Replace spaces with tabs in rules files.

Signed-off-by: Tom Eastep <teastep@shorewall.net>
Use split_list2 in isolate_basic_target()
2012-12-07 16:48:55 -08:00 · 2012-12-06 19:12:44 -08:00 · 2012-12-06 15:20:10 -08:00 · 2012-12-06 15:13:46 -08:00 · 2012-12-05 07:52:07 -08:00 · 2012-12-04 10:54:32 -08:00
123 changed files with 4917 additions and 2117 deletions
--- a/Shorewall-core/lib.base
+++ b/Shorewall-core/lib.base
@@ -20,15 +20,11 @@
 #	along with this program; if not, write to the Free Software
 #	Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
-# This library contains the code common to all Shorewall components.
-#
-# - It is loaded by /sbin/shorewall.
-# - It is released as part of Shorewall[6] Lite where it is used by /sbin/shorewall[6]-lite
-#   and /usr/share/shorewall[6]-lite/shorecap.
+# This library contains the code common to all Shorewall components except the
+# generated scripts.
 #

-SHOREWALL_LIBVERSION=40502
-SHOREWALL_CAPVERSION=40507
+SHOREWALL_LIBVERSION=40509

 [ -n "${g_program:=shorewall}" ]

@@ -38,10 +34,7 @@ if [ -z "$g_readrc" ]; then
    #
    . /usr/share/shorewall/shorewallrc

-    g_libexec="$LIBEXECDIR"
    g_sharedir="$SHAREDIR"/$g_program
-    g_sbindir="$SBINDIR"
-    g_perllib="$PERLLIBDIR"
    g_confdir="$CONFDIR"/$g_program
    g_readrc=1
 fi
@@ -52,13 +45,13 @@ case $g_program in
    shorewall)
 	g_product="Shorewall"
 	g_family=4
-	g_tool=
+	g_tool=iptables
 	g_lite=
 	;;
    shorewall6)
 	g_product="Shorewall6"
 	g_family=6
-	g_tool=
+	g_tool=ip6tables
 	g_lite=
 	;;
    shorewall-lite)
--- a/Shorewall-core/lib.cli
+++ b/Shorewall-core/lib.cli
@@ -21,20 +21,21 @@
 #	Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 #
 # This library contains the command processing code common to /sbin/shorewall[6] and
-# /sbin/shorewall[6]-lite.
+# /sbin/shorewall[6]-lite. In Shorewall and Shorewall6, the lib.cli-std library is 
+# loaded after this one and replaces some of the functions declared here.
 #

+SHOREWALL_CAPVERSION=40509
+
+[ -n "${g_program:=shorewall}" ]
+
 if [ -z "$g_readrc" ]; then
    #
    # This is modified by the installer when ${SHAREDIR} <> /usr/share
    #
    . /usr/share/shorewall/shorewallrc

-    g_libexec="$LIBEXECDIR"
    g_sharedir="$SHAREDIR"/$g_program
-    g_sbindir="$SBINDIR"
-    g_perllib="$PERLLIBDIR"
-    g_vardir="$VARDIR"
    g_confdir="$CONFDIR"/$g_program
    g_readrc=1
 fi
@@ -435,21 +436,42 @@ save_config() {
 #
 sort_routes() {
    local dest
+    local second
    local rest
-    local crvsn
+    local vlsm
+    local maxvlsm
+    local rule

-    while read dest rest; do
+    if [ $g_family -eq 4 ]; then
+	maxvlsm=032
+    else
+	maxvlsm=128
+    fi
+
+    while read dest second rest; do
 	if [ -n "$dest" ]; then
+	    rule="$dest $second $rest"
 	    case "$dest" in
 		default)
-		    echo "00 $dest $rest"
+		    echo "000 $rule"
+		    ;;
+		blackhole|local)
+		    case "$second" in
+			*/*)
+			    vlsm=${second#*/}
+			    printf "%03d %s\n" $vlsm "$rule"
+			    ;;
+			*)
+			    echo "$maxvlsm $rule"
+			    ;;
+		    esac
 		    ;;
 		*/*)
-		    crvsn=${dest#*/}
-		    printf "%02d %s\n" $crvsn "$dest $rest"
+		    vlsm=${dest#*/}
+		    printf "%03d %s\n" $vlsm "$rule"
 		    ;;
 		*)
-		    echo "32 $dest $rest"
+		    echo "$maxvlsm $rule"
 		    ;;
 	    esac
 	fi
@@ -480,7 +502,7 @@ show_routing() {
 	ip -$g_family rule list | find_tables | sort -u | while read table; do
 	    heading "Table $table:"
 	    if [ $g_family -eq 6 ]; then
-		ip -$g_family -o route list table $table | fgrep -v cache
+		ip -$g_family -o route list table $table | fgrep -v cache | sort_routes
 	    else
 		ip -4 -o route list table $table | sort_routes
 	    fi
@@ -493,13 +515,33 @@ show_routing() {
    else
 	heading "Routing Table"
 	if [ $g_family -eq 6 ]; then
-	    ip -$g_family -o route list | fgrep -v cache
+	    ip -$g_family -o route list | fgrep -v cache | sort_routes
 	else
 	    ip -4 -o route list table $table | sort_routes
 	fi
    fi
 }

+determine_ipset_version() {
+    local setname
+
+    if [ -z "$IPSET" -o $IPSET = ipset ]; then
+	IPSET=$(mywhich ipset)
+	[ -n "$IPSET" ] || fatal_error "The ipset utility cannot be located"
+    fi
+
+    setname=fooX$$
+
+    qt ipset -X $setname # Just in case something went wrong the last time
+
+    if qt ipset -N $setname hash:ip family inet; then
+	qt ipset -X $setname
+	IPSETN="$IPSET"
+    else
+	IPSETN="$IPSET -n"
+    fi
+}
+
 #
 # 'list dynamic' command executor
 #
@@ -507,7 +549,7 @@ find_sets() {
    local junk
    local setname

-    ipset -L -n | grep "^Name: ${1}_" | while read junk setname; do echo $setname; done
+    $IPSETN -L | egrep "^Name: ${1}(_.+)?$" | while read junk setname; do echo $setname; done
 }

 list_zone() {
@@ -515,22 +557,22 @@ list_zone() {
    local sets
    local setname

-    [ -n "$(mywhich ipset)" ] || fatal_error "The ipset utility cannot be located"
+    determine_ipset_version

    if [ $g_family -eq 4 ]; then
-	sets=$(ipset -L -n | grep '^$1_');
+	sets=$($IPSETN -L | egrep "^$1(_.+)?");
     else
-	sets=$(ipset -L -n | grep "^6_$1_")
+	sets=$($IPSETN -L | egrep "^6_$1(_.+)?")
    fi

    [ -n "$sets" ] || sets=$(find_sets $1)

    for setname in $sets; do
 	echo "${setname#${1}_}:"
-	ipset -L $setname -n | awk 'BEGIN        {prnt=0;}; \
-                                    /^Members:/  {prnt=1; next; }; \
-                                    /^Bindings:/ {prnt=0; }; \
-                                                 { if (prnt == 1) print "   ", $1; };'
+	$IPSETN -L $setname | awk 'BEGIN        {prnt=0;}; \
+                                   /^Members:/  {prnt=1; next; }; \
+                                   /^Bindings:/ {prnt=0; }; \
+                                                { if (prnt == 1) print "   ", $1; };'
    done
 }

@@ -639,6 +681,8 @@ show_command() {
    table=filter
    local table_given
    table_given=
+    local output_filter
+    output_filter=cat

    show_macro() {
 	foo=`grep 'This macro' $macro | sed 's/This macro //'`
@@ -653,6 +697,16 @@ show_command() {
 	fi
    }

+    # eliminates rules which have not been used from ip*tables' output
+    brief_output() {
+	awk \
+	'/^Chain /  { heading1 = $0; getline heading2; printed = 0; next; };
+         /^ +0 +0 / { next; };
+         /^$/       { if ( printed == 1 ) { print $0; }; next; };
+                    { if ( printed == 0 ) { print heading1; print heading2; printed = 1 }; };
+	            { print; }';
+    }
+
    while [ $finished -eq 0 -a $# -gt 0 ]; do
 	option=$1
 	case $option in
@@ -705,6 +759,10 @@ show_command() {
 			    g_routecache=Yes
 			    option=${option#c}
 			    ;;
+			b*)
+			    output_filter=brief_output
+			    option=${option#b}
+			    ;;
 			*)
 			    usage 1
 			    ;;
@@ -722,6 +780,7 @@ show_command() {


    [ -n "$g_debugging" ] && set -x
+
    case "$1" in
 	connections)
 	    [ $# -gt 1 ] && usage 1
@@ -765,28 +824,28 @@ show_command() {
 	    echo "$g_product $SHOREWALL_VERSION NAT Table at $g_hostname - $(date)"
 	    echo
 	    show_reset
-	    $g_tool -t nat -L $g_ipt_options
+	    $g_tool -t nat -L $g_ipt_options | $output_filter
 	    ;;
 	raw)
 	    [ $# -gt 1 ] && usage 1
 	    echo "$g_product $SHOREWALL_VERSION RAW Table at $g_hostname - $(date)"
 	    echo
 	    show_reset
-	    $g_tool -t raw -L $g_ipt_options
+	    $g_tool -t raw -L $g_ipt_options | $output_filter
 	    ;;
 	rawpost)
 	    [ $# -gt 1 ] && usage 1
 	    echo "$g_product $SHOREWALL_VERSION RAWPOST Table at $g_hostname - $(date)"
 	    echo
 	    show_reset
-	    $g_tool -t rawpost -L $g_ipt_options
+	    $g_tool -t rawpost -L $g_ipt_options | $output_filter
 	    ;;
 	tos|mangle)
 	    [ $# -gt 1 ] && usage 1
 	    echo "$g_product $SHOREWALL_VERSION Mangle Table at $g_hostname - $(date)"
 	    echo
 	    show_reset
-	    $g_tool -t mangle -L $g_ipt_options
+	    $g_tool -t mangle -L $g_ipt_options | $output_filter
 	    ;;
 	log)
 	    [ $# -gt 2 ] && usage 1
@@ -822,7 +881,7 @@ show_command() {
 	    shift

 	    if [ -z "$1" ]; then
-		$g_tool -t mangle -L -n -v
+		$g_tool -t mangle -L -n -v | $output_filter
 		echo
 	    fi

@@ -885,15 +944,15 @@ show_command() {
 	    if [ -n "$g_filemode" ]; then
 		echo "CONFIG_PATH=$CONFIG_PATH"
 		echo "VARDIR=$VARDIR"
-		echo "LIBEXEC=$g_libexec"
-		echo "SBINDIR=$g_sbindir"
+		echo "LIBEXEC=${LIBEXECDIR}"
+		echo "SBINDIR=${SBINDIR}"
 		echo "CONFDIR=${CONFDIR}"
 		[ -n "$g_lite" ] && [ ${VARDIR} != /var/lib/$g_program ] && echo "LITEDIR=${VARDIR}"
 	    else
 		echo "Default CONFIG_PATH is $CONFIG_PATH"
 		echo "Default VARDIR is /var/lib/$g_program"
-		echo "LIBEXEC is $g_libexec"
-		echo "SBINDIR is $g_sbindir"
+		echo "LIBEXEC is ${LIBEXECDIR}"
+		echo "SBINDIR is ${SBINDIR}"
 		echo "CONFDIR is ${CONFDIR}"
 		[ -n "$g_lite" ] && [ ${VARDIR} != /var/lib/$g_program ] && echo "LITEDIR is ${VARDIR}"
 	    fi
@@ -905,11 +964,11 @@ show_command() {
 	    show_reset
 	    if [ $# -gt 0 ]; then
 		for chain in $*; do
-		    $g_tool -t $table -L $chain $g_ipt_options
+		    $g_tool -t $table -L $chain $g_ipt_options | $output_filter
 		    echo
 		done
 	    else
-		$g_tool -t $table -L $g_ipt_options
+		$g_tool -t $table -L $g_ipt_options | $output_filter
 	    fi
 	    ;;
 	vardir)
@@ -948,18 +1007,18 @@ show_command() {
 		    case $1 in
 			actions)
 			    [ $# -gt 1 ] && usage 1
-			    echo "A_ACCEPT            # Audit and accept the connection"
-			    echo "A_DROP              # Audit and drop the connection"
-			    echo "A_REJECT            # Audit and reject the connection "
-			    echo "allowBcast          # Silently Allow Broadcast/multicast"
-			    echo "allowInvalid        # Accept packets that are in the INVALID conntrack state."
-			    echo "allowinUPnP         # Allow UPnP inbound (to firewall) traffic"
-			    echo "allowoutUPnP        # Allow traffic from local command 'upnpd' (does not work with kernels after 2.6.13)"
-			    echo "dropBcast           # Silently Drop Broadcast/multicast"
-			    echo "dropInvalid         # Silently Drop packets that are in the INVALID conntrack state"
-			    echo "dropNotSyn          # Silently Drop Non-syn TCP packets"
-			    echo "forwardUPnP         # Allow traffic that upnpd has redirected from"
-			    echo "rejNotSyn           # Silently Reject Non-syn TCP packets"
+			    echo "A_ACCEPT                        # Audit and accept the connection"
+			    echo "A_DROP                          # Audit and drop the connection"
+			    echo "A_REJECT                        # Audit and reject the connection "
+			    echo "allowBcast                      # Silently Allow Broadcast/multicast"
+			    echo "allowInvalid                    # Accept packets that are in the INVALID conntrack state."
+			    echo "allowinUPnP                     # Allow UPnP inbound (to firewall) traffic"
+			    echo "allowoutUPnP                    # Allow traffic from local command 'upnpd' (does not work with kernels after 2.6.13)"
+			    echo "dropBcast                       # Silently Drop Broadcast/multicast"
+			    echo "dropInvalid                     # Silently Drop packets that are in the INVALID conntrack state"
+			    echo "dropNotSyn                      # Silently Drop Non-syn TCP packets"
+			    echo "forwardUPnP                     # Allow traffic that upnpd has redirected from"
+			    echo "rejNotSyn                       # Silently Reject Non-syn TCP packets"

 			    if [ -f ${g_confdir}/actions ]; then
 				cat ${g_sharedir}/actions.std ${g_confdir}/actions | grep -Ev '^\#|^$'
@@ -1027,14 +1086,14 @@ show_command() {
 		echo
 		show_reset
 		for chain in $*; do
-		    $g_tool -t $table -L $chain $g_ipt_options
+		    $g_tool -t $table -L $chain $g_ipt_options | $output_filter
 		    echo
 		done
 	    else
 		echo "$g_product $SHOREWALL_VERSION $table Table at $g_hostname - $(date)"
 		echo
 		show_reset
-		$g_tool -t $table -L $g_ipt_options
+		$g_tool -t $table -L $g_ipt_options | $output_filter
 	    fi
 	    ;;
    esac
@@ -1147,7 +1206,7 @@ do_dump_command() {
 	elif [ -r $LOGFILE ]; then
 	    g_logread="tac $LOGFILE"
 	else
-	    echo "LOGFILE ($LOGFILE) does not exist!" >&2
+	    echo "LOGFILE ($LOGFILE) does not exist! - See http://www.shorewall.net/shorewall_logging.html" >&2
 	    exit 2
 	fi
    fi
@@ -1590,60 +1649,83 @@ add_command() {
 	exit 2
    fi

-    case "$IPSET" in
-	*/*)
+    determine_ipset_version
+
+    case $1 in
+	*:*)
+	    while [ $# -gt 1 ]; do
+		if [ $g_family -eq 4 ]; then
+		    interface=${1%%:*}
+		    host=${1#*:}
+		else
+		    interface=${1%%|*}
+		    host=${1#*|}
+		fi
+
+		[ "$host" = "$1" ] && host=
+
+		if [ -z "$host" ]; then
+		    if [ $g_family -eq 4 ]; then
+			hostlist="$hostlist $interface:0.0.0.0/0"
+		    else
+			hostlist="$hostlist $interface:::/0"
+		    fi
+		else
+		    for h in $(separate_list $host); do
+			hostlist="$hostlist $interface:$h"
+		    done
+		fi
+
+		shift
+	    done
 	    ;;
 	*)
-	    [ -n "$(mywhich $IPSET)" ] || fatal_error "The $IPSET utility cannot be located"
+	    ipset=$1
+	    shift
+	    while [ $# -gt 0 ]; do
+		for h in $(separate_list $1); do
+		    hostlist="$hostlist $h"
+		done
+		shift
+	    done
 	    ;;
    esac
-    #
-    # Normalize host list
-    #
-    while [ $# -gt 1 ]; do
-	interface=${1%%:*}
-	host=${1#*:}
-	[ "$host" = "$1" ] && host=
-
-	if [ -z "$host" ]; then
-	    if [ $g_family -eq 4 ]; then
-	        hostlist="$hostlist $interface:0.0.0.0/0"
-	    else
-		hostlist="$hostlist $interface:::/0"
-	    fi
-	else
-	    for h in $(separate_list $host); do
-		hostlist="$hostlist $interface:$h"
-	    done
-	fi
-
-	shift
-    done

    zone=$1

-    for host in $hostlist; do
-	if [ $g_family -eq 4 ]; then
-	    interface=${host%:*}
-	    ipset=${zone}_${interface};
-	else
-	    interface=${host%%:*}
-	    ipset=6_${zone}_${interface};
-	fi
+    if [ -n "$zone" ]; then
+	for host in $hostlist; do
+	    if [ $g_family -eq 4 ]; then
+		interface=${host%:*}
+		ipset=${zone}_${interface};
+	    else
+		interface=${host%%:*}
+		ipset=6_${zone}_${interface};
+	    fi

-	if ! qt $IPSET -L $ipset -n; then
-	    fatal_error "Zone $zone, interface $interface is does not have a dynamic host list"
-	fi
+	    if ! qt $IPSET -L $ipset; then
+		fatal_error "Zone $zone, interface $interface does not have a dynamic host list"
+	    fi

-	host=${host#*:}
+	    host=${host#*:}

-	if $IPSET -A $ipset $host; then
-	    echo "Host $interface:$host added to zone $zone"
-	else
-	    fatal_error "Unable to add $interface:$host to zone $zone"
-	fi
-    done
+	    if $IPSET -A $ipset $host; then
+		echo "Host $interface:$host added to zone $zone"
+	    else
+		fatal_error "Unable to add $interface:$host to zone $zone"
+	    fi
+	done
+    else
+	qt $IPSET -L $ipset || fatal_error "Zone $ipset is not dynamic"

+	for host in $hostlist; do
+	    if $IPSET -A $ipset $host; then
+		echo "Host $host added to zone $ipset"
+	    else
+		fatal_error "Unable to add $host to zone $ipset"
+	    fi
+	done
+    fi
 }

 #
@@ -1656,61 +1738,83 @@ delete_command() {
 	exit 2;
    fi

-    case "$IPSET" in
-	*/*)
+    determine_ipset_version
+
+    case $1 in
+	*:*)
+	    while [ $# -gt 1 ]; do
+		if [ $g_family -eq 4 ]; then
+		    interface=${1%%:*}
+		    host=${1#*:}
+		else
+		    interface=${1%%|*}
+		    host=${1#*|}
+		fi
+
+		[ "$host" = "$1" ] && host=
+
+		if [ -z "$host" ]; then
+		    if [ $g_family -eq 4 ]; then
+			hostlist="$hostlist $interface:0.0.0.0/0"
+		    else
+			hostlist="$hostlist $interface:::/0"
+		    fi
+		else
+		    for h in $(separate_list $host); do
+			hostlist="$hostlist $interface:$h"
+		    done
+		fi
+
+		shift
+	    done
 	    ;;
 	*)
-	    [ -n "$(mywhich $IPSET)" ] || fatal_error "The $IPSET utility cannot be located"
+	    ipset=$1
+	    shift
+	    while [ $# -gt 0 ]; do
+		for h in $(separate_list $1); do
+		    hostlist="$hostlist $h"
+		done
+		shift
+	    done
 	    ;;
    esac

-    #
-    # Normalize host list
-    #
-    while [ $# -gt 1 ]; do
-	interface=${1%%:*}
-	host=${1#*:}
-	[ "$host" = "$1" ] && host=
-
-	if [ -z "$host" ]; then
-	    if [ $g_family -eq 4 ]; then
-		hostlist="$hostlist $interface:0.0.0.0/0"
-	    else
-		hostlist="$hostlist $interface:::/0"
-	    fi
-	else
-	    for h in $(separate_list $host); do
-		hostlist="$hostlist $interface:$h"
-	    done
-	fi
-
-	shift
-    done
-
    zone=$1

-    for hostent in $hostlist; do
-	if [ $g_family -eq 4 ]; then
-	    interface=${hostent%:*}
-	    ipset=${zone}_${interface};
-	else
-	    interface=${hostent%%:*}
-	    ipset=6_${zone}_${interface};
-	fi
+    if [ -n "$zone" ]; then
+	for host in $hostlist; do
+	    if [ $g_family -eq 4 ]; then
+		interface=${host%:*}
+		ipset=${zone}_${interface};
+	    else
+		interface=${host%%:*}
+		ipset=6_${zone}_${interface};
+	    fi

-	if ! qt $IPSET -L $ipset -n; then
-	    fatal_error "Zone $zone, interface $interface is does not have a dynamic host list"
-	fi
+	    if ! qt $IPSET -L $ipset -n; then
+		fatal_error "Zone $zone, interface $interface does not have a dynamic host list"
+	    fi

-	host=${hostent#*:}
+	    host=${host#*:}

-	if $IPSET -D $ipset $host; then
-	    echo "Host $hostent deleted from zone $zone"
-	else
-	    echo "   WARNING: Unable to delete host $hostent to zone $zone" >&2
-	fi
-    done
+	    if $IPSET -D $ipset $host; then
+		echo "Host $host deleted from zone $zone"
+	    else
+		echo "   WARNING: Unable to delete host $hostent to zone $zone" >&2
+	    fi
+	done
+    else
+	qt $IPSET -L $ipset -n || fatal_error "Zone $ipset is not dynamic"

+	for host in $hostlist; do
+	    if $IPSET -D $ipset $host; then
+		echo "Host $host deleted from to zone $ipset"
+	    else
+		echo "   WARNING: Unable to delete host $host from zone $zone" >&2
+	    fi
+	done
+    fi
 }

 #
@@ -2020,6 +2124,7 @@ determine_capabilities() {
    GEOIP_MATCH=
    RPFILTER_MATCH=
    NFACCT_MATCH=
+    CHECKSUM_TARGET=
    AMANDA_HELPER=
    FTP_HELPER=
    FTP0_HELPER=
@@ -2181,6 +2286,7 @@ determine_capabilities() {
 	qt $g_tool -t mangle -A $chain -m dscp --dscp 0 && DSCP_MATCH=Yes
 	qt $g_tool -t mangle -A $chain -j DSCP --set-dscp 0 && DSCP_TARGET=Yes
 	qt $g_tool -t mangle -A $chain -m rpfilter && RPFILTER_MATCH=Yes
+	qt $g_tool -t mangle -A $chain -j CHECKSUM --checksum-fill && CHECKSUM_TARGET=Yes

 	qt $g_tool -t mangle -F $chain
 	qt $g_tool -t mangle -X $chain
@@ -2309,7 +2415,9 @@ determine_capabilities() {
    fi

    qt $g_tool -A $chain -j AUDIT --type drop && AUDIT_TARGET=Yes
+
    qt $g_tool -A $chain -m condition --condition foo && CONDITION_MATCH=Yes
+
    qt $g_tool -S INPUT && IPTABLES_S=Yes
    qt $g_tool -F $chain
    qt $g_tool -X $chain
@@ -2417,6 +2525,8 @@ report_capabilities() {
 	report_capability "Geo IP match" $GEOIP_MATCH
 	report_capability "RPFilter match" $RPFILTER_MATCH
 	report_capability "NFAcct match" $NFACCT_MATCH
+	report_capability "Checksum Target" $CHECKSUM_TARGET
+
 	report_capability "Amanda Helper" $AMANDA_HELPER
 	report_capability "FTP Helper" $FTP_HELPER
 	report_capability "FTP-0 Helper" $FTP0_HELPER
@@ -2528,6 +2638,8 @@ report_capabilities1() {
    report_capability1 GEOIP_MATCH
    report_capability1 RPFILTER_MATCH
    report_capability1 NFACCT_MATCH
+    report_capability1 CHECKSUM_TARGET
+
    report_capability1 AMANDA_HELPER
    report_capability1 FTP_HELPER
    report_capability1 FTP0_HELPER
@@ -2868,7 +2980,27 @@ get_config() {
 	exit 2
    fi

-    IPSET=ipset
+    if [ -n "$IPSET" ]; then
+	case "$IPSET" in
+	    */*)
+		if [ ! -x "$IPSET" ] ; then
+		    echo "   ERROR: The program specified in IPSET ($IPSET) does not exist or is not executable" >&2
+		    exit 2
+		fi
+		;;
+	    *)
+		prog="$(mywhich $IPSET 2> /dev/null)"
+		if [ -z "$prog" ] ; then
+		    echo "   ERROR: Can't find $IPSET executable" >&2
+		    exit 2
+		fi
+		IPSET=$prog
+		;;
+	esac
+    else
+	IPSET=''
+    fi
+
    TC=tc

 }
@@ -3072,7 +3204,7 @@ usage() # $1 = exit status
    echo "   restart [ -n ] [ -p ] [ -f ] [ <directory> ]"
    echo "   restore [ -n ] [ <file name> ]"
    echo "   save [ <file name> ]"
-    echo "   show [ -x ] [ -t {filter|mangle|nat} ] [ {chain [<chain> [ <chain> ... ]"
+    echo "   show [ -b ] [ -x ] [ -t {filter|mangle|nat} ] [ {chain [<chain> [ <chain> ... ]"
    echo "   show [ -f ] capabilities"
    echo "   show classifiers"
    echo "   show config"
--- a/Shorewall-core/lib.common
+++ b/Shorewall-core/lib.common
@@ -84,7 +84,7 @@ get_script_version() { # $1 = script

    temp=$( $SHOREWALL_SHELL $1 version | tail -n 1 | sed 's/-.*//' )

-    if [ $? -ne 0 ]; then
+    if [ -z "$temp" ]; then
 	version=0
    else
 	ifs=$IFS
--- a/Shorewall-core/shorewallrc.default
+++ b/Shorewall-core/shorewallrc.default
@@ -10,7 +10,7 @@ PERLLIBDIR=${PREFIX}/share/shorewall    #Directory to install Shorewall Perl mod
 CONFDIR=/etc                            #Directory where subsystem configurations are installed
 SBINDIR=/sbin                           #Directory where system administration programs are installed
 MANDIR=${PREFIX}/man                    #Directory where manpages are installed.
-INITDIR=etc/init.d                      #Directory where SysV init scripts are installed.
+INITDIR=/etc/init.d                     #Directory where SysV init scripts are installed.
 INITFILE=$PRODUCT                       #Name of the product's installed SysV init script
 INITSOURCE=init.sh                      #Name of the distributed file to be installed as the SysV init script
 ANNOTATED=                              #If non-zero, annotated configuration files are installed
--- a/Shorewall-init/install.sh
+++ b/Shorewall-init/install.sh
@@ -292,6 +292,7 @@ fi
 if [ -n "$SYSTEMD" ]; then
    mkdir -p ${DESTDIR}${SYSTEMD}
    run_install $OWNERSHIP -m 600 shorewall-init.service ${DESTDIR}${SYSTEMD}/shorewall-init.service
+    [ ${SBINDIR} != /sbin ] && eval sed -i \'s\|/sbin/\|${SBINDIR}/\|\' ${DESTDIR}${SYSTEMD}/shorewall-init.service
    echo "Service file installed as ${DESTDIR}${SYSTEMD}/shorewall-init.service"
    if [ -n "$DESTDIR" ]; then
 	mkdir -p ${DESTDIR}${SBINDIR}
--- a/Shorewall-lite/install.sh
+++ b/Shorewall-lite/install.sh
@@ -189,7 +189,6 @@ PATH=${SBINDIR}:/bin:/usr${SBINDIR}:/usr/bin:/usr/local/bin:/usr/local${SBINDIR}
 #
 cygwin=
 INSTALLD='-D'
-INITFILE=$PRODUCT
 T='-T'

 if [ -z "$BUILD" ]; then
@@ -281,21 +280,11 @@ if [ -n "$DESTDIR" ]; then

    install -d $OWNERSHIP -m 755 ${DESTDIR}/${SBINDIR}
    install -d $OWNERSHIP -m 755 ${DESTDIR}${INITDIR}
-
-    if [ -n "$SYSTEMD" ]; then
-	mkdir -p ${DESTDIR}/lib/systemd/system
-	INITFILE=
-    fi
 else
    if [ ! -f /usr/share/shorewall/coreversion ]; then
 	echo "$PRODUCT $VERSION requires Shorewall Core which does not appear to be installed" >&2
 	exit 1
    fi
-
-    if [ -f /lib/systemd/system ]; then
-	SYSTEMD=Yes
-	INITFILE=
-    fi
 fi

 echo "Installing $Product Version $VERSION"
@@ -364,7 +353,9 @@ fi
 # Install the .service file
 #
 if [ -n "$SYSTEMD" ]; then
+    mkdir -p ${DESTDIR}${SYSTEMD}
    run_install $OWNERSHIP -m 600 $PRODUCT.service ${DESTDIR}/${SYSTEMD}/$PRODUCT.service
+    [ ${SBINDIR} != /sbin ] && eval sed -i \'s\|/sbin/\|${SBINDIR}/\|\' ${DESTDIR}${SYSTEMD}/$PRODUCT.service
    echo "Service file installed as ${DESTDIR}/lib/systemd/system/$PRODUCT.service"
 fi

--- a/Shorewall-lite/manpages/shorewall-lite.xml
+++ b/Shorewall-lite/manpages/shorewall-lite.xml
@@ -337,6 +337,8 @@

      <arg choice="plain"><option>show</option></arg>

+      <arg><option>-b</option></arg>
+
      <arg><option>-x</option></arg>

      <arg><option>-l</option></arg>
@@ -841,6 +843,12 @@
                Netfilter table to display. The default is <emphasis
                role="bold">filter</emphasis>.</para>

+                <para>The <emphasis role="bold">-b</emphasis> ('brief') option
+                causes rules which have not been used (i.e. which have zero
+                packet and byte counts) to be omitted from the output. Chains
+                with no rules displayed are also omitted from the
+                output.</para>
+
                <para>The <emphasis role="bold">-l</emphasis> option causes
                the rule number for each Netfilter rule to be
                displayed.</para>
--- a/Shorewall-lite/shorecap
+++ b/Shorewall-lite/shorecap
@@ -53,10 +53,7 @@ g_program=shorewall-lite
 #
 . /usr/share/shorewall/shorewallrc

-g_libexec="$LIBEXECDIR"
 g_sharedir="$SHAREDIR"/shorewall-lite
-g_sbindir="$SBINDIR"
-g_vardir="$VARDIR"
 g_confdir="$CONFDIR"/shorewall-lite
 g_readrc=1

--- a/Shorewall-lite/shorewall-lite
+++ b/Shorewall-lite/shorewall-lite
@@ -33,9 +33,7 @@ PRODUCT=shorewall-lite
 . /usr/share/shorewall/shorewallrc

 g_program=$PRODUCT
-g_libexec="$LIBEXECDIR"
 g_sharedir="$SHAREDIR"/shorewall-lite
-g_sbindir="$SBINDIR"
 g_confdir="$CONFDIR"/shorewall-lite
 g_readrc=1

--- a/Shorewall-lite/shorewall-lite.service
+++ b/Shorewall-lite/shorewall-lite.service
@@ -13,8 +13,8 @@ Type=oneshot
 RemainAfterExit=yes
 EnvironmentFile=-/etc/sysconfig/shorewall-lite
 StandardOutput=syslog
-ExecStart=/sbin/shorewall-lite $OPTIONS start
-ExecStop=/sbin/shorewall-lite $OPTIONS stop
+ExecStart=/usr/sbin/shorewall-lite $OPTIONS start
+ExecStop=/usr/sbin/shorewall-lite $OPTIONS stop

 [Install]
 WantedBy=multi-user.target
--- a/Shorewall/Macros/macro.PPtP
+++ b/Shorewall/Macros/macro.PPtP
@@ -6,7 +6,7 @@
 #	This macro handles PPTP traffic.
 #
 ###############################################################################
-?FORMAT 2
+FORMAT 2
 #ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
 #				PORT(S)	PORT(S)	LIMIT	GROUP
 PARAM	-	-	47
--- a/Shorewall/Macros/macro.Puppet
+++ b/Shorewall/Macros/macro.Puppet
@@ -0,0 +1,12 @@
+#
+# Shorewall version 4 - Puppet Macro
+#
+# /usr/share/shorewall/macro.Puppet
+#
+#	This macro handles client-to-server for the Puppet configuration
+#	management system.
+#
+###############################################################################
+#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
+#				PORT(S)	PORT(S)	LIMIT	GROUP
+PARAM	-	-	tcp	8140
--- a/Shorewall/Macros/macro.Teredo
+++ b/Shorewall/Macros/macro.Teredo
@@ -0,0 +1,11 @@
+#
+# Shorewall version 4 - Teredo Macro
+#
+# /usr/share/shorewall/macro.Teredo
+#
+#	This macro handles Teredo IPv6 over UDP tunneling traffic
+#
+###############################################################################
+#ACTION	SOURCE	DEST	PROTO	DEST	SOURCE	RATE	USER/
+#				PORT(S)	PORT(S)	LIMIT	GROUP
+PARAM	-	-	udp	3544
--- a/Shorewall/Macros/macro.template
+++ b/Shorewall/Macros/macro.template
@@ -71,9 +71,17 @@
 #	Remaining		Any value in the rules file REPLACES the value
 #	columns			given in the macro file.
 #
+# Multiple parameters may be passed to a macro. Within this file, $1 refers to the first parameter,
+# $2 to the second an so on. $1 is a synonym for PARAM but may be used anywhere in the file whereas
+# PARAM may only be used in the ACTION column.
+#
+# You can specify default values for parameters by using DEFAULT or DEFAULTS entry:
+#
+#      DEFAULTS  <default for $1>,<default for $2>,...
+#
 #######################################################################################################
 #                                         DO NOT REMOVE THE FOLLOWING LINE
 FORMAT 2
-####################################################################################################################################################################
-#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME         HEADERS
+#################################################################################################################################################################################################
+#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME         HEADERS         SWITCH        HELPER
 #							PORT	PORT(S)		DEST		LIMIT		GROUP
--- a/Shorewall/Perl/Shorewall/Chains.pm
+++ b/Shorewall/Perl/Shorewall/Chains.pm
@@ -85,7 +85,7 @@ our @EXPORT = ( qw(
 		    $nat_table
 		    $mangle_table
 		    $filter_table
-		),
+		)
 	      );

 our %EXPORT_TAGS = (
@@ -98,11 +98,13 @@ our %EXPORT_TAGS = (
 				       ACTION
 				       MACRO
 				       LOGRULE
+				       NFLOG
 				       NFQ
 				       CHAIN
 				       SET
 				       AUDIT
 				       HELPER
+				       INLINE
 				       NO_RESTRICT
 				       PREROUTE_RESTRICT
 				       DESTIFACE_DISALLOW
@@ -117,6 +119,7 @@ our %EXPORT_TAGS = (
 				       OPTIMIZE_RULESET_MASK
 				       OPTIMIZE_MASK

+				       state_match
 				       state_imatch
 				       initialize_chain_table
 				       copy_rules
@@ -226,7 +229,7 @@ our %EXPORT_TAGS = (
 				       handle_network_list
 				       expand_rule
 				       addnatjump
-				       mysplit
+				       split_host_list
 				       set_chain_variables
 				       mark_firewall_not_started
 				       mark_firewall6_not_started
@@ -245,10 +248,11 @@ our %EXPORT_TAGS = (
 				       preview_netfilter_load
 				       create_chainlist_reload
 				       create_stop_load
+				       initialize_switches
 				       %targets
 				       %dscpmap
 				       %nfobjects
-				     ), ],
+				     ) ],
 		   );

 Exporter::export_ok_tags('internal');
@@ -356,6 +360,8 @@ use constant { STANDARD => 1,              #defined by Netfilter
 	       SET      => 2048,           #SET
 	       AUDIT    => 4096,           #A_ACCEPT, etc
 	       HELPER   => 8192,           #CT:helper
+	       NFLOG    => 16384,          #NFLOG or ULOG
+	       INLINE   => 32768,          #Inline action
 	   };
 #
 # Valid Targets -- value is a combination of one or more of the above
@@ -598,6 +604,8 @@ my %isocodes;

 use constant { ISODIR => '/usr/share/xt_geoip/LE' };

+my %switches;
+
 #
 # Rather than initializing globals in an INIT block or during declaration,
 # we initialize them in a function. This is done for two reasons:
@@ -658,6 +666,7 @@ sub initialize( $$$ ) {

    %isocodes  = ();
    %nfobjects = ();
+    %switches  = ();

    #
    # The chain table is initialized via a call to initialize_chain_table() after the configuration and capabilities have been determined.
@@ -716,7 +725,7 @@ sub set_comment( $ ) {
 sub macro_comment( $ ) {
    my $macro = $_[0];

-    $comment = $macro unless $comment || ! ( have_capability( 'COMMENTS' ) && $config{AUTO_COMMENT} );
+    $comment = $macro unless $comment || ! ( have_capability( 'COMMENTS' ) && $config{AUTOCOMMENT} );
 }

 #
@@ -2440,11 +2449,16 @@ sub require_audit($$;$) {
 sub get_action_logging() {
    my $chainref = get_action_chain;
    my $wholeaction = $chainref->{action};
-    my ( undef, $level, $tag, undef ) = split ':', $wholeaction;

-    $level = '' if $level =~ /^none/;
+    if ( $wholeaction ) {
+	my ( undef, $level, $tag, undef ) = split ':', $wholeaction;

-    ( $level, $tag );
+	$level = '' if $level =~ /^none/;
+
+	( $level, $tag );
+    } else {
+	( '' , '' );
+    }
 }

 #
@@ -2464,6 +2478,7 @@ sub initialize_chain_table($) {
 		    'A_ACCEPT'        => STANDARD  + AUDIT,
 		    'A_ACCEPT+'       => STANDARD  + NONAT + AUDIT,
 		    'NONAT'           => STANDARD  + NONAT + NATONLY,
+		    'AUDIT'           => STANDARD  + AUDIT,
 		    'DROP'            => STANDARD,
 		    'DROP!'           => STANDARD,
 		    'A_DROP'          => STANDARD + AUDIT,
@@ -2482,8 +2497,10 @@ sub initialize_chain_table($) {
 		    'COUNT'           => STANDARD,
 		    'QUEUE'           => STANDARD,
 		    'QUEUE!'          => STANDARD,
+		    'NFLOG'           => STANDARD + LOGRULE + NFLOG,
 		    'NFQUEUE'         => STANDARD + NFQ,
 		    'NFQUEUE!'        => STANDARD + NFQ,
+		    'ULOG'            => STANDARD + LOGRULE + NFLOG,
 		    'ADD'             => STANDARD + SET,
 		    'DEL'             => STANDARD + SET,
 		    'WHITELIST'       => STANDARD,
@@ -2491,7 +2508,7 @@ sub initialize_chain_table($) {
 		   );

 	for my $chain ( qw(OUTPUT PREROUTING) ) {
-	    new_builtin_chain 'raw', $chain, 'ACCEPT';
+	    new_builtin_chain( 'raw', $chain, 'ACCEPT' )->{insert} = 0;
 	}

 	new_builtin_chain 'rawpost', 'POSTROUTING', 'ACCEPT';
@@ -2519,25 +2536,35 @@ sub initialize_chain_table($) {
 	#
 	%targets = ('ACCEPT'          => STANDARD,
 		    'ACCEPT!'         => STANDARD,
+		    'AUDIT'           => STANDARD  + AUDIT,
+		    'A_ACCEPT'        => STANDARD  + AUDIT,
 		    'DROP'            => STANDARD,
 		    'DROP!'           => STANDARD,
+		    'A_DROP'          => STANDARD + AUDIT,
+		    'A_DROP!'         => STANDARD + AUDIT,
 		    'REJECT'          => STANDARD,
 		    'REJECT!'         => STANDARD,
+		    'A_REJECT'        => STANDARD + AUDIT,
+		    'A_REJECT!'       => STANDARD + AUDIT,
 		    'LOG'             => STANDARD + LOGRULE,
 		    'CONTINUE'        => STANDARD,
 		    'CONTINUE!'       => STANDARD,
 		    'COUNT'           => STANDARD,
 		    'QUEUE'           => STANDARD,
 		    'QUEUE!'          => STANDARD,
+		    'NFLOG'           => STANDARD + LOGRULE + NFLOG,
 		    'NFQUEUE'         => STANDARD + NFQ,
 		    'NFQUEUE!'        => STANDARD + NFQ,
+		    'ULOG'            => STANDARD + LOGRULE + NFLOG,
 		    'ADD'             => STANDARD + SET,
 		    'DEL'             => STANDARD + SET,
+		    'WHITELIST'       => STANDARD,
 		    'HELPER'          => STANDARD + HELPER + NATONLY, #Actually RAWONLY
 		   );

 	for my $chain ( qw(OUTPUT PREROUTING) ) {
-	    new_builtin_chain 'raw', $chain, 'ACCEPT';
+	    new_builtin_chain( 'raw', $chain, 'ACCEPT' )->{insert} = 0;
+	    
 	}

 	new_builtin_chain 'rawpost', 'POSTROUTING', 'ACCEPT';
@@ -3058,6 +3085,8 @@ sub optimize_level8( $$$ ) {

    progress_message "\n Table $table pass $passes, $chains referenced user chains, level 8...";

+    %renamed = ();
+
    for my $chainref ( @chains ) {
 	my $digest = '';

@@ -3341,6 +3370,18 @@ sub combine_dports {
    \@rules;
 }

+#
+# When suppressing duplicate rules, care must be taken to avoid suppressing non-adjacent duplicates 
+# using any of these matches, because an intervening rule could modify the result of the match
+# of the second duplicate
+#
+my %bad_match = ( conntrack => 1, 
+		  dscp      => 1,
+		  ecn       => 1,
+		  mark      => 1,
+		  set       => 1,
+		  tos       => 1,
+		  u32       => 1 );
 #
 # Delete duplicate rules from the passed chain.
 #
@@ -3353,43 +3394,72 @@ sub delete_duplicates {
    my $lastrule  = @_;
    my $baseref   = pop;
    my $ruleref;
-    my $duplicate = 0;

-    while ( @_ && ! $duplicate ) {
-	{
+    while ( @_ ) {
+	my $docheck;
+	my $duplicate = 0;
+
+	if ( $baseref->{mode} == CAT_MODE ) {
 	    my $ports1;
-	    my @keys1     = sort( keys( %$baseref ) );
-	    my $rulenum   = @_;
-	    my $duplicate = 0;
+	    my @keys1    = sort( keys( %$baseref ) );
+	    my $rulenum  = @_;
+	    my $adjacent = 1;
+		
+	    {
+	      RULE:

-	  RULE:
+		while ( --$rulenum >= 0 ) {
+		    $ruleref = $_[$rulenum];

-	    while ( --$rulenum >= 0 ) {
-		$ruleref = $_[$rulenum];
+		    last unless $ruleref->{mode} == CAT_MODE;

-		my @keys2 = sort(keys( %$ruleref ) );
+		    my @keys2 = sort(keys( %$ruleref ) );

-		next unless @keys1 == @keys2 ;
+		    next unless @keys1 == @keys2 ;

-		my $keynum = 0;
+		    my $keynum = 0;

-		for my $key ( @keys1 ) {
-		    next RULE unless $key eq $keys2[$keynum++];
-		    next RULE unless compare_values( $baseref->{$key}, $ruleref->{$key} );
+		    if ( $adjacent > 0 ) {
+			#
+			# There are no non-duplicate rules between this rule and the base rule
+			#
+			for my $key ( @keys1 ) {
+			    next RULE unless $key eq $keys2[$keynum++];
+			    next RULE unless compare_values( $baseref->{$key}, $ruleref->{$key} );
+			}
+		    } else {
+			#
+			# There are non-duplicate rules between this rule and the base rule
+			#
+			for my $key ( @keys1 ) {
+			    next RULE unless $key eq $keys2[$keynum++];
+			    next RULE unless compare_values( $baseref->{$key}, $ruleref->{$key} );
+			    last RULE if $bad_match{$key};
+			}
+		    }
+		    #
+		    # This rule is a duplicate
+		    #
+		    $duplicate = 1;
+		    #
+		    # Increment $adjacent so that the continue block won't set it to zero
+		    #
+		    $adjacent++;
+
+		} continue {
+		    $adjacent--;
 		}
-
-		$duplicate = 1;
 	    }
-
-	    if ( $duplicate ) {
-		trace( $chainref, 'D', $lastrule, $baseref ) if $debug;
-	    } else {
-		unshift @rules, $baseref;
-	    }
-
-	    $baseref = pop @_;
-	    $lastrule--;
 	}
+
+	if ( $duplicate ) {
+	    trace( $chainref, 'D', $lastrule, $baseref ) if $debug;
+	} else {
+	    unshift @rules, $baseref;
+	}
+
+	$baseref = pop @_;
+	$lastrule--;
    }

    unshift @rules, $baseref if $baseref;
@@ -3405,18 +3475,12 @@ sub optimize_level16( $$$ ) {

    progress_message "\n Table $table pass $passes, $chains referenced user chains, level 16...";

-    if ( $table eq 'raw' ) {
-	#
-	# Helpers in rules have the potential for generating lots of duplicate iptables rules
-	# in the raw table. This step eliminates those duplicates
-	#
-	for my $chainref ( @chains ) {
-	    $chainref->{rules} = delete_duplicates( $chainref, @{$chainref->{rules}} );
-	}
-
-	$passes++;
+    for my $chainref ( @chains ) {
+	$chainref->{rules} = delete_duplicates( $chainref, @{$chainref->{rules}} );
    }

+    $passes++;
+    
    for my $chainref ( @chains ) {
 	$chainref->{rules} = combine_dports( $chainref, @{$chainref->{rules}} );
    }
@@ -3434,7 +3498,7 @@ sub valid_tables() {
    push @table_list, 'rawpost' if have_capability( 'RAWPOST_TABLE' );
    push @table_list, 'nat'     if have_capability( 'NAT_ENABLED' );
    push @table_list, 'mangle'  if have_capability( 'MANGLE_ENABLED' ) && $config{MANGLE_ENABLED};
-    push @table_list, 'filter';
+    push @table_list, 'filter'; #MUST BE LAST!!!

