ -n "${VARDIR:=' . $shorewallrc{VARDIR} . '/shorewall-lite}" ]' );
-	} else {
-	    emit ( '[ -n "${VARDIR:=' . $shorewallrc{VARDIR} . '/shorewall}" ]' );
-	}
-    } else {
-	if ( $export ) {
-	    emit ( '[ -n "${VARDIR:=' . $shorewallrc{VARDIR} . '/shorewall6-lite}" ]' );
-	} else {
-	    emit ( '[ -n "${VARDIR:=' . $shorewallrc{VARDIR} . '/shorewall6}" ]' );
-	}
-    }
+    emit (   '[ -f ${g_confdir}/vardir ] && . ${g_confdir}/vardir' );
+    emit ( qq([ -n "\${VARDIR:=$shorewallrc1{VARDIR}}" ]) );

    emit 'TEMPFILE=';

@@ -546,8 +532,8 @@ EOF
 #
 sub compiler {

-    my ( $scriptfilename, $directory, $verbosity, $timestamp , $debug, $chains , $log , $log_verbosity, $preview, $confess , $update , $annotate , $convert, $config_path, $shorewallrc ) =
-       ( '',              '',         -1,          '',          0,      '',       '',   -1,             0,        0,         0,        0,        , 0       , ''          , '');
+    my ( $scriptfilename, $directory, $verbosity, $timestamp , $debug, $chains , $log , $log_verbosity, $preview, $confess , $update , $annotate , $convert, $config_path, $shorewallrc                      , $shorewallrc1 ) =
+       ( '',              '',         -1,          '',          0,      '',       '',   -1,             0,        0,         0,        0,        , 0       , ''          , '/usr/share/shorewall/shorewallrc', '' );

    $export = 0;
    $test   = 0;
@@ -586,6 +572,7 @@ sub compiler {
 		  annotate      => { store => \$annotate,      validate=> \&validate_boolean    } ,
 		  config_path   => { store => \$config_path } ,
 		  shorewallrc   => { store => \$shorewallrc } ,
+		  shorewallrc1  => { store => \$shorewallrc1 } ,
 		);
    #
    #                               P A R A M E T E R    P R O C E S S I N G
@@ -603,7 +590,7 @@ sub compiler {
    #
    # Now that we know the address family (IPv4/IPv6), we can initialize the other modules' globals
    #
-    initialize_package_globals( $update, $shorewallrc );
+    initialize_package_globals( $update, $shorewallrc, $shorewallrc1 );

    set_config_path( $config_path ) if $config_path;

@@ -666,11 +653,6 @@ sub compiler {
    #                           (Produces no output to the compiled script)
    #
    process_policies;
-    #
-    #                                       N O T R A C K
-    #                           (Produces no output to the compiled script)
-    #
-    setup_notrack;

    enable_script;

@@ -710,6 +692,14 @@ sub compiler {
    #
    setup_proxy_arp;

+    emit( "#\n# Disable automatic helper association on kernel 3.5.0 and later\n#" ,
+	  'if [ -f /proc/sys/net/netfilter/nf_conntrack_helper ]; then' ,
+	  '    progress_message "Disabling Kernel Automatic Helper Association"',
+	  "    echo 0 > /proc/sys/net/netfilter/nf_conntrack_helper",
+	  'fi',
+	  ''
+	);
+
    if ( $scriptfilename || $debug ) {
 	emit 'return 0';
 	pop_indent;
@@ -789,6 +779,10 @@ sub compiler {
    #
    process_rules( $convert );
    #
+    # Process the conntrack file
+    #
+    setup_conntrack;
+    #
    # Add Tunnel rules.
    #
    setup_tunnels;
@@ -912,6 +906,7 @@ sub compiler {
 	    # call that function during normal 'check', we must validate routestopped here.
 	    #
 	    process_routestopped;
+	    process_stoppedrules;
 	}

 	if ( $family == F_IPV4 ) {
--- a/Shorewall/Perl/Shorewall/Config.pm
+++ b/Shorewall/Perl/Shorewall/Config.pm
@@ -62,6 +62,7 @@ our @EXPORT = qw(

 		 have_capability
 		 require_capability
+		 kernel_version
                );

 our @EXPORT_OK = qw( $shorewall_dir initialize shorewall);
@@ -143,12 +144,25 @@ our %EXPORT_TAGS = ( internal => [ qw( create_temp_script
 				       %globals
 				       %config_files
 				       %shorewallrc
+				       %shorewallrc1

-				       @auditoptions
-
+				       %helpers
+				       %helpers_map
+				       %helpers_enabled
+				       %helpers_aliases
+				       
 		                       F_IPV4
 		                       F_IPV6

+				       TCP
+				       UDP
+				       UDPLITE
+				       ICMP
+				       DCCP
+				       IPv6_ICMP
+				       SCTP
+				       GRE
+
 				       MIN_VERBOSITY
 				       MAX_VERBOSITY

@@ -160,7 +174,18 @@ our %EXPORT_TAGS = ( internal => [ qw( create_temp_script
 				       CONFIG_CONTINUATION
 				       DO_INCLUDE
 				       NORMAL_READ
-				     ) ] );
+				     ) , ] ,
+		   protocols => [ qw (
+				       TCP
+				       UDP
+				       UDPLITE
+				       ICMP
+				       DCCP
+				       IPv6_ICMP
+				       SCTP
+				       GRE
+				    ) , ],
+		   );

 Exporter::export_ok_tags('internal');

@@ -227,6 +252,10 @@ our %globals;
 #
 our %config;
 #
+# Entries in shorewall.conf that have been renamed
+#
+my %renamed = ( AUTO_COMMENT => 'AUTOCOMMENT' );
+#
 # Config options and global settings that are to be copied to output script
 #
 my @propagateconfig = qw/ DISABLE_IPV6 MODULESDIR MODULE_SUFFIX LOAD_HELPERS_ONLY SUBSYSLOCK LOG_VERBOSITY/;
@@ -310,6 +339,22 @@ my  %capdesc = ( NAT_ENABLED     => 'NAT',
 		 GEOIP_MATCH     => 'GeoIP Match' ,
 		 RPFILTER_MATCH  => 'RPFilter Match',
 		 NFACCT_MATCH    => 'NFAcct Match',
+		 AMANDA_HELPER   => 'Amanda Helper',
+		 FTP_HELPER      => 'FTP Helper',
+		 FTP0_HELPER     => 'FTP-0 Helper',
+		 H323_HELPER     => 'H323 Helpers',
+		 IRC_HELPER      => 'IRC Helper',
+		 IRC0_HELPER     => 'IRC-0 Helper',
+		 NETBIOS_NS_HELPER =>
+                                    'Netbios-ns Helper',
+		 PPTP_HELPER     => 'PPTP Helper',
+		 SANE_HELPER     => 'SANE Helper',
+		 SANE0_HELPER    => 'SANE-0 Helper',
+		 SIP_HELPER      => 'SIP Helper',
+		 SIP0_HELPER     => 'SIP-0 Helper',
+		 SNMP_HELPER     => 'SNMP Helper',
+		 TFTP_HELPER     => 'TFTP Helper',
+		 TFTP0_HELPER     => 'TFTP-0 Helper',
 		 #
 		 # Constants
 		 #
@@ -318,10 +363,43 @@ my  %capdesc = ( NAT_ENABLED     => 'NAT',
 		 KERNELVERSION   => 'Kernel Version',
 	       );

+use constant {
+	       ICMP                => 1,
+	       TCP                 => 6,
+	       UDP                 => 17,
+	       DCCP                => 33,
+	       GRE                 => 47,
+	       IPv6_ICMP           => 58,
+	       SCTP                => 132,
+	       UDPLITE             => 136,
+	     };
+
+our %helpers = ( amanda          => UDP,
+		 ftp             => TCP,
+		 irc             => TCP,
+		 'netbios-ns'    => UDP,
+		 pptp            => TCP,
+		 'Q.931'         => TCP,
+		 RAS             => UDP,
+		 sane            => TCP,
+		 sip             => UDP,
+		 snmp            => UDP,
+		 tftp            => UDP,
+	       );
+
+our %helpers_map;
+
+our %helpers_names;
+
+our %helpers_aliases;
+
+our %helpers_enabled;
+
 our %config_files = ( #accounting      => 1,
 		      actions          => 1,
 		      blacklist        => 1,
 		      clear            => 1,
+		      conntrack        => 1,
 		      ecn              => 1,
 		      findgw           => 1,
 		      hosts            => 1,
@@ -345,6 +423,7 @@ our %config_files = ( #accounting      => 1,
 		      route_rules      => 1,
 		      routes           => 1,
 		      routestopped     => 1,
+		      rtrules          => 1,
 		      rules            => 1,
 		      scfilter         => 1,
 		      secmarks         => 1,
@@ -352,6 +431,7 @@ our %config_files = ( #accounting      => 1,
 		      started          => 1,
 		      stop             => 1,
 		      stopped          => 1,
+		      stoppedrules     => 1,
 		      tcclasses        => 1,
 		      tcclear          => 1,
 		      tcdevices        => 1,
@@ -461,7 +541,7 @@ my $ifstack;
 #
 # From .shorewallrc
 #
-our %shorewallrc;
+our ( %shorewallrc, %shorewallrc1 );
 #
 # read_a_line options
 #
@@ -477,7 +557,7 @@ use constant { PLAIN_READ          => 0,     # No read_a_line options
               NORMAL_READ         => -1     # All options
 	   };

-sub process_shorewallrc($);
+sub process_shorewallrc($$);
 #
 # Rather than initializing globals in an INIT block or during declaration,
 # we initialize them in a function. This is done for two reasons:
@@ -488,8 +568,8 @@ sub process_shorewallrc($);
 #   2. The compiler can run multiple times in the same process so it has to be
 #      able to re-initialize its dependent modules' state.
 #
-sub initialize( $;$ ) {
-    ( $family, my $shorewallrc ) = @_;
+sub initialize( $;$$) {
+    ( $family, my ( $shorewallrc, $shorewallrc1 ) ) = @_;

    if ( $family == F_IPV4 ) {
 	( $product, $Product, $toolname, $toolNAME ) = qw( shorewall  Shorewall iptables  IPTABLES );
@@ -526,8 +606,7 @@ sub initialize( $;$ ) {
 		    EXPORT     => 0,
 		    KLUDGEFREE => '',
 		    STATEMATCH => '-m state --state',
-		    UNTRACKED  => 0,
-		    VERSION    => "4.5.6",
+		    VERSION    => "4.5.8-Beta2",
 		    CAPVERSION => 40507 ,
 		  );
    #
@@ -628,7 +707,7 @@ sub initialize( $;$ ) {
 	  DELETE_THEN_ADD => undef,
 	  MULTICAST => undef,
 	  DONT_LOAD => '',
-	  AUTO_COMMENT => undef ,
+	  AUTOCOMMENT => undef ,
 	  MANGLE_ENABLED => undef ,
 	  RFC1918_STRICT => undef ,
 	  NULL_ROUTE_RFC1918 => undef ,
@@ -650,6 +729,8 @@ sub initialize( $;$ ) {
 	  EXPORTMODULES => undef,
 	  LEGACY_FASTSTART => undef,
 	  USE_PHYSICAL_NAMES => undef,
+	  HELPERS => undef,
+	  AUTOHELPERS => undef,
 	  #
 	  # Packet Disposition
 	  #
@@ -766,6 +847,22 @@ sub initialize( $;$ ) {
 	       GEOIP_MATCH => undef,
 	       RPFILTER_MATCH => undef,
 	       NFACCT_MATCH => undef,
+	       AMANDA_HELPER => undef,
+	       FTP_HELPER => undef,
+	       FTP0_HELPER => undef,
+	       H323_HELPER => undef,
+	       IRC_HELPER => undef,
+	       IRC0_HELPER => undef,
+	       NETBIOS_NS_HELPER => undef,
+	       PPTP_HELPER => undef,
+	       SANE_HELPER => undef,
+	       SANE0_HELPER => undef,
+	       SIP_HELPER => undef,
+	       SIP0_HELPER => undef,
+	       SNMP_HELPER => undef,
+	       TFTP_HELPER => undef,
+	       TFTP0_HELPER => undef,
+
 	       CAPVERSION => undef,
 	       LOG_OPTIONS => 1,
 	       KERNELVERSION => undef,
@@ -800,12 +897,77 @@ sub initialize( $;$ ) {

    @actparms = ();

+    %helpers_enabled = (
+			amanda       => 1,
+			ftp          => 1,
+			'ftp-0'      => 1,
+			h323         => 1,
+			irc          => 1,
+			'irc-0'      => 1,
+			'netbios-ns' => 1,
+			pptp         => 1,
+			sane         => 1,
+			'sane-0'     => 1,
+			sip          => 1,
+			'sip-0'      => 1,
+			snmp         => 1,
+			tftp         => 1,
+			'tftp-0'     => 1,
+		       );
+
+    %helpers_map = ( amanda          => 'AMANDA_HELPER',
+		     ftp             => 'FTP_HELPER',
+		     irc             => 'IRC_HELPER',
+		     'netbios-ns'    => 'NETBIOS_NS_HELPER',
+		     pptp            => 'PPTP_HELPER',
+		     'Q.931'         => 'H323_HELPER',
+		     RAS             => 'H323_HELPER',
+		     sane            => 'SANE_HELPER',
+		     sip             => 'SIP_HELPER',
+		     snmp            => 'SNMP_HELPER',
+		     tftp            => 'TFTP_HELPER',
+		   );
+
+    %helpers_aliases = ( amanda       => 'amanda',
+			 ftp          => 'ftp',
+			 irc          => 'irc',
+			 'netbios-ns' => 'netbios-ns',
+			 pptp         => 'pptp',
+			 'Q.931'      => 'Q.931',
+			 RAS          => 'RAS',
+			 sane         => 'sane',
+			 sip          => 'sip',
+			 snmp         => 'snmp',
+			 tftp         => 'tftp',
+		       );
+
    %shorewallrc = (
 		    SHAREDIR => '/usr/share/',
 		    CONFDIR  => '/etc/',
 		    );
+    #
+    # If we are compiling for export, process the shorewallrc from the remote system
+    #
+    if ( $shorewallrc1 ) {
+	process_shorewallrc( $shorewallrc1,
+			     $family == F_IPV4 ? 'shorewall-lite' : 'shorewall6-lite'
+			   );

-    process_shorewallrc( $shorewallrc ) if $shorewallrc;
+	%shorewallrc1 = %shorewallrc;
+
+	%shorewallrc = (
+			SHAREDIR => '/usr/share/',
+			CONFDIR  => '/etc/',
+		       );
+    }
+    #
+    # Process the global shorewallrc file
+    #
+    #   Note: The build file executes this function passing only the protocol family
+    #
+    process_shorewallrc( $shorewallrc,
+			 $family == F_IPV4 ? 'shorewall' : 'shorewall6'
+		       ) if defined $shorewallrc;

    $globals{SHAREDIRPL} = "$shorewallrc{SHAREDIR}/shorewall/";

@@ -821,6 +983,8 @@ sub initialize( $;$ ) {
 	$globals{PRODUCT}       = 'shorewall6';
 	$config{IP6TABLES}      = undef;
    }
+
+    %shorewallrc1 = %shorewallrc unless $shorewallrc1;
 }

 my @abbr = qw( Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec );
@@ -942,6 +1106,12 @@ sub cleanup() {
 	qt1( "$iptables -X $sillyname1" );
 	qt1( "$iptables -t mangle -F $sillyname" );
 	qt1( "$iptables -t mangle -X $sillyname" );
+	qt1( "$iptables -t nat -F $sillyname" );
+	qt1( "$iptables -t nat -X $sillyname" );
+	qt1( "$iptables -t raw -F $sillyname" );
+	qt1( "$iptables -t raw -X $sillyname" );
+	qt1( "$iptables -t rawpost -F $sillyname" );
+	qt1( "$iptables -t rawpost -X $sillyname" );
 	$sillyname = '';
    }
 }
@@ -1069,7 +1239,7 @@ sub in_hex2( $ ) {
 }

 sub in_hex3( $ ) {
-    sprintf '0x%03x', $_[0];
+    sprintf '%03x', $_[0];
 }

 sub in_hex4( $ ) {
@@ -1692,6 +1862,7 @@ sub evaluate_expression( $$$ ) {
 	$val = ( exists $ENV{$var}     ? $ENV{$var}    :
 		 exists $params{$var}  ? $params{$var} :
 		 exists $config{$var}  ? $config{$var} :
+		 exists $renamed{$var} ? $config{$renamed{$var}} :
 		 exists $capdesc{$var} ? have_capability( $var ) : 0 );
 	$val = 0 unless defined $val;
 	$val = "'$val'" unless $val =~ /^-?\d+$/;
@@ -1704,7 +1875,12 @@ sub evaluate_expression( $$$ ) {
 	my ( $first, $cap, $rest ) = ( $1, $3, $4);

 	if ( exists $capdesc{$cap} ) {
-	    $val = have_capability( $cap )
+	    $val = have_capability( $cap );
+	    if ( defined $val ) {
+		$val = "'$val'" unless $val =~ /^-?\d+$/;
+	    } else {
+		$val = 0;
+	    }
 	} elsif ( $cap =~ /^IPV([46])$/ ) {
 	    $val = ( $family == $1 );
 	} else {
@@ -1744,9 +1920,9 @@ sub process_conditional( $$$$ ) {

    print "CD===> $line\n" if $debug;

-    cond_error( "Invalid compiler directive ($line)" , $filename, $linenumber ) unless $line =~ /^\s*\?(IF\s+|ELSE|ELSIF\s+|ENDIF)(.*)$/;
+    cond_error( "Invalid compiler directive ($line)" , $filename, $linenumber ) unless $line =~ /^\s*\?(IF\s+|ELSE|ELSIF\s+|ENDIF)(.*)$/i;

-    my ($keyword, $expression) = ( $1, $2 );
+    my ($keyword, $expression) = ( uc $1, $2 );

    if ( supplied $expression ) {
 	$expression =~ s/#.*//;
@@ -1758,7 +1934,7 @@ sub process_conditional( $$$$ ) {
    my ( $lastkeyword, $prioromit, $included, $lastlinenumber ) = @ifstack ? @{$ifstack[-1]} : ('', 0, 0, 0 );

    if ( $keyword =~ /^IF/ ) {
-	cond_error( "Missing IF expression" , $filename, $linenumber ) unless $expression;
+	cond_error( "Missing IF expression" , $filename, $linenumber ) unless supplied $expression;
 	my $nextomitting = $omitting || ! evaluate_expression( $expression , $filename, $linenumber );
 	push @ifstack, [ 'IF', $omitting, ! $nextomitting, $linenumber ];
 	$omitting = $nextomitting;
@@ -2354,7 +2530,7 @@ sub read_a_line($) {
 	    #
 	    # Handle conditionals
 	    #
-	    if ( /^\s*\?(?:IF|ELSE|ELSIF|ENDIF)/ ) {
+	    if ( /^\s*\?(?:IF|ELSE|ELSIF|ENDIF)/i ) {
 		$omitting = process_conditional( $omitting, $_, $currentfilename, $. );
 		next;
 	    }
@@ -2450,10 +2626,10 @@ sub read_a_line($) {
    }
 }

-sub process_shorewallrc( $ ) {
-    my $shorewallrc = shift;
+sub process_shorewallrc( $$ ) {
+    my ( $shorewallrc , $product ) = @_;

-    $shorewallrc{PRODUCT} = $family == F_IPV4 ? 'shorewall' : 'shorewall6';
+    $shorewallrc{PRODUCT} = $product;

    if ( open_file $shorewallrc ) {
 	while ( read_a_line( STRIP_COMMENTS | SUPPRESS_WHITESPACE | CHECK_GUNK ) ) {
@@ -2469,6 +2645,15 @@ sub process_shorewallrc( $ ) {
    } else {
 	fatal_error "Failed to open $shorewallrc: $!";
    }
+
+    if ( supplied $shorewallrc{VARDIR} ) {
+	if ( ! supplied $shorewallrc{VARLIB} ) {
+	    $shorewallrc{VARLIB} =  $shorewallrc{VARDIR};
+	    $shorewallrc{VARDIR} = "$shorewallrc{VARLIB}/$product";
+	}
+    } elsif ( supplied $shorewallrc{VARLIB} ) {
+	$shorewallrc{VARDIR} = "$shorewallrc{VARLIB}/$product" unless supplied $shorewallrc{VARDIR};
+    }
 }

 #
@@ -3040,7 +3225,7 @@ sub Old_IPSet_Match() {

 	if ( qt( "$ipset -N $sillyname iphash" ) ) {
 	    if ( qt1( "$iptables -A $sillyname -m set --set $sillyname src -j ACCEPT" ) ) {
-		qt1( "$iptables -D $sillyname -m set --set $sillyname src -j ACCEPT" );
+		qt1( "$iptables -F $sillyname" );
 		$result = $capabilities{IPSET_MATCH} = 1;
 	    }

@@ -3063,7 +3248,7 @@ sub IPSet_Match() {

 	if ( qt( "$ipset -N $sillyname iphash" ) || qt( "$ipset -N $sillyname hash:ip family $fam") ) {
 	    if ( qt1( "$iptables -A $sillyname -m set --match-set $sillyname src -j ACCEPT" ) ) {
-		qt1( "$iptables -D $sillyname -m set --match-set $sillyname src -j ACCEPT" );
+		qt1( "$iptables -F $sillyname" );
 		$result = ! ( $capabilities{OLD_IPSET_MATCH} = 0 );
 	    } else {
 		$result = have_capability 'OLD_IPSET_MATCH';
@@ -3115,7 +3300,79 @@ sub Realm_Match() {
 }

 sub Helper_Match() {
-    qt1( "$iptables -A $sillyname -m helper --helper \"ftp\"" );
+    qt1( "$iptables -A $sillyname -p tcp --dport 21 -m helper --helper ftp" );
+}
+
+sub have_helper( $$$ ) {
+    my ( $helper, $proto, $port ) = @_;
+
+    if ( $helpers_enabled{$helper} ) {
+	if ( have_capability 'CT_TARGET' ) {
+	    qt1( "$iptables -t raw -A $sillyname -p $proto --dport $port -j CT --helper $helper" );
+	} else {
+	    have_capability 'HELPER_MATCH';
+	}
+    }
+}
+
+sub Amanda_Helper() {
+    have_helper( 'amanda', 'udp', 10080 );
+}
+
+sub FTP0_Helper() {
+    have_helper( 'ftp-0', 'tcp', 21 ) and $helpers_aliases{ftp} = 'ftp-0';
+}
+
+sub FTP_Helper() {
+    have_helper( 'ftp', 'tcp', 21 ) || FTP0_Helper;
+}
+
+sub H323_Helpers() {
+    have_helper( 'RAS', 'udp', 1719 );
+}
+
+sub IRC0_Helper() {
+    have_helper( 'irc-0', 'tcp', 6667 ) and $helpers_aliases{irc} = 'irc-0';
+}
+
+sub IRC_Helper() {
+    have_helper( 'irc', 'tcp', 6667 ) || IRC0_Helper;
+}
+
+sub Netbios_ns_Helper() {
+    have_helper( 'netbios-ns', 'udp', 137 );
+}
+
+sub PPTP_Helper() {
+    have_helper( 'pptp', 'tcp', 1729 );
+}
+
+sub SANE0_Helper() {
+    have_helper( 'sane-0', 'tcp', 6566 ) and $helpers_aliases{sane} = 'sane-0';
+}
+
+sub SANE_Helper() {
+    have_helper( 'sane', 'tcp', 6566 ) || SANE0_Helper;
+}
+
+sub SIP0_Helper() {
+    have_helper( 'sip-0', 'udp', 5060 ) and $helpers_aliases{sip} = 'sip-0';
+}
+
+sub SIP_Helper() {
+    have_helper( 'sip', 'udp', 5060 ) || SIP0_Helper;
+}
+
+sub SNMP_Helper() {
+    have_helper( 'snmp', 'udp', 161 );
+}
+
+sub TFTP0_Helper() {
+    have_helper( 'tftp-0', 'udp', 69 ) and $helpers_aliases{tftp} = 'tftp-0';
+}
+
+sub TFTP_Helper() {
+    have_helper( 'tftp', 'udp', 69 ) || TFTP0_Helper;
 }

 sub Connlimit_Match() {
@@ -3192,8 +3449,6 @@ sub Ct_Target() {
    if ( have_capability 'RAW_TABLE' ) {
 	qt1( "$iptables -t raw -N $sillyname" );
 	$ct_target = qt1( "$iptables -t raw -A $sillyname -j CT --notrack" );
-	qt1( "$iptables -t raw -F $sillyname" );
-	qt1( "$iptables -t raw -X $sillyname" );
    }