    @table_list;
 }
@@ -3630,7 +3694,7 @@ sub source_iexclusion( $$$$$;@ ) {

    if ( $source =~ /^([^!]+)!([^!]+)$/ ) {
 	$source = $1;
-	@exclusion = mysplit( $2 );
+	@exclusion = split_host_list( $2 );

 	my $chainref1 = dont_move new_chain( $table , newexclusionchain( $table ) );

@@ -3681,7 +3745,7 @@ sub dest_iexclusion( $$$$$;@ ) {

    if ( $dest =~ /^([^!]+)!([^!]+)$/ ) {
 	$dest = $1;
-	@exclusion = mysplit( $2 );
+	@exclusion = split_host_list( $2 );

 	my $chainref1 = dont_move new_chain( $table , newexclusionchain( $table ) );

@@ -3715,6 +3779,16 @@ sub port_count( $ ) {
 #
 # Generate a state match
 #
+sub state_match( $ ) {
+    my $state = shift;
+
+    if ( $state eq 'ALL' ) {
+	''
+    } else {
+	have_capability 'CONNTRACK_MATCH' ? ( "-m conntrack --ctstate $state " ) : ( "-m state --state $state " );
+    }
+}
+
 sub state_imatch( $ ) {
    my $state = shift;

@@ -4596,17 +4670,37 @@ sub do_probability( $ ) {
 #
 # Generate a -m condition match
 #
-sub do_condition( $ ) {
-    my $condition = shift;
+sub do_condition( $$ ) {
+    my ( $condition, $chain ) = @_;

    return '' if $condition eq '-';

    my $invert = $condition =~ s/^!// ? '! ' : '';

+    my $initialize;
+
+    $initialize = $1 if $condition =~ s/(?:=([01]))?$//;
+
    require_capability 'CONDITION_MATCH', 'A non-empty SWITCH column', 's';
+
+    $chain =~ s/[^\w-]//g;
+    #                          $1    $2      -     $3
+    while ( $condition =~ m( ^(.*?) @({)?0(?(2)}) (.*)$ )x ) {
+	$condition = join( '', $1, $chain, $3 );
+    }
+
    fatal_error "Invalid switch name ($condition)" unless $condition =~ /^[a-zA-Z][-\w]*$/ && length $condition <= 30;

+    if ( defined $initialize ) {
+	if ( my $switchref = $switches{$condition} ) {
+	    fatal_error "Switch $condition was previously initialized to $switchref->{setting} at $switchref->{where}" unless $switchref->{setting} == $initialize;
+	} else {
+	    $switches{$condition} = { setting => $initialize, where => currentlineinfo };
+	}
+    }
+
    "-m condition ${invert}--condition $condition "
+	
 }

 #
@@ -4779,7 +4873,7 @@ sub get_set_flags( $$ ) {
 	}
    }

-    fatal_error "Invalid ipset name ($setname)" unless $setname =~ /^(6_)?[a-zA-Z]\w*/;
+    fatal_error "Invalid ipset name ($setname)" unless $setname =~ /^(6_)?[a-zA-Z][-\w]*/;

    have_capability 'OLD_IPSET_MATCH' ? "--set $setname $options " : "--match-set $setname $options ";

@@ -4865,7 +4959,7 @@ sub load_isocodes() {
    $isocodes{substr(basename($_),0,2)} = 1 for @codes;
 }

-sub mysplit( $;$ );
+sub split_host_list( $;$ );

 #
 # Match a Source.
@@ -4895,12 +4989,12 @@ sub match_source_net( $;$\$ ) {

    if ( $net =~ /^\+\[(.+)\]$/ ) {
 	my $result = '';
-	my @sets = mysplit $1, 1;
+	my @sets = split_host_list $1, 1;

 	fatal_error "Multiple ipset matches require the Repeat Match capability in your kernel and iptables" unless $globals{KLUDGEFREE};

 	for $net ( @sets ) {
-	    fatal_error "Expected ipset name ($net)" unless $net =~ /^(!?)(\+?)[a-zA-Z][-\w]*(\[.*\])?/;
+	    fatal_error "Expected ipset name ($net)" unless $net =~ /^(!?)(\+?)(6_)?[a-zA-Z][-\w]*(\[.*\])?/;
 	    $result .= join( '', '-m set ', $1 ? '! ' : '', get_set_flags( $net, 'src' ) );
 	}

@@ -4930,7 +5024,7 @@ sub match_source_net( $;$\$ ) {
 	    return '! -s ' . record_runtime_address $1, $2;
 	}

-	validate_net $net, 1;
+	$net = validate_net $net, 1;
 	return "! -s $net ";
    }

@@ -4938,7 +5032,7 @@ sub match_source_net( $;$\$ ) {
 	return '-s ' . record_runtime_address $1, $2;
    }

-    validate_net $net, 1;
+    $net = validate_net $net, 1;
    $net eq ALLIP ? '' : "-s $net ";
 }

@@ -4968,12 +5062,12 @@ sub imatch_source_net( $;$\$ ) {

    if ( $net =~ /^\+\[(.+)\]$/ ) {
 	my @result = ();
-	my @sets = mysplit $1, 1;
+	my @sets = split_host_list $1, 1;

 	fatal_error "Multiple ipset matches requires the Repeat Match capability in your kernel and iptables" unless $globals{KLUDGEFREE};

 	for $net ( @sets ) {
-	    fatal_error "Expected ipset name ($net)" unless $net =~ /^(!?)(\+?)[a-zA-Z][-\w]*(\[.*\])?/;
+	    fatal_error "Expected ipset name ($net)" unless $net =~ /^(!?)(\+?)(6_)?[a-zA-Z][-\w]*(\[.*\])?/;
 	    push @result , ( set => join( '', $1 ? '! ' : '', get_set_flags( $net, 'src' ) ) );
 	}

@@ -5003,7 +5097,7 @@ sub imatch_source_net( $;$\$ ) {
 	    return  ( s => '! ' . record_runtime_address( $1, $2, 1 ) );
 	}

-	validate_net $net, 1;
+	$net = validate_net $net, 1;
 	return ( s => "! $net " );
    }

@@ -5011,7 +5105,7 @@ sub imatch_source_net( $;$\$ ) {
 	return ( s =>  record_runtime_address( $1, $2, 1 ) );
    }

-    validate_net $net, 1;
+    $net = validate_net $net, 1;
    $net eq ALLIP ? () : ( s => $net );
 }

@@ -5037,12 +5131,12 @@ sub match_dest_net( $;$ ) {

    if ( $net =~ /^\+\[(.+)\]$/ ) {
 	my $result = '';
-	my @sets = mysplit $1, 1;
+	my @sets = split_host_list $1, 1;

 	fatal_error "Multiple ipset matches requires the Repeat Match capability in your kernel and iptables" unless $globals{KLUDGEFREE};

 	for $net ( @sets ) {
-	    fatal_error "Expected ipset name ($net)" unless $net =~ /^(!?)(\+?)[a-zA-Z][-\w]*(\[.*\])?/;
+	    fatal_error "Expected ipset name ($net)" unless $net =~ /^(!?)(\+?)(6_)?[a-zA-Z][-\w]*(\[.*\])?/;
 	    $result .= join( '', '-m set ', $1 ? '! ' : '', get_set_flags( $net, 'dst' ) );
 	}

@@ -5072,7 +5166,7 @@ sub match_dest_net( $;$ ) {
 	    return '! -d ' . record_runtime_address $1, $2;
 	}

-	validate_net $net, 1;
+	$net = validate_net $net, 1;
 	return "! -d $net ";
    }

@@ -5080,7 +5174,7 @@ sub match_dest_net( $;$ ) {
 	return '-d ' . record_runtime_address $1, $2;
    }

-    validate_net $net, 1;
+    $net = validate_net $net, 1;
    $net eq ALLIP ? '' : "-d $net ";
 }

@@ -5104,12 +5198,12 @@ sub imatch_dest_net( $;$ ) {

    if ( $net =~ /^\+\[(.+)\]$/ ) {
 	my @result;
-	my @sets = mysplit $1, 1;
+	my @sets = split_host_list $1, 1;

 	fatal_error "Multiple ipset matches requires the Repeat Match capability in your kernel and iptables" unless $globals{KLUDGEFREE};

 	for $net ( @sets ) {
-	    fatal_error "Expected ipset name ($net)" unless $net =~ /^(!?)(\+?)[a-zA-Z][-\w]*(\[.*\])?/;
+	    fatal_error "Expected ipset name ($net)" unless $net =~ /^(!?)(\+?)(6_)?[a-zA-Z][-\w]*(\[.*\])?/;
 	    push @result , ( set => join( '', $1 ? '! ' : '', get_set_flags( $net, 'dst' ) ) );
 	}

@@ -5139,7 +5233,7 @@ sub imatch_dest_net( $;$ ) {
 	    return ( d => '! ' . record_runtime_address( $1, $2, 1 ) );
 	}

-	validate_net $net, 1;
+	$net = validate_net $net, 1;
 	return ( d => "! $net " );
    }

@@ -5147,7 +5241,7 @@ sub imatch_dest_net( $;$ ) {
 	return ( d => record_runtime_address( $1, $2, 1 ) );
    }

-    validate_net $net, 1;
+    $net = validate_net $net, 1;
    $net eq ALLIP ? () : ( d =>  $net );
 }

@@ -5164,7 +5258,7 @@ sub match_orig_dest ( $ ) {
 	if ( $net =~ /^&(.+)/ ) {
 	    $net = record_runtime_address '&', $1;
 	} else {
-	    validate_net $net, 1;
+	    $net = validate_net $net, 1;
 	}

 	have_capability( 'OLD_CONNTRACK_MATCH' ) ? "-m conntrack --ctorigdst ! $net " : "-m conntrack ! --ctorigdst $net ";
@@ -5172,7 +5266,7 @@ sub match_orig_dest ( $ ) {
 	if ( $net =~ /^&(.+)/ ) {
 	    $net = record_runtime_address '&', $1;
 	} else {
-	    validate_net $net, 1;
+	    $net = validate_net $net, 1;
 	}

 	$net eq ALLIP ? '' : "-m conntrack --ctorigdst $net ";
@@ -5417,7 +5511,7 @@ sub addnatjump( $$;@ ) {
 # Split a comma-separated source or destination host list but keep [...] together. Used for spliting address lists
 # where an element of the list might be +ipset[flag,...] or +[ipset[flag,...],...]
 #
-sub mysplit( $;$ ) {
+sub split_host_list( $;$ ) {
    my ( $input, $loose ) = @_;

    my @input = split_list $input, 'host';
@@ -5858,7 +5952,7 @@ sub handle_network_list( $$ ) {
    my $nets = '';
    my $excl = '';

-    my @nets = mysplit $list;
+    my @nets = split_host_list $list;

    for ( @nets ) {
 	if ( /!/ ) {
@@ -5893,17 +5987,19 @@ sub isolate_source_interface( $ ) {
    my ( $iiface, $inets );

    if ( $family == F_IPV4 ) {
-	if ( $source =~ /^~/ ) {
-	    $inets = $source;
-	} elsif ( $source =~ /^(.+?):(.+)$/ ) {
+	if ( $source =~ /^(.+?):(.+)$/ ) {
 	    $iiface = $1;
 	    $inets  = $2;
-	} elsif ( $source =~ /\+|&|~|\..*\./ || $source =~ /^!?\^/ ) {
+	} elsif ( $source =~ /^!?(?:\+|&|~|\^|\d+\.)/ ) {
 	    $inets = $source;
 	} else {
 	    $iiface = $source;
 	}
-    } elsif  ( $source =~ /^(.+?):<(.+)>\s*$/ || $source =~ /^(.+?):\[(.+)\]\s*$/ || $source =~ /^(.+?):(!?\+.+)$/ ) {
+    } elsif  ( $source =~ /^(.+?):<(.+)>\s*$/   ||
+	       $source =~ /^(.+?):\[(.+)\]\s*$/ ||
+	       $source =~ /^(.+?):(!?\+.+)$/    ||
+	       $source =~ /^(.+?):(\[.+\]\/(?:\d+))\s*$/
+	     ) {
 	$iiface = $1;
 	$inets  = $2;
    } elsif ( $source =~ /:/ ) {
@@ -6003,12 +6099,16 @@ sub isolate_dest_interface( $$$$ ) {
 	if ( $dest =~ /^(.+?):(.+)$/ ) {
 	    $diface = $1;
 	    $dnets  = $2;
-	} elsif ( $dest =~ /\+|&|%|~|\..*\./ || $dest =~ /^!?\^/ ) {
+	} elsif ( $dest =~ /^!?(?:\+|&|%|~|\^|\d+\.)/ ) {
 	    $dnets = $dest;
 	} else {
 	    $diface = $dest;
 	}
-    } elsif ( $dest =~ /^(.+?):<(.+)>\s*$/ || $dest =~ /^(.+?):\[(.+)\]\s*$/ || $dest =~ /^(.+?):(!?\+.+)$/ ) {
+    } elsif ( $dest =~ /^(.+?):<(.+)>\s*$/   || 
+	      $dest =~ /^(.+?):\[(.+)\]\s*$/ ||
+	      $dest =~ /^(.+?):(!?\+.+)$/    ||
+	      $dest =~ /^(.+?):(\[.+\]\/(?:\d+))\s*$/
+	    ) {
 	$diface = $1;
 	$dnets  = $2;
    } elsif ( $dest =~ /:/ ) {
@@ -6052,7 +6152,7 @@ sub verify_dest_interface( $$$$ ) {
 	    if ( $chainref->{accounting} ) {
 		fatal_error "Destination Interface ($diface) not allowed in the $chainref->{name} chain";
 	    } else {
-		fatal_error "Destination Interface ($diface) not allowed in the mangle OUTPUT chain";
+		fatal_error "Destination Interface ($diface) not allowed in the $chainref->{table} OUTPUT chain";
 	    }
 	}

@@ -6122,7 +6222,7 @@ sub handle_original_dest( $$$ ) {
 	}

 	unless ( $onets ) {
-	    my @oexcl = mysplit $oexcl;
+	    my @oexcl = split_host_list $oexcl;
 	    if ( @oexcl == 1 ) {
 		$rule .= match_orig_dest( "!$oexcl" );
 		$oexcl = '';
@@ -6173,19 +6273,19 @@ sub handle_exclusion( $$$$$$$$$$$$$$$$$$ ) {
 	#
 	my $exclude = '-j MARK --or-mark ' . in_hex( $globals{EXCLUSION_MASK} );

-	for ( mysplit $iexcl ) {
+	for ( split_host_list $iexcl ) {
 	    my $cond = conditional_rule( $chainref, $_ );
 	    add_rule $chainref, ( match_source_net $_ , $restriction, $mac ) . $exclude;
 	    conditional_rule_end( $chainref ) if $cond;
 	}

-	for ( mysplit $dexcl ) {
+	for ( split_host_list $dexcl ) {
 	    my $cond = conditional_rule( $chainref, $_ );
 	    add_rule $chainref, ( match_dest_net $_, $restriction ) . $exclude;
 	    conditional_rule_end( $chainref ) if $cond;
 	}

-	for ( mysplit $oexcl ) {
+	for ( split_host_list $oexcl ) {
 	    my $cond = conditional_rule( $chainref, $_ );
 	    add_rule $chainref, ( match_orig_dest $_ ) . $exclude;
 	    conditional_rule_end( $chainref ) if $cond;
@@ -6206,19 +6306,19 @@ sub handle_exclusion( $$$$$$$$$$$$$$$$$$ ) {
 	#
 	# Use the current rule and send all possible matches to the exclusion chain
 	#
-	for my $onet ( mysplit $onets ) {
+	for my $onet ( split_host_list $onets ) {

 	    my $cond = conditional_rule( $chainref, $onet );

 	    $onet = match_orig_dest $onet;

-	    for my $inet ( mysplit $inets ) {
+	    for my $inet ( split_host_list $inets ) {

 		my $cond = conditional_rule( $chainref, $inet );

 		my $source_match = match_source_net( $inet, $restriction, $mac ) if $globals{KLUDGEFREE};

-		for my $dnet ( mysplit $dnets ) {
+		for my $dnet ( split_host_list $dnets ) {
 		    $source_match = match_source_net( $inet, $restriction, $mac ) unless $globals{KLUDGEFREE};
 		    add_expanded_jump( $chainref, $echainref, 0, join( '', $rule, $source_match, match_dest_net( $dnet, $restriction ), $onet ) );
 		}
@@ -6231,19 +6331,19 @@ sub handle_exclusion( $$$$$$$$$$$$$$$$$$ ) {
 	#
 	# Generate RETURNs for each exclusion
 	#
-	for ( mysplit $iexcl ) {
+	for ( split_host_list $iexcl ) {
 	    my $cond = conditional_rule( $echainref, $_ );
 	    add_rule $echainref, ( match_source_net $_ , $restriction, $mac ) . '-j RETURN';
 	    conditional_rule_end( $echainref ) if $cond;
 	}

-	for ( mysplit $dexcl ) {
+	for ( split_host_list $dexcl ) {
 	    my $cond = conditional_rule( $echainref, $_ );
 	    add_rule $echainref, ( match_dest_net $_, $restriction ) . '-j RETURN';
 	    conditional_rule_end( $echainref ) if $cond;
 	}

-	for ( mysplit $oexcl ) {
+	for ( split_host_list $oexcl ) {
 	    my $cond = conditional_rule( $echainref, $_ );
 	    add_rule $echainref, ( match_orig_dest $_ ) . '-j RETURN';
 	    conditional_rule_end( $echainref ) if $cond;
@@ -6368,7 +6468,7 @@ sub expand_rule( $$$$$$$$$$;$ )
 	( $inets, $iexcl ) = handle_network_list( $inets, 'SOURCE' );

 	unless ( $inets || $iexcl =~ /^\+\[/ || ( $iiface && $restriction & POSTROUTE_RESTRICT ) ) {
-	    my @iexcl = mysplit $iexcl, 1;
+	    my @iexcl = split_host_list $iexcl, 1;
 	    if ( @iexcl == 1 ) {
 		$rule .= match_source_net "!$iexcl" , $restriction;
 		$iexcl = '';
@@ -6383,7 +6483,7 @@ sub expand_rule( $$$$$$$$$$;$ )
 	( $dnets, $dexcl ) = handle_network_list( $dnets, 'DEST' );

 	unless ( $dnets || $dexcl =~ /^\+\[/ ) {
-	    my @dexcl = mysplit $dexcl, 1;
+	    my @dexcl = split_host_list $dexcl, 1;
 	    if ( @dexcl == 1 ) {
 		$rule .= match_dest_net "!$dexcl", $restriction;
 		$dexcl = '';
@@ -6429,19 +6529,19 @@ sub expand_rule( $$$$$$$$$$;$ )
 	#
 	# No non-trivial exclusions or we're using marks to handle them
 	#
-	for my $onet ( mysplit $onets ) {
+	for my $onet ( split_host_list $onets ) {
 	    my $cond1 = conditional_rule( $chainref, $onet );

 	    $onet = match_orig_dest $onet;

-	    for my $inet ( mysplit $inets ) {
+	    for my $inet ( split_host_list $inets ) {
 		my $source_match;

 		my $cond2 = conditional_rule( $chainref, $inet );

 		$source_match = match_source_net( $inet, $restriction, $mac ) if $globals{KLUDGEFREE};

-		for my $dnet ( mysplit $dnets ) {
+		for my $dnet ( split_host_list $dnets ) {
 		    $source_match  = match_source_net( $inet, $restriction, $mac ) unless $globals{KLUDGEFREE};
 		    my $dest_match = match_dest_net( $dnet, $restriction );
 		    my $matches = join( '', $rule, $source_match, $dest_match, $onet );
@@ -7346,7 +7446,7 @@ sub create_stop_load( $ ) {

    emit '';

-    emit(  '[ -n "$DEBUG" ] && command=debug_restore_input || command=$' . $UTILITY,
+    emit(  '[ -n "$g_debug_iptables" ] && command=debug_restore_input || command=$' . $UTILITY,
 	   '',
 	   'progress_message2 "Running $command..."',
 	   '',
@@ -7411,4 +7511,17 @@ sub create_stop_load( $ ) {

 }

+sub initialize_switches() {
+    if ( keys %switches ) {
+	emit( 'if [ $COMMAND = start ]; then' );
+	push_indent;
+	while ( my ( $switch, $setting ) = each %switches ) {
+	    my $file = "/proc/net/nf_condition/$switch";
+	    emit "[ -f $file ] && echo $setting->{setting} > $file";
+	}
+	pop_indent;
+	emit "fi\n";
+    }
+}
+
 1;
--- a/Shorewall/Perl/Shorewall/Compiler.pm
+++ b/Shorewall/Perl/Shorewall/Compiler.pm
@@ -203,6 +203,7 @@ sub generate_script_2() {

    emit (   '[ -f ${g_confdir}/vardir ] && . ${g_confdir}/vardir' );
    emit ( qq([ -n "\${VARDIR:=$shorewallrc1{VARDIR}}" ]) );
+    emit ( qq([ -n "\${VARLIB:=$shorewallrc1{VARLIB}}" ]) );

    emit 'TEMPFILE=';

@@ -458,49 +459,56 @@ sub generate_script_3($) {
        fatal_error "$iptables_save_file does not exist"
    fi
 EOF
-    pop_indent;
+    push_indent;
    setup_load_distribution;
    setup_forwarding( $family , 1 );
-    push_indent;
+    pop_indent;

    my $config_dir = $globals{CONFIGDIR};

    emit<<"EOF";
    set_state Started $config_dir
    run_restored_exit
-else
-    if [ \$COMMAND = refresh ]; then
-        chainlist_reload
+elif [ \$COMMAND = refresh ]; then
+    chainlist_reload
 EOF
+    push_indent;
    setup_load_distribution;
    setup_forwarding( $family , 0 );
-
-    emit( '        run_refreshed_exit' ,
-	  '        do_iptables -N shorewall' ,
-	  "        set_state Started $config_dir" ,
-	  '    else' ,
-	  '        setup_netfilter' );
-
+    pop_indent;
+    #
+    # Use a parameter list rather than 'here documents' to avoid an extra blank line
+    #
+    emit(
+'    run_refreshed_exit',
+'    do_iptables -N shorewall',
+"    set_state Started $config_dir",
+'    [ $0 = ${VARDIR}/firewall ] || cp -f $(my_pathname) ${VARDIR}/firewall',
+'else',
+'    setup_netfilter'
+	);
+    push_indent;
    setup_load_distribution;
+    pop_indent;

-    emit<<"EOF";
-        conditionally_flush_conntrack
+    emit<<'EOF';
+    conditionally_flush_conntrack
 EOF
+    push_indent;
+    initialize_switches;
    setup_forwarding( $family , 0 );
+    pop_indent;

    emit<<"EOF";
-        run_start_exit
-        do_iptables -N shorewall
-        set_state Started $config_dir
-        run_started_exit
-    fi
-
+    run_start_exit
+    do_iptables -N shorewall
+    set_state Started $config_dir
+    [ \$0 = \${VARDIR}/firewall ] || cp -f \$(my_pathname) \${VARDIR}/firewall
+    run_started_exit
+fi
 EOF

    emit<<'EOF';
-    [ $0 = ${VARDIR}/firewall ] || cp -f $(my_pathname) ${VARDIR}/firewall
-fi
-
 date > ${VARDIR}/restarted

 case $COMMAND in
--- a/Shorewall/Perl/Shorewall/Config.pm
+++ b/Shorewall/Perl/Shorewall/Config.pm
@@ -47,6 +47,7 @@ our @EXPORT = qw(
 		 warning_message
 		 fatal_error
 		 assert
+		 currentlineinfo

 		 progress_message
 		 progress_message_nocompress
@@ -104,6 +105,7 @@ our %EXPORT_TAGS = ( internal => [ qw( create_temp_script
 				       find_file
 				       split_list
 				       split_list1
+				       split_list2
 				       split_line
 				       split_line1
 				       first_entry
@@ -339,6 +341,7 @@ my  %capdesc = ( NAT_ENABLED     => 'NAT',
 		 GEOIP_MATCH     => 'GeoIP Match' ,
 		 RPFILTER_MATCH  => 'RPFilter Match',
 		 NFACCT_MATCH    => 'NFAcct Match',
+		 CHECKSUM_TARGET => 'Checksum Target',
 		 AMANDA_HELPER   => 'Amanda Helper',
 		 FTP_HELPER      => 'FTP Helper',
 		 FTP0_HELPER     => 'FTP-0 Helper',
@@ -607,7 +610,7 @@ sub initialize( $;$$) {
 		    KLUDGEFREE => '',
 		    STATEMATCH => '-m state --state',
 		    VERSION    => "4.5.8-Beta2",
-		    CAPVERSION => 40507 ,
+		    CAPVERSION => 40509 ,
 		  );
    #
    # From shorewall.conf file
@@ -731,6 +734,7 @@ sub initialize( $;$$) {
 	  USE_PHYSICAL_NAMES => undef,
 	  HELPERS => undef,
 	  AUTOHELPERS => undef,
+	  RESTORE_ROUTEMARKS => undef,
 	  #
 	  # Packet Disposition
 	  #
@@ -847,6 +851,8 @@ sub initialize( $;$$) {
 	       GEOIP_MATCH => undef,
 	       RPFILTER_MATCH => undef,
 	       NFACCT_MATCH => undef,
+	       CHECKSUM_TARGET => undef,
+
 	       AMANDA_HELPER => undef,
 	       FTP_HELPER => undef,
 	       FTP0_HELPER => undef,
@@ -1483,24 +1489,32 @@ sub progress_message3 {
 #
 # Push/Pop Indent
 #
-sub push_indent() {
-    if ( $indent2 ) {
-	$indent2 = '';
-	$indent = $indent1 = $indent1 . "\t";
-    } else {
-	$indent2 = '    ';
-	$indent = $indent1 . $indent2;
+sub push_indent(;$) {
+    my $times = shift || 1;
+
+    while ( $times-- ) {
+	if ( $indent2 ) {
+	    $indent2 = '';
+	    $indent = $indent1 = $indent1 . "\t";
+	} else {
+	    $indent2 = '    ';
+	    $indent = $indent1 . $indent2;
+	}
    }
 }

-sub pop_indent() {
-    if ( $indent2 ) {
-	$indent2 = '';
-	$indent = $indent1;
-    } else {
-	$indent1 = substr( $indent1 , 0, -1 );
-	$indent2 = '    ';
-	$indent = $indent1 . $indent2;
+sub pop_indent(;$) {
+    my $times = shift || 1;
+
+    while ( $times-- ) {
+	if ( $indent2 ) {
+	    $indent2 = '';
+	    $indent = $indent1;
+	} else {
+	    $indent1 = substr( $indent1 , 0, -1 );
+	    $indent2 = '    ';
+	    $indent = $indent1 . $indent2;
+	}
    }
 }

@@ -1638,8 +1652,8 @@ sub split_list( $$;$ ) {
    split /,/, $list;
 }

-sub split_list1( $$ ) {
-    my ($list, $type ) = @_;
+sub split_list1( $$;$ ) {
+    my ($list, $type, $keepparens ) = @_;

    fatal_error "Invalid $type list ($list)" if $list =~ /^,|,$|,,|!,|,!$/;

@@ -1652,17 +1666,17 @@ sub split_list1( $$ ) {

 	if ( ( $count = tr/(/(/ ) > 0 ) {
 	    fatal_error "Invalid $type list ($list)" if $element || $count > 1;
-	    s/\(//;
+	    s/\(// unless $keepparens;
 	    if ( ( $count = tr/)/)/ ) > 0 ) {
 		fatal_error "Invalid $type list ($list)" if $count > 1;
-		s/\)//;
+		s/\)// unless $keepparens;
 		push @list2 , $_;
 	    } else {
 		$element = $_;
 	    }
 	} elsif ( ( $count =  tr/)/)/ ) > 0 ) {
 	    fatal_error "Invalid $type list ($list)" unless $element && $count == 1;
-	    s/\)//;
+	    s/\)// unless $keepparens;
 	    push @list2, join ',', $element, $_;
 	    $element = '';
 	} elsif ( $element ) {
@@ -1675,6 +1689,59 @@ sub split_list1( $$ ) {
    @list2;
 }

+sub split_list2( $$ ) {
+    my ($list, $type ) = @_;
+
+    fatal_error "Invalid $type ($list)" if $list =~ /^:|::/;
+
+    my @list1 = split /:/, $list;
+    my @list2;
+    my $element   = '';
+    my $opencount = 0;
+
+
+    for ( @list1 ) {
+	my $count;
+
+	if ( ( $count = tr/(/(/ ) > 0 ) {
+	    $opencount += $count;
+	    if ( $element eq '' ) {
+		$element = $_;
+	    } else {
+		$element = join( ':', $element, $_ );
+	    }
+
+	    if ( ( $count = tr/)/)/ ) > 0 ) {
+		if ( ! ( $opencount -= $count ) ) {
+		     push @list2 , $element;
+		     $element = '';
+		} else {
+		    fatal_error "Invalid $type ($list)" if $opencount < 0;
+		}
+	    }
+	} elsif ( ( $count =  tr/)/)/ ) > 0 ) {
+	    fatal_error "Invalid $type ($list)" unless $element ne '';
+	    $element = join (':', $element, $_ );
+	    if ( ! ( $opencount -= $count ) ) {
+		 push @list2 , $element;
+		 $element = '';
+	    } else {
+		fatal_error "Invalid $type ($list)" if $opencount < 0;
+	    }
+	} elsif ( $element eq '' ) {
+	    push @list2 , $_;
+	} else {
+	    $element = join ':', $element , $_;
+	}
+    }
+    
+    unless ( $opencount == 0 ) {
+	fatal_error "Invalid $type ($list)";
+    }
+
+    @list2;
+}
+
 #
 # Determine if a value has been supplied
 #
@@ -2403,7 +2470,7 @@ sub embedded_perl( $ ) {
 # Push/pop action params
 #
 sub push_action_params( $$ ) {
-    my @params = split /,/, $_[1];
+    my @params = split_list1 $_[1], 'parameter', 1;
    my @oldparams = @actparms;

    @actparms = ();
@@ -2431,7 +2498,7 @@ sub default_action_params {
    for ( $i = 1; 1; $i++ ) {
 	last unless defined ( $val = shift );
 	my $curval = $actparms[$i];
-	$actparms[$i] =$val unless supplied( $curval );
+	$actparms[$i] = $val unless supplied( $curval );
    }

    fatal_error "Too Many arguments to action $action" if defined $actparms[$i];
@@ -2468,16 +2535,16 @@ sub set_action_param( $$ ) {
 #
 sub expand_variables( \$ ) {
    my ( $lineref, $count ) = ( $_[0], 0 );
-    #                         $1      $2   $3      -     $4
-    while ( $$lineref =~ m( ^(.*?) \$({)? (\w+) (?(2)}) (.*)$ )x ) {
+    #                         $1      $2   $3                  -     $4
+    while ( $$lineref =~ m( ^(.*?) \$({)? (\d+|[a-zA-Z]\w*) (?(2)}) (.*)$ )x ) {

 	my ( $first, $var, $rest ) = ( $1, $3, $4);

 	my $val;

 	if ( $var =~ /^\d+$/ ) {
-	    fatal_error "Undefined parameter (\$$var)" unless $var > 0 && defined $actparms[$var];
-	    $val = $actparms[$var];
+	    fatal_error "Undefined parameter (\$$var)" if ( ! defined $actparms[$var] ) || ( length( $var ) > 1 && $var =~ /^0/ );
+	    $val = $var ? $actparms[$var] : $actparms[0]->{name};
 	} elsif ( exists $params{$var} ) {
 	    $val = $params{$var};
 	} elsif ( exists $shorewallrc{$var} ) {
@@ -3319,26 +3386,26 @@ sub Amanda_Helper() {
    have_helper( 'amanda', 'udp', 10080 );
 }

-sub FTP_Helper() {
-    have_helper( 'ftp', 'tcp', 21 );
-}
-
 sub FTP0_Helper() {
    have_helper( 'ftp-0', 'tcp', 21 ) and $helpers_aliases{ftp} = 'ftp-0';
 }

+sub FTP_Helper() {
+    have_helper( 'ftp', 'tcp', 21 ) || FTP0_Helper;
+}
+
 sub H323_Helpers() {
    have_helper( 'RAS', 'udp', 1719 );
 }

-sub IRC_Helper() {
-    have_helper( 'irc', 'tcp', 6667 );
-}
-
 sub IRC0_Helper() {
    have_helper( 'irc-0', 'tcp', 6667 ) and $helpers_aliases{irc} = 'irc-0';
 }

+sub IRC_Helper() {
+    have_helper( 'irc', 'tcp', 6667 ) || IRC0_Helper;
+}
+
 sub Netbios_ns_Helper() {
    have_helper( 'netbios-ns', 'udp', 137 );
 }
@@ -3347,34 +3414,34 @@ sub PPTP_Helper() {
    have_helper( 'pptp', 'tcp', 1729 );
 }

-sub SANE_Helper() {
-    have_helper( 'sane', 'tcp', 6566 );
-}
-
 sub SANE0_Helper() {
    have_helper( 'sane-0', 'tcp', 6566 ) and $helpers_aliases{sane} = 'sane-0';
 }

-sub SIP_Helper() {
-    have_helper( 'sip', 'udp', 5060 );
+sub SANE_Helper() {
+    have_helper( 'sane', 'tcp', 6566 ) || SANE0_Helper;
 }

 sub SIP0_Helper() {
    have_helper( 'sip-0', 'udp', 5060 ) and $helpers_aliases{sip} = 'sip-0';
 }

+sub SIP_Helper() {
+    have_helper( 'sip', 'udp', 5060 ) || SIP0_Helper;
+}
+
 sub SNMP_Helper() {
    have_helper( 'snmp', 'udp', 161 );
 }

-sub TFTP_Helper() {
-    have_helper( 'tftp', 'udp', 69 );
-}
-
 sub TFTP0_Helper() {
    have_helper( 'tftp-0', 'udp', 69 ) and $helpers_aliases{tftp} = 'tftp-0';
 }

+sub TFTP_Helper() {
+    have_helper( 'tftp', 'udp', 69 ) || TFTP0_Helper;
+}
+
 sub Connlimit_Match() {
    qt1( "$iptables -A $sillyname -m connlimit --connlimit-above 8" );
 }
@@ -3491,12 +3558,17 @@ sub GeoIP_Match() {
    qt1( "$iptables -A $sillyname -m geoip --src-cc US" );
 }

+sub Checksum_Target() {
+    have_capability 'MANGLE_ENABLED' && qt1( "$iptables -t mangle -A $sillyname -j CHECKSUM --checksum-fill" );
+}
+
 our %detect_capability =
    ( ACCOUNT_TARGET =>\&Account_Target,
      AMANDA_HELPER => \&Amanda_Helper,
      AUDIT_TARGET => \&Audit_Target,
      ADDRTYPE => \&Addrtype,
      BASIC_FILTER => \&Basic_Filter,
+      CHECKSUM_TARGET => \&Checksum_Target,
      CLASSIFY_TARGET => \&Classify_Target,
      CONDITION_MATCH => \&Condition_Match,
      COMMENTS => \&Comments,
@@ -3624,17 +3696,6 @@ sub determine_capabilities() {

    $globals{KLUDGEFREE} = $capabilities{KLUDGEFREE} = detect_capability 'KLUDGEFREE';

-    if ( have_capability 'CT_TARGET' ) {
-	$capabilities{$_} = detect_capability $_ for ( values( %helpers_map ),
-						       'FTP0_HELPER',
-						       'IRC0_HELPER',
-						       'SANE0_HELPER',
-						       'SIP0_HELPER',
-						       'TFTP0_HELPER' );
-    } else {
-	$capabilities{HELPER_MATCH} = detect_capability 'HELPER_MATCH';
-    }
-
    unless ( $config{ LOAD_HELPERS_ONLY } ) {
 	#
 	# Using 'detect_capability()' is a bit less efficient than calling the individual detection
@@ -3717,7 +3778,14 @@ sub determine_capabilities() {
 	$capabilities{GEOIP_MATCH}     = detect_capability( 'GEOIP_MATCH' );
 	$capabilities{RPFILTER_MATCH}  = detect_capability( 'RPFILTER_MATCH' );
 	$capabilities{NFACCT_MATCH}    = detect_capability( 'NFACCT_MATCH' );
+	$capabilities{CHECKSUM_TARGET} = detect_capability( 'CHECKSUM_TARGET' );
 	
+	if ( have_capability 'CT_TARGET' ) {
+	    $capabilities{$_} = detect_capability $_ for ( values( %helpers_map ) );
+	} else {
+	    $capabilities{HELPER_MATCH} = detect_capability 'HELPER_MATCH';
+	}
+
 	qt1( "$iptables -F $sillyname" );
 	qt1( "$iptables -X $sillyname" );
 	qt1( "$iptables -F $sillyname1" );
@@ -3733,7 +3801,7 @@ sub determine_capabilities() {
 	    qt1( "$iptables -t nat -X $sillyname" );
 	}

-	if ( $capabilities{RAW_ENABLED} ) {
+	if ( $capabilities{RAW_TABLE} ) {
 	    qt1( "$iptables -t raw -F $sillyname" );
 	    qt1( "$iptables -t raw -X $sillyname" );
 	}
@@ -4182,7 +4250,7 @@ sub get_params() {
 	    #
 	    # - Variable names preceded by 'export '
 	    # - Variable values are delimited by double quotes
-	    # - Embedded single quotes are escaped with '\'
+	    # - Embedded double quotes are escaped with '\'
 	    # - Valueless variables ( e.g., 'export foo') are supported
 	    #
 	    $shell = OLDBASH;
@@ -4527,7 +4595,7 @@ sub get_configuration( $$$ ) {
    default_yes_no 'EXPAND_POLICIES'            , '';
    default_yes_no 'KEEP_RT_TABLES'             , '';
    default_yes_no 'DELETE_THEN_ADD'            , 'Yes';
-    default_yes_no 'AUTO_COMMENT'               , 'Yes';
+    default_yes_no 'AUTOCOMMENT'                , 'Yes';
    default_yes_no 'MULTICAST'                  , '';
    default_yes_no 'MARK_IN_FORWARD_CHAIN'      , '';
    default_yes_no 'MANGLE_ENABLED'             , have_capability 'MANGLE_ENABLED' ? 'Yes' : '';
@@ -4557,6 +4625,9 @@ sub get_configuration( $$$ ) {
    default_yes_no 'USE_PHYSICAL_NAMES'         , '';
    default_yes_no 'IPSET_WARNINGS'             , 'Yes';
    default_yes_no 'AUTOHELPERS'                , 'Yes';
+    default_yes_no 'RESTORE_ROUTEMARKS'         , 'Yes';
+
+    $config{IPSET} = '' if supplied $config{IPSET} && $config{IPSET} eq 'ipset'; 

    if ( supplied $config{HELPERS} ) {
 	my %helpers_temp = %helpers_enabled;
--- a/Shorewall/Perl/Shorewall/IPAddrs.pm
+++ b/Shorewall/Perl/Shorewall/IPAddrs.pm
@@ -32,7 +32,7 @@ use Socket;
 use strict;

 our @ISA = qw(Exporter);
-our @EXPORT = qw( ALLIPv4
+our @EXPORT = ( qw( ALLIPv4
                  ALLIPv6
 		  NILIPv4
 		  NILIPv6
@@ -72,7 +72,7 @@ our @EXPORT = qw( ALLIPv4
 		  validate_port_list
 		  validate_icmp
 		  validate_icmp6
-		 );
+		 ) );
 our @EXPORT_OK = qw( );
 our $VERSION = 'MODULEVERSION';

@@ -207,11 +207,13 @@ sub validate_4net( $$ ) {
    }

    if ( defined wantarray ) {
-	assert ( ! $allow_name );
 	if ( wantarray ) {
+	    assert( ! $allow_name );
 	    ( decodeaddr( $net ) , $vlsm );
+	} elsif ( valid_4address $net ) {
+	    $vlsm == 32 ? $net : "$net/$vlsm";
 	} else {
-	    "$net/$vlsm";
+	    $net;
 	}
    }
 }
@@ -226,6 +228,8 @@ sub validate_4range( $$ ) {
    my $last  = decodeaddr $high;

    fatal_error "Invalid IP Range ($low-$high)" unless $first <= $last;
+
+    "$low-$high";
 }

 sub validate_4host( $$ ) {
@@ -608,7 +612,7 @@ sub validate_6address( $$ ) {

 sub validate_6net( $$ ) {
    my ($net, $vlsm, $rest) = split( '/', $_[0], 3 );
-    my $allow_name = $_[1];
+    my $allow_name = $_[0];

    if ( $net =~ /\+(\[?)/ ) {
 	if ( $1 ) {
@@ -620,22 +624,28 @@ sub validate_6net( $$ ) {
 	}
    }

+    fatal_error "Invalid Network address ($_[0])" unless supplied $net;
+
+    $net = $1 if $net =~ /^\[(.*)\]$/;
+
    if ( defined $vlsm ) {
        fatal_error "Invalid VLSM ($vlsm)"              unless $vlsm =~ /^\d+$/ && $vlsm <= 128;
 	fatal_error "Invalid Network address ($_[0])"   if defined $rest;
 	fatal_error "Invalid IPv6 address ($net)"       unless valid_6address $net;
    } else {
-	fatal_error "Invalid Network address ($_[0])" if $_[0] =~ '/' || ! defined $net;
+	fatal_error "Invalid Network address ($_[0])" if $_[0] =~ '/';
 	validate_6address $net, $allow_name;
 	$vlsm = 128;
    }

    if ( defined wantarray ) {
-	assert ( ! $allow_name );
 	if ( wantarray ) {
+	    assert( ! $allow_name );
 	    ( $net , $vlsm );
+	} elsif ( valid_6address ( $net ) ) {
+	    $vlsm == 32 ? $net : "$net/$vlsm";
 	} else {
-	    "$net/$vlsm";
+	    $net;
 	}
    }
 }
@@ -682,11 +692,13 @@ sub validate_6range( $$ ) {
    while ( @low ) {
 	my ( $l, $h) = ( shift @low, shift @high );
 	next     if hex "0x$l" == hex "0x$h";
-	return 1 if hex "0x$l"  < hex "0x$h";
+	return "$low-$high" if hex "0x$l"  < hex "0x$h";
 	last;
    }

    fatal_error "Invalid IPv6 Range ($low-$high)";
+
+    
 }

 sub validate_6host( $$ ) {
--- a/Shorewall/Perl/Shorewall/Misc.pm
+++ b/Shorewall/Perl/Shorewall/Misc.pm
@@ -702,13 +702,11 @@ sub process_stoppedrules() {
 	    }

 	    if ( $source eq $fw ) {
-		$chainref = $tableref->{OUTPUT};
+		$chainref = ( $target eq 'NOTRACK' ? $raw_table : $filter_table)->{OUTPUT};
 		$source = '';
 		$restriction = OUTPUT_RESTRICT;
-	    } 
-
-	    if ( $source =~ s/^($fw):// ) {
-		$chainref = $filter_table->{OUTPUT};
+	    } elsif ( $source =~ s/^($fw):// ) {
+		$chainref = ( $target eq 'NOTRACK' ? $raw_table : $filter_table)->{OUTPUT};
 		$restriction = OUTPUT_RESTRICT;
 	    }