    $ct_target;
@@ -3203,6 +3458,7 @@ sub Statistic_Match() {
    qt1( "$iptables -A $sillyname -m statistic --mode nth --every 2 --packet 1" );
 }

+
 sub Imq_Target() {
    have_capability 'MANGLE_ENABLED' && qt1( "$iptables -t mangle -A $sillyname -j IMQ --todev 0" );
 }
@@ -3237,6 +3493,7 @@ sub GeoIP_Match() {

 our %detect_capability =
    ( ACCOUNT_TARGET =>\&Account_Target,
+      AMANDA_HELPER => \&Amanda_Helper,
      AUDIT_TARGET => \&Audit_Target,
      ADDRTYPE => \&Addrtype,
      BASIC_FILTER => \&Basic_Filter,
@@ -3253,9 +3510,12 @@ our %detect_capability =
      ENHANCED_REJECT => \&Enhanced_Reject,
      EXMARK => \&Exmark,
      FLOW_FILTER => \&Flow_Filter,
+      FTP_HELPER => \&FTP_Helper,
+      FTP0_HELPER => \&FTP0_Helper,
      FWMARK_RT_MASK => \&Fwmark_Rt_Mask,
      GEOIP_MATCH => \&GeoIP_Match,
      GOTO_TARGET => \&Goto_Target,
+      H323_HELPER => \&H323_Helpers,
      HASHLIMIT_MATCH => \&Hashlimit_Match,
      HEADER_MATCH => \&Header_Match,
      HELPER_MATCH => \&Helper_Match,
@@ -3264,6 +3524,8 @@ our %detect_capability =
      IPP2P_MATCH => \&Ipp2p_Match,
      IPRANGE_MATCH => \&IPRange_Match,
      IPSET_MATCH => \&IPSet_Match,
+      IRC_HELPER => \&IRC_Helper,
+      IRC0_HELPER => \&IRC0_Helper,
      OLD_IPSET_MATCH => \&Old_IPSet_Match,
      IPSET_V5 => \&IPSET_V5,
      IPTABLES_S => \&Iptables_S,
@@ -3279,6 +3541,7 @@ our %detect_capability =
      MARK_ANYWHERE => \&Mark_Anywhere,
      MULTIPORT => \&Multiport,
      NAT_ENABLED => \&Nat_Enabled,
+      NETBIOS_NS_HELPER => \&Netbios_ns_Helper,
      NEW_CONNTRACK_MATCH => \&New_Conntrack_Match,
      NFACCT_MATCH => \&NFAcct_Match,
      NFQUEUE_TARGET => \&Nfqueue_Target,
@@ -3291,13 +3554,21 @@ our %detect_capability =
      PHYSDEV_BRIDGE => \&Physdev_Bridge,
      PHYSDEV_MATCH => \&Physdev_Match,
      POLICY_MATCH => \&Policy_Match,
+      PPTP_HELPER => \&PPTP_Helper,
      RAW_TABLE => \&Raw_Table,
      RAWPOST_TABLE => \&Rawpost_Table,
      REALM_MATCH => \&Realm_Match,
      RECENT_MATCH => \&Recent_Match,
      RPFILTER_MATCH => \&RPFilter_Match,
+      SANE_HELPER => \&SANE_Helper,
+      SANE0_HELPER => \&SANE0_Helper,
+      SIP_HELPER => \&SIP_Helper,
+      SIP0_HELPER => \&SIP0_Helper,
+      SNMP_HELPER => \&SNMP_Helper,
      STATISTIC_MATCH => \&Statistic_Match,
      TCPMSS_MATCH => \&Tcpmss_Match,
+      TFTP_HELPER => \&TFTP_Helper,
+      TFTP0_HELPER => \&TFTP0_Helper,
      TIME_MATCH => \&Time_Match,
      TPROXY_TARGET => \&Tproxy_Target,
      USEPKTTYPE => \&Usepkttype,
@@ -3402,7 +3673,6 @@ sub determine_capabilities() {
 	$capabilities{CLASSIFY_TARGET} = detect_capability( 'CLASSIFY_TARGET' );
 	$capabilities{IPMARK_TARGET}   = detect_capability( 'IPMARK_TARGET' );
 	$capabilities{TPROXY_TARGET}   = detect_capability( 'TPROXY_TARGET' );
-
 	$capabilities{MANGLE_FORWARD}  = detect_capability( 'MANGLE_FORWARD' );
 	$capabilities{RAW_TABLE}       = detect_capability( 'RAW_TABLE' );
 	$capabilities{RAWPOST_TABLE}   = detect_capability( 'RAWPOST_TABLE' );
@@ -3412,7 +3682,6 @@ sub determine_capabilities() {
 	$capabilities{TCPMSS_MATCH}    = detect_capability( 'TCPMSS_MATCH' );
 	$capabilities{NFQUEUE_TARGET}  = detect_capability( 'NFQUEUE_TARGET' );
 	$capabilities{REALM_MATCH}     = detect_capability( 'REALM_MATCH' );
-	$capabilities{HELPER_MATCH}    = detect_capability( 'HELPER_MATCH' );
 	$capabilities{CONNLIMIT_MATCH} = detect_capability( 'CONNLIMIT_MATCH' );
 	$capabilities{TIME_MATCH}      = detect_capability( 'TIME_MATCH' );
 	$capabilities{GOTO_TARGET}     = detect_capability( 'GOTO_TARGET' );
@@ -3437,6 +3706,12 @@ sub determine_capabilities() {
 	$capabilities{GEOIP_MATCH}     = detect_capability( 'GEOIP_MATCH' );
 	$capabilities{RPFILTER_MATCH}  = detect_capability( 'RPFILTER_MATCH' );
 	$capabilities{NFACCT_MATCH}    = detect_capability( 'NFACCT_MATCH' );
+	
+	if ( have_capability 'CT_TARGET' ) {
+	    $capabilities{$_} = detect_capability $_ for ( values( %helpers_map ) );
+	} else {
+	    $capabilities{HELPER_MATCH} = detect_capability 'HELPER_MATCH';
+	}

 	qt1( "$iptables -F $sillyname" );
 	qt1( "$iptables -X $sillyname" );
@@ -3453,6 +3728,11 @@ sub determine_capabilities() {
 	    qt1( "$iptables -t nat -X $sillyname" );
 	}

+	if ( $capabilities{RAW_ENABLED} ) {
+	    qt1( "$iptables -t raw -F $sillyname" );
+	    qt1( "$iptables -t raw -X $sillyname" );
+	}
+
 	$sillyname = $sillyname1 = undef;
    }
 }
@@ -3466,6 +3746,13 @@ sub require_capability( $$$ ) {
    fatal_error "$description require${singular} $capdesc{$capability} in your kernel and iptables" unless have_capability $capability;
 }

+#
+# Return Kernel Version
+#
+sub kernel_version() {
+    $capabilities{KERNELVERSION}
+}
+
 #
 # Set default config path
 #
@@ -3684,7 +3971,14 @@ sub process_shorewall_conf( $$ ) {
 		if ( $currentline =~ /^\s*([a-zA-Z]\w*)=(.*?)\s*$/ ) {
 		    my ($var, $val) = ($1, $2);

-		    warning_message "Unknown configuration option ($var) ignored", next unless exists $config{$var};
+		    unless ( exists $config{$var} ) {
+			if ( exists $renamed{$var} ) {
+			    $var = $renamed{$var};
+			} else {
+			    warning_message "Unknown configuration option ($var) ignored";
+			    next ;
+			}
+		    }

 		    $config{$var} = ( $val =~ /\"([^\"]*)\"$/ ? $1 : $val );

@@ -3728,7 +4022,9 @@ sub read_capabilities() {
 		next;
 	    }

-	    $capabilities{$var} = $val =~ /^\"([^\"]*)\"$/ ? $1 : $val;
+	    $val = $val =~ /^\"([^\"]*)\"$/ ? $1 : $val;
+	    
+	    $capabilities{$var} = $var =~ /VERSION$/ ? $val :  $val ne '';
 	} else {
 	    fatal_error "Unrecognized capabilities entry";
 	}
@@ -3751,6 +4047,7 @@ sub read_capabilities() {
    }

    $globals{KLUDGEFREE} = $capabilities{KLUDGEFREE};
+
 }

 #
@@ -4039,6 +4336,14 @@ sub get_configuration( $$$ ) {

    get_capabilities( $export );

+    report_capabilities unless $config{LOAD_HELPERS_ONLY};
+
+    $helpers_aliases{ftp}  = 'ftp-0',  $capabilities{FTP_HELPER}  = 1 if $capabilities{FTP0_HELPER};
+    $helpers_aliases{irc}  = 'irc-0',  $capabilities{IRC_HELPER}  = 1 if $capabilities{IRC0_HELPER};
+    $helpers_aliases{sane} = 'sane-0', $capabilities{SANE_HELPER} = 1 if $capabilities{SANE0_HELPER};
+    $helpers_aliases{sip}  = 'sip-0',  $capabilities{SIP_HELPER}  = 1 if $capabilities{SIP0_HELPER};
+    $helpers_aliases{tftp} = 'tftp-0', $capabilities{TFTP_HELPER} = 1 if $capabilities{TFTP0_HELPER};
+
    $globals{STATEMATCH} = '-m conntrack --ctstate' if have_capability 'CONNTRACK_MATCH';

    #
@@ -4246,6 +4551,30 @@ sub get_configuration( $$$ ) {
    default_yes_no 'LEGACY_FASTSTART'           , 'Yes';
    default_yes_no 'USE_PHYSICAL_NAMES'         , '';
    default_yes_no 'IPSET_WARNINGS'             , 'Yes';
+    default_yes_no 'AUTOHELPERS'                , 'Yes';
+
+    if ( supplied $config{HELPERS} ) {
+	my %helpers_temp = %helpers_enabled;
+
+	$helpers_temp{$_} = 0 for keys %helpers_temp;
+
+	for ( split_list $config{HELPERS} , 'helper' ) {
+	    my $name = $_;
+	    if ( exists $helpers_enabled{$name} ) {
+		s/-/_/;
+		require_capability( uc( $_ ) . '_HELPER' , "The $name helper", 's' );
+		$helpers_temp{$name} = 1;
+	    } else {
+		fatal_error "Unknown Helper ($_)";
+	    }
+	}
+	
+	%helpers_enabled = %helpers_temp;
+
+	while ( my ( $helper, $enabled ) = each %helpers_enabled ) {
+	    $capabilities{uc($helper) . '_HELPER'} = 0 unless $enabled; 
+	}
+    }

    require_capability 'MARK' , 'FORWARD_CLEAR_MARK=Yes', 's', if $config{FORWARD_CLEAR_MARK};

@@ -4491,8 +4820,6 @@ sub get_configuration( $$$ ) {
 	$config{LOCKFILE} = '';
    }

-    report_capabilities unless $config{LOAD_HELPERS_ONLY};
-
    require_capability( 'MULTIPORT'       , "Shorewall $globals{VERSION}" , 's' );
    require_capability( 'RECENT_MATCH'    , 'MACLIST_TTL' , 's' )           if $config{MACLIST_TTL};
    require_capability( 'XCONNMARK'       , 'HIGH_ROUTE_MARKS=Yes' , 's' )  if $config{PROVIDER_OFFSET} > 0;
--- a/Shorewall/Perl/Shorewall/IPAddrs.pm
+++ b/Shorewall/Perl/Shorewall/IPAddrs.pm
@@ -26,13 +26,13 @@
 #
 package Shorewall::IPAddrs;
 require Exporter;
-use Shorewall::Config qw( :DEFAULT split_list require_capability in_hex8 numeric_value F_IPV4 F_IPV6 );
+use Shorewall::Config qw( :DEFAULT split_list require_capability in_hex8 numeric_value F_IPV4 F_IPV6 :protocols );
 use Socket;

 use strict;

 our @ISA = qw(Exporter);
-our @EXPORT = qw( ALLIPv4
+our @EXPORT = ( qw( ALLIPv4
                  ALLIPv6
 		  NILIPv4
 		  NILIPv6
@@ -48,14 +48,6 @@ our @EXPORT = qw( ALLIPv4
 		  ALLIP
 		  NILIP
 		  ALL
-		  TCP
-		  UDP
-		  UDPLITE
-		  ICMP
-		  DCCP
-		  IPv6_ICMP
-		  SCTP
-		  GRE

 		  validate_address
 		  validate_net
@@ -80,7 +72,7 @@ our @EXPORT = qw( ALLIPv4
 		  validate_port_list
 		  validate_icmp
 		  validate_icmp6
-		 );
+		 ) );
 our @EXPORT_OK = qw( );
 our $VERSION = 'MODULEVERSION';

@@ -115,14 +107,7 @@ use constant { ALLIPv4             => '0.0.0.0/0' ,
 	       IPv6_LINK_ALLRTRS   => 'ff01::2' ,
 	       IPv6_SITE_ALLNODES  => 'ff02::1' ,
 	       IPv6_SITE_ALLRTRS   => 'ff02::2' ,
-	       ICMP                => 1,
-	       TCP                 => 6,
-	       UDP                 => 17,
-	       DCCP                => 33,
-	       GRE                 => 47,
-	       IPv6_ICMP           => 58,
-	       SCTP                => 132,
-	       UDPLITE             => 136 };
+	   };

 my @rfc1918_networks = ( "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16" );

@@ -193,7 +178,7 @@ sub encodeaddr( $ ) {
    $result;
 }

-sub validate_4net( $$ ) {
+sub validate_4net( $$; $ ) {
    my ($net, $vlsm, $rest) = split( '/', $_[0], 3 );
    my $allow_name = $_[1];

@@ -222,11 +207,13 @@ sub validate_4net( $$ ) {
    }

    if ( defined wantarray ) {
-	assert ( ! $allow_name );
 	if ( wantarray ) {
+	    assert( ! $allow_name );
 	    ( decodeaddr( $net ) , $vlsm );
+	} elsif ( valid_4address $net ) {
+	    $vlsm == 32 ? $net : "$net/$vlsm";
 	} else {
-	    "$net/$vlsm";
+	    $net;
 	}
    }
 }
@@ -621,9 +608,9 @@ sub validate_6address( $$ ) {
    defined wantarray ? wantarray ? @addrs : $addrs[0] : undef;
 }

-sub validate_6net( $$ ) {
+sub validate_6net( $$;$ ) {
    my ($net, $vlsm, $rest) = split( '/', $_[0], 3 );
-    my $allow_name = $_[1];
+    my $allow_name = $_[0];

    if ( $net =~ /\+(\[?)/ ) {
 	if ( $1 ) {
@@ -635,22 +622,28 @@ sub validate_6net( $$ ) {
 	}
    }

+    fatal_error "Invalid Network address ($_[0])" unless supplied $net;
+
+    $net = $1 if $net =~ /^\[(.*)\]$/;
+
    if ( defined $vlsm ) {
        fatal_error "Invalid VLSM ($vlsm)"              unless $vlsm =~ /^\d+$/ && $vlsm <= 128;
 	fatal_error "Invalid Network address ($_[0])"   if defined $rest;
 	fatal_error "Invalid IPv6 address ($net)"       unless valid_6address $net;
    } else {
-	fatal_error "Invalid Network address ($_[0])" if $_[0] =~ '/' || ! defined $net;
+	fatal_error "Invalid Network address ($_[0])" if $_[0] =~ '/';
 	validate_6address $net, $allow_name;
 	$vlsm = 128;
    }

    if ( defined wantarray ) {
-	assert ( ! $allow_name );
 	if ( wantarray ) {
+	    assert( ! $allow_name );
 	    ( $net , $vlsm );
+	} elsif ( valid_6address ( $net ) ) {
+	    $vlsm == 32 ? $net : "$net/$vlsm";
 	} else {
-	    "$net/$vlsm";
+	    $net;
 	}
    }
 }
--- a/Shorewall/Perl/Shorewall/Misc.pm
+++ b/Shorewall/Perl/Shorewall/Misc.pm
@@ -41,6 +41,7 @@ our @EXPORT = qw( process_tos
 		  add_common_rules
 		  setup_mac_lists
 		  process_routestopped
+		  process_stoppedrules
 		  compile_stop_firewall
 		  generate_matrix
 		  );
@@ -203,25 +204,24 @@ sub setup_blacklist() {
    my $target      = $disposition eq 'REJECT' ? 'reject' : $disposition;
    my $orig_target = $target;

-    #
-    # We go ahead and generate the blacklist chains and jump to them, even if they turn out to be empty. That is necessary
-    # for 'refresh' to work properly.
-    #
-    if ( @$zones || @$zones1 ) {
-	$chainref  = set_optflags( new_standard_chain( 'blacklst' ), DONT_OPTIMIZE | DONT_DELETE ) if @$zones;
-	$chainref1 = set_optflags( new_standard_chain( 'blackout' ), DONT_OPTIMIZE | DONT_DELETE ) if @$zones1;
-
-	if ( supplied $level ) {
-	    $target = ensure_blacklog_chain ( $target, $disposition, $level, $audit );
-	} elsif ( $audit ) {
-	    require_capability 'AUDIT_TARGET', "BLACKLIST_DISPOSITION=$disposition", 's';
-	    $target = verify_audit( $disposition );
-	}
-    }
-
  BLACKLIST:
    {
 	if ( my $fn = open_file 'blacklist' ) {
+	    #
+	    # We go ahead and generate the blacklist chains and jump to them, even if they turn out to be empty. That is necessary
+	    # for 'refresh' to work properly.
+	    #
+	    if ( @$zones || @$zones1 ) {
+		$chainref  = set_optflags( new_standard_chain( 'blacklst' ), DONT_OPTIMIZE | DONT_DELETE ) if @$zones;
+		$chainref1 = set_optflags( new_standard_chain( 'blackout' ), DONT_OPTIMIZE | DONT_DELETE ) if @$zones1;
+
+		if ( supplied $level ) {
+		    $target = ensure_blacklog_chain ( $target, $disposition, $level, $audit );
+		} elsif ( $audit ) {
+		    require_capability 'AUDIT_TARGET', "BLACKLIST_DISPOSITION=$disposition", 's';
+		    $target = verify_audit( $disposition );
+		}
+	    }

 	    my $first_entry = 1;

@@ -668,6 +668,93 @@ sub process_routestopped() {
    }
 }

+#
+# Process the stoppedrules file. Returns true if the file was non-empty.
+#
+sub process_stoppedrules() {
+    my $fw = firewall_zone;
+    my $result;
+
+    if ( my $fn = open_file 'stoppedrules' ) {
+	first_entry "$doing $fn...";
+
+	while ( read_a_line( NORMAL_READ ) ) {
+
+	    $result = 1;
+
+	    my ( $target, $source, $dest, $proto, $ports, $sports ) = 
+		split_line1 'stoppedrules file', { target => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5 }, { COMMENT => 0, FORMAT => 2 };
+
+	    fatal_error( "Invalid TARGET ($target)" ) unless $target =~ /^(?:ACCEPT|NOTRACK)$/;
+
+	    my $tableref;
+
+	    my $chainref;
+	    my $restriction = NO_RESTRICT;
+
+	    if ( $target eq 'NOTRACK' ) {
+		$tableref = $raw_table;
+		require_capability 'RAW_TABLE', 'NOTRACK', 's';
+		$chainref = $raw_table->{PREROUTING};
+		$restriction = PREROUTE_RESTRICT | DESTIFACE_DISALLOW;
+	    } else {
+		$tableref = $filter_table;
+	    }
+
+	    if ( $source eq $fw ) {
+		$chainref = $tableref->{OUTPUT};
+		$source = '';
+		$restriction = OUTPUT_RESTRICT;
+	    } 
+
+	    if ( $source =~ s/^($fw):// ) {
+		$chainref = $filter_table->{OUTPUT};
+		$restriction = OUTPUT_RESTRICT;
+	    }
+
+	    if ( $dest eq $fw ) {
+		fatal_error "\$FW may not be specified as the destination of a NOTRACK rule" if $target eq 'NOTRACK';
+		$chainref = $filter_table->{INPUT};
+		$dest = '';
+		$restriction = INPUT_RESTRICT;
+	    }
+
+	    if ( $dest =~ s/^($fw):// ) {
+		fatal_error "\$FW may not be specified as the destination of a NOTRACK rule" if $target eq 'NOTRACK';
+		$chainref = $filter_table->{INPUT};
+		$restriction = INPUT_RESTRICT;
+	    }
+
+	    $chainref = $tableref->{FORWARD} unless $chainref;
+
+	    my $disposition = $target;
+
+	    $target = 'CT --notrack' if $target eq 'NOTRACK' and have_capability( 'CT_TARGET' );
+
+	    unless ( $restriction == OUTPUT_RESTRICT
+		     && $target eq 'ACCEPT'
+		     && $config{ADMINISABSENTMINDED} ) {
+		expand_rule( $chainref ,
+			     $restriction ,
+			     do_proto( $proto, $ports, $sports ) ,
+			     $source ,
+			     $dest ,
+			     '' ,
+			     $target,
+			     '',
+			     $disposition,
+			     do_proto( $proto, '-', '-' ) );
+	    } else {
+		warning_message "Redundant OUTPUT rule ignored because ADMINISABSENTMINDED=Yes";
+	    }
+	}
+    }
+
+    clear_comment;
+
+    $result;
+}
+
 sub setup_mss();

 sub add_common_rules ( $ ) {
@@ -681,7 +768,7 @@ sub add_common_rules ( $ ) {
    my $chain;
    my $dynamicref;

-    my @state     = $config{BLACKLISTNEWONLY} ? $globals{UNTRACKED} ? state_imatch 'NEW,INVALID,UNTRACKED' : state_imatch 'NEW,INVALID' : ();
+    my @state     = $config{BLACKLISTNEWONLY} ? have_capability( 'RAW_TABLE' ) ? state_imatch 'NEW,INVALID,UNTRACKED' : state_imatch 'NEW,INVALID' : ();
    my $faststate = $config{RELATED_DISPOSITION} eq 'ACCEPT' && $config{RELATED_LOG_LEVEL} eq '' ? 'ESTABLISHED,RELATED' : 'ESTABLISHED';
    my $level     = $config{BLACKLIST_LOGLEVEL};
    my $rejectref = $filter_table->{reject};
@@ -882,7 +969,7 @@ sub add_common_rules ( $ ) {
 	    add_ijump( $chainref, g => $smurfdest, s => IPv6_MULTICAST );
 	}

-	my @state = $globals{UNTRACKED} ? state_imatch 'NEW,INVALID,UNTRACKED' : state_imatch 'NEW,INVALID';
+	my @state = have_capability( 'RAW_TABLE' ) ? state_imatch 'NEW,INVALID,UNTRACKED' : state_imatch 'NEW,INVALID';

 	for my $hostref  ( @$list ) {
 	    $interface     = $hostref->[0];
@@ -1187,7 +1274,7 @@ sub setup_mac_lists( $ ) {
 	    my @policy     = have_ipsec ? ( policy => "--pol $ipsec --dir in" ) : ();
 	    my @source     = imatch_source_net $hostref->[2];