@@ -717,9 +715,7 @@ sub process_stoppedrules() {
 		$chainref = $filter_table->{INPUT};
 		$dest = '';
 		$restriction = INPUT_RESTRICT;
-	    }
-
-	    if ( $dest =~ s/^($fw):// ) {
+	    } elsif ( $dest =~ s/^($fw):// ) {
 		fatal_error "\$FW may not be specified as the destination of a NOTRACK rule" if $target eq 'NOTRACK';
 		$chainref = $filter_table->{INPUT};
 		$restriction = INPUT_RESTRICT;
@@ -1482,10 +1478,11 @@ sub handle_loopback_traffic() {
 		    my @ipsec_match = match_ipsec_in $z1 , $hostref;

 		    for my $net ( @{$hostref->{hosts}} ) {
-			add_ijump( $rawout,
-				   j => $exclusion ,
-				   imatch_source_net $net,
-				   @ipsec_match );
+			insert_ijump( $rawout,
+				      j => $exclusion ,
+				      $rawout->{insert}++,
+				      imatch_source_net $net,
+				      @ipsec_match );
 		    }
 		}
 	    }
@@ -1530,10 +1527,6 @@ sub add_interface_jumps {
 	addnatjump 'POSTROUTING' , snat_chain( $interface ), imatch_dest_dev( $interface );
    }

-    addnatjump 'PREROUTING'  , 'nat_in';
-    addnatjump 'POSTROUTING' , 'nat_out';
-    addnatjump 'PREROUTING', 'dnat';
-
    for my $interface ( @interfaces  ) {
 	addnatjump 'PREROUTING'  , input_chain( $interface )  , imatch_source_dev( $interface );
 	addnatjump 'POSTROUTING' , output_chain( $interface ) , imatch_dest_dev( $interface );
@@ -1838,6 +1831,7 @@ sub add_prerouting_jumps( $$$$$$$$ ) {

    my $dnatref         = $nat_table->{dnat_chain( $zone )};
    my $preroutingref   = $nat_table->{PREROUTING};
+    my $rawref          = $raw_table->{PREROUTING};
    my $notrackref      = ensure_chain 'raw' , notrack_chain( $zone );
    my @ipsec_in_match  = match_ipsec_in  $zone , $hostref;

@@ -1862,15 +1856,20 @@ sub add_prerouting_jumps( $$$$$$$$ ) {
 	# There are notrack rules with this zone as the source.
 	# Add a jump from this source network to this zone's notrack chain
 	#
-	add_ijump $raw_table->{PREROUTING}, j => source_exclusion( $exclusions, $notrackref), imatch_source_dev( $interface), @source, @ipsec_in_match;
+	insert_ijump $rawref, j => source_exclusion( $exclusions, $notrackref), $rawref->{insert}++, imatch_source_dev( $interface), @source, @ipsec_in_match;
    }
    #
    # If this zone has parents with DNAT/REDIRECT or notrack rules and there are no CONTINUE polcies with this zone as the source
    # then add a RETURN jump for this source network.
    #
    if ( $nested ) {
-	add_ijump $preroutingref,           j => 'RETURN', imatch_source_dev( $interface), @source, @ipsec_in_match if $parenthasnat;
-	add_ijump $raw_table->{PREROUTING}, j => 'RETURN', imatch_source_dev( $interface), @source, @ipsec_in_match if $parenthasnotrack;
+	if ( $parenthasnat ) {
+	    add_ijump $preroutingref, j => 'RETURN',                      imatch_source_dev( $interface), @source, @ipsec_in_match;
+	}
+	if ( $parenthasnotrack ) {
+	    my $rawref = $raw_table->{PREROUTING};
+	    insert_ijump $rawref,     j => 'RETURN', $rawref->{insert}++, imatch_source_dev( $interface), @source, @ipsec_in_match;
+	}
    }
 }

@@ -2073,7 +2072,7 @@ sub optimize1_zones( $$@ ) {
 # The biggest disadvantage of the zone-policy-rule model used by Shorewall is that it doesn't scale well as the number of zones increases (Order N**2 where N = number of zones).
 # A major goal of the rewrite of the compiler in Perl was to restrict those scaling effects to this function and the rules that it generates.
 #
-# The function traverses the full "source-zone by destination-zone" matrix and generates the rules necessary to direct traffic through the right set of filter-table and
+# The function traverses the full "source-zone by destination-zone" matrix and generates the rules necessary to direct traffic through the right set of filter-table, raw-table and
 # nat-table rules.
 #
 sub generate_matrix() {
@@ -2236,6 +2235,11 @@ sub generate_matrix() {
    } # Source Zone Loop

    progress_message '  Finishing matrix...';
+    #
+    # Make sure that the 1:1 NAT jumps are last in PREROUTING
+    #
+    addnatjump 'PREROUTING'  , 'nat_in';
+    addnatjump 'POSTROUTING' , 'nat_out';

    add_interface_jumps @interfaces unless $interface_jumps_added;

--- a/Shorewall/Perl/Shorewall/Nat.pm
+++ b/Shorewall/Perl/Shorewall/Nat.pm
@@ -123,7 +123,7 @@ sub process_one_masq( )
    #
    # Handle Protocol, Ports and Condition
    #
-    $baserule .= do_proto( $proto, $ports, '' ) . do_condition( $condition );
+    $baserule .= do_proto( $proto, $ports, '' );
    #
    # Handle Mark
    #
@@ -158,6 +158,8 @@ sub process_one_masq( )

 	my $chainref = ensure_chain('nat', $pre_nat ? snat_chain $interface : masq_chain $interface);

+	$baserule .= do_condition( $condition , $chainref->{name} );
+
 	my $detectaddress = 0;
 	my $exceptionrule = '';
 	my $randomize     = '';
@@ -431,8 +433,8 @@ sub setup_netmap() {
 		    my @rulein;
 		    my @ruleout;

-		    validate_net $net1, 0;
-		    validate_net $net2, 0;
+		    $net1 = validate_net $net1, 0;
+		    $net2 = validate_net $net2, 0;

 		    unless ( $interfaceref->{root} ) {
 			@rulein  = imatch_source_dev( $interface );
@@ -466,7 +468,7 @@ sub setup_netmap() {

 		    require_capability 'RAWPOST_TABLE', 'Stateless NAT Entries', '';

-		    validate_net $net2, 0;
+		    $net2 = validate_net $net2, 0;

 		    unless ( $interfaceref->{root} ) {
 			@match = imatch_dest_dev(  $interface );
--- a/Shorewall/Perl/Shorewall/Proc.pm
+++ b/Shorewall/Perl/Shorewall/Proc.pm
@@ -219,30 +219,30 @@ sub setup_forwarding( $$ ) {

    if ( $family == F_IPV4 ) {
 	if ( $config{IP_FORWARDING} eq 'on' ) {
-	    emit '        echo 1 > /proc/sys/net/ipv4/ip_forward';
-	    emit '        progress_message2 IPv4 Forwarding Enabled';
+	    emit 'echo 1 > /proc/sys/net/ipv4/ip_forward';
+	    emit 'progress_message2 IPv4 Forwarding Enabled';
 	} elsif ( $config{IP_FORWARDING} eq 'off' ) {
-	    emit '        echo 0 > /proc/sys/net/ipv4/ip_forward';
-	    emit '        progress_message2 IPv4 Forwarding Disabled!';
+	    emit 'echo 0 > /proc/sys/net/ipv4/ip_forward';
+	    emit 'progress_message2 IPv4 Forwarding Disabled!';
 	}

 	emit '';

-	emit ( '        echo 1 > /proc/sys/net/bridge/bridge-nf-call-iptables' ,
+	emit ( 'echo 1 > /proc/sys/net/bridge/bridge-nf-call-iptables' ,
 	       ''
 	     ) if have_bridges;
    } else {
 	if ( $config{IP_FORWARDING} eq 'on' ) {
-	    emit '        echo 1 > /proc/sys/net/ipv6/conf/all/forwarding';
-	    emit '        progress_message2 IPv6 Forwarding Enabled';
+	    emit 'echo 1 > /proc/sys/net/ipv6/conf/all/forwarding';
+	    emit 'progress_message2 IPv6 Forwarding Enabled';
 	} elsif ( $config{IP_FORWARDING} eq 'off' ) {
-	    emit '        echo 0 > /proc/sys/net/ipv6/conf/all/forwarding';
-	    emit '        progress_message2 IPv6 Forwarding Disabled!';
+	    emit 'echo 0 > /proc/sys/net/ipv6/conf/all/forwarding';
+	    emit 'progress_message2 IPv6 Forwarding Disabled!';
 	}

 	emit '';

-	emit ( '        echo 1 > /proc/sys/net/bridge/bridge-nf-call-ip6tables' ,
+	emit ( 'echo 1 > /proc/sys/net/bridge/bridge-nf-call-ip6tables' ,
 	       ''
 	     ) if have_bridges;

@@ -251,9 +251,6 @@ sub setup_forwarding( $$ ) {
 	if ( @$interfaces ) {
 	    progress_message2 "$doing Interface forwarding..." if $first;

-	    push_indent;
-	    push_indent;
-
 	    save_progress_message 'Setting up IPv6 Interface Forwarding...';

 	    for my $interface ( @$interfaces ) {
@@ -270,9 +267,6 @@ sub setup_forwarding( $$ ) {
 		       "    error_message \"WARNING: Cannot set IPv6 forwarding on $interface\"" ) unless $optional;
 		emit   "fi\n";
 	    }
-
-	    pop_indent;
-	    pop_indent;
 	}
    }
 }
--- a/Shorewall/Perl/Shorewall/Providers.pm
+++ b/Shorewall/Perl/Shorewall/Providers.pm
@@ -118,10 +118,15 @@ sub initialize( $ ) {
 #
 sub setup_route_marking() {
    my $mask = in_hex( $globals{PROVIDER_MASK} );
+    my $exmask = have_capability( 'EXMARK' ) ? "/$mask" : '';

    require_capability( $_ , q(The provider 'track' option) , 's' ) for qw/CONNMARK_MATCH CONNMARK/;

-    add_ijump $mangle_table->{$_} , j => 'CONNMARK', targetopts => "--restore-mark --mask $mask" for qw/PREROUTING OUTPUT/;
+    if ( $config{RESTORE_ROUTEMARKS} ) {
+	add_ijump $mangle_table->{$_} , j => 'CONNMARK', targetopts => "--restore-mark --mask $mask" for qw/PREROUTING OUTPUT/;
+    } else {
+	add_ijump $mangle_table->{$_} , j => 'CONNMARK', targetopts => "--restore-mark --mask $mask", connmark => "! --mark 0/$mask" for qw/PREROUTING OUTPUT/;
+    }

    my $chainref  = new_chain 'mangle', 'routemark';

@@ -145,10 +150,10 @@ sub setup_route_marking() {

 	    if ( $providerref->{shared} ) {
 		add_commands( $chainref, qq(if [ -n "$providerref->{mac}" ]; then) ), incr_cmd_level( $chainref ) if $providerref->{optional};
-		add_ijump $chainref, j => 'MARK', targetopts => "--set-mark $providerref->{mark}", imatch_source_dev( $interface ), mac => "--mac-source $providerref->{mac}";
+		add_ijump $chainref, j => 'MARK', targetopts => "--set-mark $providerref->{mark}${exmask}", imatch_source_dev( $interface ), mac => "--mac-source $providerref->{mac}";
 		decr_cmd_level( $chainref ), add_commands( $chainref, "fi\n" ) if $providerref->{optional};
 	    } else {
-		add_ijump $chainref, j => 'MARK', targetopts => "--set-mark $providerref->{mark}", imatch_source_dev( $interface );
+		add_ijump $chainref, j => 'MARK', targetopts => "--set-mark $providerref->{mark}${exmask}", imatch_source_dev( $interface );
 	    }
 	}

@@ -333,24 +338,35 @@ sub balance_fallback_route( $$$$ ) {
    }
 }

-sub start_provider( $$$ ) {
-    my ($table, $number, $test ) = @_;
+sub start_provider( $$$$ ) {
+    my ($what, $table, $number, $test ) = @_;

-    emit "\n#\n# Add Provider $table ($number)\n#";
+    emit "\n#\n# Add $what $table ($number)\n#";
+
+    if ( $number ) {
+	emit "start_provider_$table() {";
+    } else {
+	emit "start_interface_$table() {";
+    }

-    emit "start_provider_$table() {";
    push_indent;
    emit $test;
    push_indent;

-    emit "qt ip -$family route flush table $number";
-    emit "echo \"qt \$IP -$family route flush table $number\" > \${VARDIR}/undo_${table}_routing";
+
+    if ( $number ) {
+	emit "qt ip -$family route flush table $number";
+	emit "echo \"qt \$IP -$family route flush table $number\" > \${VARDIR}/undo_${table}_routing";
+    } else {
+	emit( "> \${VARDIR}/undo_${table}_routing" );
+    }
 }

 #
 # Process a record in the providers file
 #
-sub process_a_provider() {
+sub process_a_provider( $ ) {
+    my $pseudo = $_[0]; # When true, this is an optional interface that we are treating somewhat like a provider.

    my ($table, $number, $mark, $duplicate, $interface, $gateway,  $options, $copy ) =
 	split_line 'providers file', { table => 0, number => 1, mark => 2, duplicate => 3, interface => 4, gateway => 5, options => 6, copy => 7 };
@@ -358,17 +374,20 @@ sub process_a_provider() {
    fatal_error "Duplicate provider ($table)" if $providers{$table};

    fatal_error 'NAME must be specified' if $table eq '-';
-    fatal_error "Invalid Provider Name ($table)" unless $table =~ /^[\w]+$/;

-    my $num = numeric_value $number;
+    unless ( $pseudo ) {
+	fatal_error "Invalid Provider Name ($table)" unless $table =~ /^[\w]+$/;

-    fatal_error 'NUMBER must be specified' if $number eq '-';
-    fatal_error "Invalid Provider number ($number)" unless defined $num;
+	my $num = numeric_value $number;

-    $number = $num;
+	fatal_error 'NUMBER must be specified' if $number eq '-';
+	fatal_error "Invalid Provider number ($number)" unless defined $num;

-    for my $providerref ( values %providers  ) {
-	fatal_error "Duplicate provider number ($number)" if $providerref->{number} == $number;
+	$number = $num;
+
+	for my $providerref ( values %providers  ) {
+	    fatal_error "Duplicate provider number ($number)" if $providerref->{number} == $number;
+	}
    }

    fatal_error 'INTERFACE must be specified' if $interface eq '-';
@@ -389,6 +408,11 @@ sub process_a_provider() {
    my $physical    = get_physical $interface;
    my $gatewaycase = '';

+    if ( $physical =~ /\+$/ ) {
+	return 0 if $pseudo;
+	fatal_error "Wildcard interfaces ($physical) may not be used as provider interfaces";
+    }
+
    if ( $gateway eq 'detect' ) {
 	fatal_error "Configuring multiple providers through one interface requires an explicit gateway" if $shared;
 	$gateway = get_interface_gateway $interface;
@@ -402,8 +426,15 @@ sub process_a_provider() {
 	$gateway = '';
    }

-    my ( $loose, $track,                   $balance , $default, $default_balance,                $optional,                           $mtu, $tproxy , $local, $load ) =
-	(0,      $config{TRACK_PROVIDERS}, 0 ,        0,        $config{USE_DEFAULT_RT} ? 1 : 0, interface_is_optional( $interface ), ''  , 0       , 0,      0 );
+    my ( $loose, $track, $balance, $default, $default_balance, $optional, $mtu, $tproxy, $local, $load, $what );
+
+    if ( $pseudo ) {	
+	( $loose, $track,                   $balance , $default, $default_balance,                $optional,                           $mtu, $tproxy , $local, $load, $what ) =
+	( 0,      0                       , 0 ,        0,        0,                               1                                  , ''  , 0       , 0,      0,     'interface');
+    } else {
+	( $loose, $track,                   $balance , $default, $default_balance,                $optional,                           $mtu, $tproxy , $local, $load, $what )=
+	( 0,      $config{TRACK_PROVIDERS}, 0 ,        0,        $config{USE_DEFAULT_RT} ? 1 : 0, interface_is_optional( $interface ), ''  , 0       , 0,      0,     'provider');
+    }

    unless ( $options eq '-' ) {
 	for my $option ( split_list $options, 'option' ) {
@@ -513,7 +544,7 @@ sub process_a_provider() {

    }

-    unless ( $loose ) {
+    unless ( $loose || $pseudo ) {
 	warning_message q(The 'proxyarp' option is dangerous when specified on a Provider interface) if get_interface_option( $interface, 'proxyarp' );
 	warning_message q(The 'proxyndp' option is dangerous when specified on a Provider interface) if get_interface_option( $interface, 'proxyndp' );
    }
@@ -551,10 +582,14 @@ sub process_a_provider() {
 			   local       => $local ,
 			   tproxy      => $tproxy ,
 			   load        => $load ,
+			   pseudo      => $pseudo ,
+			   what        => $what ,
 			   rules       => [] ,
 			   routes      => [] ,
 			 };

+    $provider_interfaces{$interface} = $table unless $shared;
+
    if ( $track ) {
 	fatal_error "The 'track' option requires a numeric value in the MARK column" if $mark eq '-';

@@ -573,7 +608,22 @@ sub process_a_provider() {

    push @providers, $table;

-    progress_message "   Provider \"$currentline\" $done";
+    progress_message "   Provider \"$currentline\" $done" unless $pseudo;
+
+    return 1;
+}
+
+#
+# Emit a 'started' message
+#
+sub emit_started_message( $$$$$ ) {
+    my ( $spaces, $level, $pseudo, $name, $number ) = @_;
+
+    if ( $pseudo ) {
+	emit qq(${spaces}progress_message${level} "   Optional interface $name Started");
+    } else {
+	emit qq(${spaces}progress_message${level} "   Provider $name ($number) Started");
+    }
 }

 #
@@ -604,6 +654,9 @@ sub add_a_provider( $$ ) {
    my $local       = $providerref->{local};
    my $tproxy      = $providerref->{tproxy};
    my $load        = $providerref->{load};
+    my $pseudo      = $providerref->{pseudo};
+    my $what        = $providerref->{what};
+    my $label       = $pseudo ? 'Optional Interface' : 'Provider';

    my $dev         = chain_base $physical;
    my $base        = uc $dev;
@@ -612,14 +665,16 @@ sub add_a_provider( $$ ) {
    if ( $shared ) {
 	my $variable = $providers{$table}{mac} = get_interface_mac( $gateway, $interface , $table );
 	$realm = "realm $number";
-	start_provider( $table, $number, qq(if interface_is_usable $physical && [ -n "$variable" ]; then) );
+	start_provider( $label , $table, $number, qq(if interface_is_usable $physical && [ -n "$variable" ]; then) );
+    } elsif ( $pseudo ) {
+	start_provider( $label , $table, $number, qq(if [ -n "\$SW_${base}_IS_USABLE" ]; then) );
    } else {
 	if ( $optional ) {
-	    start_provider( $table, $number, qq(if [ -n "\$SW_${base}_IS_USABLE" ]; then) );
+	    start_provider( $label, $table , $number, qq(if [ -n "\$SW_${base}_IS_USABLE" ]; then) );
 	} elsif ( $gatewaycase eq 'detect' ) {
-	    start_provider( $table, $number, qq(if interface_is_usable $physical && [ -n "$gateway" ]; then) );
+	    start_provider( $label, $table, $number, qq(if interface_is_usable $physical && [ -n "$gateway" ]; then) );
 	} else {
-	    start_provider( $table, $number, "if interface_is_usable $physical; then" );
+	    start_provider( $label, $table, $number, "if interface_is_usable $physical; then" );
 	}
 	$provider_interfaces{$interface} = $table;

@@ -737,7 +792,7 @@ CEOF
 	    emit  "qt \$IP -$family rule del from $address" if $config{DELETE_THEN_ADD};
 	    emit( "run_ip rule add from $address pref 20000 table $number" ,
 		  "echo \"qt \$IP -$family rule del from $address\" >> \${VARDIR}/undo_${table}_routing" );
-	} else {
+	} elsif ( ! $pseudo ) {
 	    emit  ( "find_interface_addresses $physical | while read address; do" );
 	    emit  ( "    qt \$IP -$family rule del from \$address" ) if $config{DELETE_THEN_ADD};
 	    emit  ( "    run_ip rule add from \$address pref 20000 table $number",
@@ -800,15 +855,17 @@ CEOF
 	    emit( "setup_${dev}_tc" ) if $tcdevices->{$interface};
 	}

-	emit ( qq(progress_message2 "   Provider $table ($number) Started") );
+	emit_started_message( '', 2, $pseudo, $table, $number );

 	pop_indent;

-	emit( 'else' );
-	emit( qq(    echo $weight > \${VARDIR}/${physical}_weight) ,
-	      qq(    progress_message "   Provider $table ($number) Started"),
-	      qq(fi\n)
-	    );
+	unless ( $pseudo ) {
+	    emit( 'else' );
+	    emit( qq(    echo $weight > \${VARDIR}/${physical}_weight) );
+	    emit_started_message( '    ', '', $pseudo, $table, $number );
+	}
+
+	emit "fi\n";
    } else {
 	emit( qq(echo 0 > \${VARDIR}/${physical}.status) );
 	emit( qq(progress_message "Provider $table ($number) Started") );
@@ -825,6 +882,8 @@ CEOF
    if ( $optional ) {
 	if ( $shared ) {
 	    emit ( "error_message \"WARNING: Gateway $gateway is not reachable -- Provider $table ($number) not Started\"" );
+	} elsif ( $pseudo ) {
+	    emit ( "error_message \"WARNING: Optional Interface $physical is not usable -- $table not Started\"" );
 	} else {
 	    emit ( "error_message \"WARNING: Interface $physical is not usable -- Provider $table ($number) not Started\"" );
 	}
@@ -842,14 +901,14 @@ CEOF

    pop_indent;

-    emit '}'; # End of start_provider_$table();
+    emit "} # End of start_${what}_${table}();";

    if ( $optional ) {
 	emit( '',
 	      '#',
-	      "# Stop provider $table",
+	      "# Stop $what $table",
 	      '#',
-	      "stop_provider_$table() {" );
+	      "stop_${what}_${table}() {" );

 	push_indent;

@@ -877,8 +936,13 @@ CEOF
 	    emit( qq(delete_gateway "$via" $tbl $physical) );
 	}

-	emit (". $undo",
-	      "> $undo" );
+	emit (". $undo" );
+
+	if ( $pseudo ) {
+	    emit( "rm -f $undo" );
+	} else {
+	    emit( "> $undo" );
+	}

 	emit ( '',
 	       "distribute_load $maxload @load_interfaces" ) if $load;
@@ -889,8 +953,13 @@ CEOF
 		  "qt \$TC qdisc del dev $physical ingress\n" ) if $tcdevices->{$interface};
 	}

-	emit( "echo 1 > \${VARDIR}/${physical}.status",
-	      "progress_message2 \"   Provider $table ($number) stopped\"" );
+	emit( "echo 1 > \${VARDIR}/${physical}.status" );
+
+	if ( $pseudo ) {
+	    emit( "progress_message2 \"   Optional Interface $table stopped\"" );
+	} else {
+	    emit( "progress_message2 \"   Provider $table ($number) stopped\"" );
+	}

 	pop_indent;

@@ -938,7 +1007,7 @@ sub add_an_rtrule( ) {
    if ( $dest eq '-' ) {
 	$dest = 'to ' . ALLIP;
    } else {
-	validate_net( $dest, 0 );
+	$dest = validate_net( $dest, 0 );
 	$dest = "to $dest";
    }

@@ -950,22 +1019,22 @@ sub add_an_rtrule( ) {
 	if ( $source =~ /:/ ) {
 	    ( my $interface, $source , my $remainder ) = split( /:/, $source, 3 );
 	    fatal_error "Invalid SOURCE" if defined $remainder;
-	    validate_net ( $source, 0 );
+	    $source = validate_net ( $source, 0 );
 	    $interface = physical_name $interface;
 	    $source = "iif $interface from $source";
 	} elsif ( $source =~ /\..*\..*/ ) {
-	    validate_net ( $source, 0 );
+	    $source = validate_net ( $source, 0 );
 	    $source = "from $source";
 	} else {
 	    $source = 'iif ' . physical_name $source;
 	}
-    } elsif ( $source =~  /^(.+?):<(.+)>\s*$/ ||  $source =~  /^(.+?):\[(.+)\]\s*$/ ) {
+    } elsif ( $source =~  /^(.+?):<(.+)>\s*$/ ||  $source =~  /^(.+?):\[(.+)\]\s*$/ || $source =~ /^(.+?):(\[.+?\](?:\/\d+))$/ ) {
 	my ($interface, $source ) = ($1, $2);
-	validate_net ($source, 0);
+	$source = validate_net ($source, 0);
 	$interface = physical_name $interface;
 	$source = "iif $interface from $source";
    } elsif (  $source =~ /:.*:/ || $source =~ /\..*\..*/ ) {
-	validate_net ( $source, 0 );
+	$source = validate_net ( $source, 0 );
 	$source = "from $source";
    } else {
 	$source = 'iif ' . physical_name $source;
@@ -1020,7 +1089,7 @@ sub add_a_route( ) {
    }

    fatal_error 'DEST must be specified' if $dest eq '-';
-    validate_net ( $dest, 1 );
+    $dest = validate_net ( $dest, 1 );

    validate_address ( $gateway, 1 ) if $gateway ne '-';

@@ -1199,12 +1268,23 @@ sub process_providers( $ ) {
    my $tcdevices = shift;

    our $providers = 0;
+    our $pseudoproviders = 0;

    $lastmark = 0;

    if ( my $fn = open_file 'providers' ) {
 	first_entry "$doing $fn...";
-	process_a_provider, $providers++ while read_a_line( NORMAL_READ );
+	$providers += process_a_provider(0) while read_a_line( NORMAL_READ );
+    }
+    #
+    # Treat optional interfaces as pseudo-providers
+    #
+    for ( grep interface_is_optional( $_ ) && ! $provider_interfaces{ $_ }, all_real_interfaces ) {
+	#
+	#               TABLE NUMBER MARK DUPLICATE INTERFACE GATEWAY OPTIONS COPY
+	$currentline = "$_    0      -    -         $_        -       -       -";
+	#
+	$pseudoproviders += process_a_provider(1);
    }

    if ( $providers ) {
@@ -1227,17 +1307,19 @@ sub process_providers( $ ) {

 	    add_an_rtrule while read_a_line( NORMAL_READ );
 	}
+    }

-	$fn = open_file 'routes';
+    if ( $providers || $pseudoproviders ) {
+	my $fn = open_file 'routes';

 	if ( $fn ) {
 	    first_entry "$doing $fn...";
 	    emit '';
 	    add_a_route while read_a_line( NORMAL_READ );
 	}
-    }

-    add_a_provider( $providers{$_}, $tcdevices ) for @providers;
+	add_a_provider( $providers{$_}, $tcdevices ) for @providers;
+    }

    emit << 'EOF';;

@@ -1258,14 +1340,20 @@ EOF

 	if ( $providerref->{optional} ) {
 	    if ( $providerref->{shared} || $providerref->{physical} eq $provider) {
-		emit "$provider})";
+		emit "$provider)";
 	    } else {
 		emit( "$providerref->{physical}|$provider)" );
 	    }

-	    emit ( "    if [ -z \"`\$IP -$family route ls table $providerref->{number}`\" ]; then",
-		   "        start_provider_$provider",
-		   '    else',
+	    if ( $providerref->{pseudo} ) {
+		emit ( "    if [ ! -f \${VARDIR}/$product/undo_${provider}_routing ]; then",
+		       "        start_interface_$provider" );
+	    } else {
+		emit ( "    if [ -z \"`\$IP -$family route ls table $providerref->{number}`\" ]; then",
+		       "        start_provider_$provider" );
+	    }
+
+	    emit ( '    else',
 		   "        startup_error \"Interface $providerref->{physical} is already enabled\"",
 		   '    fi',
 		   '    ;;'
@@ -1278,7 +1366,7 @@ EOF

    emit << 'EOF';;
        *)
-            startup_error "$g_interface is not an optional provider or provider interface"
+            startup_error "$g_interface is not an optional provider or interface"
            ;;
    esac

@@ -1299,14 +1387,26 @@ EOF
    for my $provider (@providers ) {
 	my $providerref = $providers{$provider};

-	emit( "$providerref->{physical}|$provider)",
-	      "    if [ -n \"`\$IP -$family route ls table $providerref->{number}`\" ]; then",
-	      "        stop_provider_$provider",
-	      '    else',
-	      "        startup_error \"Interface $providerref->{physical} is already disabled\"",
-	      '    fi',
-	      '    ;;'
-	    ) if $providerref->{optional};
+	if ( $providerref->{optional} ) {
+	    if ( $provider eq $providerref->{physical} ) {
+		emit( "$provider)" );
+	    } else {
+		emit( "$providerref->{physical}|$provider)" );
+	    }
+
+	    if ( $providerref->{pseudo} ) {
+		emit( "    if [ -f \${VARDIR}/$product/undo_${provider}_routing ]; then" );
+	    } else {
+		emit( "    if [ -n \"`\$IP -$family route ls table $providerref->{number}`\" ]; then" );
+	    }
+
+	    emit( "        stop_$providerref->{what}_$provider",
+		  '    else',
+		  "        startup_error \"Interface $providerref->{physical} is already disabled\"",
+		  '    fi',
+		  '    ;;'
+		);
+	}
    }

    pop_indent;
@@ -1338,7 +1438,7 @@ sub setup_providers() {

 	emit '';

-	emit "start_provider_$_" for @providers;
+	emit "start_$providers{$_}->{what}_$_" for @providers;

 	emit '';

@@ -1852,7 +1952,7 @@ sub handle_stickiness( $ ) {

 sub setup_load_distribution() {
    emit ( '',
-	   "        distribute_load $maxload @load_interfaces" ,
+	   "distribute_load $maxload @load_interfaces" ,
 	   ''
 	 ) if @load_interfaces;
 }
--- a/Shorewall/Perl/Shorewall/Raw.pm
+++ b/Shorewall/Perl/Shorewall/Raw.pm
@@ -41,9 +41,9 @@ my %valid_ctevent = ( new => 1, related => 1, destroy => 1, reply => 1, assured
 #
 # Notrack
 #
-sub process_conntrack_rule( $$$$$$$$$ ) {
+sub process_conntrack_rule( $$$$$$$$$$ ) {

-    my ($chainref, $zoneref, $action, $source, $dest, $proto, $ports, $sports, $user ) = @_;
+    my ($chainref, $zoneref, $action, $source, $dest, $proto, $ports, $sports, $user, $switch ) = @_;

    require_capability 'RAW_TABLE', 'conntrack rules', '';

@@ -54,7 +54,9 @@ sub process_conntrack_rule( $$$$$$$$$ ) {
    my $zone;
    my $restriction = PREROUTE_RESTRICT;

-    unless ( $chainref ) {
+    if ( $chainref ) {
+	$restriction = OUTPUT_RESTRICT if $chainref->{name} eq 'OUTPUT';
+    } else {
 	#
 	# Entry in the conntrack file
 	#
@@ -66,13 +68,13 @@ sub process_conntrack_rule( $$$$$$$$$ ) {
 	}

 	$chainref = ensure_raw_chain( notrack_chain $zone );
-	$restriction = OUTPUT_RESTRICT if $zoneref->{type} == FIREWALL || $zoneref->{type} == VSERVER;
+	$restriction = OUTPUT_RESTRICT if $zoneref->{type}  & (FIREWALL | VSERVER );
 	fatal_error 'USER/GROUP is not allowed unless the SOURCE zone is $FW or a Vserver zone' if $user ne '-' && $restriction != OUTPUT_RESTRICT;
    }

    my $target = $action;
    my $exception_rule = '';
-    my $rule = do_proto( $proto, $ports, $sports ) . do_user ( $user );
+    my $rule = do_proto( $proto, $ports, $sports ) . do_user ( $user ) . do_condition( $switch , $chainref->{name} );

    if ( $action eq 'NOTRACK' ) {
 	#
@@ -80,7 +82,7 @@ sub process_conntrack_rule( $$$$$$$$$ ) {
 	# Netfilter development list
 	#
 	$action = 'CT --notrack' if have_capability 'CT_TARGET';
-    } else {
+    } elsif ( $action ne 'DROP' ) {
 	(  $target, my ( $option, $args, $junk ) ) = split ':', $action, 4;

 	fatal_error "Invalid notrack ACTION ( $action )" if $junk || $target ne 'CT';
@@ -160,7 +162,9 @@ sub handle_helper_rule( $$$$$$$$$$$ ) {
 				$proto ,
 				$ports ,
 				$sports ,
-				$user );
+				$user,
+				'-',
+			      );
    } else {
 	assert( $action_target );
 	#
@@ -200,7 +204,7 @@ sub handle_helper_rule( $$$$$$$$$$$ ) {
 sub process_format( $ ) {
    my $format = shift;

-    fatal_error q(FORMAT must be '1' or '2') unless $format =~ /^[12]$/;
+    fatal_error q(FORMAT must be '1', '2' or '3') unless $format =~ /^[123]$/;

    $format;
 }
@@ -222,17 +226,17 @@ sub setup_conntrack() {
 	    first_entry( "$doing $fn..." );

 	    while ( read_a_line( NORMAL_READ ) ) {
-		my ( $source, $dest, $proto, $ports, $sports, $user );
+		my ( $source, $dest, $proto, $ports, $sports, $user, $switch );

 		if ( $format == 1 ) {
-		    ( $source, $dest, $proto, $ports, $sports, $user ) = split_line1 'Conntrack File', { source => 0, dest => 1, proto => 2, dport => 3, sport => 4, user => 5 };
+		    ( $source, $dest, $proto, $ports, $sports, $user, $switch ) = split_line1 'Conntrack File', { source => 0, dest => 1, proto => 2, dport => 3, sport => 4, user => 5, switch => 6 };

 		    if ( $source eq 'FORMAT' ) {
 			$format = process_format( $dest );
 			next;
 		    }
 		} else {
-		    ( $action, $source, $dest, $proto, $ports, $sports, $user ) = split_line1 'Conntrack File', { action => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5, user => 6 }, { COMMENT => 0, FORMAT => 2 };
+		    ( $action, $source, $dest, $proto, $ports, $sports, $user, $switch ) = split_line1 'Conntrack File', { action => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5, user => 6, switch => 7 }, { COMMENT => 0, FORMAT => 2 };

 		    if ( $action eq 'FORMAT' ) {
 			$format = process_format( $source );
@@ -248,13 +252,33 @@ sub setup_conntrack() {

 		$empty = 0;

-		if ( $source eq 'all' ) {
-		    for my $zone (all_zones) {
-			process_conntrack_rule( undef, undef, $action, $zone, $dest, $proto, $ports, $sports, $user );
+		if ( $format < 3 ) {
+		    if ( $source =~ /^all(-)?(:(.+))?$/ ) {
+			fatal_error 'USER/GROUP is not allowed unless the SOURCE zone is $FW or a Vserver zone' if $user ne '-';
+			for my $zone ( $1 ? off_firewall_zones : all_zones ) {
+			    process_conntrack_rule( undef ,
+						    undef,
+						    $action,
+						    $zone . ( $2 || ''),
+						    $dest,
+						    $proto,
+						    $ports,
+						    $sports,
+						    $user ,
+						    $switch );
+			}
+		    } else {
+			process_conntrack_rule( undef, undef, $action, $source, $dest, $proto, $ports, $sports, $user, $switch );
 		    }
+		} elsif ( $action =~ s/:O$// ) {
+		    process_conntrack_rule( $raw_table->{OUTPUT}, undef, $action, $source, $dest, $proto, $ports, $sports, $user, $switch );
+		} elsif ( $action =~ s/:OP// || $action =~ s/:PO// ) {
+		    process_conntrack_rule( $raw_table->{PREROUTING}, undef, $action, $source, $dest, $proto, $ports, $sports, $user, $switch );
+		    process_conntrack_rule( $raw_table->{OUTPUT},     undef, $action, $source, $dest, $proto, $ports, $sports, $user, $switch );
 		} else {
-		    process_conntrack_rule( undef, undef, $action, $source, $dest, $proto, $ports, $sports, $user );
-		}
+		    $action =~ s/:P//;
+		    process_conntrack_rule( $raw_table->{PREROUTING}, undef, $action, $source, $dest, $proto, $ports, $sports, $user, $switch );
+		}		    
 	    }

 	    clear_comment;
--- a/Shorewall/Perl/Shorewall/Rules.pm
+++ b/Shorewall/Perl/Shorewall/Rules.pm
@@ -96,7 +96,7 @@ my %rulecolumns = ( action    =>   0,
 		    helper    =>  14,
 		  );

-use constant { MAX_MACRO_NEST_LEVEL => 5 };
+use constant { MAX_MACRO_NEST_LEVEL => 10 };

 my $macro_nest_level;

@@ -109,6 +109,10 @@ my %active;
 #
 my %actions;
 #
+#  Inline Action Table
+#
+my %inlines;
+#
 # Contains an entry for each used <action>:<level>[:<tag>] that maps to the associated chain.
 #
 my %usedactions;
@@ -178,6 +182,10 @@ sub initialize( $ ) {
    #
    %actions           = ();
    #
+    # Inline Actions -- value is file.
+    #
+    %inlines           = ();
+    #
    # Action variants actually used. Key is <action>:<loglevel>:<tag>:<params>; value is corresponding chain name
    #
    %usedactions       = ();
@@ -307,6 +315,51 @@ sub use_policy_action( $ );
 sub normalize_action( $$$ );
 sub normalize_action_name( $ );

+sub process_default_action( $$$$ ) {
+    my ( $originalpolicy, $policy, $default, $level ) = @_;
+
+    if ( supplied $default ) {
+	my $default_option = ( $policy =~ /_DEFAULT$/ );
+	my ( $def, $param ) = get_target_param( $default );
+
+	if ( supplied $level ) {
+	    validate_level( $level );
+	} else {
+	    $level = 'none';
+	}
+
+	if ( "\L$default" eq 'none' ) {
+	    if ( supplied $param || ( supplied $level && $level ne 'none' ) ) {
+		if ( $default_option ) {
+		    fatal_error "Invalid setting (originalpolicy) for $policy";
+		} else {
+		    fatal_error "Invalid policy ($originalpolicy)";
+		}
+	    }
+
+	    $default = 'none';
+	} elsif ( $actions{$def} ) {
+	    $default = supplied $param  ? normalize_action( $def, $level, $param  ) :
+		       $level eq 'none' ? normalize_action_name $def :
+		       normalize_action( $def, $level, '' );
+	    use_policy_action( $default );
+	} elsif ( ( $targets{$def} || 0 ) == INLINE ) {
+	    $default = $def;
+	    $default = "$def($param)" if supplied $param;
+	} elsif ( $default_option ) {
+	    fatal_error "Unknown Action ($default) in $policy setting";
+	} else {
+	    fatal_error "Unknown Default Action ($default)";
+	}
+
+	$default = join( ':', $default, $level ) if $level ne 'none';
+    } else {
+	$default = $default_actions{$policy} || 'none';
+    }
+
+    $default;
+}
+
 #
 # Process an entry in the policy file.
 #
@@ -338,11 +391,11 @@ sub process_a_policy() {

    require_capability 'AUDIT_TARGET', ":audit", "s" if $audit;

-    my ( $policy, $default, $remainder ) = split( /:/, $originalpolicy, 3 );
+    my ( $policy, $default, $level, $remainder ) = split( /:/, $originalpolicy, 4 );

    fatal_error "Invalid or missing POLICY ($originalpolicy)" unless $policy;

-    fatal_error "Invalid default action ($default:$remainder)" if defined $remainder;
+    fatal_error "Invalid default action ($default:$level:$remainder)" if defined $remainder;

    ( $policy , my $queue ) = get_target_param $policy;

@@ -352,20 +405,7 @@ sub process_a_policy() {
 	fatal_error "A $policy policy may not be audited" unless $auditpolicies{$policy};
    }

-    if ( $default ) {
-	my ( $def, $param ) = get_target_param( $default );
-
-	if ( "\L$default" eq 'none' ) {
-	    $default = 'none';
-	} elsif ( $actions{$def} ) {
-	    $default = supplied $param ? normalize_action( $def, 'none', $param  ) : normalize_action_name $def;
-	    use_policy_action( $default );
-	} else {
-	    fatal_error "Unknown Default Action ($default)";
-	}
-    } else {
-	$default = $default_actions{$policy} || 'none';
-    }
+    $default = process_default_action( $originalpolicy, $policy, $default, $level );

    if ( defined $queue ) {
 	fatal_error "Invalid policy ($policy($queue))" unless $policy eq 'NFQUEUE';
@@ -498,18 +538,9 @@ sub process_policies()
 	my $action = $config{$option};

 	unless ( $action eq 'none' ) {
-	    my ( $act, $param ) = get_target_param( $action );
-
-	    if ( "\L$action" eq 'none' ) {
-		$action = 'none';
-	    } elsif ( $actions{$act} ) {
-		$action = supplied $param ? normalize_action( $act, 'none', $param  ) : normalize_action_name $act;
-		use_policy_action( $action );
-	    } elsif ( $targets{$act} ) {
-		fatal_error "Invalid setting ($action) for $option";
-	    } else {
-		fatal_error "Default Action $option=$action not found";
-	    }
+	    my ( $default, $level, $remainder ) = split( /:/, $action, 3 );
+	    fatal_error "Invalid setting ( $action ) for $option" if supplied $remainder;
+	    $action = process_default_action( $action, $option, $default, $level );
 	}

 	$default_actions{$map{$option}} = $action;
@@ -548,12 +579,51 @@ sub process_policies()
 #
 # Policy Rule application
 #
+sub process_inline ($$$$$$$$$$$$$$$$$$$);
+
 sub policy_rules( $$$$$ ) {
    my ( $chainref , $target, $loglevel, $default, $dropmulticast ) = @_;

    unless ( $target eq 'NONE' ) {
 	add_ijump $chainref, j => 'RETURN', d => '224.0.0.0/4' if $dropmulticast && $target ne 'CONTINUE' && $target ne 'ACCEPT';
-	add_ijump $chainref, j => $default if $default && $default ne 'none';
+
+	if ( $default && $default ne 'none' ) {
+	    my ( $inline ) = split ':', $default;
+
+	    ( $inline, my $param ) = get_target_param( $inline );
+
+	    if ( ( $targets{$inline} || 0 ) == INLINE ) {
+		#
+		# Default action is an inline 
+		#
+		process_inline( $inline,      #Inline
+				$chainref,    #Chain
+				$default,     #Target
+				$param || '', #Param
+				'-',          #Source
+				'-',          #Dest
+				'-',          #Proto
+				'-',          #Ports
+				'-',          #Sports
+				'-',          #Original Dest
+				'-',          #Rate
+				'-',          #User
+				'-',          #Mark
+				'-',          #ConnLimit
+				'-',          #Time
+				'-',          #Headers
+				'-',          #Condition
+				'-',          #Helper
+				0,            #Wildcard
+			      );
+	    } else {
+		#
+		# Default action is a regular action -- jump to the action chain
+		#
+		add_ijump $chainref, j => $default;
+	    }
+	}
+ 
 	log_rule $loglevel , $chainref , $target , '' if $loglevel ne '';
 	fatal_error "Null target in policy_rules()" unless $target;

@@ -563,7 +633,7 @@ sub policy_rules( $$$$$ ) {
 }

 sub report_syn_flood_protection() {
-    progress_message_nocompress '      Enabled SYN flood protection';
+    progress_message_nocompress '      Enabled SYN flood Protection';
 }