-	    my @state = $globals{UNTRACKED} ? state_imatch 'NEW,UNTRACKED' : state_imatch 'NEW';
+	    my @state = have_capability( 'RAW_TABLE' ) ? state_imatch 'NEW,UNTRACKED' : state_imatch 'NEW';

 	    if ( $table eq 'filter' ) {
 		my $chainref = source_exclusion( $hostref->[3], $filter_table->{mac_chain $interface} );
@@ -1342,6 +1429,7 @@ sub generate_source_rules( $$$;@ ) {
 sub handle_loopback_traffic() {
    my @zones   = ( vserver_zones, firewall_zone );
    my $natout  = $nat_table->{OUTPUT};
+    my $rawout  = $raw_table->{OUTPUT};
    my $rulenum = 0;

    my $outchainref;
@@ -1365,6 +1453,7 @@ sub handle_loopback_traffic() {
 	my $z1ref            = find_zone( $z1 );
 	my $type1            = $z1ref->{type};
 	my $natref           = $nat_table->{dnat_chain $z1};
+	my $notrackref       = $raw_table->{notrack_chain( $z1 )};
 	#
 	# Add jumps in the 'output' chain to the rules chains
 	#
@@ -1374,10 +1463,32 @@ sub handle_loopback_traffic() {

 		generate_dest_rules( $outchainref, $chain, $z2, @rule ) if $chain;
 	    }
+	    #
+	    # Handle conntrack 
+	    #
+	    if ( $notrackref ) {
+		add_ijump $rawout, j => $notrackref if $notrackref->{referenced};
+	    }
 	} else {
 	    for my $z2 ( @zones ) {
 		generate_source_rules( $outchainref, $z1, $z2, @rule );
 	    }
+	    #
+	    # Handle conntrack rules
+	    #
+	    if ( $notrackref->{referenced} ) {
+		for my $hostref ( @{defined_zone( $z1 )->{hosts}{ip}{'%vserver%'}} ) {
+		    my $exclusion   = source_exclusion( $hostref->{exclusions}, $notrackref);
+		    my @ipsec_match = match_ipsec_in $z1 , $hostref;
+
+		    for my $net ( @{$hostref->{hosts}} ) {
+			add_ijump( $rawout,
+				   j => $exclusion ,
+				   imatch_source_net $net,
+				   @ipsec_match );
+		    }
+		}
+	    }
 	}

 	if ( $natref && $natref->{referenced} ) {
@@ -1512,7 +1623,7 @@ sub handle_complex_zone( $$ ) {

    if ( have_ipsec ) {
 	#
-	# Prior to KLUDGEFREE, policy match could only match an 'in' or an 'out' policy (but not both), so we place the
+	# In general, policy match can only match an 'in' or an 'out' policy (but not both), so we place the
 	# '--pol ipsec --dir in' rules at the front of the (interface) forwarding chains. Otherwise, decrypted packets
 	# can match '--pol none --dir out' rules and send the packets down the wrong rules chain.
 	#
@@ -1995,12 +2106,6 @@ sub generate_matrix() {
 	}
    }
    #
-    # NOTRACK from firewall
-    #
-    if ( ( my $notrackref = $raw_table->{notrack_chain(firewall_zone)}) ) {
-	add_ijump $raw_table->{OUTPUT}, j => $notrackref if $notrackref->{referenced};
-    }
-    #
    # Main source-zone matrix-generation loop
    #
    progress_message '  Entering main matrix-generation loop...';
@@ -2322,6 +2427,14 @@ EOF
    deletechain shorewall

    run_stop_exit
+
+    #
+    # Enable automatic helper association on kernel 3.5.0 and later
+    #
+    if [ -f /proc/sys/net/netfilter/nf_conntrack_helper ]; then
+        echo 1 > /proc/sys/net/netfilter/nf_conntrack_helper
+    fi
+
 EOF

    if ( have_capability( 'NAT_ENABLED' ) ) {
@@ -2389,7 +2502,7 @@ EOF
 	}
    }

-    process_routestopped;
+    process_routestopped unless process_stoppedrules;

    add_ijump $input,  j => 'ACCEPT', i => 'lo';
    add_ijump $output, j => 'ACCEPT', o => 'lo' unless $config{ADMINISABSENTMINDED};
--- a/Shorewall/Perl/Shorewall/Nat.pm
+++ b/Shorewall/Perl/Shorewall/Nat.pm
@@ -431,8 +431,8 @@ sub setup_netmap() {
 		    my @rulein;
 		    my @ruleout;

-		    validate_net $net1, 0;
-		    validate_net $net2, 0;
+		    $net1 = validate_net $net1, 0;
+		    $net2 = validate_net $net2, 0;

 		    unless ( $interfaceref->{root} ) {
 			@rulein  = imatch_source_dev( $interface );
@@ -466,7 +466,7 @@ sub setup_netmap() {

 		    require_capability 'RAWPOST_TABLE', 'Stateless NAT Entries', '';

-		    validate_net $net2, 0;
+		    $net2 = validate_net $net2, 0;

 		    unless ( $interfaceref->{root} ) {
 			@match = imatch_dest_dev(  $interface );
@@ -632,12 +632,13 @@ sub handle_nat_rule( $$$$$$$$$$$$ ) {
    #
    # And generate the nat table rule(s)
    #
+    my $firewallsource = $sourceref && ( $sourceref->{type} & ( FIREWALL | VSERVER ) );
+
    expand_rule ( ensure_chain ('nat' ,
-				( $action_chain ?
-				  $action_chain :
-				  ( $sourceref->{type} == FIREWALL ? 'OUTPUT' : 
-				    dnat_chain $sourceref->{name} ) ) ),
-		  PREROUTE_RESTRICT ,
+				( $action_chain   ? $action_chain :
+				  $firewallsource ? 'OUTPUT' :
+				  dnat_chain $sourceref->{name} ) ) ,
+		  $firewallsource ? OUTPUT_RESTRICT : PREROUTE_RESTRICT ,
 		  $rule ,
 		  $source ,
 		  $origdest ,
--- a/Shorewall/Perl/Shorewall/Providers.pm
+++ b/Shorewall/Perl/Shorewall/Providers.pm
@@ -121,7 +121,7 @@ sub setup_route_marking() {

    require_capability( $_ , q(The provider 'track' option) , 's' ) for qw/CONNMARK_MATCH CONNMARK/;

-    add_ijump $mangle_table->{$_} , j => 'CONNMARK', targetopts => "--restore-mark --mask $mask", connmark => "! --mark 0/$mask" for qw/PREROUTING OUTPUT/;
+    add_ijump $mangle_table->{$_} , j => 'CONNMARK', targetopts => "--restore-mark --mask $mask" for qw/PREROUTING OUTPUT/;

    my $chainref  = new_chain 'mangle', 'routemark';

@@ -938,7 +938,7 @@ sub add_an_rtrule( ) {
    if ( $dest eq '-' ) {
 	$dest = 'to ' . ALLIP;
    } else {
-	validate_net( $dest, 0 );
+	$dest = validate_net( $dest, 0 );
 	$dest = "to $dest";
    }

@@ -950,22 +950,22 @@ sub add_an_rtrule( ) {
 	if ( $source =~ /:/ ) {
 	    ( my $interface, $source , my $remainder ) = split( /:/, $source, 3 );
 	    fatal_error "Invalid SOURCE" if defined $remainder;
-	    validate_net ( $source, 0 );
+	    $source = validate_net ( $source, 0 );
 	    $interface = physical_name $interface;
 	    $source = "iif $interface from $source";
 	} elsif ( $source =~ /\..*\..*/ ) {
-	    validate_net ( $source, 0 );
+	    $source = validate_net ( $source, 0 );
 	    $source = "from $source";
 	} else {
 	    $source = 'iif ' . physical_name $source;
 	}
-    } elsif ( $source =~  /^(.+?):<(.+)>\s*$/ ||  $source =~  /^(.+?):\[(.+)\]\s*$/ ) {
+    } elsif ( $source =~  /^(.+?):<(.+)>\s*$/ ||  $source =~  /^(.+?):\[(.+)\]\s*$/ || $source =~ /^(.+?):(\[.+?\](?:\/\d+))$/ ) {
 	my ($interface, $source ) = ($1, $2);
-	validate_net ($source, 0);
+	$source = validate_net ($source, 0);
 	$interface = physical_name $interface;
 	$source = "iif $interface from $source";
    } elsif (  $source =~ /:.*:/ || $source =~ /\..*\..*/ ) {
-	validate_net ( $source, 0 );
+	$source = validate_net ( $source, 0 );
 	$source = "from $source";
    } else {
 	$source = 'iif ' . physical_name $source;
@@ -1020,7 +1020,7 @@ sub add_a_route( ) {
    }

    fatal_error 'DEST must be specified' if $dest eq '-';
-    validate_net ( $dest, 1 );
+    $dest = validate_net ( $dest, 1 );

    validate_address ( $gateway, 1 ) if $gateway ne '-';

@@ -1214,7 +1214,7 @@ sub process_providers( $ ) {

 	if ( $fn ){
 	    if ( -f ( my $fn1 = find_file 'rtrules' ) ) {
-		warning_message "Both $fn and $fn1 exists: $fn1 will be ignored";
+		warning_message "Both $fn and $fn1 exist: $fn1 will be ignored";
 	    }
 	} else {
 	    $fn = open_file( 'rtrules' );
--- a/Shorewall/Perl/Shorewall/Raw.pm
+++ b/Shorewall/Perl/Shorewall/Raw.pm
@@ -20,7 +20,7 @@
 #       along with this program; if not, write to the Free Software
 #       Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
-#   This module contains the code that handles the /etc/shorewall/notrack file.
+#   This module contains the code that handles the /etc/shorewall/conntrack file.
 #
 package Shorewall::Raw;
 require Exporter;
@@ -32,8 +32,8 @@ use Shorewall::Chains qw(:DEFAULT :internal);
 use strict;

 our @ISA = qw(Exporter);
-our @EXPORT = qw( setup_notrack );
-our @EXPORT_OK = qw( );
+our @EXPORT = qw( setup_conntrack );
+our @EXPORT_OK = qw( handle_helper_rule );
 our $VERSION = 'MODULEVERSION';

 my %valid_ctevent = ( new => 1, related => 1, destroy => 1, reply => 1, assured => 1, protoinfo => 1, helper => 1, mark => 1, natseqinfo => 1, secmark => 1 );
@@ -41,54 +41,89 @@ my %valid_ctevent = ( new => 1, related => 1, destroy => 1, reply => 1, assured
 #
 # Notrack
 #
-sub process_notrack_rule( $$$$$$$ ) {
+sub process_conntrack_rule( $$$$$$$$$ ) {

-    my ($action, $source, $dest, $proto, $ports, $sports, $user ) = @_;
+    my ($chainref, $zoneref, $action, $source, $dest, $proto, $ports, $sports, $user ) = @_;
+
+    require_capability 'RAW_TABLE', 'conntrack rules', '';

    $proto  = ''    if $proto  eq 'any';
    $ports  = ''    if $ports  eq 'any' || $ports  eq 'all';
    $sports = ''    if $sports eq 'any' || $sports eq 'all';

-    ( my $zone, $source) = split /:/, $source, 2;
-    my $zoneref  = find_zone $zone;
-    my $chainref = ensure_raw_chain( notrack_chain $zone );
-    my $restriction = $zoneref->{type} == FIREWALL || $zoneref->{type} == VSERVER ? OUTPUT_RESTRICT : PREROUTE_RESTRICT;
+    my $zone;
+    my $restriction = PREROUTE_RESTRICT;

-    fatal_error 'USER/GROUP is not allowed unless the SOURCE zone is $FW or a Vserver zone' if $user ne '-' && $restriction != OUTPUT_RESTRICT;
-    require_capability 'RAW_TABLE', 'Notrack rules', '';
+    unless ( $chainref ) {
+	#
+	# Entry in the conntrack file
+	#
+	if ( $zoneref ) {
+	    $zone = $zoneref->{name};
+	} else {
+	    ($zone, $source) = split /:/, $source, 2;
+	    $zoneref = find_zone ( $zone );
+	}
+
+	$chainref = ensure_raw_chain( notrack_chain $zone );
+	$restriction = OUTPUT_RESTRICT if $zoneref->{type} == FIREWALL || $zoneref->{type} == VSERVER;
+	fatal_error 'USER/GROUP is not allowed unless the SOURCE zone is $FW or a Vserver zone' if $user ne '-' && $restriction != OUTPUT_RESTRICT;
+    }

    my $target = $action;
    my $exception_rule = '';
    my $rule = do_proto( $proto, $ports, $sports ) . do_user ( $user );

-    unless ( $action eq 'NOTRACK' ) {
+    if ( $action eq 'NOTRACK' ) {
+	#
+	# A patch that deimplements the NOTRACK target has been posted on the
+	# Netfilter development list
+	#
+	$action = 'CT --notrack' if have_capability 'CT_TARGET';
+    } else {
 	(  $target, my ( $option, $args, $junk ) ) = split ':', $action, 4;

 	fatal_error "Invalid notrack ACTION ( $action )" if $junk || $target ne 'CT';

-	require_capability 'CT_TARGET', 'CT entries in the notrack file', '';
+	require_capability 'CT_TARGET', 'CT entries in the conntrack file', '';

 	if ( $option eq 'notrack' ) {
-	    fatal_error "Invalid notrack ACTION ( $action )" if supplied $args;
+	    fatal_error "Invalid conntrack ACTION ( $action )" if supplied $args;
 	    $action = 'CT --notrack';
 	} else {
 	    fatal_error "Invalid or missing CT option and arguments" unless supplied $option && supplied $args;

 	    if ( $option eq 'helper' ) {
-		fatal_error "Invalid helper' ($args)" if $args =~ /,/;
-		validate_helper( $args, $proto );
-		$action = "CT --helper $args";
-		$exception_rule = do_proto( $proto, '-', '-' );
-	    } elsif ( $option eq 'ctevents' ) {
-		for ( split ',', $args ) {
-		    fatal_error "Invalid 'ctevents' event ($_)" unless $valid_ctevent{$_};
+		my $modifiers = '';
+
+		if ( $args =~ /^([-\w.]+)\((.+)\)$/ ) {
+		    $args      = $1;
+		    $modifiers = $2;
 		}

-		$action = "CT --ctevents $args";
-	    } elsif ( $option eq 'expevent' ) {
-		fatal_error "Invalid expevent argument ($args)" unless $args eq 'new';
-	    } elsif ( $option eq 'zone' ) {
-		fatal_error "Invalid zone id ($args)" unless $args =~ /^\d+$/;
+		fatal_error "Invalid helper' ($args)" if $args =~ /,/;
+		validate_helper( $args, $proto );
+		$action = "CT --helper $helpers_aliases{$args}";
+		$exception_rule = do_proto( $proto, '-', '-' );
+
+		for my $mod ( split_list1( $modifiers, 'ctevents' ) ) {
+		    fatal_error "Invalid helper option ($mod)" unless $mod =~ /^(\w+)=(.+)$/;
+		    $mod    = $1;
+		    my $val = $2;
+		    
+		    if ( $mod eq 'ctevents' ) {
+			for ( split_list( $val, 'ctevents' ) ) {
+			    fatal_error "Invalid 'ctevents' event ($_)" unless $valid_ctevent{$_};
+			}
+
+			$action .= " --ctevents $val";
+		    } elsif ( $mod eq 'expevents' ) {
+			fatal_error "Invalid expevent argument ($val)" unless $val eq 'new';
+			$action .= ' --expevents new';
+		    } else {
+			fatal_error "Invalid helper option ($mod)";
+		    }
+		}
 	    } else {
 		fatal_error "Invalid CT option ($option)";
 	    }
@@ -106,9 +141,60 @@ sub process_notrack_rule( $$$$$$$ ) {
 		 $target ,
 		 $exception_rule );

-    progress_message "  Notrack rule \"$currentline\" $done";
+    progress_message "  Conntrack rule \"$currentline\" $done";
+}

-    $globals{UNTRACKED} = 1;
+sub handle_helper_rule( $$$$$$$$$$$ ) {
+    my ( $helper, $source, $dest, $proto, $ports, $sports, $sourceref, $action_target, $actionchain, $user, $rule ) = @_;
+
+    if ( $helper ne '-' ) {
+	fatal_error "A HELPER is not allowed with this ACTION" if $action_target;
+	#
+	# This means that an ACCEPT or NAT rule with a helper is being processed
+	#
+	process_conntrack_rule( $actionchain ? ensure_raw_chain( $actionchain ) : undef ,
+				$sourceref ,
+				"CT:helper:$helper",
+				$source ,
+				$dest ,
+				$proto ,
+				$ports ,
+				$sports ,
+				$user );
+    } else {
+	assert( $action_target );
+	#
+	# The target is an action
+	#
+	if ( $actionchain ) {
+	    #
+	    # And the source is another action chain
+	    #
+	    expand_rule( ensure_raw_chain( $actionchain ) ,
+			 PREROUTE_RESTRICT ,
+			 $rule ,
+			 $source ,
+			 $dest ,
+			 '' ,
+			 $action_target ,
+			 '',
+			 'CT' ,
+			 '' );
+	} else {
+	    expand_rule( ensure_raw_chain( notrack_chain( $sourceref->{name} ) ) ,
+			 ( $sourceref->{type} == FIREWALL || $sourceref->{type} == VSERVER ?
+			   OUTPUT_RESTRICT :
+			   PREROUTE_RESTRICT ) ,
+			 $rule ,
+			 $source ,
+			 $dest ,
+			 '' ,
+			 $action_target ,
+			 '' ,
+			 'CT' ,
+			 '' );
+	}
+    }
 }

 sub process_format( $ ) {
@@ -119,51 +205,72 @@ sub process_format( $ ) {
    $format;
 }

-sub setup_notrack() {
+sub setup_conntrack() {

-    my $format = 1;
-    my $action = 'NOTRACK';
+    for my $name ( qw/notrack conntrack/ ) {

-    if ( my $fn = open_file 'notrack' ) {
+	my $fn = open_file( $name );

-	first_entry "$doing $fn...";
+	if ( $fn ) {

-	my $nonEmpty = 0;
+	    my $format = 1;

-	while ( read_a_line( NORMAL_READ ) ) {
-	    my ( $source, $dest, $proto, $ports, $sports, $user );
+	    my $action = 'NOTRACK';

-	    if ( $format == 1 ) {
-		( $source, $dest, $proto, $ports, $sports, $user ) = split_line1 'Notrack File', { source => 0, dest => 1, proto => 2, dport => 3, sport => 4, user => 5 };
+	    my $empty = 1;

-		if ( $source eq 'FORMAT' ) {
-		    $format = process_format( $dest );
-		    next;
-		}
+	    first_entry( "$doing $fn..." );

-		if ( $source eq 'COMMENT' ) {
-		    process_comment;
-		    next;
-		}
-	    } else {
-		( $action, $source, $dest, $proto, $ports, $sports, $user ) = split_line1 'Notrack File', { action => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5, user => 6 }, { COMMENT => 0, FORMAT => 2 };
+	    while ( read_a_line( NORMAL_READ ) ) {
+		my ( $source, $dest, $proto, $ports, $sports, $user );

-		if ( $action eq 'FORMAT' ) {
-		    $format = process_format( $source );
-		    $action = 'NOTRACK';
-		    next;
+		if ( $format == 1 ) {
+		    ( $source, $dest, $proto, $ports, $sports, $user ) = split_line1 'Conntrack File', { source => 0, dest => 1, proto => 2, dport => 3, sport => 4, user => 5 };
+
+		    if ( $source eq 'FORMAT' ) {
+			$format = process_format( $dest );
+			next;
+		    }
+		} else {
+		    ( $action, $source, $dest, $proto, $ports, $sports, $user ) = split_line1 'Conntrack File', { action => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5, user => 6 }, { COMMENT => 0, FORMAT => 2 };
+
+		    if ( $action eq 'FORMAT' ) {
+			$format = process_format( $source );
+			$action = 'NOTRACK';
+			next;
+		    }
 		}

 		if ( $action eq 'COMMENT' ) {
 		    process_comment;
 		    next;
 		}
+
+		$empty = 0;
+
+		if ( $source eq 'all' ) {
+		    for my $zone (all_zones) {
+			process_conntrack_rule( undef, undef, $action, $zone, $dest, $proto, $ports, $sports, $user );
+		    }
+		} else {
+		    process_conntrack_rule( undef, undef, $action, $source, $dest, $proto, $ports, $sports, $user );
+		}
 	    }

-	    process_notrack_rule $action, $source, $dest, $proto, $ports, $sports, $user;
-	}
+	    clear_comment;

-	clear_comment;
+	    if ( $name eq 'notrack') {
+		if ( $empty ) {
+		    if ( unlink( $fn ) ) {
+			warning_message "Empty notrack file ($fn) removed";
+		    } else {
+			warning_message "Unable to remove empty notrack file ($fn): $!";
+		    }
+		} else {
+		    warning_message "Non-empty notrack file ($fn); please move its contents to the conntrack file";
+		}
+	    }
+	}
    }
 }

--- a/Shorewall/Perl/Shorewall/Rules.pm
+++ b/Shorewall/Perl/Shorewall/Rules.pm
@@ -34,6 +34,7 @@ use Shorewall::Zones;
 use Shorewall::Chains qw(:DEFAULT :internal);
 use Shorewall::IPAddrs;
 use Shorewall::Nat qw(:rules);
+use Shorewall::Raw qw( handle_helper_rule );
 use Scalar::Util 'reftype';

 use strict;
@@ -91,7 +92,9 @@ my %rulecolumns = ( action    =>   0,
 		    connlimit =>  10,
 		    time      =>  11,
 		    headers   =>  12,
-		    switch    =>  13 );
+		    switch    =>  13,
+		    helper    =>  14,
+		  );

 use constant { MAX_MACRO_NEST_LEVEL => 5 };

@@ -915,7 +918,7 @@ sub new_action( $$ ) {

    fatal_error "Invalid action name($action)" if reserved_name( $action );

-    $actions{$action} = { actchain => ''  };
+    $actions{$action} = { actchain => '' };

    $targets{$action} = $type;
 }
@@ -1424,7 +1427,7 @@ sub process_actions() {

 }

-sub process_rule1 ( $$$$$$$$$$$$$$$$$ );
+sub process_rule1 ( $$$$$$$$$$$$$$$$$$ );

 #
 # Populate an action invocation chain. As new action tuples are encountered,
@@ -1457,14 +1460,14 @@ sub process_action( $) {

 	while ( read_a_line( NORMAL_READ ) ) {

-	    my ($target, $source, $dest, $proto, $ports, $sports, $origdest, $rate, $user, $mark, $connlimit, $time, $headers, $condition );
+	    my ($target, $source, $dest, $proto, $ports, $sports, $origdest, $rate, $user, $mark, $connlimit, $time, $headers, $condition, $helper );

 	    if ( $format == 1 ) {
 		($target, $source, $dest, $proto, $ports, $sports, $rate, $user, $mark ) =
 		    split_line1 'action file', { target => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5, rate => 6, user => 7, mark => 8 }, $rule_commands;
-		$origdest = $connlimit = $time = $headers = $condition = '-';
+		$origdest = $connlimit = $time = $headers = $condition = $helper = '-';
 	    } else {
-		($target, $source, $dest, $proto, $ports, $sports, $origdest, $rate, $user, $mark, $connlimit, $time, $headers, $condition )
+		($target, $source, $dest, $proto, $ports, $sports, $origdest, $rate, $user, $mark, $connlimit, $time, $headers, $condition, $helper )
 		    = split_line1 'action file', \%rulecolumns, $action_commands;
 	    }

@@ -1502,6 +1505,7 @@ sub process_action( $) {
 			   $time,
 			   $headers,
 			   $condition,
+			   $helper,
 			   0 );
 	}

@@ -1531,8 +1535,8 @@ sub use_policy_action( $ ) {
 #
 # Expand a macro rule from the rules file
 #
-sub process_macro ( $$$$$$$$$$$$$$$$$$ ) {
-    my ($macro, $chainref, $target, $param, $source, $dest, $proto, $ports, $sports, $origdest, $rate, $user, $mark, $connlimit, $time, $headers, $condition, $wildcard ) = @_;
+sub process_macro ( $$$$$$$$$$$$$$$$$$$) {
+    my ($macro, $chainref, $target, $param, $source, $dest, $proto, $ports, $sports, $origdest, $rate, $user, $mark, $connlimit, $time, $headers, $condition, $helper, $wildcard ) = @_;

    my $nocomment = no_comment;