 #
@@ -589,6 +659,7 @@ sub default_policy( $$$ ) {
 	    } else {
 		add_ijump $chainref,  g => $policyref;
 		$chainref = $policyref;
+		policy_rules( $chainref, $policy, $loglevel, $default, $config{MULTICAST} ) if $default =~/^macro\./;
 	    }
 	} elsif ( $policy eq 'CONTINUE' ) {
 	    report_syn_flood_protection if $synparams;
@@ -601,7 +672,6 @@ sub default_policy( $$$ ) {
    }

    progress_message_nocompress "   Policy $policy from $_[1] to $_[2] using chain $chainref->{name}";
-
 }

 sub ensure_rules_chain( $ );
@@ -630,7 +700,11 @@ sub apply_policy_rules() {
 		    # is a single jump. Generate_matrix() will just use the policy target when
 		    # needed.
 		    #
-		    ensure_rules_chain $name if $default ne 'none' || $loglevel || $synparms || $config{MULTICAST} || ! ( $policy eq 'ACCEPT' || $config{FASTACCEPT} );
+		    ensure_rules_chain $name if ( $default ne 'none' ||
+						  $loglevel          ||
+						  $synparms          ||
+						  $config{MULTICAST} ||
+						  ! ( $policy eq 'ACCEPT' || $config{FASTACCEPT} ) );
 		} else {
 		    ensure_rules_chain $name;
 		}
@@ -747,7 +821,7 @@ sub ensure_rules_chain( $ )
    $chainref = new_chain( 'filter', $chain ) unless $chainref;

    unless ( $chainref->{referenced} ) {
-	if ( $section =~/^(NEW|DONE)$/ ) {
+	if ( $section =~/^(NEW|DEFAULTACTION)$/ ) {
 	    finish_chain_section $chainref , 'ESTABLISHED,RELATED';
 	} elsif ( $section eq 'RELATED' ) {
 	    finish_chain_section $chainref , 'ESTABLISHED';
@@ -796,7 +870,7 @@ sub finish_chain_section ($$) {
 	if ( $chainref->{is_policy} ) {
 	    if ( $chainref->{synparams} ) {
 		my $synchainref = ensure_chain 'filter', syn_flood_chain $chainref;
-		if ( $section eq 'DONE' ) {
+		if ( $section eq 'DEFAULTACTION' ) {
 		    if ( $chainref->{policy} =~ /^(ACCEPT|CONTINUE|QUEUE|NFQUEUE)/ ) {
 			add_ijump $chainref, j => $synchainref, p => 'tcp --syn';
 		    }
@@ -842,26 +916,11 @@ sub finish_section ( $ ) {
 sub split_action ( $ ) {
    my $action = $_[0];

-    my $target = '';
-    my $max    = 3;
-    #
-    # The following rather grim RE, when matched, breaks the action into two parts:
-    #
-    #    basicaction(param)
-    #    logging part (may be empty)
-    #
-    # The param may contain one or more ':' characters
-    #
-    if ( $action =~ /^([^(:]+\(.*?\))(:(.*))?$/ ) {
-	$target = $1;
-	$action = $2 ? $3 : '';
-	$max    = 2;
-    }
+    my @list   = split_list2( $action, 'ACTION' );

-    my @a = split( /:/ , $action, 4 );
-    fatal_error "Invalid ACTION ($action)" if ( $action =~ /::/ ) || ( @a > $max );
-    $target = shift @a unless $target;
-    ( $target, join ":", @a );
+    fatal_error "Invalid ACTION ($action)" if @list > 3;
+
+    ( shift @list, join( ':', @list ) );
 }

 #
@@ -912,13 +971,13 @@ sub externalize( $ ) {
 #
 # Define an Action
 #
-sub new_action( $$ ) {
+sub new_action( $$$ ) {

-    my ( $action , $type ) = @_;
+    my ( $action , $type, $noinline ) = @_;

    fatal_error "Invalid action name($action)" if reserved_name( $action );

-    $actions{$action} = { actchain => '' };
+    $actions{$action} = { actchain => '' , noinline => $noinline } if $type & ACTION;

    $targets{$action} = $type;
 }
@@ -945,7 +1004,7 @@ sub createlogactionchain( $$$$$ ) {

    validate_level $level;

-    $actionref = new_action( $action , ACTION ) unless $actionref;
+    assert( $actionref );

    $chain = substr $chain, 0, 28 if ( length $chain ) > 28;

@@ -1060,6 +1119,8 @@ sub use_action( $ ) {
 sub merge_levels ($$) {
    my ( $superior, $subordinate ) = @_;

+    return $subordinate if $subordinate =~ /^(?:FORMAT|COMMENT|DEFAULTS?)$/;
+
    my @supparts = split /:/, $superior;
    my @subparts = split /:/, $subordinate;

@@ -1067,12 +1128,16 @@ sub merge_levels ($$) {

    my $target   = $subparts[0];

+    fatal_error "Missing ACTION" unless supplied $target;
+
    push @subparts, '' while @subparts < 3;   #Avoid undefined values

-    my $level = $supparts[1];
-    my $tag   = $supparts[2];
+    my $sublevel = $subparts[1];
+    my $level    = $supparts[1];
+    my $tag      = $supparts[2];

    if ( @supparts == 3 ) {
+	return "$subordinate:$tag"    if $target =~ /^(?:NFLOG|ULOG)\b/;
 	return "$target:none!:$tag"   if $level eq 'none!';
 	return "$target:$level:$tag"  if $level =~ /!$/;
 	return $subordinate           if $subparts >= 2;
@@ -1080,6 +1145,7 @@ sub merge_levels ($$) {
    }

    if ( @supparts == 2 ) {
+	return $subordinate           if $target =~ /^(?:NFLOG|ULOG)\b/;
 	return "$target:none!"        if $level eq 'none!';
 	return "$target:$level"       if ($level =~ /!$/) || ($subparts < 2);
    }
@@ -1095,6 +1161,9 @@ sub merge_levels ($$) {
 sub find_macro( $ )
 {
    my $macro = $_[0];
+
+    $macro =~ s/^macro.//;
+
    my $macrofile = find_file "macro.$macro";

    if ( -f $macrofile ) {
@@ -1159,7 +1228,13 @@ sub merge_macro_column( $$ ) {
 # Get Macro Name -- strips away trailing /*, :* and (*) from the first column in a rule, macro or action.
 #
 sub isolate_basic_target( $ ) {
-    my $target = ( split '[/:]', $_[0])[0];
+    my $target = $_[0];
+
+    if ( $target =~ /[\/]/ ) {
+	( $target ) = split( '/', $target);
+    } else {
+	( $target ) = split_list2( $target, 'parameter' );
+    } 

    $target =~ /^(\w+)[(].*[)]$/ ? $1 : $target;
 }
@@ -1393,38 +1468,63 @@ sub process_actions() {
    #
    # Add built-in actions to the target table and create those actions
    #
-    $targets{$_} = new_action( $_ , ACTION + BUILTIN ) for @builtins;
+    $targets{$_} = new_action( $_ , ACTION + BUILTIN, 1 ) for @builtins;

    for my $file ( qw/actions.std actions/ ) {
 	open_file $file;

 	while ( read_a_line( NORMAL_READ ) ) {
-	    my ( $action ) = split_line 'action file' , { action => 0 };
+	    my ( $action, $options ) = split_line 'action file' , { action => 0, options => 1 };
+
+	    my $type     = ACTION;
+	    my $noinline = 0;

 	    if ( $action =~ /:/ ) {
 		warning_message 'Default Actions are now specified in /etc/shorewall/shorewall.conf';
 		$action =~ s/:.*$//;
 	    }

-	    fatal_error "Invalid Action Name ($action)" unless $action =~ /^[\w-]+$/;
+	    fatal_error "Invalid Action Name ($action)" unless $action =~ /^[a-zA-Z][\w-]*$/;

-	    if ( $targets{$action} ) {
-		warning_message "Duplicate Action Name ($action) Ignored" unless $targets{$action} & ACTION;
-		next;
+	    if ( $options ne '-' ) {
+		for ( split_list( $options, 'option' ) ) {
+		    if ( $_ eq 'inline' ) {
+			$type = INLINE;
+		    } elsif ( $_ eq 'noinline' ) {
+			$noinline = 1;
+		    } else {
+			fatal_error "Invalid option ($_)";
+		    }
+		}
 	    }

-	    fatal_error "Invalid Action Name ($action)" unless "\L$action" =~ /^[a-z]\w*$/;
+	    fatal_error "Conflicting OPTIONS ($options)" if $noinline && $type == INLINE; 

-	    new_action $action, ACTION;
+	    if ( my $actiontype = $targets{$action} ) {
+		if ( ( $actiontype & ACTION ) && ( $type == INLINE ) ) {
+		    if ( $actions{$action}->{noinline} ) {
+			warning_message "'inline' option ignored on action $action -- that action may not be in-lined";
+			next;
+		    }
+		    
+		    delete $actions{$action};
+		    delete $targets{$action};
+		} else {
+		    warning_message "Duplicate Action Name ($action) Ignored" unless $actiontype & ( ACTION | INLINE );
+		    next;
+		}
+	    }

-	    my $actionfile = find_file "action.$action";
+	    new_action $action, $type, $noinline;
+
+	    my $actionfile = find_file( "action.$action" );

 	    fatal_error "Missing Action File ($actionfile)" unless -f $actionfile;
+
+	    $inlines{$action} = $actionfile if $type == INLINE;
 	}
    }

-    my $ref;
-
 }

 sub process_rule1 ( $$$$$$$$$$$$$$$$$$ );
@@ -1453,7 +1553,7 @@ sub process_action( $) {

 	my $oldparms = push_action_params( $chainref, $param );

-	$active{$wholeaction}++;
+	$active{$action}++;
 	push @actionstack, $wholeaction;

 	push_comment( '' );
@@ -1511,7 +1611,7 @@ sub process_action( $) {

 	pop_comment;

-	$active{$wholeaction}--;
+	$active{$action}--;
 	pop @actionstack;

 	pop_open;
@@ -1535,7 +1635,7 @@ sub use_policy_action( $ ) {
 #
 # Expand a macro rule from the rules file
 #
-sub process_macro ( $$$$$$$$$$$$$$$$$$$) {
+sub process_macro ($$$$$$$$$$$$$$$$$$$) {
    my ($macro, $chainref, $target, $param, $source, $dest, $proto, $ports, $sports, $origdest, $rate, $user, $mark, $connlimit, $time, $headers, $condition, $helper, $wildcard ) = @_;

    my $nocomment = no_comment;
@@ -1560,7 +1660,21 @@ sub process_macro ( $$$$$$$$$$$$$$$$$$$) {
 	    ( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $mrate, $muser ) = split_line1 'macro file', \%rulecolumns, $rule_commands;
 	    ( $morigdest, $mmark, $mconnlimit, $mtime, $mheaders, $mcondition, $mhelper ) = qw/- - - - - - -/;
 	} else {
-	    ( $mtarget, $msource, $mdest, $mproto, $mports, $msports, $morigdest, $mrate, $muser, $mmark, $mconnlimit, $mtime, $mheaders, $mcondition, $mhelper ) = split_line1 'macro file', \%rulecolumns, $rule_commands;
+	    ( $mtarget,
+	      $msource,
+	      $mdest,
+	      $mproto,
+	      $mports,
+	      $msports,
+	      $morigdest,
+	      $mrate,
+	      $muser,
+	      $mmark,
+	      $mconnlimit,
+	      $mtime,
+	      $mheaders,
+	      $mcondition,
+	      $mhelper ) = split_line1 'macro file', \%rulecolumns, $rule_commands;
 	}

 	fatal_error 'TARGET must be specified' if $mtarget eq '-';
@@ -1576,7 +1690,7 @@ sub process_macro ( $$$$$$$$$$$$$$$$$$$) {
 	    next;
 	}

-	if ( $mtarget eq 'DEFAULT' ) {
+	if ( $mtarget =~ /^DEFAULTS?$/ ) {
 	    $param = $msource unless supplied $param;
 	    next;
 	}
@@ -1594,7 +1708,7 @@ sub process_macro ( $$$$$$$$$$$$$$$$$$$) {

 	my $actiontype = $targets{$action} || find_macro( $action );

-	fatal_error( "Invalid Action ($mtarget) in macro", $actiontype ) unless $actiontype & ( ACTION + STANDARD + NATRULE + MACRO + CHAIN );
+	fatal_error( "Invalid Action ($mtarget) in macro") unless $actiontype & ( ACTION + STANDARD + NATRULE + MACRO + CHAIN );

 	if ( $msource ) {
 	    if ( $msource eq '-' ) {
@@ -1655,6 +1769,131 @@ sub process_macro ( $$$$$$$$$$$$$$$$$$$) {
    return $generated;
 }

+#
+# Expand an inline action rule from the rules file
+#
+sub process_inline ($$$$$$$$$$$$$$$$$$$) {
+    my ($inline, $chainref, $target, $param, $source, $dest, $proto, $ports, $sports, $origdest, $rate, $user, $mark, $connlimit, $time, $headers, $condition, $helper, $wildcard ) = @_;
+
+    my $nocomment = no_comment;
+
+    my $generated = 0;
+
+    macro_comment $inline;
+
+    my $oldparms = push_action_params( $chainref, $param );
+
+    my $inlinefile = $inlines{$inline};
+
+    progress_message "..Expanding inline action $inlinefile...";
+
+    push_open $inlinefile;
+
+    while ( read_a_line( NORMAL_READ ) ) {
+	my  ( $mtarget,
+	      $msource,
+	      $mdest,
+	      $mproto,
+	      $mports,
+	      $msports,
+	      $morigdest,
+	      $mrate,
+	      $muser,
+	      $mmark,
+	      $mconnlimit,
+	      $mtime,
+	      $mheaders,
+	      $mcondition,
+	      $mhelper ) = split_line1 'inline action file', \%rulecolumns, $rule_commands;
+
+	fatal_error 'TARGET must be specified' if $mtarget eq '-';
+
+	if ( $mtarget eq 'COMMENT' ) {
+	    process_comment unless $nocomment;
+	    next;
+	}
+
+	if ( $mtarget eq 'DEFAULTS' ) {
+	    default_action_params( $chainref, split_list( $msource, 'defaults' ) );
+	    next;
+	}
+
+	if ( $mtarget eq 'FORMAT' ) {
+	    fatal_error "FORMAT must be 2" unless $source ne '2';
+	    next;
+	}
+
+	$mtarget = merge_levels $target, $mtarget;
+
+	my $action = isolate_basic_target $mtarget;
+
+	fatal_error "Invalid or missing ACTION ($mtarget)" unless defined $action;
+
+	my $actiontype = $targets{$action} || find_macro( $action );
+
+	fatal_error( "Invalid Action ($mtarget) in inline action" ) unless $actiontype & ( ACTION + STANDARD + NATRULE + MACRO + CHAIN + INLINE );
+
+	if ( $msource ) {
+	    if ( $msource eq '-' ) {
+		$msource = $source || '';
+	    } elsif ( $msource =~ s/^DEST:?// ) {
+		$msource = merge_macro_source_dest $msource, $dest;
+	    } else {
+		$msource =~ s/^SOURCE:?//;
+		$msource = merge_macro_source_dest $msource, $source;
+	    }
+	} else {
+	    $msource = '';
+	}
+
+	if ( $mdest ) {
+	    if ( $mdest eq '-' ) {
+		$mdest = $dest || '';
+	    } elsif ( $mdest =~ s/^SOURCE:?// ) {
+		$mdest = merge_macro_source_dest $mdest , $source;
+	    } else {
+		$mdest =~ s/DEST:?//;
+		$mdest = merge_macro_source_dest $mdest, $dest;
+	    }
+	} else {
+	    $mdest = '';
+	}
+
+	$generated |= process_rule1(
+				    $chainref,
+				    $mtarget,
+				    $param,
+				    $msource,
+				    $mdest,
+				    merge_macro_column( $mproto,     $proto ) ,
+				    merge_macro_column( $mports,     $ports ) ,
+				    merge_macro_column( $msports,    $sports ) ,
+				    merge_macro_column( $morigdest,  $origdest ) ,
+				    merge_macro_column( $mrate,      $rate ) ,
+				    merge_macro_column( $muser,      $user ) ,
+				    merge_macro_column( $mmark,      $mark ) ,
+				    merge_macro_column( $mconnlimit, $connlimit) ,
+				    merge_macro_column( $mtime,      $time ),
+				    merge_macro_column( $mheaders,   $headers ),
+				    merge_macro_column( $mcondition, $condition ),
+				    merge_macro_column( $mhelper,    $helper ),
+				    $wildcard
+				   );
+
+	progress_message "   Rule \"$currentline\" $done";
+    }
+
+    pop_open;
+
+    progress_message "..End inline action $inlinefile";
+
+    pop_action_params( $oldparms );
+
+    clear_comment unless $nocomment;
+
+    return $generated;
+}
+
 #
 # Confirm that we have AUDIT_TARGET capability and ensure the appropriate AUDIT chain.
 #
@@ -1670,8 +1909,10 @@ sub verify_audit($;$$) {
 # Once a rule has been expanded via wildcards (source and/or dest zone eq 'all'), it is processed by this function. If
 # the target is a macro, the macro is expanded and this function is called recursively for each rule in the expansion.
 # Similarly, if a new action tuple is encountered, this function is called recursively for each rule in the action
-# body. In this latter case, a reference to the tuple's chain is passed in the first ($chainref) argument.
+# body. In this latter case, a reference to the tuple's chain is passed in the first ($chainref) argument. A chain
+# reference is also passed when rules are being generated during processing of a macro used as a default action.
 #
+
 sub process_rule1 ( $$$$$$$$$$$$$$$$$$ ) {
    my ( $chainref,   #reference to Action Chain if we are being called from process_action(); undef otherwise
 	 $target,
@@ -1696,12 +1937,15 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$$$ ) {
    my ( $basictarget, $param ) = get_target_param $action;
    my $rule = '';
    my $optimize = $wildcard ? ( $basictarget =~ /!$/ ? 0 : $config{OPTIMIZE} & 5 ) : 0;
-    my $inaction = '';
+    my $inaction  = ''; # Set to true when we are process rules in an action file
+    my $inchain   = ''; # Set to true when a chain reference is passed.
    my $normalized_target;
    my $normalized_action;
    my $blacklist = ( $section eq 'BLACKLIST' );

-    ( $inaction, undef, undef, undef ) = split /:/, $normalized_action = $chainref->{action}, 4 if defined $chainref;
+    if ( $inchain = defined $chainref ) {
+	( $inaction, undef, undef, undef ) = split /:/, $normalized_action = $chainref->{action}, 4 if $chainref->{action};
+    }

    $param = '' unless defined $param;

@@ -1711,7 +1955,7 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$$$ ) {
    my $actiontype = $targets{$basictarget} || find_macro ( $basictarget );

    if ( $config{ MAPOLDACTIONS } ) {
-	( $basictarget, $actiontype , $param ) = map_old_actions( $basictarget ) unless $actiontype || $param;
+	( $basictarget, $actiontype , $param ) = map_old_actions( $basictarget ) unless $actiontype || supplied $param;
    }

    fatal_error "Unknown ACTION ($action)" unless $actiontype;
@@ -1720,7 +1964,7 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$$$ ) {
 	#
 	# process_macro() will call process_rule1() recursively for each rule in the macro body
 	#
-	fatal_error "Macro invocations nested too deeply" if ++$macro_nest_level > MAX_MACRO_NEST_LEVEL;
+	fatal_error "Macro/Inline invocations nested too deeply" if ++$macro_nest_level > MAX_MACRO_NEST_LEVEL;

 	$current_param = $param unless $param eq '' || $param eq 'PARAM';

@@ -1748,6 +1992,8 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$$$ ) {

 	return $generated;

+    } elsif ( $actiontype & ( ACTION | INLINE ) ) {
+	split_list1 $param, 'Action parameter';
    } elsif ( $actiontype & NFQ ) {
 	require_capability( 'NFQUEUE_TARGET', 'NFQUEUE Rules', '' );
 	my $paramval = $param eq '' ? 0 : numeric_value( $param );
@@ -1756,8 +2002,15 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$$$ ) {
    } elsif ( $actiontype & SET ) {
 	require_capability( 'IPSET_MATCH', 'SET and UNSET rules', '' );
 	fatal_error "$action rules require a set name parameter" unless $param;
-    } elsif ( $actiontype & ACTION ) {
-	split_list $param, 'Action parameter';
+    } elsif ( ( $actiontype & AUDIT ) && ( $basictarget eq 'AUDIT' ) ) {
+	require_capability ( 'AUDIT_TARGET', 'The AUDIT action', 's' );
+	$param = $param eq '' ? 'drop' : $param;
+	fatal_error "Invalid AUDIT type ($param) -- must be 'accept', 'drop' or 'reject'" unless $param =~ /^(?:accept|drop|reject)$/;
+	$actiontype = STANDARD;
+    } elsif ( $actiontype & NFLOG ) {
+	validate_level( $action );
+	$loglevel = supplied $loglevel ? join( ':', $action, $loglevel ) : $action;
+	$action   = 'LOG';
    } else {
 	fatal_error "The $basictarget TARGET does not accept a parameter" unless $param eq '';
    }
@@ -1775,7 +2028,7 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$$$ ) {
 	#
 	$normalized_target = normalize_action( $basictarget, $loglevel, $param );

-	fatal_error( "Action $basictarget invoked Recursively (" .  join( '->', map( externalize( $_ ), @actionstack , $normalized_target ) ) . ')' ) if $active{$normalized_target};
+	fatal_error( "Action $basictarget invoked Recursively (" .  join( '->', map( externalize( $_ ), @actionstack , $normalized_target ) ) . ')' ) if $active{$basictarget};

 	if ( my $ref = use_action( $normalized_target ) ) {
 	    #
@@ -1813,7 +2066,7 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$$$ ) {
    #
    my $log_action = $action;

-    unless ( $actiontype & ( ACTION | MACRO | NFQ | CHAIN ) ) {
+    unless ( $actiontype & ( ACTION | MACRO | NFLOG | NFQ | CHAIN | INLINE ) ) {
 	my $bt = $basictarget;

 	$bt =~ s/[-+!]$//;
@@ -1826,12 +2079,16 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$$$ ) {
 		      $actiontype |= HELPER if $section eq 'NEW';
 		  }
 	      } ,
-	      
+
+	      AUDIT => sub() {
+		  $action = "AUDIT --type $param";
+	      } ,
+
 	      REDIRECT => sub () {
 		  my $z = $actiontype & NATONLY ? '' : firewall_zone;
 		  if ( $dest eq '-' ) {
-		      $dest = $inaction ? '' : join( '', $z, '::' , $ports =~ /[:,]/ ? '' : $ports );
-		  } elsif ( $inaction ) {
+		      $dest = ( $inchain ) ? '' : join( '', $z, '::' , $ports =~ /[:,]/ ? '' : $ports );
+		  } elsif ( $inchain ) {
 		      $dest = ":$dest";
 		  } else {
 		      $dest = join( '', $z, '::', $dest ) unless $dest =~ /^[^\d].*:/;
@@ -1868,7 +2125,7 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$$$ ) {

 	    my ( $setname, $flags, $rest ) = split ':', $param, 3;
 	    fatal_error "Invalid ADD/DEL parameter ($param)" if $rest;
-	    fatal_error "Expected ipset name ($setname)" unless $setname =~ s/^\+// && $setname =~ /^[a-zA-Z]\w*$/;
+	    fatal_error "Expected ipset name ($setname)" unless $setname =~ s/^\+// && $setname =~ /^(6_)?[a-zA-Z][-\w]*$/;
 	    fatal_error "Invalid flags ($flags)" unless defined $flags && $flags =~ /^(dst|src)(,(dst|src)){0,5}$/;
 	    $action = join( ' ', 'SET --' . $xlate{$basictarget} , $setname , $flags );
 	}
@@ -1882,14 +2139,14 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$$$ ) {
    my $destref;
    my $origdstports;

-    unless ( $inaction ) {
+    unless ( $inchain ) {
 	if ( $source =~ /^(.+?):(.*)/ ) {
 	    fatal_error "Missing SOURCE Qualifier ($source)" if $2 eq '';
 	    $sourcezone = $1;
 	    $source = $2;
 	} else {
 	    $sourcezone = $source;
-	    $source = ALLIP;
+	    $source = $actiontype == INLINE ? '-' : ALLIP;
 	}

 	if ( $dest =~ /^(.*?):(.*)/ ) {
@@ -1903,7 +2160,7 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$$$ ) {
 	    $destzone = '-';
 	} else {
 	    $destzone = $dest;
-	    $dest = ALLIP;
+	    $dest = $actiontype == INLINE ? '-' : ALLIP;
 	}

 	fatal_error "Missing source zone" if $sourcezone eq '-' || $sourcezone =~ /^:/;
@@ -1923,7 +2180,7 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$$$ ) {
 	    }
 	}
    } else {
-	unless ( $inaction ) {
+	unless ( $inchain ) {
 	    fatal_error "Missing destination zone" if $destzone eq '-' || $destzone eq '';
 	    fatal_error "Unknown destination zone ($destzone)" unless $destref = defined_zone( $destzone );
 	}
@@ -1931,7 +2188,7 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$$$ ) {

    my $restriction = NO_RESTRICT;

-    unless ( $inaction ) {
+    unless ( $inchain ) {
 	if ( $sourceref && ( $sourceref->{type} & ( FIREWALL | VSERVER ) ) ) {
 	    $restriction = $destref && ( $destref->{type} & ( FIREWALL | VSERVER ) ) ? ALL_RESTRICT : OUTPUT_RESTRICT;
 	} else {
@@ -1949,11 +2206,15 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$$$ ) {
    #
    my $chain;

-    if ( $inaction ) {
+    if ( $inchain ) {
        #
-        # We are generating rules in an action chain -- the chain name is the name of that action chain
+        # We are generating rules in a chain -- get its name
        #
 	$chain = $chainref->{name};
+	#
+	# If we are processing an inline action, we need the source zone for NAT.
+	#
+	$sourceref = find_zone( $chainref->{sourcezone} ) if $chainref->{sourcezone}; 
    } else {
 	unless ( $actiontype & NATONLY ) {
 	    #
@@ -1970,7 +2231,8 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$$$ ) {
 	    #
 	    # Ensure that the chain exists but don't mark it as referenced until after optimization is checked
 	    #
-	    $chainref  = ensure_chain 'filter', $chain;
+	    ( $chainref  = ensure_chain( 'filter', $chain ) )->{sourcezone} = $sourcezone;
+
 	    my $policy = $chainref->{policy};

 	    if ( $policy eq 'NONE' ) {
@@ -2012,6 +2274,39 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$$$ ) {
 	    }
 	}
    }
+
+    if ( $actiontype & INLINE ) {
+	#
+	# process_inline() will call process_rule1() recursively for each rule in the macro body
+	#
+	fatal_error "Macro/Inline invocations nested too deeply" if ++$macro_nest_level > MAX_MACRO_NEST_LEVEL;
+
+	$current_param = $param unless $param eq '' || $param eq 'PARAM';
+
+	my $generated = process_inline( $basictarget,
+					$chainref,
+					$target,
+					$current_param,
+					$source,
+					$dest,
+					$proto,
+					$ports,
+					$sports,
+					$origdest,
+					$ratelimit,
+					$user,
+					$mark,
+					$connlimit,
+					$time,
+					$headers,
+					$condition,
+					$helper,
+					$wildcard );
+
+	$macro_nest_level--;
+
+	return $generated;
+    }
    #
    # Generate Fixed part of the rule
    #
@@ -2027,7 +2322,7 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$$$ ) {
 		      do_connlimit( $connlimit ),
 		      do_time( $time ) ,
 		      do_headers( $headers ) ,
-		      do_condition( $condition ) ,
+		      do_condition( $condition , $chain ) ,
 		    );
    } elsif ( $section eq 'RELATED' ) {
 	$rule = join( '',
@@ -2038,7 +2333,7 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$$$ ) {
 		      do_connlimit( $connlimit ),
 		      do_time( $time ) ,
 		      do_headers( $headers ) ,
-		      do_condition( $condition ) ,
+		      do_condition( $condition , $chain ) ,
 		      do_helper( $helper ) ,
 		    );
    } else {
@@ -2050,11 +2345,11 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$$$ ) {
 		      do_connlimit( $connlimit ),
 		      do_time( $time ) ,
 		      do_headers( $headers ) ,
-		      do_condition( $condition ) ,
+		      do_condition( $condition , $chain ) ,
 		    );
    }

-    unless ( $section eq 'NEW' || $inaction ) {
+    unless ( $section eq 'NEW' || $inchain ) {
 	if ( $config{FASTACCEPT} ) {
 	    fatal_error "Entries in the $section SECTION of the rules file not permitted with FASTACCEPT=Yes" unless
 		$section eq 'BLACKLIST' ||
@@ -2076,7 +2371,7 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$$$ ) {
 			    $sports,
 			    $sourceref,
 			    ( $actiontype & ACTION ) ? $usedactions{$normalized_target}->{name} : '',
-			    $inaction ? $chain : '' ,
+			    $inchain ? $chain : '' ,
 			    $user ,
 			    $rule ,
 			  );
@@ -2120,7 +2415,7 @@ sub process_rule1 ( $$$$$$$$$$$$$$$$$$ ) {
 			  do_ratelimit( $ratelimit, 'ACCEPT' ),
 			  do_user $user,
 			  do_test( $mark , $globals{TC_MASK} ),
-			  do_condition( $condition )
+			  do_condition( $condition , $chain )
 			);
 	    $loglevel = '';
 	    $action   = 'ACCEPT';
@@ -2488,7 +2783,7 @@ sub process_rules( $ ) {
 	clear_comment;
    }

-    $section = 'DONE';
+    $section = 'DEFAULTACTION';
 }

 1;
--- a/Shorewall/Perl/Shorewall/Tc.pm
+++ b/Shorewall/Perl/Shorewall/Tc.pm
@@ -174,6 +174,12 @@ my $family;

 my $divertref; # DIVERT chain

+my %validstates = ( NEW                => 0,
+		    RELATED            => 0,
+		    ESTABLISHED        => 0,
+		    UNTRACKED          => 0,
+		    INVALID            => 0,
+		  );
 #
 # Rather than initializing globals in an INIT block or during declaration,
 # we initialize them in a function. This is done for two reasons:
@@ -199,17 +205,17 @@ sub initialize( $ ) {
 }

 sub process_tc_rule( ) {
-    my ( $originalmark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability , $dscp );
+    my ( $originalmark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability , $dscp , $state );
    if ( $family == F_IPV4 ) {
-	( $originalmark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $probability, $dscp ) =
-	    split_line1 'tcrules file', { mark => 0, action => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5, user => 6, test => 7, length => 8, tos => 9, connbytes => 10, helper => 11, probability => 12 , dscp => 13 }, { COMMENT => 0, FORMAT => 2 } , 14;
+	( $originalmark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $probability, $dscp, $state ) =
+	    split_line1 'tcrules file', { mark => 0, action => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5, user => 6, test => 7, length => 8, tos => 9, connbytes => 10, helper => 11, probability => 12 , dscp => 13, state => 14 }, { COMMENT => 0, FORMAT => 2 } , 15;
 	$headers = '-';
    } else {
-	( $originalmark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability, $dscp ) =
-	    split_line1 'tcrules file', { mark => 0, action => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5, user => 6, test => 7, length => 8, tos => 9, connbytes => 10, helper => 11, headers => 12, probability => 13 , dscp => 14 },  { COMMENT => 0, FORMAT => 2 }, 15;
+	( $originalmark, $source, $dest, $proto, $ports, $sports, $user, $testval, $length, $tos , $connbytes, $helper, $headers, $probability, $dscp, $state ) =
+	    split_line1 'tcrules file', { mark => 0, action => 0, source => 1, dest => 2, proto => 3, dport => 4, sport => 5, user => 6, test => 7, length => 8, tos => 9, connbytes => 10, helper => 11, headers => 12, probability => 13 , dscp => 14 , state => 15 },  { COMMENT => 0, FORMAT => 2 }, 16;
    }

-    our @tccmd;
+    our %tccmd;

    our $format;

@@ -259,6 +265,8 @@ sub process_tc_rule( ) {
    my $cmd;
    my $rest;
    my $matches = '';
+    my $mark1;
+    my $exceptionrule = '';

    my %processtcc = ( sticky => sub() {
 			                  if ( $chain eq 'tcout' ) {
@@ -372,7 +380,11 @@ sub process_tc_rule( ) {

 					  if ( supplied $ip ) {
 					      if ( $family == F_IPV6 ) {
-						  $ip = $1 if $ip =~ /^\[(.+)\]$/ || $ip =~ /^<(.+)>$/;
+						  if ( $ip =~ /^\[(.+)\]$/ || $ip =~ /^<(.+)>$/ ) {
+						      $ip = $1;
+						  } elsif ( $ip =~ /^\[(.+)\]\/(\d+)$/ ) {
+						      $ip = join( $1, $2 );
+						  }
 					      }

 					      validate_address $ip, 1;
@@ -380,6 +392,8 @@ sub process_tc_rule( ) {
 					  }

 					  $target .= ' --tproxy-mark';
+
+					  $exceptionrule = '-p tcp ';
 				      },
 		       TTL => sub() {
 			                  fatal_error "TTL is not supported in IPv6 - use HL instead" if $family == F_IPV6;
@@ -394,11 +408,11 @@ sub process_tc_rule( ) {
 					      }
 					  }

-					  $cmd =~ /^TTL\(([-+]?\d+)\)$/;
+					  $cmd =~ /^TTL\(([-+]?(\d+))\)$/;

 					  my $param =  $1;

-					  fatal_error "Invalid TTL specification( $cmd )" unless $param && ( $param = abs $param ) < 256;
+					  fatal_error "Invalid TTL specification( $cmd )" unless supplied( $1 ) && ( $1 eq $2 || $2 != 0 ) && ( $param = abs $param ) < 256;

 					  if ( $1 =~ /^\+/ ) {
 					      $target .= " --ttl-inc $param";
@@ -422,11 +436,11 @@ sub process_tc_rule( ) {
 					      }
 					  }

-					  $cmd =~ /^HL\(([-+]?\d+)\)$/;
+					  $cmd =~ /^HL\(([-+]?(\d+))\)$/;

 					  my $param =  $1;

-					  fatal_error "Invalid HL specification( $cmd )" unless $param && ( $param = abs $param ) < 256;
+					  fatal_error "Invalid HL specification( $cmd )" unless supplied( $1 ) && ( $1 eq $2 || $2 != 0 ) && ( $param = abs $param ) < 256;

 					  if ( $1 =~ /^\+/ ) {
 					      $target .= " --hl-inc $param";
@@ -453,6 +467,10 @@ sub process_tc_rule( ) {
 			                  assert( $cmd =~ /^TOS\((.+)\)$/ );
 					  $target .= decode_tos( $1 , 2 );
 				      },
+		       CHECKSUM => sub()
+		                        {  require_capability 'CHECKSUM_TARGET', 'The CHECKSUM action', 's';
+					   $target .= ' --checksum-fill';
+				       },
 		     );

    if ( $source ) {
@@ -493,13 +511,13 @@ sub process_tc_rule( ) {

 	    $chain    = $tcsref->{chain}                       if $tcsref->{chain};
 	    $target   = $tcsref->{target}                      if $tcsref->{target};
-	    $mark     = "$mark/" . in_hex( $globals{TC_MASK} ) if $connmark = $tcsref->{connmark};
+	    $mark     = "$mark/" . in_hex( $globals{TC_MASK} ) if $connmark = $tcsref->{connmark} && $mark !~ m'/';

 	    require_capability ('CONNMARK' , "CONNMARK Rules", '' ) if $connmark;

 	} else {
 	    unless ( $classid ) {
-		fatal_error "Invalid MARK ($originalmark)" unless $mark =~ /^([0-9a-fA-F]+)$/ and $designator =~ /^([0-9a-fA-F]+)$/;
+		fatal_error "Invalid ACTION ($originalmark)" unless $mark =~ /^([0-9a-fA-F]+)$/ and $designator =~ /^([0-9a-fA-F]+)$/;
 		fatal_error 'A CLASSIFY rule may not have $FW as the DEST' if $chain eq 'tcin';
 		$chain = 'tcpost';
 		$mark  = $originalmark;
@@ -537,10 +555,10 @@ sub process_tc_rule( ) {
    $list = '';

    unless ( $classid ) {
-      MARK:
 	{
-	    for my $tccmd ( @tccmd ) {
-		if ( $tccmd->{match}($cmd) ) {
+	    if ( $cmd =~ /^([[A-Z!&]+)/ ) {
+		if ( my $tccmd = $tccmd{$1} ) {
+		    fatal_error "Invalid $1 ACTION ($originalmark)" unless $tccmd->{match}($cmd); 
 		    fatal_error "$mark not valid with :C[FPT]" if $connmark;

 		    require_capability ('CONNMARK' , "SAVE/RESTORE Rules", '' ) if $tccmd->{connmark};
@@ -559,7 +577,7 @@ sub process_tc_rule( ) {
 		    }

 		    if ( $rest ) {
-			fatal_error "Invalid MARK ($originalmark)" if $marktype == NOMARK;
+			fatal_error "Invalid COMMAND ($originalmark)" if $marktype == NOMARK;

 			$mark = $rest if $tccmd->{mask};

@@ -571,20 +589,26 @@ sub process_tc_rule( ) {
 		    } elsif ( $tccmd->{mask} ) {
 			$mark = $tccmd->{mask};
 		    }
-
-		    last MARK;
+		} else {
+		    fatal_error "Invalid ACTION ($originalmark)";
 		}
-	    }
+	    } elsif ( $mark =~ /-/ ) {
+		( $mark, $mark1 ) = split /-/, $mark, 2;
+		validate_mark $mark;
+		fatal_error "Invalid mark range ($mark-$mark1)" if $mark =~ m'/';
+		validate_mark $mark1;
+		require_capability 'STATISTIC_MATCH', 'A mark range', 's';
+	    }  else {
+		validate_mark $mark;

-	    validate_mark $mark;
-
-	    if ( $config{PROVIDER_OFFSET} ) {
-		my $val = numeric_value( $cmd );
-		fatal_error "Invalid MARK/CLASSIFY ($cmd)" unless defined $val;
-		my $limit = $globals{TC_MASK};
-		unless ( have_capability 'FWMARK_RT_MASK' ) {
-		    fatal_error "Marks <= $limit may not be set in the PREROUTING or OUTPUT chains when HIGH_ROUTE_MARKS=Yes"
-			if $cmd && ( $chain eq 'tcpre' || $chain eq 'tcout' ) && $val <= $limit;
+		if ( $config{PROVIDER_OFFSET} ) {
+		    my $val = numeric_value( $cmd );
+		    fatal_error "Invalid MARK/CLASSIFY ($cmd)" unless defined $val;
+		    my $limit = $globals{TC_MASK};
+		    unless ( have_capability 'FWMARK_RT_MASK' ) {
+			fatal_error "Marks <= $limit may not be set in the PREROUTING or OUTPUT chains when HIGH_ROUTE_MARKS=Yes"
+			    if $cmd && ( $chain eq 'tcpre' || $chain eq 'tcout' ) && $val <= $limit;
+		    }
 		}
 	    }
 	}
@@ -592,26 +616,89 @@ sub process_tc_rule( ) {

    fatal_error "USER/GROUP only allowed in the OUTPUT chain" unless ( $user eq '-' || ( $chain eq 'tcout' || $chain eq 'tcpost' ) );

-    if ( ( my $result = expand_rule( ensure_chain( 'mangle' , $chain ) ,
-				     $restrictions{$chain} | $restriction,
-				     do_proto( $proto, $ports, $sports) . $matches .
-				     do_user( $user ) .
-				     do_test( $testval, $globals{TC_MASK} ) .
-				     do_length( $length ) .
-				     do_tos( $tos ) .
-				     do_connbytes( $connbytes ) .
-				     do_helper( $helper ) .
-				     do_headers( $headers ) .
-				     do_probability( $probability ) .
-				     do_dscp( $dscp ) ,
-				     $source ,
-				     $dest ,
-				     '' ,
-				     $mark ? "$target $mark" : $target,
-				     '' ,
-				     $target ,
-				     '' ) )
-	  && $device ) {
+    if ( $state ne '-' ) {
+	my @state = split_list( $state, 'state' );
+	my %state = %validstates;
+
+	for ( @state ) {
+	    fatal_error "Invalid STATE ($_)"   unless exists $state{$_};
+	    fatal_error "Duplicate STATE ($_)" if $state{$_};
+	}
+    } else {
+	$state = 'ALL';
+    }
+
+    if ( $mark1 ) {
+	#
+	# A Mark Range
+	#
+	my $chainref = ensure_chain( 'mangle', $chain );
+
+	( $mark1, my $mask ) = split( '/', $mark1 );
+
+	my ( $markval, $mark1val ) = ( numeric_value $mark, numeric_value $mark1 );
+
+	fatal_error "Invalid mark range ($mark-$mark1)" unless $markval < $mark1val;
+
+	$mask = $globals{TC_MASK} unless supplied $mask;
+
+	$mask = numeric_value $mask;
+
+	my $increment = 1;
+	my $shift     = 0;
+
+	$increment <<= 1, $shift++ until $increment & $mask;
+
+	$mask = in_hex $mask;
+
+	my $marks = ( ( $mark1val - $markval ) >> $shift ) + 1;
+
+	for ( my $packet = 0; $packet < $marks; $packet++, $markval += $increment ) {
+	    my $match = "-m statistic --mode nth --every $marks --packet $packet ";
+
+	    expand_rule( $chainref,
+			 $restrictions{$chain} | $restriction,
+			 $match .
+			 do_user( $user ) .
+			 do_test( $testval, $globals{TC_MASK} ) .
+			 do_test( $testval, $globals{TC_MASK} ) .
+			 do_length( $length ) .
+			 do_tos( $tos ) .
+			 do_connbytes( $connbytes ) .
+			 do_helper( $helper ) .
+			 do_headers( $headers ) .
+			 do_probability( $probability ) .
+			 do_dscp( $dscp ) .
+			 state_match( $state ) ,
+			 $source ,
+			 $dest ,
+			 '' ,
+			 "$target " . join( '/', in_hex( $markval ) , $mask ) ,
+			 '',
+			 $target ,
+			 $exceptionrule );
+	}
+    } elsif ( ( my $result = expand_rule( ensure_chain( 'mangle' , $chain ) ,
+					  $restrictions{$chain} | $restriction,
+					  do_proto( $proto, $ports, $sports) . $matches .
+					  do_user( $user ) .
+					  do_test( $testval, $globals{TC_MASK} ) .
+					  do_length( $length ) .
+					  do_tos( $tos ) .
+					  do_connbytes( $connbytes ) .
+					  do_helper( $helper ) .
+					  do_headers( $headers ) .
+					  do_probability( $probability ) .
+					  do_dscp( $dscp ) .
+					  state_match( $state ) ,
+					  $source ,
+					  $dest ,
+					  '' ,
+					  $mark ? "$target $mark" : $target,
+					  '' ,
+					  $target ,
+					  $exceptionrule ) )
+	      && $device ) {
 	#
 	# expand_rule() returns destination device if any
 	#
@@ -1137,7 +1224,8 @@ sub validate_tc_class( ) {
 	    $markprio = validate_filter_priority( $priority, 'mark' );
 	} else {
 	    fatal_error "Missing mark priority" if $prio eq '-';
-	    $markprio =  ( $prio << 8 ) | 20; 
+	    $markprio =  ( $prio << 8 ) | 20;
+	    progress_message2 "   Priority of the $device packet mark $mark filter is $markprio";
 	}

 	$markval = numeric_value( $mark );
@@ -1246,6 +1334,7 @@ sub validate_tc_class( ) {
 		} else {
 		    fatal_error "Missing TOS priority" if $prio eq '-';
 		    $priority = ( $prio << 8 ) | 15;
+		    progress_message2 "   Priority of the $device $option filter is $priority";
 		}

 		$option = "tos=$optval" if $optval;
@@ -1263,7 +1352,8 @@ sub validate_tc_class( ) {
 		    $tcref->{tcp_ack} = validate_filter_priority( $2, 'tcp-ack' );
 		} else {
 		    fatal_error "Missing tcp-ack priority" if $prio eq '-';
-		    $tcref->{tcp_ack} =  ( $prio << 8 ) | 10;
+		    my $ackpri = $tcref->{tcp_ack} =  ( $prio << 8 ) | 10;
+		    progress_message2 "   Priority of the $device tcp-ack filter is $ackpri";
 		}
 	    } elsif ( $option =~ /^tos=0x[0-9a-f]{2}$/ ) {
 		fatal_error "The $option option is not valid with 'occurs" if $tcref->{occurs} > 1;
@@ -1358,10 +1448,7 @@ sub validate_tc_class( ) {
    }

    unless ( $devref->{classify} || $occurs > 1 ) {
-	if ( $mark ne '-' ) {
-	    fatal_error "Missing MARK" if $mark eq '-';
-	    warning_message "Class NUMBER ignored -- INTERFACE $device does not have the 'classify' option"	if $devclass =~ /:/;
-	}
+	fatal_error "Missing MARK" if $mark eq '-';
    }

    $tcref->{flow}  = $devref->{flow}  unless $tcref->{flow};
@@ -1927,7 +2014,7 @@ sub process_traffic_shaping() {
 	    handle_in_bandwidth( $device, $devref->{in_bandwidth} );

 	    for my $rdev ( @{$devref->{redirected}} ) {
-		my $phyrdev = get_physical( $rdev );
+		my $phyrdev = physical_name( $rdev );
 		emit ( "run_tc qdisc add dev $phyrdev handle ffff: ingress" );
 		emit( "run_tc filter add dev $phyrdev parent ffff: protocol all u32 match u32 0 0 action mirred egress redirect dev $device > /dev/null" );
 	    }
@@ -2132,11 +2219,15 @@ sub process_secmark_rule() {
 		 I => 'tcin'    ,
 		 O => 'tcout'   , );

-    my %state = ( N =>  'NEW' ,
-		  I => 'INVALID',
-		  NI => 'NEW,INVALID',
-		  E =>  'ESTABLISHED' ,
-		  ER => 'ESTABLISHED,RELATED',
+    my %state = ( N   => 'NEW' ,
+		  I   => 'INVALID',
+		  U   => 'UNTRACKED',
+		  IU  => 'INVALID,UNTRACKED',
+		  NI  => 'NEW,INVALID',
+		  NU  => 'NEW,UNTRACKED',
+		  NIU => 'NEW,INVALID,UNTRACKED',
+		  E   => 'ESTABLISHED' ,
+		  ER  => 'ESTABLISHED,RELATED',
 		);

    my ( $chain , $state, $rest) = split ':', $chainin , 3;
@@ -2232,86 +2323,95 @@ sub setup_tc() {
    }

    if ( $config{MANGLE_ENABLED} ) {
-	our  @tccmd = ( { match     => sub ( $ ) { $_[0] eq 'SAVE' } ,
-			  target    => 'CONNMARK --save-mark --mask' ,
-			  mark      => $config{TC_EXPERT} ? HIGHMARK : SMALLMARK,
-			  mask      => in_hex( $globals{TC_MASK} ) ,
-			  connmark  => 1
-			} ,
-			{ match     => sub ( $ ) { $_[0] eq 'RESTORE' },
-			  target    => 'CONNMARK --restore-mark --mask' ,
-			  mark      => $config{TC_EXPERT} ? HIGHMARK : SMALLMARK ,
-			  mask      => in_hex( $globals{TC_MASK} ) ,
-			  connmark  => 1
-			} ,
-			{ match     => sub ( $ ) { $_[0] eq 'CONTINUE' },
-			  target    => 'RETURN' ,
-			  mark      => NOMARK ,
-			  mask      => '' ,
-			  connmark  => 0
-			} ,
-			{ match     => sub ( $ ) { $_[0] eq 'SAME' },
-			  target    => 'sticky' ,
-			  mark      => NOMARK ,
-			  mask      => '' ,
-			  connmark  => 0
-			} ,
-			{ match     => sub ( $ ) { $_[0] =~ /^IPMARK/ },
-			  target    => 'IPMARK' ,
-			  mark      => NOMARK,
-			  mask      => '',
-			  connmark  => 0
-			} ,
-			{ match     => sub ( $ ) { $_[0] =~ '\|.*'} ,
-			  target    => 'MARK --or-mark' ,
-			  mark      => HIGHMARK ,
-			  mask      => '' } ,
-			{ match     => sub ( $ ) { $_[0] =~ '&.*' },
-			  target    => 'MARK --and-mark' ,
-			  mark      => HIGHMARK ,
-			  mask      => '' ,
-			  connmark  => 0
-			} ,
-			{ match     => sub ( $ ) { $_[0] =~ /^TPROXY/ },
-			  target    => 'TPROXY',
-			  mark      => HIGHMARK,
-			  mask      => '',
-			  connmark  => '' },
-			{ match     => sub( $ ) { $_[0] =~ /^DIVERT/ },
-			  target    => 'DIVERT',
-			  mark      => HIGHMARK,
-			  mask      => '',
-			  connmark  => '' },
-			{ match     => sub( $ ) { $_[0] =~ /^TTL/ },
-			  target    => 'TTL',
-			  mark      => NOMARK,
-			  mask      => '',
-			  connmark  => 0
-			},
-			{ match     => sub( $ ) { $_[0] =~ /^HL/ },
-			  target    => 'HL',
-			  mark      => NOMARK,
-			  mask      => '',
-			  connmark  => 0
-			},
-			{ match     => sub( $ ) { $_[0] =~ /^IMQ\(\d+\)$/ },
-			  target    => 'IMQ',
-			  mark      => NOMARK,
-			  mask      => '',
-			  connmark  => 0
-			},
-			{ match     => sub( $ ) { $_[0] =~ /^DSCP\(\w+\)$/ },
-			  target    => 'DSCP',
-			  mark      => NOMARK,
-			  mask      => '',
-			  connmark  => 0
-			},
-			{ match     => sub( $ ) { $_[0] =~ /^TOS\(.+\)$/ },
-			  target    => 'TOS',
-			  mark      => NOMARK,
-			  mask      => '',
-			  connmark  => 0
-			},
+	our  %tccmd = ( SAVE =>     { match     => sub ( $ ) { $_[0] eq 'SAVE' } ,
+				      target    => 'CONNMARK --save-mark --mask' ,
+				      mark      => $config{TC_EXPERT} ? HIGHMARK : SMALLMARK,
+				      mask      => in_hex( $globals{TC_MASK} ) ,
+				      connmark  => 1
+				    } ,
+			RESTORE =>  { match     => sub ( $ ) { $_[0] eq 'RESTORE' },
+				      target    => 'CONNMARK --restore-mark --mask' ,
+				      mark      => $config{TC_EXPERT} ? HIGHMARK : SMALLMARK ,
+				      mask      => in_hex( $globals{TC_MASK} ) ,
+				      connmark  => 1
+				    } ,
+			CONTINUE => { match     => sub ( $ ) { $_[0] eq 'CONTINUE' },
+				      target    => 'RETURN' ,
+				      mark      => NOMARK ,
+				      mask      => '' ,
+				      connmark  => 0
+				    } ,
+			SAME =>     { match     => sub ( $ ) { $_[0] eq 'SAME' },
+				      target    => 'sticky' ,
+				      mark      => NOMARK ,
+				      mask      => '' ,
+				      connmark  => 0
+				    } ,
+			IPMARK =>   { match     => sub ( $ ) { $_[0] =~ /^IPMARK/ },
+				      target    => 'IPMARK' ,
+				      mark      => NOMARK,
+				      mask      => '',
+				      connmark  => 0
+				    } ,
+			'|' =>      { match     => sub ( $ ) { $_[0] =~ '\|.*'} ,
+				      target    => 'MARK --or-mark' ,
+				      mark      => HIGHMARK ,
+				      mask      => ''
+				    } ,
+			'&' =>      { match     => sub ( $ ) { $_[0] =~ '&.*' },
+				      target    => 'MARK --and-mark' ,
+				      mark      => HIGHMARK ,
+				      mask      => '' ,
+				      connmark  => 0
+				    } ,
+			TPROXY =>   { match     => sub ( $ ) { $_[0] =~ /^TPROXY/ },
+				      target    => 'TPROXY',
+				      mark      => HIGHMARK,
+				      mask      => '',
+				      connmark  => ''
+				    },
+			DIVERT =>   { match     => sub( $ ) { $_[0] =~ /^DIVERT/ },
+				      target    => 'DIVERT',
+				      mark      => HIGHMARK,
+				      mask      => '',
+				      connmark  => ''
+				    },
+			TTL =>      { match     => sub( $ ) { $_[0] =~ /^TTL/ },
+				      target    => 'TTL',
+				      mark      => NOMARK,
+				      mask      => '',
+				      connmark  => 0
+			            },
+			HL =>       { match     => sub( $ ) { $_[0] =~ /^HL/ },
+				      target    => 'HL',
+				      mark      => NOMARK,
+				      mask      => '',
+				      connmark  => 0
+			            },
+			IMQ =>      { match     => sub( $ ) { $_[0] =~ /^IMQ\(\d+\)$/ },
+				      target    => 'IMQ',
+				      mark      => NOMARK,
+				      mask      => '',
+				      connmark  => 0
+			            },
+			DSCP =>     { match     => sub( $ ) { $_[0] =~ /^DSCP\(\w+\)$/ },
+				      target    => 'DSCP',
+				      mark      => NOMARK,
+				      mask      => '',
+				      connmark  => 0
+				    },
+			TOS =>      { match     => sub( $ ) { $_[0] =~ /^TOS\(.+\)$/ },
+				      target    => 'TOS',
+				      mark      => NOMARK,
+				      mask      => '',
+				      connmark  => 0
+				    },
+			CHECKSUM => { match     => sub( $ ) { $_[0] eq 'CHECKSUM' },
+				      target    => 'CHECKSUM' ,
+				      mark      => NOMARK,
+				      mask      => '',
+				      connmark  => 0,
+				    }
 		      );

 	if ( my $fn = open_file 'tcrules' ) {
--- a/Shorewall/Perl/Shorewall/Zones.pm
+++ b/Shorewall/Perl/Shorewall/Zones.pm
@@ -195,7 +195,9 @@ my @bport_zones;
 my %ipsets;
 my %physical;
 my %basemap;
+my %basemap1;
 my %mapbase;
+my %mapbase1;
 my $family;
 my $upgrade;
 my $have_ipsec;
@@ -238,24 +240,25 @@ my %maxoptionvalue = ( routefilter => 2, mss => 100000 , wait => 120 , ignore =>

 my %validhostoptions;

-my %validzoneoptions = ( mss          => NUMERIC,
-			 nomark       => NOTHING,
-			 blacklist    => NOTHING,
-			 strict       => NOTHING,
-			 next         => NOTHING,
-			 reqid        => NUMERIC,
-			 spi          => NUMERIC,
-			 proto        => IPSECPROTO,
-			 mode         => IPSECMODE,
-			 "tunnel-src" => NETWORK,
-			 "tunnel-dst" => NETWORK,
+my %validzoneoptions = ( mss            => NUMERIC,
+			 nomark         => NOTHING,
+			 blacklist      => NOTHING,
+			 dynamic_shared => NOTHING,
+			 strict         => NOTHING,
+			 next           => NOTHING,
+			 reqid          => NUMERIC,
+			 spi            => NUMERIC,
+			 proto          => IPSECPROTO,
+			 mode           => IPSECMODE,
+			 "tunnel-src"   => NETWORK,
+			 "tunnel-dst"   => NETWORK,
 		       );

 use constant { UNRESTRICTED => 1, NOFW => 2 , COMPLEX => 8, IN_OUT_ONLY => 16 };
 #
 # Hash of options that have their own key in the returned hash.
 #
-my %zonekey = ( mss => UNRESTRICTED | COMPLEX , blacklist => NOFW, nomark => NOFW | IN_OUT_ONLY );
+my %zonekey = ( mss => UNRESTRICTED | COMPLEX , blacklist => NOFW, nomark => NOFW | IN_OUT_ONLY, dynamic_shared => IN_OUT_ONLY );

 #
 # Rather than initializing globals in an INIT block or during declaration,
@@ -281,7 +284,9 @@ sub initialize( $$ ) {
    %ipsets = ();
    %physical = ();
    %basemap = ();
+    %basemap1 = ();
    %mapbase = ();
+    %mapbase1 = ();
    $baseseq = 0;
    $minroot = 0;

@@ -399,7 +404,7 @@ sub parse_zone_option_list($$\$$)

 	    if ( $key ) {
 		fatal_error "Option '$e' not permitted with this zone type " if $key & NOFW && ($zonetype & ( FIREWALL | VSERVER) );
-		fatal_error "Opeion '$e' is only permitted in the OPTIONS columns" if $key & IN_OUT_ONLY && $column != IN_OUT;
+		fatal_error "Option '$e' is only permitted in the OPTIONS columns" if $key & IN_OUT_ONLY && $column != IN_OUT;
 		$$complexref = 1 if $key & COMPLEX;
 		$h{$e} = $val || 1;
 	    } else {
@@ -759,6 +764,13 @@ sub add_group_to_zone($$$$$)
 	    $new = \@exclusions;
 	}

+	if ( substr( $host, 0, 1 ) eq '+' ) {
+	    fatal_error "Invalid ipset name ($host)" unless $host =~ /^\+(6_)?[a-zA-Z][-\w]*$/;
+	    require_capability( 'IPSET_MATCH', 'Ipset names in host lists', '');
+	} else {
+	    $host = validate_host $host, 0;
+	}
+
 	unless ( $switched ) {
 	    if ( $type == $zonetype ) {
 		fatal_error "Duplicate Host Group ($interface:$host) in zone $zone" if $interfaces{$interface}{zone} eq $zone;
@@ -777,13 +789,6 @@ sub add_group_to_zone($$$$$)
 	    }
 	}

-	if ( substr( $host, 0, 1 ) eq '+' ) {
-	    fatal_error "Invalid ipset name ($host)" unless $host =~ /^\+(6_)?[a-zA-Z]\w*$/;
-	    require_capability( 'IPSET_MATCH', 'Ipset names in host lists', '');
-	} else {
-	    validate_host $host, 0;
-	}
-
 	push @$new, $host;
    }

@@ -935,6 +940,55 @@ sub chain_base($) {
    $basemap{$key} = $name;
 }

+#
+# This is a slightly relaxed version of the above that allows '-' in the generated name.
+#
+sub chain_base1($) {
+    my $chain = $_[0];
+    my $name  = $basemap1{$chain};
+    #
+    # Return existing mapping, if any
+    #
+    return $name if $name;
+    #
+    # Remember initial value
+    #
+    my $key = $chain;
+    #
+    # Handle VLANs and wildcards
+    #
+    $chain =~ s/\+$//;
+    $chain =~ tr/./_/;
+
+    if ( $chain eq '' || $chain =~ /^[0-9]/ || $chain =~ /[^-\w]/ ) {
+	#
+	# Must map. Remove all illegal characters
+	#
+	$chain =~ s/[^\w]//g;
+	#
+	# Prefix with if_ if it begins with a digit
+	#
+	$chain = join( '' , 'if_', $chain ) if $chain =~ /^[0-9]/;
+	#
+	# Create a new unique name
+	#
+	1 while $mapbase1{$name = join ( '_', $chain, ++$baseseq )};
+    } else {
+	#
+	# We'll store the identity mapping if it is unique
+	#
+	$chain = join( '_', $key , ++$baseseq ) while $mapbase1{$name = $chain};
+    }
+    #
+    # Store the reverse mapping
+    #
+    $mapbase1{$name} = $key;
+    #
+    # Store the mapping
+    #
+    $basemap1{$key} = $name;
+}
+
 #
 # Process a record in the interfaces file
 #
@@ -1153,7 +1207,7 @@ sub process_interface( $$ ) {
 		    $hostoptions{broadcast} = 1;
 		} elsif ( $option eq 'sfilter' ) {
 		    $filterref = [ split_list $value, 'address' ];
-		    validate_net( $_, 1) for @{$filterref}
+		    $_ = validate_net( $_, 1) for @{$filterref}
 		} else {
 		    assert(0);
 		}
@@ -1194,7 +1248,8 @@ sub process_interface( $$ ) {
 	}

 	if ( $netsref eq 'dynamic' ) {
-	    my $ipset = $family == F_IPV4 ? "${zone}_" . chain_base $physical : "6_${zone}_" . chain_base $physical;
+	    my $ipset = $family == F_IPV4 ? "${zone}" : "6_${zone}";
+	    $ipset = join( '_', $ipset, chain_base1( $physical ) ) unless $zoneref->{options}{in_out}{dynamic_shared};	    
 	    $netsref = [ "+$ipset" ];
 	    $ipsets{$ipset} = 1;
 	}
@@ -1764,9 +1819,10 @@ sub process_host( ) {
 	} else {
 	    fatal_error "Invalid HOST(S) column contents: $hosts";
 	}
-    } elsif ( $hosts =~ /^([\w.@%-]+\+?):<(.*)>$/   ||
-	      $hosts =~ /^([\w.@%-]+\+?):\[(.*)\]$/ ||
-	      $hosts =~ /^([\w.@%-]+\+?):(!?\+.*)$/   ||
+    } elsif ( $hosts =~ /^([\w.@%-]+\+?):<(.*)>$/               ||
+	      $hosts =~ /^([\w.@%-]+\+?)\[(.*)\]$/              ||
+	      $hosts =~ /^([\w.@%-]+\+?):(!?\[.+\](?:\/\d+)?)$/ ||
+	      $hosts =~ /^([\w.@%-]+\+?):(!?\+.*)$/             ||
 	      $hosts =~ /^([\w.@%-]+\+?):(dynamic)$/ ) {
 	$interface = $1;
 	$hosts = $2;
@@ -1777,9 +1833,9 @@ sub process_host( ) {
    }

    if ( $hosts =~ /^!?\+/ ) {
-	$zoneref->{complex} = 1;
-	fatal_error "ipset name qualification is disallowed in this file" if $hosts =~ /[\[\]]/;
-	fatal_error "Invalid ipset name ($hosts)" unless $hosts =~ /^!?\+[a-zA-Z][-\w]*$/;
+       $zoneref->{complex} = 1;
+       fatal_error "ipset name qualification is disallowed in this file" if $hosts =~ /[\[\]]/;
+       fatal_error "Invalid ipset name ($hosts)" unless $hosts =~ /^!?\+[a-zA-Z][-\w]*$/;
    }

    if ( $type & BPORT ) {
@@ -1843,8 +1899,14 @@ sub process_host( ) {
    if ( $hosts eq 'dynamic' ) {
 	fatal_error "Vserver zones may not be dynamic" if $type & VSERVER;
 	require_capability( 'IPSET_MATCH', 'Dynamic nets', '');
-	my $physical = chain_base( physical_name $interface );
-	my $set      = $family == F_IPV4 ? "${zone}_${physical}" : "6_${zone}_${physical}";
+
+	my $set = $family == F_IPV4 ? "${zone}" : "6_${zone}";
+	
+	unless ( $zoneref->{options}{in_out}{dynamic_shared} ) {
+	    my $physical = chain_base1( physical_name $interface );
+	    $set = join( '_', $set, $physical );
+	}
+
 	$hosts = "+$set";
 	$optionsref->{dynamic} = 1;
 	$ipsets{$set} = 1;
--- a/Shorewall/Perl/getparams
+++ b/Shorewall/Perl/getparams
@@ -39,10 +39,7 @@ fi
 . /usr/share/shorewall/shorewallrc

 g_program=$PRODUCT
-g_libexec="$LIBEXECDIR"
 g_sharedir="$SHAREDIR/shorewall"
-g_sbindir="$SBINDIR"
-g_perllib="$PERLLIBDIR"
 g_confdir="$CONFDIR/$PRODUCT"
 g_readrc=1

--- a/Shorewall/Perl/lib.core
+++ b/Shorewall/Perl/lib.core
@@ -430,7 +430,7 @@ run_iptables()
    local status

    while [ 1 ]; do
-	$g_tool $@
+	eval $g_tool $@
 	status=$?
 	[ $status -ne 4 ] && break
    done
@@ -626,7 +626,7 @@ EOF
    fi
 }

-?IF __IPV4
+?if __IPV4
 #################################################################################
 #                        IPv4-specific Functions
 #################################################################################
@@ -838,13 +838,13 @@ detect_dynamic_gateway() { # $1 = interface
 	gateway=$( find_peer $($IP addr list $interface ) )
    fi

-    if [ -z "$gateway" -a -f /var/lib/dhcpcd/dhcpcd-${1}.info ]; then
-	eval $(grep ^GATEWAYS=  /var/lib/dhcpcd/dhcpcd-${1}.info 2> /dev/null)
+    if [ -z "$gateway" -a -f ${VARLIB}/dhcpcd/dhcpcd-${1}.info ]; then
+	eval $(grep ^GATEWAYS=  ${VARLIB}/dhcpcd/dhcpcd-${1}.info 2> /dev/null)
 	[ -n "$GATEWAYS" ] && GATEWAYS=${GATEWAYS%,*} && gateway=$GATEWAYS
    fi

-    if [ -z "$gateway" -a -f /var/lib/dhcp/dhclient-${1}.lease ]; then
-	gateway=$(grep 'option routers' /var/lib/dhcp/dhclient-${1}.lease | tail -n 1 | while read j1 j2 gateway; do echo $gateway ; return 0; done)
+    if [ -z "$gateway" -a -f ${VARLIB}/dhcp/dhclient-${1}.lease ]; then
+	gateway=$(grep 'option routers' ${VARLIB}/dhcp/dhclient-${1}.lease | tail -n 1 | while read j1 j2 gateway; do echo $gateway ; return 0; done)
    fi

    [ -n "$gateway" ] && echo $gateway
@@ -1032,7 +1032,7 @@ get_all_bcasts()
    $IP -f inet addr show 2> /dev/null | grep 'inet.*brd' | grep -v '/32 ' | sed 's/inet.*brd //; s/scope.*//;' | sort -u
 }

-?ELSE
+?else
 #################################################################################
 #                        IPv6-specific Functions
 #################################################################################
@@ -1324,4 +1324,4 @@ clear_firewall() {
    logger -p kern.info "$g_product Cleared"
 }

-?ENDIF
+?endif
--- a/Shorewall/Perl/prog.footer
+++ b/Shorewall/Perl/prog.footer
@@ -33,25 +33,25 @@ usage() {
 }

 checkkernelversion() {
+?if __IPV6
    local kernel

-    if [ $g_family -eq 6 ]; then
-	kernel=$(uname -r 2> /dev/null | sed -e 's/-.*//')
+    kernel=$(uname -r 2> /dev/null | sed -e 's/-.*//')

-	case "$kernel" in
-	    *.*.*)
-		kernel=$(printf "%d%02d%02d" $(echo $kernel | sed -e 's/^\([0-9][0-9]*\)\.\([0-9][0-9]*\)\.\([0-9][0-9]*\).*$/\1 \2 \3/g'))
-		;;
-	    *)
-		kernel=$(printf "%d%02d00" $(echo $kernel | sed -e 's/^\([0-9][0-9]*\)\.\([0-9][0-9]*\).*$/\1 \2/g'))
-		;;
-	esac
+    case "$kernel" in
+	*.*.*)
+	    kernel=$(printf "%d%02d%02d" $(echo $kernel | sed -e 's/^\([0-9][0-9]*\)\.\([0-9][0-9]*\)\.\([0-9][0-9]*\).*$/\1 \2 \3/g'))
+	    ;;
+	*)
+	    kernel=$(printf "%d%02d00" $(echo $kernel | sed -e 's/^\([0-9][0-9]*\)\.\([0-9][0-9]*\).*$/\1 \2/g'))
+	    ;;
+    esac

-	if [ $kernel -lt 20624 ]; then
-	    error_message "ERROR: $g_product requires Linux kernel 2.6.24 or later"
-	    return 1
-	fi
+    if [ $kernel -lt 20624 ]; then
+	error_message "ERROR: $g_product requires Linux kernel 2.6.24 or later"
+	return 1
    fi
+?endif

    return 0
 }
--- a/Shorewall/Samples/Universal/rules
+++ b/Shorewall/Samples/Universal/rules
@@ -6,8 +6,8 @@
 # The manpage is also online at
 # http://www.shorewall.net/manpages/shorewall-rules.html
 #
-##############################################################################################################################################################################################
-#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME         HEADERS         SWITCH     HELPER
+#################################################################################################################################################################################################
+#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME		HEADERS	 SWITCH		 HELPER
 #							PORT	PORT(S)		DEST		LIMIT		GROUP
 #SECTION ALL
 #SECTION ESTABLISHED
--- a/Shorewall/Samples/Universal/shorewall.conf
+++ b/Shorewall/Samples/Universal/shorewall.conf
@@ -186,6 +186,8 @@ REQUIRE_INTERFACE=Yes

 RESTORE_DEFAULT_ROUTE=Yes

+RESTORE_ROUTEMARKS=Yes
+
 RETAIN_ALIASES=No

 ROUTE_FILTER=No
--- a/Shorewall/Samples/one-interface/rules
+++ b/Shorewall/Samples/one-interface/rules
@@ -10,8 +10,8 @@
 # See the file README.txt for further details.
 #------------------------------------------------------------------------------------------------------------
 # For information on entries in this file, type "man shorewall-rules"
-##############################################################################################################################################################################################
-#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME         HEADERS         SWITCH     HELPER
+#################################################################################################################################################################################################
+#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME		HEADERS	 SWITCH		 HELPER
 #							PORT	PORT(S)		DEST		LIMIT		GROUP
 #SECTION ALL
 #SECTION ESTABLISHED
--- a/Shorewall/Samples/one-interface/shorewall.conf
+++ b/Shorewall/Samples/one-interface/shorewall.conf
@@ -197,6 +197,8 @@ REQUIRE_INTERFACE=No

 RESTORE_DEFAULT_ROUTE=Yes

+RESTORE_ROUTEMARKS=Yes
+
 RETAIN_ALIASES=No

 ROUTE_FILTER=No
--- a/Shorewall/Samples/three-interfaces/rules
+++ b/Shorewall/Samples/three-interfaces/rules
@@ -10,8 +10,8 @@
 # See the file README.txt for further details.
 #------------------------------------------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall-rules"
-##############################################################################################################################################################################################
-#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME         HEADERS         SWITCH     HELPER
+#################################################################################################################################################################################################
+#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME		HEADERS	 SWITCH		 HELPER
 #							PORT	PORT(S)		DEST		LIMIT		GROUP
 #SECTION ALL
 #SECTION ESTABLISHED
--- a/Shorewall/Samples/three-interfaces/shorewall.conf
+++ b/Shorewall/Samples/three-interfaces/shorewall.conf
@@ -195,6 +195,8 @@ REQUIRE_INTERFACE=No

 RESTORE_DEFAULT_ROUTE=Yes

+RESTORE_ROUTEMARKS=Yes
+
 RETAIN_ALIASES=No

 ROUTE_FILTER=No
--- a/Shorewall/Samples/three-interfaces/stoppedrules
+++ b/Shorewall/Samples/three-interfaces/stoppedrules
@@ -11,7 +11,7 @@
 #------------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall-stoppedrules"
 ###############################################################################
-#TARGET		SOURCE		DEST		PROTO	DEST		SOURCE
+#ACTION		SOURCE		DEST		PROTO	DEST		SOURCE
 #							PORT(S)		PORT(S)
 ACCEPT		eth1		-
 ACCEPT		-		eth1
--- a/Shorewall/Samples/two-interfaces/rules
+++ b/Shorewall/Samples/two-interfaces/rules
@@ -10,8 +10,8 @@
 # See the file README.txt for further details.
 #------------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall-rules"
-##############################################################################################################################################################################################
-#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME         HEADERS         SWITCH     HELPER
+#################################################################################################################################################################################################
+#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME		HEADERS	 SWITCH		 HELPER
 #							PORT	PORT(S)		DEST		LIMIT		GROUP
 #SECTION ALL
 #SECTION ESTABLISHED
--- a/Shorewall/Samples/two-interfaces/shorewall.conf
+++ b/Shorewall/Samples/two-interfaces/shorewall.conf
@@ -198,6 +198,8 @@ REQUIRE_INTERFACE=No

 RESTORE_DEFAULT_ROUTE=Yes

+RESTORE_ROUTEMARKS=Yes
+
 RETAIN_ALIASES=No

 ROUTE_FILTER=No
--- a/Shorewall/Samples/two-interfaces/stoppedrules
+++ b/Shorewall/Samples/two-interfaces/stoppedrules
@@ -11,7 +11,7 @@
 #------------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall-stoppedrules"
 ###############################################################################
-#TARGET		SOURCE		DEST		PROTO	DEST		SOURCE
+#ACTION		SOURCE		DEST		PROTO	DEST		SOURCE
 #							PORT(S)		PORT(S)
 ACCEPT		eth1		-
 ACCEPT		-		eth1
--- a/Shorewall/action.Broadcast
+++ b/Shorewall/action.Broadcast
@@ -43,6 +43,7 @@ fatal_error "Invalid parameter ($audit) to action Broadcast"   if supplied $audi
 fatal_error "Invalid parameter ($action) to action Broadcast"  unless $action =~ /^(?:ACCEPT|DROP|REJECT)$/;

 my $chainref           = get_action_chain;
+
 my ( $level, $tag )    = get_action_logging;
 my $target             = require_audit ( $action , $audit );

--- a/Shorewall/action.DropSmurfs
+++ b/Shorewall/action.DropSmurfs
@@ -16,12 +16,14 @@ DEFAULTS -
 ?BEGIN PERL;
 use strict;
 use Shorewall::Config qw(:DEFAULT F_IPV4 F_IPV6);
+use Shorewall::IPAddrs qw( IPv6_MULTICAST );
 use Shorewall::Chains;
 use Shorewall::Rules;

 my ( $audit ) = get_action_params( 1 );

 my $chainref        = get_action_chain;
+
 my ( $level, $tag ) = get_action_logging;
 my $target;

--- a/Shorewall/action.Invalid
+++ b/Shorewall/action.Invalid
@@ -43,6 +43,7 @@ fatal_error "Invalid parameter ($audit) to action Invalid"   if supplied $audit
 fatal_error "Invalid parameter ($action) to action Invalid"  unless $action =~ /^(?:ACCEPT|DROP|REJECT)$/;

 my $chainref         = get_action_chain;
+
 my ( $level, $tag )  = get_action_logging;
 my $target           = require_audit ( $action , $audit );

--- a/Shorewall/action.NotSyn
+++ b/Shorewall/action.NotSyn
@@ -43,6 +43,7 @@ fatal_error "Invalid parameter ($audit) to action NotSyn"   if supplied $audit &
 fatal_error "Invalid parameter ($action) to action NotSyn"  unless $action =~ /^(?:ACCEPT|DROP|REJECT)$/;

 my $chainref         = get_action_chain;
+
 my ( $level, $tag )  = get_action_logging;
 my $target           = require_audit ( $action , $audit );

--- a/Shorewall/action.RST
+++ b/Shorewall/action.RST
@@ -38,15 +38,16 @@ use Shorewall::Chains;

 my ( $action, $audit ) = get_action_params( 2 );

-fatal_error "Invalid parameter ($audit) to action NotSyn"   if supplied $audit && $audit ne 'audit';
-fatal_error "Invalid parameter ($action) to action NotSyn"  unless $action =~ /^(?:ACCEPT|DROP)$/;
+fatal_error "Invalid parameter ($audit) to action RST"   if supplied $audit && $audit ne 'audit';
+fatal_error "Invalid parameter ($action) to action RST"  unless $action =~ /^(?:ACCEPT|DROP)$/;

 my $chainref         = get_action_chain;
+
 my ( $level, $tag )  = get_action_logging;
 my $target           = require_audit ( $action , $audit );

 log_rule_limit $level, $chainref, 'RST' , $action, '', $tag, 'add', '-p 6 --tcp-flags RST RST ' if $level ne '';
-add_jump $chainref , $target, 0, '-p 6 --tcp-flags RST RST, ';
+add_jump $chainref , $target, 0, '-p 6 --tcp-flags RST RST ';

 allow_optimize( $chainref );

--- a/Shorewall/action.TCPFlags
+++ b/Shorewall/action.TCPFlags
@@ -1,7 +1,7 @@
 #
-# Shorewall version 4 - Drop Smurfs Action
+# Shorewall version 4 - Drop TCPFlags Action
 #
-# /usr/share/shorewall/action.DropSmurfs
+# /usr/share/shorewall/action.TCPFlags
 #
 #   Accepts a single optional parameter:
 #
@@ -21,6 +21,7 @@ use Shorewall::Chains;
 my ( $disposition, $audit ) = get_action_params( 2 );

 my $chainref        = get_action_chain;
+
 my ( $level, $tag ) = get_action_logging;

 fatal_error q(The first argument to 'TCPFlags' must be ACCEPT, REJECT, or DROP) unless $disposition =~ /^(ACCEPT|REJECT|DROP)$/;
--- a/Shorewall/action.template
+++ b/Shorewall/action.template
@@ -21,6 +21,6 @@
 #######################################################################################################
 #                                         DO NOT REMOVE THE FOLLOWING LINE
 FORMAT 2
-####################################################################################################################################################################
-#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME         HEADERS
+#################################################################################################################################################################################################
+#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME         HEADERS         SWITCH        HELPER
 #							PORT	PORT(S)		DEST		LIMIT		GROUP
--- a/Shorewall/actions.std
+++ b/Shorewall/actions.std
@@ -33,13 +33,13 @@
 #
 ###############################################################################
 #ACTION
-A_Drop 		    # Audited Default Action for DROP policy
-A_Reject	    # Audited Default action for REJECT policy
-Broadcast	    # Handles Broadcast/Multicast/Anycast
-Drop		    # Default Action for DROP policy
-DropSmurfs          # Drop smurf packets
-Invalid             # Handles packets in the INVALID conntrack state
-NotSyn              # Handles TCP packets which do not have SYN=1 and ACK=0
-Reject		    # Default Action for REJECT policy
-RST		    # Handle packets with RST set
-TCPFlags            # Handle bad flag combinations.
+A_Drop 		                # Audited Default Action for DROP policy
+A_Reject	                # Audited Default action for REJECT policy
+Broadcast  noinline             # Handles Broadcast/Multicast/Anycast
+Drop		                # Default Action for DROP policy
+DropSmurfs noinline             # Drop smurf packets
+Invalid    noinline             # Handles packets in the INVALID conntrack state
+NotSyn     noinline             # Handles TCP packets which do not have SYN=1 and ACK=0
+Reject                          # Default Action for REJECT policy
+RST	   noinline             # Handle packets with RST set
+TCPFlags   noinline             # Handle bad flag combinations.
--- a/Shorewall/configfiles/actions
+++ b/Shorewall/configfiles/actions
@@ -7,6 +7,6 @@
 #
 # Please see http://shorewall.net/Actions.html for additional information.
 #
-###############################################################################
-#ACTION             COMMENT (place '# ' below the 'C' in comment followed by
-#                           a comment describing the action)
+########################################################################################
+#ACTION    OPTIONS		COMMENT (place '# ' below the 'C' in comment followed by
+#                        	v        a comment describing the action)
--- a/Shorewall/configfiles/conntrack
+++ b/Shorewall/configfiles/conntrack
@@ -3,51 +3,51 @@
 #
 # For information about entries in this file, type "man shorewall-conntrack"
 #
-#############################################################################################
-FORMAT 2
-#ACTION			SOURCE		DESTINATION	PROTO	DEST		SOURCE	USER/
+##############################################################################################################
+FORMAT 3
+#ACTION			SOURCE		DESTINATION	PROTO	DEST		SOURCE	USER/		SWITCH
 #								PORT(S)		PORT(S)	GROUP
 ?if $AUTOHELPERS && __CT_TARGET

 ?if __AMANDA_HELPER
-CT:helper:amanda	all		-		udp	10080
+CT:helper:amanda:PO	-		-		udp	10080
 ?endif

 ?if __FTP_HELPER
-CT:helper:ftp		all		-		tcp	21
+CT:helper:ftp:PO	-		-		tcp	21
 ?endif

 ?if __H323_HELPER
-CT:helper:RAS		all		-		udp	1719
-CT:helper:Q.931		all		-		tcp	1720
+CT:helper:RAS;PO	-		-		udp	1719
+CT:helper:Q.931:PO	-		-		tcp	1720
 ?endif

 ?if __IRC_HELPER
-CT:helper:irc		all		-		tcp	6667
+CT:helper:irc:PO	-		-		tcp	6667
 ?endif

 ?if __NETBIOS_NS_HELPER
-CT:helper:netbios-ns	all		-		udp	137
+CT:helper:netbios-ns:PO	-		-		udp	137
 ?endif

 ?if __PPTP_HELPER
-CT:helper:pptp		all		-		tcp	1729
+CT:helper:pptp:PO	-		-		tcp	1723
 ?endif

 ?if __SANE_HELPER
-CT:helper:sane		all		-		tcp	6566
+CT:helper:sane:PO	-		-		tcp	6566
 ?endif

 ?if __SIP_HELPER
-CT:helper:sip		all		-		udp	5060
+CT:helper:sip:PO	-		-		udp	5060
 ?endif

 ?if __SNMP_HELPER
-CT:helper:snmp		all		-		udp	161
+CT:helper:snmp:PO	-		-		udp	161
 ?endif

 ?if __TFTP_HELPER
-CT:helper:tftp		all		-		udp	69
+CT:helper:tftp:PO	-		-		udp	69
 ?endif

 ?endif
--- a/Shorewall/configfiles/rules
+++ b/Shorewall/configfiles/rules
@@ -7,7 +7,7 @@
 # http://www.shorewall.net/manpages/shorewall-rules.html
 #
 #################################################################################################################################################################################################
-#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME         HEADERS         SWITCH        HELPER
+#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME		HEADERS	 SWITCH		 HELPER
 #							PORT	PORT(S)		DEST		LIMIT		GROUP
 #SECTION ALL
 #SECTION ESTABLISHED
--- a/Shorewall/configfiles/shorewall.conf
+++ b/Shorewall/configfiles/shorewall.conf
@@ -186,6 +186,8 @@ REQUIRE_INTERFACE=No

 RESTORE_DEFAULT_ROUTE=Yes

+RESTORE_ROUTEMARKS=Yes
+
 RETAIN_ALIASES=No

 ROUTE_FILTER=No
--- a/Shorewall/configfiles/stoppedrules
+++ b/Shorewall/configfiles/stoppedrules
@@ -10,5 +10,5 @@
 # information.
 #
 ###############################################################################
-#TARGET		SOURCE			DEST		PROTO	DEST	SOURCE
+#ACTION		SOURCE			DEST		PROTO	DEST	SOURCE
 #								PORT(S)	PORT(S)
--- a/Shorewall/install.sh
+++ b/Shorewall/install.sh
@@ -395,6 +395,7 @@ fi
 if [ -n "$SYSTEMD" ]; then
    mkdir -p ${DESTDIR}${SYSTEMD}
    run_install $OWNERSHIP -m 600 $PRODUCT.service ${DESTDIR}${SYSTEMD}/$PRODUCT.service
+    [ ${SBINDIR} != /sbin ] && eval sed -i \'s\|/sbin/\|${SBINDIR}/\|\' ${DESTDIR}${SYSTEMD}/$PRODUCT.service
    echo "Service file installed as ${DESTDIR}${SYSTEMD}/$PRODUCT.service"
 fi

--- a/Shorewall/lib.cli-std
+++ b/Shorewall/lib.cli-std
@@ -136,6 +136,12 @@ get_config() {
 			exit 2
 		    fi
 		    ;;
+		ipset)
+		    #
+		    # Old config files had this as default
+		    #
+		    IPSET=''
+		    ;;
 		*)
 		    prog="$(mywhich $IPSET 2> /dev/null)"
 		    if [ -z "$prog" ] ; then
@@ -146,7 +152,7 @@ get_config() {
 		    ;;
 	    esac
 	else
-	    IPSET='ipset'
+	    IPSET=''
 	fi

 	if [ -n "$TC" ]; then
@@ -363,7 +369,7 @@ compiler() {
    local shorewallrc
    local shorewallrc1

-    pc=$g_libexec/shorewall/compiler.pl
+    pc=${LIBEXECDIR}/shorewall/compiler.pl

    if [ $(id -u) -ne 0 ]; then
 	if [ -z "$g_shorewalldir" -o "$g_shorewalldir" = /etc/$g_program ]; then
@@ -430,10 +436,10 @@ compiler() {
 	PERL=/usr/bin/perl
    fi

-    if [ $g_perllib = ${g_libexec}/shorewall ]; then
+    if [ ${PERLLIBDIR} = ${LIBEXECDIR}/shorewall ]; then
 	$PERL $debugflags $pc $options $@
    else
-	PERL5LIB=$g_perllib
+	PERL5LIB=${PERLLIBDIR}
 	export PERL5LIB
 	$PERL $debugflags $pc $options $@
    fi
@@ -1309,7 +1315,7 @@ try_command() {

    [ -n "$nolock" ] || mutex_on

-    if run_it ${VARDIR}/.$command $command && [ -n "$timeout" ]; then
+    if run_it ${VARDIR}/.$command $g_debugging $command && [ -n "$timeout" ]; then
 	sleep $timeout

 	if [ "$command" = "restart" ]; then
--- a/Shorewall/manpages/shorewall-actions.xml
+++ b/Shorewall/manpages/shorewall-actions.xml
@@ -28,11 +28,73 @@
    the iptables rules to be performed in an ACTION in
    /etc/shorewall/action.<emphasis>action-name</emphasis>.</para>

-    <para>ACTION names should begin with an upper-case letter to distinguish
-    them from Shorewall-generated chain names and be composed of letters,
-    digits or numbers. If you intend to log from the action then the name must
-    be no longer than 11 characters in length if you use the standard
-    LOGFORMAT.</para>
+    <para>Columns are:</para>
+
+    <variablelist>
+      <varlistentry>
+        <term>NAME</term>
+
+        <listitem>
+          <para>The name of the action. ACTION names should begin with an
+          upper-case letter to distinguish them from Shorewall-generated chain
+          names and be composed of letters, digits or numbers. If you intend
+          to log from the action then the name must be no longer than 11
+          characters in length if you use the standard LOGFORMAT.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>OPTIONS</term>
+
+        <listitem>
+          <para>Added in Shorewall 4.5.10. Available options are:</para>
+
+          <variablelist>
+            <varlistentry>
+              <term>inline</term>
+
+              <listitem>
+                <para>Causes the action body (defined in
+                action.<replaceable>action-name</replaceable>) to be expanded
+                in-line like a macro rather than in its own chain. You can
+                list Shorewall Standard Actions in this file to specify the
+                <option>inline</option> option.</para>
+
+                <caution>
+                  <para>Some of the Shorewall standard actions cannot be used
+                  in-line and will generate a warning and the compiler will
+                  ignore <option>inline</option> if you try to use them that
+                  way:</para>
+
+                  <simplelist>
+                    <member>Broadcast</member>
+
+                    <member>DropSmurfs</member>
+
+                    <member>Invalid</member>
+
+                    <member>NotSyn</member>
+
+                    <member>RST</member>
+
+                    <member>TCPFlags</member>
+                  </simplelist>
+                </caution>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term>noinline</term>
+
+              <listitem>
+                <para>Causes any later <option>inline</option> option for the
+                same action to be ignored with a warning.</para>
+              </listitem>
+            </varlistentry>
+          </variablelist>
+        </listitem>
+      </varlistentry>
+    </variablelist>
  </refsect1>

  <refsect1>
--- a/Shorewall/manpages/shorewall-conntrack.xml
+++ b/Shorewall/manpages/shorewall-conntrack.xml
@@ -32,11 +32,26 @@
    role="bold">raw</emphasis> table. In 4.5.7, the file's name was changed to
    <emphasis role="bold">conntrack</emphasis>.</para>

-    <para>The file supports two different column layouts: FORMAT 1 and FORMAT
-    2, FORMAT 1 being the default. The two differ in that FORMAT 2 has an
-    additional leading ACTION column. When an entry in the file of this form
-    is encountered, the format of the following entries are assumed to be of
-    the specified <replaceable>format</replaceable>.</para>
+    <para>The file supports two different column layouts: FORMAT 1, FORMAT 2,
+    and FORMAT 3, FORMAT 1 being the default. The three differ as
+    follows:</para>
+
+    <itemizedlist>
+      <listitem>
+        <para>in FORMAT 2 and 3, there is an additional leading ACTION
+        column.</para>
+      </listitem>
+
+      <listitem>
+        <para>in FORMAT 3, the SOURCE column accepts no zone name; rather the
+        ACTION column allows a SUFFIX that determines the chain(s) that the
+        generated rule will be added to.</para>
+      </listitem>
+    </itemizedlist>
+
+    <para>When an entry in the following form is encountered, the format of
+    the following entries are assumed to be of the specified
+    <replaceable>format</replaceable>.</para>

    <simplelist>
      <member><emphasis role="bold">FORMAT</emphasis>
@@ -44,7 +59,10 @@
    </simplelist>