@@ -1550,13 +1554,13 @@ sub process_macro ( $$$$$$$$$$$$$$$$$$ ) {

    while ( read_a_line( NORMAL_READ ) ) {

-	my ( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $morigdest, $mrate, $muser, $mmark, $mconnlimit, $mtime, $mheaders, $mcondition );
+	my ( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $morigdest, $mrate, $muser, $mmark, $mconnlimit, $mtime, $mheaders, $mcondition, $mhelper);

 	if ( $format == 1 ) {
 	    ( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $mrate, $muser ) = split_line1 'macro file', \%rulecolumns, $rule_commands;
-	    ( $morigdest, $mmark, $mconnlimit, $mtime, $mheaders, $mcondition ) = qw/- - - - - -/;
+	    ( $morigdest, $mmark, $mconnlimit, $mtime, $mheaders, $mcondition, $mhelper ) = qw/- - - - - - -/;
 	} else {
-	    ( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $morigdest, $mrate, $muser, $mmark, $mconnlimit, $mtime, $mheaders, $mcondition ) = split_line1 'macro file', \%rulecolumns, $rule_commands;
+	    ( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $morigdest, $mrate, $muser, $mmark, $mconnlimit, $mtime, $mheaders, $mcondition, $mhelper ) = split_line1 'macro file', \%rulecolumns, $rule_commands;
 	}

 	fatal_error 'TARGET must be specified' if $mtarget eq '-';
@@ -1590,7 +1594,7 @@ sub process_macro ( $$$$$$$$$$$$$$$$$$ ) {

 	my $actiontype = $targets{$action} || find_macro( $action );

-	fatal_error "Invalid Action ($mtarget) in macro" unless $actiontype & ( ACTION +  STANDARD + NATRULE + MACRO + CHAIN );
+	fatal_error( "Invalid Action ($mtarget) in macro", $actiontype ) unless $actiontype & ( ACTION + STANDARD + NATRULE + MACRO + CHAIN );

 	if ( $msource ) {
 	    if ( $msource eq '-' ) {
@@ -1635,6 +1639,7 @@ sub process_macro ( $$$$$$$$$$$$$$$$$$ ) {
 				    merge_macro_column( $mtime,      $time ),
 				    merge_macro_column( $mheaders,   $headers ),
 				    merge_macro_column( $mcondition, $condition ),
+				    merge_macro_column( $mhelper,    $helper ),
 				    $wildcard
 				   );

@@ -1667,7 +1672,7 @@ sub verify_audit($;$$) {
 # Similarly, if a new action tuple is encountered, this function is called recursively for each rule in the action
 # body. In this latter case, a reference to the tuple's chain is passed in the first ($chainref) argument.
 #
-sub process_rule1 ( $$$$$$$$$$$$$$$$$ ) {
+sub process_rule1 ( $$$$$$$$$$$$$$$$$$ ) {
    my ( $chainref,   #reference to Action Chain if we are being called from process_action(); undef otherwise
 	 $target,
 	 $current_param,
@@ -1684,6 +1689,7 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$$ ) {
 	 $time,
 	 $headers,
 	 $condition,
+	 $helper,
 	 $wildcard ) = @_;

    my ( $action, $loglevel)    = split_action $target;
@@ -1735,6 +1741,7 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$$ ) {
 				       $time,
 				       $headers,
 				       $condition,
+				       $helper,
 				       $wildcard );

 	$macro_nest_level--;
@@ -1776,12 +1783,13 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$$ ) {
 	    #
 	    process_action( $ref );
 	    #
-	    # Processing the action may determine that the action or one of it's dependents does NAT, so:
+	    # Processing the action may determine that the action or one of it's dependents does NAT or HELPER, so:
 	    #
 	    #    - Refresh $actiontype
-	    #    - Create the associate nat table chain if appropriate.
+	    #    - Create the associated nat and/or table chain if appropriate.
 	    #
 	    ensure_chain( 'nat', $ref->{name} ) if ( $actiontype = $targets{$basictarget} ) & NATRULE;
+	    ensure_chain( 'raw', $ref->{name} ) if ( $actiontype & HELPER );
 	}

 	$action = $basictarget; # Remove params, if any, from $action.
@@ -1796,6 +1804,10 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$$ ) {
 	$targets{$inaction} |= NATRULE if $inaction;
 	fatal_error "NAT rules are only allowed in the NEW section" unless $section eq 'NEW';
    }
+
+    if ( $actiontype & HELPER ) {
+	fatal_error "HELPER rules are only allowed in the NEW section" unless $section eq 'NEW';
+    }
    #
    # Take care of irregular syntax and targets
    #
@@ -1807,7 +1819,13 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$$ ) {
 	$bt =~ s/[-+!]$//;

 	my %functions =
-	    ( ACCEPT => sub() { $action = 'RETURN' if $blacklist; } ,
+	    ( ACCEPT => sub() { 
+		  if ( $blacklist ) {
+		      $action = 'RETURN';
+		  } elsif ( $helper ne '-' ) {
+		      $actiontype |= HELPER if $section eq 'NEW';
+		  }
+	      } ,
 	      
 	      REDIRECT => sub () {
 		  my $z = $actiontype & NATONLY ? '' : firewall_zone;
@@ -1832,12 +1850,19 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$$ ) {
 	      COUNT => sub { $action = ''; } ,

 	      LOG => sub { fatal_error 'LOG requires a log level' unless supplied $loglevel; } ,
+
+	      HELPER => sub { 
+		  fatal_error "HELPER requires require that the helper be specified in the HELPER column" if $helper eq '-';
+		  fatal_error "HELPER rules may only appear in the NEW section" unless $section eq 'NEW';
+		  $action = ''; } ,
 	    );

 	my $function = $functions{ $bt };

 	if ( $function ) {
 	    $function->();
+	} elsif ( $actiontype & NATRULE && $helper ne '-' ) {
+	    $actiontype |= HELPER;
 	} elsif ( $actiontype & SET ) {
 	    my %xlate = ( ADD => 'add-set' , DEL => 'del-set' );

@@ -2004,6 +2029,18 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$$ ) {
 		      do_headers( $headers ) ,
 		      do_condition( $condition ) ,
 		    );
+    } elsif ( $section eq 'RELATED' ) {
+	$rule = join( '',
+		      do_proto($proto, $ports, $sports),
+		      do_ratelimit( $ratelimit, $basictarget ) ,
+		      do_user( $user ) ,
+		      do_test( $mark , $globals{TC_MASK} ) ,
+		      do_connlimit( $connlimit ),
+		      do_time( $time ) ,
+		      do_headers( $headers ) ,
+		      do_condition( $condition ) ,
+		      do_helper( $helper ) ,
+		    );
    } else {
 	$rule = join( '',
 		      do_proto($proto, $ports, $sports),
@@ -2027,8 +2064,26 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$$ ) {
 	fatal_error "$basictarget rules are not allowed in the $section SECTION" if $actiontype & ( NATRULE | NONAT );
 	$rule .= "$globals{STATEMATCH} $section " unless $section eq 'ALL' || $blacklist;
    }
-
    #
+    # Generate CT rules(s), if any
+    #
+    if ( $actiontype & HELPER ) {
+	handle_helper_rule( $helper,
+			    $source,
+			    $origdest ? $origdest : $dest,
+			    $proto,
+			    $ports,
+			    $sports,
+			    $sourceref,
+			    ( $actiontype & ACTION ) ? $usedactions{$normalized_target}->{name} : '',
+			    $inaction ? $chain : '' ,
+			    $user ,
+			    $rule ,
+			  );
+
+	$targets{$inaction} |= HELPER if $inaction; 
+    }
+
    # Generate NAT rule(s), if any
    #
    if ( $actiontype & NATRULE ) {
@@ -2049,8 +2104,9 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$$ ) {
 				     $rule,
 				     $source,
 				     ( $actiontype & ACTION ) ? '' : $loglevel,
-				     $log_action
-				   );		 
+				     $log_action,
+				   );
+
 	#
 	# After NAT:
 	#   - the destination port will be the server port ($ports) -- we did that above
@@ -2069,6 +2125,7 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$$ ) {
 	    $loglevel = '';
 	    $action   = 'ACCEPT';
 	    $origdest = ALLIP if  $origdest =~ /[+]/;
+	    $helper   = '-';
 	}
    } elsif ( $actiontype & NONAT ) {
 	#
@@ -2224,7 +2281,7 @@ sub build_zone_list( $$$\$\$ ) {
 # Process a Record in the rules file
 #
 sub process_rule ( ) {
-    my ( $target, $source, $dest, $protos, $ports, $sports, $origdest, $ratelimit, $user, $mark, $connlimit, $time, $headers, $condition )
+    my ( $target, $source, $dest, $protos, $ports, $sports, $origdest, $ratelimit, $users, $mark, $connlimit, $time, $headers, $condition, $helper )
 	= split_line1 'rules file', \%rulecolumns, $rule_commands;

    fatal_error 'ACTION must be specified' if $target eq '-';
@@ -2250,6 +2307,7 @@ sub process_rule ( ) {
    my @source    = build_zone_list ( $fw, $source, 'SOURCE', $intrazone, $wild );
    my @dest      = build_zone_list ( $fw, $dest,   'DEST'  , $intrazone, $wild );
    my @protos    = split_list1 $protos, 'Protocol';
+    my @users     = split_list1 $users, 'USER/GROUP';
    my $generated = 0;

    fatal_error "Invalid or missing ACTION ($target)" unless defined $action;
@@ -2265,23 +2323,26 @@ sub process_rule ( ) {
 	    $destzone = $action =~ /^REDIRECT/ ? $fw : '' unless defined_zone $destzone;
 	    if ( ! $wild || $intrazone || ( $sourcezone ne $destzone ) ) {
 		for my $proto ( @protos ) {
-		    $generated |= process_rule1( undef,
-						 $target,
-						 '',
-						 $source,
-						 $dest,
-						 $proto,
-						 $ports,
-						 $sports,
-						 $origdest,
-						 $ratelimit,
-						 $user,
-						 $mark,
-						 $connlimit,
-						 $time,
-						 $headers,
-						 $condition,
-						 $wild );
+		    for my $user ( @users ) {
+			$generated |= process_rule1( undef,
+						     $target,
+						     '',
+						     $source,
+						     $dest,
+						     $proto,
+						     $ports,
+						     $sports,
+						     $origdest,
+						     $ratelimit,
+						     $user,
+						     $mark,
+						     $connlimit,
+						     $time,
+						     $headers,
+						     $condition,
+						     $helper,
+						     $wild );
+		    }
 		}
 	    }
 	}
@@ -2305,48 +2366,49 @@ sub classic_blacklist() {
    my $fw       = firewall_zone;
    my @zones    = off_firewall_zones;
    my @vservers = vserver_zones;
-    my @state = $config{BLACKLISTNEWONLY} ? $globals{UNTRACKED} ? state_imatch 'NEW,INVALID,UNTRACKED' : state_imatch 'NEW,INVALID' : ();
+    my @state = $config{BLACKLISTNEWONLY} ? have_capability( 'RAW_TABLE' ) ? state_imatch 'NEW,INVALID,UNTRACKED' : state_imatch 'NEW,INVALID' : ();
    my $result;

    for my $zone ( @zones ) {
 	my $zoneref = find_zone( $zone );
 	my $simple  =  @zones <= 2 && ! $zoneref->{complex};

-	if ( $zoneref->{options}{in}{blacklist} ) {
-	    my $blackref = $filter_table->{blacklst};
-	    add_ijump ensure_rules_chain( rules_chain( $zone, $_ ) ) , j => $blackref , @state for firewall_zone, @vservers;
+	if ( my $blackref = $filter_table->{blacklst} ) {
+	    if ( $zoneref->{options}{in}{blacklist} ) {
+		add_ijump ensure_rules_chain( rules_chain( $zone, $_ ) ) , j => $blackref , @state for firewall_zone, @vservers;

-	    if ( $simple ) {
-		#
-		# We won't create a zone forwarding chain for this zone so we must add blacklisting jumps to the rules chains
-		#
-		for my $zone1 ( @zones ) {
-		    my $ruleschain    = rules_chain( $zone, $zone1 );
+		if ( $simple ) {
+		    #
+		    # We won't create a zone forwarding chain for this zone so we must add blacklisting jumps to the rules chains
+		    #
+		    for my $zone1 ( @zones ) {
+			my $ruleschain    = rules_chain( $zone, $zone1 );
+			my $ruleschainref = $filter_table->{$ruleschain};
+
+			if ( $zone ne $zone1 || intrazone_allowed( $zone, $zoneref ) ) {
+			    add_ijump( ensure_rules_chain( $ruleschain ), j => $blackref, @state );
+			}
+		    }
+		}
+
+		$result = 1;
+	    }
+
+	    if ( $zoneref->{options}{out}{blacklist} ) {
+		$blackref = $filter_table->{blackout};
+		add_ijump ensure_rules_chain( rules_chain( firewall_zone, $zone ) ) , j => $blackref , @state;
+
+		for my $zone1 ( @zones, @vservers ) {
+		    my $ruleschain    = rules_chain( $zone1, $zone );
 		    my $ruleschainref = $filter_table->{$ruleschain};

-		    if ( $zone ne $zone1 || intrazone_allowed( $zone, $zoneref ) ) {
+		    if ( ( $zone ne $zone1 || intrazone_allowed( $zone, $zoneref ) ) ) {
 			add_ijump( ensure_rules_chain( $ruleschain ), j => $blackref, @state );
 		    }
 		}
+
+		$result = 1;
 	    }
-
-	    $result = 1;
-	}
-
-	if ( $zoneref->{options}{out}{blacklist} ) {
-	    my $blackref = $filter_table->{blackout};
-	    add_ijump ensure_rules_chain( rules_chain( firewall_zone, $zone ) ) , j => $blackref , @state;
-
-	    for my $zone1 ( @zones, @vservers ) {
-		my $ruleschain    = rules_chain( $zone1, $zone );
-		my $ruleschainref = $filter_table->{$ruleschain};
-
-		if ( ( $zone ne $zone1 || intrazone_allowed( $zone, $zoneref ) ) ) {
-		    add_ijump( ensure_rules_chain( $ruleschain ), j => $blackref, @state );
-		}
-	    }
-
-	    $result = 1;
 	}

 	unless ( $simple ) {
@@ -2355,7 +2417,7 @@ sub classic_blacklist() {
 	    #
 	    my $frwd_ref = new_standard_chain zone_forward_chain( $zone );

-	    add_ijump( $frwd_ref , j => $filter_table->{blacklst}, @state ) if $zoneref->{options}{in}{blacklist};
+	    add_ijump( $frwd_ref , j => $filter_table->{blacklst}, @state ) if $filter_table->{blacklst} && $zoneref->{options}{in}{blacklist};
 	}
    }

@@ -2402,6 +2464,8 @@ sub process_rules( $ ) {
 		   );

 	process_rule while read_a_line( NORMAL_READ );
+
+	clear_comment;
    }

    $section = '';
--- a/Shorewall/Perl/Shorewall/Tc.pm
+++ b/Shorewall/Perl/Shorewall/Tc.pm
@@ -372,7 +372,11 @@ sub process_tc_rule( ) {

 					  if ( supplied $ip ) {
 					      if ( $family == F_IPV6 ) {
-						  $ip = $1 if $ip =~ /^\[(.+)\]$/ || $ip =~ /^<(.+)>$/;
+						  if ( $ip =~ /^\[(.+)\]$/ || $ip =~ /^<(.+)>$/ ) {
+						      $ip = $1;
+						  } elsif ( $ip =~ /^\[(.+)\]\/(\d+)$/ ) {
+						      $ip = join( $1, $2 );
+						  }
 					      }

 					      validate_address $ip, 1;
@@ -384,15 +388,21 @@ sub process_tc_rule( ) {
 		       TTL => sub() {
 			                  fatal_error "TTL is not supported in IPv6 - use HL instead" if $family == F_IPV6;
 					  fatal_error "Invalid TTL specification( $cmd/$rest )" if $rest;
-					  fatal_error "Chain designator $designator not allowed with TTL" if $designator && ! ( $designator eq 'F' );
-
 					  $chain = 'tcfor';

-					  $cmd =~ /^TTL\(([-+]?\d+)\)$/;
+					  if ( $designator ) {
+					      if ( $designator eq 'P' ) {
+						  $chain = 'tcpre';
+					      } else {
+						  fatal_error "Chain designator $designator not allowed with TTL" if $designator ne 'F';
+					      }
+					  }
+
+					  $cmd =~ /^TTL\(([-+]?(\d+))\)$/;

 					  my $param =  $1;

-					  fatal_error "Invalid TTL specification( $cmd )" unless $param && ( $param = abs $param ) < 256;
+					  fatal_error "Invalid TTL specification( $cmd )" unless supplied( $1 ) && ( $1 eq $2 || $2 != 0 ) && ( $param = abs $param ) < 256;

 					  if ( $1 =~ /^\+/ ) {
 					      $target .= " --ttl-inc $param";
@@ -405,15 +415,22 @@ sub process_tc_rule( ) {
 		       HL => sub() {
 			                  fatal_error "HL is not supported in IPv4 - use TTL instead" if $family == F_IPV4;
 					  fatal_error "Invalid HL specification( $cmd/$rest )" if $rest;
-					  fatal_error "Chain designator $designator not allowed with HL" if $designator && ! ( $designator eq 'F' );
-
 					  $chain = 'tcfor';

-					  $cmd =~ /^HL\(([-+]?\d+)\)$/;
+
+					  if ( $designator ) {
+					      if ( $designator eq 'P' ) {
+						  $chain = 'tcpre';
+					      } else {
+						  fatal_error "Chain designator $designator not allowed with HL" if $designator ne 'F';
+					      }
+					  }
+
+					  $cmd =~ /^HL\(([-+]?(\d+))\)$/;

 					  my $param =  $1;

-					  fatal_error "Invalid HL specification( $cmd )" unless $param && ( $param = abs $param ) < 256;
+					  fatal_error "Invalid HL specification( $cmd )" unless supplied( $1 ) && ( $1 eq $2 || $2 != 0 ) && ( $param = abs $param ) < 256;

 					  if ( $1 =~ /^\+/ ) {
 					      $target .= " --hl-inc $param";
@@ -820,8 +837,9 @@ sub process_simple_device() {
    }

    for ( my $i = 1; $i <= 3; $i++ ) {
+	my $prio = 16 | $i;
 	emit "run_tc qdisc add dev $physical parent $number:$i handle ${number}${i}: sfq quantum 1875 limit 127 perturb 10";
-	emit "run_tc filter add dev $physical protocol all prio 2 parent $number: handle $i fw classid $number:$i";
+	emit "run_tc filter add dev $physical protocol all prio $prio parent $number: handle $i fw classid $number:$i";
 	emit "run_tc filter add dev $physical protocol all prio 1 parent ${number}$i: handle ${number}${i} flow hash keys $type divisor 1024" if $type ne '-' && have_capability 'FLOW_FILTER';
 	emit '';
    }
@@ -969,6 +987,7 @@ sub validate_tc_device( ) {
 			    mtu           => $mtu,
 			    mpu           => $mpu,
 			    tsize         => $tsize,
+			    filterpri     => 0,
 			  } ,

    push @tcdevices, $device;
@@ -1043,6 +1062,16 @@ my %validredoptions = ( min         => RED_INTEGER,
 			ecn         => RED_NONE,
 		      );

+sub validate_filter_priority( $$ ) {
+    my ( $priority, $kind ) = @_;
+
+    my $pri = numeric_value( $priority );
+
+    fatal_error "Invalid $kind priority ($priority)" unless defined $pri && $pri > 0 && $pri <= 65535;
+
+    $pri;
+}
+
 sub validate_tc_class( ) {
    my ( $devclass, $mark, $rate, $ceil, $prio, $options ) =
 	split_line 'tcclasses file', { interface => 0, mark => 1, rate => 2, ceil => 3, prio => 4, options => 5 };
@@ -1096,11 +1125,26 @@ sub validate_tc_class( ) {

    my $tcref = $tcclasses{$device};

-    my $markval = 0;
+    if ( $devref->{qdisc} eq 'htb' ) {
+	fatal_error "Invalid PRIO ($prio)" unless defined numeric_value $prio;
+    }
+
+    my $markval  = 0;
+    my $markprio;

    if ( $mark ne '-' ) {
 	fatal_error "MARK may not be specified when TC_BITS=0" unless $config{TC_BITS};

+	( $mark, my $priority ) = split/:/, $mark, 2;
+
+	if ( supplied $priority ) {
+	    $markprio = validate_filter_priority( $priority, 'mark' );
+	} else {
+	    fatal_error "Missing mark priority" if $prio eq '-';
+	    $markprio =  ( $prio << 8 ) | 20;
+	    progress_message2 "   Priority of the $device packet mark $mark filter is $markprio";
+	}
+
 	$markval = numeric_value( $mark );
 	fatal_error "Invalid MARK ($markval)" unless defined $markval;

@@ -1169,16 +1213,15 @@ sub validate_tc_class( ) {
 	warning_message "Total RATE of classes ($devref->{guarantee}kbits) exceeds OUT-BANDWIDTH (${full}kbits)" if ( $devref->{guarantee} += $rate ) > $full;
    }

-    fatal_error "Invalid PRIO ($prio)" unless defined numeric_value $prio;
-
    $tcref->{$classnumber} = { tos       => [] ,
 			       rate      => $rate ,
 			       umax      => $umax ,
 			       dmax      => $dmax ,
 			       ceiling   => $ceil   = ( supplied $ceil   ? convert_rate( $ceilmax, $ceil,   'CEIL'  , $ceilname ) : 0 ),
 			       lsceil    => $lsceil = ( $lsceil          ? convert_rate( $ceilmax, $lsceil, 'LSCEIL', $ceilname ) : 0 ),
-			       priority  => $prio eq '-' ? 1 : $prio ,
+			       priority  => $prio ,
 			       mark      => $markval ,
+			       markprio  => $markprio ,
 			       flow      => '' ,
 			       pfifo     => 0,
 			       occurs    => 1,
@@ -1196,25 +1239,47 @@ sub validate_tc_class( ) {

    unless ( $options eq '-' ) {
 	for my $option ( split_list1 "\L$options", 'option' ) {
-	    my $optval = $tosoptions{$option};
+	    my $priority;
+	    my $optval;

-	    $option = "tos=$optval" if $optval;
+	    ( $option, my $pri ) =  split /:/, $option, 2;
+
+	    if ( $option =~ /^tos=(.+)/ || ( $optval = $tosoptions{$option} ) ) {
+
+		if ( supplied $pri ) {
+		    $priority = validate_filter_priority( $pri, 'mark' );
+		} else {
+		    fatal_error "Missing TOS priority" if $prio eq '-';
+		    $priority = ( $prio << 8 ) | 15;
+		    progress_message2 "   Priority of the $device $option filter is $priority";
+		}
+
+		$option = "tos=$optval" if $optval;
+	    } elsif ( supplied $pri ) {
+		$option = join ':', $option, $pri;
+	    }

 	    if ( $option eq 'default' ) {
 		fatal_error "Only one default class may be specified for device $device" if $devref->{default};
 		fatal_error "The $option option is not valid with 'occurs" if $tcref->{occurs} > 1;
 		$devref->{default} = $classnumber;
-	    } elsif ( $option eq 'tcp-ack' ) {
+	    } elsif ( $option =~ /tcp-ack(:(\d+|0x[0-0a-fA-F]))?$/ ) {
 		fatal_error "The $option option is not valid with 'occurs" if $tcref->{occurs} > 1;
-		$tcref->{tcp_ack} = 1;
+		if ( $1 ) {
+		    $tcref->{tcp_ack} = validate_filter_priority( $2, 'tcp-ack' );
+		} else {
+		    fatal_error "Missing tcp-ack priority" if $prio eq '-';
+		    my $ackpri = $tcref->{tcp_ack} =  ( $prio << 8 ) | 10;
+		    progress_message2 "   Priority of the $device tcp-ack filter is $ackpri";
+		}
 	    } elsif ( $option =~ /^tos=0x[0-9a-f]{2}$/ ) {
 		fatal_error "The $option option is not valid with 'occurs" if $tcref->{occurs} > 1;
 		( undef, $option ) = split /=/, $option;
-		push @{$tcref->{tos}}, "$option/0xff";
+		push @{$tcref->{tos}}, "$option/0xff:$priority";
 	    } elsif ( $option =~ /^tos=0x[0-9a-f]{2}\/0x[0-9a-f]{2}$/ ) {
 		fatal_error "The $option option is not valid with 'occurs" if $tcref->{occurs} > 1;
 		( undef, $option ) = split /=/, $option;
-		push @{$tcref->{tos}}, $option;
+		push @{$tcref->{tos}}, "$option:$priority";
 	    } elsif ( $option =~ /^flow=(.*)$/ ) {
 		fatal_error "The 'flow' option is not allowed with 'pfifo'" if $tcref->{pfifo};
 		fatal_error "The 'flow' option is not allowed with 'red'"   if $tcref->{red};
@@ -1319,6 +1384,7 @@ sub validate_tc_class( ) {
 					       ceiling  => $tcref->{ceiling} ,
 					       priority => $tcref->{priority} ,
 					       mark     => 0 ,
+					       markprio => $markprio ,
 					       flow     => $tcref->{flow} ,
 					       pfifo    => $tcref->{pfifo},
 					       occurs   => 0,
@@ -1340,7 +1406,7 @@ my %validlengths = ( 32 => '0xffe0', 64 => '0xffc0', 128 => '0xff80', 256 => '0x
 #
 sub process_tc_filter() {

-    my ( $devclass, $source, $dest , $proto, $portlist , $sportlist, $tos, $length ) = split_line 'tcfilters file', { class => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5, tos => 6, length => 7 };
+    my ( $devclass, $source, $dest , $proto, $portlist , $sportlist, $tos, $length, $priority ) = split_line 'tcfilters file', { class => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5, tos => 6, length => 7 , priority => 8 };

    fatal_error 'CLASS must be specified' if $devclass eq '-';

@@ -1350,7 +1416,7 @@ sub process_tc_filter() {

    fatal_error "Invalid INTERFACE:CLASS ($devclass)" if defined $rest || ! ($device && $class );

-    my ( $ip, $ip32, $prio , $lo ) = $family == F_IPV4 ? ('ip', 'ip', 10, 2 ) : ('ipv6', 'ip6', 11 , 4 );
+    my ( $ip, $ip32, $lo ) = $family == F_IPV4 ? ('ip', 'ip', 2 ) : ('ipv6', 'ip6', 4 );

    my $devref;

@@ -1360,6 +1426,18 @@ sub process_tc_filter() {
 	( $device , $devref ) = dev_by_number( $device );
    }

+    my ( $prio, $filterpri ) = ( undef, $devref->{filterpri} );
+
+    if ( $priority eq '-' ) {
+	$prio = ++$filterpri;
+	fatal_error "Filter priority overflow" if $prio > 65535;
+    } else {
+	$prio = validate_filter_priority( $priority, 'filter' );
+	$filterpri = $prio if $prio > $filterpri;
+    }
+
+    $devref->{filterpri} = $filterpri;
+
    my $devnum = in_hexp $devref->{number};

    my $tcref = $tcclasses{$device};
@@ -1886,7 +1964,6 @@ sub process_traffic_shaping() {

 		$classids{$classid}=$devname;

-		my $priority = $tcref->{priority} << 8;
 		my $parent   = in_hexp $tcref->{parent};

 		emit ( "[ \$${dev}_mtu -gt $quantum ] && quantum=\$${dev}_mtu || quantum=$quantum" );
@@ -1945,22 +2022,23 @@ sub process_traffic_shaping() {
 		# add filters
 		#
 		unless ( $mark eq '-' ) {
-		    emit "run_tc filter add dev $device protocol all parent $devicenumber:0 prio " . ( $priority | 20 ) . " handle $mark fw classid $classid" if $tcref->{occurs} == 1;
+		    emit "run_tc filter add dev $device protocol all parent $devicenumber:0 prio $tcref->{markprio} handle $mark fw classid $classid" if $tcref->{occurs} == 1;
 		}

 		emit "run_tc filter add dev $device protocol all prio 1 parent $sfqinhex: handle $classnum flow hash keys $tcref->{flow} divisor 1024" if $tcref->{flow};
 		#
 		# options
 		#
-		emit( "run_tc filter add dev $device parent $devicenumber:0 protocol ip prio " . ( $priority | 10 ) . ' u32' .
+		emit( "run_tc filter add dev $device parent $devicenumber:0 protocol ip prio $tcref->{tcp_ack} u32" .
 		      "\\\n    match ip protocol 6 0xff" .
 		      "\\\n    match u8 0x05 0x0f at 0" .
 		      "\\\n    match u16 0x0000 0xffc0 at 2" .
 		      "\\\n    match u8 0x10 0xff at 33 flowid $classid" ) if $tcref->{tcp_ack};

 		for my $tospair ( @{$tcref->{tos}} ) {
+		    ( $tospair, my $priority ) = split /:/, $tospair;
 		    my ( $tos, $mask ) = split q(/), $tospair;
-		    emit "run_tc filter add dev $device parent $devicenumber:0 protocol ip prio " . ( $priority | 10 ) . " u32 match ip tos $tos $mask flowid $classid";
+		    emit "run_tc filter add dev $device parent $devicenumber:0 protocol ip prio $priority u32 match ip tos $tos $mask flowid $classid";
 		}

 		save_progress_message_short qq("   TC Class $classid defined.");
--- a/Shorewall/Perl/Shorewall/Tunnels.pm
+++ b/Shorewall/Perl/Shorewall/Tunnels.pm
@@ -61,7 +61,7 @@ sub setup_tunnels() {
 	    }
 	}

-	my @options = $globals{UNTRACKED} ? state_imatch 'NEW,UNTRACKED' : state_imatch 'NEW';
+	my @options = have_capability( 'RAW_TABLE' ) ? state_imatch 'NEW,UNTRACKED' : state_imatch 'NEW';

 	add_tunnel_rule $inchainref,  p => 50, @$source;
 	add_tunnel_rule $outchainref, p => 50, @$dest;
--- a/Shorewall/Perl/Shorewall/Zones.pm
+++ b/Shorewall/Perl/Shorewall/Zones.pm
@@ -31,66 +31,69 @@ use Shorewall::IPAddrs;
 use strict;

 our @ISA = qw(Exporter);
-our @EXPORT = qw( NOTHING
-		  NUMERIC
-		  NETWORK
-		  IPSECPROTO
-		  IPSECMODE
-		  FIREWALL
-		  VSERVER
-		  IP
-		  BPORT
-		  IPSEC
-		  NO_UPDOWN
-		  NO_SFILTER
+our @EXPORT = ( qw( NOTHING
+		    NUMERIC
+		    NETWORK
+		    IPSECPROTO
+		    IPSECMODE
+		    FIREWALL
+		    VSERVER
+		    IP
+		    BPORT
+		    IPSEC
+		    GROUP
+		    NO_UPDOWN
+		    NO_SFILTER

-		  determine_zones
-		  zone_report
-		  dump_zone_contents
-		  find_zone
-		  firewall_zone
-		  defined_zone
-		  zone_type
-		  zone_interfaces
-		  zone_mark
-		  all_zones
-		  all_parent_zones
-		  complex_zones
-		  vserver_zones
-		  off_firewall_zones
-		  non_firewall_zones
-		  single_interface
-		  chain_base
-		  validate_interfaces_file
-		  all_interfaces
-		  all_real_interfaces
-		  all_plain_interfaces
-		  all_bridges
-		  interface_number
-		  find_interface
-		  known_interface
-		  get_physical
-		  physical_name
-		  have_bridges
-		  port_to_bridge
-		  source_port_to_bridge
-		  interface_is_optional
-		  interface_is_required
-		  find_interfaces_by_option
-		  find_interfaces_by_option1
-		  get_interface_option
-		  interface_has_option
-		  set_interface_option
-		  set_interface_provider
-		  interface_zones
-		  verify_required_interfaces
-		  validate_hosts_file
-		  find_hosts_by_option
-		  find_zone_hosts_by_option
-		  find_zones_by_option
-		  all_ipsets
-		  have_ipsec
-		 );
+		    determine_zones
+		    zone_report
+		    dump_zone_contents
+		    find_zone
+		    firewall_zone
+		    defined_zone
+		    zone_type
+		    zone_interfaces
+		    zone_mark
+		    all_zones
+		    all_parent_zones
+		    complex_zones
+		    vserver_zones
+		    on_firewall_zones
+		    off_firewall_zones
+		    non_firewall_zones
+		    single_interface
+		    chain_base
+		    validate_interfaces_file
+		    all_interfaces
+		    all_real_interfaces
+		    all_plain_interfaces
+		    all_bridges
+		    interface_number
+		    find_interface
+		    known_interface
+		    get_physical
+		    physical_name
+		    have_bridges
+		    port_to_bridge
+		    source_port_to_bridge
+		    interface_is_optional
+		    interface_is_required
+		    find_interfaces_by_option
+		    find_interfaces_by_option1
+		    get_interface_option
+		    interface_has_option
+		    set_interface_option
+		    set_interface_provider
+		    interface_zones
+		    verify_required_interfaces
+		    validate_hosts_file
+		    find_hosts_by_option
+		    find_zone_hosts_by_option
+		    find_zones_by_option
+		    all_ipsets
+		    have_ipsec
+		 ),
+	      );

 our @EXPORT_OK = qw( initialize );
 our $VERSION = 'MODULEVERSION';
@@ -117,7 +120,8 @@ use constant { IN_OUT     => 1,
 #
 #     @zones contains the ordered list of zones with sub-zones appearing before their parents.
 #
-#     %zones{<zone1> => {type =>       <zone type>       FIREWALL, IP, IPSEC, BPORT;
+#     %zones{<zone1> => {name =>       <name>,
+#                        type =>       <zone type>       FIREWALL, IP, IPSEC, BPORT;
 #                        complex =>    0|1
 #                        super   =>    0|1
 #                        options =>    { in_out  => < policy match string >
@@ -531,6 +535,7 @@ sub process_zone( \$ ) {
    }

    if ( $zoneref->{options}{in_out}{blacklist} ) {
+	warning_message q(The 'blacklist' option is deprecated);
 	for ( qw/in out/ ) {
 	    unless ( $zoneref->{options}{$_}{blacklist} ) {
 		$zoneref->{options}{$_}{blacklist} = 1;
@@ -538,6 +543,10 @@ sub process_zone( \$ ) {
 		warning_message( "Redundant 'blacklist' in " . uc( $_ ) . '_OPTIONS' );
 	    }
 	}
+    } else {
+	for ( qw/in out/ ) {
+	    warning_message q(The 'blacklist' option is deprecated), last if  $zoneref->{options}{$_}{blacklist};
+	}
    }

    return $zone;
@@ -838,6 +847,10 @@ sub all_zones() {
    @zones;
 }

+sub on_firewall_zones() {
+   grep ( ( $zones{$_}{type} & ( FIREWALL | VSERVER ) )  ,  @zones );
+}
+
 sub off_firewall_zones() {
   grep ( ! ( $zones{$_}{type} & ( FIREWALL | VSERVER ) )  ,  @zones );
 }
@@ -1140,7 +1153,7 @@ sub process_interface( $$ ) {
 		    $hostoptions{broadcast} = 1;
 		} elsif ( $option eq 'sfilter' ) {
 		    $filterref = [ split_list $value, 'address' ];
-		    validate_net( $_, 1) for @{$filterref}
+		    $_ = validate_net( $_, 1) for @{$filterref}
 		} else {
 		    assert(0);
 		}
@@ -1793,6 +1806,7 @@ sub process_host( ) {
 	    } elsif ( $option eq 'norfc1918' ) {
 		warning_message "The 'norfc1918' host option is no longer supported"
 	    } elsif ( $option eq 'blacklist' ) {
+		warning_message "The 'blacklist' option is deprecated";
 		$zoneref->{options}{in}{blacklist} = 1;
 	    } elsif ( $option =~ /^mss=(\d+)$/ ) {
 		fatal_error "Invalid mss ($1)" unless $1 >= 500;
--- a/Shorewall/Perl/compiler.pl
+++ b/Shorewall/Perl/compiler.pl
@@ -37,7 +37,8 @@
 #         --log_verbosity=<number>    # Log Verbosity range -1 to 2
 #         --family=<number>           # IP family; 4 = IPv4 (default), 6 = IPv6
 #         --preview                   # Preview the ruleset.
-#         --shorewallrc=<path>        # Path to shorewallrc file.
+#         --shorewallrc=<path>        # Path to global shorewallrc file.
+#         --shorewallrc1=<path>       # Path to export shorewallrc file.
 #         --config_path=<path-list>   # Search path for config files
 #
 use strict;
@@ -67,6 +68,7 @@ sub usage( $ ) {
    [ --update ]
    [ --convert ]
    [ --shorewallrc=<pathname> ]
+    [ --shorewallrc1=<pathname> ]
    [ --config_path=<path-list> ]
 ';

@@ -94,6 +96,7 @@ my $update        = 0;
 my $convert       = 0;
 my $config_path   = '';
 my $shorewallrc   = '';
+my $shorewallrc1  = '';

 Getopt::Long::Configure ('bundling');

@@ -126,6 +129,7 @@ my $result = GetOptions('h'               => \$help,
 			'convert'         => \$convert,
 			'config_path=s'   => \$config_path,
 			'shorewallrc=s'   => \$shorewallrc,
+			'shorewallrc1=s'  => \$shorewallrc1,
 		       );

 usage(1) unless $result && @ARGV < 2;
@@ -148,5 +152,6 @@ compiler( script          => $ARGV[0] || '',
 	  convert         => $convert,
 	  annotate        => $annotate,
 	  config_path     => $config_path,
-	  shorewallrc     => $shorewallrc
+	  shorewallrc     => $shorewallrc,
+	  shorewallrc1    => $shorewallrc1,
 	);
--- a/Shorewall/Perl/getparams
+++ b/Shorewall/Perl/getparams
@@ -25,12 +25,12 @@
 #
 #      $1 = Path name of params file
 #      $2 = $CONFIG_PATH
-#      $3 = Address family (4 o4 6)
+#      $3 = Address family (4 or 6)
 #
 if [ "$3" = 6 ]; then
-    g_program=shorewall6
+    PRODUCT=shorewall6
 else
-    g_program=shorewall
+    PRODUCT=shorewall
 fi

 #
@@ -38,11 +38,12 @@ fi
 #
 . /usr/share/shorewall/shorewallrc

+g_program=$PRODUCT
 g_libexec="$LIBEXECDIR"
-g_sharedir="$SHAREDIR"/shorewall
+g_sharedir="$SHAREDIR/shorewall"
 g_sbindir="$SBINDIR"
 g_perllib="$PERLLIBDIR"
-g_confdir="$CONFDIR"/shorewall
+g_confdir="$CONFDIR/$PRODUCT"
 g_readrc=1

 . $g_sharedir/lib.cli
--- a/Shorewall/Perl/lib.core
+++ b/Shorewall/Perl/lib.core
@@ -916,7 +916,12 @@ add_gateway() # $1 = Delta $2 = Table Number
 	delta=$1

 	if ! echo $route | fgrep -q ' nexthop '; then
-	    route=`echo $route | sed 's/via/nexthop via/'`
+	    if echo $route | fgrep -q via; then
+		route=`echo $route | sed 's/via/nexthop via/'`
+	    else
+		route="nexthop $route"
+	    fi
+
 	    dev=$(find_device $route)
 	    if [ -f ${VARDIR}/${dev}_weight ]; then
 		weight=`cat ${VARDIR}/${dev}_weight`
--- a/Shorewall/Samples/Universal/rules
+++ b/Shorewall/Samples/Universal/rules
@@ -6,8 +6,8 @@
 # The manpage is also online at
 # http://www.shorewall.net/manpages/shorewall-rules.html
 #
-###################################################################################################################################################################################
-#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME         HEADERS         SWITCH
+##############################################################################################################################################################################################
+#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME         HEADERS         SWITCH     HELPER
 #							PORT	PORT(S)		DEST		LIMIT		GROUP
 #SECTION ALL
 #SECTION ESTABLISHED
--- a/Shorewall/Samples/Universal/shorewall.conf
+++ b/Shorewall/Samples/Universal/shorewall.conf
@@ -114,7 +114,9 @@ ADD_SNAT_ALIASES=No

 ADMINISABSENTMINDED=Yes

-AUTO_COMMENT=Yes
+AUTOCOMMENT=Yes
+
+AUTOHELPERS=Yes

 AUTOMAKE=No

@@ -144,6 +146,8 @@ FASTACCEPT=Yes

 FORWARD_CLEAR_MARK=

+HELPERS=
+
 IMPLICIT_CONTINUE=No

 IPSET_WARNINGS=Yes
--- a/Shorewall/Samples/one-interface/rules
+++ b/Shorewall/Samples/one-interface/rules
@@ -10,8 +10,8 @@
 # See the file README.txt for further details.
 #------------------------------------------------------------------------------------------------------------
 # For information on entries in this file, type "man shorewall-rules"
-######################################################################################################################################################################################
-#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME         HEADERS         SWITCH
+##############################################################################################################################################################################################
+#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME         HEADERS         SWITCH     HELPER
 #							PORT	PORT(S)		DEST		LIMIT		GROUP
 #SECTION ALL
 #SECTION ESTABLISHED
--- a/Shorewall/Samples/one-interface/shorewall.conf
+++ b/Shorewall/Samples/one-interface/shorewall.conf
@@ -125,7 +125,9 @@ ADD_SNAT_ALIASES=No

 ADMINISABSENTMINDED=Yes

-AUTO_COMMENT=Yes
+AUTOCOMMENT=Yes
+
+AUTOHELPERS=Yes

 AUTOMAKE=No

@@ -155,6 +157,8 @@ FASTACCEPT=No

 FORWARD_CLEAR_MARK=

+HELPERS=
+
 IMPLICIT_CONTINUE=No

 IPSET_WARNINGS=Yes
--- a/Shorewall/Samples/three-interfaces/rules
+++ b/Shorewall/Samples/three-interfaces/rules
@@ -10,8 +10,8 @@
 # See the file README.txt for further details.
 #------------------------------------------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall-rules"
-######################################################################################################################################################################################
-#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME         HEADERS         SWITCH
+##############################################################################################################################################################################################
+#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME         HEADERS         SWITCH     HELPER
 #							PORT	PORT(S)		DEST		LIMIT		GROUP
 #SECTION ALL
 #SECTION ESTABLISHED
--- a/Shorewall/Samples/three-interfaces/shorewall.conf
+++ b/Shorewall/Samples/three-interfaces/shorewall.conf
@@ -123,7 +123,9 @@ ADD_SNAT_ALIASES=No

 ADMINISABSENTMINDED=Yes

-AUTO_COMMENT=Yes
+AUTOCOMMENT=Yes
+
+AUTOHELPERS=Yes

 AUTOMAKE=No

@@ -153,6 +155,8 @@ FASTACCEPT=No

 FORWARD_CLEAR_MARK=

+HELPERS=
+
 IMPLICIT_CONTINUE=No

 IPSET_WARNINGS=Yes
--- a/Shorewall/Samples/three-interfaces/stoppedrules
+++ b/Shorewall/Samples/three-interfaces/stoppedrules
@@ -1,6 +1,6 @@
 #
-# Shorewall6 version 4.0 - Sample Routestopped File for two-interface configuration.
-# Copyright (C) 2006,2008 by the Shorewall Team
+# Shorewall version 4.5 - Sample Stoppedrules File for three-interface configuration.
+# Copyright (C) 2012 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public
@@ -9,11 +9,12 @@
 #
 # See the file README.txt for further details.
 #------------------------------------------------------------------------------
-# For information about entries in this file, type "man shorewall6-routestopped"
-#
-# See http://shorewall.net/starting_and_stopping_shorewall.htm for additional
-# information.
-#
-##############################################################################
-#INTERFACE	HOST(S)                  OPTIONS
-eth1		-
+# For information about entries in this file, type "man shorewall-stoppedrules"
+###############################################################################
+#ACTION		SOURCE		DEST		PROTO	DEST		SOURCE
+#							PORT(S)		PORT(S)
+ACCEPT		eth1		-
+ACCEPT		-		eth1
+ACCEPT		eth2		-
+ACCEPT		-		eth2
+
--- a/Shorewall/Samples/two-interfaces/rules
+++ b/Shorewall/Samples/two-interfaces/rules
@@ -10,8 +10,8 @@
 # See the file README.txt for further details.
 #------------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall-rules"
-######################################################################################################################################################################################
-#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME         HEADERS         SWITCH
+##############################################################################################################################################################################################
+#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME         HEADERS         SWITCH     HELPER
 #							PORT	PORT(S)		DEST		LIMIT		GROUP
 #SECTION ALL
 #SECTION ESTABLISHED
--- a/Shorewall/Samples/two-interfaces/shorewall.conf
+++ b/Shorewall/Samples/two-interfaces/shorewall.conf
@@ -126,7 +126,9 @@ ADD_SNAT_ALIASES=No

 ADMINISABSENTMINDED=Yes

-AUTO_COMMENT=Yes
+AUTOCOMMENT=Yes
+
+AUTOHELPERS=Yes

 AUTOMAKE=No

@@ -156,6 +158,8 @@ FASTACCEPT=No

 FORWARD_CLEAR_MARK=

+HELPERS=
+
 IMPLICIT_CONTINUE=No

 IPSET_WARNINGS=Yes
--- a/Shorewall/Samples/two-interfaces/stoppedrules
+++ b/Shorewall/Samples/two-interfaces/stoppedrules
@@ -1,6 +1,6 @@
 #
-# Shorewall version 4.0 - Sample Routestopped File for two-interface configuration.
-# Copyright (C) 2006 by the Shorewall Team
+# Shorewall version 4.5 - Sample Stoppedrules File for two-interface configuration.
+# Copyright (C) 2012 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public
@@ -9,7 +9,9 @@
 #
 # See the file README.txt for further details.
 #------------------------------------------------------------------------------
-# For information about entries in this file, type "man shorewall-routestopped"
-##############################################################################
-#INTERFACE	HOST(S)                  OPTIONS
-eth1		-
+# For information about entries in this file, type "man shorewall-stoppedrules"
+###############################################################################
+#ACTION		SOURCE		DEST		PROTO	DEST		SOURCE
+#							PORT(S)		PORT(S)
+ACCEPT		eth1		-
+ACCEPT		-		eth1
--- a/Shorewall/configfiles/blacklist
+++ b/Shorewall/configfiles/blacklist
@@ -1,11 +0,0 @@
-#
-# Shorewall version 4 - Blacklist File
-#
-# For information about entries in this file, type "man shorewall-blacklist"
-#
-# Please see http://shorewall.net/blacklisting_support.htm for additional
-# information.
-#
-###############################################################################
-#ADDRESS/SUBNET		PROTOCOL	PORT	OPTIONS
-
--- a/Shorewall/configfiles/conntrack
+++ b/Shorewall/configfiles/conntrack
@@ -0,0 +1,53 @@
+#
+# Shorewall version 4 - conntrack File
+#
+# For information about entries in this file, type "man shorewall-conntrack"
+#
+#############################################################################################
+FORMAT 2
+#ACTION			SOURCE		DESTINATION	PROTO	DEST		SOURCE	USER/
+#								PORT(S)		PORT(S)	GROUP
+?if $AUTOHELPERS && __CT_TARGET
+
+?if __AMANDA_HELPER
+CT:helper:amanda	all		-		udp	10080
+?endif
+
+?if __FTP_HELPER
+CT:helper:ftp		all		-		tcp	21
+?endif
+
+?if __H323_HELPER
+CT:helper:RAS		all		-		udp	1719
+CT:helper:Q.931		all		-		tcp	1720
+?endif
+
+?if __IRC_HELPER
+CT:helper:irc		all		-		tcp	6667
+?endif
+
+?if __NETBIOS_NS_HELPER
+CT:helper:netbios-ns	all		-		udp	137
+?endif
+
+?if __PPTP_HELPER
+CT:helper:pptp		all		-		tcp	1723
+?endif
+
+?if __SANE_HELPER
+CT:helper:sane		all		-		tcp	6566
+?endif
+
+?if __SIP_HELPER
+CT:helper:sip		all		-		udp	5060
+?endif
+
+?if __SNMP_HELPER
+CT:helper:snmp		all		-		udp	161
+?endif
+
+?if __TFTP_HELPER
+CT:helper:tftp		all		-		udp	69
+?endif
+
+?endif
--- a/Shorewall/configfiles/notrack
+++ b/Shorewall/configfiles/notrack
@@ -1,9 +0,0 @@
-#
-# Shorewall version 4 - Notrack File
-#
-# For information about entries in this file, type "man shorewall-notrack"
-#
-#####################################################################################
-FORMAT 2
-#ACTION		SOURCE		DESTINATION	PROTO	DEST		SOURCE	USER/
-#							PORT(S)		PORT(S)	GROUP
--- a/Shorewall/configfiles/routestopped
+++ b/Shorewall/configfiles/routestopped
@@ -1,6 +1,8 @@
 #
 # Shorewall version 4 - Routestopped File
 #
+# This file is deprecated in favor of the stoppedrules file
+#
 # For information about entries in this file, type "man shorewall-routestopped"
 #
 # The manpage is also online at
--- a/Shorewall/configfiles/rules
+++ b/Shorewall/configfiles/rules
@@ -6,8 +6,8 @@
 # The manpage is also online at
 # http://www.shorewall.net/manpages/shorewall-rules.html
 #
-######################################################################################################################################################################################
-#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME         HEADERS         SWITCH
+#################################################################################################################################################################################################
+#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME         HEADERS         SWITCH        HELPER
 #							PORT	PORT(S)		DEST		LIMIT		GROUP
 #SECTION ALL
 #SECTION ESTABLISHED
--- a/Shorewall/configfiles/shorewall.conf
+++ b/Shorewall/configfiles/shorewall.conf
@@ -114,7 +114,9 @@ ADD_SNAT_ALIASES=No