    <para>where <replaceable>format</replaceable> is either <emphasis
-    role="bold">1</emphasis> or <emphasis role="bold">2</emphasis>.</para>
+    role="bold">1</emphasis>,<emphasis role="bold">2</emphasis> or <emphasis
+    role="bold">3</emphasis>.</para>
+
+    <para>Format 3 was introduced in Shorewall 4.5.10.</para>

    <para>Comments may be attached to Netfilter rules generated from entries
    in this file through the use of COMMENT lines. These lines begin with the
@@ -63,12 +81,12 @@
        role="bold">NOTRACK</emphasis>|<emphasis
        role="bold">CT</emphasis>:<emphasis
        role="bold">helper</emphasis>:<replaceable>name</replaceable>[(<replaceable>arg</replaceable>=<replaceable>val</replaceable>[,...])|<emphasis
-        role="bold">CT:notrack</emphasis>}</term>
+        role="bold">CT:notrack</emphasis>|DROP}[:<replaceable>chain-designator</replaceable>]</term>

        <listitem>
-          <para>This column is only present when FORMAT = 2. Values other than
-          NOTRACK require <firstterm>CT Target </firstterm>support in your
-          iptables and kernel.</para>
+          <para>This column is only present when FORMAT &gt;= 2. Values other
+          than NOTRACK or DROP require <firstterm>CT Target
+          </firstterm>support in your iptables and kernel.</para>

          <itemizedlist>
            <listitem>
@@ -78,6 +96,13 @@
              <para>Disables connection tracking for this packet.</para>
            </listitem>

+            <listitem>
+              <para><option>DROP</option></para>
+
+              <para>Added in Shorewall 4.5.10. Silently discard the
+              packet.</para>
+            </listitem>
+
            <listitem>
              <para><option>helper</option>:<replaceable>name</replaceable></para>

@@ -143,6 +168,14 @@
                  </listitem>
                </varlistentry>

+                <varlistentry>
+                  <term></term>
+
+                  <listitem>
+                    <para></para>
+                  </listitem>
+                </varlistentry>
+
                <varlistentry>
                  <term>sane</term>

@@ -217,11 +250,46 @@

          <para>When FORMAT = 1, this column is not present and the rule is
          processed as if NOTRACK had been entered in this column.</para>
+
+          <para>Beginning with Shorewall 4.5.10, when FORMAT = 3, this column
+          can end with a colon followed by a
+          <replaceable>chain-designator</replaceable>. The
+          <replaceable>chain-designator</replaceable> can be one of the
+          following:</para>
+
+          <variablelist>
+            <varlistentry>
+              <term>P</term>
+
+              <listitem>
+                <para>The rule is added to the raw table PREROUTING chain.
+                This is the default if no
+                <replaceable>chain-designator</replaceable> is present.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term>O</term>
+
+              <listitem>
+                <para>The rule is added to the raw table OUTPUT chain.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term>PO or OP</term>
+
+              <listitem>
+                <para>The rule is added to the raw table PREROUTING and OUTPUT
+                chains.</para>
+              </listitem>
+            </varlistentry>
+          </variablelist>
        </listitem>
      </varlistentry>

      <varlistentry>
-        <term>SOURCE ‒
+        <term>SOURCE (formats 1 and 2) ‒
        {<emphasis>zone</emphasis>[:<emphasis>interface</emphasis>][:<emphasis>address-list</emphasis>]|COMMENT}</term>

        <listitem>
@@ -235,44 +303,39 @@
          <para>Beginning with Shorewall 4.5.7, <option>all</option> can be
          used as the <replaceable>zone</replaceable> name to mean
          <firstterm>all zones</firstterm>.</para>
+
+          <para>Beginning with Shorewall 4.5.10, <option>all-</option> can be
+          used as the <replaceable>zone</replaceable> name to mean all
+          <firstterm>off-firewall zone</firstterm>s.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>SOURCE (format 3) ‒
+        {-|<emphasis>interface</emphasis>[:<emphasis>address-list</emphasis>]|<replaceable>address-list</replaceable>}</term>
+
+        <listitem>
+          <para>Where <replaceable>interface</replaceable> is an interface to
+          that zone, and <replaceable>address-list</replaceable> is a
+          comma-separated list of addresses (may contain exclusion - see
+          <ulink url="shorewall-exclusion.html">shorewall-exclusion</ulink>
+          (5)).</para>
+
+          <para>COMMENT is only allowed in format 1; the remainder of the line
+          is treated as a comment that will be associated with the generated
+          rule(s).</para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>DEST ‒
-        [<replaceable>interface</replaceable>|<replaceable>address-list</replaceable>]</term>
+        {-|<emphasis>interface</emphasis>[:<emphasis>address-list</emphasis>]|<replaceable>address-list</replaceable>}</term>

        <listitem>
-          <para>where <replaceable>interface</replaceable> is the name of a
-          network interface and <replaceable>address-list</replaceable> is a
+          <para>where <replaceable>address-list</replaceable> is a
          comma-separated list of addresses (may contain exclusion - see
-          <ulink url="shorewall-exclusion.html">shorewall-exclusion</ulink>
-          (5)). If an interface is given:</para>
-
-          <itemizedlist>
-            <listitem>
-              <para>It must be up and configured with an IPv4 address when
-              Shorewall is started or restarted.</para>
-            </listitem>
-
-            <listitem>
-              <para>All routes out of the interface must be configured when
-              Shorewall is started or restarted.</para>
-            </listitem>
-
-            <listitem>
-              <para>Default routes out of the interface will result in a
-              warning message and will be ignored.</para>
-            </listitem>
-          </itemizedlist>
-
-          <para>These restrictions are because Netfilter doesn't support
-          NOTRACK rules that specify a destination interface (these rules are
-          applied before packets are routed and hence the destination
-          interface is unknown). Shorewall uses the routes out of the
-          interface to replace the interface with an address list
-          corresponding to the networks routed out of the named
-          interface.</para>
+          <ulink url="shorewall-exclusion.html">shorewall6-exclusion</ulink>
+          (5)).</para>
        </listitem>
      </varlistentry>

@@ -320,15 +383,82 @@
          id and or group id of the process sending the traffic.</para>
        </listitem>
      </varlistentry>
+
+      <varlistentry>
+        <term><emphasis role="bold">SWITCH -
+        [!]<replaceable>switch-name</replaceable>[={0|1}]</emphasis></term>
+
+        <listitem>
+          <para>Added in Shorewall 4.5.10 and allows enabling and disabling
+          the rule without requiring <command>shorewall
+          restart</command>.</para>
+
+          <para>The rule is enabled if the value stored in
+          <filename>/proc/net/nf_condition/<replaceable>switch-name</replaceable></filename>
+          is 1. The rule is disabled if that file contains 0 (the default). If
+          '!' is supplied, the test is inverted such that the rule is enabled
+          if the file contains 0.</para>
+
+          <para>Within the <replaceable>switch-name</replaceable>, '@0' and
+          '@{0}' are replaced by the name of the chain to which the rule is a
+          added. The <replaceable>switch-name</replaceable> (after '...'
+          expansion) must begin with a letter and be composed of letters,
+          decimal digits, underscores or hyphens. Switch names must be 30
+          characters or less in length.</para>
+
+          <para>Switches are normally <emphasis role="bold">off</emphasis>. To
+          turn a switch <emphasis role="bold">on</emphasis>:</para>
+
+          <simplelist>
+            <member><command>echo 1 &gt;
+            /proc/net/nf_condition/<replaceable>switch-name</replaceable></command></member>
+          </simplelist>
+
+          <para>To turn it <emphasis role="bold">off</emphasis> again:</para>
+
+          <simplelist>
+            <member><command>echo 0 &gt;
+            /proc/net/nf_condition/<replaceable>switch-name</replaceable></command></member>
+          </simplelist>
+
+          <para>Switch settings are retained over <command>shorewall
+          restart</command>.</para>
+
+          <para>When the <replaceable>switch-name</replaceable> is followed by
+          <option>=0</option> or <option>=1</option>, then the switch is
+          initialized to off or on respectively by the
+          <command>start</command> command. Other commands do not affect the
+          switch setting.</para>
+        </listitem>
+      </varlistentry>
    </variablelist>
  </refsect1>

  <refsect1>
    <title>EXAMPLE</title>

+    <para>Example 1:</para>
+
    <programlisting>#ACTION                       SOURCE            DEST               PROTO            DEST              SOURCE              USER/GROUP
 #                                                                                   PORT(S)           PORT(S)
 CT:helper:ftp(expevents=new)  fw                -                  tcp              21              </programlisting>
+
+    <para>Example 2 (Shorewall 4.5.10 or later):</para>
+
+    <para>Drop traffic to/from all zones to IP address 1.2.3.4</para>
+
+    <programlisting>FORMAT 2
+#ACTION                       SOURCE             DEST               PROTO            DEST              SOURCE              USER/GROUP
+#                                                                                   PORT(S)           PORT(S)
+DROP                          all-:1.2.3.4       -
+DROP                          all                1.2.3.4</programlisting>
+
+    <para>or<programlisting>FORMAT 3
+#ACTION                       SOURCE             DEST               PROTO            DEST              SOURCE              USER/GROUP
+#                                                                                   PORT(S)           PORT(S)
+DROP:P                        1.2.3.4            -
+DROP:PO                       -                  1.2.3.4
+</programlisting></para>
  </refsect1>

  <refsect1>
--- a/Shorewall/manpages/shorewall-interfaces.xml
+++ b/Shorewall/manpages/shorewall-interfaces.xml
@@ -461,7 +461,7 @@ loc     eth2            -</programlisting>
            </varlistentry>

            <varlistentry>
-              <term>nosmurfs</term>
+              <term><emphasis role="bold">nosmurfs</emphasis></term>

              <listitem>
                <para>Filter packets for smurfs (packets with a broadcast
@@ -637,7 +637,7 @@ loc     eth2            -</programlisting>
            </varlistentry>

            <varlistentry>
-              <term>rpfilter</term>
+              <term><emphasis role="bold">rpfilter</emphasis></term>

              <listitem>
                <para>Added in Shorewall 4.5.7. This is an anti-spoofing
@@ -651,7 +651,8 @@ loc     eth2            -</programlisting>
            </varlistentry>

            <varlistentry>
-              <term>sfilter=(<emphasis>net</emphasis>[,...])</term>
+              <term><emphasis
+	      role="bold">sfilter=(<emphasis>net</emphasis>[,...])</emphasis></term>

              <listitem>
                <para>Added in Shorewall 4.4.20. This option provides an
--- a/Shorewall/manpages/shorewall-masq.xml
+++ b/Shorewall/manpages/shorewall-masq.xml
@@ -124,7 +124,7 @@
      <varlistentry>
        <term><emphasis role="bold">SOURCE</emphasis> (Formerly called SUBNET)
        -
-        {<emphasis>interface</emphasis>[:<emphasis>exclusion</emphasis>]|<emphasis>address</emphasis>[<emphasis
+        {<emphasis>interface</emphasis>|<emphasis>address</emphasis>[<emphasis
        role="bold">,</emphasis><emphasis>address</emphasis>][<emphasis>exclusion</emphasis>]}</term>

        <listitem>
@@ -137,20 +137,6 @@
          fact. (Shorewall will use your main routing table to determine the
          appropriate addresses to masquerade).</para>

-          <para>In order to exclude a address of the specified SOURCE, you may
-          append an <emphasis>exclusion</emphasis> ("!" and a comma-separated
-          list of IP addresses (host or net) that you wish to exclude (see
-          <ulink
-          url="shorewall-exclusion.html">shorewall-exclusion</ulink>(5))).
-          Note that a colon (":") must appear between an
-          <replaceable>interface</replaceable> name and the
-          <replaceable>exclusion</replaceable>;</para>
-
-          <para>Example: eth1:!192.168.1.4,192.168.32.0/27</para>
-
-          <para>In that example traffic from eth1 would be masqueraded unless
-          it came from 192.168.1.4 or 196.168.32.0/27</para>
-
          <para>The preferred way to specify the SOURCE is to supply one or
          more host or network addresses separated by comma. You may use ipset
          names preceded by a plus sign (+) to specify a set of hosts.</para>
@@ -475,7 +461,7 @@

      <varlistentry>
        <term><emphasis role="bold">SWITCH -
-        [!]<replaceable>switch-name</replaceable></emphasis></term>
+        [!]<replaceable>switch-name</replaceable>[={0|1}]</emphasis></term>

        <listitem>
          <para>Added in Shorewall 4.5.1 and allows enabling and disabling the
@@ -485,10 +471,14 @@
          <filename>/proc/net/nf_condition/<replaceable>switch-name</replaceable></filename>
          is 1. The rule is disabled if that file contains 0 (the default). If
          '!' is supplied, the test is inverted such that the rule is enabled
-          if the file contains 0. <replaceable>switch-name</replaceable> must
-          begin with a letter and be composed of letters, decimal digits,
-          underscores or hyphens. Switch names must be 30 characters or less
-          in length.</para>
+          if the file contains 0.</para>
+
+          <para>Within the <replaceable>switch-name</replaceable>, '@0' and
+          '@{0}' are replaced by the name of the chain to which the rule is a
+          added. The <replaceable>switch-name</replaceable> (after '@...'
+          expansion) must begin with a letter and be composed of letters,
+          decimal digits, underscores or hyphens. Switch names must be 30
+          characters or less in length.</para>

          <para>Switches are normally <emphasis role="bold">off</emphasis>. To
          turn a switch <emphasis role="bold">on</emphasis>:</para>
@@ -507,6 +497,13 @@

          <para>Switch settings are retained over <command>shorewall
          restart</command>.</para>
+
+          <para>Beginning with Shoreawll 4.5.10, when the
+          <replaceable>switch-name</replaceable> is followed by
+          <option>=0</option> or <option>=1</option>, then the switch is
+          initialized to off or on respectively by the
+          <command>start</command> command. Other commands do not affect the
+          switch setting.</para>
        </listitem>
      </varlistentry>

@@ -619,6 +616,29 @@
        eth0:+myset[dst]        -               206.124.146.177</programlisting>
        </listitem>
      </varlistentry>
+
+      <varlistentry>
+        <term>Example 7:</term>
+
+        <listitem>
+          <para>SNAT outgoing connections on eth0 from 192.168.1.0/24 in
+          round-robin fashion between addresses 1.1.1.1, 1.1.1.3, and 1.1.1.9
+          (Shorewall 4.5.9 and later).</para>
+
+          <programlisting>/etc/shorewall/tcrules:
+
+       #ACTION   SOURCE         DEST         PROTO   PORT(S)       SOURCE  USER    TEST
+       #                                                           PORT(S)
+       1-3:CF    192.168.1.0/24 eth0 ; state=NEW
+
+/etc/shorewall/masq:
+
+       #INTERFACE SOURCE         ADDRESS     ...
+       eth0       192.168.1.0/24 1.1.1.1 ; mark=1:C
+       eth0       192.168.1.0/24 1.1.1.3 ; mark=2:C
+       eth0       192.168.1.0/24 1.1.1.4 ; mark=3:C</programlisting>
+        </listitem>
+      </varlistentry>
    </variablelist>
  </refsect1>

--- a/Shorewall/manpages/shorewall-policy.xml
+++ b/Shorewall/manpages/shorewall-policy.xml
@@ -91,7 +91,7 @@
        role="bold">QUEUE</emphasis>|<emphasis
        role="bold">NFQUEUE</emphasis>[(<emphasis>queuenumber</emphasis>)]|<emphasis
        role="bold">NONE</emphasis>}[<emphasis
-        role="bold">:</emphasis>{<emphasis>default-action-or-macro</emphasis>|<emphasis
+        role="bold">:</emphasis>{<emphasis>default-action-or-macro</emphasis>[:level]|<emphasis
        role="bold">None</emphasis>}]</term>

        <listitem>
@@ -109,24 +109,19 @@
            </listitem>

            <listitem>
-              <para>The name of an action (requires that USE_ACTIONS=Yes in
-              <ulink url="shorewall.conf.html">shorewall.conf</ulink>(5)).
-              That action will be invoked before the policy is
-              enforced.</para>
-            </listitem>
-
-            <listitem>
-              <para>The name of a macro. The rules in that macro will be
-              applied before the policy is enforced. This does not require
-              USE_ACTIONS=Yes.</para>
+              <para>The name of an action. The action will be invoked before
+              the policy is enforced.</para>
            </listitem>
          </orderedlist>

-          <blockquote>
-            <programlisting></programlisting>
+          <para>Actions can have parameters specified.</para>

-            <para>Possible policies are:</para>
-          </blockquote>
+          <para>Beginning with Shorewall 4.5.10, the action name can be
+          followed optionally by a colon and a log level. The level will be
+          applied to each rule in the action or body that does not already
+          have a log level.</para>
+
+          <para>Possible actions are:</para>

          <variablelist>
            <varlistentry>
--- a/Shorewall/manpages/shorewall-rules.xml
+++ b/Shorewall/manpages/shorewall-rules.xml
@@ -191,6 +191,50 @@
              </listitem>
            </varlistentry>

+            <varlistentry>
+              <term><emphasis>action</emphasis></term>
+
+              <listitem>
+                <para>The name of an <emphasis>action</emphasis> declared in
+                <ulink
+                url="shorewall-actions.html">shorewall-actions</ulink>(5) or
+                in /usr/share/shorewall/actions.std.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis
+              role="bold">ADD(<replaceable>ipset</replaceable>:<replaceable>flags</replaceable>)</emphasis></term>
+
+              <listitem>
+                <para>Added in Shorewall 4.4.12. Causes addresses and/or port
+                numbers to be added to the named
+                <replaceable>ipset</replaceable>. The
+                <replaceable>flags</replaceable> specify the address or tupple
+                to be added to the set and must match the type of ipset
+                involved. For example, for an iphash ipset, either the SOURCE
+                or DESTINATION address can be added using
+                <replaceable>flags</replaceable> <emphasis
+                role="bold">src</emphasis> or <emphasis
+                role="bold">dst</emphasis> respectively (see the -A command in
+                ipset (8)).</para>
+
+                <para>ADD is non-terminating. Even if a packet matches the
+                rule, it is passed on to the next rule.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term>AUDIT[(accept|drop|reject)]</term>
+
+              <listitem>
+                <para>Added in Shorewall 4.5.10. Audits the packet with the
+                specified type; if the type is omitted, then
+                <option>drop</option> is assumed. Require AUDIT_TARGET support
+                in the kernel and iptables.</para>
+              </listitem>
+            </varlistentry>
+
            <varlistentry>
              <term>A_ACCEPT, A_ACCEPT+ and A_ACCEPT!</term>

@@ -201,35 +245,6 @@
              </listitem>
            </varlistentry>

-            <varlistentry>
-              <term><emphasis role="bold">NONAT</emphasis></term>
-
-              <listitem>
-                <para>Excludes the connection from any subsequent <emphasis
-                role="bold">DNAT</emphasis>[-] or <emphasis
-                role="bold">REDIRECT</emphasis>[-] rules but doesn't generate
-                a rule to accept the traffic.</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><emphasis role="bold">DROP</emphasis></term>
-
-              <listitem>
-                <para>Ignore the request.</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><emphasis role="bold">DROP!</emphasis></term>
-
-              <listitem>
-                <para>like DROP but exempts the rule from being suppressed by
-                OPTIMIZE=1 in <ulink
-                url="shorewall.conf.html">shorewall.conf</ulink>(5).</para>
-              </listitem>
-            </varlistentry>
-
            <varlistentry>
              <term>A_DROP and A_DROP!</term>

@@ -240,25 +255,6 @@
              </listitem>
            </varlistentry>

-            <varlistentry>
-              <term><emphasis role="bold">REJECT</emphasis></term>
-
-              <listitem>
-                <para>disallow the request and return an icmp-unreachable or
-                an RST packet.</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><emphasis role="bold">REJECT!</emphasis></term>
-
-              <listitem>
-                <para>like REJECT but exempts the rule from being suppressed
-                by OPTIMIZE=1 in <ulink
-                url="shorewall.conf.html">shorewall.conf</ulink>(5).</para>
-              </listitem>
-            </varlistentry>
-
            <varlistentry>
              <term>A_REJECT AND A_REJECT!</term>

@@ -270,46 +266,15 @@
            </varlistentry>

            <varlistentry>
-              <term><emphasis role="bold">DNAT</emphasis></term>
+              <term><emphasis role="bold">COMMENT</emphasis></term>

              <listitem>
-                <para>Forward the request to another system (and optionally
-                another port).</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><emphasis role="bold">DNAT-</emphasis></term>
-
-              <listitem>
-                <para>Advanced users only.</para>
-
-                <para>Like <emphasis role="bold">DNAT</emphasis> but only
-                generates the <emphasis role="bold">DNAT</emphasis> iptables
-                rule and not the companion <emphasis
-                role="bold">ACCEPT</emphasis> rule.</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><emphasis role="bold">REDIRECT</emphasis></term>
-
-              <listitem>
-                <para>Redirect the request to a server running on the
-                firewall.</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><emphasis role="bold">REDIRECT-</emphasis></term>
-
-              <listitem>
-                <para>Advanced users only.</para>
-
-                <para>Like <emphasis role="bold">REDIRECT</emphasis> but only
-                generates the <emphasis role="bold">REDIRECT</emphasis>
-                iptables rule and not the companion <emphasis
-                role="bold">ACCEPT</emphasis> rule.</para>
+                <para>the rest of the line will be attached as a comment to
+                the Netfilter rule(s) generated by the following entries. The
+                comment will appear delimited by "/* ... */" in the output of
+                "shorewall show &lt;chain&gt;". To stop the comment from being
+                attached to further rules, simply include COMMENT on a line by
+                itself.</para>
              </listitem>
            </varlistentry>

@@ -341,69 +306,6 @@
              </listitem>
            </varlistentry>

-            <varlistentry>
-              <term><emphasis role="bold">LOG</emphasis></term>
-
-              <listitem>
-                <para>Simply log the packet and continue with the next
-                rule.</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><emphasis role="bold">QUEUE</emphasis></term>
-
-              <listitem>
-                <para>Queue the packet to a user-space application such as
-                ftwall (http://p2pwall.sf.net). The application may reinsert
-                the packet for further processing.</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><emphasis role="bold">QUEUE!</emphasis></term>
-
-              <listitem>
-                <para>like QUEUE but exempts the rule from being suppressed by
-                OPTIMIZE=1 in <ulink
-                url="shorewall.conf.html">shorewall.conf</ulink>(5).</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><emphasis
-              role="bold">NFLOG</emphasis>[(<replaceable>nflog-parameters</replaceable>)]</term>
-
-              <listitem>
-                <para>queues matching packets to a backend logging daemon via
-                a netlink socket then continues to the next rule. See <ulink
-                url="http://www.shorewall.net/shorewall.logging.html">http://www.shorewall.net/shorewall_logging.html</ulink>.</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><emphasis
-              role="bold">NFQUEUE</emphasis>[(<replaceable>queuenumber</replaceable>)]</term>
-
-              <listitem>
-                <para>Queues the packet to a user-space application using the
-                nfnetlink_queue mechanism. If a
-                <replaceable>queuenumber</replaceable> is not specified, queue
-                zero (0) is assumed.</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><emphasis
-              role="bold">NFQUEUE![(<replaceable>queuenumber</replaceable>)]</emphasis></term>
-
-              <listitem>
-                <para>like NFQUEUE but exempts the rule from being suppressed
-                by OPTIMIZE=1 in <ulink
-                url="shorewall.conf.html">shorewall.conf</ulink>(5).</para>
-              </listitem>
-            </varlistentry>
-
            <varlistentry>
              <term><emphasis role="bold">COUNT</emphasis></term>

@@ -414,26 +316,86 @@
            </varlistentry>

            <varlistentry>
-              <term><emphasis role="bold">COMMENT</emphasis></term>
+              <term><emphasis
+              role="bold">DEL(<replaceable>ipset</replaceable>:<replaceable>flags</replaceable>)</emphasis></term>

              <listitem>
-                <para>the rest of the line will be attached as a comment to
-                the Netfilter rule(s) generated by the following entries. The
-                comment will appear delimited by "/* ... */" in the output of
-                "shorewall show &lt;chain&gt;". To stop the comment from being
-                attached to further rules, simply include COMMENT on a line by
-                itself.</para>
+                <para>Added in Shorewall 4.4.12. Causes an entry to be deleted
+                from the named <replaceable>ipset</replaceable>. The
+                <replaceable>flags</replaceable> specify the address or tupple
+                to be deleted from the set and must match the type of ipset
+                involved. For example, for an iphash ipset, either the SOURCE
+                or DESTINATION address can be deletec using
+                <replaceable>flags</replaceable> <emphasis
+                role="bold">src</emphasis> or <emphasis
+                role="bold">dst</emphasis> respectively (see the -D command in
+                ipset (8)).</para>
+
+                <para>DEL is non-terminating. Even if a packet matches the
+                rule, it is passed on to the next rule.</para>
              </listitem>
            </varlistentry>

            <varlistentry>
-              <term><emphasis>action</emphasis></term>
+              <term><emphasis role="bold">DNAT</emphasis></term>

              <listitem>
-                <para>The name of an <emphasis>action</emphasis> declared in
-                <ulink
-                url="shorewall-actions.html">shorewall-actions</ulink>(5) or
-                in /usr/share/shorewall/actions.std.</para>
+                <para>Forward the request to another system (and optionally
+                another port).</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis role="bold">DNAT-</emphasis></term>
+
+              <listitem>
+                <para>Advanced users only.</para>
+
+                <para>Like <emphasis role="bold">DNAT</emphasis> but only
+                generates the <emphasis role="bold">DNAT</emphasis> iptables
+                rule and not the companion <emphasis
+                role="bold">ACCEPT</emphasis> rule.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis role="bold">DROP</emphasis></term>
+
+              <listitem>
+                <para>Ignore the request.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis role="bold">DROP!</emphasis></term>
+
+              <listitem>
+                <para>like DROP but exempts the rule from being suppressed by
+                OPTIMIZE=1 in <ulink
+                url="shorewall.conf.html">shorewall.conf</ulink>(5).</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term>HELPER</term>
+
+              <listitem>
+                <para>Added in Shorewall 4.5.7. This action requires that the
+                HELPER column contains the name of the Netfilter helper to be
+                associated with connections matching this connection. May only
+                be specified in the NEW section and is useful for being able
+                to specify a helper when the applicable policy is ACCEPT. No
+                destination zone should be specified in HELPER rules.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis
+              role="bold">LOG:<replaceable>level</replaceable></emphasis></term>
+
+              <listitem>
+                <para>Simply log the packet and continue with the next
+                rule.</para>
              </listitem>
            </varlistentry>

@@ -463,57 +425,132 @@

            <varlistentry>
              <term><emphasis
-              role="bold">ADD(<replaceable>ipset</replaceable>:<replaceable>flags</replaceable>)</emphasis></term>
+              role="bold">NFLOG</emphasis>[(<replaceable>nflog-parameters</replaceable>)]</term>

              <listitem>
-                <para>Added in Shorewall 4.4.12. Causes addresses and/or port
-                numbers to be added to the named
-                <replaceable>ipset</replaceable>. The
-                <replaceable>flags</replaceable> specify the address or tupple
-                to be added to the set and must match the type of ipset
-                involved. For example, for an iphash ipset, either the SOURCE
-                or DESTINATION address can be added using
-                <replaceable>flags</replaceable> <emphasis
-                role="bold">src</emphasis> or <emphasis
-                role="bold">dst</emphasis> respectively (see the -A command in
-                ipset (8)).</para>
+                <para>Added in Shorewall 4.5.9.3. Queues matching packets to a
+                backend logging daemon via a netlink socket then continues to
+                the next rule. See <ulink
+                url="http://www.shorewall.net/shorewall.logging.html">http://www.shorewall.net/shorewall_logging.html</ulink>.</para>

-                <para>ADD is non-terminating. Even if a packet matches the
-                rule, it is passed on to the next rule.</para>
+                <para>Similar to<emphasis role="bold">
+                LOG:NFLOG</emphasis>[(<replaceable>nflog-parameters</replaceable>)],
+                except that the log level is not changed when this ACTION is
+                used in an action or macro body and the invocation of that
+                action or macro specifies a log level.</para>
              </listitem>
            </varlistentry>

            <varlistentry>
              <term><emphasis
-              role="bold">DEL(<replaceable>ipset</replaceable>:<replaceable>flags</replaceable>)</emphasis></term>
+              role="bold">NFQUEUE</emphasis>[(<replaceable>queuenumber</replaceable>)]</term>

              <listitem>
-                <para>Added in Shorewall 4.4.12. Causes an entry to be deleted
-                from the named <replaceable>ipset</replaceable>. The
-                <replaceable>flags</replaceable> specify the address or tupple
-                to be deleted from the set and must match the type of ipset
-                involved. For example, for an iphash ipset, either the SOURCE
-                or DESTINATION address can be deletec using
-                <replaceable>flags</replaceable> <emphasis
-                role="bold">src</emphasis> or <emphasis
-                role="bold">dst</emphasis> respectively (see the -D command in
-                ipset (8)).</para>
-
-                <para>DEL is non-terminating. Even if a packet matches the
-                rule, it is passed on to the next rule.</para>
+                <para>Queues the packet to a user-space application using the
+                nfnetlink_queue mechanism. If a
+                <replaceable>queuenumber</replaceable> is not specified, queue
+                zero (0) is assumed.</para>
              </listitem>
            </varlistentry>

            <varlistentry>
-              <term>HELPER</term>
+              <term><emphasis
+              role="bold">NFQUEUE![(<replaceable>queuenumber</replaceable>)]</emphasis></term>

              <listitem>
-                <para>Added in Shorewall 4.5.7. This action requires that the
-                HELPER column contains the name of the Netfilter helper to be
-                associated with connections matching this connection. May only
-                be specified in the NEW section and is useful for being able
-                to specify a helper when the applicable policy is ACCEPT. No
-                destination zone should be specified in HELPER rules.</para>
+                <para>like NFQUEUE but exempts the rule from being suppressed
+                by OPTIMIZE=1 in <ulink
+                url="shorewall.conf.html">shorewall.conf</ulink>(5).</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis role="bold">NONAT</emphasis></term>
+
+              <listitem>
+                <para>Excludes the connection from any subsequent <emphasis
+                role="bold">DNAT</emphasis>[-] or <emphasis
+                role="bold">REDIRECT</emphasis>[-] rules but doesn't generate
+                a rule to accept the traffic.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis role="bold">QUEUE</emphasis></term>
+
+              <listitem>
+                <para>Queue the packet to a user-space application such as
+                ftwall (http://p2pwall.sf.net). The application may reinsert
+                the packet for further processing.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis role="bold">QUEUE!</emphasis></term>
+
+              <listitem>
+                <para>like QUEUE but exempts the rule from being suppressed by
+                OPTIMIZE=1 in <ulink
+                url="shorewall.conf.html">shorewall.conf</ulink>(5).</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis role="bold">REJECT</emphasis></term>
+
+              <listitem>
+                <para>disallow the request and return an icmp-unreachable or
+                an RST packet.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis role="bold">REJECT!</emphasis></term>
+
+              <listitem>
+                <para>like REJECT but exempts the rule from being suppressed
+                by OPTIMIZE=1 in <ulink
+                url="shorewall.conf.html">shorewall.conf</ulink>(5).</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis role="bold">REDIRECT</emphasis></term>
+
+              <listitem>
+                <para>Redirect the request to a server running on the
+                firewall.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis role="bold">REDIRECT-</emphasis></term>
+
+              <listitem>
+                <para>Advanced users only.</para>
+
+                <para>Like <emphasis role="bold">REDIRECT</emphasis> but only
+                generates the <emphasis role="bold">REDIRECT</emphasis>
+                iptables rule and not the companion <emphasis
+                role="bold">ACCEPT</emphasis> rule.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis
+              role="bold">ULOG</emphasis>[(<replaceable>ulog-parameters</replaceable>)]</term>
+
+              <listitem>
+                <para>Added in Shorewall 4.5.10. Queues matching packets to a
+                backend logging daemon via a netlink socket then continues to
+                the next rule. See <ulink
+                url="http://www.shorewall.net/shorewall.logging.html">http://www.shorewall.net/shorewall_logging.html</ulink>.</para>
+
+                <para>Similar to<emphasis role="bold">
+                LOG:ULOG</emphasis>[(<replaceable>ulog-parameters</replaceable>)],
+                except that the log level is not changed when this ACTION is
+                used in an action or macro body and the invocation of that
+                action or macro specifies a log level.</para>
              </listitem>
            </varlistentry>
          </variablelist>
@@ -819,7 +856,7 @@
            </orderedlist></para>

          <blockquote>
-            <para/>
+            <para></para>

            <para>Except when <emphasis role="bold">all</emphasis>[<emphasis
            role="bold">+]|[-</emphasis>] is specified, the server may be
@@ -1332,7 +1369,7 @@

      <varlistentry>
        <term><emphasis role="bold">SWITCH -
-        [!]<replaceable>switch-name</replaceable></emphasis></term>
+        [!]<replaceable>switch-name</replaceable>[={0|1}]</emphasis></term>

        <listitem>
          <para>Added in Shorewall 4.4.24 and allows enabling and disabling
@@ -1343,10 +1380,14 @@
          <filename>/proc/net/nf_condition/<replaceable>switch-name</replaceable></filename>
          is 1. The rule is disabled if that file contains 0 (the default). If
          '!' is supplied, the test is inverted such that the rule is enabled
-          if the file contains 0. <replaceable>switch-name</replaceable> must
-          begin with a letter and be composed of letters, decimal digits,
-          underscores or hyphens. Switch names must be 30 characters or less
-          in length.</para>
+          if the file contains 0.</para>
+
+          <para>Within the <replaceable>switch-name</replaceable>, '@0' and
+          '@{0}' are replaced by the name of the chain to which the rule is a
+          added. The <replaceable>switch-name</replaceable> (after '@...'
+          expansion) must begin with a letter and be composed of letters,
+          decimal digits, underscores or hyphens. Switch names must be 30
+          characters or less in length.</para>

          <para>Switches are normally <emphasis role="bold">off</emphasis>. To
          turn a switch <emphasis role="bold">on</emphasis>:</para>
@@ -1365,6 +1406,13 @@

          <para>Switch settings are retained over <command>shorewall
          restart</command>.</para>
+
+          <para>Beginning with Shoreawll 4.5.10, when the
+          <replaceable>switch-name</replaceable> is followed by
+          <option>=0</option> or <option>=1</option>, then the switch is
+          initialized to off or on respectively by the
+          <command>start</command> command. Other commands do not affect the
+          switch setting.</para>
        </listitem>
      </varlistentry>

--- a/Shorewall/manpages/shorewall-secmarks.xml
+++ b/Shorewall/manpages/shorewall-secmarks.xml
@@ -92,7 +92,7 @@

      <varlistentry>
        <term><emphasis role="bold">CHAIN:STATE (chain) -
-        {P|I|F|O|T}[:{N|I|NI|E|ER}]</emphasis></term>
+        {P|I|F|O|T}[:{N|I|U|IU|NI|NU|NIU|NUI:E|ER}]</emphasis></term>

        <listitem>
          <para>This column determines the CHAIN where the SElinux context is
@@ -125,6 +125,19 @@

            <member>:ER - ESTABLISHED or RELATED connection</member>
          </simplelist>
+
+          <para>Beginning with Shorewall 4.5.10, the following additional
+          options are available</para>
+
+          <simplelist>
+            <member>:U - UNTRACKED connection</member>
+
+            <member>:IU - INVALID or UNTRACKED connection</member>
+
+            <member>:NU - NEW or UNTRACKED connection</member>
+
+            <member>:NIU - NEW, INVALID or UNTRACKED connection.</member>
+          </simplelist>
        </listitem>
      </varlistentry>
    </variablelist>
--- a/Shorewall/manpages/shorewall-stoppedrules.xml
+++ b/Shorewall/manpages/shorewall-stoppedrules.xml
@@ -60,7 +60,7 @@
          firewall itself, while <replaceable>interface</replaceable>
          specifies packets arriving on the named interface.</para>

-          <para>This column may also include a omma-separated list of
+          <para>This column may also include a comma-separated list of
          IP/subnet addresses. If your kernel and iptables include iprange
          match support, IP address ranges are also allowed. Ipsets and
          exclusion are also supported. When <option>$FW</option> or interface
@@ -80,7 +80,7 @@
          arriving on the named interface. Neither may be specified if the
          target is <option>NOTRACK</option>.</para>

-          <para>This column may also include a omma-separated list of
+          <para>This column may also include a comma-separated list of
          IP/subnet addresses. If your kernel and iptables include iprange
          match support, IP address ranges are also allowed. Ipsets and
          exclusion are also supported. When <option>$FW</option> or interface
--- a/Shorewall/manpages/shorewall-tcclasses.xml
+++ b/Shorewall/manpages/shorewall-tcclasses.xml
@@ -120,10 +120,7 @@
        <emphasis>interface</emphasis>[[:<emphasis>parent</emphasis>]:<emphasis>class</emphasis>]</term>

        <listitem>
-          <para>Name of <emphasis>interface</emphasis>. Each interface may be
-          listed only once in this file. You may NOT specify the name of an
-          alias (e.g., eth0:0) here; see <ulink
-          url="http://www.shorewall.net/FAQ.htm#faq18">http://www.shorewall.net/FAQ.htm#faq18</ulink></para>
+          <para>Name of <emphasis>interface</emphasis>.</para>

          <para>You may specify the interface number rather than the interface
          name. If the <emphasis role="bold">classify</emphasis> option is
@@ -263,8 +260,8 @@
            </listitem>
          </itemizedlist>

-          <para> The rules for classes with lower numeric priorities will
-          appear before those with higher numeric priorities. </para>
+          <para>The rules for classes with lower numeric priorities will
+          appear before those with higher numeric priorities.</para>

          <para>Beginning with Shorewall 4.5.8, the PRIORITY may be omitted
          from an HFSC class if you do not use the MARK column or the
--- a/Shorewall/manpages/shorewall-tcfilters.xml
+++ b/Shorewall/manpages/shorewall-tcfilters.xml
@@ -285,6 +285,23 @@
       1:10      ::/0      ::/0         icmp6   echo-reply</programlisting>
        </listitem>
      </varlistentry>
+
+      <varlistentry>
+        <term>Example 2:</term>
+
+        <listitem>
+          <para>Add two filters with priority 10 (Shorewall 4.5.8 or
+          later).</para>
+
+          <programlisting>       #CLASS    SOURCE    DEST         PROTO   DEST            PRIORITY
+       #                                        PORT
+
+       IPV4
+
+       1:10      0.0.0.0/0 0.0.0.0/0    icmp    echo-request    10
+       1:10      0.0.0.0/0 0.0.0.0/0    icmp    echo-reply      10</programlisting>
+        </listitem>
+      </varlistentry>
    </variablelist>
  </refsect1>

--- a/Shorewall/manpages/shorewall-tcrules.xml
+++ b/Shorewall/manpages/shorewall-tcrules.xml
@@ -131,8 +131,12 @@

              <para>The mark value may be optionally followed by "/" and a
              mask value (used to determine those bits of the connection mark
-              to actually be set). The mark and optional mask are then
-              followed by one of:</para>
+              to actually be set). When a mask is specified, the result of
+              logically ANDing the mark value with the mask must be the same
+              as the mark value.</para>
+
+              <para>The mark and optional mask are then followed by one
+              of:</para>

              <variablelist>
                <varlistentry>
@@ -178,26 +182,108 @@
                  </listitem>
                </varlistentry>
              </variablelist>
+            </listitem>

-              <para><emphasis role="bold">Special considerations for If
-              HIGH_ROUTE_MARKS=Yes in <ulink
-              url="shorewall.conf.html">shorewall.conf</ulink>(5</emphasis>).</para>
+            <listitem>
+              <para>A mark range which is a pair of integers separated by a
+              dash ("-"). Added in Shorewall 4.5.9.</para>

-              <para>If HIGH_ROUTE_MARKS=Yes, then you may also specify a value
-              in the range 0x0100-0xFF00 with the low-order byte being zero.
-              Such values may only be used in the PREROUTING chain (value
-              followed by <emphasis role="bold">:P</emphasis> or you have set
-              MARK_IN_FORWARD_CHAIN=No in <ulink
-              url="shorewall.conf.html">shorewall.conf</ulink>(5) and have not
-              followed the value with <option>:F</option>) or the OUTPUT chain
-              (SOURCE is <emphasis role="bold">$FW</emphasis>). With
-              HIGH_ROUTE_MARKS=Yes, non-zero mark values less that 256 are not
-              permitted. Shorewall prohibits non-zero mark values less that
-              256 in the OUTPUT chain when HIGH_ROUTE_MARKS=Yes. While earlier
-              versions allow such values in the OUTPUT chain, it is strongly
-              recommended that with HIGH_ROUTE_MARKS=Yes, you use the
-              POSTROUTING chain to apply traffic shaping
-              marks/classification.</para>
+              <para>May be optionally followed by a slash ("/") and a mask and
+              requires the <firstterm>Statistics Match</firstterm> capability
+              in iptables and kernel. Marks in the specified range are
+              assigned to packets on a round-robin fashion.</para>
+
+              <para>When a mask is specified, the result of logically ANDing
+              each mark value with the mask must be the same as the mark
+              value. The least significant bit in the mask is used as an
+              increment. For example, if '0x200-0x400/0xff00' is specified,
+              then the assigned mark values are 0x200, 0x300 and 0x400 in
+              equal proportions. If no mask is specified, then ( 2 **
+              MASK_BITS ) - 1 is assumed (MASK_BITS is set in <ulink
+              url="shorewall.conf.html">shorewall.conf</ulink>(5)).</para>
+
+              <para>May optionally be followed by <emphasis
+              role="bold">:P</emphasis>, <emphasis
+              role="bold">:F</emphasis>,<emphasis role="bold">:T</emphasis> or
+              <emphasis role="bold">:I</emphasis> where<emphasis role="bold">
+              :P</emphasis> indicates that marking should occur in the
+              PREROUTING chain, <emphasis role="bold">:F</emphasis> indicates
+              that marking should occur in the FORWARD chain, <emphasis
+              role="bold">:I </emphasis>indicates that marking should occur in
+              the INPUT chain (added in Shorewall 4.4.13), and <emphasis
+              role="bold">:T</emphasis> indicates that marking should occur in
+              the POSTROUTING chain. If neither <emphasis
+              role="bold">:P</emphasis>, <emphasis role="bold">:F</emphasis>
+              nor <emphasis role="bold">:T</emphasis> follow the mark value
+              then the chain is determined as follows:</para>
+
+              <para>- If the SOURCE is <emphasis
+              role="bold">$FW</emphasis>[<emphasis
+              role="bold">:</emphasis><emphasis>address-or-range</emphasis>[,<emphasis>address-or-range</emphasis>]...],
+              then the rule is inserted into the OUTPUT chain. When
+              HIGH_ROUTE_MARKS=Yes, only high mark values may be assigned
+              there. Packet marking rules for traffic shaping of packets
+              originating on the firewall must be coded in the POSTROUTING
+              chain (see below).</para>
+
+              <para>- Otherwise, the chain is determined by the setting of
+              MARK_IN_FORWARD_CHAIN in <ulink
+              url="shorewall.conf.html">shorewall.conf</ulink>(5).</para>
+
+              <para>Please note that <emphasis role="bold">:I</emphasis> is
+              included for completeness and affects neither traffic shaping
+              nor policy routing.</para>
+
+              <para>If your kernel and iptables include CONNMARK support then
+              you can also mark the connection rather than the packet.</para>
+
+              <para>The mark range and optional mask can then followed by one
+              of:</para>
+
+              <variablelist>
+                <varlistentry>
+                  <term><emphasis role="bold">C</emphasis></term>
+
+                  <listitem>
+                    <para>Mark the connection in the chain determined by the
+                    setting of MARK_IN_FORWARD_CHAIN</para>
+                  </listitem>
+                </varlistentry>
+
+                <varlistentry>
+                  <term><emphasis role="bold">CF</emphasis></term>
+
+                  <listitem>
+                    <para>Mark the connection in the FORWARD chain</para>
+                  </listitem>
+                </varlistentry>
+
+                <varlistentry>
+                  <term><emphasis role="bold">CP</emphasis></term>
+
+                  <listitem>
+                    <para>Mark the connection in the PREROUTING chain.</para>
+                  </listitem>
+                </varlistentry>
+
+                <varlistentry>
+                  <term>CT</term>
+
+                  <listitem>
+                    <para>Mark the connecdtion in the POSTROUTING chain</para>
+                  </listitem>
+                </varlistentry>
+
+                <varlistentry>
+                  <term>CI</term>
+
+                  <listitem>
+                    <para>Mark the connection in the INPUT chain. This option
+                    is included for completeness and has no applicability to
+                    traffic shaping or policy routing.</para>
+                  </listitem>
+                </varlistentry>
+              </variablelist>
            </listitem>