 ADMINISABSENTMINDED=Yes

-AUTO_COMMENT=Yes
+AUTOCOMMENT=Yes
+
+AUTOHELPERS=Yes

 AUTOMAKE=No

@@ -144,6 +146,8 @@ FASTACCEPT=No

 FORWARD_CLEAR_MARK=

+HELPERS=
+
 IMPLICIT_CONTINUE=No

 IPSET_WARNINGS=Yes
--- a/Shorewall/configfiles/stoppedrules
+++ b/Shorewall/configfiles/stoppedrules
@@ -0,0 +1,14 @@
+#
+# Shorewall version 4 - Stopped Rules File
+#
+# For information about entries in this file, type "man shorewall-stoppedrules"
+#
+# The manpage is also online at
+# http://www.shorewall.net/manpages/shorewall-stoppedrules.html
+#
+# See http://shorewall.net/starting_and_stopping_shorewall.htm for additional
+# information.
+#
+###############################################################################
+#ACTION		SOURCE			DEST		PROTO	DEST	SOURCE
+#								PORT(S)	PORT(S)
--- a/Shorewall/configfiles/tcfilters
+++ b/Shorewall/configfiles/tcfilters
@@ -5,6 +5,6 @@
 #
 # See http://shorewall.net/traffic_shaping.htm for additional information.
 #
-##############################################################################################
-#INTERFACE:	SOURCE		DEST		PROTO	DEST	SOURCE   TOS		LENGTH
+########################################################################################################
+#INTERFACE:	SOURCE		DEST		PROTO	DEST	SOURCE   TOS		LENGTH	PRIORITY
 #CLASS							PORT(S)	PORT(S)
--- a/Shorewall/init.fedora.sh
+++ b/Shorewall/init.fedora.sh
--- a/Shorewall/init.suse.sh
+++ b/Shorewall/init.suse.sh
@@ -0,0 +1,93 @@
+#!/bin/sh
+#
+#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V4.2
+#
+#     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
+#
+#     (c) 1999,2000,2001,2002,2003,2004,2005 - Tom Eastep (teastep@shorewall.net)
+#
+#	On most distributions, this file should be called /etc/init.d/shorewall.
+#
+#	Complete documentation is available at http://shorewall.net
+#
+#	This program is free software; you can redistribute it and/or modify
+#	it under the terms of Version 2 of the GNU General Public License
+#	as published by the Free Software Foundation.
+#
+#	This program is distributed in the hope that it will be useful,
+#	but WITHOUT ANY WARRANTY; without even the implied warranty of
+#	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+#	GNU General Public License for more details.
+#
+#	You should have received a copy of the GNU General Public License
+#	along with this program; if not, write to the Free Software
+#	Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+#	If an error occurs while starting or restarting the firewall, the
+#	firewall is automatically stopped.
+#
+#	Commands are:
+#
+#	   shorewall start			  Starts the firewall
+#	   shorewall restart			  Restarts the firewall
+#	   shorewall reload			  Reload the firewall
+#						  (same as restart)
+#	   shorewall stop			  Stops the firewall
+#	   shorewall status			  Displays firewall status
+#
+
+### BEGIN INIT INFO
+# Provides:          shorewall
+# Required-Start:    $network $remote_fs
+# Required-Stop:     $network $remote_fs
+# Default-Start:     2 3 5
+# Default-Stop:      0 6
+# Short-Description: Configure the firewall at boot time
+# Description:       Configure the firewall according to the rules specified in
+#                    /etc/shorewall
+### END INIT INFO
+
+################################################################################
+# Give Usage Information						       #
+################################################################################
+usage() {
+    echo "Usage: $0 start|stop|reload|restart|status" >&2
+    exit 1
+}
+
+################################################################################
+# Get startup options (override default)
+################################################################################
+OPTIONS="-v0"
+
+#
+# The installer may alter this
+#
+. /usr/share/shorewall/shorewallrc
+
+if [ -f ${SYSCONFDIR}/shorewall ]; then
+    . ${SYSCONFDIR}/shorewall
+fi
+
+export SHOREWALL_INIT_SCRIPT=1
+
+################################################################################
+# E X E C U T I O N    B E G I N S   H E R E				       #
+################################################################################
+command="$1"
+shift
+
+case "$command" in
+    start)
+	exec $SBINDIR/shorewall $OPTIONS start $STARTOPTIONS
+	;;
+    restart|reload)
+	exec $SBINDIR/shorewall $OPTIONS restart $RESTARTOPTIONS
+	;;
+    status|stop)
+	exec $SBINDIR/shorewall $OPTIONS $command
+	;;
+    *)
+	usage
+	;;
+esac
--- a/Shorewall/install.sh
+++ b/Shorewall/install.sh
@@ -193,7 +193,14 @@ else
    usage 1
 fi

-for var in SHAREDIR LIBEXECDIR PERLLIBDIR CONFDIR SBINDIR VARDIR; do
+if [ -z "${VARLIB}" ]; then
+    VARLIB=${VARDIR}
+    VARDIR=${VARLIB}/${PRODUCT}
+elif [ -z "${VARDIR}" ]; then
+    VARDIR=${VARLIB}/${PRODUCT}
+fi
+
+for var in SHAREDIR LIBEXECDIR PERLLIBDIR CONFDIR SBINDIR VARLIB VARDIR; do
    require $var
 done

@@ -371,7 +378,7 @@ mkdir -p ${DESTDIR}/${CONFDIR}/$PRODUCT
 mkdir -p ${DESTDIR}${LIBEXECDIR}/$PRODUCT
 mkdir -p ${DESTDIR}${PERLLIBDIR}/Shorewall
 mkdir -p ${DESTDIR}${SHAREDIR}/$PRODUCT/configfiles
-mkdir -p ${DESTDIR}/var/lib/$PRODUCT
+mkdir -p ${DESTDIR}${VARDIR}

 chmod 755 ${DESTDIR}${CONFDIR}/$PRODUCT
 chmod 755 ${DESTDIR}${SHAREDIR}/$PRODUCT
@@ -388,6 +395,7 @@ fi
 if [ -n "$SYSTEMD" ]; then
    mkdir -p ${DESTDIR}${SYSTEMD}
    run_install $OWNERSHIP -m 600 $PRODUCT.service ${DESTDIR}${SYSTEMD}/$PRODUCT.service
+    [ ${SBINDIR} != /sbin ] && eval sed -i \'s\|/sbin/\|${SBINDIR}/\|\' ${DESTDIR}${SYSTEMD}/$PRODUCT.service
    echo "Service file installed as ${DESTDIR}${SYSTEMD}/$PRODUCT.service"
 fi

@@ -601,14 +609,14 @@ else
    fi
 fi
 #
-# Install the Stopped Routing file
+# Install the Stopped Rules file
 #
-run_install $OWNERSHIP -m 0644 routestopped           ${DESTDIR}${SHAREDIR}/$PRODUCT/configfiles/
-run_install $OWNERSHIP -m 0644 routestopped.annotated ${DESTDIR}${SHAREDIR}/$PRODUCT/configfiles/
+run_install $OWNERSHIP -m 0644 stoppedrules           ${DESTDIR}${SHAREDIR}/$PRODUCT/configfiles/
+run_install $OWNERSHIP -m 0644 stoppedrules.annotated ${DESTDIR}${SHAREDIR}/$PRODUCT/configfiles/

-if [ -z "$SPARSE" -a ! -f ${DESTDIR}${CONFDIR}/$PRODUCT/routestopped ]; then
-    run_install $OWNERSHIP -m 0600 routestopped${suffix} ${DESTDIR}${CONFDIR}/$PRODUCT/routestopped
-    echo "Stopped Routing file installed as ${DESTDIR}${CONFDIR}/$PRODUCT/routestopped"
+if [ -z "$SPARSE" -a ! -f ${DESTDIR}${CONFDIR}/$PRODUCT/stoppedrules ]; then
+    run_install $OWNERSHIP -m 0600 stoppedrules${suffix} ${DESTDIR}${CONFDIR}/$PRODUCT/stoppedrules
+    echo "Stopped Rules file installed as ${DESTDIR}${CONFDIR}/$PRODUCT/stoppedrules"
 fi
 #
 # Install the Mac List file
@@ -634,14 +642,14 @@ if [ -f masq ]; then
    fi
 fi
 #
-# Install the Notrack file
+# Install the Conntrack file
 #
-run_install $OWNERSHIP -m 0644 notrack           ${DESTDIR}${SHAREDIR}/$PRODUCT/configfiles
-run_install $OWNERSHIP -m 0644 notrack.annotated ${DESTDIR}${SHAREDIR}/$PRODUCT/configfiles
+run_install $OWNERSHIP -m 0644 conntrack           ${DESTDIR}${SHAREDIR}/$PRODUCT/configfiles
+run_install $OWNERSHIP -m 0644 conntrack.annotated ${DESTDIR}${SHAREDIR}/$PRODUCT/configfiles

-if [ -z "$SPARSE" -a ! -f ${DESTDIR}${CONFDIR}/$PRODUCT/notrack ]; then
-    run_install $OWNERSHIP -m 0600 notrack${suffix} ${DESTDIR}${CONFDIR}/$PRODUCT/notrack
-    echo "Notrack file installed as ${DESTDIR}${CONFDIR}/$PRODUCT/notrack"
+if [ ! -f ${DESTDIR}${CONFDIR}/$PRODUCT/conntrack ]; then
+    run_install $OWNERSHIP -m 0600 conntrack${suffix} ${DESTDIR}${CONFDIR}/$PRODUCT/conntrack
+    echo "Conntrack file installed as ${DESTDIR}${CONFDIR}/$PRODUCT/conntrack"
 fi

 #
@@ -698,10 +706,6 @@ if [ -z "$SPARSE" -a ! -f ${DESTDIR}${CONFDIR}/$PRODUCT/tunnels ]; then
    echo "Tunnels file installed as ${DESTDIR}${CONFDIR}/$PRODUCT/tunnels"
 fi

-if [ -z "$SPARSE" -a ! -f ${DESTDIR}${CONFDIR}/$PRODUCT/blacklist ]; then
-    run_install $OWNERSHIP -m 0600 blacklist${suffix} ${DESTDIR}${CONFDIR}/$PRODUCT/blacklist
-    echo "Blacklist file installed as ${DESTDIR}${CONFDIR}/$PRODUCT/blacklist"
-fi
 #
 # Install the blacklist rules file
 #
@@ -974,12 +978,6 @@ fi

 cd ..

-#
-# Install the Standard Actions file
-#
-install_file actions.std ${DESTDIR}${SHAREDIR}/$PRODUCT/actions.std 0644
-echo "Standard actions file installed as ${DESTDIR}${SHAREDIR}d/$PRODUCT/actions.std"
-
 #
 # Install the  Makefiles
 #
--- a/Shorewall/lib.cli-std
+++ b/Shorewall/lib.cli-std
@@ -34,8 +34,6 @@ get_config() {

    ensure_config_path

-
-
    if [ "$1" = Yes ]; then
 	params=$(find_file params)

@@ -363,6 +361,7 @@ uptodate() {
 compiler() {
    local pc
    local shorewallrc
+    local shorewallrc1

    pc=$g_libexec/shorewall/compiler.pl

@@ -378,7 +377,7 @@ compiler() {
    #
    # Get the config from $g_shorewalldir
    #
-    [ -n "$g_shorewalldir" -a "$g_shorewalldir" != ${g_confdir} ] && get_config
+    get_config Yes

    case $COMMAND in
 	*start|try|refresh)
@@ -399,14 +398,15 @@ compiler() {
    [ "$1" = nolock ] && shift;
    shift

+    shorewallrc=${g_basedir}/shorewallrc
+    
    if [ -n "$g_export" ]; then
-	shorewallrc=$(find_file shorewallrc)
-	[ -f "$shorewallrc" ] || fatal_error "Compiling for export requires a shorewallrc file"
-    else
-	shorewallrc="${g_basedir}/shorewallrc"
+	shorewallrc1=$(find_file shorewallrc)
+	[ -f "$shorewallrc1" ] || fatal_error "Compiling for export requires a shorewallrc file"
    fi

    options="--verbose=$VERBOSITY --family=$g_family --config_path=$CONFIG_PATH --shorewallrc=${shorewallrc}"
+    [ -n "$shorewallrc1" ] && options="$options --shorewallrc1=${shorewallrc1}"
    [ -n "$STARTUP_LOG" ] && options="$options --log=$STARTUP_LOG"
    [ -n "$LOG_VERBOSITY" ] && options="$options --log_verbosity=$LOG_VERBOSITY";
    [ -n "$g_export" ] && options="$options --export"
@@ -439,6 +439,21 @@ compiler() {
    fi
 }

+#
+# Run the postcompile user exit
+#
+run_postcompile() { # $1 is the compiled script
+    local script
+
+    script=$(find_file postcompile)
+
+    if [ -f $script ]; then
+	. $script $1
+    else
+	return 0
+    fi
+}
+
 #
 # Start Command Executor
 #
@@ -459,6 +474,7 @@ start_command() {
 	    progress_message3 "Compiling..."

 	    if compiler $g_debugging $nolock compile ${VARDIR}/.start; then
+		run_postcompile ${VARDIR}/.start
 		[ -n "$nolock" ] || mutex_on
 		run_it ${VARDIR}/.start $g_debugging start
 		rc=$?
@@ -603,6 +619,7 @@ compile_command() {
 		    case $option in
 			e*)
 			    g_export=Yes
+			    g_shorewalldir='.'
 			    option=${option#e}
 			    ;;
 			p*)
@@ -641,14 +658,14 @@ compile_command() {

    case $# in
 	0)
-	    file=${VARDIR}/firewall
+	    [ -n "$g_export" ] && file=firewall || file=${VARDIR}/firewall
 	    ;;
 	1)
 	    file=$1
 	    [ -d $file ] && echo "   ERROR: $file is a directory" >&2 && exit 2;
 	    ;;
 	2)
-	    [ -n "$g_shorewalldir" ] && usage 2
+	    [ -n "$g_shorewalldir" -a -z "$g_export" ] && usage 2

 	    if [ ! -d $1 ]; then
 		if [ -e $1 ]; then
@@ -668,7 +685,7 @@ compile_command() {

    [ "x$file" = x- ] || progress_message3 "Compiling..."

-    compiler $g_debugging compile $file
+    compiler $g_debugging compile $file && run_postcompile $file
 }

 #
@@ -692,6 +709,7 @@ check_command() {
 			    ;;
 			e*)
 			    g_export=Yes
+			    g_shorewalldir='.'
 			    option=${option#e}
 			    ;;
 			p*)
@@ -731,7 +749,7 @@ check_command() {
 	0)
 	    ;;
 	1)
-	    [ -n "$g_shorewalldir" ] && usage 2
+	    [ -n "$g_shorewalldir" -a -z "$g_export" ] && usage 2

 	    if [ ! -d $1 ]; then
 		if [ -e $1 ]; then
@@ -934,6 +952,7 @@ restart_command() {
 	progress_message3 "Compiling..."

 	if compiler $g_debugging $nolock compile ${VARDIR}/.restart; then
+	    run_postcompile ${VARDIR}/.restart
 	    [ -n "$nolock" ] || mutex_on
 	    run_it ${VARDIR}/.restart $g_debugging restart
 	    rc=$?
@@ -1025,6 +1044,7 @@ refresh_command() {
    progress_message3 "Compiling..."

    if compiler $g_debugging $nolock compile ${VARDIR}/.refresh; then
+	run_postcompile ${VARDIR}/.refresh
 	[ -n "$nolock" ] || mutex_on
 	run_it ${VARDIR}/.refresh $g_debugging refresh
 	rc=$?
@@ -1139,6 +1159,8 @@ safe_commands() {
 	exit $status
    fi

+    run_postcompile ${VARDIR}/.$command
+
    case $command in
 	start)
 	    RESTOREFILE=NONE
@@ -1270,6 +1292,8 @@ try_command() {
 	exit $status
    fi

+    run_postcompile ${VARDIR}/.restart
+
    case $command in
 	start)
 	    RESTOREFILE=NONE
@@ -1628,7 +1652,9 @@ usage() # $1 = exit status
    echo "   show macros"
    echo "   show marks"
    echo "   show [ -x ] mangle|nat|raw|rawpost|routing"
+    echo "   show nfacct"
    echo "   show policies"
+    echo "   show routing"
    echo "   show tc [ device ]"
    echo "   show vardir"
    echo "   show zones"
@@ -1646,7 +1672,6 @@ compiler_command() {

    case $COMMAND in
 	compile)
-	    get_config Yes
 	    shift
 	    compile_command $@
 	    ;;
@@ -1656,7 +1681,6 @@ compiler_command() {
 	    refresh_command $@
 	    ;;
 	check)
-	    get_config Yes
 	    shift
 	    check_command $@
 	    ;;
--- a/Shorewall/manpages/shorewall-blacklist.xml
+++ b/Shorewall/manpages/shorewall-blacklist.xml
@@ -23,8 +23,10 @@
  <refsect1>
    <title>Description</title>

-    <para>The blacklist file is used to perform static blacklisting. You can
-    blacklist by source address (IP or MAC), or by application.</para>
+    <para>The blacklist file is used to perform static blacklisting by source
+    address (IP or MAC), or by application. The use of this file is deprecated
+    and beginning with Shorewall 4.5.7, the file is no longer
+    installed.</para>

    <para>The columns in the file are as follows (where the column name is
    followed by a different name in parentheses, the different name is used in
--- a/Shorewall/manpages/shorewall-conntrack.xml
+++ b/Shorewall/manpages/shorewall-conntrack.xml
@@ -3,33 +3,34 @@
 "http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
 <refentry>
  <refmeta>
-    <refentrytitle>shorewall6-notrack</refentrytitle>
+    <refentrytitle>shorewall6-conntrack</refentrytitle>

    <manvolnum>5</manvolnum>
  </refmeta>

  <refnamediv>
-    <refname>notrack</refname>
+    <refname>conntrack</refname>

-    <refpurpose>shorewall notrack file</refpurpose>
+    <refpurpose>shorewall conntrack file</refpurpose>
  </refnamediv>

  <refsynopsisdiv>
    <cmdsynopsis>
-      <command>/etc/shorewall/notrack</command>
+      <command>/etc/shorewall/conntrack</command>
    </cmdsynopsis>
  </refsynopsisdiv>

  <refsect1>
    <title>Description</title>

-    <para>The original intent of the notrack file was to exempt certain
-    traffic from Netfilter connection tracking. Traffic matching entries in
-    this file were not to be tracked.</para>
+    <para>The original intent of the <emphasis role="bold">notrack</emphasis>
+    file was to exempt certain traffic from Netfilter connection tracking.
+    Traffic matching entries in the file were not to be tracked.</para>

    <para>The role of the file was expanded in Shorewall 4.4.27 to include all
-    rules tht can be added in the Netfilter <emphasis
-    role="bold">raw</emphasis> table.</para>
+    rules that can be added in the Netfilter <emphasis
+    role="bold">raw</emphasis> table. In 4.5.7, the file's name was changed to
+    <emphasis role="bold">conntrack</emphasis>.</para>

    <para>The file supports two different column layouts: FORMAT 1 and FORMAT
    2, FORMAT 1 being the default. The two differ in that FORMAT 2 has an
@@ -45,6 +46,13 @@
    <para>where <replaceable>format</replaceable> is either <emphasis
    role="bold">1</emphasis> or <emphasis role="bold">2</emphasis>.</para>

+    <para>Comments may be attached to Netfilter rules generated from entries
+    in this file through the use of COMMENT lines. These lines begin with the
+    word COMMENT; the remainder of the line is treated as a comment which is
+    attached to subsequent rules until another COMMENT line is found or until
+    the end of the file is reached. To stop adding comments to rules, use a
+    line with only the word COMMENT.</para>
+
    <para>The columns in the file are as follows (where the column name is
    followed by a different name in parentheses, the different name is used in
    the alternate specification syntax).</para>
@@ -53,63 +61,157 @@
      <varlistentry>
        <term><emphasis role="bold">ACTION</emphasis> - {<emphasis
        role="bold">NOTRACK</emphasis>|<emphasis
-        role="bold">CT</emphasis>:<replaceable>option</replaceable>[:<replaceable>arg,...</replaceable>]}</term>
+        role="bold">CT</emphasis>:<emphasis
+        role="bold">helper</emphasis>:<replaceable>name</replaceable>[(<replaceable>arg</replaceable>=<replaceable>val</replaceable>[,...])|<emphasis
+        role="bold">CT:notrack</emphasis>}</term>

        <listitem>
          <para>This column is only present when FORMAT = 2. Values other than
          NOTRACK require <firstterm>CT Target </firstterm>support in your
          iptables and kernel.</para>

-          <para>Possible values for <replaceable>option</replaceable> and
-          <replaceable>arg</replaceable>s are:</para>
-
          <itemizedlist>
            <listitem>
-              <para><option>notrack</option> (no
-              <replaceable>arg</replaceable>)</para>
+              <para><option>NOTRACK</option> or
+              <option>CT:notrack</option></para>

-              <para>Disables connection tracking for this packet, the same as
-              if NOTRACK has been specified in this column.</para>
+              <para>Disables connection tracking for this packet.</para>
            </listitem>

            <listitem>
              <para><option>helper</option>:<replaceable>name</replaceable></para>

-              <para>Use the helper identified by the name to this connection.
-              This is more flexible than loading the conntrack helper with
-              preset ports.</para>
-            </listitem>
+              <para>Attach the helper identified by the
+              <replaceable>name</replaceable> to this connection. This is more
+              flexible than loading the conntrack helper with preset
+              ports.</para>

-            <listitem>
-              <para><option>ctevents</option>:<replaceable>event</replaceable>,...</para>
+              <para>At this writing, the available helpers are:</para>

-              <para>Only generate the specified conntrack events for this
-              connection. Possible event types are: <emphasis
-              role="bold">new</emphasis>, <emphasis
-              role="bold">related</emphasis>, <emphasis
-              role="bold">destroy</emphasis>, <emphasis
-              role="bold">reply</emphasis>, <emphasis
-              role="bold">assured</emphasis>, <emphasis
-              role="bold">protoinfo</emphasis>, <emphasis
-              role="bold">helper</emphasis>, <emphasis
-              role="bold">mark</emphasis> (this is connection mark, not packet
-              mark), <emphasis role="bold">natseqinfo</emphasis>, and
-              <emphasis role="bold">secmark</emphasis>.</para>
-            </listitem>
+              <variablelist>
+                <varlistentry>
+                  <term>amanda</term>

-            <listitem>
-              <para><option>expevents</option><option>:new</option></para>
+                  <listitem>
+                    <para>Requires that the amanda netfilter helper is
+                    present.</para>
+                  </listitem>
+                </varlistentry>

-              <para>Only generate a new expectation events for this
-              connection.</para>
-            </listitem>
+                <varlistentry>
+                  <term>ftp</term>

-            <listitem>
-              <para><option>zone</option>:<replaceable>id</replaceable></para>
+                  <listitem>
+                    <para>Requires that the FTP netfilter helper is
+                    present.</para>
+                  </listitem>
+                </varlistentry>

-              <para>Assign this packet to zone <replaceable>id</replaceable>
-              and only have lookups done in that zone. By default, packets
-              have zone 0.</para>
+                <varlistentry>
+                  <term>irc</term>
+
+                  <listitem>
+                    <para>Requires that the IRC netfilter helper is
+                    present.</para>
+                  </listitem>
+                </varlistentry>
+
+                <varlistentry>
+                  <term>netbios-ns</term>
+
+                  <listitem>
+                    <para>Requires that the netbios_ns (sic) helper is
+                    present.</para>
+                  </listitem>
+                </varlistentry>
+
+                <varlistentry>
+                  <term>RAS and Q.931</term>
+
+                  <listitem>
+                    <para>These require that the H323 netfilter helper is
+                    present.</para>
+                  </listitem>
+                </varlistentry>
+
+                <varlistentry>
+                  <term>pptp</term>
+
+                  <listitem>
+                    <para>Requires that the pptp netfilter helper is
+                    present.</para>
+                  </listitem>
+                </varlistentry>
+
+                <varlistentry>
+                  <term>sane</term>
+
+                  <listitem>
+                    <para>Requires that the SANE netfilter helper is
+                    present.</para>
+                  </listitem>
+                </varlistentry>
+
+                <varlistentry>
+                  <term>sip</term>
+
+                  <listitem>
+                    <para>Requires that the SIP netfilter helper is
+                    present.</para>
+                  </listitem>
+                </varlistentry>
+
+                <varlistentry>
+                  <term>snmp</term>
+
+                  <listitem>
+                    <para>Requires that the SNMP netfilter helper is
+                    present.</para>
+                  </listitem>
+                </varlistentry>
+
+                <varlistentry>
+                  <term>tftp</term>
+
+                  <listitem>
+                    <para>Requires that the TFTP netfilter helper is
+                    present.</para>
+                  </listitem>
+                </varlistentry>
+              </variablelist>
+
+              <para>May be followed by an option list of
+              <replaceable>arg</replaceable>=<replaceable>val</replaceable>
+              pairs in parentheses:</para>
+
+              <itemizedlist>
+                <listitem>
+                  <para><option>ctevents</option>=<replaceable>event</replaceable>[,...]</para>
+
+                  <para>Only generate the specified conntrack events for this
+                  connection. Possible event types are: <emphasis
+                  role="bold">new</emphasis>, <emphasis
+                  role="bold">related</emphasis>, <emphasis
+                  role="bold">destroy</emphasis>, <emphasis
+                  role="bold">reply</emphasis>, <emphasis
+                  role="bold">assured</emphasis>, <emphasis
+                  role="bold">protoinfo</emphasis>, <emphasis
+                  role="bold">helper</emphasis>, <emphasis
+                  role="bold">mark</emphasis> (this is connection mark, not
+                  packet mark), <emphasis role="bold">natseqinfo</emphasis>,
+                  and <emphasis role="bold">secmark</emphasis>. If more than
+                  one <emphasis>event</emphasis> is listed, the
+                  <replaceable>event</replaceable> list must be enclosed in
+                  parentheses (e.g., ctevents=(new,related)).</para>
+                </listitem>
+
+                <listitem>
+                  <para><option>expevents</option><option>=new</option></para>
+
+                  <para>Only generate a <emphasis role="bold">new</emphasis>
+                  expectation events for this connection.</para>
+                </listitem>
+              </itemizedlist>
            </listitem>
          </itemizedlist>

@@ -130,13 +232,9 @@
          url="shorewall-exclusion.html">shorewall-exclusion</ulink>
          (5)).</para>

-          <para>Comments may be attached to Netfilter rules generated from
-          entries in this file through the use of COMMENT lines. These lines
-          begin with the word COMMENT; the remainder of the line is treated as
-          a comment which is attached to subsequent rules until another
-          COMMENT line is found or until the end of the file is reached. To
-          stop adding comments to rules, use a line with only the word
-          COMMENT.</para>
+          <para>Beginning with Shorewall 4.5.7, <option>all</option> can be
+          used as the <replaceable>zone</replaceable> name to mean
+          <firstterm>all zones</firstterm>.</para>
        </listitem>
      </varlistentry>

@@ -225,6 +323,14 @@
    </variablelist>
  </refsect1>

+  <refsect1>
+    <title>EXAMPLE</title>
+
+    <programlisting>#ACTION                       SOURCE            DEST               PROTO            DEST              SOURCE              USER/GROUP
+#                                                                                   PORT(S)           PORT(S)
+CT:helper:ftp(expevents=new)  fw                -                  tcp              21              </programlisting>
+  </refsect1>
+
  <refsect1>
    <title>FILES</title>

--- a/Shorewall/manpages/shorewall-routestopped.xml
+++ b/Shorewall/manpages/shorewall-routestopped.xml
@@ -24,6 +24,10 @@
  <refsect1>
    <title>Description</title>

+    <para>This file is deprecated in favor of the <ulink
+    url="shorewall-stoppedrules.html">shorewall-stoppedrules</ulink>(5)
+    file.</para>
+
    <para>This file is used to define the hosts that are accessible when the
    firewall is stopped or is being stopped.</para>

--- a/Shorewall/manpages/shorewall-rules.xml
+++ b/Shorewall/manpages/shorewall-rules.xml
@@ -503,6 +503,19 @@
                rule, it is passed on to the next rule.</para>
              </listitem>
            </varlistentry>
+
+            <varlistentry>
+              <term>HELPER</term>
+
+              <listitem>
+                <para>Added in Shorewall 4.5.7. This action requires that the
+                HELPER column contains the name of the Netfilter helper to be
+                associated with connections matching this connection. May only
+                be specified in the NEW section and is useful for being able
+                to specify a helper when the applicable policy is ACCEPT. No
+                destination zone should be specified in HELPER rules.</para>
+              </listitem>
+            </varlistentry>
          </variablelist>

          <para>The <replaceable>target</replaceable> may optionally be
@@ -1084,7 +1097,7 @@
      <varlistentry>
        <term><emphasis role="bold">USER/GROUP</emphasis> (user) - [<emphasis
        role="bold">!</emphasis>][<emphasis>user-name-or-number</emphasis>][<emphasis
-        role="bold">:</emphasis><emphasis>group-name-or-number</emphasis>]</term>
+        role="bold">:</emphasis><emphasis>group-name-or-number</emphasis>][,...]</term>

        <listitem>
          <para>This optional column may only be non-empty if the SOURCE is
@@ -1095,6 +1108,9 @@
          <emphasis>user</emphasis> and/or <emphasis>group</emphasis>
          specified (or is NOT running under that id if "!" is given).</para>

+          <para>Beginning with Shorewall 4.5.8, multiple user or group
+          names/ids separated by commas may be specified.</para>
+
          <para>Examples:</para>

          <variablelist>
@@ -1351,6 +1367,54 @@
          restart</command>.</para>
        </listitem>
      </varlistentry>
+
+      <varlistentry>
+        <term><emphasis role="bold">HELPER</emphasis> - [helper]</term>
+
+        <listitem>
+          <para>Added in Shorewall 4.5.7.</para>
+
+          <para>In the NEW section, causes the named conntrack
+          <replaceable>helper</replaceable> to be associated with this
+          connection; the contents of this column are ignored unless ACTION is
+          ACCEPT*, DNAT* or REDIRECT*.</para>
+
+          <para>In the RELATED section, will only match if the related
+          connection has the named <replaceable>helper</replaceable>
+          associated with it.</para>
+
+          <para>The <replaceable>helper</replaceable> may be one of:</para>
+
+          <simplelist>
+            <member><option>amanda</option></member>
+
+            <member><option>ftp</option></member>
+
+            <member><option>irc</option></member>
+
+            <member><option>netbios-ns</option></member>
+
+            <member><option>pptp</option></member>
+
+            <member><option>Q.931</option></member>
+
+            <member><option>RAS</option></member>
+
+            <member><option>sane</option></member>
+
+            <member><option>sip</option></member>
+
+            <member><option>snmp</option></member>
+
+            <member><option>tftp</option></member>
+          </simplelist>
+
+          <para>If the HELPERS option is specified in <ulink
+          url="shorewall.conf.html">shorewall.conf</ulink>(5), then any module
+          specified in this column must be listed in the HELPERS
+          setting.</para>
+        </listitem>
+      </varlistentry>
    </variablelist>
  </refsect1>

@@ -1564,7 +1628,7 @@

          <programlisting>        #ACTION                       SOURCE           DEST           PROTO       DEST
        #                                                                         PORT(S)
-        DROP                          net:^A1,A2       fw             tcp         22</programlisting>
+        DROP                          net:^A1,A2       fw             tcp         25</programlisting>
        </listitem>
      </varlistentry>
    </variablelist>
--- a/Shorewall/manpages/shorewall-stoppedrules.xml
+++ b/Shorewall/manpages/shorewall-stoppedrules.xml
@@ -0,0 +1,162 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
+"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
+<refentry>
+  <refmeta>
+    <refentrytitle>shorewall-stoppedrules</refentrytitle>
+
+    <manvolnum>5</manvolnum>
+  </refmeta>
+
+  <refnamediv>
+    <refname>stoppedrules</refname>
+
+    <refpurpose>The Shorewall file that governs what traffic flows through the
+    firewall while it is in the 'stopped' state.</refpurpose>
+  </refnamediv>
+
+  <refsynopsisdiv>
+    <cmdsynopsis>
+      <command>/etc/shorewall/stoppedrules</command>
+    </cmdsynopsis>
+  </refsynopsisdiv>
+
+  <refsect1>
+    <title>Description</title>
+
+    <para>This file is used to define the hosts that are accessible when the
+    firewall is stopped or is being stopped.</para>
+
+    <warning>
+      <para>Changes to this file do not take effect until after the next
+      <command>shorewall start</command>, <command>shorewall
+      restart</command>, or <option>shorewall compile</option> command.</para>
+    </warning>
+
+    <para>The columns in the file are as follows (where the column name is
+    followed by a different name in parentheses, the different name is used in
+    the alternate specification syntax).</para>
+
+    <variablelist>
+      <varlistentry>
+        <term><emphasis role="bold">ACTION</emphasis> -
+        <option>ACCEPT|NOTRACK</option></term>
+
+        <listitem>
+          <para>Determines the disposition of the packet.
+          <option>ACCEPT</option> means that the packet will be accepted.
+          <option>NOTRACK</option> indicates that no conntrack entry should be
+          created for the packet. <option>NOTRACK</option> does not imply
+          <option>ACCEPT</option>.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><emphasis role="bold">SOURCE</emphasis> - [<emphasis
+        role="bold">-</emphasis>|[$FW|<replaceable>interface</replaceable>]|[{$FW|interface}[<emphasis>:address</emphasis>[,<emphasis>address</emphasis>]...]]|[<emphasis>address</emphasis>[,<emphasis>address</emphasis>]...]</term>
+
+        <listitem>
+          <para><option>$FW</option> matches packets originating on the
+          firewall itself, while <replaceable>interface</replaceable>
+          specifies packets arriving on the named interface.</para>
+
+          <para>This column may also include a comma-separated list of
+          IP/subnet addresses. If your kernel and iptables include iprange
+          match support, IP address ranges are also allowed. Ipsets and
+          exclusion are also supported. When <option>$FW</option> or interface
+          are specified, the list must be preceeded by a colon (":").</para>
+
+          <para>If left empty or supplied as "-", 0.0.0.0/0 is assumed.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><emphasis role="bold">DEST</emphasis> - [<emphasis
+        role="bold">-</emphasis>|[$FW|<replaceable>interface</replaceable>]|[{$FW|interface}[<emphasis>:address</emphasis>[,<emphasis>address</emphasis>]...]]|[<emphasis>address</emphasis>[,<emphasis>address</emphasis>]...]</term>
+
+        <listitem>
+          <para><option>$FW</option> matches packets addressed the firewall
+          itself, while <replaceable>interface</replaceable> specifies packets
+          arriving on the named interface. Neither may be specified if the
+          target is <option>NOTRACK</option>.</para>
+
+          <para>This column may also include a comma-separated list of
+          IP/subnet addresses. If your kernel and iptables include iprange
+          match support, IP address ranges are also allowed. Ipsets and
+          exclusion are also supported. When <option>$FW</option> or interface
+          are specified, the list must be preceeded by a colon (":").</para>
+
+          <para>If left empty or supplied as "-", 0.0.0.0/0 is assumed.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>PROTO (Optional) ‒
+        <replaceable>protocol-name-or-number</replaceable></term>
+
+        <listitem>
+          <para>Protocol.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>DEST PORT(S) (dport) ‒
+        <replaceable>service-name/port-number-list</replaceable></term>
+
+        <listitem>
+          <para>Optional. A comma-separated list of port numbers and/or
+          service names from <filename>/etc/services</filename>. May also
+          include port ranges of the form
+          <replaceable>low-port</replaceable>:<replaceable>high-port</replaceable>
+          if your kernel and iptables include port range support.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>SOURCE PORT(S) (sport) ‒
+        <replaceable>service-name/port-number-list</replaceable></term>
+
+        <listitem>
+          <para>Optional. A comma-separated list of port numbers and/or
+          service names from <filename>/etc/services</filename>. May also
+          include port ranges of the form
+          <replaceable>low-port</replaceable>:<replaceable>high-port</replaceable>
+          if your kernel and iptables include port range support.</para>
+        </listitem>
+      </varlistentry>
+    </variablelist>
+
+    <note>
+      <para>The <emphasis role="bold">source</emphasis> and <emphasis
+      role="bold">dest</emphasis> options work best when used in conjunction
+      with ADMINISABSENTMINDED=Yes in <ulink
+      url="shorewall.conf.html">shorewall.conf</ulink>(5).</para>
+    </note>
+  </refsect1>
+
+  <refsect1>
+    <title>FILES</title>
+
+    <para>/etc/shorewall/stoppedrules</para>
+  </refsect1>
+
+  <refsect1>
+    <title>See ALSO</title>
+
+    <para><ulink
+    url="http://shorewall.net/starting_and_stopping_shorewall.htm">http://shorewall.net/starting_and_stopping_shorewall.htm</ulink></para>
+
+    <para><ulink
+    url="http://shorewall.net/configuration_file_basics.htm#Pairs">http://shorewall.net/configuration_file_basics.htm#Pairs</ulink></para>
+
+    <para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
+    shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5),
+    shorewall-ipsets(5), shorewall-maclist(5), shorewall-masq(5),
+    shorewall-nat(5), shorewall-netmap(5), shorewall-params(5),
+    shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5),
+    shorewall-rtrules(5), shorewall-rules(5), shorewall.conf(5),
+    shorewall-secmarks(5), shorewall-tcclasses(5), shorewall-tcdevices(5),
+    shorewall-tcrules(5), shorewall-tos(5), shorewall-tunnels(5),
+    shorewall-zones(5)</para>
+  </refsect1>
+</refentry>
--- a/Shorewall/manpages/shorewall-tcclasses.xml
+++ b/Shorewall/manpages/shorewall-tcclasses.xml
@@ -232,17 +232,47 @@
        <emphasis>priority</emphasis></term>

        <listitem>
-          <para>The <emphasis>priority</emphasis> in which classes will be
-          serviced by the packet shaping scheduler and also the priority in
-          which bandwidth in excess of the rate will be given to each
-          class.</para>
+          <para>For HTB:</para>

-          <para>Higher priority classes will experience less delay since they
-          are serviced first. Priority values are serviced in ascending order
-          (e.g. 0 is higher priority than 1).</para>
+          <blockquote>
+            <para>The <emphasis>priority</emphasis> in which classes will be
+            serviced by the packet shaping scheduler and also the priority in
+            which bandwidth in excess of the rate will be given to each
+            class.</para>

-          <para>Classes may be set to the same priority, in which case they
-          will be serviced as equals.</para>
+            <para>Higher priority classes will experience less delay since
+            they are serviced first. Priority values are serviced in ascending
+            order (e.g. 0 is higher priority than 1).</para>
+
+            <para>Classes may be set to the same priority, in which case they
+            will be serviced as equals.</para>
+          </blockquote>
+
+          <para>For both HTB and HFSC, the <emphasis>priority</emphasis> is
+          used to calculate the priority of following Shorewall-generated
+          classification filters that refer to the class:</para>
+
+          <itemizedlist>
+            <listitem>
+              <para>Packet MARK</para>
+            </listitem>
+
+            <listitem>
+              <para><emphasis role="bold">tcp-ack</emphasis> and the <emphasis
+              role="bold">tos</emphasis> options (see below)</para>
+            </listitem>
+          </itemizedlist>
+
+          <para> The rules for classes with lower numeric priorities will
+          appear before those with higher numeric priorities. </para>
+
+          <para>Beginning with Shorewall 4.5.8, the PRIORITY may be omitted
+          from an HFSC class if you do not use the MARK column or the
+          <emphasis role="bold">tcp-ack</emphasis> or <emphasis
+          role="bold">tos</emphasis> options. If you use any of those features
+          and omit the PRIORITY, then you must specify a
+          <replaceable>priority</replaceable> along with the MARK or
+          option.</para>
        </listitem>
      </varlistentry>

@@ -275,7 +305,7 @@

            <varlistentry>
              <term><emphasis
-              role="bold">tos=0x</emphasis><emphasis>value</emphasis>[/0x<emphasis>mask</emphasis>]
+              role="bold">tos=0x</emphasis><emphasis>value</emphasis>[/0x<emphasis>mask</emphasis>][:<replaceable>priority</replaceable>]
              (mask defaults to 0xff)</term>

              <listitem>
@@ -283,12 +313,20 @@
                <emphasis>value</emphasis>/<emphasis>mask</emphasis>
                combination of the IP packet's TOS/Precedence/DiffSrv octet
                (aka the TOS byte).</para>
+
+                <para>Beginning with Shorewall 4.5.8, the
+                <replaceable>value/mask</replaceable> may be followed by a
+                colon (":") and a <replaceable>priority</replaceable>. This
+                priority determines the order in which filter rules are
+                processed during packet classification. If not specified, the
+                value (<replaceable>class priority</replaceable> &lt;&lt; 8) |
+                10) is used.</para>
              </listitem>
            </varlistentry>

            <varlistentry>
              <term><emphasis
-              role="bold">tos-</emphasis><emphasis>tosname</emphasis></term>
+              role="bold">tos-</emphasis><emphasis>tosname</emphasis>[:<replaceable>priority</replaceable>]</term>

              <listitem>
                <para>Aliases for the following TOS octet value and mask
@@ -296,6 +334,14 @@
                deprecated in favor of diffserve classes, but programs like
                ssh, rlogin, and ftp still use them.</para>

+                <para>Beginning with Shorewall 4.5.8, the
+                <replaceable>tos-name</replaceable> may be followed by a colon
+                (":") and a <replaceable>priority</replaceable>. This priority
+                determines the order in which filter rules are processed
+                during packet classification. If not specified, the value
+                (<replaceable>class priority</replaceable> &lt;&lt; 8) | 10)
+                is used.</para>
+
                <programlisting>        <emphasis role="bold">tos-minimize-delay</emphasis>       0x10/0x10
        <emphasis role="bold">tos-maximize-throughput</emphasis>  0x08/0x08
        <emphasis role="bold">tos-maximize-reliability</emphasis> 0x04/0x04
@@ -310,7 +356,8 @@
            </varlistentry>

            <varlistentry>
-              <term><emphasis role="bold">tcp-ack</emphasis></term>
+              <term><emphasis
+              role="bold">tcp-ack[:<replaceable>priority</replaceable>]</emphasis></term>

              <listitem>
                <para>If defined, causes a tc filter to be created that puts
@@ -320,7 +367,13 @@
                limited to 64 bytes because we want only packets WITHOUT
                payload to match.</para>

-                <para/>
+                <para>Beginning with Shorewall 4.5.8, the <emphasis
+                role="bold">tcp-ack</emphasis> may be followed by a colon
+                (":") and a <replaceable>priority</replaceable>. This priority
+                determines the order in which filter rules are processed
+                during packet classification. If not specified, the value
+                (<replaceable>class priority</replaceable> &lt;&lt; 8) | 20)
+                is used.</para>

                <note>
                  <para>This option is only valid for ONE class per
--- a/Shorewall/manpages/shorewall-tcdevices.xml
+++ b/Shorewall/manpages/shorewall-tcdevices.xml
@@ -180,7 +180,7 @@
        <term><emphasis role="bold">OPTIONS</emphasis> - {<emphasis
        role="bold">-</emphasis>|<emphasis
        role="bold">{classify</emphasis>|<emphasis
-        role="bold">hfsc</emphasis>|<emphasis
+        role="bold">htb|hfsc</emphasis>|<emphasis
        role="bold">linklayer</emphasis>={<emphasis
        role="bold">ethernet</emphasis>|<emphasis
        role="bold">atm</emphasis>|<emphasis
@@ -197,11 +197,14 @@
          marks. You must do all classification using CLASSIFY rules in <ulink
          url="shorewall-tcrules.html">shorewall-tcrules</ulink>(5).</para>

+          <para><option>htb</option> - Use the <firstterm>Hierarchical Token
+          Bucket</firstterm> queuing discipline. This is the default.</para>
+
          <para><option>hfsc</option> - Shorewall normally uses the
-          <firstterm>Hierarchical Token Bucket</firstterm> queuing discipline.
-          When <option>hfsc</option> is specified, the <firstterm>Hierarchical
-          Fair Service Curves</firstterm> discipline is used instead (see
-          tc-hfsc (7)).</para>
+          Hierarchical Token Bucket queuing discipline. When
+          <option>hfsc</option> is specified, the <firstterm>Hierarchical Fair
+          Service Curves</firstterm> discipline is used instead (see tc-hfsc
+          (7)).</para>

          <para><emphasis role="bold">linklayer</emphasis> - Added in
          Shorewall 4.5.6. Type of link (ethernet, atm, adsl). When specified,
--- a/Shorewall/manpages/shorewall-tcfilters.xml
+++ b/Shorewall/manpages/shorewall-tcfilters.xml
@@ -189,6 +189,73 @@
          <replaceable>number</replaceable> will match the rule.</para>
        </listitem>
      </varlistentry>
+
+      <varlistentry>
+        <term><emphasis role="bold">PRIORITY</emphasis> - [<emphasis
+        role="bold">-</emphasis>|<emphasis>priority</emphasis>]</term>
+
+        <listitem>
+          <para>Added in Shorewall 4.5.8. Specifies the rule
+          <replaceable>priority</replaceable>. The
+          <replaceable>priority</replaceable> value must be &gt; 0 and &lt;=
+          65535.</para>
+
+          <para>When a <replaceable>priority</replaceable> is not
+          given:</para>
+
+          <itemizedlist>
+            <listitem>
+              <para>For Shorewall versions prior to 4.5.8 - all filters have
+              priority 10.</para>
+            </listitem>
+
+            <listitem>
+              <para>For Shorewall 4.5.8 and later - for each device, the
+              compiler maintains a <firstterm>high-water priority</firstterm>
+              with an initial value of 0. When a filter has no
+              <replaceable>priority</replaceable>, the high-water priority is
+              incremented by 1 and assigned to the filter. When a
+              <replaceable>priority</replaceable> greater than the high-water
+              priority is entered in this column, the high-water priority is
+              set to the specified <replaceable>priority</replaceable>. An
+              attempt to assign a priority value greater than 65535
+              (explicitly or implicitly) raises an error.</para>
+            </listitem>
+          </itemizedlist>
+
+          <para>The default priority values used by other Shorewall-generated
+          filters are as follows:</para>
+
+          <itemizedlist>
+            <listitem>
+              <para>Classify by packet mark - ( <replaceable>class
+              priority</replaceable> &lt;&lt; 8 ) | 20.</para>
+            </listitem>
+
+            <listitem>
+              <para>Ingress policing - 10</para>
+            </listitem>
+
+            <listitem>
+              <para>Simple TC ACK packets - 1</para>
+            </listitem>
+
+            <listitem>
+              <para>Complex TC ACK packets - ( <replaceable>class
+              priority</replaceable> &lt;&lt; 8 ) | 10.</para>
+            </listitem>
+
+            <listitem>
+              <para>Classify by TOS - ( <replaceable>class
+              priority</replaceable> &lt;&lt; 8 ) | 15.</para>
+            </listitem>
+
+            <listitem>
+              <para>Class with 'occurs' - 65535</para>
+            </listitem>
+          </itemizedlist>
+        </listitem>
+      </varlistentry>
    </variablelist>
  </refsect1>