            <listitem>
@@ -255,27 +341,27 @@
            </listitem>

            <listitem>
-              <para><emphasis
-              role="bold">RESTORE</emphasis>[/<emphasis>mask</emphasis>] --
-              restore the packet's mark from the connection's mark using the
-              supplied mask if any. Your kernel and iptables must include
-              CONNMARK support.</para>
+              <para><emphasis role="bold">CHECKSUM</emphasis></para>

-              <para>As in 1) above, may be followed by <emphasis
-              role="bold">:P</emphasis> or <emphasis
-              role="bold">:F</emphasis></para>
+              <para>Added in Shorewall 4.5.9. Compute and fill in the checksum
+              in a packet that lacks a checksum. This is particularly useful
+              if you need to work around old applications, such as dhcp
+              clients, that do not work well with checksum offloads, but you
+              don't want to disable checksum offload in your device.</para>
+
+              <para>Requires 'Checksum Target' support in your kernel and
+              iptables.</para>
            </listitem>

            <listitem>
-              <para><emphasis
-              role="bold">SAVE</emphasis>[/<emphasis>mask</emphasis>] -- save
-              the packet's mark to the connection's mark using the supplied
-              mask if any. Your kernel and iptables must include CONNMARK
-              support.</para>
+              <para><emphasis role="bold">COMMENT</emphasis> -- the rest of
+              the line will be attached as a comment to the Netfilter rule(s)
+              generated by the following entries. The comment will appear
+              delimited by "/* ... */" in the output of <command>shorewall
+              show mangle</command></para>

-              <para>As in 1) above, may be followed by <emphasis
-              role="bold">:P</emphasis> or <emphasis
-              role="bold">:F</emphasis></para>
+              <para>To stop the comment from being attached to further rules,
+              simply include COMMENT on a line by itself.</para>
            </listitem>

            <listitem>
@@ -291,44 +377,85 @@
            </listitem>

            <listitem>
-              <para><emphasis role="bold">SAME</emphasis> Some websites run
-              applications that require multiple connections from a client
-              browser. Where multiple 'balanced' providers are configured,
-              this can lead to problems when some of the connections are
-              routed through one provider and some through another. The SAME
-              target allows you to work around that problem. SAME may be used
-              in the PREROUTING and OUTPUT chains. When used in PREROUTING, it
-              causes matching connections from an individual local system to
-              all use the same provider. For example: <programlisting>#ACTION           SOURCE         DEST         PROTO      DEST
-#                                                        PORT(S)
-SAME:P            192.168.1.0/24 0.0.0.0/0    tcp        80,443</programlisting>
-              If a host in 192.168.1.0/24 attempts a connection on TCP port 80
-              or 443 and it has sent a packet on either of those ports in the
-              last five minutes then the new connection will use the same
-              provider as the connection over which that last packet was
-              sent.</para>
+              <para><emphasis role="bold">DIVERT</emphasis></para>

-              <para>When used in the OUTPUT chain, it causes all matching
-              connections to an individual remote system to all use the same
-              provider. For example:<programlisting>#ACTION           SOURCE         DEST         PROTO      DEST
-#                                                        PORT(S)
-SAME              $FW            0.0.0.0/0    tcp        80,443</programlisting>
-              If the firewall attempts a connection on TCP port 80 or 443 and
-              it has sent a packet on either of those ports in the last five
-              minutes to the same remote system then the new connection will
-              use the same provider as the connection over which that last
-              packet was sent.</para>
+              <para>Added in Shorewall 4.5.4 and only available when FORMAT is
+              2. Two DIVERT rule should preceed the TPROXY rule and should
+              select DEST PORT tcp 80 and SOURCE PORT tcp 80 respectively
+              (assuming that tcp port 80 is being proxied). DIVERT avoids
+              sending packets to the TPROXY target once a socket connection to
+              Squid3 has been established by TPROXY. DIVERT marks the packet
+              with a unique mark and exempts it from any rules that
+              follow.</para>
            </listitem>

            <listitem>
-              <para><emphasis role="bold">COMMENT</emphasis> -- the rest of
-              the line will be attached as a comment to the Netfilter rule(s)
-              generated by the following entries. The comment will appear
-              delimited by "/* ... */" in the output of <command>shorewall
-              show mangle</command></para>
+              <para><emphasis
+              role="bold">DSCP</emphasis>(<replaceable>dscp</replaceable>)</para>

-              <para>To stop the comment from being attached to further rules,
-              simply include COMMENT on a line by itself.</para>
+              <para>Added in Shorewall 4.5.1. Sets the
+              <firstterm>Differentiated Services Code Point</firstterm> field
+              in the IP header. The <replaceable>dscp</replaceable> value may
+              be given as an even number (hex or decimal) or as the name of a
+              DSCP class. Valid class names and their associated hex numeric
+              values are:</para>
+
+              <programlisting>    CS0  =&gt; 0x00
+    CS1  =&gt; 0x08
+    CS2  =&gt; 0x10
+    CS3  =&gt; 0x18
+    CS4  =&gt; 0x20
+    CS5  =&gt; 0x28
+    CS6  =&gt; 0x30
+    CS7  =&gt; 0x38
+    BE   =&gt; 0x00
+    AF11 =&gt; 0x0a
+    AF12 =&gt; 0x0c
+    AF13 =&gt; 0x0e
+    AF21 =&gt; 0x12
+    AF22 =&gt; 0x14
+    AF23 =&gt; 0x16
+    AF31 =&gt; 0x1a
+    AF32 =&gt; 0x1c
+    AF33 =&gt; 0x1e
+    AF41 =&gt; 0x22
+    AF42 =&gt; 0x24
+    AF43 =&gt; 0x26
+    EF   =&gt; 0x2e</programlisting>
+
+              <para>To indicate more than one class, add their hex values
+              together and specify the result.</para>
+
+              <para>May be optionally followed by ':' and a capital letter
+              designating the chain where classification is to occur.</para>
+
+              <variablelist>
+                <varlistentry>
+                  <term>F</term>
+
+                  <listitem>
+                    <para>FORWARD chain.</para>
+                  </listitem>
+                </varlistentry>
+
+                <varlistentry>
+                  <term>T</term>
+
+                  <listitem>
+                    <para>POSTROUTING chain (default).</para>
+                  </listitem>
+                </varlistentry>
+              </variablelist>
+            </listitem>
+
+            <listitem>
+              <para><emphasis
+              role="bold">IMQ</emphasis>(<replaceable>number</replaceable>)</para>
+
+              <para>Added in Shorewall 4.5.1. Specifies that the packet should
+              be passed to the IMQ identified by
+              <replaceable>number</replaceable>. Requires IMQ Target support
+              in your kernel and iptables.</para>
            </listitem>

            <listitem>
@@ -436,16 +563,121 @@ SAME              $FW            0.0.0.0/0    tcp        80,443</programlisting>
            </listitem>

            <listitem>
-              <para><emphasis role="bold">DIVERT</emphasis></para>
+              <para><emphasis
+              role="bold">RESTORE</emphasis>[/<emphasis>mask</emphasis>] --
+              restore the packet's mark from the connection's mark using the
+              supplied mask if any. Your kernel and iptables must include
+              CONNMARK support.</para>

-              <para>Added in Shorewall 4.5.4 and only available when FORMAT is
-              2. Two DIVERT rule should preceed the TPROXY rule and should
-              select DEST PORT tcp 80 and SOURCE PORT tcp 80 respectively
-              (assuming that tcp port 80 is being proxied). DIVERT avoids
-              sending packets to the TPROXY target once a socket connection to
-              Squid3 has been established by TPROXY. DIVERT marks the packet
-              with a unique mark and exempts it from any rules that
-              follow.</para>
+              <para>As in 1) above, may be followed by <emphasis
+              role="bold">:P</emphasis> or <emphasis
+              role="bold">:F</emphasis></para>
+            </listitem>
+
+            <listitem>
+              <para><emphasis role="bold">SAME</emphasis> Some websites run
+              applications that require multiple connections from a client
+              browser. Where multiple 'balanced' providers are configured,
+              this can lead to problems when some of the connections are
+              routed through one provider and some through another. The SAME
+              target allows you to work around that problem. SAME may be used
+              in the PREROUTING and OUTPUT chains. When used in PREROUTING, it
+              causes matching connections from an individual local system to
+              all use the same provider. For example: <programlisting>#ACTION           SOURCE         DEST         PROTO      DEST
+#                                                        PORT(S)
+SAME:P            192.168.1.0/24 0.0.0.0/0    tcp        80,443</programlisting>
+              If a host in 192.168.1.0/24 attempts a connection on TCP port 80
+              or 443 and it has sent a packet on either of those ports in the
+              last five minutes then the new connection will use the same
+              provider as the connection over which that last packet was
+              sent.</para>
+
+              <para>When used in the OUTPUT chain, it causes all matching
+              connections to an individual remote system to all use the same
+              provider. For example:<programlisting>#ACTION           SOURCE         DEST         PROTO      DEST
+#                                                        PORT(S)
+SAME              $FW            0.0.0.0/0    tcp        80,443</programlisting>
+              If the firewall attempts a connection on TCP port 80 or 443 and
+              it has sent a packet on either of those ports in the last five
+              minutes to the same remote system then the new connection will
+              use the same provider as the connection over which that last
+              packet was sent.</para>
+            </listitem>
+
+            <listitem>
+              <para><emphasis
+              role="bold">SAVE</emphasis>[/<emphasis>mask</emphasis>] -- save
+              the packet's mark to the connection's mark using the supplied
+              mask if any. Your kernel and iptables must include CONNMARK
+              support.</para>
+
+              <para>As in 1) above, may be followed by <emphasis
+              role="bold">:P</emphasis> or <emphasis
+              role="bold">:F</emphasis></para>
+            </listitem>
+
+            <listitem>
+              <para><emphasis role="bold">STATE</emphasis> {<emphasis
+              role="bold">NEW</emphasis>|<emphasis
+              role="bold">RELATED</emphasis>|<emphasis
+              role="bold">ESTABLISHED</emphasis>|<emphasis
+              role="bold">INVALID</emphasis>} [,...]</para>
+
+              <para>Added in Shorewall 4.5.9. The rule will only match if the
+              packet's connection is in one of the listed states.</para>
+            </listitem>
+
+            <listitem>
+              <para><emphasis
+              role="bold">TOS</emphasis>(<replaceable>tos</replaceable>[/<replaceable>mask</replaceable>])</para>
+
+              <para>Added in Shorewall 4.5.1. Sets the <firstterm>Type of
+              Service</firstterm> field in the IP header. The
+              <replaceable>tos</replaceable> value may be given as an number
+              (hex or decimal) or as the name of a TOS type. Valid type names
+              and their associated hex numeric values are:</para>
+
+              <programlisting>Minimize-Delay       =&gt; 0x10,
+Maximize-Throughput  =&gt; 0x08,
+Maximize-Reliability =&gt; 0x04,
+Minimize-Cost        =&gt; 0x02,
+Normal-Service       =&gt; 0x00</programlisting>
+
+              <para>To indicate more than one class, add their hex values
+              together and specify the result.</para>
+
+              <para>When <replaceable>tos</replaceable> is given as a number,
+              it may be optionally followed by '/' and a
+              <replaceable>mask</replaceable>. When no
+              <replaceable>mask</replaceable> is given, the value 0xff is
+              assumed. When <replaceable>tos</replaceable> is given as a type
+              name, the <replaceable>mask</replaceable> 0x3f is
+              assumed.</para>
+
+              <para>The action performed is to zero out the bits specified by
+              the <replaceable>mask</replaceable>, then set the bits specified
+              by <replaceable>tos</replaceable>.</para>
+
+              <para>May be optionally followed by ':' and a capital letter
+              designating the chain where classification is to occur.</para>
+
+              <variablelist>
+                <varlistentry>
+                  <term>F</term>
+
+                  <listitem>
+                    <para>FORWARD chain.</para>
+                  </listitem>
+                </varlistentry>
+
+                <varlistentry>
+                  <term>T</term>
+
+                  <listitem>
+                    <para>POSTROUTING chain.</para>
+                  </listitem>
+                </varlistentry>
+              </variablelist>
            </listitem>

            <listitem>
@@ -515,7 +747,7 @@ SAME              $FW            0.0.0.0/0    tcp        80,443</programlisting>
              role="bold">-</emphasis>|<emphasis
              role="bold">+</emphasis>]<replaceable>number</replaceable>)</para>

-              <para>Added in Shorewall 4.4.24. </para>
+              <para>Added in Shorewall 4.4.24.</para>

              <para>Prior to Shorewall 4.5.7.2, may be optionally followed by
              <emphasis role="bold">:F</emphasis> but the resulting rule is
@@ -534,128 +766,6 @@ SAME              $FW            0.0.0.0/0    tcp        80,443</programlisting>
              is set to <replaceable>number</replaceable>. The valid range of
              values for <replaceable>number</replaceable> is 1-255.</para>
            </listitem>
-
-            <listitem>
-              <para><emphasis
-              role="bold">IMQ</emphasis>(<replaceable>number</replaceable>)</para>
-
-              <para>Added in Shorewall 4.5.1. Specifies that the packet should
-              be passed to the IMQ identified by
-              <replaceable>number</replaceable>. Requires IMQ Target support
-              in your kernel and iptables.</para>
-            </listitem>
-
-            <listitem>
-              <para><emphasis
-              role="bold">DSCP</emphasis>(<replaceable>dscp</replaceable>)</para>
-
-              <para>Added in Shorewall 4.5.1. Sets the
-              <firstterm>Differentiated Services Code Point</firstterm> field
-              in the IP header. The <replaceable>dscp</replaceable> value may
-              be given as an even number (hex or decimal) or as the name of a
-              DSCP class. Valid class names and their associated hex numeric
-              values are:</para>
-
-              <programlisting>    CS0  =&gt; 0x00
-    CS1  =&gt; 0x08
-    CS2  =&gt; 0x10
-    CS3  =&gt; 0x18
-    CS4  =&gt; 0x20
-    CS5  =&gt; 0x28
-    CS6  =&gt; 0x30
-    CS7  =&gt; 0x38
-    BE   =&gt; 0x00
-    AF11 =&gt; 0x0a
-    AF12 =&gt; 0x0c
-    AF13 =&gt; 0x0e
-    AF21 =&gt; 0x12
-    AF22 =&gt; 0x14
-    AF23 =&gt; 0x16
-    AF31 =&gt; 0x1a
-    AF32 =&gt; 0x1c
-    AF33 =&gt; 0x1e
-    AF41 =&gt; 0x22
-    AF42 =&gt; 0x24
-    AF43 =&gt; 0x26
-    EF   =&gt; 0x2e</programlisting>
-
-              <para>To indicate more than one class, add their hex values
-              together and specify the result.</para>
-
-              <para>May be optionally followed by ':' and a capital letter
-              designating the chain where classification is to occur.</para>
-
-              <variablelist>
-                <varlistentry>
-                  <term>F</term>
-
-                  <listitem>
-                    <para>FORWARD chain.</para>
-                  </listitem>
-                </varlistentry>
-
-                <varlistentry>
-                  <term>T</term>
-
-                  <listitem>
-                    <para>POSTROUTING chain (default).</para>
-                  </listitem>
-                </varlistentry>
-              </variablelist>
-            </listitem>
-
-            <listitem>
-              <para><emphasis
-              role="bold">TOS</emphasis>(<replaceable>tos</replaceable>[/<replaceable>mask</replaceable>])</para>
-
-              <para>Added in Shorewall 4.5.1. Sets the <firstterm>Type of
-              Service</firstterm> field in the IP header. The
-              <replaceable>tos</replaceable> value may be given as an number
-              (hex or decimal) or as the name of a TOS type. Valid type names
-              and their associated hex numeric values are:</para>
-
-              <programlisting>Minimize-Delay       =&gt; 0x10,
-Maximize-Throughput  =&gt; 0x08,
-Maximize-Reliability =&gt; 0x04,
-Minimize-Cost        =&gt; 0x02,
-Normal-Service       =&gt; 0x00</programlisting>
-
-              <para>To indicate more than one class, add their hex values
-              together and specify the result.</para>
-
-              <para>When <replaceable>tos</replaceable> is given as a number,
-              it may be optionally followed by '/' and a
-              <replaceable>mask</replaceable>. When no
-              <replaceable>mask</replaceable> is given, the value 0xff is
-              assumed. When <replaceable>tos</replaceable> is given as a type
-              name, the <replaceable>mask</replaceable> 0x3f is
-              assumed.</para>
-
-              <para>The action performed is to zero out the bits specified by
-              the <replaceable>mask</replaceable>, then set the bits specified
-              by <replaceable>tos</replaceable>.</para>
-
-              <para>May be optionally followed by ':' and a capital letter
-              designating the chain where classification is to occur.</para>
-
-              <variablelist>
-                <varlistentry>
-                  <term>F</term>
-
-                  <listitem>
-                    <para>FORWARD chain.</para>
-                  </listitem>
-                </varlistentry>
-
-                <varlistentry>
-                  <term>T</term>
-
-                  <listitem>
-                    <para>POSTROUTING chain.</para>
-                  </listitem>
-                </varlistentry>
-              </variablelist>
-            </listitem>
          </orderedlist>
        </listitem>
      </varlistentry>
@@ -1014,10 +1124,7 @@ Normal-Service       =&gt; 0x00</programlisting>
          <para>Names a Netfiler protocol <firstterm>helper</firstterm> module
          such as <option>ftp</option>, <option>sip</option>,
          <option>amanda</option>, etc. A packet will match if it was accepted
-          by the named helper module. You can also append "-" and a port
-          number to the helper module name (e.g., <emphasis
-          role="bold">ftp-21</emphasis>) to specify the port number that the
-          original connection was made on.</para>
+          by the named helper module.</para>

          <para>Example: Mark all FTP data connections with mark
          4:<programlisting>#ACTION   SOURCE    DEST      PROTO   PORT(S)    SOURCE  USER TEST LENGTH TOS CONNBYTES HELPER
@@ -1114,6 +1221,29 @@ Normal-Service       =&gt; 0x00</programlisting>
          mark has been set, save it to the connection mark.</para>
        </listitem>
      </varlistentry>
+
+      <varlistentry>
+        <term>Example 2:</term>
+
+        <listitem>
+          <para>SNAT outgoing connections on eth0 from 192.168.1.0/24 in
+          round-robin fashion between addresses 1.1.1.1, 1.1.1.3, and 1.1.1.9
+          (Shorewall 4.5.9 and later).</para>
+
+          <programlisting>/etc/shorewall/tcrules:
+
+       #ACTION   SOURCE         DEST         PROTO   PORT(S)       SOURCE  USER    TEST
+       #                                                           PORT(S)
+       1-3:CF    192.168.1.0/24 eth0 ; state=NEW
+
+/etc/shorewall/masq:
+
+       #INTERFACE SOURCE         ADDRESS     ...
+       eth0       192.168.1.0/24 1.1.1.1 ; mark=1:C
+       eth0       192.168.1.0/24 1.1.1.3 ; mark=2:C
+       eth0       192.168.1.0/24 1.1.1.4 ; mark=3:C</programlisting>
+        </listitem>
+      </varlistentry>
    </variablelist>
  </refsect1>

--- a/Shorewall/manpages/shorewall-zones.xml
+++ b/Shorewall/manpages/shorewall-zones.xml
@@ -227,6 +227,19 @@ c:a,b     ipv4</programlisting>
              </listitem>
            </varlistentry>

+            <varlistentry>
+              <term><emphasis role="bold">dynamic_shared</emphasis></term>
+
+              <listitem>
+                <para>Added in Shorewall 4.5.9. May only be specified in the
+                OPTIONS column and indicates that only a single ipset should
+                be created for this zone if it has multiple dynamic entries in
+                <ulink url="shorewall-hosts.html">shorewall-hosts</ulink>(5).
+                Without this option, a separate ipset is created for each
+                interface.</para>
+              </listitem>
+            </varlistentry>
+
            <varlistentry>
              <term><emphasis
              role="bold">reqid=</emphasis><emphasis>number</emphasis></term>
@@ -348,9 +361,9 @@ c:a,b     ipv4</programlisting>
    shorewall-ipsets(5), shorewall-maclist(5), shorewall-masq(5),
    shorewall-nat(5), shorewall-nesting(8), shorewall-netmap(5),
    shorewall-params(5), shorewall-policy(5), shorewall-providers(5),
-    shorewall-proxyarp(5), shorewall-rtrules(5),
-    shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5),
-    shorewall-secmarks(5), shorewall-tcclasses(5), shorewall-tcdevices(5),
-    shorewall-tcrules(5), shorewall-tos(5), shorewall-tunnels(5)</para>
+    shorewall-proxyarp(5), shorewall-rtrules(5), shorewall-routestopped(5),
+    shorewall-rules(5), shorewall.conf(5), shorewall-secmarks(5),
+    shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall-tcrules(5),
+    shorewall-tos(5), shorewall-tunnels(5)</para>
  </refsect1>
 </refentry>
--- a/Shorewall/manpages/shorewall.conf.xml
+++ b/Shorewall/manpages/shorewall.conf.xml
@@ -92,47 +92,47 @@
    <variablelist>
      <varlistentry>
        <term><emphasis
-        role="bold">ACCEPT_DEFAULT=</emphasis>{<emphasis>action</emphasis>|<emphasis
+        role="bold">ACCEPT_DEFAULT=</emphasis>{<emphasis>action</emphasis>[(<replaceable>parameters</replaceable>)][:<replaceable>level</replaceable>]|<emphasis
        role="bold">none</emphasis>}</term>

        <listitem>
-          <para></para>
+          <para/>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term><emphasis
-        role="bold">DROP_DEFAULT=</emphasis>{<emphasis>action</emphasis>|<emphasis
+        role="bold">DROP_DEFAULT=</emphasis>{<emphasis>action</emphasis>[(<replaceable>parameters</replaceable>)][:<replaceable>level</replaceable>]|<emphasis
        role="bold">none</emphasis>}</term>

        <listitem>
-          <para></para>
+          <para/>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term><emphasis
-        role="bold">NFQUEUE_DEFAULT=</emphasis>{<emphasis>action</emphasis>|<emphasis
+        role="bold">NFQUEUE_DEFAULT=</emphasis>{<emphasis>action</emphasis>[(<replaceable>parameters</replaceable>)][:<replaceable>level</replaceable>]|<emphasis
        role="bold">none</emphasis>}</term>

        <listitem>
-          <para></para>
+          <para/>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term><emphasis
-        role="bold">QUEUE_DEFAULT=</emphasis>{<emphasis>action</emphasis>|<emphasis
+        role="bold">QUEUE_DEFAULT=</emphasis>{<emphasis>action</emphasis>[(<replaceable>parameters</replaceable>)][:<replaceable>level</replaceable>]|<emphasis
        role="bold">none</emphasis>}</term>

        <listitem>
-          <para></para>
+          <para/>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term><emphasis
-        role="bold">REJECT_DEFAULT=</emphasis>{<emphasis>action</emphasis>|<emphasis
+        role="bold">REJECT_DEFAULT=</emphasis>{<emphasis>action</emphasis>[(<replaceable>parameters</replaceable>)][:<replaceable>level</replaceable>]|<emphasis
        role="bold">none</emphasis>}</term>

        <listitem>
@@ -140,9 +140,9 @@
          REJECT policies was specified in the file
          /usr/share/shorewall/actions.std.</para>

-          <para>To allow for default rules to be applied when USE_ACTIONS=No,
-          the DROP_DEFAULT, REJECT_DEFAULT, ACCEPT_DEFAULT, QUEUE_DEFAULT and
-          NFQUEUE_DEFAULT options have been added.</para>
+          <para>In Shorewall 4.4.0, the DROP_DEFAULT, REJECT_DEFAULT,
+          ACCEPT_DEFAULT, QUEUE_DEFAULT and NFQUEUE_DEFAULT options were
+          added.</para>

          <para>DROP_DEFAULT describes the rules to be applied before a
          connection request is dropped by a DROP policy; REJECT_DEFAULT
@@ -152,14 +152,6 @@

          <para>The value applied to these may be:</para>

-          <simplelist>
-            <member>a) The name of an
-            <replaceable>action</replaceable>.</member>
-
-            <member>b) <emphasis role="bold">None</emphasis> or <emphasis
-            role="bold">none</emphasis></member>
-          </simplelist>
-
          <para>The default values are:</para>

          <simplelist>
@@ -174,14 +166,20 @@
            <member>NFQUEUE_DEFAULT="None"</member>
          </simplelist>

-          <para>If USE_ACTIONS=Yes, then these values refer to action.Drop and
-          action.Reject respectively. If USE_ACTIONS=No, then these values
-          refer to macro.Drop and macro.Reject.</para>
-
          <para>If you set the value of either option to "None" then no
          default action will be used and the default action or macro must be
          specified in <ulink
          url="shorewall-policy.html">shorewall-policy</ulink>(5).</para>
+
+          <para>You can pass <replaceable>parameters</replaceable> to the
+          specified action (e.g.,
+          <emphasis>myaction(audit,DROP)</emphasis>).</para>
+
+          <para>Beginning with Shorewall 4.5.10, the action name can be
+          followed optionally by a colon and a log
+          <replaceable>level</replaceable>. The level will be applied to each
+          rule in the action or body that does not already have a log
+          level.</para>
        </listitem>
      </varlistentry>

@@ -525,7 +523,7 @@
          </itemizedlist>

          <blockquote>
-            <para></para>
+            <para/>

            <para>If CONFIG_PATH is not given or if it is set to the empty
            value then the contents of /usr/share/shorewall/configpath are
@@ -932,7 +930,7 @@ net     all  DROP   info</programlisting>then the chain name is 'net2all'
            </varlistentry>
          </variablelist>

-          <para></para>
+          <para/>

          <blockquote>
            <para>If this variable is not set or is given an empty value
@@ -1142,7 +1140,7 @@ net     all  DROP   info</programlisting>then the chain name is 'net2all'
            </listitem>
          </itemizedlist>

-          <para></para>
+          <para/>

          <blockquote>
            <para>For example, using the default LOGFORMAT, the log prefix for
@@ -1159,7 +1157,7 @@ net     all  DROP   info</programlisting>then the chain name is 'net2all'
              control your firewall after you enable this option.</para>
            </important>

-            <para></para>
+            <para/>

            <caution>
              <para>Do not use this option if the resulting log messages will
@@ -1726,6 +1724,15 @@ net     all  DROP   info</programlisting>then the chain name is 'net2all'
              'Others and'. Empty comments at the end of a group of combined
              comments are replaced by 'and others'.</para>

+              <para>Beginning in Shorewall 4.5.10, this option also suppresses
+              duplicate adjacent rules and duplicate non-adjacent rules that
+              don't include <emphasis role="bold">mark</emphasis>, <emphasis
+              role="bold">connmark</emphasis>, <emphasis
+              role="bold">dscp</emphasis>, <emphasis
+              role="bold">ecn</emphasis>, <emphasis
+              role="bold">set</emphasis>, <emphasis role="bold">tos</emphasis>
+              or <emphasis role="bold">u32</emphasis> matches.</para>
+
              <variablelist>
                <varlistentry>
                  <term>Example 1:</term>
@@ -1823,7 +1830,7 @@ net     all  DROP   info</programlisting>then the chain name is 'net2all'
        role="bold">"</emphasis></term>

        <listitem>
-          <para></para>
+          <para/>
        </listitem>
      </varlistentry>

@@ -1934,6 +1941,22 @@ net     all  DROP   info</programlisting>then the chain name is 'net2all'
        </listitem>
      </varlistentry>

+      <varlistentry>
+        <term><emphasis role="bold">RESTORE_ROUTEMARKS=</emphasis>[<emphasis
+        role="bold">Yes</emphasis>|<emphasis role="bold">No</emphasis>]</term>
+
+        <listitem>
+          <para>Added in Shorewall 4.5.9. When set to <emphasis
+          role="bold">Yes</emphasis> (the default), provider marks are
+          restored unconditionally at the top of the mangle OUTPUT and
+          PREROUTING chains, even if the saved mark is zero. When this option
+          is set to <emphasis role="bold">No</emphasis>, the mark is restored
+          even when it is zero. If you have problems with IPSEC ESP packets
+          not being routed correctly on output, try setting this option to
+          <emphasis role="bold">No</emphasis>.</para>
+        </listitem>
+      </varlistentry>
+
      <varlistentry>
        <term><emphasis
        role="bold">RESTOREFILE=</emphasis><emphasis>filename</emphasis></term>
--- a/Shorewall/manpages/shorewall.xml
+++ b/Shorewall/manpages/shorewall.xml
@@ -24,12 +24,14 @@

      <arg rep="norepeat">-<replaceable>options</replaceable></arg>

-      <arg choice="plain"><option>add</option></arg>
+      <arg choice="plain"><option>add {</option></arg>

      <arg choice="plain"
      rep="repeat"><replaceable>interface</replaceable>[:<replaceable>host-list</replaceable>]</arg>

-      <arg choice="plain"><replaceable>zone</replaceable></arg>
+      <arg choice="plain"><replaceable>zone</replaceable><option>
+      |</option><replaceable> zone host-list</replaceable><option>
+      }</option></arg>
    </cmdsynopsis>

    <cmdsynopsis>
@@ -109,12 +111,14 @@

      <arg rep="norepeat">-<replaceable>options</replaceable></arg>

-      <arg choice="plain"><option>delete</option></arg>
+      <arg choice="plain"><option>delete {</option></arg>

      <arg choice="plain"
      rep="repeat"><replaceable>interface</replaceable>[:<replaceable>host-list</replaceable>]</arg>

-      <arg choice="plain"><replaceable>zone</replaceable></arg>
+      <arg choice="plain"><replaceable>zone</replaceable><option>
+      |</option><replaceable> zone host-list</replaceable><option>
+      }</option></arg>
    </cmdsynopsis>

    <cmdsynopsis>
@@ -498,6 +502,8 @@

      <arg choice="plain"><option>show</option></arg>

+      <arg><option>-b</option></arg>
+
      <arg><option>-x</option></arg>

      <arg><option>-l</option></arg>
@@ -710,10 +716,10 @@
    url="shorewall.conf.html">shorewall.conf</ulink>(5). Each <emphasis
    role="bold">v</emphasis> adds one to the effective verbosity and each
    <emphasis role="bold">q</emphasis> subtracts one from the effective
-    VERBOSITY. Anternately, <emphasis role="bold">v</emphasis> may be followed
-    immediately with one of -1,0,1,2 to specify a specify VERBOSITY. There may
-    be no white space between <emphasis role="bold">v</emphasis> and the
-    VERBOSITY.</para>
+    VERBOSITY. Alternatively, <emphasis role="bold">v</emphasis> may be
+    followed immediately with one of -1,0,1,2 to specify a specify VERBOSITY.
+    There may be no white space between <emphasis role="bold">v</emphasis> and
+    the VERBOSITY.</para>

    <para>The <emphasis>options</emphasis> may also include the letter
    <option>t</option> which causes all progress messages to be
@@ -746,6 +752,15 @@
              <command>add</command> by <command>delete</command> and run the
              same command again. Then enter the correct command.</para>
            </caution></para>
+
+          <para>Beginning with Shorewall 4.5.9, the <emphasis
+          role="bold">dynamic_shared</emphasis> zone option (<ulink
+          url="shorewall-zones.html">shorewall-zones</ulink>(5)) allows a
+          single ipset to handle entries for multiple interfaces. When that
+          option is specified for a zone, the <command>add</command> command
+          has the alternative syntax in which the
+          <replaceable>zone</replaceable> name precedes the
+          <replaceable>host-list</replaceable>.</para>
        </listitem>
      </varlistentry>

@@ -861,6 +876,15 @@
          url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5)
          file. A <emphasis>host-list</emphasis> is comma-separated list whose
          elements are a host or network address.</para>
+
+          <para>Beginning with Shorewall 4.5.9, the <emphasis
+          role="bold">dynamic_shared</emphasis> zone option (<ulink
+          url="shorewall-zones.html">shorewall-zones</ulink>(5)) allows a
+          single ipset to handle entries for multiple interfaces. When that
+          option is specified for a zone, the <command>delete</command>
+          command has the alternative syntax in which the
+          <replaceable>zone</replaceable> name precedes the
+          <replaceable>host-list</replaceable>.</para>
        </listitem>
      </varlistentry>

@@ -873,6 +897,13 @@
          or <replaceable>provider</replaceable>. Where more than one provider
          share a single network interface, a
          <replaceable>provider</replaceable> name must be given.</para>
+
+          <para>Beginning with Shorewall 4.5.10, this command may be used with
+          any optional network interface. <replaceable>interface</replaceable>
+          may be either the logical or physical name of the interface. The
+          command removes any routes added from <ulink
+          url="shorewall-routes.html">shorewall-routes</ulink>(5) and any
+          traffic shaping configuration for the interface.</para>
        </listitem>
      </varlistentry>

@@ -912,6 +943,14 @@
          or <replaceable>provider</replaceable>. Where more than one provider
          share a single network interface, a
          <replaceable>provider</replaceable> name must be given.</para>
+
+          <para>Beginning with Shorewall 4.5.10, this command may be used with
+          any optional network interface. <replaceable>interface</replaceable>
+          may be either the logical or physical name of the interface. The
+          command sets <filename>/proc</filename> entries for the interface,
+          adds any route specified in <ulink
+          url="shorewall-routes.html">shorewall-routes</ulink>(5) and installs
+          the interface's traffic shaping configuration, if any.</para>
        </listitem>
      </varlistentry>

@@ -1372,14 +1411,20 @@
                Netfilter table to display. The default is <emphasis
                role="bold">filter</emphasis>.</para>

+                <para>The <emphasis role="bold">-b</emphasis> ('brief') option
+                causes rules which have not been used (i.e. which have zero
+                packet and byte counts) to be omitted from the output. Chains
+                with no rules displayed are also omitted from the
+                output.</para>
+
                <para>The <emphasis role="bold">-l</emphasis> option causes
                the rule number for each Netfilter rule to be
                displayed.</para>

-                <para>If the <emphasis role="bold">t</emphasis> option and the
-                <option>chain</option> keyword are both omitted and any of the
-                listed <replaceable>chain</replaceable>s do not exist, a usage
-                message is displayed.</para>
+                <para>If the -<emphasis role="bold">t</emphasis> option and
+                the <option>chain</option> keyword are both omitted and any of
+                the listed <replaceable>chain</replaceable>s do not exist, a
+                usage message is displayed.</para>
              </listitem>
            </varlistentry>

--- a/Shorewall/shorewall
+++ b/Shorewall/shorewall
@@ -33,10 +33,7 @@ PRODUCT=shorewall
 . /usr/share/shorewall/shorewallrc

 g_program=$PRODUCT
-g_libexec="$LIBEXECDIR"
 g_sharedir="$SHAREDIR"/shorewall
-g_sbindir="$SBINDIR"
-g_perllib="$PERLLIBDIR"
 g_confdir="$CONFDIR"/shorewall
 g_readrc=1

--- a/Shorewall/shorewall.service
+++ b/Shorewall/shorewall.service
@@ -13,8 +13,8 @@ Type=oneshot
 RemainAfterExit=yes
 EnvironmentFile=-/etc/sysconfig/shorewall
 StandardOutput=syslog
-ExecStart=/sbin/shorewall $OPTIONS start
-ExecStop=/sbin/shorewall $OPTIONS stop
+ExecStart=/usr/sbin/shorewall $OPTIONS start
+ExecStop=/usr/sbin/shorewall $OPTIONS stop

 [Install]
 WantedBy=multi-user.target
--- a/Shorewall6-lite/manpages/shorewall6-lite.xml
+++ b/Shorewall6-lite/manpages/shorewall6-lite.xml
@@ -337,6 +337,8 @@

      <arg choice="plain"><option>show</option></arg>

+      <arg><option>-b</option></arg>
+
      <arg><option>-x</option></arg>

      <arg><option>-l</option></arg>
@@ -839,6 +841,12 @@
                Netfilter table to display. The default is <emphasis
                role="bold">filter</emphasis>.</para>

+                <para>The <emphasis role="bold">-b</emphasis> ('brief') option
+                causes rules which have not been used (i.e. which have zero
+                packet and byte counts) to be omitted from the output. Chains
+                with no rules displayed are also omitted from the
+                output.</para>
+
                <para>The <emphasis role="bold">-l</emphasis> option causes
                the rule number for each Netfilter rule to be
                displayed.</para>
--- a/Shorewall6-lite/shorecap
+++ b/Shorewall6-lite/shorecap
@@ -52,10 +52,7 @@ g_program=shorewall6-lite
 #
 . /usr/share/shorewall/shorewallrc

-g_libexec="$LIBEXECDIR"
 g_sharedir="$SHAREDIR"/shorewall6-lite
-g_sbindir="$SBINDIR"
-g_vardir="$VARDIR"
 g_confdir="$CONFDIR"/shorewall6-lite
 g_readrc=1

--- a/Shorewall6-lite/shorewall6-lite
+++ b/Shorewall6-lite/shorewall6-lite
@@ -33,9 +33,7 @@ PRODUCT=shorewall6-lite
 . /usr/share/shorewall/shorewallrc

 g_program=$PRODUCT
-g_libexec="$LIBEXECDIR"
 g_sharedir="$SHAREDIR"/shorewall6-lite
-g_sbindir="$SBINDIR"
 g_confdir="$CONFDIR"/shorewall6-lite
 g_readrc=1

--- a/Shorewall6-lite/shorewall6-lite.service
+++ b/Shorewall6-lite/shorewall6-lite.service
@@ -13,8 +13,8 @@ Type=oneshot
 RemainAfterExit=yes
 EnvironmentFile=-/etc/sysconfig/shorewall6-lite
 StandardOutput=syslog
-ExecStart=/sbin/shorewall6-lite $OPTIONS start
-ExecStop=/sbin/shorewall6-lite $OPTIONS stop
+ExecStart=/usr/sbin/shorewall6-lite $OPTIONS start
+ExecStop=/usr/sbin/shorewall6-lite $OPTIONS stop

 [Install]
 WantedBy=multi-user.target
--- a/Shorewall6/Samples6/Universal/rules
+++ b/Shorewall6/Samples6/Universal/rules
@@ -6,8 +6,8 @@
 # The manpage is also online at
 # http://www.shorewall.net/manpages/shorewall-rules.html
 #
-######################################################################################################################################################################################
-#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME       HEADERS   SWITCH     HELPER
+#######################################################################################################################################################################################################
+#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME		HEADERS		 SWITCH		 HELPER
 #							PORT	PORT(S)		DEST		LIMIT		GROUP
 #SECTION ALL
 #SECTION ESTABLISHED
--- a/Shorewall6/Samples6/Universal/shorewall6.conf
+++ b/Shorewall6/Samples6/Universal/shorewall6.conf
@@ -169,6 +169,8 @@ OPTIMIZE_ACCOUNTING=No

 REQUIRE_INTERFACE=Yes

+RESTORE_ROUTEMARKS=Yes
+
 TC_ENABLED=No

 TC_EXPERT=No
--- a/Shorewall6/Samples6/one-interface/rules
+++ b/Shorewall6/Samples6/one-interface/rules
@@ -10,8 +10,8 @@
 # See the file README.txt for further details.
 #------------------------------------------------------------------------------------------------------------
 # For information on entries in this file, type "man shorewall6-rules"
-######################################################################################################################################################################################
-#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME       HEADERS   SWITCH     HELPER
+#######################################################################################################################################################################################################
+#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME		HEADERS		 SWITCH		 HELPER
 #							PORT	PORT(S)		DEST		LIMIT		GROUP
 #SECTION ALL
 #SECTION ESTABLISHED
--- a/Shorewall6/Samples6/one-interface/shorewall6.conf
+++ b/Shorewall6/Samples6/one-interface/shorewall6.conf
@@ -169,6 +169,8 @@ OPTIMIZE_ACCOUNTING=No

 REQUIRE_INTERFACE=No

+RESTORE_ROUTEMARKS=Yes
+
 TC_ENABLED=No

 TC_EXPERT=No
--- a/Shorewall6/Samples6/three-interfaces/rules
+++ b/Shorewall6/Samples6/three-interfaces/rules
@@ -10,8 +10,8 @@
 # See the file README.txt for further details.
 #------------------------------------------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall6-rules"
-######################################################################################################################################################################################
-#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME       HEADERS   SWITCH     HELPER
+#######################################################################################################################################################################################################
+#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME		HEADERS		 SWITCH		 HELPER
 #							PORT	PORT(S)		DEST		LIMIT		GROUP
 #SECTION ALL
 #SECTION ESTABLISHED
--- a/Shorewall6/Samples6/three-interfaces/shorewall6.conf
+++ b/Shorewall6/Samples6/three-interfaces/shorewall6.conf
@@ -169,6 +169,8 @@ OPTIMIZE_ACCOUNTING=No

 REQUIRE_INTERFACE=No

+RESTORE_ROUTEMARKS=Yes
+
 TC_ENABLED=No

 TC_EXPERT=No
--- a/Shorewall6/Samples6/three-interfaces/stoppedrules
+++ b/Shorewall6/Samples6/three-interfaces/stoppedrules
@@ -11,7 +11,7 @@
 #------------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall-stoppedrules"
 ###############################################################################
-#TARGET		SOURCE		DEST		PROTO	DEST		SOURCE
+#ACTION		SOURCE		DEST		PROTO	DEST		SOURCE
 #							PORT(S)		PORT(S)
 ACCEPT		eth1		-
 ACCEPT		-		eth1
--- a/Shorewall6/Samples6/two-interfaces/rules
+++ b/Shorewall6/Samples6/two-interfaces/rules
@@ -10,8 +10,8 @@
 # See the file README.txt for further details.
 #------------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall6-rules"
-######################################################################################################################################################################################
-#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME       HEADERS   SWITCH     HELPER
+#######################################################################################################################################################################################################
+#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME		HEADERS		 SWITCH		 HELPER
 #							PORT	PORT(S)		DEST		LIMIT		GROUP
 #SECTION ALL
 #SECTION ESTABLISHED
--- a/Shorewall6/Samples6/two-interfaces/shorewall6.conf
+++ b/Shorewall6/Samples6/two-interfaces/shorewall6.conf
@@ -169,6 +169,8 @@ OPTIMIZE_ACCOUNTING=No

 REQUIRE_INTERFACE=No

+RESTORE_ROUTEMARKS=Yes
+
 TC_ENABLED=No

 TC_EXPERT=No
--- a/Shorewall6/Samples6/two-interfaces/stoppedrules
+++ b/Shorewall6/Samples6/two-interfaces/stoppedrules
@@ -11,7 +11,7 @@
 #------------------------------------------------------------------------------
 # For information about entries in this file, type "man shorewall-stoppedrules"
 ###############################################################################
-#TARGET		SOURCE		DEST		PROTO	DEST		SOURCE
+#ACTION		SOURCE		DEST		PROTO	DEST		SOURCE
 #							PORT(S)		PORT(S)
 ACCEPT		eth1		-
 ACCEPT		-		eth1
--- a/Shorewall6/action.template
+++ b/Shorewall6/action.template
@@ -21,6 +21,6 @@
 #######################################################################################################
 #                                         DO NOT REMOVE THE FOLLOWING LINE
 FORMAT 2
-####################################################################################################################################################################
-#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME         HEADERS
+#####################################################################################################################################################################################
+#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME       HEADERS   SWITCH    HELPER
 #							PORT	PORT(S)		DEST		LIMIT		GROUP
--- a/Shorewall6/actions.std
+++ b/Shorewall6/actions.std
@@ -19,15 +19,15 @@
 #
 ###############################################################################
 #ACTION
-A_Drop	            # Audited Default Action for DROP policy
-A_Reject	    # Audited Default Action for REJECT policy
-A_AllowICMPs	    # Audited Accept needed ICMP6 types
-AllowICMPs	    # Accept needed ICMP6 types
-Broadcast           # Handles Broadcast/Multicast/Anycast
-Drop		    # Default Action for DROP policy
-DropSmurfs	    # Handles packets with a broadcast source address
-Invalid		    # Handles packets in the INVALID conntrack state
-NotSyn		    # Handles TCP packets that do not have SYN=1 and ACK=0
-Reject		    # Default Action for REJECT policy
-TCPFlags	    # Handles bad flags combinations
+A_Drop	                        # Audited Default Action for DROP policy
+A_Reject	                # Audited Default Action for REJECT policy
+A_AllowICMPs	                # Audited Accept needed ICMP6 types
+AllowICMPs   	                # Accept needed ICMP6 types
+Broadcast  noinline      	# Handles Broadcast/Multicast/Anycast
+Drop		        	# Default Action for DROP policy
+DropSmurfs noinline     	# Handles packets with a broadcast source address
+Invalid	   noinline		# Handles packets in the INVALID conntrack state
+NotSyn	   noinline 		# Handles TCP packets that do not have SYN=1 and ACK=0
+Reject		        	# Default Action for REJECT policy
+TCPFlags   noinline		# Handles bad flags combinations

--- a/Shorewall6/configfiles/actions
+++ b/Shorewall6/configfiles/actions
@@ -8,5 +8,6 @@
 # Please see http://shorewall.net/Actions.html for additional information.
 #
 ###############################################################################
-#ACTION             COMMENT (place '# ' below the 'C' in comment followed by
-#                   v        a comment describing the action)
+########################################################################################
+#ACTION    OPTIONS              COMMENT (place '# ' below the 'C' in comment followed by
+#                               v        a comment describing the action)
--- a/Shorewall6/configfiles/conntrack
+++ b/Shorewall6/configfiles/conntrack
@@ -3,9 +3,9 @@
 #
 # For information about entries in this file, type "man shorewal6-conntrack"
 #
-#############################################################################################
+##############################################################################################################
 FORMAT 2
-#ACTION			SOURCE		DESTINATION	PROTO	DEST		SOURCE	USER/
+#ACTION			SOURCE		DESTINATION	PROTO	DEST		SOURCE	USER/		SWITCH
 #								PORT(S)		PORT(S)	GROUP
 ?if __CT_TARGET

@@ -31,7 +31,7 @@ CT:helper:netbios-ns	all		-		udp	137
 ?endif

 ?if __PPTP_HELPER
-CT:helper:pptp		all		-		tcp	1729
+CT:helper:pptp		all		-		tcp	1723
 ?endif

 ?if __SANE_HELPER
--- a/Shorewall6/configfiles/rules
+++ b/Shorewall6/configfiles/rules
@@ -6,8 +6,8 @@
 # The manpage is also online at
 # http://www.shorewall.net/manpages6/shorewall6-rules.html
 #
-#####################################################################################################################################################################################
-#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME       HEADERS   SWITCH    HELPER
+#######################################################################################################################################################################################################
+#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME		HEADERS		 SWITCH		 HELPER
 #							PORT	PORT(S)		DEST		LIMIT		GROUP
 #SECTION ALL
 #SECTION ESTABLISHED
--- a/Shorewall6/configfiles/shorewall6.conf
+++ b/Shorewall6/configfiles/shorewall6.conf
@@ -169,6 +169,8 @@ OPTIMIZE_ACCOUNTING=No

 REQUIRE_INTERFACE=No

+RESTORE_ROUTEMARKS=Yes
+
 TC_ENABLED=No

 TC_EXPERT=No
--- a/Shorewall6/configfiles/stoppedrules
+++ b/Shorewall6/configfiles/stoppedrules
@@ -10,5 +10,5 @@
 # information.
 #
 ###############################################################################
-#TARGET		SOURCE			DEST		PROTO	DEST	SOURCE
+#ACTION		SOURCE			DEST		PROTO	DEST	SOURCE
 #								PORT(S)	PORT(S)
--- a/Shorewall6/manpages/shorewall6-actions.xml
+++ b/Shorewall6/manpages/shorewall6-actions.xml
@@ -28,11 +28,73 @@
    the ip6tables rules to be performed in an ACTION in
    /etc/shorewall6/action.<emphasis>action-name</emphasis>.</para>

-    <para>ACTION names should begin with an upper-case letter to distinguish
-    them from Shorewall-generated chain names and be composed of letters,
-    digits or numbers. If you intend to log from the action then the name must
-    be no longer than 11 characters in length if you use the standard
-    LOGFORMAT.</para>
+    <para>Columns are:</para>
+
+    <variablelist>
+      <varlistentry>
+        <term>NAME</term>
+
+        <listitem>
+          <para>The name of the action. ACTION names should begin with an
+          upper-case letter to distinguish them from Shorewall-generated chain
+          names and be composed of letters, digits or numbers. If you intend
+          to log from the action then the name must be no longer than 11
+          characters in length if you use the standard LOGFORMAT.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>OPTIONS</term>
+
+        <listitem>
+          <para>Added in Shorewall 4.5.10. Available options are:</para>
+
+          <variablelist>
+            <varlistentry>
+              <term>inline</term>
+
+              <listitem>
+                <para>Causes the action body (defined in
+                action.<replaceable>action-name</replaceable>) to be expanded
+                in-line like a macro rather than in its own chain. You can
+                list Shorewall Standard Actions in this file to specify the
+                <option>inline</option> option.</para>
+
+                <caution>
+                  <para>Some of the Shorewall standard actions cannot be used
+                  in-line and will generate a warning and the compiler will
+                  ignore <option>inline</option> if you try to use them that
+                  way:</para>
+
+                  <simplelist>
+                    <member>Broadcast</member>
+
+                    <member>DropSmurfs</member>
+
+                    <member>Invalid</member>
+
+                    <member>NotSyn</member>
+
+                    <member>RST</member>
+
+                    <member>TCPFlags</member>
+                  </simplelist>
+                </caution>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term>noinline</term>
+
+              <listitem>
+                <para>Causes any later <option>inline</option> option for the
+                same action to be ignored with a warning.</para>
+              </listitem>
+            </varlistentry>
+          </variablelist>
+        </listitem>
+      </varlistentry>
+    </variablelist>
  </refsect1>

  <refsect1>
@@ -49,10 +111,11 @@

    <para>shorewall6(8), shorewall6-accounting(5), shorewall6-blacklist(5),
    shorewall6-hosts(5), shorewall6-interfaces(5), shorewall6-maclist(5),
-    shoewall6-netmap(5),shorewall6-params(5), shorewall6-policy(5), shorewall6-providers(5),
-    shorewall6-rtrules(5), shorewall6-routestopped(5),
-    shorewall6-rules(5), shorewall6.conf(5), shorewall6-secmarks(5),
-    shorewall6-tcclasses(5), shorewall6-tcdevices(5), shorewall6-tcrules(5),
-    shorewall6-tos(5), shorewall6-tunnels(5), shorewall-zones(5)</para>
+    shoewall6-netmap(5),shorewall6-params(5), shorewall6-policy(5),
+    shorewall6-providers(5), shorewall6-rtrules(5),
+    shorewall6-routestopped(5), shorewall6-rules(5), shorewall6.conf(5),
+    shorewall6-secmarks(5), shorewall6-tcclasses(5), shorewall6-tcdevices(5),
+    shorewall6-tcrules(5), shorewall6-tos(5), shorewall6-tunnels(5),
+    shorewall-zones(5)</para>
  </refsect1>
 </refentry>
--- a/Shorewall6/manpages/shorewall6-conntrack.xml
+++ b/Shorewall6/manpages/shorewall6-conntrack.xml
@@ -25,25 +25,44 @@

    <para>The original intent of the <emphasis role="bold">notrack</emphasis>
    file was to exempt certain traffic from Netfilter connection tracking.
-    Traffic matching entries in that file were not to be tracked.</para>
+    Traffic matching entries in the file were not to be tracked.</para>

    <para>The role of the file was expanded in Shorewall 4.4.27 to include all
    rules that can be added in the Netfilter <emphasis
    role="bold">raw</emphasis> table. In 4.5.7, the file's name was changed to
    <emphasis role="bold">conntrack</emphasis>.</para>

-    <para>The file supports two different column layouts: FORMAT 1 and FORMAT
-    2, FORMAT 1 being the default. The two differ in that FORMAT 2 has an
-    additional leading ACTION column. When an entry in the file of this form
-    is encountered, the format of the following entries are assumed to be of
-    the specified <replaceable>format</replaceable>.</para>
+    <para>The file supports two different column layouts: FORMAT 1, FORMAT 2,
+    and FORMAT 3, FORMAT 1 being the default. The three differ as
+    follows:</para>
+
+    <itemizedlist>
+      <listitem>
+        <para>in FORMAT 2 and 3, there is an additional leading ACTION
+        column.</para>
+      </listitem>
+
+      <listitem>
+        <para>in FORMAT 3, the SOURCE column accepts no zone name; rather the
+        ACTION column allows a SUFFIX that determines the chain(s) that the
+        generated rule will be added to.</para>
+      </listitem>
+    </itemizedlist>
+
+    <para>When an entry in the following form is encountered, the format of
+    the following entries are assumed to be of the specified
+    <replaceable>format</replaceable>.</para>

    <simplelist>
-      <member>FORMAT <replaceable>format</replaceable></member>
+      <member><emphasis role="bold">FORMAT</emphasis>
+      <replaceable>format</replaceable></member>
    </simplelist>

    <para>where <replaceable>format</replaceable> is either <emphasis
-    role="bold">1</emphasis> or <emphasis role="bold">2</emphasis>.</para>
+    role="bold">1</emphasis>,<emphasis role="bold">2</emphasis> or <emphasis
+    role="bold">3</emphasis>.</para>
+
+    <para>Format 3 was introduced in Shorewall 4.5.10.</para>

    <para>Comments may be attached to Netfilter rules generated from entries
    in this file through the use of COMMENT lines. These lines begin with the
@@ -62,12 +81,12 @@
        role="bold">NOTRACK</emphasis>|<emphasis
        role="bold">CT</emphasis>:<emphasis
        role="bold">helper</emphasis>:<replaceable>name</replaceable>[(<replaceable>arg</replaceable>=<replaceable>val</replaceable>[,...])|<emphasis
-        role="bold">CT:notrack</emphasis>}</term>
+        role="bold">CT:notrack</emphasis>|drop}[:<replaceable>chain-designator</replaceable>]</term>

        <listitem>
-          <para>This column is only present when FORMAT = 2. Values other than
-          NOTRACK require <firstterm>CT Target </firstterm>support in your
-          iptables and kernel.</para>
+          <para>This column is only present when FORMAT &gt;= 2. Values other
+          than NOTRACK require <firstterm>CT Target </firstterm>support in
+          your iptables and kernel.</para>

          <itemizedlist>
            <listitem>
@@ -77,6 +96,13 @@
              <para>Disables connection tracking for this packet.</para>
            </listitem>

+            <listitem>
+              <para><option>DROP</option></para>
+
+              <para>Added in Shorewall 4.5.10. Silently discard the
+              packet.</para>
+            </listitem>
+
            <listitem>
              <para><option>helper</option>:<replaceable>name</replaceable></para>

@@ -120,11 +146,46 @@

          <para>When FORMAT = 1, this column is not present and the rule is
          processed as if NOTRACK had been entered in this column.</para>
+
+          <para>Beginning with Shorewall 4.5.10, when FORMAT = 3, this column
+          can end with a colon followed by a
+          <replaceable>chain-designator</replaceable>. The
+          <replaceable>chain-designator</replaceable> can be one of the
+          following:</para>
+
+          <variablelist>
+            <varlistentry>
+              <term>P</term>
+
+              <listitem>
+                <para>The rule is added to the raw table PREROUTING chain.
+                This is the default if no
+                <replaceable>chain-designator</replaceable> is present.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term>O</term>
+
+              <listitem>
+                <para>The rule is added to the raw table OUTPUT chain.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term>PO or OP</term>
+
+              <listitem>
+                <para>The rule is added to the raw table PREROUTING and OUTPUT
+                chains.</para>
+              </listitem>
+            </varlistentry>
+          </variablelist>
        </listitem>
      </varlistentry>

      <varlistentry>
-        <term>SOURCE ‒
+        <term>SOURCE (formats 1 and 2) ‒
        <emphasis>zone</emphasis>[:<emphasis>interface</emphasis>][:<emphasis>address-list</emphasis>]</term>

        <listitem>
@@ -138,35 +199,39 @@
          <para>Beginning with Shorewall 4.5.7, <option>all</option> can be
          used as the <replaceable>zone</replaceable> name to mean
          <firstterm>all zones</firstterm>.</para>
+
+          <para>Beginning with Shorewall 4.5.10, <option>all-</option> can be
+          used as the <replaceable>zone</replaceable> name to mean all
+          <firstterm>off-firewall zone</firstterm>s.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>SOURCE (format 3) ‒
+        {-|<emphasis>interface</emphasis>[:<emphasis>address-list</emphasis>]|<replaceable>address-list</replaceable>}</term>
+
+        <listitem>
+          <para>Where <replaceable>interface</replaceable> is an interface to
+          that zone, and <replaceable>address-list</replaceable> is a
+          comma-separated list of addresses (may contain exclusion - see
+          <ulink url="shorewall-exclusion.html">shorewall-exclusion</ulink>
+          (5)).</para>
+
+          <para>COMMENT is only allowed in format 1; the remainder of the line
+          is treated as a comment that will be associated with the generated
+          rule(s).</para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>DEST ‒
-        [<replaceable>interface</replaceable>|<replaceable>address-list</replaceable>]</term>
+        {-|<emphasis>interface</emphasis>[:<emphasis>address-list</emphasis>]|<replaceable>address-list</replaceable>}</term>

        <listitem>
          <para>where <replaceable>address-list</replaceable> is a
          comma-separated list of addresses (may contain exclusion - see
          <ulink url="shorewall-exclusion.html">shorewall6-exclusion</ulink>
-          (5)). If an interface is given:</para>
-
-          <itemizedlist>
-            <listitem>
-              <para>It must be up and configured with an IPv6 address when
-              Shorewall is started or restarted.</para>
-            </listitem>
-
-            <listitem>
-              <para>All routes out of the interface must be configured when
-              Shorewall is started or restarted.</para>
-            </listitem>
-
-            <listitem>
-              <para>Default routes out of the interface will result in a
-              warning message and will be ignored.</para>
-            </listitem>
-          </itemizedlist>
+          (5)).</para>
        </listitem>
      </varlistentry>

@@ -214,15 +279,87 @@
          id and or group id of the process sending the traffic.</para>
        </listitem>
      </varlistentry>
+
+      <varlistentry>
+        <term><emphasis role="bold">SWITCH -
+        [!]<replaceable>switch-name</replaceable>[={0|1}]</emphasis></term>
+
+        <listitem>
+          <para>Added in Shorewall6 4.5.10 and allows enabling and disabling
+          the rule without requiring <command>shorewall6
+          restart</command>.</para>
+
+          <para>Enables the rule if the value stored in
+          <filename>/proc/net/nf_condition/<replaceable>switch-name</replaceable></filename>
+          is 1. Disables the rule if that file contains 0 (the default). If
+          '!' is supplied, the test is inverted such that the rule is enabled
+          if the file contains 0.</para>
+
+          <para>Within the <replaceable>switch-name</replaceable>, '@0' and
+          '@{0}' are replaced by the name of the chain to which the rule is a
+          added. The <replaceable>switch-name</replaceable> (after '@...'
+          expansion) must begin with a letter and be composed of letters,
+          decimal digits, underscores or hyphens. Switch names must be 30
+          characters or less in length.</para>
+
+          <para>Switches are normally <emphasis role="bold">off</emphasis>. To
+          turn a switch <emphasis role="bold">on</emphasis>:</para>
+
+          <simplelist>
+            <member><command>echo 1 &gt;
+            /proc/net/nf_condition/<replaceable>switch-name</replaceable></command></member>
+          </simplelist>
+
+          <para>To turn it <emphasis role="bold">off</emphasis> again:</para>
+
+          <simplelist>
+            <member><command>echo 0 &gt;
+            /proc/net/nf_condition/<replaceable>switch-name</replaceable></command></member>
+          </simplelist>
+
+          <para>Switch settings are retained over <command>shorewall6
+          restart</command>.</para>
+
+          <para>When the <replaceable>switch-name</replaceable> is followed by
+          <option>=0</option> or <option>=1</option>, then the switch is
+          initialized to off or on respectively by the
+          <command>start</command> command. Other commands do not affect the
+          switch setting.</para>
+        </listitem>
+      </varlistentry>
    </variablelist>
  </refsect1>

  <refsect1>
-    <title>EXAMPLE</title>
+    <title>EXAMPLES</title>

-    <programlisting>#ACTION                       SOURCE            DEST               PROTO            DEST              SOURCE              USER/GROUP
+    <para>Example 1:</para>
+
+    <para>Use the FTP helper for TCP port 21 connections from the firewall
+    itself.</para>
+
+    <programlisting>FORMAT 2
+#ACTION                       SOURCE            DEST               PROTO            DEST              SOURCE              USER/GROUP
 #                                                                                   PORT(S)           PORT(S)
 CT:helper:ftp(expevents=new)  fw                -                  tcp              21              </programlisting>
+
+    <para>Example 2 (Shorewall 4.5.10 or later):</para>
+
+    <para>Drop traffic to/from all zones to IP address 2001:1.2.3::4</para>
+
+    <programlisting>FORMAT 2
+#ACTION                       SOURCE             DEST               PROTO            DEST              SOURCE              USER/GROUP
+#                                                                                   PORT(S)           PORT(S)
+DROP                          all-:2001:1.2.3::4 -
+DROP                          all                2001:1.2.3::4
+</programlisting>
+
+    <para>or<programlisting>FORMAT 3
+#ACTION                       SOURCE             DEST               PROTO            DEST              SOURCE              USER/GROUP
+#                                                                                   PORT(S)           PORT(S)
+DROP:P                        2001:1.2.3::4      -
+DROP:PO                       -                  2001:1.2.3::4
+</programlisting></para>
  </refsect1>

  <refsect1>
--- a/Shorewall6/manpages/shorewall6-interfaces.xml
+++ b/Shorewall6/manpages/shorewall6-interfaces.xml
@@ -374,7 +374,7 @@ loc     eth2            -</programlisting>
            </varlistentry>

            <varlistentry>
-              <term>rpfilter</term>
+              <term><emphasis role="bold">rpfilter</emphasis></term>

              <listitem>
                <para>Added in Shorewall 4.5.7. This is an anti-spoofing
@@ -411,7 +411,8 @@ loc     eth2            -</programlisting>
            </varlistentry>

            <varlistentry>
-              <term>sfilter=(<emphasis>net</emphasis>[,...])</term>
+              <term><emphasis
+	      role="bold">sfilter=(<emphasis>net</emphasis>[,...])</emphasis></term>

              <listitem>
                <para>Added in Shorewall 4.4.20. At this writing (spring
--- a/Shorewall6/manpages/shorewall6-policy.xml
+++ b/Shorewall6/manpages/shorewall6-policy.xml
@@ -97,36 +97,31 @@
        <listitem>
          <para>Policy if no match from the rules file is found.</para>

-          <para>If the policy is other than CONTINUE or NONE then the policy
-          may be followed by ":" and one of the following:</para>
+          <para>If the policy is neither CONTINUE nor NONE then the policy may
+          be followed by ":" and one of the following:</para>

          <orderedlist numeration="loweralpha">
            <listitem>
              <para>The word "None" or "none". This causes any default action
              defined in <ulink
-              url="shorewall6.conf.html">shorewall6.conf</ulink>(5) to be
+              url="shorewall.conf.html">shorewall.conf</ulink>(5) to be
              omitted for this policy.</para>
            </listitem>

            <listitem>
-              <para>The name of an action (requires that USE_ACTIONS=Yes in
-              <ulink url="shorewall6.conf.html">shorewall6.conf</ulink>(5)).
-              That action will be invoked before the policy is
-              enforced.</para>
-            </listitem>
-
-            <listitem>
-              <para>The name of a macro. The rules in that macro will be
-              applied before the policy is enforced. This does not require
-              USE_ACTIONS=Yes.</para>
+              <para>The name of an action. The action will be invoked before
+              the policy is enforced.</para>
            </listitem>
          </orderedlist>

-          <blockquote>
-            <programlisting></programlisting>
+          <para>Actions can have parameters specified.</para>

-            <para>Possible policies are:</para>
-          </blockquote>
+          <para>Beginning with Shorewall 4.5.10, the action name can be
+          followed optionally by a colon and a log level. The level will be
+          applied to each rule in the action or body that does not already
+          have a log level.</para>
+
+          <para>Possible actions are:</para>

          <variablelist>
            <varlistentry>
@@ -322,10 +317,10 @@
    shorewall6-ipsec(5), shorewall6-maclist(5), shorewall6-masq(5),
    shorewall6-nat(5), shorewall6-netmap(5),
    shoewall6-netmap(5),shorewall6-params(5), shorewall6-policy(5),
-    shorewall6-providers(5), shorewall6-proxyarp(5),
-    shorewall6-rtrules(5), shorewall6-routestopped(5),
-    shorewall6-rules(5), shorewall6.conf(5), shorewall6-secmarks(5),
-    shorewall6-tcclasses(5), shorewall6-tcdevices(5), shorewall6-tcrules(5),
-    shorewall6-tos(5), shorewall6-tunnels(5), shorewall6-zones(5)</para>
+    shorewall6-providers(5), shorewall6-proxyarp(5), shorewall6-rtrules(5),
+    shorewall6-routestopped(5), shorewall6-rules(5), shorewall6.conf(5),
+    shorewall6-secmarks(5), shorewall6-tcclasses(5), shorewall6-tcdevices(5),
+    shorewall6-tcrules(5), shorewall6-tos(5), shorewall6-tunnels(5),
+    shorewall6-zones(5)</para>
  </refsect1>
 </refentry>
--- a/Shorewall6/manpages/shorewall6-rules.xml
+++ b/Shorewall6/manpages/shorewall6-rules.xml
@@ -120,32 +120,16 @@

    <variablelist>
      <varlistentry>
-        <term><emphasis role="bold">ACTION</emphasis> - {<emphasis
-        role="bold">ACCEPT</emphasis>[<emphasis
-        role="bold"><option>+</option>|<option>!</option></emphasis>]|<emphasis
-        role="bold">DROP[<option>!</option>]</emphasis>|<emphasis
-        role="bold">REJECT</emphasis>[<option>!</option>]|<emphasis
-        role="bold">DNAT</emphasis>[<emphasis
-        role="bold">-</emphasis>]|<emphasis
-        role="bold">SAME</emphasis>[<emphasis
-        role="bold">-</emphasis>]|<emphasis
-        role="bold">CONTINUE</emphasis>[<option>!</option>]|<emphasis
-        role="bold">LOG</emphasis>|<emphasis
-        role="bold">QUEUE</emphasis>[<option>!</option>]|<emphasis
-        role="bold">NFQUEUE</emphasis>[<emphasis
-        role="bold">(</emphasis><emphasis>queuenumber</emphasis><emphasis
-        role="bold">)</emphasis>]<emphasis
-        role="bold">|COMMENT</emphasis>|<emphasis>action</emphasis>|<emphasis>macro</emphasis>[<emphasis
-        role="bold">(</emphasis><emphasis>target</emphasis><emphasis
-        role="bold">)</emphasis>]}<emphasis
-        role="bold">[:</emphasis>{<emphasis>log-level</emphasis>|<emphasis
+        <term><emphasis role="bold">ACTION</emphasis> - <emphasis
+        role="bold"><replaceable>target</replaceable>[:</emphasis>{<emphasis>log-level</emphasis>|<emphasis
        role="bold">none</emphasis>}[<emphasis role="bold"><emphasis
        role="bold">!</emphasis></emphasis>][<emphasis
        role="bold">:</emphasis><emphasis>tag</emphasis>]]</term>

        <listitem>
          <para>Specifies the action to be taken if the connection request
-          matches the rule. Must be one of the following.</para>
+          matches the rule. <replaceable>target</replaceable> must be one of
+          the following.</para>

          <variablelist>
            <varlistentry>
@@ -167,30 +151,56 @@
            </varlistentry>

            <varlistentry>
-              <term>A_ACCEPT and A_ACCEPT!</term>
+              <term><emphasis>action</emphasis></term>
+
+              <listitem>
+                <para>The name of an <emphasis>action</emphasis> declared in
+                <ulink
+                url="shorewall6-actions.html">shorewall6-actions</ulink>(5) or
+                in /usr/share/shorewall/actions.std.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis
+              role="bold">ADD(<replaceable>ipset</replaceable>:<replaceable>flags</replaceable>)</emphasis></term>
+
+              <listitem>
+                <para>Added in Shorewall 4.4.12. Causes addresses and/or port
+                numbers to be added to the named
+                <replaceable>ipset</replaceable>. The
+                <replaceable>flags</replaceable> specify the address or tupple
+                to be added to the set and must match the type of ipset
+                involved. For example, for an iphash ipset, either the SOURCE
+                or DESTINATION address can be added using
+                <replaceable>flags</replaceable> <emphasis
+                role="bold">src</emphasis> or <emphasis
+                role="bold">dst</emphasis> respectively (see the -A command in
+                ipset (8)).</para>
+
+                <para>ADD is non-terminating. Even if a packet matches the
+                rule, it is passed on to the next rule.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term>AUDIT[(accept|drop|reject)]</term>
+
+              <listitem>
+                <para>Added in Shorewall 4.5.10. Audits the packet with the
+                specified type; if the type is omitted, then
+                <option>drop</option> is assumed. Require AUDIT_TARGET support
+                in the kernel and iptables.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term>A_ACCEPT, and A_ACCEPT!</term>

              <listitem>
                <para>Added in Shorewall 4.4.20. Audited versions of ACCEPT
                and ACCEPT! respectively. Require AUDIT_TARGET support in the
-                kernel and ip6tables.</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><emphasis role="bold">DROP</emphasis></term>
-
-              <listitem>
-                <para>Ignore the request.</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><emphasis role="bold">DROP!</emphasis></term>
-
-              <listitem>
-                <para>like DROP but exempts the rule from being suppressed by
-                OPTIMIZE=1 in <ulink
-                url="shorewall6.conf.html">shorewall6.conf</ulink>(5).</para>
+                kernel and iptables.</para>
              </listitem>
            </varlistentry>

@@ -200,26 +210,7 @@
              <listitem>
                <para>Added in Shorewall 4.4.20. Audited versions of DROP and
                DROP! respectively. Require AUDIT_TARGET support in the kernel
-                and ip6tables.</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><emphasis role="bold">REJECT</emphasis></term>
-
-              <listitem>
-                <para>disallow the request and return an icmp-unreachable or
-                an RST packet.</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><emphasis role="bold">REJECT!</emphasis></term>
-
-              <listitem>
-                <para>like REJECT but exempts the rule from being suppressed
-                by OPTIMIZE=1 in <ulink
-                url="shorewall6.conf.html">shorewall6.conf</ulink>(5).</para>
+                and iptables.</para>
              </listitem>
            </varlistentry>

@@ -229,7 +220,20 @@
              <listitem>
                <para>Added in Shorewall 4.4.20. Audited versions of REJECT
                and REJECT! respectively. Require AUDIT_TARGET support in the
-                kernel and ip6tables.</para>
+                kernel and iptables.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis role="bold">COMMENT</emphasis></term>
+
+              <listitem>
+                <para>the rest of the line will be attached as a comment to
+                the Netfilter rule(s) generated by the following entries. The
+                comment will appear delimited by "/* ... */" in the output of
+                "shorewall show &lt;chain&gt;". To stop the comment from being
+                attached to further rules, simply include COMMENT on a line by
+                itself.</para>
              </listitem>
            </varlistentry>

@@ -262,7 +266,69 @@
            </varlistentry>

            <varlistentry>
-              <term><emphasis role="bold">LOG</emphasis></term>
+              <term><emphasis role="bold">COUNT</emphasis></term>
+
+              <listitem>
+                <para>Simply increment the rule's packet and byte count and
+                pass the packet to the next rule.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis
+              role="bold">DEL(<replaceable>ipset</replaceable>:<replaceable>flags</replaceable>)</emphasis></term>
+
+              <listitem>
+                <para>Added in Shorewall 4.4.12. Causes an entry to be deleted
+                from the named <replaceable>ipset</replaceable>. The
+                <replaceable>flags</replaceable> specify the address or tupple
+                to be deleted from the set and must match the type of ipset
+                involved. For example, for an iphash ipset, either the SOURCE
+                or DESTINATION address can be deletec using
+                <replaceable>flags</replaceable> <emphasis
+                role="bold">src</emphasis> or <emphasis
+                role="bold">dst</emphasis> respectively (see the -D command in
+                ipset (8)).</para>
+
+                <para>DEL is non-terminating. Even if a packet matches the
+                rule, it is passed on to the next rule.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis role="bold">DROP</emphasis></term>
+
+              <listitem>
+                <para>Ignore the request.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis role="bold">DROP!</emphasis></term>
+
+              <listitem>
+                <para>like DROP but exempts the rule from being suppressed by
+                OPTIMIZE=1 in <ulink
+                url="shorewall6.conf.html">shorewall6.conf</ulink>(5).</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term>HELPER</term>
+
+              <listitem>
+                <para>Added in Shorewall 4.5.7. This action requires that the
+                HELPER column contains the name of the Netfilter helper to be
+                associated with connections matching this connection. May only
+                be specified in the NEW section and is useful for being able
+                to specify a helper when the applicable policy is ACCEPT. No
+                destination zone should be specified in HELPER rules.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis
+              role="bold">LOG:<replaceable>level</replaceable></emphasis></term>

              <listitem>
                <para>Simply log the packet and continue with the next
@@ -270,6 +336,82 @@
              </listitem>
            </varlistentry>

+            <varlistentry>
+              <term><emphasis>macro</emphasis><emphasis
+              role="bold">[(<replaceable>macrotarget</replaceable>)]</emphasis></term>
+
+              <listitem>
+                <para>The name of a macro defined in a file named
+                macro.<emphasis>macro</emphasis>. If the macro accepts an
+                action parameter (Look at the macro source to see if it has
+                PARAM in the TARGET column) then the
+                <emphasis>macro</emphasis> name is followed by the
+                parenthesized <emphasis>macrotarget</emphasis> (<emphasis
+                role="bold">ACCEPT</emphasis>, <emphasis
+                role="bold">DROP</emphasis>, <emphasis
+                role="bold">REJECT</emphasis>, ...) to be substituted for the
+                parameter.</para>
+
+                <para>Example: FTP(ACCEPT).</para>
+
+                <para>The older syntax where the macro name and the target are
+                separated by a slash (e.g. FTP/ACCEPT) is still allowed but is
+                deprecated.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis
+              role="bold">NFLOG</emphasis>[(<replaceable>nflog-parameters</replaceable>)]</term>
+
+              <listitem>
+                <para>Added in Shorewall 4.5.9.3. Queues matching packets to a
+                backend logging daemon via a netlink socket then continues to
+                the next rule. See <ulink
+                url="http://www.shorewall.net/shorewall.logging.html">http://www.shorewall.net/shorewall_logging.html</ulink>.</para>
+
+                <para>Similar to<emphasis role="bold">
+                LOG:NFLOG</emphasis>[(<replaceable>nflog-parameters</replaceable>)],
+                except that the log level is not changed when this ACTION is
+                used in an action or macro and the invocation of that action
+                or macro specifies a log level.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis
+              role="bold">NFQUEUE</emphasis>[(<replaceable>queuenumber</replaceable>)]</term>
+
+              <listitem>
+                <para>Queues the packet to a user-space application using the
+                nfnetlink_queue mechanism. If a
+                <replaceable>queuenumber</replaceable> is not specified, queue
+                zero (0) is assumed.</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis
+              role="bold">NFQUEUE![(<replaceable>queuenumber</replaceable>)]</emphasis></term>
+
+              <listitem>
+                <para>like NFQUEUE but exempts the rule from being suppressed
+                by OPTIMIZE=1 in <ulink
+                url="shorewall6.conf.html">shorewall6.conf</ulink>(5).</para>
+              </listitem>
+            </varlistentry>
+
+            <varlistentry>
+              <term><emphasis role="bold">NONAT</emphasis></term>
+
+              <listitem>
+                <para>Excludes the connection from any subsequent <emphasis
+                role="bold">DNAT</emphasis>[-] or <emphasis
+                role="bold">REDIRECT</emphasis>[-] rules but doesn't generate
+                a rule to accept the traffic.</para>
+              </listitem>
+            </varlistentry>
+
            <varlistentry>
              <term><emphasis role="bold">QUEUE</emphasis></term>

@@ -291,107 +433,38 @@
            </varlistentry>

            <varlistentry>
-              <term><emphasis
-              role="bold">NFLOG</emphasis>[(<replaceable>nflog-parameters</replaceable>)]</term>
+              <term><emphasis role="bold">REJECT</emphasis></term>

              <listitem>
-                <para>queues matching packets to a backend logging daemon via
-                a netlink socket then continues to the next rule. See <ulink
-                url="http://www.shorewall.net/shorewall.logging.html">http://www.shorewall.net/shorewall_logging.html</ulink>.</para>
+                <para>disallow the request and return an icmp-unreachable or
+                an RST packet.</para>
              </listitem>
            </varlistentry>

            <varlistentry>
-              <term><emphasis role="bold">NFQUEUE</emphasis></term>
+              <term><emphasis role="bold">REJECT!</emphasis></term>

              <listitem>
-                <para>Queues the packet to a user-space application using the
-                nfnetlink_queue mechanism. If a
-                <replaceable>queuenumber</replaceable> is not specified, queue
-                zero (0) is assumed.</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><emphasis role="bold">NFQUEUE!</emphasis></term>
-
-              <listitem>
-                <para>like NFQUEUE but exempts the rule from being suppressed
+                <para>like REJECT but exempts the rule from being suppressed
                by OPTIMIZE=1 in <ulink
                url="shorewall6.conf.html">shorewall6.conf</ulink>(5).</para>
              </listitem>
            </varlistentry>
-
-            <varlistentry>
-              <term><emphasis role="bold">COMMENT</emphasis></term>
-
-              <listitem>
-                <para>the rest of the line will be attached as a comment to
-                the Netfilter rule(s) generated by the following entries. The
-                comment will appear delimited by "/* ... */" in the output of
-                "shorewall6 show &lt;chain&gt;". To stop the comment from
-                being attached to further rules, simply include COMMENT on a
-                line by itself.</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><emphasis>action</emphasis></term>
-
-              <listitem>
-                <para>The name of an <emphasis>action</emphasis> declared in
-                <ulink
-                url="shorewall6-actions.html">shorewall6-actions</ulink>(5) or
-                in /usr/share/shorewall6/actions.std.</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term><emphasis>macro</emphasis></term>
-
-              <listitem>
-                <para>The name of a macro defined in a file named
-                macro.<emphasis>macro</emphasis>. If the macro accepts an
-                action parameter (Look at the macro source to see if it has
-                PARAM in the TARGET column) then the
-                <emphasis>macro</emphasis> name is followed by the
-                parenthesized <emphasis>target</emphasis> (<emphasis
-                role="bold">ACCEPT</emphasis>, <emphasis
-                role="bold">DROP</emphasis>, <emphasis
-                role="bold">REJECT</emphasis>, ...) to be substituted for the
-                parameter.</para>
-
-                <para>Example: FTP(ACCEPT).</para>
-
-                <para>The older syntax where the macro name and the target are
-                separated by a slash (e.g. FTP/ACCEPT) is still allowed but is
-                deprecated.</para>
-              </listitem>
-            </varlistentry>
-
-            <varlistentry>
-              <term>HELPER</term>
-
-              <listitem>
-                <para>Added in Shorewall 4.5.7. This action requires that the
-                HELPER column contains the name of the Netfilter helper to be
-                associated with connections matching this connection. May only
-                be specified in the NEW section and is useful for being able
-                to specify a helper when the applicable policy is ACCEPT. No
-                destination zone should be specified in HELPER rules.</para>
-              </listitem>
-            </varlistentry>
          </variablelist>

-          <para>The <emphasis role="bold">ACTION</emphasis> may optionally be
+          <para>The <replaceable>target</replaceable> may optionally be
          followed by ":" and a syslog log level (e.g, REJECT:info or
          Web(ACCEPT):debug). This causes the packet to be logged at the
-          specified level.</para>
+          specified level. Note that if the <emphasis
+          role="bold">ACTION</emphasis> involves destination network address
+          translation (DNAT, REDIRECT, etc.) then the packet is logged
+          <emphasis role="bold">before</emphasis> the destination address is
+          rewritten.</para>

          <para>If the <emphasis role="bold">ACTION</emphasis> names an
          <emphasis>action</emphasis> declared in <ulink
-          url="shorewall6-actions.html">shorewall6-actions</ulink>(5) or in
-          /usr/share/shorewall6/actions.std then:</para>
+          url="shorewall-actions.html">shorewall-actions</ulink>(5) or in
+          /usr/share/shorewall/actions.std then:</para>

          <itemizedlist>
            <listitem>
@@ -412,15 +485,16 @@
            </listitem>
          </itemizedlist>

-          <para>You may also specify <emphasis role="bold">NFLOG</emphasis>
-          (must be in upper case) as a log level.This will log to the NFLOG
-          target for routing to a separate log through use of ulogd (<ulink
+          <para>You may also specify <emphasis role="bold">ULOG</emphasis> or
+          <emphasis role="bold">NFLOG</emphasis> (must be in upper case) as a
+          log level.This will log to the ULOG or NFLOG target for routing to a
+          separate log through use of ulogd (<ulink
          url="http://www.netfilter.org/projects/ulogd/index.html">http://www.netfilter.org/projects/ulogd/index.html</ulink>).</para>

          <para>Actions specifying logging may be followed by a log tag (a
          string of alphanumeric characters) which is appended to the string
          generated by the LOGPREFIX (in <ulink
-          url="shorewall6.conf.html">shorewall6.conf</ulink>(5)).</para>
+          url="shorewall.conf.html">shorewall.conf</ulink>(5)).</para>

          <para>Example: ACCEPT:info:ftp would include 'ftp ' at the end of
          the log prefix generated by the LOGPREFIX setting.</para>
@@ -1170,7 +1244,7 @@

      <varlistentry>
        <term><emphasis role="bold">SWITCH -
-        [!]<replaceable>switch-name</replaceable></emphasis></term>
+        [!]<replaceable>switch-name</replaceable>[={0|1}]</emphasis></term>

        <listitem>
          <para>Added in Shorewall6 4.4.24 and allows enabling and disabling
@@ -1181,10 +1255,14 @@
          <filename>/proc/net/nf_condition/<replaceable>switch-name</replaceable></filename>
          is 1. Disables the rule if that file contains 0 (the default). If
          '!' is supplied, the test is inverted such that the rule is enabled
-          if the file contains 0. The <replaceable>switch-name</replaceable>
-          must begin with a letter and be composed of letters, decimal digits,
-          underscores or hyphens. Switch names must be 30 characters or less
-          in length.</para>
+          if the file contains 0.</para>
+
+          <para>Within the <replaceable>switch-name</replaceable>, '@0' and
+          '@{0}' are replaced by the name of the chain to which the rule is a
+          added. The <replaceable>switch-name</replaceable> (after '@...'
+          expansion) must begin with a letter and be composed of letters,
+          decimal digits, underscores or hyphens. Switch names must be 30
+          characters or less in length.</para>

          <para>Switches are normally <emphasis role="bold">off</emphasis>. To
          turn a switch <emphasis role="bold">on</emphasis>:</para>
@@ -1203,6 +1281,13 @@

          <para>Switch settings are retained over <command>shorewall6
          restart</command>.</para>
+
+          <para>Beginning with Shoreawll 4.5.10, when the
+          <replaceable>switch-name</replaceable> is followed by
+          <option>=0</option> or <option>=1</option>, then the switch is
+          initialized to off or on respectively by the
+          <command>start</command> command. Other commands do not affect the
+          switch setting.</para>
        </listitem>
      </varlistentry>

@@ -1249,7 +1334,7 @@

          <para>If the HELPERS option is specified in <ulink
          url="shorewall.conf.html">shorewall.conf</ulink>(5), then any module
-          specified in this column most be listed in the HELPERS
+          specified in this column must be listed in the HELPERS
          setting.</para>
        </listitem>
      </varlistentry>
--- a/Shorewall6/manpages/shorewall6-secmarks.xml
+++ b/Shorewall6/manpages/shorewall6-secmarks.xml
@@ -91,10 +91,13 @@
      </varlistentry>

      <varlistentry>
-        <term><emphasis role="bold">CHAIN -
-        {P|I|F|O|T}[:{N|I|NI|E|ER}]</emphasis></term>
+        <term><emphasis role="bold">CHAIN:STATE (chain) -
+        {P|I|F|O|T}[:{N|I|U|IU|NI|NU|NIU|NUI:E|ER}]</emphasis></term>

        <listitem>
+          <para>This column determines the CHAIN where the SElinux context is
+          to be applied:</para>
+
          <simplelist>
            <member>P - PREROUTING</member>

@@ -116,12 +119,25 @@

            <member>:I - INVALID connection</member>

-            <member>:NI - New or INVALID connection</member>
+            <member>:NI - NEW or INVALID connection</member>

            <member>:E - ESTABLISHED connection</member>

            <member>:ER - ESTABLISHED or RELATED connection</member>
          </simplelist>
+
+          <para>Beginning with Shorewall 4.5.10, the following additional
+          options are available</para>
+
+          <simplelist>
+            <member>:U - UNTRACKED connection</member>
+
+            <member>:IU - INVALID or UNTRACKED connection</member>
+
+            <member>:NU - NEW or UNTRACKED connection</member>
+
+            <member>:NIU - NEW, INVALID or UNTRACKED connection.</member>
+          </simplelist>
        </listitem>
      </varlistentry>
    </variablelist>
--- a/Shorewall6/manpages/shorewall6-stoppedrules.xml
+++ b/Shorewall6/manpages/shorewall6-stoppedrules.xml
@@ -60,13 +60,13 @@
          firewall itself, while <replaceable>interface</replaceable>
          specifies packets arriving on the named interface.</para>

-          <para>This column may also include a omma-separated list of
+          <para>This column may also include a comma-separated list of
          IP/subnet addresses. If your kernel and iptables include iprange
          match support, IP address ranges are also allowed. Ipsets and
          exclusion are also supported. When <option>$FW</option> or interface
          are specified, the list must be preceeded by a colon (":").</para>

-          <para>If left empty or supplied as "-", 0.0.0.0/0 is assumed.</para>
+          <para>If left empty or supplied as "-", ::/0 is assumed.</para>
        </listitem>
      </varlistentry>

@@ -80,13 +80,13 @@
          arriving on the named interface. Neither may be specified if the
          target is <option>NOTRACK</option>.</para>

-          <para>This column may also include a omma-separated list of
+          <para>This column may also include a comma-separated list of
          IP/subnet addresses. If your kernel and iptables include iprange
          match support, IP address ranges are also allowed. Ipsets and
          exclusion are also supported. When <option>$FW</option> or interface
          are specified, the list must be preceeded by a colon (":").</para>

-          <para>If left empty or supplied as "-", 0.0.0.0/0 is assumed.</para>
+          <para>If left empty or supplied as "-", ::/0 is assumed.</para>
        </listitem>
      </varlistentry>

--- a/Shorewall6/manpages/shorewall6-tcclasses.xml
+++ b/Shorewall6/manpages/shorewall6-tcclasses.xml
@@ -120,10 +120,7 @@
        <emphasis>interface</emphasis>[[:<emphasis>parent</emphasis>]:<emphasis>class</emphasis>]</term>

        <listitem>
-          <para>Name of <emphasis>interface</emphasis>. Each interface may be
-          listed only once in this file. You may NOT specify the name of an
-          alias (e.g., eth0:0) here; see <ulink
-          url="http://www.shorewall.net/FAQ.htm#faq18">http://www.shorewall.net/FAQ.htm#faq18</ulink></para>
+          <para>Name of <emphasis>interface</emphasis>.</para>

          <para>You may specify either the interface number or the interface
          name. If the <emphasis role="bold">classify</emphasis> option is
--- a/Shorewall6/manpages/shorewall6-tcfilters.xml
+++ b/Shorewall6/manpages/shorewall6-tcfilters.xml
@@ -279,6 +279,23 @@
       1:10      ::/0      ::/0         icmp6   echo-reply</programlisting>
        </listitem>
      </varlistentry>
+
+      <varlistentry>
+        <term>Example 2:</term>
+
+        <listitem>
+          <para>Add two filters with priority 10 (Shorewall 4.5.8 or
+          later).</para>
+
+          <programlisting>       #CLASS    SOURCE    DEST         PROTO   DEST            PRIORITY
+       #                                        PORT
+
+       IPV6
+
+       1:10      ::/0      ::/0         icmp    echo-request    10
+       1:10      ::/0      ::/0         icmp    echo-reply      10</programlisting>
+        </listitem>
+      </varlistentry>
    </variablelist>
  </refsect1>

--- a/Show More
+++ b/Show More