@@ -218,6 +285,23 @@
       1:10      ::/0      ::/0         icmp6   echo-reply</programlisting>
        </listitem>
      </varlistentry>
+
+      <varlistentry>
+        <term>Example 2:</term>
+
+        <listitem>
+          <para>Add two filters with priority 10 (Shorewall 4.5.8 or
+          later).</para>
+
+          <programlisting>       #CLASS    SOURCE    DEST         PROTO   DEST            PRIORITY
+       #                                        PORT
+
+       IPV4
+
+       1:10      0.0.0.0/0 0.0.0.0/0    icmp    echo-request    10
+       1:10      0.0.0.0/0 0.0.0.0/0    icmp    echo-reply      10</programlisting>
+        </listitem>
+      </varlistentry>
    </variablelist>
  </refsect1>

--- a/Shorewall/manpages/shorewall-tcrules.xml
+++ b/Shorewall/manpages/shorewall-tcrules.xml
@@ -515,11 +515,17 @@ SAME              $FW            0.0.0.0/0    tcp        80,443</programlisting>
              role="bold">-</emphasis>|<emphasis
              role="bold">+</emphasis>]<replaceable>number</replaceable>)</para>

-              <para>Added in Shorewall 4.4.24. May be option followed by
+              <para>Added in Shorewall 4.4.24.</para>
+
+              <para>Prior to Shorewall 4.5.7.2, may be optionally followed by
              <emphasis role="bold">:F</emphasis> but the resulting rule is
-              always added to the FORWARD chain. If <emphasis
-              role="bold">+</emphasis> is included, packets matching the rule
-              will have their TTL incremented by
+              always added to the FORWARD chain. Beginning with Shorewall
+              4.5.7.s, it may be optionally followed by <emphasis
+              role="bold">:P</emphasis>, in which case the rule is added to
+              the PREROUTING chain.</para>
+
+              <para>If <emphasis role="bold">+</emphasis> is included, packets
+              matching the rule will have their TTL incremented by
              <replaceable>number</replaceable>. Similarly, if <emphasis
              role="bold">-</emphasis> is included, matching packets have
              their TTL decremented by <replaceable>number</replaceable>. If
@@ -1008,10 +1014,7 @@ Normal-Service       =&gt; 0x00</programlisting>
          <para>Names a Netfiler protocol <firstterm>helper</firstterm> module
          such as <option>ftp</option>, <option>sip</option>,
          <option>amanda</option>, etc. A packet will match if it was accepted
-          by the named helper module. You can also append "-" and a port
-          number to the helper module name (e.g., <emphasis
-          role="bold">ftp-21</emphasis>) to specify the port number that the
-          original connection was made on.</para>
+          by the named helper module.</para>

          <para>Example: Mark all FTP data connections with mark
          4:<programlisting>#ACTION   SOURCE    DEST      PROTO   PORT(S)    SOURCE  USER TEST LENGTH TOS CONNBYTES HELPER
--- a/Shorewall/manpages/shorewall.conf.xml
+++ b/Shorewall/manpages/shorewall.conf.xml
@@ -96,7 +96,7 @@
        role="bold">none</emphasis>}</term>

        <listitem>
-          <para/>
+          <para></para>
        </listitem>
      </varlistentry>

@@ -106,7 +106,7 @@
        role="bold">none</emphasis>}</term>

        <listitem>
-          <para/>
+          <para></para>
        </listitem>
      </varlistentry>

@@ -116,7 +116,7 @@
        role="bold">none</emphasis>}</term>

        <listitem>
-          <para/>
+          <para></para>
        </listitem>
      </varlistentry>

@@ -126,7 +126,7 @@
        role="bold">none</emphasis>}</term>

        <listitem>
-          <para/>
+          <para></para>
        </listitem>
      </varlistentry>

@@ -283,14 +283,14 @@
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">AUTO_COMMENT=</emphasis>[<emphasis
+        <term><emphasis role="bold">AUTOCOMMENT=</emphasis>[<emphasis
        role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>

        <listitem>
-          <para>If set, if there is not a current comment when a macro is
-          invoked, the behavior is as if the first line of the macro file was
-          "COMMENT &lt;macro name&gt;". The AUTO_COMMENT option has a default
-          value of 'Yes'.</para>
+          <para>Formerly named AUTO_COMMENT. If set, if there is not a current
+          comment when a macro is invoked, the behavior is as if the first
+          line of the macro file was "COMMENT &lt;macro name&gt;". The
+          AUTO_COMMENT option has a default value of 'Yes'.</para>

          <para>The setting of the AUTOMAKE option is ignored if the
          <command>start</command> or <command>restart</command> command
@@ -299,6 +299,49 @@
        </listitem>
      </varlistentry>

+      <varlistentry>
+        <term><emphasis role="bold">AUTOHELPERS=</emphasis>[<emphasis
+        role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>
+
+        <listitem>
+          <para>Added in Shorewall 4.5.7. When set to <option>Yes</option>
+          (the default), the generated ruleset will automatically associate
+          helpers with applications that require them (FTP, IRC, etc.). When
+          configuring your firewall on systems running kernel 3.5 or later, it
+          is recommended that you:</para>
+
+          <orderedlist>
+            <listitem>
+              <para>Set AUTOHELPERS=No.</para>
+            </listitem>
+
+            <listitem>
+              <para>Either:</para>
+
+              <orderedlist numeration="loweralpha">
+                <listitem>
+                  <para>Modify <ulink
+                  url="shorewall-conntrack.html">shorewall-conntrack</ulink>
+                  (5) to only apply helpers where they are required; or</para>
+                </listitem>
+
+                <listitem>
+                  <para>Specify the appropriate helper in the HELPER column in
+                  <ulink url="shorewall-rules.html">shorewall-rules</ulink>
+                  (5).</para>
+
+                  <note>
+                    <para>The macros for those applications requiring a helper
+                    automatically specify the appropriate HELPER where
+                    required.</para>
+                  </note>
+                </listitem>
+              </orderedlist>
+            </listitem>
+          </orderedlist>
+        </listitem>
+      </varlistentry>
+
      <varlistentry>
        <term><emphasis role="bold">AUTOMAKE=</emphasis>[<emphasis
        role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>
@@ -482,7 +525,7 @@
          </itemizedlist>

          <blockquote>
-            <para/>
+            <para></para>

            <para>If CONFIG_PATH is not given or if it is set to the empty
            value then the contents of /usr/share/shorewall/configpath are
@@ -677,13 +720,73 @@ net     all  DROP   info</programlisting>then the chain name is 'net2all'
          <para>Added in Shorewall 4.5.4. Specifies the pathname of the
          directory containing the <firstterm>GeoIP Match</firstterm>
          database. See <ulink
-          url="http://www.shorewall.net/ISOCODES.html">http://www.shorewall.net/ISOCODES.html</ulink>.
+          url="http://www.shorewall.net/ISO-3661.html">http://www.shorewall.net/ISO-3661.html</ulink>.
          If not specified, the default value is
          <filename>/usr/share/xt_geoip/LE</filename> which is the default
          location of the little-endian database.</para>
        </listitem>
      </varlistentry>

+      <varlistentry>
+        <term><emphasis
+        role="bold">HELPERS</emphasis>=[<emphasis>helper</emphasis>[,<replaceable>helper</replaceable>...]]</term>
+
+        <listitem>
+          <para>Added in Shorewall 4.5.7. This option lists the Netfilter
+          application helps that are to be enabled. If not specified, the
+          default is to enable all helpers.</para>
+
+          <para>Possible values for <replaceable>helper</replaceable>
+          are:</para>
+
+          <itemizedlist>
+            <listitem>
+              <para>amanda</para>
+            </listitem>
+
+            <listitem>
+              <para>ftp</para>
+            </listitem>
+
+            <listitem>
+              <para>h323</para>
+            </listitem>
+
+            <listitem>
+              <para>irc</para>
+            </listitem>
+
+            <listitem>
+              <para>netbios-ns</para>
+            </listitem>
+
+            <listitem>
+              <para>pptp</para>
+            </listitem>
+
+            <listitem>
+              <para>sane</para>
+            </listitem>
+
+            <listitem>
+              <para>sip</para>
+            </listitem>
+
+            <listitem>
+              <para>snmp</para>
+            </listitem>
+
+            <listitem>
+              <para>tftp</para>
+            </listitem>
+          </itemizedlist>
+
+          <para>When HELPERS is specified on a system running Kernel 3.5.0 or
+          later, automatic association of helpers to connections is
+          disabled.</para>
+        </listitem>
+      </varlistentry>
+
      <varlistentry>
        <term><emphasis role="bold">HIGH_ROUTE_MARKS=</emphasis>{<emphasis
        role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>}</term>
@@ -829,7 +932,7 @@ net     all  DROP   info</programlisting>then the chain name is 'net2all'
            </varlistentry>
          </variablelist>

-          <para/>
+          <para></para>

          <blockquote>
            <para>If this variable is not set or is given an empty value
@@ -1039,7 +1142,7 @@ net     all  DROP   info</programlisting>then the chain name is 'net2all'
            </listitem>
          </itemizedlist>

-          <para/>
+          <para></para>

          <blockquote>
            <para>For example, using the default LOGFORMAT, the log prefix for
@@ -1056,7 +1159,7 @@ net     all  DROP   info</programlisting>then the chain name is 'net2all'
              control your firewall after you enable this option.</para>
            </important>

-            <para/>
+            <para></para>

            <caution>
              <para>Do not use this option if the resulting log messages will
@@ -1720,7 +1823,7 @@ net     all  DROP   info</programlisting>then the chain name is 'net2all'
        role="bold">"</emphasis></term>

        <listitem>
-          <para/>
+          <para></para>
        </listitem>
      </varlistentry>

--- a/Shorewall/manpages/shorewall.xml
+++ b/Shorewall/manpages/shorewall.xml
@@ -1623,9 +1623,11 @@
          temporary saved configuration
          (<filename>/var/lib/shorewall/.try</filename>). Next, if Shorewall
          is currently started then a <emphasis role="bold">restart</emphasis>
-          command is issued; otherwise, a <emphasis
-          role="bold">start</emphasis> command is performed. if an error
-          occurs during the compliation phase of the <emphasis
+          command is issued using the specified configuration
+          <replaceable>directory</replaceable>; otherwise, a <emphasis
+          role="bold">start</emphasis> command is performed using the
+          specified configuration <replaceable>directory</replaceable>. if an
+          error occurs during the compliation phase of the <emphasis
          role="bold">restart</emphasis> or <emphasis
          role="bold">start</emphasis>, the command terminates without
          changing the Shorewall state. If an error occurs during the
--- a/Shorewall/modules.essential
+++ b/Shorewall/modules.essential
@@ -25,6 +25,7 @@ loadmodule ip_conntrack
 loadmodule nf_conntrack
 loadmodule nf_conntrack_ipv4
 loadmodule iptable_nat
+loadmodule iptable_raw
 loadmodule xt_state
 loadmodule xt_tcpudp
 loadmodule ipt_LOG
--- a/Shorewall/shorewall
+++ b/Shorewall/shorewall
@@ -25,18 +25,18 @@
 #       For a list of supported commands, type 'shorewall help' or 'shorewall6 help'
 #
 ################################################################################################
-g_program=shorewall
+PRODUCT=shorewall

 #
 # This is modified by the installer when ${SHAREDIR} != /usr/share
 #
 . /usr/share/shorewall/shorewallrc

+g_program=$PRODUCT
 g_libexec="$LIBEXECDIR"
 g_sharedir="$SHAREDIR"/shorewall
 g_sbindir="$SBINDIR"
 g_perllib="$PERLLIBDIR"
-g_vardir="$VARDIR"
 g_confdir="$CONFDIR"/shorewall
 g_readrc=1

--- a/Shorewall6-lite/init.fedora.sh
+++ b/Shorewall6-lite/init.fedora.sh
--- a/Shorewall6-lite/init.suse.sh
+++ b/Shorewall6-lite/init.suse.sh
@@ -0,0 +1,87 @@
+#!/bin/sh
+#
+#     The Shoreline Firewall (Shorewall) Packet Filtering Firewall - V4.5
+#
+#     This program is under GPL [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
+#
+#     (c) 1999,2000,2001,2002,2003,2004,2005,2006,2007,2012 - Tom Eastep (teastep@shorewall.net)
+#
+#	On most distributions, this file should be called /etc/init.d/shorewall.
+#
+#	Complete documentation is available at http://shorewall.net
+#
+#	This program is free software; you can redistribute it and/or modify
+#	it under the terms of Version 2 of the GNU General Public License
+#	as published by the Free Software Foundation.
+#
+#	This program is distributed in the hope that it will be useful,
+#	but WITHOUT ANY WARRANTY; without even the implied warranty of
+#	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+#	GNU General Public License for more details.
+#
+#	You should have received a copy of the GNU General Public License
+#	along with this program; if not, write to the Free Software
+#	Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+#	If an error occurs while starting or restarting the firewall, the
+#	firewall is automatically stopped.
+#
+#	Commands are:
+#
+#	   shorewall6-lite start			  Starts the firewall
+#	   shorewall6-lite restart			  Restarts the firewall
+#	   shorewall6-lite reload			  Reload the firewall
+#						          (same as restart)
+#	   shorewall6-lite stop 			  Stops the firewall
+#	   shorewall6-lite status			  Displays firewall status
+#
+
+### BEGIN INIT INFO
+# Provides:	  shorewall6-lite
+# Required-Start: $local_fs $remote_fs $syslog $network
+# Required-Stop:  $network $remote_fs
+# Default-Start:  2 3 5
+# Default-Stop:	  0 1 6
+# Description:	  starts and stops the shorewall firewall
+# Short-Description: Packet filtering firewall
+### END INIT INFO
+
+################################################################################
+# Give Usage Information						       #
+################################################################################
+usage() {
+    echo "Usage: $0 start|stop|reload|restart|status"
+    exit 1
+}
+
+################################################################################
+# Get startup options (override default)
+################################################################################
+OPTIONS=
+
+#
+# The installer may alter this
+#
+. /usr/share/shorewall/shorewallrc
+
+export SHOREWALL_INIT_SCRIPT=1
+
+################################################################################
+# E X E C U T I O N    B E G I N S   H E R E				       #
+################################################################################
+command="$1"
+
+case "$command" in
+    start)
+	exec ${SBINDIR}/shorewall6-lite $OPTIONS start $STARTOPTIONS
+	;;
+    restart|reload)
+	exec ${SBINDIR}/shorewall6-lite $OPTIONS restart $RESTARTOPTIONS
+	;;
+    status|stop)
+	exec ${SBINDIR}/shorewall6-lite $OPTIONS $command $@
+	;;
+    *)
+	usage
+	;;
+esac
--- a/Shorewall6-lite/shorewall6-lite
+++ b/Shorewall6-lite/shorewall6-lite
@@ -25,17 +25,17 @@
 #       For a list of supported commands, type 'shorewall help' or 'shorewall6 help'
 #
 ################################################################################################
-g_program=shorewall6-lite
+PRODUCT=shorewall6-lite

 #
 # This is modified by the installer when ${SHAREDIR} != /usr/share
 #
 . /usr/share/shorewall/shorewallrc

+g_program=$PRODUCT
 g_libexec="$LIBEXECDIR"
 g_sharedir="$SHAREDIR"/shorewall6-lite
 g_sbindir="$SBINDIR"
-g_vardir="$VARDIR"
 g_confdir="$CONFDIR"/shorewall6-lite
 g_readrc=1

--- a/Shorewall6/Samples6/Universal/rules
+++ b/Shorewall6/Samples6/Universal/rules
@@ -6,8 +6,8 @@
 # The manpage is also online at
 # http://www.shorewall.net/manpages/shorewall-rules.html
 #
-###########################################################################################################################################################################
-#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME       HEADERS   SWITCH
+######################################################################################################################################################################################
+#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME       HEADERS   SWITCH     HELPER
 #							PORT	PORT(S)		DEST		LIMIT		GROUP
 #SECTION ALL
 #SECTION ESTABLISHED
--- a/Shorewall6/Samples6/Universal/shorewall6.conf
+++ b/Shorewall6/Samples6/Universal/shorewall6.conf
@@ -109,7 +109,9 @@ ACCOUNTING_TABLE=filter

 ADMINISABSENTMINDED=Yes

-AUTO_COMMENT=Yes
+AUTOCOMMENT=Yes
+
+AUTOHELPERS=Yes

 AUTOMAKE=No

@@ -135,6 +137,8 @@ FASTACCEPT=Yes

 FORWARD_CLEAR_MARK=

+HELPERS=
+
 IMPLICIT_CONTINUE=No

 IPSET_WARNINGS=Yes
--- a/Shorewall6/Samples6/one-interface/rules
+++ b/Shorewall6/Samples6/one-interface/rules
@@ -10,8 +10,8 @@
 # See the file README.txt for further details.
 #------------------------------------------------------------------------------------------------------------
 # For information on entries in this file, type "man shorewall6-rules"
-###########################################################################################################################################################################
-#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME       HEADERS   SWITCH
+######################################################################################################################################################################################
+#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME       HEADERS   SWITCH     HELPER
 #							PORT	PORT(S)		DEST		LIMIT		GROUP
 #SECTION ALL
 #SECTION ESTABLISHED
--- a/Shorewall6/Samples6/one-interface/shorewall6.conf
+++ b/Shorewall6/Samples6/one-interface/shorewall6.conf
@@ -109,7 +109,9 @@ ACCOUNTING_TABLE=filter

 ADMINISABSENTMINDED=Yes

-AUTO_COMMENT=Yes
+AUTOCOMMENT=Yes
+
+AUTOHELPERS=Yes

 AUTOMAKE=No

@@ -135,6 +137,8 @@ FASTACCEPT=No

 FORWARD_CLEAR_MARK=

+HELPERS=
+
 IMPLICIT_CONTINUE=No

 IPSET_WARNINGS=Yes
--- a/Shorewall6/Samples6/three-interfaces/rules
+++ b/Shorewall6/Samples6/three-interfaces/rules
@@ -10,8 +10,8 @@
 # See the file README.txt for further details.
 #------------------------------------------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall6-rules"
-###########################################################################################################################################################################
-#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME       HEADERS   SWITCH
+######################################################################################################################################################################################
+#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME       HEADERS   SWITCH     HELPER
 #							PORT	PORT(S)		DEST		LIMIT		GROUP
 #SECTION ALL
 #SECTION ESTABLISHED
--- a/Shorewall6/Samples6/three-interfaces/shorewall6.conf
+++ b/Shorewall6/Samples6/three-interfaces/shorewall6.conf
@@ -109,7 +109,9 @@ ACCOUNTING_TABLE=filter

 ADMINISABSENTMINDED=Yes

-AUTO_COMMENT=Yes
+AUTOCOMMENT=Yes
+
+AUTOHELPERS=Yes

 AUTOMAKE=No

@@ -135,6 +137,8 @@ FASTACCEPT=No

 FORWARD_CLEAR_MARK=

+HELPERS=
+
 IMPLICIT_CONTINUE=No

 IPSET_WARNINGS=Yes
--- a/Shorewall6/Samples6/three-interfaces/stoppedrules
+++ b/Shorewall6/Samples6/three-interfaces/stoppedrules
@@ -1,6 +1,6 @@
 #
-# Shorewall6 version 4 - Sample Routestopped File for three-interface configuration.
-# Copyright (C) 2006,2008 by the Shorewall Team
+# Shorewall6 version 4.5 Sample Stoppedrules File for three-interface configuration.
+# Copyright (C) 2012 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public
@@ -9,12 +9,12 @@
 #
 # See the file README.txt for further details.
 #------------------------------------------------------------------------------
-# For information about entries in this file, type "man shorewall6-routestopped"
-#
-# See http://shorewall.net/starting_and_stopping_shorewall.htm for additional
-# information.
-#
-##############################################################################
-#INTERFACE	HOST(S)
-eth1		-
-eth2		-
+# For information about entries in this file, type "man shorewall-stoppedrules"
+###############################################################################
+#ACTION		SOURCE		DEST		PROTO	DEST		SOURCE
+#							PORT(S)		PORT(S)
+ACCEPT		eth1		-
+ACCEPT		-		eth1
+ACCEPT		eth2		-
+ACCEPT		-		eth2
+
--- a/Shorewall6/Samples6/two-interfaces/rules
+++ b/Shorewall6/Samples6/two-interfaces/rules
@@ -10,8 +10,8 @@
 # See the file README.txt for further details.
 #------------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall6-rules"
-###########################################################################################################################################################################
-#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME       HEADERS   SWITCH
+######################################################################################################################################################################################
+#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME       HEADERS   SWITCH     HELPER
 #							PORT	PORT(S)		DEST		LIMIT		GROUP
 #SECTION ALL
 #SECTION ESTABLISHED
--- a/Shorewall6/Samples6/two-interfaces/shorewall6.conf
+++ b/Shorewall6/Samples6/two-interfaces/shorewall6.conf
@@ -109,7 +109,9 @@ ACCOUNTING_TABLE=filter

 ADMINISABSENTMINDED=Yes

-AUTO_COMMENT=Yes
+AUTOCOMMENT=Yes
+
+AUTOHELPERS=Yes

 AUTOMAKE=No

@@ -135,6 +137,8 @@ FASTACCEPT=No

 FORWARD_CLEAR_MARK=

+HELPERS=
+
 IMPLICIT_CONTINUE=No

 IPSET_WARNINGS=Yes
--- a/Shorewall6/Samples6/two-interfaces/stoppedrules
+++ b/Shorewall6/Samples6/two-interfaces/stoppedrules
@@ -1,6 +1,6 @@
 #
-# Shorewall version 4.0 - Sample Routestopped File for three-interface configuration.
-# Copyright (C) 2006 by the Shorewall Team
+# Shorewall6 version 4.5 Sample Stoppedrules File for two-interface configuration.
+# Copyright (C) 2012 by the Shorewall Team
 #
 # This library is free software; you can redistribute it and/or
 # modify it under the terms of the GNU Lesser General Public
@@ -9,8 +9,9 @@
 #
 # See the file README.txt for further details.
 #------------------------------------------------------------------------------
-# For information about entries in this file, type "man shorewall-routestopped"
-##############################################################################
-#INTERFACE	HOST(S)
-eth1		-
-eth2		-
+# For information about entries in this file, type "man shorewall-stoppedrules"
+###############################################################################
+#ACTION		SOURCE		DEST		PROTO	DEST		SOURCE
+#							PORT(S)		PORT(S)
+ACCEPT		eth1		-
+ACCEPT		-		eth1
--- a/Shorewall6/configfiles/blacklist
+++ b/Shorewall6/configfiles/blacklist
@@ -1,10 +0,0 @@
-#
-# Shorewall6 version 4 - Blacklist File
-#
-# For information about entries in this file, type "man shorewall6-blacklist"
-#
-# Please see http://shorewall.net/blacklisting_support.htm for additional
-# information.
-#
-###############################################################################
-#ADDRESS/SUBNET		PROTOCOL	PORT	OPTIONS
--- a/Shorewall6/configfiles/conntrack
+++ b/Shorewall6/configfiles/conntrack
@@ -0,0 +1,53 @@
+#
+# Shorewall version 4 - conntrack File
+#
+# For information about entries in this file, type "man shorewal6-conntrack"
+#
+#############################################################################################
+FORMAT 2
+#ACTION			SOURCE		DESTINATION	PROTO	DEST		SOURCE	USER/
+#								PORT(S)		PORT(S)	GROUP
+?if __CT_TARGET
+
+?if __AMANDA_HELPER
+CT:helper:amanda	all		-		udp	10080
+?endif
+
+?if __FTP_HELPER
+CT:helper:ftp		all		-		tcp	21
+?endif
+
+?if __H323_HELPER
+CT:helper:RAS		all		-		udp	1719
+CT:helper:Q.931		all		-		tcp	1720
+?endif
+
+?if __IRC_HELPER
+CT:helper:irc		all		-		tcp	6667
+?endif
+
+?if __NETBIOS_NS_HELPER
+CT:helper:netbios-ns	all		-		udp	137
+?endif
+
+?if __PPTP_HELPER
+CT:helper:pptp		all		-		tcp	1723
+?endif
+
+?if __SANE_HELPER
+CT:helper:sane		all		-		tcp	6566
+?endif
+
+?if __SIP_HELPER
+CT:helper:sip		all		-		udp	5060
+?endif
+
+?if __SNMP_HELPER
+CT:helper:snmp		all		-		udp	161
+?endif
+
+?if __TFTP_HELPER
+CT:helper:tftp		all		-		udp	69
+?endif
+
+?endif
--- a/Show More
+++ b/Show More